-
Notifications
You must be signed in to change notification settings - Fork 200
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Trait for tweakable block ciphers #177
Comments
There was some discussion on RustCrypto/block-ciphers#459 about whether to model a tweak as an additional input to the block cipher encryption/decryption operation, or having a separate method that can mutate the block cipher state prior to performing an encrypt/decrypt operation. I thought I'd just note here that in the traditional definition of a tweakable block cipher, it's definitely modeled as a separate parameter, and is specifically described as a "new (second) input": https://people.eecs.berkeley.edu/~daw/papers/tweak-crypto02.pdf I was expecting the trait to look something along the lines of option (c) above. In all applications of tweakable block ciphers I'm familiar with, the tweak changes between invocations of the block cipher, so having it be a mutable part of the state seems like it's inviting accidental "tweak reuse". |
Unfortunately, there are several unresolved issues with this design. How many of the block cipher trait methods we want to duplicate in new tweak traits? Should tweakable block cipher implement both |
It would impact encrypt and decrypt methods. I don't think we should use blanket impls for these traits. I'm not even sure how they would work. To me they're just completely separate interfaces. |
I meant whether the tweakble traits should have methods like
They could work by passing a zero tweak to the tweakable methods. IIUC tweakable block ciphers are soemtimes used as simple block ciphers. |
I think they should have a shape similar to
For a blanket impl to make sense, that MUST be true 100% of the time, and I know of no such definition of tweakable block cipher that says that must always be the case. I can think of the following scenarios involving the relationship between tweaked and untweaked constructions, and while I don't have concrete examples, I don't think we can rule any of them out:
|
Maybe we could introduce a wrapper over tweakable block ciphers, something like |
Another option is to do something similar to what I was suggesting for the Such a trait could carry the value of the tweak as an associated constant. |
But IIUC such trait would mean that tweak is fixed for a tweakable block cipher, meaning that we will not be able to easily use tweaks for domain separation. Instead of the const wrapper a better option could be a wrapper with tweak set at runtime: struct RtTweak<C: TweakSizeUser> {
cipher: C,
tweak: Tweak<C>,
}
impl<C: TweakSizeUser> From<C> for RtTweak<C> {
fn from(cipher: C) -> Self {
Self { cipher, tweak: Default::default() }
}
}
impl<C: TweakSizeUser> RtTweak<C> {
fn set_tweak(&mut self, tweak: Tweak<C>) {
self.tweak = tweak;
}
}
// Blanket impls of BlockCipherEnc/Dec for RtTweak<C> Or we could do both similarly to |
BTW do you know tweakable block ciphers with tweak size bigger than 128 bits? Maybe we could use UPD: QARMAv2 supports 256 bit tweaks. |
A
Such an approach doesn't need customization: it's more of the opposite, it's codifying something specific about a particular algorithm. Allowing customization (which you've already described as not being possible without Otherwise, "tweak reuse" is an antipattern in true usages of tweakable block ciphers, IMO, similar to nonce reuse. -- Backing up: before we go down the path of even trying to support some automatic way to use tweakable block ciphers via the untweaked |
Threefish is an example of tweakable block cipher, thus ideally we need an appropriate trait for it.
One option is to use something like this:
Additional context can be found in the previous issue.
The text was updated successfully, but these errors were encountered: