PRIMITIVES.md

Tink Primitives

Tink performs cryptographic tasks via so-called primitives, which provide an abstract representation of the provided functionality. Currently Tink supports the following cryptograhic operations via the corresponding primitives:

• authenticated encryption with associated data (primitive: AEAD)
• message authentication codes (primitive: MAC),
• digital signatures (primitives: PublicKeySign and PublicKeyVerify)
• hybrid encryption (primitives: HybridEncrypt and HybridDecrypt).

This document describes the main properties of Tink’s primitives.

General properties of all primitives:

• stateless (hence thread-safe)
• copy-safe (for the parameters)
• at least 128-bit security (with an exception for RSA)

Authenticated Encryption with Associated Data

AEAD primitive (Authenticated Encryption with Associated Data) provides functionality of symmetric authenticated encryption. Implementations of this primitive are secure against adaptive chosen ciphertext attacks. When encrypting a plaintext one can optionally provide associated data that should be authenticated but not encrypted. That is, the encryption with associated data ensures authenticity (ie. who the sender is) and integrity (ie. data has not been tampered with) of that data, but not its secrecy (see RFC 5116).

Minimal properties:

• plaintext and associated data can have arbitrary length (within the range 0..2³² bytes)
• CCA2 security
• at least 80-bit authentication strength
• there are no secrecy or knowledge guarantees wrt. to the value of associated data
• can encrypt at least 2³² messages with a total of 2⁵⁰ bytes so that no attack has success probability larger than 2^-32

Streaming Authenticated Encryption with Associated Data

Streaming AEAD primitive (Streaming Authenticated Encryption with Associated Data) provides authenticated encryption for streaming data, and is useful when the data to be encrypted is too large to be processed in a single step. Typical use cases include encryption of large files or encryption of live data streams.

The underlying encryption modes are selected so that partial plaintext can be obtained fast by decrypting and authenticating just a part of the ciphertext, without need of processing the entire ciphertext.

Encryption must be done in one session. There is no possibility to modify an existing ciphertext or to append to it (other than to reencrypt the entire file again).

Instances of Streaming AEAD follow the OAE2 definition proposed in the paper "Online Authenticated-Encryption and its Nonce-Reuse Misuse-Resistance" by Hoang, Reyhanitabar, Rogaway and Vizár.

Minimal properties:

• plaintext can have arbitrary length within the range 0..2³⁸ and associated data can have arbitrary length within the range 0..2³¹-1 bytes
• CCA2 security
• at least 80-bit authentication strength
• there are no secrecy or knowledge guarantees wrt. to the value of associated data
• can encrypt at least 2³² messages with a total of 2⁶⁸ bytes so that no attack with up to 2³² chosen plaintexts/chosen ciphertexts has success probability larger than 2^-32.

Deterministic Authenticated Encryption with Associated Data

Deterministic AEAD primitive (Deterministic Authenticated Encryption with Associated Data, DAEAD) provides encryption with a deterministic property: encrypting the same data always yields the same ciphertext. Such encryption is useful e.g. for key wrapping or for some schemes for searching on encrypted data (see RFC 5297, Section 1.3 for more info). However, because of deterministic property, implementations of this primitive are not semantically secure.

As for (regular) AEAD, when using Deterministic AEAD to encrypt a plaintext one can optionally provide associated data that should be authenticated but not encrypted. That is, the encryption with associated data ensures authenticity (ie. who the sender is) and integrity (ie. data has not been tampered with) of that data, but not its secrecy (see RFC 5116).