Start implementing support for key commitment (incl. for the AD)

In order to do so, we output two AES blocks (256 bits) right after initialization, prior to absorbing the AD. This commitment is assumed to be send/stored/verified along with the authentication tag. It is not a replacement for that tag. Both need to be verified, hence it is reasonable for the commitment size to match the key size and not twice its size.
aegis-aead · May 15, 2024 · 986fb0f · 986fb0f
1 parent 71b4e60
commit 986fb0f
Show file tree

Hide file tree

Showing 2 changed files with 72 additions and 0 deletions.
diff --git a/src/aegis128l/aegis128l.c b/src/aegis128l/aegis128l.c
@@ -180,6 +180,35 @@ aegis128l_mac_init(aegis128l_state *st_, const uint8_t *k)
     implementation->state_init(st_, NULL, 0, npub, k);
 }
 
+int
+aegis128l_mac_init_with_commitment(aegis128l_state *st_, uint8_t *kc, const uint8_t *k)
+{
+    uint8_t out[32] = { 0 };
+    size_t  written;
+
+    aegis128l_mac_init(st_, k);
+    aegis128l_state_encrypt_update(st_, out, sizeof out, &written, out, sizeof out);
+    if (written != sizeof out) {
+        return -1;
+    }
+    memcpy(kc, out, aegis128l_COMMITBYTES);
+
+    return 0;
+}
+
+int
+aegis128l_mac_init_verify_commitment(aegis128l_state *st_, const uint8_t *kc, const uint8_t *k)
+{
+    uint8_t expeted_kc[aegis128l_COMMITBYTES];
+
+    if (aegis128l_mac_init_with_commitment(st_, expeted_kc, k) != 0) {
+        return -1;
+    }
+
+    COMPILER_ASSERT(aegis128l_COMMITBYTES == 16);
+    return aegis_verify_16(expeted_kc, kc);
+}
+
 int
 aegis128l_mac_update(aegis128l_state *st_, const uint8_t *m, size_t mlen)
 {

diff --git a/src/include/aegis128l.h b/src/include/aegis128l.h
@@ -20,6 +20,9 @@ extern "C" {
 /* The maximum length of an AEGIS authentication tag, in bytes */
 #define aegis128l_ABYTES_MAX 32
 
+/* The AEGIS commitment size, in bytes */
+#define aegis128l_COMMITBYTES aegis128l_KEYBYTES
+
 /*
  * When using AEGIS in incremental mode, this is the maximum number
  * of leftover ciphertext bytes that can be returned at finalization.
@@ -269,6 +272,46 @@ void aegis128l_decrypt_unauthenticated(uint8_t *m, const uint8_t *c, size_t clen
  */
 void aegis128l_mac_init(aegis128l_state *st_, const uint8_t *k);
 
+/*
+ * Initialize a state for generating a MAC, with key commitment.
+ *
+ * st_: state to initialize
+ * kc: key commitment output buffer (16 bytes)
+ * k: key input buffer (16 bytes)
+ *
+ * - The same key MUST NOT be used both for MAC and encryption.
+ * - The nonce is not used in the MAC mode (fixed to zero).
+ * - If the key is secret, the MAC is secure against forgery.
+ * - However, if the key is known, arbitrary inputs matching a tag can be efficiently computed.
+ *
+ * The recommended way to use the MAC mode is to generate a random key and keep it secret.
+ *
+ * After initialization, the state can be reused to generate multiple MACs by cloning it
+ * with `aegis128l_mac_state_clone()`.
+ */
+int aegis128l_mac_init_with_commitment(aegis128l_state *st_, uint8_t *kc, const uint8_t *k);
+
+/*
+ * Initialize a state for verifying a MAC with key commitment.
+ *
+ * st_: state to initialize
+ * kc: key commitment input buffer (16 bytes)
+ * k: key input buffer (16 bytes)
+ *
+ * - The same key MUST NOT be used both for MAC and encryption.
+ * - The nonce is not used in the MAC mode (fixed to zero).
+ * - If the key is secret, the MAC is secure against forgery.
+ * - However, if the key is known, arbitrary inputs matching a tag can be efficiently computed.
+ *
+ * The recommended way to use the MAC mode is to generate a random key and keep it secret.
+ *
+ * After initialization, the state can be reused to verify multiple MACs by cloning it
+ * with `aegis128l_mac_state_clone()`.
+ *
+ * Returns 0 if the key commitment matches, -1 otherwise.
+ */
+int aegis128l_mac_init_verify_commitment(aegis128l_state *st_, const uint8_t *kc, const uint8_t *k);
+
 /*
  * Update the MAC state with input data.
  *