
Feature Request: Nonce based AES-SIV

Open elansys-kc opened this issue 5 years ago • 1 comments

It would be nice to have AES-SIV available to golang as an AEAD with nonce misuse resistance.

elansys-kc avatar Feb 17 '20 11:02 elansys-kc

AES-SIV is available in golang as a deterministic AEAD. (see https://github.com/google/tink/tree/master/go/daead). In order to turn this into a nonce misuse resistant scheme, you can just use crypto/rand to generate some nonce (or generate the nonce differently, depending on your system, given that it is misuse resistant) and then put it into the associated data argument of the EncryptDeterministically call. Unfortunately our interfaces don't expose AES-SIV's option to have multiple pieces of associated data, but you can combine them, for example with this scheme:

package nmraead

import (
  "crypto/rand"
  "errors"

  "github.com/google/tink/go/tink"
)

const (
  nonceLength = 16
)

// NonceReuseResistantAEAD wraps a deterministic AEAD (e.g. Tink's AES-SIV) and
// mixes a fresh random nonce into the associated data on every Encrypt call.
type NonceReuseResistantAEAD struct {
  Primitive tink.DeterministicAEAD
}

// withNonce returns nonce || additionalData in a freshly allocated slice, so the
// append never writes into a buffer the caller still owns (in Decrypt, nonce is a
// sub-slice of the ciphertext, and appending onto it directly would overwrite the
// ciphertext bytes that follow it).
func withNonce(nonce, additionalData []byte) []byte {
  combined := make([]byte, 0, len(nonce)+len(additionalData))
  combined = append(combined, nonce...)
  return append(combined, additionalData...)
}

func (aead NonceReuseResistantAEAD) Encrypt(plaintext, additionalData []byte) ([]byte, error) {
  nonce := make([]byte, nonceLength)
  if _, err := rand.Read(nonce); err != nil {
    return nil, err
  }
  result, err := aead.Primitive.EncryptDeterministically(plaintext, withNonce(nonce, additionalData))
  if err != nil {
    return nil, err
  }
  // Output layout: nonce || deterministic ciphertext.
  return append(nonce, result...), nil
}

func (aead NonceReuseResistantAEAD) Decrypt(ciphertext, additionalData []byte) ([]byte, error) {
  if len(ciphertext) < nonceLength {
    return nil, errors.New("decryption failed")
  }
  nonce := ciphertext[:nonceLength]
  actualCiphertext := ciphertext[nonceLength:]
  return aead.Primitive.DecryptDeterministically(actualCiphertext, withNonce(nonce, additionalData))
}

(Hope I'm not messing up the golang append syntax, double check that before using it that it gets you what you want)

If you don't generate the nonce with a fixed length, you should ensure that it is length encoded before mixing it with the associated data.

Let me know if that works for you or if you'd prefer having an AEAD key type for this. (The biggest advantage of a nonce misuse resistant AEAD is that you can let users mess with the nonce, but Tink's AEAD interface doesn't really support messing with nonces)

sophieschmieg avatar Mar 24 '21 22:03 sophieschmieg
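The construction described in the comment above, as an added, self-contained example that is not part of the thread and not Tink's code. Because Tink's AES-SIV is a third-party dependency, the deterministic AEAD here is a stand-in built only from the Go standard library in the SIV shape (synthetic IV = HMAC-SHA256 over length-prefixed associated data and plaintext, body = AES-CTR under that IV); it is not RFC 5297 AES-SIV and exists only so the wrapper can be exercised offline. The `DeterministicAEAD` interface mirrors the method names used in the thread so the wrapper could be pointed at a real primitive instead. The wrapper also builds `nonce || ad` in a fresh slice, which matters on the decrypt path where the nonce is a sub-slice of the caller's ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

const nonceLength = 16

// DeterministicAEAD follows the method shape used in the thread (assumed here).
type DeterministicAEAD interface {
	EncryptDeterministically(plaintext, associatedData []byte) ([]byte, error)
	DecryptDeterministically(ciphertext, associatedData []byte) ([]byte, error)
}

// hmacSIV is a stand-in deterministic AEAD (NOT AES-SIV): IV = HMAC-SHA256(macKey,
// len(ad) || ad || plaintext)[:16], body = AES-CTR(encKey, IV, plaintext), output = IV || body.
type hmacSIV struct {
	macKey []byte
	block  cipher.Block
}

func newHMACSIV(macKey, encKey []byte) (*hmacSIV, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	return &hmacSIV{macKey: macKey, block: block}, nil
}

func (s *hmacSIV) siv(plaintext, ad []byte) []byte {
	mac := hmac.New(sha256.New, s.macKey)
	var l [8]byte // length-prefix ad so the (ad, plaintext) boundary cannot slide
	binary.BigEndian.PutUint64(l[:], uint64(len(ad)))
	mac.Write(l[:])
	mac.Write(ad)
	mac.Write(plaintext)
	return mac.Sum(nil)[:aes.BlockSize]
}

func (s *hmacSIV) EncryptDeterministically(plaintext, ad []byte) ([]byte, error) {
	iv := s.siv(plaintext, ad)
	out := make([]byte, aes.BlockSize+len(plaintext))
	copy(out, iv)
	cipher.NewCTR(s.block, iv).XORKeyStream(out[aes.BlockSize:], plaintext)
	return out, nil
}

func (s *hmacSIV) DecryptDeterministically(ciphertext, ad []byte) ([]byte, error) {
	if len(ciphertext) < aes.BlockSize {
		return nil, errors.New("decryption failed")
	}
	iv, body := ciphertext[:aes.BlockSize], ciphertext[aes.BlockSize:]
	plaintext := make([]byte, len(body))
	cipher.NewCTR(s.block, iv).XORKeyStream(plaintext, body)
	if !hmac.Equal(iv, s.siv(plaintext, ad)) { // verify before releasing plaintext
		return nil, errors.New("decryption failed")
	}
	return plaintext, nil
}

// NonceReuseResistantAEAD is the wrapper the thread sketches: a fresh random
// nonce per call, mixed into the associated data and prepended to the output.
type NonceReuseResistantAEAD struct{ Primitive DeterministicAEAD }

// withNonce builds nonce || ad in a NEW slice. Appending onto nonce directly
// would, in Decrypt, write over the ciphertext bytes that follow it.
func withNonce(nonce, ad []byte) []byte {
	combined := make([]byte, 0, len(nonce)+len(ad))
	combined = append(combined, nonce...)
	return append(combined, ad...)
}

func (a NonceReuseResistantAEAD) Encrypt(plaintext, ad []byte) ([]byte, error) {
	nonce := make([]byte, nonceLength) // fixed length, so no length encoding needed
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct, err := a.Primitive.EncryptDeterministically(plaintext, withNonce(nonce, ad))
	if err != nil {
		return nil, err
	}
	return append(nonce, ct...), nil // nonce || ciphertext
}

func (a NonceReuseResistantAEAD) Decrypt(ciphertext, ad []byte) ([]byte, error) {
	if len(ciphertext) < nonceLength {
		return nil, errors.New("decryption failed")
	}
	nonce, body := ciphertext[:nonceLength], ciphertext[nonceLength:]
	return a.Primitive.DecryptDeterministically(body, withNonce(nonce, ad))
}
```

With the stand-in, encrypting the same (plaintext, ad) twice through `hmacSIV` directly yields identical bytes, which is the deterministic-AEAD leak the thread is working around; through the wrapper the two ciphertexts differ, and if the nonce is ever repeated the only thing revealed is that the same message was sent again. The same wrapper works unchanged against a real AES-SIV primitive that satisfies the interface.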

I assume that the solution proposed by Sophie works here, and will close this accordingly. Please reopen if this doesn't apply.

tholenst avatar Jan 26 '23 15:01 tholenst