traits icon indicating copy to clipboard operation
traits copied to clipboard
verified publisher icon RustCrypto

Handling of algorithms which support variable key sizes

Open newpavlov opened this issue 5 months ago • 3 comments

This issue a follow up on https://github.com/RustCrypto/block-ciphers/issues/495

Right now API of the KeyInit/KeyIvInit/InnerInit traits support algorithms with variable key sizes (block ciphers and other algorithms built on top of them) using the new_from_slice(s) methods. For example, Blowfish supports key sizes from 4 to 56 bytes. The idea here is that the KeySize associated type indicates the "default" key size (usually the biggest key size), but if necessary algorithms could be initialized with key sizes which vary at runtime. The important difference between Blowfish and ciphers like AES (where we introduce separate block cipher types for each supported key size) is that for ciphers with variable key size support encryption/decryption does not depend on key size.

As argued by @tarcieri in the discussion, this approach may cause confusion when users want to support several key sizes, but do not know about the fact that we implemented support for them using the new_from_slice(s) methods. There is also a problem with some higher-level crates which do not properly account for variable key sizes. For example, ocb3 implements KeyInit directly without accounting for new_from_slice. Arguably, it should instead implement the InnerInit trait and rely on the blanket impls.

We have two options:

  1. Keep the current API and intent behind it intact. Improve docs to better explain how to deal with variable key sizes. Fix the higher-level crates.
  2. Make implementations generic over key sizes with appropriate trait bounds. It would make it clearer for users that the algorithm supports different key sizes. We would lose support for initializing algorithms with key sizes variable at runtime, but it's arguably an anti-pattern and not that important in practice. With this option it also may be reasonable to remove the new_from_slice(s) methods from our traits.

Personally, I lean towards the first option, but it's not a strong opinion.

newpavlov avatar Aug 06 '25 12:08 newpavlov

For serpent specifically I was thinking of adding a typed wrapper like SerpentN which is just a newtype for Serpent but generic around a phantom key size (and maybe a few type aliases like Serpent128/Serpent256). Purely additive and it would allow for the use of well-typed key sizes while still supporting the runtime dynamism of the current Serpent type. It would also avoid monomorphization bloat.

Though migrating the Serpent type completely to a generic phantom key size also makes sense to me, it's just less flexible (depending on if that flexibility is actually needed) and doesn't actually use the phantom key size parameter to e.g. size internal storage of the key schedule.

tarcieri avatar Aug 06 '25 12:08 tarcieri

Serpent is a bit special. While technically it supports variable key sizes (and we reflect it in our implementation), because of historic reasons officially it declares support only for 128, 192, and 256 bit keys. How about introducing Serpent128/192/256 types without the variable key size support and SerpentVar with it?

newpavlov avatar Aug 07 '25 23:08 newpavlov

Sure, sounds good

tarcieri avatar Aug 07 '25 23:08 tarcieri