Comments (3)
There is also a slightly simpler version of my proposal:
kmac || pnonce = HChaCha12(n=({0}||id), k=key)
nonce = pnonce || random_data
e = XChaCha12(m=msg, n=nonce, k=key)
mac = Siphash(m= (random_data || e), ctx, kmac)
c = mac || random_data || e
If a random value is used anyway, there's no need to use kn
and because of XChaCha generates a subkey, we can use the "root" key here (it's never used directly for encryption)
This also reduce the overhead to |mac| + |random_data| = 16 + 8 = 24
.The random_data
would be 8 bytes long - so it's still secure to encrypt the same message with the same key and the same msg_id 2^32 times.
from libhydrogen.
Hi,
And congrats for your implementation!
One of the things hydrogen tries to mitigate is the implication of a completely broken PRNG, which is a common cause of security disasters on embedded systems.
If we have a PRNG, great. We can use it to generate unique nonces. If we don't, we have to work around it, i.e. compute deterministic nonces from the message. Both proposals would fail if the PRNG produced the same output twice.
Even if the PRNG is not that broken, but produces data that can be distinguished from random data, the second construction will clearly expose any bias of the PRNG in the ciphertext.
The first version will also expose all weaknesses of the PRNG if a (message, id, key)
is reused. Not so much after the diffusion provided by the extra call to the hash function. That extra call also provide better domain separation, doesn't do unusual things with the nonce, but more importantly, it incorporates the context in the computation of the ciphertext.
With your proposal, the same message encrypted with the same key and different context will produce different MACs, but the same ciphertext.
We're trying to mitigate the implications of a broken PRNG, repeated message ids (after all, this is optional, and if multiple devices are using the same key simultaneously, keeping counters is hard), and key reuse across multiple messages. All of these happening simultaneously is a realistic scenario.
The flipside is that it requires two passes over the message (if you consider the encryption+MAC computation as a single pass, which could be), and all the discussions about misuse-resistance never lead to a magical alternative to this.
A universal hash function could be used instead of a generic hash function in order to compute the nonce key and the MAC. That would be faster on some platforms, not so much on microcontrollers.
from libhydrogen.
Your right, a (completely) broken PRNG is something between bad and catastrophic. I didn't consider the implications of a broken PRNG in my proposals.
A bias of the PRNG could probably be fixed (e.g. use the output of HChaCha12(nonce) instead of the nonce itself), but I can't see how to defend against a PRNG, which produces the same output twice, in the "worst case" (key, msg_id, context
are the same).
Furthermore my proposals have some strange properties like:
With your proposal, the same message encrypted with the same key and different context will
produce different MACs, but the same ciphertext.
The solution I can image is exactly your approach.
from libhydrogen.
Related Issues (20)
- API Thoughts HOT 1
- hydro_random_init() get called twice HOT 1
- Sealed boxes support! HOT 2
- Linking issue on Android HOT 5
- Init RNG seeding seemingly very predictable on Arduino Uno HOT 11
- Flipping bit in secret key doesn't change results? HOT 1
- Problems compiling with clang 13 on windows HOT 2
- Secret key encryption without authentication HOT 2
- GCC 11 warnings read/accessing out of regions HOT 4
- What does hydro_hash_hash return, and under what conditions? HOT 3
- How to send a message using KK_variant Key exchange? HOT 6
- Leaked public keys of KK_variant? HOT 3
- Do KK_variant's Three functions perform the signing and public key encryption?
- Libhydrogen API hydro_kx_kk_2 getting failed in AIX HOT 2
- Error C4146 in Windows HOT 2
- Add Noise X and IK patterns
- using secretbox where the full payload isnt available/cant fit in memory?
- Is there a way to do signcryption with this library? HOT 7
- Additional Data HOT 1
- Is the text in the footer of all the Wiki pages intentional or vandalism? HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from libhydrogen.