AEGIS MAC: add support for 128-bit tags (#15379)

When used as a MAC, 256-bit tags are recommended. But in interactive protocols, 128 bits may be acceptable.
2023-04-21 13:52:33 -06:00
parent 83970b6d91
commit 391663e497
2 changed files with 16 additions and 0 deletions
--- a/lib/std/crypto/aegis.zig
+++ b/lib/std/crypto/aegis.zig
@@ -417,6 +417,20 @@ pub const Aegis128LMac = AegisMac(Aegis128L_256);
 /// - It has a large security margin against internal collisions.
 pub const Aegis256Mac = AegisMac(Aegis256_256);

+/// Aegis128L MAC with a 128-bit output.
+/// A MAC with a 128-bit output is not safe unless the number of messages
+/// authenticated with the same key remains small.
+/// After 2^48 messages, the probability of a collision is already ~ 2^-33.
+/// If unsure, use the  Aegis128LMac type, that has a 256 bit output.
+pub const Aegis128LMac_128 = AegisMac(Aegis128L);
+
+/// Aegis256 MAC with a 128-bit output.
+/// A MAC with a 128-bit output is not safe unless the number of messages
+/// authenticated with the same key remains small.
+/// After 2^48 messages, the probability of a collision is already ~ 2^-33.
+/// If unsure, use the  Aegis256Mac type, that has a 256 bit output.
+pub const Aegis256Mac_128 = AegisMac(Aegis256);
+
 fn AegisMac(comptime T: type) type {
    return struct {
        const Self = @This();