(Last updated July 2023)
This page details the high-level goals of the Tink team. It will be periodically updated as the goals are achieved or changed.
Multiple GitHub repositories
We are splitting the project into multiple GitHub repositories, separated by language. This provides the following benefits:
- decoupled releases for each language (meaning an issue in C++ doesn't prevent performing a release for Java, for example)
- more frequent releases
- a reduced set of dependencies to download for each library (for example, SDKs for several cloud providers)
Documentation improvements
We are undertaking an effort to improve the Tink documentation. This involves consolidating Tink documentation sources (making this site the source of truth for Tink documentation), providing updated and easy-to-follow examples, and filling any documentation gaps that may exist. We welcome any documentation improvement suggestions. Please use the survey linked below or file a bug or feature request as outlined in the Contibutions page.
Keyset and registry redesign
We want to give users a better way to manage keys within a keyset. This will make it easier to implement key management systems and will enable more comprehensive support for importing and exporting keys to different formats like PEM or JWK (while ensuring the API prevents common mistakes that could result in security vulnerabilities). This work is underway.
We are also working on allowing multiple registries in Tink. This will make it easier to develop libraries based on Tink and will also allow for the easy removal and deprecation of insecure algorithms. See more on the Registry page.
Monitoring support
We have added monitoring hooks to Tink. Users can employ these hooks to collect and analyze non-sensitive data about their cryptographic operations, such as which key types are in use, or the number of encryption calls made with a specific key.
This type of information is useful to ensure adequate key rotation, or to create a list of keys that may be vulnerable to quantum computers. We will be providing a tutorial on how to use these hooks in due course.
Post-quantum cryptography (PQC)
We are actively working on low-level implementations of the NIST-selected PQC algorithms. These include key encapsulation mechanisms (KEMs), specifically Kyber/ML-KEM, and digital signatures, namely Dilithium/ML-DSA and SPHINCS+/SLH-DSA. Once ready, we will provide official APIs for these post-quantum algorithms in Tink. For anyone interested in starting with PQC, Tink already provides experimental PQC algorithms in C++, covering the NIST-selected digital signatures, and the NTRU-HRSS KEM (a NIST KEM candidate which was ultimately not selected).
Performance
We intend to fine-tune our Tink performance measurements and provide appropriate performance benchmarks for our users. We are also starting to investigate possible performance enhancements to Tink.
Tell us what you think!
We would love to hear about how you use Tink or which features would be most useful for your implementation. Let us know by taking our survey.