Documentation ¶
Overview ¶
Package hybrid provides subtle implementations of the HKDF and EC primitives.
The functionality of Hybrid Encryption is represented as a pair of primitives (interfaces):
- HybridEncrypt for encryption of data
- HybridDecrypt for decryption of data
Implementations of these interfaces are secure against adaptive chosen ciphertext attacks. In addition to the plaintext, encryption takes an extra parameter contextInfo, which usually is public data implicit from the context, but should be bound to the resulting ciphertext, i.e. the ciphertext allows for checking the integrity of contextInfo (but there are no guarantees with respect to the secrecy or authenticity of contextInfo).
Example:
package main

import (
	"fmt"
	"log"

	"github.com/google/tink/go/hybrid"
	"github.com/google/tink/go/keyset"
)

func main() {
	// Generate a private keyset; it holds the decryption key material.
	kh, err := keyset.NewHandle(hybrid.ECIESHKDFAES128CTRHMACSHA256KeyTemplate())
	if err != nil {
		log.Fatal(err)
	}

	// Encryption uses only the public half of the keyset.
	khPub, err := kh.Public()
	if err != nil {
		log.Fatal(err)
	}
	h, err := hybrid.NewHybridEncrypt(khPub)
	if err != nil {
		log.Fatal(err)
	}
	ct, err := h.Encrypt([]byte("secret message"), []byte("context info"))
	if err != nil {
		log.Fatal(err)
	}

	// Decryption uses the handle on the private key material and must be
	// given the same context info that was used for encryption.
	hd, err := hybrid.NewHybridDecrypt(kh)
	if err != nil {
		log.Fatal(err)
	}
	pt, err := hd.Decrypt(ct, []byte("context info"))
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%s\n", pt)
}
Index ¶
- func ECIESHKDFAES128CTRHMACSHA256KeyTemplate() *tinkpb.KeyTemplate
- func ECIESHKDFAES128GCMKeyTemplate() *tinkpb.KeyTemplate
- func NewHybridDecrypt(h *keyset.Handle) (tink.HybridDecrypt, error)
- func NewHybridDecryptWithKeyManager(h *keyset.Handle, km registry.KeyManager) (tink.HybridDecrypt, error)
- func NewHybridEncrypt(h *keyset.Handle) (tink.HybridEncrypt, error)
- func NewHybridEncryptWithKeyManager(h *keyset.Handle, km registry.KeyManager) (tink.HybridEncrypt, error)
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ECIESHKDFAES128CTRHMACSHA256KeyTemplate ¶
func ECIESHKDFAES128CTRHMACSHA256KeyTemplate() *tinkpb.KeyTemplate
ECIESHKDFAES128CTRHMACSHA256KeyTemplate is a KeyTemplate that generates a hybrid encryption key using ECDH over NIST P-256 for key encapsulation and AES128-CTR-HMAC-SHA256 for data encapsulation, with the following parameters:
- KEM: ECDH over NIST P-256
- DEM: AES128-CTR-HMAC-SHA256 with the following parameters:
  - AES key size: 16 bytes
  - AES CTR IV size: 16 bytes
  - HMAC key size: 32 bytes
  - HMAC tag size: 16 bytes
- KDF: HKDF-HMAC-SHA256 with an empty salt
func ECIESHKDFAES128GCMKeyTemplate ¶
func ECIESHKDFAES128GCMKeyTemplate() *tinkpb.KeyTemplate
ECIESHKDFAES128GCMKeyTemplate is a KeyTemplate that generates a hybrid encryption key using ECDH over NIST P-256 for key encapsulation and AES128-GCM for data encapsulation, with the following parameters:
- KEM: ECDH over NIST P-256
- DEM: AES128-GCM
- KDF: HKDF-HMAC-SHA256 with an empty salt
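The KEM and KDF parameters listed for both templates, worked through with the Go standard library to show one way contextInfo becomes bound to the ciphertext. This is an added sketch, not Tink's code or wire format. The names derive, Encapsulate and Decapsulate are hypothetical, and using contextInfo as the HKDF info input with the ephemeral point prepended to the shared secret is an assumption of the sketch.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// derive runs ECDH, then HKDF-HMAC-SHA256 with an empty salt, and returns a 16-byte DEM key.
func derive(own *ecdh.PrivateKey, peer *ecdh.PublicKey, kem, contextInfo []byte) ([]byte, error) {
	shared, err := own.ECDH(peer)
	if err != nil {
		return nil, err
	}
	ext := hmac.New(sha256.New, nil)                // HKDF-Extract; a nil key equals the empty salt
	ext.Write(bytes.Join([][]byte{kem, shared}, nil)) // assumed IKM: ephemeral point || shared secret
	exp := hmac.New(sha256.New, ext.Sum(nil))       // HKDF-Expand, first block T(1)
	exp.Write(bytes.Join([][]byte{contextInfo, {1}}, nil)) // assumed info: contextInfo, then counter 0x01
	return exp.Sum(nil)[:16], nil
}

// Encapsulate returns a fresh ephemeral P-256 point (sent with the ciphertext) and the DEM key.
func Encapsulate(pub *ecdh.PublicKey, contextInfo []byte) (kem, key []byte, err error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	kem = eph.PublicKey().Bytes()
	key, err = derive(eph, pub, kem, contextInfo)
	return kem, key, err
}

// Decapsulate recomputes the DEM key from the received point and the recipient's contextInfo.
func Decapsulate(priv *ecdh.PrivateKey, kem, contextInfo []byte) ([]byte, error) {
	ephPub, err := ecdh.P256().NewPublicKey(kem) // rejects malformed and off-curve points
	if err != nil {
		return nil, err
	}
	return derive(priv, ephPub, kem, contextInfo)
}

func main() {
	priv, _ := ecdh.P256().GenerateKey(rand.Reader) // constructed recipient key pair
	kem, key, _ := Encapsulate(priv.PublicKey(), []byte("context info"))
	other, _ := Decapsulate(priv, kem, []byte("other context"))
	fmt.Println("same key under a different contextInfo:", bytes.Equal(key, other))
}
```

A recipient that supplies a different contextInfo derives a different 16-byte key, so an authenticated DEM such as AES128-GCM or AES128-CTR-HMAC-SHA256 rejects the ciphertext under that key.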
func NewHybridDecrypt ¶
func NewHybridDecrypt(h *keyset.Handle) (tink.HybridDecrypt, error)
NewHybridDecrypt returns a HybridDecrypt primitive from the given keyset handle.
func NewHybridDecryptWithKeyManager ¶
func NewHybridDecryptWithKeyManager(h *keyset.Handle, km registry.KeyManager) (tink.HybridDecrypt, error)
NewHybridDecryptWithKeyManager returns a HybridDecrypt primitive from the given keyset handle and custom key manager.
func NewHybridEncrypt ¶
func NewHybridEncrypt(h *keyset.Handle) (tink.HybridEncrypt, error)
NewHybridEncrypt returns a HybridEncrypt primitive from the given keyset handle.
func NewHybridEncryptWithKeyManager ¶
func NewHybridEncryptWithKeyManager(h *keyset.Handle, km registry.KeyManager) (tink.HybridEncrypt, error)
NewHybridEncryptWithKeyManager returns a HybridEncrypt primitive from the given keyset handle and custom key manager.
Types ¶
This section is empty.