Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink 1.7.0.

To get started using Tink, see the installation instructions.

To see what we're working towards, check our project roadmap.

What's new

The complete list of changes since 1.6.1 can be found here.

General

• Hybrid Public Key Encryption (HPKE)
  • Added support for HPKE as defined in RFC 9180
  • Implemented in C++, Java, Go, and Python.
  • NOTE: In C++, HPKE is not present when using OpenSSL or when FIPS-only mode is enabled.
• JSON Web Token (JWT)
  • Added support for a subset of JWT as defined by RFC 7519 that is considered safe and most often used
  • Implemented in C++, Java, Go, and Python.
  • See the JWT-HOWTO.
• Protocol buffer definitions and test data are now embedded within each Bazel workspace.

C++

• Post-Quantum Cryptography
  • Experimental only implementations of Dilithium, Falcon, and Sphincs.
• CMake build options
  • Added option to use pre-installed OpenSSL (v1.1.1), gTest, and Abseil (v1.1.1) src
  • Added option to propagate client CMAKE_CXX_STANDARD, see the CMAKE HOW-TO
• Optional migration to absl::Status and absl::StatusOr
  • CMake
  • Bazel

Java

• Upgraded dependencies with vulnerabilities
  • gson 2.8.6 => 2.8.9 (solves CVE-2022-25647) [src]
  • protobuf-java 3.14.0 => 3.19.3 (solves CVE-2021-22569) [src]

Go

• GCP KMS
  • Added more flexible client instantiation via NewClientWithOptions which takes option.ClientOptions arguments.
• Fix memory utilization bug in streaming AEAD (https://github.com/google/tink/issues/594)

Python

NOTE: Pending publication to PyPI.

• Python 3.10 support

Objective-C

NOTE: Pending publication to CocoaPods.

• arm64 (M1) support

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink 1.6.1.

To get started using Tink, see the installation instructions.

What's new

This is a patch release.

The complete list of changes since 1.6.0 can be found here.

Java

Fix dependencies in Java Maven packages

In Tink 1.6.0, the Java Bazel configuration included a couple instances of a non-Android target depending on an Android target and vice versa. This resulted in larger than expected Maven packages.

Miscellaneous

Minor documentation fixes.

Known issues

• ~Tink for Python has issues in setup.py and the distribution scripts. Due to this, PyPI packages have not been published for this release. A follow up patch release will address this shortly.~ PyPI packages for 1.6.1 have been published. If you want to build these packages from branch 1.6 by yourself, patch in https://github.com/google/tink/commit/465753ac71d51baab8804aa7908b96e562fe4bff.
• Tink for Obj-C still does not build with Bazel. However, you can still use it in your apps by installing our prebuilt package.

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink 1.6.0.

To get started using Tink, see the installation instructions.

What's new

The complete list of changes since 1.5.0 can be found here.

New documentation website

We've launched a new home for Tink documentation at https://developers.google.com/tink.

The site brings together content currently spread across the HOW-TOs and other markdown files throughout the project repository.

Initially, we've populated the site with instructions and code snippets for the Java and Python implementations. Moving forward, expect additional content covering other language implementations, additional critical path overviews, and more.

Java

Key templates API

Introduced the KeyTemplates class. It has a get(name) method that facilitates getting any registered key template.

A list of currently registered key templates can be obtained by calling Registry.keyTemplates()

Custom key manager method removals

The following methods have been removed. Except where noted, the methods had been annotated as being deprecated.

