Revert MAC key commitment API

README.md

@@ -10,9 +10,9 @@ Portable C implementations of the [AEGIS](https://datatracker.ietf.org/doc/draft
 - AEGIS-256 with 16 and 32 bytes tags (software, AES-NI, ARM Crypto)
 - AEGIS-256X2 with 16 and 32 bytes tags (software, VAES + AVX2, AES-NI, ARM Crypto)
 - AEGIS-256X4 with 16 and 32 bytes tags (software, AVX512, VAES + AVX2, AES-NI, ARM Crypto)
-- All variants of AEGIS-MAC, supporting incremental updates and key commitment
+- All variants of AEGIS-MAC, supporting incremental updates.
 - Encryption and decryption with attached and detached tags
-- Incremental encryption and decryption
+- Incremental encryption and decryption.
 - Unauthenticated encryption and decryption (not recommended - only implemented for specific protocols)
 - Deterministic pseudorandom stream generation.
 

src/aegis128l/aegis128l.c

@@ -180,35 +180,6 @@ aegis128l_mac_init(aegis128l_state *st_, const uint8_t *k)
     implementation->state_init(st_, NULL, 0, npub, k);
 }
 
-int
-aegis128l_mac_init_with_commitment(aegis128l_state *st_, uint8_t *kc, const uint8_t *k)
-{
-    uint8_t out[32] = { 0 };
-    size_t  written;
-
-    aegis128l_mac_init(st_, k);
-    aegis128l_state_encrypt_update(st_, out, sizeof out, &written, out, sizeof out);
-    if (written != sizeof out) {
-        return -1;
-    }
-    memcpy(kc, out, aegis128l_COMMITBYTES);
-
-    return 0;
-}
-
-int
-aegis128l_mac_init_verify_commitment(aegis128l_state *st_, const uint8_t *kc, const uint8_t *k)
-{
-    uint8_t expected_kc[aegis128l_COMMITBYTES];
-
-    if (aegis128l_mac_init_with_commitment(st_, expected_kc, k) != 0) {
-        return -1;
-    }
-
-    COMPILER_ASSERT(aegis128l_COMMITBYTES == 16);
-    return aegis_verify_16(expected_kc, kc);
-}
-
 int
 aegis128l_mac_update(aegis128l_state *st_, const uint8_t *m, size_t mlen)
 {

src/aegis128x2/aegis128x2.c

@@ -181,35 +181,6 @@ aegis128x2_mac_init(aegis128x2_state *st_, const uint8_t *k)
     implementation->state_init(st_, NULL, 0, npub, k);
 }
 
-int
-aegis128x2_mac_init_with_commitment(aegis128x2_state *st_, uint8_t *kc, const uint8_t *k)
-{
-    uint8_t out[32] = { 0 };
-    size_t  written;
-
-    aegis128x2_mac_init(st_, k);
-    aegis128x2_state_encrypt_update(st_, out, sizeof out, &written, out, sizeof out);
-    if (written != sizeof out) {
-        return -1;
-    }
-    memcpy(kc, out, aegis128x2_COMMITBYTES);
-
-    return 0;
-}
-
-int
-aegis128x2_mac_init_verify_commitment(aegis128x2_state *st_, const uint8_t *kc, const uint8_t *k)
-{
-    uint8_t expected_kc[aegis128x2_COMMITBYTES];
-
-    if (aegis128x2_mac_init_with_commitment(st_, expected_kc, k) != 0) {
-        return -1;
-    }
-
-    COMPILER_ASSERT(aegis128x2_COMMITBYTES == 16);
-    return aegis_verify_16(expected_kc, kc);
-}
-
 int
 aegis128x2_mac_update(aegis128x2_state *st_, const uint8_t *m, size_t mlen)
 {

src/aegis128x4/aegis128x4.c

@@ -182,35 +182,6 @@ aegis128x4_mac_init(aegis128x4_state *st_, const uint8_t *k)
     implementation->state_init(st_, NULL, 0, npub, k);
 }
 
