tink-crypto / tink

Tink is a multi-language, cross-platform, open source library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse.
https://developers.google.com/tink
Apache License 2.0
13.47k stars 1.18k forks

Is there a specific reason for java hybrid encryption to be limited to 128bit security #647

Closed ghost closed 1 year ago

ghost commented 1 year ago

I can see it has been developed up to 256bit in python

rafa-mczk commented 1 year ago

Hi zjmo,

Thank you for your message.

I suspect you mean support for AES-256 in the AEAD component of a Hybrid Encryption cipher suite, and not overall bit security, right? I'm asking because some Python key templates indeed support AES-256, but note that these hybrid encryption configurations do not achieve more than 128 bits of security for all components in the cipher suite.

For example, the usage of X25519 for the key encapsulation part achieves ~128 bits of security only. Note also that Tink documentation does not claim anything other than "at least 128 bits of security" (except for RSA-based ciphers) in our documentation.

Now back to your question. :) There's no reason for not supporting AES-256 in Tink Java hybrid encryption as well. Thanks for the suggestion. We just need to add these key templates to our Java implementation as well, and we will work on this shortly. Stay tuned! :)

Rafael

ghost commented 1 year ago

I see, just checked again and realized it is indeed a 128 bit asymmetric wrapper DHKEM_X25519_HKDF_SHA256_HKDF_SHA256_AES_256_GCM. Anyway, why not use the other 512 bit EC curve for wrapping? Is it not suitable for the purpose or just not necessary?

tholenst commented 1 year ago

You can use this already with e.g.

KeysetHandle.generateNew(KeyTemplates.get("DHKEM_X25519_HKDF_SHA256_HKDF_SHA256_AES_256_GCM"));

Let me know if that doesn't work for you.

tholenst commented 1 year ago

(To clarify -- reopen if this problem still exists).
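An added example, not part of the original thread and not code from the Tink project: a full round trip in Tink Java using the template named above, including a check that a mismatched context info is rejected. The class name, the sample message and the context strings are constructed for illustration; it assumes a Tink Java release in which this template is registered.

```java
import com.google.crypto.tink.HybridDecrypt;
import com.google.crypto.tink.HybridEncrypt;
import com.google.crypto.tink.KeyTemplates;
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.hybrid.HybridConfig;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;

// Hypothetical class name, used only for this example.
public final class HpkeAes256Example {
  public static void main(String[] args) throws GeneralSecurityException {
    // Register the hybrid encryption key managers before any template lookup.
    HybridConfig.register();

    // Template from the thread: X25519 KEM, HKDF-SHA256 KDF, AES-256-GCM AEAD.
    // The KEM still bounds the suite at roughly 128 bits of security.
    KeysetHandle privateHandle = KeysetHandle.generateNew(
        KeyTemplates.get("DHKEM_X25519_HKDF_SHA256_HKDF_SHA256_AES_256_GCM"));

    // Only the public keyset is handed to the encrypting party.
    KeysetHandle publicHandle = privateHandle.getPublicKeysetHandle();

    HybridEncrypt encryptor = publicHandle.getPrimitive(HybridEncrypt.class);
    HybridDecrypt decryptor = privateHandle.getPrimitive(HybridDecrypt.class);

    // Constructed sample inputs.
    byte[] plaintext = "constructed sample message".getBytes(StandardCharsets.UTF_8);
    byte[] contextInfo = "example-context-v1".getBytes(StandardCharsets.UTF_8);

    byte[] ciphertext = encryptor.encrypt(plaintext, contextInfo);
    byte[] recovered = decryptor.decrypt(ciphertext, contextInfo);
    if (!Arrays.equals(plaintext, recovered)) {
      throw new IllegalStateException("round trip did not return the plaintext");
    }

    // The context info is bound to the ciphertext: a different value must fail.
    byte[] otherContext = "example-context-v2".getBytes(StandardCharsets.UTF_8);
    try {
      decryptor.decrypt(ciphertext, otherContext);
      throw new IllegalStateException("decryption with wrong context info succeeded");
    } catch (GeneralSecurityException expected) {
      System.out.println("wrong context info rejected");
    }
  }
}
```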