Documentation
Overview
Package subtle provides subtle implementations of the DeterministicAEAD primitive.
Constants
const (
	// AESSIVKeySize is the key size in bytes.
	AESSIVKeySize = 64
)
Variables
This section is empty.
Functions
This section is empty.
Types
type AESSIV
type AESSIV struct {
	// contains filtered or unexported fields
}
AESSIV is an implementation of AES-SIV-CMAC as defined in https://tools.ietf.org/html/rfc5297.
AESSIV implements deterministic encryption with associated data (i.e. the DeterministicAEAD interface). Hence the implementation below is restricted to one AD component.
Security Note:
Chatterjee, Menezes and Sarkar analyze AES-SIV in Section 5.1 of https://www.math.uwaterloo.ca/~ajmeneze/publications/tightness.pdf
Their analysis shows that AES-SIV is susceptible to an attack in a multi-user setting. Concretely, if an attacker knows the encryption of a message m encrypted and authenticated with k different keys, then it is possible to find one of the MAC keys in time 2^b / k, where b is the size of the MAC key. A consequence of this attack is that 128-bit MAC keys give insufficient security. Since 192-bit AES keys are not supported by Tink for voodoo reasons, and RFC 5297 only supports encryption and MAC keys of the same size, this implies that keys must be 64 bytes (2*256 bits) long.
func (*AESSIV) DecryptDeterministically
DecryptDeterministically deterministically decrypts ciphertext with associatedData.