• Registry
  • public static <P> PrimitiveSet<P> getPrimitives(KeysetHandle keysetHandle, final KeyManager<P> customManager, Class<P> primitiveClass)
    • not deprecated
  • public static <P> PrimitiveSet<P> getPrimitives(KeysetHandle keysetHandle, Class<P> primitiveClass)
    • not deprecated
  • public static <P> PrimitiveSet<P> getPrimitives(KeysetHandle keysetHandle, final KeyManager<P> customManager)
  • public static <P> PrimitiveSet<P> getPrimitives(KeysetHandle keysetHandle)
• KeysetHandle
  • public <P> P getPrimitive(KeyManager<P> customKeyManager, Class<P> targetClassObject)
• MacFactory
  • public static Mac getPrimitive(KeysetHandle keysetHandle, final KeyManager<Mac> keyManager)
• HybridDecryptFactory
  • public static HybridDecrypt getPrimitive(KeysetHandle keysetHandle, final KeyManager<HybridDecrypt> keyManager)
• AeadFactory
  • public static Aead getPrimitive(KeysetHandle keysetHandle, final KeyManager<Aead> keyManager)
• PublicKeyVerifyFactory
  • public static PublicKeyVerify getPrimitive(KeysetHandle keysetHandle, final KeyManager<PublicKeyVerify> keyManager)
• PublicKeySignFactory
  • public static PublicKeySign getPrimitive(KeysetHandle keysetHandle, final KeyManager<PublicKeySign> keyManager)
• DeterministicAeadFactory
  • public static DeterministicAead getPrimitive(KeysetHandle keysetHandle, final KeyManager<DeterministicAead> keyManager)
• StreamingAeadFactory
  • public static StreamingAead getPrimitive(KeysetHandle keysetHandle, final KeyManager<StreamingAead> keyManager)
    • not deprecated
• HybridEncryptFactory
  • public static HybridEncrypt getPrimitive(KeysetHandle keysetHandle, final KeyManager<HybridEncrypt> keyManager)

Dependency updates

org.json to GSON

The project has migrated to GSON for JSON serialization/deserialization functionality.

Due to this change, the Java implementation is no longer producing HTML-safe encoding by default. This behavior aligns the Java implementation with the other language implementations of Tink.

C++

FIPS only mode

https://github.com/google/tink/blob/1.6/docs/FIPS.md

Obj-C

Support for serializing keys with non-secret key material

Implemented the serializedKeysetNoSecret method on TINKKeysetHandle. This facilitates exporting public keys.

Known issues

• Tink for Obj-C still does not build with Bazel. However, you can still use it in your apps by installing our prebuilt package.

Hall of Fame

This release includes contributions from the following community members:

• saavan251
• iambrosie
• gemfield
• Steve Weis

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink 1.5.0.

The complete list of changes since 1.4.0 can be found here.

What's new

Security fixes

This release fixes a ciphertext malleability issue (CVE-2020-8929) in Tink for Java and Android. This is a low severity issue. No loss of confidentiality or loss of plaintext integrity occurs due to this problem, only ciphertext integrity is compromised.

New language: Javascript/Typescript

This release introduces alpha support for Javascript/Typescript. Check out the HOW-TO and let us know what you think!

New primitive: PRF set

The PRF set primitive allows to redact data in a deterministic fashion, for example personal identifiable information or internal IDs, or to come up with a user ID from user information without revealing said information in the ID. This allows someone with access to the output of the PRF without access to the key do some types of analysis, while limiting others.

This primitive is supported in C++, Java, Python and Golang.

Python

• Added Streaming AEAD. Check out the example for how to encrypt arbitrary large files.

• Added CMAC.

• Added a lot of examples.

pip3 install tink

C++

• Added examples for using hybrid encryption and digital signatures.

We no longer offer prebuilt binaries for C++. Please check out the HOW-TO for compiling your application together with Tink using Bazel or CMake.

Obj-C

• Added support for accessGropus to TINKKeysetHandle.

cd /path/to/your/Xcode project/
pod init
pod 'Tink', '1.5.0'
pod install

Golang

• Added Streaming AEAD with AES-CTR-HMAC.
• Bundled HCVault with Tink. In 1.4.0, HCVault was offered as a separate module, but we were advised by the Golang's team that it should be bundled with Tink.

go get github.com/google/tink/go/...

Java

• Added AES-GCM-SIV. This requires a Java security provider that supports AES-GCM-SIV such as Conscrypt.

<dependency>
  <groupId>com.google.crypto.tink</groupId>
  <artifactId>tink</artifactId>
  <version>1.5.0</version>
</dependency>

Android

• When a call to Android KeyStore failed, Tink will wait a random number of milliseconds (up to 100) before retrying one more time.

dependencies {
  implementation 'com.google.crypto.tink:tink-android:1.5.0'
}

Tinkey

brew tap google/tink https://github.com/google/tink
brew install tinkey

The prebuilt binary attached to this release should also work well on Windows.

Known issues

• Tink for Obj-C doesn't build with Bazel. You can still use it in your apps by installing our prebuilt package, as noted above.

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink 1.4.0.

The complete list of changes since 1.3.0 can be found here.

What's new

Security fixes

This release fixes the following potential security issues, affected users are recommended to upgrade.

• Quan Nguyen of Snap Inc. found that AES-CTR-HMAC-AEAD keys and the EncryptThenAuthenticate subtle implementation may be vulnerable to chosen-ciphertext attacks. An attacker can generate ciphertexts that bypass the HMAC verification if and only if all of the following conditions are true:

  • Tink C++ is used on systems where size_t is a 32-bit integer. This is usually the case on 32-bit machines.
  • The attacker can specify long (>= 2^29 bytes ~ 536MB) associated data.

• Streaming AEAD implementations encrypt the plaintext in segments. Tink uses a 4-byte segment counter. When encrypting a stream consisting of more than 2^32 segments, the segment counter might overflow and lead to leakage of key material or plaintext. This problem was found in the Java and Go implementations of the AES-GCM-HKDF-Streaming key type.

Python

This version introduces support for Python 3.7 and 3.8.

Tink in Python is built on top of C++. It supports all primitives but Streaming AEAD. For an overview, see the HOW-TO. In addition, there are illustrative examples of using Tink in Python which can be used as a jumping off point.

PyPi binary packages for Linux and macOS are provided.

pip3 install tink

C++

• Attempt to erase keys from memory after use.

• Adding support for CordAead, which is a more memory-efficient version of Aead that uses absl::Cord.

We no longer offer prebuilt binaries for C++. Please check out this documentation for how to compile your application together with Tink using Bazel or CMake.

Obj-C

• Removing Obj-C protobufs.

cd /path/to/your/Xcode project/
pod init
pod 'Tink', '1.4.0'
pod install

Golang

• Cleaning up Godoc and adding better examples.

go get github.com/google/tink/go/...

Java

• Removing support for Java 7.

<dependency>
  <groupId>com.google.crypto.tink</groupId>
  <artifactId>tink</artifactId>
  <version>1.4.0</version>
</dependency>

Android

• Bundling a shaded copy of Google Protobuf. This fixes an annoying version conflict bug.

• Bundling a rule file to ensure compatibility with Proguard/R8.

• Refactoring Android Keystore integration

  • Running a self-test to only enable the integration if Android Keystore is working properly.

  • Do not automatically generate fresh keys if keys exist but are corrupt. This won't recover corrupt keys, but at least it will allow to gather more data on Android Keystore failures.

dependencies {
  implementation 'com.google.crypto.tink:tink-android:1.4.0'
}

Tinkey

Tinkey can now be installed via Homebrew on Linux and macOS.

brew tap google/tink https://github.com/google/tink
brew install tinkey

The binaries can also be downloaded from

• https://storage.googleapis.com/tinkey/tinkey-darwin-x86_64-1.4.0.tar.gz
• https://storage.googleapis.com/tinkey/tinkey-linux-x86_64-1.4.0.tar.gz

Known issues

• Tink in Obj-C doesn't build. That is, you can't build it yourself using Bazel. You can still use it in your apps by installing our prebuilt package, as noted above.

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink 1.4.0-rc2.

Changes

This release candidate adds things that we want to ship in 1.4.0, but didn't have a chance to add them to 1.4.0-rc1, such as:

• a proper fix for the infamous Protobuf issue in Tink for Android.
• a better go.mod config.
• many changes in Tink Python that didn't make the last release cut.

The complete list of changes since 1.4.0-rc1 can be found here.

Installation

C++

We no longer offer prebuilt binaries for C++. Please check out this documentation for how to compile your application together with Tink using Bazel or CMake.

Obj-C with CocoaPods

cd /path/to/your/Xcode project/
pod init
pod 'Tink', '1.4.0-rc2'
pod install

Golang

To install Tink locally run:

go get github.com/google/tink/go/...

Python

See setup instructions.

Java with Maven

<dependency>
  <groupId>com.google.crypto.tink</groupId>
  <artifactId>tink</artifactId>
  <version>1.4.0-rc2</version>
</dependency>

Android with Gradle

dependencies {
  implementation 'com.google.crypto.tink:tink-android:1.4.0-rc2'
}

Known issues

• Tink Obj-C doesn't build. That is, you can't check out Tink Obj-C and build it yourself using Bazel. You can still use it in your apps by installing our prebuilt package, as noted above.

What's next

1.4.0 final should be out in 1-2 weeks, barring new issues.

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink 1.4.0-rc1.

Changes

• This version introduces support for Python. Tink Python, which is a Pybind11 wrapper of Tink C++, supports all primitives but Streaming AEAD (which will come in 1.5.0). For an overview of using the Tink Python implementation, see the Python HOW-TO. In addition, there are illustrative examples of using Tink Python which can be used as a jumping off point.

