cryptonite-0.27: Cryptography Primitives sink
License BSD-style
Maintainer Olivier Chéron <olivier.cheron@gmail.com>
Stability experimental
Portability unknown
Safe Haskell None
Language Haskell2010

Crypto.Cipher.AESGCMSIV

Description

Implementation of AES-GCM-SIV, an AEAD scheme with nonce misuse resistance defined in RFC 8452.

To achieve the nonce-misuse-resistance property, encryption requires two passes over the plaintext: the authentication tag is computed first, and the tag is then used to derive the counter block for encryption. No streaming API is therefore provided; this AEAD operates on complete inputs held in memory. For simplicity, decryption uses the same two-pass pattern, at a performance penalty compared to an implementation that merges both passes.

The specification allows inputs up to 2^36 bytes, but this implementation requires the AAD and the plaintext/ciphertext to each be smaller than 2^32 bytes.

Documentation

nonce :: ByteArrayAccess iv => iv -> CryptoFailable Nonce

Nonce smart constructor. Accepts only 12-byte (96-bit) inputs; any other length yields a CryptoFailed result rather than a Nonce.

generateNonce :: MonadRandom m => m Nonce

Generate a random nonce for use with AES-GCM-SIV. Because the scheme is nonce-misuse resistant, accidentally reusing a nonce under the same key does not expose the key or the keystream; it only reveals whether two messages with the same AAD had identical plaintexts, since encryption is deterministic for a given (key, nonce, AAD, plaintext).

encrypt :: (BlockCipher128 aes, ByteArrayAccess aad, ByteArray ba) => aes -> Nonce -> aad -> ba -> (AuthTag, ba)

AEAD encryption with the specified key and nonce, returning the authentication tag and the ciphertext. The key must be given as an initialized AES128 or AES256 cipher; RFC 8452 defines AES-GCM-SIV only for 128-bit and 256-bit AES keys.

Lengths of additional data and plaintext must each be less than 2^32 bytes; otherwise an exception is thrown.

decrypt :: (BlockCipher128 aes, ByteArrayAccess aad, ByteArray ba) => aes -> Nonce -> aad -> ba -> AuthTag -> Maybe ba

AEAD decryption with the specified key and nonce. The key must be given as an initialized AES128 or AES256 cipher. The result is Nothing when the tag does not verify (for example, because the ciphertext, AAD, nonce or key differs from what was used to encrypt); no plaintext is released in that case.

Lengths of additional data and ciphertext must each be less than 2^32 bytes; otherwise an exception is thrown.
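The following program is an added example, not code from the cryptonite project or its documentation. It exercises nonce, generateNonce, encrypt and decrypt as documented above: a round trip, rejection of a wrong-length nonce, rejection of tampered ciphertext, tampered AAD and a wrong nonce, and the deterministic behaviour on nonce reuse. The key, nonce lengths, AAD and messages are constructed test values; the helper names flipFirstBit and report are assumptions of this example.

```haskell
-- Added example (not part of cryptonite): round trip, tamper detection and
-- nonce-reuse behaviour of Crypto.Cipher.AESGCMSIV. All inputs are
-- constructed test values.
module Main (main) where

import           Crypto.Cipher.AES        (AES256)
import           Crypto.Cipher.Types      (cipherInit)
import qualified Crypto.Cipher.AESGCMSIV  as GCMSIV
import           Crypto.Error             (CryptoFailable (..), throwCryptoErrorIO)
import           Data.Bits                (xor)
import           Data.ByteString          (ByteString)
import qualified Data.ByteString          as B
import qualified Data.ByteString.Char8    as BC

-- Flip the lowest bit of the first byte, simulating a corrupted message.
-- (Helper name assumed by this example.)
flipFirstBit :: ByteString -> ByteString
flipFirstBit bs = case B.uncons bs of
  Nothing        -> bs
  Just (b, rest) -> B.cons (b `xor` 0x01) rest

-- Print a labelled check; the label states the property being verified.
-- (Helper name assumed by this example.)
report :: String -> Bool -> IO ()
report label ok = putStrLn ((if ok then "[ok]   " else "[FAIL] ") ++ label)

main :: IO ()
main = do
  -- Fixed 256-bit test key. A real key must come from a KDF or a CSPRNG.
  let keyBytes = B.replicate 32 0x42
  aes <- throwCryptoErrorIO (cipherInit keyBytes) :: IO AES256

  -- nonce accepts only 12-byte inputs; an 11-byte value is rejected.
  case GCMSIV.nonce (B.replicate 11 0x00) of
    CryptoFailed err -> putStrLn ("11-byte nonce rejected: " ++ show err)
    CryptoPassed _   -> putStrLn "[FAIL] short nonce was accepted"

  -- Normal use: a fresh random nonce per message.
  n1 <- GCMSIV.generateNonce
  let aad       = BC.pack "record-type=1"
      pt        = BC.pack "attack at dawn"
      (tag, ct) = GCMSIV.encrypt aes n1 aad pt

  report "round trip returns the plaintext"
    (GCMSIV.decrypt aes n1 aad ct tag == Just pt)

  -- Any change to ciphertext, AAD or nonce makes decrypt return Nothing,
  -- so no plaintext is released for an unauthenticated message.
  report "tampered ciphertext is rejected"
    (GCMSIV.decrypt aes n1 aad (flipFirstBit ct) tag == Nothing)
  report "tampered AAD is rejected"
    (GCMSIV.decrypt aes n1 (flipFirstBit aad) ct tag == Nothing)
  n2 <- GCMSIV.generateNonce
  report "wrong nonce is rejected"
    (GCMSIV.decrypt aes n2 aad ct tag == Nothing)

  -- Nonce reuse: encryption is deterministic, so re-encrypting the same
  -- (nonce, AAD, plaintext) reproduces the same tag and ciphertext. That
  -- equality is all an observer learns when a nonce is reused.
  let (tag', ct') = GCMSIV.encrypt aes n1 aad pt
      (_, ct2)    = GCMSIV.encrypt aes n1 aad (BC.pack "attack at dusk")
  report "same message under the same nonce is recognisable"
    (ct' == ct && tag' == tag)
  -- The counter block is derived from the tag, which depends on the
  -- plaintext, so a different plaintext under the same nonce is encrypted
  -- with a different counter stream rather than the same one.
  report "different message under the same nonce yields a different ciphertext"
    (ct2 /= ct)
```

Build against cryptonite (0.27 or later, which is where this module appeared) and bytestring; AuthTag's Eq instance performs a constant-time comparison, while the ByteString comparisons above are only for demonstrating the properties and are not themselves a tag check.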