On Wed, Aug 17, 2016 at 03:09:51PM -0700, Eric Rescorla wrote:
> Issue:
>   https://github.com/tlswg/tls13-spec/issues/555
> 
> ADL suggested that we could slightly reduce the number of HKDF
> computations by generating the IVs as a single block rather than
> with individual HKDF-Expands. You can't generally do this kind
> of slice-and-dice and preserve the key boundary, but IVs are
> public anyway.

Except that to actually usefully make IVs public (without it just being
pointless disclosure), you would need MRAE, which is a strictly stronger
notion than the AE(AD) required by TLS. Neither GCM nor Poly1305 is
MRAE (and I don't think CCM is either).

Basically, doing generic encryption with AEAD is not possible. One
needs protocol-specific knowledge. This is because of the disaster
that a repeating nonce is. TLS 1.3 protocol-level prevention of
duplicate nonces does not help any here.

> At least for NSS, this makes things slightly more complicated
> because we generate the directional traffic keys independently,
> but it's also not a big deal to change if people want.

And yes, this makes code that generates the directions independently
(which is a reasonable thing to do even for a simple implementation)
quite a bit more annoying, as one needs to slice the IV buffer.

I also don't expect this to improve performance any: The code
will probably still generate directions independently, not saving
the other half of the IV, so it needs to be recomputed when the
other direction is computed.

So it complicates code for no actual benefit.
-Ilari
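An added illustration of the two derivation strategies debated above (per-direction HKDF-Expand-Label calls versus one double-length Expand sliced in half); this is example code, not code from the thread, NSS, or any TLS 1.3 draft. The label strings ("client write iv", "server write iv", "write ivs") and the RFC 8446-style "tls13 " prefix are assumptions for illustration, as is the sample traffic secret.

```python
import hashlib
import hmac
import struct

# Added example: the label strings below are assumed for illustration
# and are not taken from any TLS 1.3 draft; only the HKDF mechanics
# (RFC 5869) and the HkdfLabel shape (RFC 8446) are standard.

HASH = hashlib.sha256
IV_LEN = 12  # AES-GCM / ChaCha20-Poly1305 nonce length in TLS 1.3


def hkdf_expand(prk, info, length):
    """RFC 5869 HKDF-Expand with HMAC-SHA256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret, label, context, length):
    """HKDF-Expand over a length-prefixed HkdfLabel structure (RFC 8446 shape)."""
    full_label = b"tls13 " + label.encode("ascii")
    hkdf_label = (struct.pack("!H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def ivs_separately(traffic_secret):
    """One Expand per direction; either side can be computed on its own."""
    return (hkdf_expand_label(traffic_secret, "client write iv", b"", IV_LEN),
            hkdf_expand_label(traffic_secret, "server write iv", b"", IV_LEN))


def ivs_from_one_block(traffic_secret):
    """One 2*IV_LEN Expand sliced in half: computing either direction
    still costs the full block, so independent code recomputes it."""
    block = hkdf_expand_label(traffic_secret, "write ivs", b"", 2 * IV_LEN)
    return block[:IV_LEN], block[IV_LEN:]


if __name__ == "__main__":
    secret = bytes(range(32))  # constructed sample traffic secret
    print("separate:", [iv.hex() for iv in ivs_separately(secret)])
    print("sliced:  ", [iv.hex() for iv in ivs_from_one_block(secret)])
```

The two strategies yield different IV bytes for the same secret, so switching between them is a wire-visible change rather than an internal optimisation.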

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls