Copyright | (c) Joseph Abrahamson 2013 |
---|---|
License | MIT |
Maintainer | me@jspha.com |
Stability | experimental |
Portability | non-portable |
Safe Haskell | None |
Language | Haskell2010 |

Secret-key encryption: Crypto.Saltine.Core.Stream

The `stream` function produces a sized stream `ByteString` as a function of a secret key and a nonce. The `xor` function encrypts a message `ByteString` using a secret key and a nonce. The `xor` function guarantees that the ciphertext has the same length as the plaintext, and is the `` plaintext `xor` stream k n ``. Consequently `xor` can also be used to decrypt.

The `stream` function, viewed as a function of the nonce for a uniform random key, is designed to meet the standard notion of unpredictability ("PRF"). For a formal definition see, e.g., Section 2.3 of Bellare, Kilian, and Rogaway, "The security of the cipher block chaining message authentication code," Journal of Computer and System Sciences 61 (2000), 362–399; http://www-cse.ucsd.edu/~mihir/papers/cbc.html. This means that an attacker cannot distinguish this function from a uniform random function. Consequently, if a series of messages is encrypted by `xor` with *a different nonce for each message*, the ciphertexts are indistinguishable from uniform random strings of the same length.

Note that the length is not hidden. Note also that it is the caller's responsibility to ensure the uniqueness of nonces—for example, by using nonce 1 for the first message, nonce 2 for the second message, etc. Nonces are long enough that randomly generated nonces have negligible risk of collision.

Saltine does not make any promises regarding the resistance of crypto_stream to "related-key attacks." It is the caller's responsibility to use proper key-derivation functions.

Crypto.Saltine.Core.Stream is `crypto_stream_xsalsa20`, a particular cipher specified in "Cryptography in NaCl" (http://nacl.cr.yp.to/valid.html), Section 7. This cipher is conjectured to meet the standard notion of unpredictability.

This is version 2010.08.30 of the stream.html web page.

# Documentation

An opaque `stream` cryptographic key.

An opaque `stream` nonce.

`stream` | |
---|---|
:: Key | |
-> Nonce | |
-> Int | |
-> ByteString | Cryptographic stream |

`xor` | |
---|---|
:: Key | |
-> Nonce | |
-> ByteString | Message |
-> ByteString | Ciphertext |

Computes the exclusive-or between a message and a cryptographic random stream indexed by the `Key` and the `Nonce`. This renders the output indistinguishable from random noise so long as the `Nonce` is not used more than once. *Note:* while this can be used for encryption and decryption, it is *possible for an attacker to manipulate the message in transit without detection*. USE AT YOUR OWN RISK.
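The properties stated above (length preservation, `xor` as its own inverse, the nonce-uniqueness requirement, and the absence of integrity protection) can be checked with the following added example, which is not Saltine's code. It assumes a stand-in keystream built from SHAKE-256 instead of XSalsa20, since the properties hold for any XOR stream construction; `bxor`, `NonceCounter`, `demo` and the sample messages are constructed for illustration.

```python
import hashlib

KEY_BYTES, NONCE_BYTES = 32, 24  # crypto_stream_xsalsa20 key and nonce sizes

def stream(key, nonce, n):
    """Stand-in keystream (assumption): SHAKE-256(key || nonce), not XSalsa20."""
    if len(key) != KEY_BYTES or len(nonce) != NONCE_BYTES:
        raise ValueError("bad key or nonce length")
    return hashlib.shake_256(key + nonce).digest(n)

def bxor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def xor(key, nonce, msg):
    """msg XOR stream(key, nonce, len(msg)); the same call encrypts and decrypts."""
    return bxor(msg, stream(key, nonce, len(msg)))

class NonceCounter:
    """Caller-side uniqueness: nonce 1 for the first message, 2 for the second."""
    def __init__(self):
        self.count = 0

    def next(self):
        self.count += 1
        return self.count.to_bytes(NONCE_BYTES, "big")

def demo():
    key = bytes(range(KEY_BYTES))                     # constructed sample key
    p1, p2 = b"meeting at 09:00", b"meeting at 17:30"  # constructed messages
    nonces = NonceCounter()
    n1, n2 = nonces.next(), nonces.next()
    c1, c2 = xor(key, n1, p1), xor(key, n2, p2)
    # Same key and nonce for a second message: the keystream cancels out.
    c2_reused = xor(key, n1, p2)
    # One ciphertext bit changed in transit; decryption raises no error.
    flipped = bytes([c1[0] ^ 0x01]) + c1[1:]
    return {
        "length_preserved": len(c1) == len(p1),
        "xor_decrypts": xor(key, n1, c1) == p1,
        "unique_nonces_hide_relation": bxor(c1, c2) != bxor(p1, p2),
        "reuse_leaks_plaintext_xor": bxor(c1, c2_reused) == bxor(p1, p2),
        "bit_flip_undetected": xor(key, n1, flipped) == bytes([p1[0] ^ 0x01]) + p1[1:],
    }

if __name__ == "__main__":
    for name, held in demo().items():
        print(f"{name}: {held}")
```

Every entry evaluates to `True`: with a repeated nonce the XOR of two ciphertexts equals the XOR of the two plaintexts, and a flipped ciphertext bit decrypts to a plaintext with the same bit flipped.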