Adding AEAD support as new encryption method

crypt4gh.tex

@@ -286,6 +286,17 @@ \subsection{File Structure}
   \textbf{Data Edit List Packet (plain-text)} \\
   List of byte counts to alternately exclude and include in output
 };
+
+\node (sequence number) [boxes=2,below=of data edit list.south] {
+\nodepart{one}Packet Type
+\nodepart[text width=10em]{two}Sequence number
+};
+\draw (data edit list.south west) to (sequence number.north west);
+\draw (data edit list.south east) to (sequence number.north east);
+\node (sequence number notes) at (sequence number -| file notes) [notes] {
+  \textbf{Sequence Number Packet (plain-text)} \\
+  Sequence number used in AEAD mode
+};
 \end{tikzpicture}
 \end{center}
 
@@ -321,7 +332,7 @@ \subsection{File Structure}
 \end{itemize}
 
 \subsection{Header Packet Types}\label{overview:header_packet_types}
-There are two types of header packet:
+There are three types of header packet:
 \begin{itemize}
 \item Data encryption key packets.
 
@@ -345,6 +356,12 @@ \subsection{Header Packet Types}\label{overview:header_packet_types}
 the new file.
 On reading, the data blocks are decrypted and then the edit list is used to find out which parts of the unencrypted
 data should be discarded.
+
+\item Sequence number packets.
+
+In AEAD mode, this packet contains the initial number for an incrementing sequence, injected as AEAD data in each encrypted segment.
+
+This mode ensures no encrypted segments can be lost or re-ordered.
 \end{itemize}
 
 \subsection{Encoding For Multiple Public/Secret Key Pairs}
@@ -532,10 +549,12 @@ \subsubsection{Header packet encrypted payload}
 enum Header_packet_type<le_uint32> {
   data_encryption_parameters = 0;
   data_edit_list = 1;
+  sequence_number = 2;
 };
 
 enum Data_encryption_method<le_uint32> {
   chacha20_ietf_poly1305 = 0;
+  chacha20_ietf_poly1305_with_AEAD = 1;
 };
 
 struct Encrypted_header_packet {
@@ -546,12 +565,19 @@ \subsubsection{Header packet encrypted payload}
       enum Data_encryption_method<le_uint32>  data_encryption_method;
       select (data_encryption_method) {
         case chacha20_ietf_poly1305:
+        case chacha20_ietf_poly1305_with_AEAD:
           byte  data_key[32];
       };
 
     case data_edit_list:
       le_uint32 number_lengths;
       le_uint64 lengths[number_lengths];
+
+    case sequence_number:
+      select (data_encryption_method) {
+        case chacha20_ietf_poly1305_with_AEAD:
+          le_uint32 initial_value;
+      };
   };
 };
 \end{verbatim}
@@ -584,6 +610,17 @@ \subsubsection{data\_edit\_list packet}
 It is not permitted to have more than one edit list.
 If more than one edit list is present, the file SHOULD be rejected.
 
+\subsubsection{sequence\_number packet}
+
+This packet contains an unsigned integer, used as \kw{initial\_value} for an incrementing sequence.
+
+It is used in the AEAD mode, ie, when \kw{data\_encryption\_method} is \kw{chacha20\_ietf\_poly1305\_with\_AEAD}.
+
+Application of the AEAD mode to the plain-text is described in section~\ref{data:AEAD_encrypting_mode}.
+
+It is not permitted to have more than one sequence number.
+If more than one sequence number is present, the file SHOULD be rejected.
+
 \subsection{Header packet encryption}
 
 \subsubsection{X25519\_chacha20\_ietf\_poly1305 Encryption}~\label{header:X25519}
@@ -671,20 +708,6 @@ \subsubsection{Reading the header}
 If more than one \kw{data\_edit\_list} packet is present, the file SHOULD be rejected.
 
