Tink

Tink is a multi-language, cross-platform cryptographic library developed by Google, designed to make secure cryptography easy and accessible for developers while eliminating common pitfalls and misuse. Created by Daniel Bleichenbacher, Thai Duong, and Emilia Kasper at Google, Tink was born out of the observation that even experienced developers frequently make cryptographic mistakes when using low-level libraries, leading to vulnerabilities like nonce reuse, weak random number generation, improper key management, and insecure algorithm choices. Tink addresses these issues by providing high-level, opinionated APIs that make insecure operations difficult or impossible to perform. Key design principles include: using safe defaults for all algorithms (developers do not choose cipher modes, key sizes, or nonce strategies — Tink selects the most secure options automatically), eliminating nonce reuse (Tink manages nonce generation internally using cryptographic random, ensuring that nonces are never reused for the same key), key rotation and versioning (Tink supports keysets containing multiple keys with different versions, enabling seamless key rotation without breaking decryption of older data), key management integration (Tink integrates with Google Cloud KMS, AWS KMS, HashiCorp Vault, and local key stores for secure key storage), and audit logging (tracking all cryptographic operations for compliance). Supported cryptographic primitives include: authenticated symmetric encryption (AES-GCM, AES-CTR-HMAC, XChaCha20-Poly1305), hybrid encryption (ECIES over P-256 or X25519), digital signatures (ECDSA over P-256, Ed25519, RSA-SSA-PKCS1), MAC (HMAC-SHA256, AES-CMAC), deterministic encryption (AES-SIV), and streaming encryption for large files. Available in Java, C++, Go, and Python. As of 2026, Tink has over 13,000 stars.