• Tink C++ now tries to erase keys from memory after use.

The complete list of changes since 1.3.0 can be found here. Please note that Tink JavaScript is not a part of this release.

Installation

C++

We no longer offer prebuilt binaries for C++. Please check out this documentation for how to compile your application together with Tink using Bazel or CMake.

Obj-C with CocoaPods

cd /path/to/your/Xcode project/
pod init
pod 'Tink', '1.4.0-rc1'
pod install

Golang

To install Tink locally run:

go get github.com/google/tink/go/...

Python

See setup instructions.

Java with Maven

<dependency>
  <groupId>com.google.crypto.tink</groupId>
  <artifactId>tink</artifactId>
  <version>1.4.0-rc1</version>
</dependency>

Android with Gradle

dependencies {
  compile 'com.google.crypto.tink:tink-android:1.4.0-rc1'
}

Known issues

• Tink Obj-C doesn't build. That is, you can't check out Tink Obj-C and build it yourself using Bazel. You can still use it in your apps by installing our prebuilt package, as noted above. We're fixing this.

What's next

1.4.0 final should be out in 1-2 weeks, barring new issues.

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink 1.3.0.

Changes

There is no change since rc4.

Compared to 1.2.x, main changes in 1.3.0 include

• new language: Golang with primitives MAC, AEAD (incl. KMS envelope), deterministic AEAD, hybrid encryption and digital signatures (see supported primitives and GOLANG HOWTO for details)
• C++ deterministic AEAD (AES-SIV) and streaming AEAD (AES-GCM-HKDF-STREAMING)
• C++ KMS-AEAD and KMS-envelope-AEAD, incl. integration with AWS KMS and GCP KMS.
• RSA-signatures for Java and C++ (RSA-SSA-PKCS1, RSA-SSA-PSS)
• ED25519 signatures for C++, Obj-C, and Go

Please note that Tink JavaScript and Tink Python are not a part of this release. Moreover, streaming envelope encryption (for Java and C++) has been de-prioritized and also is not a part of this release.

Installation

C++

We no longer offer prebuilt binaries for C++. Please check out this documentation for how to compile your application together with Tink using Bazel or CMake.

Obj-C with CocoaPods

cd /path/to/your/Xcode project/
pod init
pod 'Tink', '1.3.0'
pod install

Golang

To install Tink locally run:

go get github.com/google/tink/go/...

Java with Maven

<dependency>
  <groupId>com.google.crypto.tink</groupId>
  <artifactId>tink</artifactId>
  <version>1.3.0</version>
</dependency>

Android with Gradle

dependencies {
  compile 'com.google.crypto.tink:tink-android:1.3.0'
}

What's next

We're actively working on 1.4.0. This release will add Python support. It should be out by April 2020.

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink 1.3.0 Release Candidate 4.

Changes

The complete list of changes since 1.3.0-rc3 can be found here.

Changes of note include (from rc3 to rc4):

• Fix an inconsistency in the Envelope Encryption approach in the C++ implementation (8e4b5c700)

Please note that Tink JavaScript and Tink Python are not a part of this release. Moreover, streaming envelope encryption (for Java and C++) has been de-prioritized and also is not a part of this release.

Installation

C++ with prebuilt binaries

OS="$(uname | tr '[:upper:]' '[:lower:]')"
TARGET_DIR="/usr/local"
curl -L \
  "https://storage.googleapis.com/tink/releases/libtink-${OS}-x86_64-1.3.0-rc4.tar.gz" |
sudo tar -xz -C ${TARGET_DIR}

Obj-C with CocoaPods

cd /path/to/your/Xcode project/
pod init
pod 'Tink', '1.3.0-rc4'
pod install

Golang

To install Tink locally run:

go get github.com/google/tink/go/...

Java with Maven

<dependency>
  <groupId>com.google.crypto.tink</groupId>
  <artifactId>tink</artifactId>
  <version>1.3.0-rc4</version>
</dependency>

Android with Gradle

dependencies {
  compile 'com.google.crypto.tink:tink-android:1.3.0-rc4'
}

What's next

This should be the last release candidate before the final 1.3.0 release.

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink 1.3.0 Release Candidate 3

Changes

The complete list of changes since 1.3.0-rc2 can be found here.

Changes of note include (from rc2 to rc3):

• Fix ExceptionInInitializerError with tink-android (#289)
• Fix CocoaPod to actually include new APIs.

Please note that Tink JavaScript and Tink Python are not a part of this release. Moreover, streaming envelope encryption (for Java and C++) has been de-prioritized and also is not a part of this release.

Installation

C++ with prebuilt binaries

OS="$(uname | tr '[:upper:]' '[:lower:]')"
TARGET_DIR="/usr/local"
curl -L \
  "https://storage.googleapis.com/tink/releases/libtink-${OS}-x86_64-1.3.0-rc3.tar.gz" |
sudo tar -xz -C ${TARGET_DIR}

Obj-C with CocoaPods

The Obj-C artifacts are pending publication. This note will be removed once they are published.

cd /path/to/your/Xcode project/
pod init
pod 'Tink', '1.3.0-rc3'
pod install

Golang

To install Tink locally run:

go get github.com/google/tink/go/...

Java with Maven

<dependency>
  <groupId>com.google.crypto.tink</groupId>
  <artifactId>tink</artifactId>
  <version>1.3.0-rc3</version>
</dependency>

Android with Gradle

dependencies {
  compile 'com.google.crypto.tink:tink-android:1.3.0-rc3'
}

What's next

There may be a few more release candidates before we get to the final 1.3.0 release. It should be out by December 2019.

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink 1.3.0 Release Candidate 2

Changes

The complete list of changes since 1.3.0-rc1 can be found here.

Changes of note include (from rc1 to rc2):

• The recommended version of Bazel is documented in the .bazelversion file in the root of the repository. This approach is compatible with Bazelisk, a wrapper for Bazel maintained by the Bazel team.

Please note that Tink JavaScript and Tink Python are not a part of this release. Moreover, streaming envelope encryption (for Java and C++) has been de-prioritized and also is not a part of this release.

Installation

C++ with prebuilt binaries

OS="$(uname | tr '[:upper:]' '[:lower:]')"
TARGET_DIR="/usr/local"
curl -L \
  "https://storage.googleapis.com/tink/releases/libtink-${OS}-x86_64-1.3.0-rc2.tar.gz" |
sudo tar -xz -C ${TARGET_DIR}

Obj-C with CocoaPods

cd /path/to/your/Xcode project/
pod init
pod 'Tink', '1.3.0-rc2'
pod install

Golang

To install Tink locally run:

go get github.com/google/tink/go/...

Java with Maven

<dependency>
  <groupId>com.google.crypto.tink</groupId>
  <artifactId>tink</artifactId>
  <version>1.3.0-rc2</version>
</dependency>

Android with Gradle

dependencies {
  compile 'com.google.crypto.tink:tink-android:1.3.0-rc2'
}

What's next

There may be a few more release candidates before we get to the final 1.3.0 release. It should be out by December 2019.

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink 1.3.0 Release Candidate 1

Changes

The complete list of changes since 1.2.2 can be found here.

The main changes include:

• new language: Tink in Go, with primitives MAC, AEAD (incl. KMS envelope), deterministic AEAD, hybrid encryption and digital signatures (see supported primitives and GOLANG HOWTO for details)
• C++ deterministic AEAD (AES-SIV) and streaming AEAD (AES-GCM-HKDF-STREAMING)
• C++ KMS-AEAD and KMS-envelope-AEAD, incl. integration with AWS KMS and GCP KMS.
• RSA-signatures for Java and C++ (RSA-SSA-PKCS1, RSA-SSA-PSS)
• ED25519 signatures for C++, Obj-C, and Go

Please note that Tink JavaScript and Tink Python are not a part of this release. Moreover, streaming envelope encryption (for Java and C++) has been de-prioritized and also is not a part of this release.

Installation

C++ with prebuilt binaries

OS="$(uname | tr '[:upper:]' '[:lower:]')"
TARGET_DIR="/usr/local"
curl -L \
  "https://storage.googleapis.com/tink/releases/libtink-${OS}-x86_64-1.3.0-rc1.tar.gz" |
sudo tar -xz -C ${TARGET_DIR}

Obj-C with CocoaPods

cd /path/to/your/Xcode project/
pod init
pod 'Tink', '1.3.0-rc1'
pod install

Golang

To install Tink locally run:

go get github.com/google/tink/go/...

Java with Maven

<dependency>
  <groupId>com.google.crypto.tink</groupId>
  <artifactId>tink</artifactId>
  <version>1.3.0-rc1</version>
</dependency>

Android with Gradle

dependencies {
  compile 'com.google.crypto.tink:tink-android:1.3.0-rc1'
}

What's next

There may be a few more release candidates before we get to the final 1.3.0 release. It should be out by the end of July 2019.

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink 1.2.2.

Changes

This release fixes an issue with the Obj-C build distributed via CocoaPods. In particular, the BoringSSL library is statically linked to prevent namespace clashes in projects which depend on OpenSSL.

The complete list of changes since 1.2.1 can be found here.

Installation

C++ with prebuilt binaries

OS="$(uname | tr '[:upper:]' '[:lower:]')"
TARGET_DIR="/usr/local"
curl -L \
  "https://storage.googleapis.com/tink/releases/libtink-${OS}-x86_64-1.2.2.tar.gz" |
sudo tar -xz -C ${TARGET_DIR}

Obj-C with CocoaPods

cd /path/to/your/Xcode project/
pod init
pod 'Tink', '1.2.2'
pod install

Java with Maven

<dependency>
  <groupId>com.google.crypto.tink</groupId>
  <artifactId>tink</artifactId>
  <version>1.2.2</version>
</dependency>

Android with Gradle

dependencies {
  compile 'com.google.crypto.tink:tink-android:1.2.2'
}

What's next

See the project road map for future plans.

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink 1.2.1.

Changes

This release fixes a bunch of (non-security) bugs. There is no change in the public APIs.

The complete list of changes since 1.2.0 can be found here.

Installation

C++ with prebuilt binaries

OS="$(uname | tr '[:upper:]' '[:lower:]')"
TARGET_DIR="/usr/local"
curl -L \
  "https://storage.googleapis.com/tink/releases/libtink-${OS}-x86_64-1.2.1.tar.gz" |
sudo tar -xz -C ${TARGET_DIR}

Obj-C with Cocoapods

cd /path/to/your/Xcode project/
pod init
pod 'Tink', '1.2.1'
pod install

Java with Maven

<dependency>
  <groupId>com.google.crypto.tink</groupId>
  <artifactId>tink</artifactId>
  <version>1.2.1</version>
</dependency>

Android with Gradle

dependencies {
  compile 'com.google.crypto.tink:tink-android:1.2.1'
}

What's next

See the project road map for future plans.

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink 1.2.0.

Changes

The complete list of changes since Release Candidate 4 can be found here.

Please ignore RSA-related changes; RSA is not part of 1.2.0 release.

New languages: C++ and Obj-C

Tink 1.2.0 adds support for C++ and Obj-C. Both have been running in production at Google for a few months, and support the following algorithms:

• AEAD: AES-EAX, AES-GCM, AES-CTR-HMAC-AEAD
• MAC: HMAC-SHA2
• Digital Signature: ECDSA over NIST curves
• Hybrid Encryption: ECIES over NIST curves with AEAD (AES-GCM and AES-CTR-HMAC-AEAD) and HKDF

Support for AWS KMS will be added to the Tink C++ library in future release candidates. Support for Google Cloud KMS has to wait post 1.2.0 because of lack of Cloud KMS client library.

The Tink Obj-C library supports reading/writing key material to/from iOS Keychain.

Please see the C++ HOWTO and the Obj-C HOWTO for usage.

Installation

C++ with prebuilt binaries

OS="linux"  # Change to "darwin" for macOS
TARGET_DIR="/usr/local"
curl -L \
  "https://storage.googleapis.com/tink/releases/libtink-${OS}-x86_64-1.2.0.tar.gz" |
sudo tar -xz -C ${TARGET_DIR}

Obj-C with Cocoapods

cd /path/to/your/Xcode project/
pod init
pod 'Tink', '1.2.0'
pod install

Java with Maven

<dependency>
  <groupId>com.google.crypto.tink</groupId>
  <artifactId>tink</artifactId>
  <version>1.2.0</version>
</dependency>

Android with Gradle

dependencies {
  compile 'com.google.crypto.tink:tink-android:1.2.0'
}

What's next

See the project road map for future plans.

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink 1.2.0 Release Candidate 4.

Changes

The complete list of changes since Release Candidate 3 can be found here.

Please ignore RSA-related changes; RSA is not part of 1.2.0 release.

New languages: C++ and Obj-C

Tink 1.2.0 adds support for C++ and Obj-C. Both have been running in production at Google for a few months, and support the following algorithms:

• AEAD: AES-EAX, AES-GCM, AES-CTR-HMAC-AEAD
• MAC: HMAC-SHA2
• Digital Signature: ECDSA over NIST curves
• Hybrid Encryption: ECIES over NIST curves with AEAD (AES-GCM and AES-CTR-HMAC-AEAD) and HKDF

Support for AWS KMS will be added to the Tink C++ library in future release candidates. Support for Google Cloud KMS has to wait post 1.2.0 because of lack of Cloud KMS client library.

