Serializing ciphertext with 32-bit prefixes.

Notice about ciphertext change and testing format.

Previously, tkn20 ciphertext was encoding the ciphertext header
`C1`, the envelope `env` (containing inner ciphertext), and
macData using 16-bit prefixes, which caused a limitation on
the maximum size allowed for encrypting plaintexts.

With this change, the encoding now uses 32-bit prefixes for
these three elements allowing to encrypt plaintexts longer
than 2^16 bytes. So, ciphertexts produced by tkn20 package are
now 12 bytes longer.

Ciphertexts in the previous format are still decryptable.
The following functions are backwards-compatible:
 - AttributeKey.Decrypt
 - Attributes.CouldDecrypt
 - Policy.ExtractFromCiphertext

abe/cpabe/tkn20/example_test.go

@@ -132,6 +132,6 @@ func Example() {
 	// Output:
 	// (occupation:doctor and country:US)
 	// plaintext size: 27 bytes
-	// ciphertext size: 2735 bytes
+	// ciphertext size: 2747 bytes
 	// Successfully recovered plaintext
 }

abe/cpabe/tkn20/format_test.go

@@ -41,8 +41,23 @@ func TestAttributeKeyFormat(t *testing.T) {
 	}
 }
 
+func TestCiphertext_v137(t *testing.T) {
+	// As of v1.3.8 ciphertext format changed to use wider prefixes.
+	// Ciphertexts in the previous format are still decryptable.
+	// The following functions are backwards-compatible:
+	// - AttributeKey.Decrypt
+	// - Attributes.CouldDecrypt
+	// - Policy.ExtractFromCiphertext
+	testCiphertext(t, "testdata/ciphertext_v137")
+}
+
 func TestCiphertext(t *testing.T) {
-	ciphertext, err := os.ReadFile("testdata/ciphertext")
+	testCiphertext(t, "testdata/ciphertext")
+}
+
+func testCiphertext(t *testing.T, ctName string) {
+	t.Logf("Checking ciphertext: %v\n", ctName)
+	ciphertext, err := os.ReadFile(ctName)
 	if err != nil {
 		t.Fatalf("Unable to read ciphertext data")
 	}

abe/cpabe/tkn20/internal/tkn/bk.go

@@ -1,6 +1,7 @@
 package tkn
 
 import (
+	"bytes"
 	"crypto/subtle"
 	"fmt"
 	"io"
@@ -20,6 +21,9 @@ import (
 // for our output size of 256 bits.
 const macKeySeedSize = 72
 
+// As of v1.3.8, ciphertexts are prefixed with this string.
+const CiphertextVersion = "v1.3.8"
+
 func blakeEncrypt(key []byte, msg []byte) ([]byte, error) {
 	xof, err := blake2b.NewXOF(blake2b.OutputLengthUnknown, key)
 	if err != nil {
@@ -117,39 +121,51 @@ func EncryptCCA(rand io.Reader, public *PublicParams, policy *Policy, msg []byte
 	if err != nil {
 		return nil, err
 	}
-	macData := appendLenPrefixed(nil, C1)
-	macData = appendLenPrefixed(macData, env)
+	macData := appendLen32Prefixed(nil, C1)
+	macData = appendLen32Prefixed(macData, env)
 
 	tag, err := blakeMac(macKey, macData)
 	if err != nil {
 		return nil, err
 	}
 
-	ret := appendLenPrefixed(nil, id)
-	ret = appendLenPrefixed(ret, macData)
+	ret := append([]byte{}, []byte(CiphertextVersion)...)
+	ret = appendLenPrefixed(ret, id)
+	ret = appendLen32Prefixed(ret, macData)
 	ret = appendLenPrefixed(ret, tag)
 
 	return ret, nil
 }
 
+type rmLenPref = func([]byte) ([]byte, []byte, error)
+
+func checkCiphertextFormat(ciphertext []byte) (ct []byte, fn rmLenPref) {
+	const N = len(CiphertextVersion)
+	if bytes.Equal(ciphertext[0:N], []byte(CiphertextVersion)) {
+		return ciphertext[N:], removeLen32Prefixed
+	}
+	return ciphertext, removeLenPrefixed
+}
+
 func DecryptCCA(ciphertext []byte, key *AttributesKey) ([]byte, error) {
-	id, rest, err := removeLenPrefixed(ciphertext)
+	rest, removeLenPrefixedVar := checkCiphertextFormat(ciphertext)
+	id, rest, err := removeLenPrefixed(rest)
 	if err != nil {
 		return nil, err
 	}
-	macData, rest, err := removeLenPrefixed(rest)
+	macData, rest, err := removeLenPrefixedVar(rest)
 	if err != nil {
 		return nil, err
 	}
 	tag, _, err := removeLenPrefixed(rest)
 	if err != nil {
 		return nil, err
 	}
-	C1, envRaw, err := removeLenPrefixed(macData)
+	C1, envRaw, err := removeLenPrefixedVar(macData)
 	if err != nil {
 		return nil, err
 	}
-	env, _, err := removeLenPrefixed(envRaw)
+	env, _, err := removeLenPrefixedVar(envRaw)
 	if err != nil {
 		return nil, err
 	}
@@ -208,15 +224,16 @@ func DecryptCCA(ciphertext []byte, key *AttributesKey) ([]byte, error) {
 }
 
