On Mon, Aug 15, 2016 at 9:56 PM, Martin Thomson <[email protected]> wrote:
> On 16 August 2016 at 09:46, Paterson, Kenny <[email protected]> wrote:
>> Sadly, you can't implement XGCM using an existing AES-GCM API, because of
>> the way the MAC (which is keyed) is computed over the ciphertext in the
>> standard GCM scheme.
>
> Is there a reason why you can't simply XOR the plaintext stream that
> is fed to AES-GCM?
>
> We set N = N XOR HKDF(IKM, salt, label[N], 12), which the paper shows
> improves things. If we also set P = P XOR repeat(HKDF(IKM, salt,
> label[P], 16)) would we gain any of the advantages of XCAU? That
> change could be made without needing a new algorithm.
Yes. XOR two adjacent blocks, and you get something that is a function purely of the key.

-- 
"Man is born free, but everywhere he is in chains". --Rousseau.

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
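The following is an added illustration of the point made in the reply; it is not code from the thread, from the XGCM/XCAU paper, or from any TLS implementation. It builds the construction Martin proposes (nonce XORed with a 12-byte HKDF output, plaintext XORed with a repeating 16-byte HKDF output, then plain AES-GCM) and reads "XOR two adjacent blocks" as XORing two adjacent ciphertext blocks whose plaintext is known. Because the plaintext mask is the same in every block it cancels in that XOR, leaving E_K(ctr_2) XOR E_K(ctr_3), which depends only on the key and the masked nonce. The code checks that identity by recomputing the value from the raw AES block function. The HKDF labels, key, IKM, salt, nonce and plaintext are constructed placeholders; the inline HKDF is a minimal RFC 5869 extract-then-expand written here to avoid a non-standard-library dependency.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// hkdf is a minimal HKDF-SHA256 (RFC 5869) extract-then-expand, written
// inline for this example so that only the standard library is needed.
func hkdf(ikm, salt, info []byte, n int) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	prk := ext.Sum(nil)
	var out, prev []byte
	for i := byte(1); len(out) < n; i++ {
		m := hmac.New(sha256.New, prk)
		m.Write(prev)
		m.Write(info)
		m.Write([]byte{i})
		prev = m.Sum(nil)
		out = append(out, prev...)
	}
	return out[:n]
}

// xor XORs a with b, repeating b if it is shorter (this is the "repeat(...)"
// from the quoted proposal when b is the 16-byte plaintext mask).
func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i%len(b)]
	}
	return out
}

// maskedSeal implements the proposal from the quoted message: the nonce and
// the plaintext are each XORed with an HKDF-derived mask (the plaintext mask
// repeats every 16 bytes), then ordinary AES-GCM is run on the result.
// The label strings are placeholders; the thread does not fix their values.
func maskedSeal(key, ikm, salt, nonce, plaintext []byte) (maskedNonce, ct []byte, err error) {
	maskedNonce = xor(nonce, hkdf(ikm, salt, []byte("label[N] placeholder"), 12))
	pmask := hkdf(ikm, salt, []byte("label[P] placeholder"), 16)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	ct = gcm.Seal(nil, maskedNonce, xor(plaintext, pmask), nil)
	return maskedNonce, ct, nil
}

// adjacentBlockXor returns C_1 ^ C_2 ^ P_1 ^ P_2 over the first two 16-byte
// blocks. The repeated plaintext mask cancels in C_1 ^ C_2, so with known
// plaintext this leaves E_K(ctr_2) ^ E_K(ctr_3): a value that depends only on
// the key and the (masked) nonce, which is the reply's point.
func adjacentBlockXor(ct, plaintext []byte) []byte {
	c := xor(ct[:16], ct[16:32])
	p := xor(plaintext[:16], plaintext[16:32])
	return xor(c, p)
}

// keystreamBlockXor computes the same value directly from the key. AES-GCM
// with a 12-byte nonce uses counter blocks nonce||ctr, and the first
// plaintext block is encrypted with ctr = 2 (ctr = 1 is reserved for the tag).
func keystreamBlockXor(key, maskedNonce []byte) []byte {
	block, _ := aes.NewCipher(key)
	ctr := func(i uint32) []byte {
		in := make([]byte, 16)
		copy(in, maskedNonce)
		binary.BigEndian.PutUint32(in[12:], i)
		out := make([]byte, 16)
		block.Encrypt(out, in)
		return out
	}
	return xor(ctr(2), ctr(3))
}

// Demo reports whether the ciphertext-derived value equals the key-only value.
func Demo() (bool, error) {
	key := bytes.Repeat([]byte{0x11}, 16)   // constructed sample key
	ikm := []byte("constructed sample IKM")  // constructed sample IKM
	salt := []byte("constructed sample salt") // constructed sample salt
	nonce := bytes.Repeat([]byte{0x22}, 12)  // constructed sample nonce
	plaintext := []byte("block one known!block two known!") // two 16-byte blocks
	maskedNonce, ct, err := maskedSeal(key, ikm, salt, nonce, plaintext)
	if err != nil {
		return false, err
	}
	fromCiphertext := adjacentBlockXor(ct, plaintext)
	fromKeyOnly := keystreamBlockXor(key, maskedNonce)
	return bytes.Equal(fromCiphertext, fromKeyOnly), nil
}

func main() {
	ok, err := Demo()
	fmt.Println("mask cancels, value depends only on key and nonce:", ok, err)
}
```

The comparison succeeds regardless of what `label[P]` derives, because the mask never survives the XOR of two blocks; the nonce mask (`label[N]`) still changes which counter blocks are used, which is the part the paper credits with improving the multi-user bound.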
