Expand description
§REX Authentication
This module implements the integrity and authenticity layer for WHY2, utilizing an Encrypt-then-MAC scheme backed by HMAC-SHA256.
§Overview
While standard REX encryption guarantees confidentiality, it does not inherently prevent ciphertext manipulation (bit-flipping) or forgery. This module wraps encrypted data with a cryptographic authentication tag to ensure that:
- Data has not been modified in transit (Integrity).
- Data originated from a party knowing the shared secret (Authenticity).
§Algorithm
The authentication process computes a Message Authentication Code (MAC) over the serialized ciphertext and the initialization vector (Nonce).
$$ \text{Tag} = \text{HMAC-SHA256}(K_{mac}, \text{Nonce} \mathbin| \text{Ciphertext}) $$
The final authenticated package is constructed by prepending the tag to the data:
$$ \text{Packet} = \text{Tag} \mathbin| \text{Nonce} \mathbin| \text{Ciphertext} $$
§Binary Layout
When serialized for network transmission or storage, the byte stream follows this exact order:
+----------------------------+-----------------------+---------------------------+
| HMAC Tag (32 bytes) | Nonce (Grid Size) | Ciphertext (N * Grids) |
+----------------------------+-----------------------+---------------------------+
| Verified first (const-time)| Used for CTR setup | Encrypted payload |
+----------------------------+-----------------------+---------------------------+§Security Notes
- Constant-Time Verification: Tag comparison uses constant-time operations to prevent timing attacks.
- Independent Keys: It is strongly recommended to use different keys for encryption and authentication (or derive them via HKDF).
- Order of Operations: Verification MUST occur before decryption. If verification fails, the data is discarded immediately.
Structs§
- Authenticated
Data - Authenticated encryption data containing both MAC tag and encrypted data.