-
Notifications
You must be signed in to change notification settings - Fork 157
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Key comitting AEADs #241
Comments
I'm not sure it makes sense to work on these until there are some sort of standardized constructions which have evolved beyond the research (or internal corporate usage) stage. |
Adding to the list: |
I've been looking into implementing some of these lately. It seems the generic transformations will require a new Often, a generic transformation will be of the form "open AND check some value; succeed iff both succeed". In order for this to be constant time, Currently, most trait ClobberingDecryptor {
// Still to return `Result` because buffer or AAD might exceed max length
fn clobbering_decrypt(
&mut self,
buffer: &mut [u8],
aad: &[u8],
tag: &Tag,
) -> Result<Choice>;
// Re-encrypts the previously decrypted ciphertext; only called when opening fails
fn unclobber(&mut self, buffer: &mut [u8], tag: &Tag);
} Open to suggestions. Other alternatives include:
Also this would definitely be feature gated because nobody should reasonably use this. |
@rozbb perhaps build one or more implementations with inherent methods first? |
Sure, I can use a fork of AEADs and see how it goes.
… On Apr 29, 2022, at 09:42, Tony Arcieri ***@***.***> wrote:
@rozbb perhaps build one or more implementations with inherent methods first?
—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you were mentioned.
|
I have some preliminary key-committing AEADs running now. Here's an example of how I use the clobbering decryption feature. I settled on the Separately, there's the question of whether the |
As we move towards one-pass interleaved authentication/decryption (#74), they will all need to do this, as the MAC can't be verified until that pass is complete. |
It's maybe too soon to consider this here, but..
There are a few recent standards that started including key committing AEADs, notable anything extremely low-entropy like OPAQUE.
https://eprint.iacr.org/2017/664.pdf
https://eprint.iacr.org/2020/1491.pdf
https://eprint.iacr.org/2020/1153.pdf
There remain some gaps in the literature, like encrypt-then-MAC with either a KDF or KEX that yields a common encryption and MAC key sounds more committing than any of those articles indicates, and is already fairly standard practice.
The text was updated successfully, but these errors were encountered: