Limit DNDK-GCM to 24-byte nonces

Author: script3r

dndk-gcm/README.md

@@ -4,10 +4,7 @@ Pure Rust implementation of DNDK-GCM (Double Nonce Derive Key AES-GCM) with
 key commitment disabled (KC_Choice = 0) as specified in
 `draft-gueron-cfrg-dndkgcm`.
 
-This crate provides two fixed-nonce variants:
-
-- `DndkGcm24`: 24-byte nonce (recommended in the draft).
-- `DndkGcm12`: 12-byte nonce (AES-GCM compatible length).
+This crate provides a fixed 24-byte nonce variant: `DndkGcm24`.
 
 ## Usage
 

dndk-gcm/src/lib.rs

@@ -50,20 +50,11 @@ pub struct DndkGcm24 {
     aes: Aes256,
 }
 
-/// DNDK-GCM with a 12-byte nonce (KC_Choice = 0).
-#[derive(Clone)]
-pub struct DndkGcm12 {
-    aes: Aes256,
-}
-
 type KeySize = <Aes256Gcm as KeySizeUser>::KeySize;
 
 /// DNDK-GCM nonce (24 bytes).
 pub type Nonce24 = aes_gcm::Nonce<cipher::consts::U24>;
 
-/// DNDK-GCM nonce (12 bytes).
-pub type Nonce12 = aes_gcm::Nonce<U12>;
-
 /// DNDK-GCM key.
 pub type Key<B = Aes256> = aes_gcm::Key<B>;
 
@@ -85,32 +76,16 @@ impl AeadCore for DndkGcm24 {
     const TAG_POSITION: TagPosition = TagPosition::Postfix;
 }
 
-impl AeadCore for DndkGcm12 {
-    type NonceSize = U12;
-    type TagSize = <Aes256Gcm as AeadCore>::TagSize;
-    const TAG_POSITION: TagPosition = TagPosition::Postfix;
-}
-
 impl KeySizeUser for DndkGcm24 {
     type KeySize = KeySize;
 }
 
-impl KeySizeUser for DndkGcm12 {
-    type KeySize = KeySize;
-}
-
 impl KeyInit for DndkGcm24 {
     fn new(key: &Key) -> Self {
         Self { aes: Aes256::new(key) }
     }
 }
 
-impl KeyInit for DndkGcm12 {
-    fn new(key: &Key) -> Self {
-        Self { aes: Aes256::new(key) }
-    }
-}
-
 impl AeadInOut for DndkGcm24 {
     fn encrypt_inout_detached(
         &self,
@@ -142,37 +117,6 @@ impl AeadInOut for DndkGcm24 {
     }
 }
 
-impl AeadInOut for DndkGcm12 {
-    fn encrypt_inout_detached(
-        &self,
-        nonce: &Nonce12,
-        associated_data: &[u8],
-        buffer: InOutBuf<'_, '_, u8>,
-    ) -> Result<Tag, Error> {
-        if buffer.len() as u64 > P_MAX || associated_data.len() as u64 > A_MAX {
-            return Err(Error);
-        }
-
-        let (gcm_iv, key) = derive_key_and_iv::<12>(&self.aes, nonce.as_slice());
-        Aes256Gcm::new(&key).encrypt_inout_detached(&gcm_iv, associated_data, buffer)
-    }
-
-    fn decrypt_inout_detached(
-        &self,
-        nonce: &Nonce12,
-        associated_data: &[u8],
-        buffer: InOutBuf<'_, '_, u8>,
-        tag: &Tag,
-    ) -> Result<(), Error> {
-        if buffer.len() as u64 > C_MAX || associated_data.len() as u64 > A_MAX {
-            return Err(Error);
-        }
-
-        let (gcm_iv, key) = derive_key_and_iv::<12>(&self.aes, nonce.as_slice());
-        Aes256Gcm::new(&key).decrypt_inout_detached(&gcm_iv, associated_data, buffer, tag)
-    }
-}
-
 type Block = Array<u8, <Aes256 as BlockSizeUser>::BlockSize>;
 
 type GcmIv = aes_gcm::Nonce<U12>;

dndk-gcm/tests/dndkgcm.rs

@@ -6,7 +6,7 @@ mod common;
 
 use aes_gcm::aead::{Aead, AeadInOut, KeyInit, Payload, array::Array};
 use common::TestVector;
-use dndk_gcm::{DndkGcm12, DndkGcm24};
+use dndk_gcm::DndkGcm24;
 use hex_literal::hex;
 
 /// DNDK-GCM test vectors (draft-gueron-cfrg-dndkgcm-03, Appendix A)
@@ -21,21 +21,4 @@ const TEST_VECTORS_24: &[TestVector<[u8; 32], [u8; 24]>] = &[
     },
 ];
 
-/// DNDK-GCM test vectors (draft-gueron-cfrg-dndkgcm-03, Appendix A)
-const TEST_VECTORS_12: &[TestVector<[u8; 32], [u8; 12]>] = &[
-    TestVector {
-        key: &hex!("0100000000000000000000000000000000000000000000000000000000000000"),
-        nonce: &hex!("000102030405060708090a0b"),
-        plaintext: &hex!("11000001"),
-        aad: &hex!("0100000011"),
-        ciphertext: &hex!("b95cf258"),
-        tag: &hex!("39e74511d997eaafd0f567d13758305b"),
-    },
-];
-
 tests!(DndkGcm24, TEST_VECTORS_24);
-
-mod dndk_gcm12 {
-    use super::*;
-    tests!(DndkGcm12, TEST_VECTORS_12);
-}