-int
-aegis128x4_mac_init_with_commitment(aegis128x4_state *st_, uint8_t *kc, const uint8_t *k)
-{
-    uint8_t out[32] = { 0 };
-    size_t  written;
-
-    aegis128x4_mac_init(st_, k);
-    aegis128x4_state_encrypt_update(st_, out, sizeof out, &written, out, sizeof out);
-    if (written != sizeof out) {
-        return -1;
-    }
-    memcpy(kc, out, aegis128x4_COMMITBYTES);
-
-    return 0;
-}
-
-int
-aegis128x4_mac_init_verify_commitment(aegis128x4_state *st_, const uint8_t *kc, const uint8_t *k)
-{
-    uint8_t expected_kc[aegis128x4_COMMITBYTES];
-
-    if (aegis128x4_mac_init_with_commitment(st_, expected_kc, k) != 0) {
-        return -1;
-    }
-
-    COMPILER_ASSERT(aegis128x4_COMMITBYTES == 16);
-    return aegis_verify_16(expected_kc, kc);
-}
-
 int
 aegis128x4_mac_update(aegis128x4_state *st_, const uint8_t *m, size_t mlen)
 {

src/aegis256/aegis256.c

@@ -180,34 +180,6 @@ aegis256_mac_init(aegis256_state *st_, const uint8_t *k)
     implementation->state_init(st_, NULL, 0, npub, k);
 }
 
-int
-aegis256_mac_init_with_commitment(aegis256_state *st_, uint8_t *kc, const uint8_t *k)
-{
-    size_t written;
-
-    memset(kc, 0, aegis256_COMMITBYTES);
-    aegis256_mac_init(st_, k);
-    aegis256_state_encrypt_update(st_, kc, aegis256_COMMITBYTES, &written, kc,
-                                  aegis256_COMMITBYTES);
-    if (written != aegis256_COMMITBYTES) {
-        return -1;
-    }
-    return 0;
-}
-
-int
-aegis256_mac_init_verify_commitment(aegis256_state *st_, const uint8_t *kc, const uint8_t *k)
-{
-    uint8_t expected_kc[aegis256_COMMITBYTES];
-
-    if (aegis256_mac_init_with_commitment(st_, expected_kc, k) != 0) {
-        return -1;
-    }
-
-    COMPILER_ASSERT(aegis256_COMMITBYTES == 32);
-    return aegis_verify_32(expected_kc, kc);
-}
-
 int
 aegis256_mac_update(aegis256_state *st_, const uint8_t *m, size_t mlen)
 {

src/aegis256x2/aegis256x2.c

@@ -181,34 +181,6 @@ aegis256x2_mac_init(aegis256x2_state *st_, const uint8_t *k)
     implementation->state_init(st_, NULL, 0, npub, k);
 }
 
-int
-aegis256x2_mac_init_with_commitment(aegis256x2_state *st_, uint8_t *kc, const uint8_t *k)
-{
-    size_t written;
-
-    memset(kc, 0, aegis256x2_COMMITBYTES);
-    aegis256x2_mac_init(st_, k);
-    aegis256x2_state_encrypt_update(st_, kc, aegis256x2_COMMITBYTES, &written, kc,
-                                    aegis256x2_COMMITBYTES);
-    if (written != aegis256x2_COMMITBYTES) {
-        return -1;
-    }
-    return 0;
-}
-
-int
-aegis256x2_mac_init_verify_commitment(aegis256x2_state *st_, const uint8_t *kc, const uint8_t *k)
-{
-    uint8_t expected_kc[aegis256x2_COMMITBYTES];
-
-    if (aegis256x2_mac_init_with_commitment(st_, expected_kc, k) != 0) {
-        return -1;
-    }
-
-    COMPILER_ASSERT(aegis256x2_COMMITBYTES == 32);
-    return aegis_verify_32(expected_kc, kc);
-}
-
 int
 aegis256x2_mac_update(aegis256x2_state *st_, const uint8_t *m, size_t mlen)
 {

src/aegis256x4/aegis256x4.c

@@ -182,34 +182,6 @@ aegis256x4_mac_init(aegis256x4_state *st_, const uint8_t *k)
     implementation->state_init(st_, NULL, 0, npub, k);
 }
 
