Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
Throw Away Galois/Counter Mode as Committing Encryption #1
Following the article Message Franking via Committing Authenticated Encryption, the internal hash of GCM used for MAC is not collision-resistant, and thus, breaking the binding property (the sender can brute-force a MAC collision in feasible amount of time/space). It's possibly 'cause the hash of GCM is 128-bits, most 128-bits are already broken too nowadays.
Due that vector attack, I must replace AES-GCM entirely. I should use instead better options, such as AES-CBC + Blake2B 512-bits keyed mode, for instance. In the case, it would be an instance of the Encrypt-then-MAC approach of Authenticated Encryption algorithms.
Backwards compatibility will be broken, and I must report that on top of documentation. There's some mitigation on the
This issue is open to possibly track further discussion.
We have a master key, and from that we derive an encryption key and a MAC key. The input vector is randomly generated and appended on the final commitment/cipher. Our header is the hashed process/context fingerprint. This fingerprint could not be used to associate/detect the commitment issuer 'cause these fingerprints are public, it is only used to provide a randomization context which reduces the probabilities of the distributed commitment collision. They must not be used for any kind of authentication, proof, identification, whatever...
This patch is tracked on the branch
Future plans might include to split this AEAD (Authenticated Encryption with Associated Data) module in a separate library. The benefits are clear, the community can use an AEAD encryption directly without relying on this library for commitment schemes and accessing the internals here.
This issue will be closed once the PR on OPAM repository is approved and merged.