newpavlov
commented
4 weeks ago We probably should first add a trait for tweakable block ciphers, see: https://github.com/RustCrypto/traits/issues/177
Open k3rb3ros opened 4 weeks ago
newpavlov
commented
4 weeks ago We probably should first add a trait for tweakable block ciphers, see: https://github.com/RustCrypto/traits/issues/177
k3rb3ros
commented
4 weeks ago That would be great. What's the timeline for feature development in RustCrypto like that? Weeks, months, years?
tarcieri
commented
4 weeks ago Weeks (or less) if you want to get it into an unstable release, depending on the quality of the PR
tarcieri
commented
4 weeks ago (I would personally love to see traits for tweakable block ciphers land finally)
newpavlov
commented
3 weeks ago I guess the main question is what API style should we use: one where we pass tweak during en/decryption of each block, or one where we modify block cipher state with a &mut self method. Initially, I thought to use the former, but the latter should be more composable and will require less changes in the cipher crate, but it may be less convenient in cases where users want to keep cipher state immutable.
k3rb3ros
commented
3 weeks ago Personally, I think encapsulating cipher state from the users is a better approach, but I don't have much context on the RustCrypto project and I'm not a cryptographer. I'm just a dude on the internet who wants a feature. Although, as you said adding tweak to every cipher operation would require the greatest number of changes. You could also add additional encrypt/decrypt functions that take a tweak and then turn the existing encrypt functions into wrapper functions that call the tweak parameter versions with a zeroed-out tweak.
tarcieri
commented
3 weeks ago Maybe https://github.com/RustCrypto/traits/issues/177 is a better place for these discussions?
Currently, there is no way to update the tweak value between successive encrypt/decrypt calls without creating a new cipher instance. This is inefficient and it would be appreciated if you added a way to update the tweak without creating a new cipher instance. I'm not sure it would be possible to add given that your current implementation stores all of the cipher state in a giant array
sk, but in the original C implementationkeyCtxis passed into every encrypt/decrypt call, which allowed the tweak to be changed between cipher calls without mucking with the rest of the cipher state.