 func CouldDecrypt(ciphertext []byte, a *Attributes) bool {
-	id, rest, err := removeLenPrefixed(ciphertext)
+	rest, removeLenPrefixedVar := checkCiphertextFormat(ciphertext)
+	id, rest, err := removeLenPrefixed(rest)
 	if err != nil {
 		return false
 	}
-	macData, _, err := removeLenPrefixed(rest)
+	macData, _, err := removeLenPrefixedVar(rest)
 	if err != nil {
 		return false
 	}
-	C1, _, err := removeLenPrefixed(macData)
+	C1, _, err := removeLenPrefixedVar(macData)
 	if err != nil {
 		return false
 	}
@@ -237,15 +254,16 @@ func CouldDecrypt(ciphertext []byte, a *Attributes) bool {
 }
 
 func (p *Policy) ExtractFromCiphertext(ct []byte) error {
-	_, rest, err := removeLenPrefixed(ct)
+	rest, removeLenPrefixedVar := checkCiphertextFormat(ct)
+	_, rest, err := removeLenPrefixed(rest)
 	if err != nil {
 		return fmt.Errorf("invalid ciphertext")
 	}
-	macData, _, err := removeLenPrefixed(rest)
+	macData, _, err := removeLenPrefixedVar(rest)
 	if err != nil {
 		return fmt.Errorf("invalid ciphertext")
 	}
-	C1, _, err := removeLenPrefixed(macData)
+	C1, _, err := removeLenPrefixedVar(macData)
 	if err != nil {
 		return fmt.Errorf("invalid ciphertext")
 	}

abe/cpabe/tkn20/internal/tkn/util.go

@@ -42,14 +42,14 @@ func HashStringToScalar(key []byte, value string) *pairing.Scalar {
 	return s
 }
 
-func appendLenPrefixed(a []byte, b []byte) []byte {
+func appendLen16Prefixed(a []byte, b []byte) []byte {
 	a = append(a, 0, 0)
 	binary.LittleEndian.PutUint16(a[len(a)-2:], uint16(len(b)))
 	a = append(a, b...)
 	return a
 }
 
-func removeLenPrefixed(data []byte) (next []byte, remainder []byte, err error) {
+func removeLen16Prefixed(data []byte) (next []byte, remainder []byte, err error) {
 	if len(data) < 2 {
 		return nil, nil, fmt.Errorf("data too short")
 	}
@@ -60,6 +60,29 @@ func removeLenPrefixed(data []byte) (next []byte, remainder []byte, err error) {
 	return data[2 : 2+itemLen], data[2+itemLen:], nil
 }
 
+var (
+	appendLenPrefixed = appendLen16Prefixed
+	removeLenPrefixed = removeLen16Prefixed
+)
+
+func appendLen32Prefixed(a []byte, b []byte) []byte {
+	a = append(a, 0, 0, 0, 0)
+	binary.LittleEndian.PutUint32(a[len(a)-4:], uint32(len(b)))
+	a = append(a, b...)
+	return a
+}
+
+func removeLen32Prefixed(data []byte) (next []byte, remainder []byte, err error) {
+	if len(data) < 4 {
+		return nil, nil, fmt.Errorf("data too short")
+	}
+	itemLen := int(binary.LittleEndian.Uint32(data))
+	if (4 + itemLen) > len(data) {
+		return nil, nil, fmt.Errorf("data too short")
+	}
+	return data[4 : 4+itemLen], data[4+itemLen:], nil
+}
+
 func marshalBinarySortedMapMatrixG1(m map[string]*matrixG1) ([]byte, error) {
 	sortedKeys := make([]string, 0, len(m))
 	for key := range m {

abe/cpabe/tkn20/tkn20.go

@@ -8,6 +8,15 @@
 // attribute-based encryption. In A. Kiayias, M. Kohlweiss, P. Wallden, and
 // V. Zikas, editors, PKC, volume 12110 of Lecture Notes in Computer Science,
 // pages 3–33. Springer, 2020. https://eprint.iacr.org/2019/966
+//
+// # Update v1.3.8
+//
+// As of v1.3.8, ciphertext format changed to use wider prefixes.
+// Ciphertexts in the previous format are still decryptable.
+// The following functions are backwards-compatible:
+//   - [AttributeKey.Decrypt]
+//   - [Attributes.CouldDecrypt]
+//   - [Policy.ExtractFromCiphertext]
 package tkn20
 
 import (