The Tink Obj-C library supports reading/writing key material to/from iOS Keychain.

Please see the C++ HOWTO and the Obj-C HOWTO for usage.

Installation

C++ with prebuilt binaries

OS="linux"  # Change to "darwin" for macOS
TARGET_DIR="/usr/local"
curl -L \
  "https://storage.googleapis.com/tink/releases/libtink-${OS}-x86_64-1.2.0-rc4.tar.gz" |
sudo tar -xz -C ${TARGET_DIR}

Obj-C with Cocoapods

cd /path/to/your/Xcode project/
pod init
pod 'Tink', '1.2.0-rc4'
pod install

Java with Maven

<dependency>
  <groupId>com.google.crypto.tink</groupId>
  <artifactId>tink</artifactId>
  <version>1.2.0-rc4</version>
</dependency>

Android with Gradle

dependencies {
  compile 'com.google.crypto.tink:tink-android:1.2.0-rc4'
}

What's next

This is intended to be the last release candidate before the final 1.2.0 release.

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink 1.2.0 Release Candidate 3.

Changes

The complete list of changes since Release Candidate 2 can be found here. Please ignore RSA-related changes; RSA is not part of 1.2.0 release.

This candidate adds C++/Obj-C APIs to generate keys and to get public keys from private keys. We thank Sreejith Krishnan R for reporting these bugs.

New languages: C++ and Obj-C

Tink 1.2.0 adds support for C++ and Obj-C. Both have been running in production at Google for a few months, and support the following algorithms:

• AEAD: AES-EAX, AES-GCM, AES-CTR-HMAC-AEAD
• MAC: HMAC-SHA2
• Digital Signature: ECDSA over NIST curves
• Hybrid Encryption: ECIES over NIST curves with AEAD (AES-GCM and AES-CTR-HMAC-AEAD) and HKDF

Support for AWS KMS will be added to the Tink C++ library in future release candidates. Support for Google Cloud KMS has to wait post 1.2.0 because of lack of Cloud KMS client library.

The Tink Obj-C library supports reading/writing key material to/from iOS Keychain.

Please see the C++ HOWTO and the Obj-C HOWTO for usage.

Installation

C++ with prebuilt binaries

OS="linux"  # Change to "darwin" for macOS
TARGET_DIR="/usr/local"
curl -L \
  "https://storage.googleapis.com/tink/releases/libtink-${OS}-x86_64-1.2.0-rc3.tar.gz" |
sudo tar -xz -C ${TARGET_DIR}

Obj-C with Cocoapods

cd /path/to/your/Xcode project/
pod init
pod 'Tink', '1.2.0-rc3'
pod install

Java with Maven

<dependency>
  <groupId>com.google.crypto.tink</groupId>
  <artifactId>tink</artifactId>
  <version>1.2.0-rc3</version>
</dependency>

Android with Gradle

dependencies {
  compile 'com.google.crypto.tink:tink-android:1.2.0-rc3'
}

What's next

There may be a few more release candidates before we get to the final 1.2.0 release. It should be out by the end of July 2018.

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink 1.2.0 Release Candidate 2.

Note: Release Candidate 1 was private and used to test the Obj-C publishing process.

New languages: C++ and Obj-C

Tink 1.2.0 adds support for C++ and Obj-C. Both have been running in production at Google for a few months, and support the following algorithms:

• AEAD: AES-EAX, AES-GCM, AES-CTR-HMAC-AEAD
• MAC: HMAC-SHA2
• Digital Signature: ECDSA over NIST curves
• Hybrid Encryption: ECIES over NIST curves with AEAD (AES-GCM and AES-CTR-HMAC-AEAD) and HKDF

Support for AWS KMS will be added to the Tink C++ library in future release candidates. Support for Google Cloud KMS has to wait post 1.2.0 because of lack of Cloud KMS client library. The Tink Obj-C library supports reading/writing key material to/from iOS Keychain.

Please see the C++ HOWTO and the Obj-C HOWTO for usage.

