Struct tink_daead::subtle::AesSiv

pub struct AesSiv { /* private fields */ }

AesSiv is an implementation of AES-SIV-CMAC as defined in RFC 5297.

AesSiv implements a deterministic encryption with additional data (i.e. the DeterministicAEAD trait). Hence the implementation below is restricted to one AD component.

Security Note:

Chatterjee, Menezes and Sarkar analyze AES-SIV in Section 5.1 of “Another Look at Tightness”

Their analysis shows that AES-SIV is susceptible to an attack in a multi-user setting. Concretely, if an attacker knows the encryption of a message m encrypted and authenticated with k different keys, then it is possible to find one of the MAC keys in time 2^b / k where b is the size of the MAC key. A consequence of this attack is that 128-bit MAC keys give unsufficient security. Since 192-bit AES keys are not supported by tink for voodoo reasons and RFC 5297 only supports same size encryption and MAC keys this implies that keys must be 64 bytes (2*256 bits) long.

Implementations

impl AesSiv

pub fn new(key: &[u8]) -> Result<AesSiv, TinkError>

Return an AesSiv instance.

Trait Implementations

impl Clone for AesSiv

fn clone(&self) -> AesSiv

Returns a copy of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl DeterministicAead for AesSiv

fn encrypt_deterministically( &self, plaintext: &[u8], additional_data: &[u8] ) -> Result<Vec<u8>, TinkError>

Deterministical encrypt plaintext with additional_data as additional authenticated data. The resulting ciphertext allows for checking authenticity and integrity of additional data additional_data, but there are no guarantees wrt. secrecy of that data.

fn decrypt_deterministically( &self, ciphertext: &[u8], additional_data: &[u8] ) -> Result<Vec<u8>, TinkError>

Deterministically decrypt ciphertext with additional_data as additional authenticated data. The decryption verifies the authenticity and integrity of the additional data, but there are no guarantees wrt. secrecy of that data.