 \subsection{Encrypted Data}\label{data:encryption}
-\subsubsection{chacha20\_ietf\_poly1305 Encryption}\label{data:chacha20_encryption}
-
-ChaCha20 is a stream cipher which maps a 256-bit key, nonce and counter to a 512-bit key-stream block.
-In IETF mode the nonce is 96 bits long and the counter is 32 bits.
-The counter starts at 1, and is incremented by 1 for each successive key-stream block.
-The cipher-text is the plain-text message combined with the key-stream using the bit-wise exclusive-or operation.
-
-Poly1305 is used to generate a 16-byte message authentication code (MAC) over the cipher-text.
-As the MAC is generated over the entire cipher-text it is not possible to authenticate partially decrypted data.
-
-ChaCha20 and Poly1305 are combined using the AEAD construction described in section 2.8 of \cite{RFC8439}.
-This construction allows additional authenticated data (AAD) to be included in the Poly1305 MAC calculation.
-For the purposes of this format, the AAD is zero bytes long.
-
 \subsubsection{Segmenting the input}
 
 To allow random access without having to authenticate the entire file, the plain-text is divided into 65536-byte
@@ -697,6 +720,7 @@ \subsubsection{Segmenting the input}
 struct Segment {
   select (method) {
     case chacha20_ietf_poly1305:
+    case chacha20_ietf_poly1305_with_AEAD:
       byte    nonce[12];
       byte[]  encrypted_data;
       byte    mac[16];
@@ -708,6 +732,38 @@ \subsubsection{Segmenting the input}
 For chacha20\_ietf\_poly1305, this expansion will be 28 bytes, so a 65536 byte plain-text input will become a 65564
 byte encrypted and authenticated cipher-text output.
 
+\subsubsection{chacha20\_ietf\_poly1305 Encryption}\label{data:chacha20_encryption}
+
+ChaCha20 is a stream cipher which maps a 256-bit key, nonce and counter to a 512-bit key-stream block.
+In IETF mode the nonce is 96 bits long and the counter is 32 bits.
+The counter starts at 1, and is incremented by 1 for each successive key-stream block.
+The cipher-text is the plain-text message combined with the key-stream using the bit-wise exclusive-or operation.
+
+Poly1305 is used to generate a 16-byte message authentication code (MAC) over the cipher-text.
+As the MAC is generated over the entire cipher-text it is not possible to authenticate partially decrypted data.
+
+ChaCha20 and Poly1305 are combined using the AEAD construction described in section 2.8 of \cite{RFC8439}.
+This construction allows additional authenticated data (AAD) to be included in the Poly1305 MAC calculation.
+In case the selected encryption method is \kw{chacha20\_ietf\_poly1305}, the AAD is zero bytes long.
+In case the selected encryption method is \kw{chacha20\_ietf\_poly1305\_with\_AEAD}, the AAD is a 4-bytes little-endian number (section~\ref{data:AEAD_encrypting_mode}).
+
+\subsubsection{AEAD encrypting mode: chacha20\_ietf\_poly1305\_with\_AEAD}\label{data:AEAD_encrypting_mode}
+
+The AEAD mode ensures no segments can be lost or re-ordered.
+
+Consider an incrementing sequence of unsigned 4-bytes numbers, eventually wrapping around.
+The initial value of the sequence is written in the \kw{sequence\_number} packet.
+
+For each plain-text segment, in order, we encrypt as
+in~\ref{data:chacha20_encryption} while attaching the number we pop
+from the sequence as authenticated data.
+
+Additionally, in case the end of the file lands on a segment boundary,
+a final and empty encrypted segment is appended to the ciphertext. If
+not, the last segment is smaller then the segment maximum size and no
+extra encrypted segment is appended.
+
+
 \section{Decryption}
 
 \subsection{chacha20\_ietf\_poly1305 Decryption}
@@ -744,6 +800,15 @@ \subsection{chacha20\_ietf\_poly1305 Decryption}
 to timing attacks which try to detect which key was successful); or simply insist that only one key is used for
 the whole file.
 
+\subsection{AEAD mode}\label{data:AEAD_decrypting_mode}
+
+A packet of type \kw{sequence\_number} must be present in the header.
+
+The $n^{th}$ segment is decrypted using the sequence number incremented by $n$ as authenticated data.
+
+Finally, the presence of the eventual last empty segment must be checked according to \ref{data:AEAD_encrypting_mode}.\\
+Failing that check SHOULD consider the file as truncated, and reject it.
+
 \subsection{Edit List}\label{data:edit_list}
 
 The edit list is designed to assist splicing of encrypted files (for example to remove parts that are not needed