Installation

C++ with prebuilt binaries

OS="linux" # Change to "darwin" for macOS
TARGET_DIR="/usr/local"
curl -L \
"https://storage.googleapis.com/tink/releases/libtink-${OS}-x86_64-1.2.0-rc2.tar.gz" |
sudo tar -xz -C $TARGET_DIR

Obj-C with Cocoapods

cd /path/to/your/Xcode project/
pod init
pod 'Tink', '1.2.0-rc2'
pod install

Java with Maven

<dependency>
  <groupId>com.google.crypto.tink</groupId>
  <artifactId>tink</artifactId>
  <version>1.2.0-rc2</version>
</dependency>

Android with Gradle

dependencies {
  compile 'com.google.crypto.tink:tink-android:1.2.0-rc2'
}

What's next

There may be a few more release candidates before we get to the final 1.2.0 release. It should be out by the end of July 2018.

Tink is a multi-language, cross-platform library that provides an easy, simple, secure, and agile API for common cryptographic tasks.

This is a minor release which includes a fix for a build error (#94) and documentation cleanup.

Installation

Java developers can install Tink using Maven:

<dependency>
  <groupId>com.google.crypto.tink</groupId>
  <artifactId>tink</artifactId>
  <version>1.1.1</version>
</dependency>

Android developers can install Tink using Gradle:

dependencies {
  compile 'com.google.crypto.tink:tink-android:1.1.1'
}

For usage, please see the Java HOWTO. A list of known issues is provided here.

Javadoc

• Java
• Android
• Google Pay Token

Tink is a multi-language, cross-platform library that provides an easy, simple, secure, and agile API for common cryptographic tasks.

This is the second release. Like the first release, Java is still the only officially supported language. Tink for C++, Objective-C and Go are working (C++ has been running in production at Google for a while), and we’re working hard to bring these languages in 1.2.0. See our feature roadmap for more details.

Installation

Java developers can install Tink using Maven:

<dependency>
  <groupId>com.google.crypto.tink</groupId>
  <artifactId>tink</artifactId>
  <version>1.1.0</version>
</dependency>

Android developers can install Tink using Gradle:

dependencies {
  compile 'com.google.crypto.tink:tink-android:1.1.0'
}

For usage, please see the Java HOWTO. A list of known issues is provided here.

New primitives and algorithms

• AEAD: CHACHA20-POLY1305

• Digital Signature: ED25519

• Deterministic AEAD: AES-SIV

• Streaming AEAD: AES-GCM-HKDF-STREAMING and AES-CTR-HMAC-STREAMING

New apps

Aside from the core APIs, Tink provides apps that implement common standards or protocols. The apps depend on Tink, but are built separately.

Google Pay Token

This app is an implementation of Google Pay Token Cryptography Standard. Version 1.1.0 adds supports for the ECv2 protocol.

<dependency>
  <groupId>com.google.crypto.tink</groupId>
  <artifactId>apps-paymentmethodtoken</artifactId>
  <version>1.1.0</version>
</dependency>

Web Push Message Encryption

This app is an implementation of RFC 8291 - Message Encryption for Web Push.

<dependency>
  <groupId>com.google.crypto.tink</groupId>
  <artifactId>apps-webpush</artifactId>
  <version>1.1.0</version>
</dependency>

Javadoc

• Java
• Android
• Google Pay Token
• Web Push Message Encryption

This is the first release of Tink. The only supported language in this release is Java. Tink for Java comes in two flavors:

• The main flavor, and
• The Android flavor that is optimized for Android.

For installation and usage, please see the Java HOWTO.

Supported primitives and algorithms

Both flavors support the following primitives and algorithms:

• AEAD: AES-EAX, AES-GCM, AES-CTR-HMAC-AEAD, KMS Envelope
• MAC: HMAC-SHA2
• Digital Signature: ECDSA over NIST curves
• Hybrid Encryption: ECIES over NIST curves with AEAD (AES-GCM and AES-CTR-HMAC-AEAD) and HKDF

Supported key management systems

• Main flavor: AWS KMS, GCP KMS
• Android flavor: Android Keystore (require Android M or newer).

Warnings

Do not use APIs including fields and methods marked with the @Alpha annotation. They can be modified in any way, or even removed, at any time. They are in the package, but not for official, production release, but only for testing.

What's next

We've already started working on 1.1.0. If things go well, we'll introduce the following algorithms:

• AEAD: CHACHA20-POLY1305, XCHACHA20-POLY1305, XSALSA20-POLY1305
• Digital signature: EdDSA over Ed25519
• Hybrid Encryption: NaCl CryptoBox