This document formally defines the mathematical function represented by
AES-GCM-HKDF Streaming keys (encoded in proto format as
type.googleapis.com/google.crypto.tink.AesGcmHkdfStreamingKey
).
This encryption is loosely based on [HRRV15]1. For an analysis of the security we refer to [HS20]2.
Key and parameters
Keys are described by the following parts (all sizes in this document are in bytes):
- \(\mathrm{KeyValue}\), a byte string.
- \(\mathrm{CiphertextSegmentSize} \in \{1, 2, \ldots, 2^{31}-1\}\).
- \(\mathrm{DerivedKeySize} \in \{16, 32\}\).
- \(\mathrm{HkdfHashType} \in \{\mathrm{SHA1}, \mathrm{SHA256}, \mathrm{SHA512}\}\).
Valid keys additionally satisfy the following properties:
- \(\mathrm{len}(\mathrm{KeyValue}) \geq \mathrm{DerivedKeySize}\).
- \(\mathrm{CiphertextSegmentSize} > \mathrm{DerivedKeySize} + 24\) (This equals \(\mathrm{len}(\mathrm{Header}) + 16\) as explained later).
Keys which don't satisfy any of these properties are rejected by Tink (either when the key is parsed or when the corresponding primitive is created).
Encryption function
To encrypt a message \(\mathrm{Msg}\) with associated data \(\mathrm{AssociatedData}\), we create a header, split the message into segments, encrypt each segment, and concatenate the segments. We explain these steps in the following.
Creating the header
To create the header, we first pick a uniform random string \(\mathrm{Salt}\) of length \(\mathrm{DerivedKeySize}\). We next pick a uniform random string \(\mathrm{NoncePrefix}\) of length 7.
We then set \(\mathrm{Header} := \mathrm{len}(\mathrm{Header}) \| \mathrm{Salt} \| \mathrm{NoncePrefix}\), where the length of the header is encoded as a single byte. We note that \(\mathrm{len}(\mathrm{Header}) \in \{24, 40\}\).
Next, we use HKDF3 with the hash function given by \(\mathrm{HkdfHashType}\) and inputs \(\mathrm{ikm} := \mathrm{KeyValue}\), \(\mathrm{salt} := \mathrm{Salt}\), and \(\mathrm{info} := \mathrm{AssociatedData}\), with output length \(\mathrm{DerivedKeySize}\). We call the result \(k\).
Splitting the message
The message \(\mathrm{Msg}\) is next split into parts: \(\mathrm{Msg} = M_0 \| M_1 \| \cdots \| M_{n-1}\).
Their lengths are chosen so that they satisfy:
- \(\mathrm{len}(M_0) \in \{0,\ldots, \mathrm{CiphertextSegmentSize} - \mathrm{len}(\mathrm{Header}) - \mathrm{16}\}\).
- If \(n>1\), then \(\mathrm{len}(M_1), \ldots, \mathrm{len}(M_{n-1}) \in \{1,\ldots, \mathrm{CiphertextSegmentSize} - \mathrm{16}\}\).
- If \(n>1\), then \(\mathrm{len}(M_{0}), \ldots, \mathrm{len}(M_{n-2})\) must have maximal length according to the above to constraints.
In this splitting, \(n\) may at most be \(2^{32}\). Otherwise, encryption fails.
Encrypting the blocks
To encrypt segment \(M_i\), we first compute
\(\mathrm{IV}_i := \mathrm{NoncePrefix} \| \mathrm{i} \| b\), where we encode
\(\mathrm{i}\) in 4 bytes using big-endian encoding, and set the byte $b$ to be
0x00
if $i < n-1$ and 0x01
otherwise.
We then encrypt \(M_i\) using AES GCM4, where the key is \(\mathrm{DerivedKey}\), the initialization vector is \(\mathrm{IV}_i\), and the associated data \(A\) is the empty string. We set \(C_i\) to be the result of this encryption (i.e., the concatenation of \(C\) and \(T\) in the above reference).
Concatenate the segments
Finally, all segments are concatenated as \(\mathrm{Header} \| C_0 \| \cdots \| C_{n-1}\), which is the final ciphertext.
Decryption
Decryption simply inverts the encryption. We use the header to obtain the nonce, and decrypt each segment of ciphertext individually.
APIs may (and typically do) allow random access, or access to the beginning of a file without inspecting the end of the file. This is intentional, since it is possible to decrypt \(M_i\) from \(C_i\), without decrypting all previous and remaining ciphertext blocks.
However, APIs should be careful to not allow users to confuse end-of-file and decryption errors: in both cases the API probably has to return an error, and ignoring the difference can lead to an adversary being able to effectively truncate files.
Serialization and parsing of keys
To serialize a key in the "Tink Proto" format, we first map the parameters
in the obvious way into the proto given at
aes_gcm_hkdf_streaming.proto.
The field version
needs to be set to 0.
We then serialize this using normal proto serialization, and embed the resulting
string in the value of field of a KeyData proto.
We set the type_url
field
to type.googleapis.com/google.crypto.tink.AesGcmHkdfStreamingKey
.
We then set key_material_type
to SYMMETRIC
, and embed this into a keyset. We
usually set the output_prefix_type
to RAW
. The exception is that if the key
was parsed with a different value set for output_prefix_type
,
Tink may either write RAW
or the previous value.
To parse a key, we reverse the above process (in the usual way when parsing
protos). The field key_material_type
is ignored. The value of
output_prefix_type
can either be ignored, or keys which
have output_prefix_type
different from RAW
can be rejected.
Keys which have a version
different from 0 must be rejected.
Known issues
Implementations of the above encryption function are not expected to be fork safe. See Fork Safety.
References
-
[HRRV15] Hoang, Reyhanitabar, Rogaway, Vizar. Online authenticated-encryption and its nonce-reuse misuse-resistance. CRYPTO 2015. https://eprint.iacr.org/2015/189 ↩
-
[HS20] Security of Streaming Encryption in Google's Tink Library. Hoang, Shen, 2020. https://eprint.iacr.org/2020/1019 ↩
-
[HKDF] HMAC-based Extract-and-Expand Key Derivation Function (HKDF), RFC 5869. https://www.rfc-editor.org/rfc/rfc5869 ↩
-
NIST SP 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC. ↩