Add SIV #319
Add SIV #319
Conversation
|
Does this enable implementation of AES-GCM-SIV? |
|
I haven't looked at that draft yet but this PR implements the "predecessor" |
|
I've read a bit through the ML and I think we should wait until the RFC is finished to prevent something like #256. |
|
Okay I played a bit with the implementation and I'm going to add an incremental Also there should be a |
|
Just FYI - there is a bunch of |
thanks, but they don't help me now as this is only AES-SIV :) I found those: and I planned to hand-pick some of the cryptomator/siv-mode |
|
Now exists as RFC8452 (April 2019):
|
That would essentially be This PR looks interesting, but needs some love... or is it abandoned? |
Absolutely not abandoned, it just needs some love. |
|
My idea was to refactor what exists into a similar API to what we usually provide as I would not split it up into an iterative/incremental API. What do you think? Do you have a better idea? |
|
I'd like to see a variant that takes an array of pointers as well, for convenience for programs that build the set of ADs dynamically. |
The current API would satisfy that, right? It feels a bit unnatural/clumsy to use IMO, but I also don't see a better way to provide an API that can accomplish this. Do we even need another version of the API? |
|
Yes. Sorry, what I meant, I'd rather not lose that API if a |
Signed-off-by: Steffen Jaeckel <[email protected]>
Signed-off-by: Steffen Jaeckel <[email protected]>
|
I decided on a mix for |
|
Oh yeah, that looks like a fun one to debug ... seems like something makes the build of the new siv code with clang fail when It fails for |
sjaeckel
force-pushed
the
add/SIV
branch
2 times, most recently
from
8602492 to
dae0cd8
Compare
sjaeckel
force-pushed
the
add/SIV
branch
2 times, most recently
from
b591fea to
5822c65
Compare
|
While reading through the RFC before writing the documentation, I'm not so sure anymore if we should really hide the detail of "how a nonce is treated in SIV". I'm thinking of adding the nonce as a separate argument to the API, what do you think? Currently it's kind of hidden as it must be passed as the "last Additional to that I'm not so sure if the "only one-shot API" way is the good way (resp. if it's even usable outside of the testcases)! If it's used in some kind of network protocol, some state will most likely have to be persistent/incrementing and can't always restart from scratch ... or am I missing something? |
Signed-off-by: Steffen Jaeckel <[email protected]>
|
Actually, if you read RFC 5297 carefully, you can see that it doesn't stipulate that the nonce must be the last AD input, but rather that it's "for the purpose of interoperability"... which is, of course, a good choice. It's also perfectly possible not to have a nonce at all. So in essence, this comes down to what choices we give the developer using libtomcrypt. Me, I'm leaning toward leaving the choice of how to handle the nonce, if any, to the caller. It does mean that the caller must understand how a nonce can be handled, and how it should be handled for interop... but that's a question of documentation, no? Regarding "only one-shot API", I can't see any technical reason against having an incremental interface as well. But, must it be added in this PR, or could that be further development? |
sjaeckel
force-pushed
the
add/SIV
branch
2 times, most recently
from
4f25fa2 to
fd3df39
Compare
As a new private API. Signed-off-by: Steffen Jaeckel <[email protected]>
I've played a bit with the API and it feels just fine if the nonce has no separate API parameter.
It could be further development, but I'd prefer to think of how we'd name it then before merging this PR. I guess if we decided to have an iterative API, it should have two API functions Therefore I've renamed these APIs to |
* Rename `siv_{en,de}crypt()` to `siv_{en,de}crypt_memory()`.
* The number of AAD components per SIV operation must not exceed 126.
* Init OMAC only once per SIV operation.
All OMAC operations start off with the same key. Instead of
re-initializing the OMAC context for each operation, init once and
store the context.
* Add SIV to timing demo.
* Add 1000-times-encrypt-then-decrypt test for SIV.
* Update docs.
Signed-off-by: Steffen Jaeckel <[email protected]>
|
This is workable enough. |
Checklist
This is a PoC/RFC for adding the enc+auth mode RFC5297 SIV - Synthetic Initialization Vector.
Feel free to tear it apart, improvements on the API welcome.
I had to decide how to process the AD's
1 wasn't really an option AFAIU the RFC
whether 2 or 3 I was like ¯\_(ツ)_/¯ so I went for 3
I didn't really look if it would make sense to have the context exposed so we could split the processing up in
init()->add_ad()->{en,de}crypt()->done()