libcrux/hpke/
aead.rs

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
//! # Authenticated Encryption (AEAD)
//!
//! > 💡 This is a hacspec representation of the [HPKE RFC].
//! > The text is mostly verbatim from the RFC with changes where required.
//! > It demonstrates the possibilities of hacspec for specifications.
//!
//! - [`Seal(key, nonce, aad, pt)`](`AeadSeal`): Encrypt and authenticate plaintext
//! `pt` with associated data `aad` using symmetric key `key` and nonce
//! `nonce`, yielding ciphertext and tag `ct`. This function
//!  can raise a [`MessageLimitReachedError`](`HpkeError::MessageLimitReachedError`) upon failure.
//! - [`Open(key, nonce, aad, ct)`](`AeadOpen`): Decrypt ciphertext and tag `ct` using
//! associated data `aad` with symmetric key `key` and nonce `nonce`,
//! returning plaintext message `pt`. This function can raise an
//! [`OpenError`](`HpkeError::OpenError`) or [`MessageLimitReachedError`](`HpkeError::MessageLimitReachedError`) upon failure.
//! - [`Nk`]: The length in bytes of a key for this algorithm.
//! - [`Nn`]: The length in bytes of a nonce for this algorithm.
//! - [`Nt`]: The length in bytes of the authentication tag for this algorithm.
//!
//! ## Security Requirements on an AEAD
//!
//! All AEADs MUST be IND-CCA2-secure, as is currently true for all AEADs
//! listed in [`AEAD`].
//!
//! [hpke rfc]: https://datatracker.ietf.org/doc/draft-irtf-cfrg-hpke/
//! [publication queue]: https://www.rfc-editor.org/current_queue.php
#![allow(
    non_camel_case_types,
    non_snake_case,
    unused_imports,
    non_upper_case_globals
)]

use crate::{
    aead::{self, *},
    hmac::tag_size,
};

use super::errors::*;

type AeadAlgResult = Result<Algorithm, HpkeError>;

/// ## Authenticated Encryption with Associated Data (AEAD) Functions
///
/// The `0xFFFF` AEAD ID is reserved for applications which only use the Export
/// interface; see HPKE for more details.
///
/// | Value  | AEAD             | Nk  | Nn  | Nt  | Reference |
/// | :----- | :--------------- | :-- | :-- | :-- | :-------- |
/// | 0x0000 | (reserved)       | N/A | N/A | N/A | N/A       |
/// | 0x0001 | AES-128-GCM      | 16  | 12  | 16  | [GCM]     |
/// | 0x0002 | AES-256-GCM      | 32  | 12  | 16  | [GCM]     |
/// | 0x0003 | ChaCha20Poly1305 | 32  | 12  | 16  | [RFC8439] |
/// | 0xFFFF | Export-only      | N/A | N/A | N/A | RFCXXXX   |
///
/// The "HPKE AEAD Identifiers" registry lists identifiers for authenticated
/// encryption with associated data (AEAD) algorithms defined for use with HPKE.
/// These identifiers are two-byte values, so the maximum possible value is
/// 0xFFFF = 65535.
///
/// Template:
///
/// * Value: The two-byte identifier for the algorithm
/// * AEAD: The name of the algorithm
/// * Nk: The length in bytes of a key for this algorithm
/// * Nn: The length in bytes of a nonce for this algorithm
/// * Nt: The length in bytes of an authentication tag for this algorithm
/// * Reference: Where this algorithm is defined
///
/// [GCM]: https://doi.org/10.6028/nist.sp.800-38d
/// [RFC8439]: https://www.rfc-editor.org/info/rfc8439
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum AEAD {
    /// 0x0001
    AES_128_GCM,
    /// 0x0002
    AES_256_GCM,
    /// 0x0003
    ChaCha20Poly1305,
    /// 0xFFFF
    Export_only,
}

/// The length in bytes of a key for this algorithm.
///
/// See [`AEAD`] for details.
pub fn Nk(aead_id: AEAD) -> usize {
    match aead_id {
        AEAD::AES_128_GCM => 16,
        AEAD::AES_256_GCM => 32,
        AEAD::ChaCha20Poly1305 => 32,
        AEAD::Export_only => 0,
    }
}

/// The length in bytes of the authentication tag for this algorithm.
///
/// See [`AEAD`] for details.
pub fn Nt(aead_id: AEAD) -> usize {
    match aead_id {
        AEAD::AES_128_GCM => 16,
        AEAD::AES_256_GCM => 16,
        AEAD::ChaCha20Poly1305 => 16,
        AEAD::Export_only => 0,
    }
}

/// The length in bytes of a nonce for this algorithm.
///
/// See [`AEAD`] for details.
pub fn Nn(aead_id: AEAD) -> usize {
    match aead_id {
        AEAD::AES_128_GCM => 12,
        AEAD::AES_256_GCM => 12,
        AEAD::ChaCha20Poly1305 => 12,
        AEAD::Export_only => 0,
    }
}

/// An AEAD key is a sequence of bytes.
pub type Key = Vec<u8>;

/// An AEAD nonce is a sequence of bytes.
pub type Nonce = Vec<u8>;

fn alg_for_aead(aead_id: AEAD) -> AeadAlgResult {
    match aead_id {
        AEAD::AES_128_GCM => AeadAlgResult::Ok(Algorithm::Aes128Gcm),
        AEAD::AES_256_GCM => AeadAlgResult::Ok(Algorithm::Aes256Gcm),
        AEAD::ChaCha20Poly1305 => AeadAlgResult::Ok(Algorithm::Chacha20Poly1305),
        AEAD::Export_only => AeadAlgResult::Err(HpkeError::UnsupportedAlgorithm),
    }
}

/// Encrypt and authenticate plaintext `pt` with associated data `aad` using
/// symmetric key `key` and nonce `nonce`, yielding ciphertext and tag `ct`.
/// This function can raise a [`MessageLimitReachedError`](`HpkeError::MessageLimitReachedError`) upon failure.
pub fn AeadSeal(aead_id: AEAD, key: &Key, nonce: &Nonce, aad: &[u8], pt: &[u8]) -> HpkeBytesResult {
    let algorithm = alg_for_aead(aead_id)?;
    let key = aead::Key::from_slice(algorithm, key)?;
    match encrypt_detached(&key, pt, Iv::new(nonce)?, aad) {
        Ok((tag, mut ct)) => {
            ct.extend_from_slice(tag.as_ref());
            HpkeBytesResult::Ok(ct)
        }
        Err(_) => HpkeBytesResult::Err(HpkeError::CryptoError),
    }
}

/// Decrypt ciphertext and tag `ct` using
/// associated data `aad` with symmetric key `key` and nonce `nonce`,
/// returning plaintext message `pt`. This function can raise an
/// [`OpenError`](`HpkeError::OpenError`) or [`MessageLimitReachedError`](`HpkeError::MessageLimitReachedError`) upon failure.
pub fn AeadOpen(aead_id: AEAD, key: &Key, nonce: &Nonce, aad: &[u8], ct: &[u8]) -> HpkeBytesResult {
    let algorithm = alg_for_aead(aead_id)?;
    let key = aead::Key::from_slice(algorithm, key)?;
    let mut ct = ct.to_vec();
    let tag = ct.split_off(ct.len() - Nt(aead_id));
    match decrypt_detached(&key, ct, Iv::new(nonce)?, aad, &Tag::from_slice(tag)?) {
        Ok(pt) => HpkeBytesResult::Ok(pt.into()),
        Err(_) => HpkeBytesResult::Err(HpkeError::CryptoError),
    }
}