-int
-aegis256x4_mac_init_with_commitment(aegis256x4_state *st_, uint8_t *kc, const uint8_t *k)
-{
-    size_t written;
-
-    memset(kc, 0, aegis256x4_COMMITBYTES);
-    aegis256x4_mac_init(st_, k);
-    aegis256x4_state_encrypt_update(st_, kc, aegis256x4_COMMITBYTES, &written, kc,
-                                    aegis256x4_COMMITBYTES);
-    if (written != aegis256x4_COMMITBYTES) {
-        return -1;
-    }
-    return 0;
-}
-
-int
-aegis256x4_mac_init_verify_commitment(aegis256x4_state *st_, const uint8_t *kc, const uint8_t *k)
-{
-    uint8_t expected_kc[aegis256x4_COMMITBYTES];
-
-    if (aegis256x4_mac_init_with_commitment(st_, expected_kc, k) != 0) {
-        return -1;
-    }
-
-    COMPILER_ASSERT(aegis256x4_COMMITBYTES == 32);
-    return aegis_verify_32(expected_kc, kc);
-}
-
 int
 aegis256x4_mac_update(aegis256x4_state *st_, const uint8_t *m, size_t mlen)
 {

src/include/aegis128l.h

@@ -20,9 +20,6 @@ extern "C" {
 /* The maximum length of an AEGIS authentication tag, in bytes */
 #define aegis128l_ABYTES_MAX 32
 
-/* The AEGIS commitment size, in bytes */
-#define aegis128l_COMMITBYTES aegis128l_KEYBYTES
-
 /*
  * When using AEGIS in incremental mode, this is the maximum number
  * of leftover ciphertext bytes that can be returned at finalization.
@@ -315,46 +312,6 @@ int aegis128l_mac_verify(aegis128l_state *st_, const uint8_t *mac, size_t maclen
  */
 void aegis128l_mac_state_clone(aegis128l_state *dst, const aegis128l_state *src);
 
-/*
- * Initialize a state for generating a MAC, with key commitment.
- *
- * st_: state to initialize
- * kc: key commitment output buffer (16 bytes)
- * k: key input buffer (16 bytes)
- *
- * - The same key MUST NOT be used both for MAC and encryption.
- * - The nonce is not used in the MAC mode (fixed to zero).
- * - If the key is secret, the MAC is secure against forgery.
- * - However, if the key is known, arbitrary inputs matching a tag can be efficiently computed.
- *
- * The recommended way to use the MAC mode is to generate a random key and keep it secret.
- *
- * After initialization, the state can be reused to generate multiple MACs by cloning it
- * with `aegis128l_mac_state_clone()`.
- */
-int aegis128l_mac_init_with_commitment(aegis128l_state *st_, uint8_t *kc, const uint8_t *k);
-
-/*
- * Initialize a state for verifying a MAC with key commitment.
- *
- * st_: state to initialize
- * kc: key commitment input buffer (16 bytes)
- * k: key input buffer (16 bytes)
- *
- * - The same key MUST NOT be used both for MAC and encryption.
- * - The nonce is not used in the MAC mode (fixed to zero).
- * - If the key is secret, the MAC is secure against forgery.
- * - However, if the key is known, arbitrary inputs matching a tag can be efficiently computed.
- *
- * The recommended way to use the MAC mode is to generate a random key and keep it secret.
- *
- * After initialization, the state can be reused to verify multiple MACs by cloning it
- * with `aegis128l_mac_state_clone()`.
- *
- * Returns 0 if the key commitment matches, -1 otherwise.
- */
-int aegis128l_mac_init_verify_commitment(aegis128l_state *st_, const uint8_t *kc, const uint8_t *k);
-
 #ifdef __cplusplus
 }
 #endif

src/include/aegis128x2.h

@@ -20,9 +20,6 @@ extern "C" {
 /* The maximum length of an AEGIS authentication tag, in bytes */
 #define aegis128x2_ABYTES_MAX 32
 
-/* The AEGIS commitment size, in bytes */
-#define aegis128x2_COMMITBYTES aegis128x2_KEYBYTES
-
 /*
  * When using AEGIS in incremental mode, this is the maximum number
  * of leftover ciphertext bytes that can be returned at finalization.
@@ -315,47 +312,6 @@ int aegis128x2_mac_verify(aegis128x2_state *st_, const uint8_t *mac, size_t macl
  */
 void aegis128x2_mac_state_clone(aegis128x2_state *dst, const aegis128x2_state *src);
 
