This is a note about how we intend to use AES encryption, and the need for multi-channel support.

We're using AES-GCM-SIV, with the goal of performing AES on the DCP/CAAM, and accelerating the GHASH-like universal hash function (POLYVAL) using NEON instructions on the M7.

Notably AES-GCM-SIV uses 2 AES keys: it's keyed with a single AES key (I'd like to use the UNIQUE key for this), but uses AES as a KDF / CTR-DRBG in order to derive a per-nonce child key: https://github.com/RustCrypto/AEADs/blob/master/aes-gcm-siv/src/lib.rs#L259

To make that work, we'll need multiple AES channels. In practice I think it will look something like:

Channel 0: dedicated to the UNIQUE key (by virtue of Armistice keeping the UNIQUE key's AES instance around in perpetuity)
Channel 1: used by either the subkey derived for the UNIQUE key, or as the parent/key-generating-key of an AES-GCM-SIV instance with a key instantiated from a bytestring
Channel 2: used as the subkey for AES-GCM-SIV operations which aren't using hardware-backed keys
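To make the channel layout above concrete, here is an added example (not Armistice or RustCrypto code) of the per-nonce key derivation that AES-GCM-SIV performs, as specified in RFC 8452 section 4: the parent key encrypts a series of counter||nonce blocks and the first 8 bytes of each output are concatenated into the POLYVAL key and the record-encryption key. The derivation is written against an assumed `AesChannel` trait so that the parent key (channel 0, the UNIQUE key) and the derived record key (channel 1) are distinct engine slots; the software AES-128 is a constructed stand-in for the DCP/CAAM, and the key and nonce values in `main` are made up for the demo.

```rust
/// One AES engine slot that holds a key and encrypts single blocks with it
/// (assumed abstraction over a DCP/CAAM channel; not a real driver API).
pub trait AesChannel {
    fn encrypt_block(&self, block: [u8; 16]) -> [u8; 16];
}

/// Pure-software AES-128, a constructed stand-in for a hardware channel.
pub struct SoftAes128 {
    round_keys: [[u8; 16]; 11],
    sbox: [u8; 256],
}

/// Multiply by x in GF(2^8) with the AES polynomial.
fn xtime(b: u8) -> u8 {
    (b << 1) ^ if b & 0x80 != 0 { 0x1b } else { 0 }
}

/// Build the S-box from the GF(2^8) inverse plus the affine map, so no table is needed.
fn build_sbox() -> [u8; 256] {
    let mut s = [0u8; 256];
    let (mut p, mut q) = (1u8, 1u8);
    loop {
        p ^= (p << 1) ^ if p & 0x80 != 0 { 0x1b } else { 0 }; // p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4;                  // q /= 3
        if q & 0x80 != 0 { q ^= 0x09; }
        s[p as usize] = q ^ q.rotate_left(1) ^ q.rotate_left(2) ^ q.rotate_left(3) ^ q.rotate_left(4) ^ 0x63;
        if p == 1 { break; }
    }
    s[0] = 0x63;
    s
}

impl SoftAes128 {
    pub fn new(key: &[u8; 16]) -> Self {
        let sbox = build_sbox();
        let mut rk = [[0u8; 16]; 11];
        rk[0] = *key;
        let mut rcon = 1u8;
        for r in 1..11 {
            let prev = rk[r - 1];
            // RotWord, SubWord and Rcon applied to the last word of the previous round key.
            let mut t = [prev[13], prev[14], prev[15], prev[12]];
            for b in t.iter_mut() { *b = sbox[*b as usize]; }
            t[0] ^= rcon;
            rcon = xtime(rcon);
            for i in 0..16 {
                let x = if i < 4 { t[i] } else { rk[r][i - 4] };
                rk[r][i] = prev[i] ^ x;
            }
        }
        SoftAes128 { round_keys: rk, sbox }
    }
}

impl AesChannel for SoftAes128 {
    fn encrypt_block(&self, block: [u8; 16]) -> [u8; 16] {
        let mut st = block; // column-major state: byte index = col * 4 + row
        for (b, k) in st.iter_mut().zip(&self.round_keys[0]) { *b ^= *k; }
        for r in 1..11 {
            for b in st.iter_mut() { *b = self.sbox[*b as usize]; } // SubBytes
            let t = st; // ShiftRows: row i rotates left by i
            for c in 0..4 { for row in 0..4 { st[c * 4 + row] = t[((c + row) % 4) * 4 + row]; } }
            if r != 10 { // MixColumns on every round but the last
                for c in 0..4 {
                    let col = [st[c * 4], st[c * 4 + 1], st[c * 4 + 2], st[c * 4 + 3]];
                    let all = col[0] ^ col[1] ^ col[2] ^ col[3];
                    for i in 0..4 { st[c * 4 + i] = col[i] ^ all ^ xtime(col[i] ^ col[(i + 1) % 4]); }
                }
            }
            for (b, k) in st.iter_mut().zip(&self.round_keys[r]) { *b ^= *k; } // AddRoundKey
        }
        st
    }
}

/// RFC 8452 section 4 for AES-128: derive the POLYVAL (authentication) key and the
/// per-nonce record-encryption key from the parent channel. Counters 0 and 1 feed the
/// authentication key, counters 2 and 3 the encryption key; only 8 bytes of each AES
/// output are kept.
pub fn derive_record_keys(parent: &impl AesChannel, nonce: &[u8; 12]) -> ([u8; 16], [u8; 16]) {
    let mut out = [0u8; 32];
    for (i, chunk) in out.chunks_mut(8).enumerate() {
        let mut block = [0u8; 16];
        block[..4].copy_from_slice(&(i as u32).to_le_bytes()); // little-endian counter
        block[4..].copy_from_slice(nonce);
        chunk.copy_from_slice(&parent.encrypt_block(block)[..8]);
    }
    let (mut auth, mut enc) = ([0u8; 16], [0u8; 16]);
    auth.copy_from_slice(&out[..16]);
    enc.copy_from_slice(&out[16..]);
    (auth, enc)
}

fn main() {
    // Constructed values: a stand-in UNIQUE key living in channel 0 and a per-record nonce.
    let channel0 = SoftAes128::new(&[0x42; 16]);
    let nonce = [0x03u8; 12];
    let (polyval_key, record_key) = derive_record_keys(&channel0, &nonce);
    // The derived record key gets its own slot; channel 0 is only ever used as a KDF.
    let channel1 = SoftAes128::new(&record_key);
    println!("POLYVAL key (software, NEON on the M7): {:02x?}", polyval_key);
    println!("channel 1 test block: {:02x?}", channel1.encrypt_block([0u8; 16]));
}
```

The point of the trait boundary is that nothing above `main` needs the parent key bytes: a hardware-backed channel 0 can derive channel 1's key without the UNIQUE key ever leaving the engine, while the POLYVAL key (which is never used as an AES key) is handed to software. RFC 8452 Appendix C lists record-authentication and record-encryption keys per test vector, which is the right way to check a real implementation of this derivation.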