Add authenticated encryption. #127
Conversation
porcuquine
force-pushed
the
encryption
branch
6 times, most recently
from
5fb3ea2
to
37d9893
Compare
porcuquine
force-pushed
the
encryption
branch
2 times, most recently
from
9aba397
to
c2a413a
Compare
porcuquine
force-pushed
the
encryption
branch
from
c2a413a
to
025e8c8
Compare
porcuquine
force-pushed
the
encryption
branch
from
025e8c8
to
f1f8e38
Compare
|
|
||
| if *tag != computed_tag { | ||
| return Err(Error::TagMismatch); | ||
| }; |
There was a problem hiding this comment.
If plaintext length does not not divide arity we should check that other elements are 0.
There was a problem hiding this comment.
In essence there is implicit padding applied during encryption (by not adding anything when calling duplex with smaller number of inputs), we need to verify that padding.
There was a problem hiding this comment.
I don't think we do need to verify it explicitly. It is implicitly checked by the final authentication tag. If you decrypt with the 'wrong' padding values, then you won't get the correct tag, and decryption will fail.
Do you mean something different? Can you give an example where what I described fails?
There was a problem hiding this comment.
I assume the nonce is part of a key in the implementation, not verifying the padding allows the same plaintext and key-nonce combination to encrypt into different ciphertext+tag. Which can be an issue for some applications.
Other than that I can't think off top of my head more significant negative for not verifying the padding in this case but it is recommended in both source documents.
There was a problem hiding this comment.
I think we resolved this in our conversation elsewhere, but please let me know if it still seems problematic.
There was a problem hiding this comment.
I think I will probably switch to always using explicit padding treated uniformly, for a different reason though. That will allow for a more uniform circuit — which will make proofs simpler in most cases.
|
Thanks for review, @Kubuxu. I decided to add variable-length messages, and will probably also extend to include multiple messages and headers in the same stream. So another commit with those changes (and a fix for the problem you noted) will be coming. Your having reviewed this one first will make following those changes simpler though. |
|
No problem. I will review updates as well. |
porcuquine
force-pushed
the
encryption
branch
from
c5c0628
to
7e3a9c4
Compare
|
@Kubuxu This still needs more work, but you can see generally where I'm going with it if you're interested. If you want to wait, I will also ping you when it's ready. |
porcuquine
force-pushed
the
encryption
branch
3 times, most recently
from
624354c
to
1b17425
Compare
porcuquine
force-pushed
the
encryption
branch
from
1b17425
to
f6e31ca
Compare
|
@porcuquine I think we should add nonce there, I know that nonce can be considered "part of the key" here because it is no different but for ease of use we should add it explicitly. |
As described in LNCS 7118 - Duplexing the Sponge: Single-Pass Authenticated Encryption and Other Applications and recommended in the Poseidon paper.
Details:
NOTE: This needs more attention and should not be merged. I don't yet have confidence in its overall correctness yet. I do want eyes on the DST construction, which is plausibly correct and will stay as it is unless a problem is found.
UPDATE: I somehow managed not to find this document (https://drive.google.com/file/d/1EVrP3DzoGbmzkRmYnyEDcIQcXVU7GlOd/edit) initially and instead chased pointers from the main Poseidon paper to https://link.springer.com/content/pdf/10.1007%2F978-3-642-28496-0_19.pdf . I may change this PR (potentially including the DST also) once I've had a chance to look at it in more detail.
It's not all bad: this made me think and understand what's going on better than I probably would have otherwise.
TODO:
support collection of intermediate authentication tags