Skip to main content

Module auth

Module auth 

Source
Expand description

§REX Authentication

This module implements the integrity and authenticity layer for WHY2, utilizing an Encrypt-then-MAC scheme backed by HMAC-SHA256.

§Overview

While standard REX encryption guarantees confidentiality, it does not inherently prevent ciphertext manipulation (bit-flipping) or forgery. This module wraps encrypted data with a cryptographic authentication tag to ensure that:

  1. Data has not been modified in transit (Integrity).
  2. Data originated from a party knowing the shared secret (Authenticity).

§Algorithm

The authentication process computes a Message Authentication Code (MAC) over the serialized ciphertext and the initialization vector (Nonce).

$$ \text{Tag} = \text{HMAC-SHA256}(K_{mac}, \text{Nonce} \mathbin| \text{Ciphertext}) $$

The final authenticated package is constructed by prepending the tag to the data:

$$ \text{Packet} = \text{Tag} \mathbin| \text{Nonce} \mathbin| \text{Ciphertext} $$

§Binary Layout

When serialized for network transmission or storage, the byte stream follows this exact order:

+----------------------------+-----------------------+---------------------------+
| HMAC Tag (32 bytes)        | Nonce (Grid Size)     | Ciphertext (N * Grids)    |
+----------------------------+-----------------------+---------------------------+
| Verified first (const-time)| Used for CTR setup    | Encrypted payload         |
+----------------------------+-----------------------+---------------------------+

§Security Notes

  • Constant-Time Verification: Tag comparison uses constant-time operations to prevent timing attacks.
  • Independent Keys: It is strongly recommended to use different keys for encryption and authentication (or derive them via HKDF).
  • Order of Operations: Verification MUST occur before decryption. If verification fails, the data is discarded immediately.

Structs§

AuthenticatedData
Authenticated encryption data containing both MAC tag and encrypted data.