AES-SIV does not accept empty plaintext.

[bleichenbacher-daniel]

This issue is possibly related to #10808, which observes a similar behavior for AES-GCM-SIV.

I'm using python version 3.12.3
and cryptography version 42.0.5

The following code

from cryptography.hazmat.primitives.ciphers import aead
import cryptography
import sys

def test_empty_pt():
    key = bytes(range(32))
    nonce = bytes(range(12))
    pt = b""
    aads = [b"row1", b"col2", b"timestamp"]
    crypter = aead.AESSIV(key)
    ct = crypter.encrypt(pt, aads)

if __name__ == "__main__":
    print(f"{sys.version=}")
    print(f"{cryptography.__version__=}")
    test_empty_pt()

gives the following result:

sys.version='3.12.3 (tags/v3.12.3:f6650f9, Apr 9 2024, 14:05:25) [MSC v.1938 64 bit (AMD64)]'
cryptography.version='42.0.5'
Traceback (most recent call last):
File ".../aes_siv_test.py", line 16, in
test_empty_pt()
File ".../aes_siv_test.py", line 11, in test_empty_pt
ct = crypter.encrypt(pt, aads)
ValueError: data must not be zero length

The only restriction I could find is RFC 5297, section 6, where there is a lower bound of 1 byte for the nonce, when AES-SIV is being used as AEAD. However, AES-SIV is useful in many contexts, e.g., deterministically encrypting cells in a database using row and column as AAD. For such uses it would be helpful if all fields can be empty.

[alex]

Without being at a computer to test, this almost certainly is for the same reason -- n Limitations in OpenSSL

…

On Tue, May 7, 2024, 2:03 PM bleichenbacher-daniel ***@***.***> wrote: This issue is possibly related to #10808 <#10808>, which observes a similar behavior for AES-GCM-SIV. I'm using python version 3.12.3 and cryptography version 42.0.5 The following code from cryptography.hazmat.primitives.ciphers import aead import cryptography import sys def test_empty_pt(): key = bytes(range(32)) nonce = bytes(range(12)) pt = b"" aads = [b"row1", b"col2", b"timestamp"] crypter = aead.AESSIV(key) ct = crypter.encrypt(pt, aads) if __name__ == "__main__": print(f"{sys.version=}") print(f"{cryptography.__version__=}") test_empty_pt() gives the following result: sys.version='3.12.3 (tags/v3.12.3:f6650f9, Apr 9 2024, 14:05:25) [MSC v.1938 64 bit (AMD64)]' cryptography.*version*='42.0.5' Traceback (most recent call last): File ".../aes_siv_test.py", line 16, in test_empty_pt() File ".../aes_siv_test.py", line 11, in test_empty_pt ct = crypter.encrypt(pt, aads) ValueError: data must not be zero length The only restriction I could find is RFC 5297, section 6, where there is a lower bound of 1 byte for the nonce, when AES-SIV is being used as AEAD. However, AES-SIV is useful in many contexts, e.g., deterministically encrypting cells in a database using row and column as AAD. For such uses it would be helpful if all fields can be empty. — Reply to this email directly, view it on GitHub <#10958>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAAGBDMFSUFJHDMLCESKQLZBEJOZAVCNFSM6AAAAABHLPMXPOVHI2DSMVQWIX3LMV43ASLTON2WKOZSGI4DGOJTGI4TGNQ> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[alex]

Note: Someone should file an upstream bug with OpenSSL for this.

[reaperhulk]

openssl/openssl#26580