Modern encryption modes support associated data, which is authenticated but not encrypted. This can be used to bind a ciphertext to a specific context.
Examples of binding ciphertext to associated data include:
Encrypting a database cell-by-cell (or column-by-column). This ensures the cell's ciphertext is only valid in that specific cell. This prevents the attacker from moving the ciphertext from one cell to another. In this example, the ciphertext should be bound to the
column_idandrow_idfor the given database cell.Storing ciphertexts in different clients lets you detect misbehavior if Client A provides Client B's ciphertext for decryption. Here, the ciphertext should be bound to the client's name.
Tink has several options for binding ciphertext to its context:
AEAD, Streaming AEAD, and Deterministic AEAD all accept an associated data input along with the plaintext. The decryption fails if the associated data is not provided with the ciphertext.
Hybrid encryption provides the same feature using the context info parameter.