-/*
- * Initialize a state for generating a MAC, with key commitment.
- *
- * st_: state to initialize
- * kc: key commitment output buffer (16 bytes)
- * k: key input buffer (16 bytes)
- *
- * - The same key MUST NOT be used both for MAC and encryption.
- * - The nonce is not used in the MAC mode (fixed to zero).
- * - If the key is secret, the MAC is secure against forgery.
- * - However, if the key is known, arbitrary inputs matching a tag can be efficiently computed.
- *
- * The recommended way to use the MAC mode is to generate a random key and keep it secret.
- *
- * After initialization, the state can be reused to generate multiple MACs by cloning it
- * with `aegis128x2_mac_state_clone()`.
- */
-int aegis128x2_mac_init_with_commitment(aegis128x2_state *st_, uint8_t *kc, const uint8_t *k);
-
-/*
- * Initialize a state for verifying a MAC with key commitment.
- *
- * st_: state to initialize
- * kc: key commitment input buffer (16 bytes)
- * k: key input buffer (16 bytes)
- *
- * - The same key MUST NOT be used both for MAC and encryption.
- * - The nonce is not used in the MAC mode (fixed to zero).
- * - If the key is secret, the MAC is secure against forgery.
- * - However, if the key is known, arbitrary inputs matching a tag can be efficiently computed.
- *
- * The recommended way to use the MAC mode is to generate a random key and keep it secret.
- *
- * After initialization, the state can be reused to verify multiple MACs by cloning it
- * with `aegis128x2_mac_state_clone()`.
- *
- * Returns 0 if the key commitment matches, -1 otherwise.
- */
-int aegis128x2_mac_init_verify_commitment(aegis128x2_state *st_, const uint8_t *kc,
-                                          const uint8_t *k);
-
 #ifdef __cplusplus
 }
 #endif

src/include/aegis128x4.h

@@ -20,9 +20,6 @@ extern "C" {
 /* The maximum length of an AEGIS authentication tag, in bytes */
 #define aegis128x4_ABYTES_MAX 32
 
-/* The AEGIS commitment size, in bytes */
-#define aegis128x4_COMMITBYTES aegis128x4_KEYBYTES
-
 /*
  * When using AEGIS in incremental mode, this is the maximum number
  * of leftover ciphertext bytes that can be returned at finalization.
@@ -315,47 +312,6 @@ int aegis128x4_mac_verify(aegis128x4_state *st_, const uint8_t *mac, size_t macl
  */
 void aegis128x4_mac_state_clone(aegis128x4_state *dst, const aegis128x4_state *src);
 
-/*
- * Initialize a state for generating a MAC, with key commitment.
- *
- * st_: state to initialize
- * kc: key commitment output buffer (16 bytes)
- * k: key input buffer (16 bytes)
- *
- * - The same key MUST NOT be used both for MAC and encryption.
- * - The nonce is not used in the MAC mode (fixed to zero).
- * - If the key is secret, the MAC is secure against forgery.
- * - However, if the key is known, arbitrary inputs matching a tag can be efficiently computed.
- *
- * The recommended way to use the MAC mode is to generate a random key and keep it secret.
- *
- * After initialization, the state can be reused to generate multiple MACs by cloning it
- * with `aegis128x4_mac_state_clone()`.
- */
-int aegis128x4_mac_init_with_commitment(aegis128x4_state *st_, uint8_t *kc, const uint8_t *k);
-
-/*
- * Initialize a state for verifying a MAC with key commitment.
- *
- * st_: state to initialize
- * kc: key commitment input buffer (16 bytes)
- * k: key input buffer (16 bytes)
- *
- * - The same key MUST NOT be used both for MAC and encryption.
- * - The nonce is not used in the MAC mode (fixed to zero).
- * - If the key is secret, the MAC is secure against forgery.
- * - However, if the key is known, arbitrary inputs matching a tag can be efficiently computed.
- *
- * The recommended way to use the MAC mode is to generate a random key and keep it secret.
- *
- * After initialization, the state can be reused to verify multiple MACs by cloning it
- * with `aegis128x4_mac_state_clone()`.
- *
- * Returns 0 if the key commitment matches, -1 otherwise.
- */
-int aegis128x4_mac_init_verify_commitment(aegis128x4_state *st_, const uint8_t *kc,
-                                          const uint8_t *k);
-
 #ifdef __cplusplus
 }
 #endif