License | BSD-style |
---|---|
Maintainer | Olivier Chéron <olivier.cheron@gmail.com> |
Stability | experimental |
Portability | unknown |
Safe Haskell | None |
Language | Haskell2010 |
Implementation of AES-GCM-SIV, an AEAD scheme with nonce misuse resistance defined in RFC 8452.
To achieve the nonce misuse-resistance property, encryption requires two passes on the plaintext, hence no streaming API is provided. This AEAD operates on complete inputs held in memory. For simplicity, the implementation of decryption uses a similar pattern, with performance penalty compared to an implementation which is able to merge both passes.
The specification allows inputs up to 2^36 bytes but this implementation requires AAD and plaintext/ciphertext to be both smaller than 2^32 bytes.
Synopsis
- data Nonce
- nonce :: ByteArrayAccess iv => iv -> CryptoFailable Nonce
- generateNonce :: MonadRandom m => m Nonce
- encrypt :: (BlockCipher128 aes, ByteArrayAccess aad, ByteArray ba) => aes -> Nonce -> aad -> ba -> (AuthTag, ba)
- decrypt :: (BlockCipher128 aes, ByteArrayAccess aad, ByteArray ba) => aes -> Nonce -> aad -> ba -> AuthTag -> Maybe ba
Documentation
Nonce value for AES-GCM-SIV, always 12 bytes.
nonce :: ByteArrayAccess iv => iv -> CryptoFailable Nonce #
Nonce smart constructor. Accepts only 12-byte inputs.
generateNonce :: MonadRandom m => m Nonce #
Generate a random nonce for use with AES-GCM-SIV.
encrypt :: (BlockCipher128 aes, ByteArrayAccess aad, ByteArray ba) => aes -> Nonce -> aad -> ba -> (AuthTag, ba) #
decrypt :: (BlockCipher128 aes, ByteArrayAccess aad, ByteArray ba) => aes -> Nonce -> aad -> ba -> AuthTag -> Maybe ba #