Nocrypto: for when you're sick of crypto.
A treasure-trove of random utilities. This is largely an internal API and prone to breakage.
Addons to Cstruct.
Misc elementary number theory functions:
Mutable hashing context.
Size of hashing results, in bytes.
Simpler short-hands for common operations over varying hashes:
Module types for various instantiations of block ciphers.
Raw block cipher in all its glory.
Modes of operation:
Cipher-block chaining mode.
Counter with CBC-MAC mode.
Implementation of Fortuna CSPRNG.
Generator state. Changes when operated upon.
Internally, generation always produces a multiple of
Accumulator pools, collecting entropy and periodically reseeding the attached g.
Reseeding is performed on the first generate following a non-empty sequence of calls to add.
Each accumulator instance contains 32 entropy pools, which are taken into account with exponentially decreasing frequency and are meant to be fed round-robin.
add ~acc ~source ~pool bytes adds bytes into pool-th entropy pool of acc, marked as coming from
pool is taken mod 32 and source is taken
This operation is fast and is expected to be frequently called with small amounts of environmentally sourced entropy, such as timings or user input.
source should indicate a stable source of input but has no meaning beyond
pools should be rotated roughly round-robin.
The global RNG. Instantiates Fortuna.
The core random generator signature.
State type for this generator.
Typed random number extraction: Rng for a type
The type of extracted values.
RNG with full suite of typed numeric extractions.
RSA public-key cryptography.
Keys are taken to be trusted material, and their properties are not checked.
Messages are checked not to exceed the key size, and this is signalled via exceptions.
Private-key operations are optionally protected through RSA blinding.
Raised if the numeric magnitude of a message, with potential padding, is
inappropriate for a given key, i.e. the message, when interpreted as
big-endian encoding of a natural number, meets or exceeds the key's
or is 0.
Module providing operations with PKCS1 padding.
The operations that take cleartext to ciphertext, sign and encrypt, assume that the key has enough bits to encode the message and the padding, and raise exceptions otherwise. The operations that recover cleartext from ciphertext, verify and decrypt, return size and padding
DSA digital signature algorithm.
Key size request. Three Fips variants refer to FIPS-standardized
p size) and imply the corresponding N (q size); the last variant specifies L and N directly.
K_gen can be instantiated over a hashing module to obtain an RFC6979 k-generator over that hash.
massage key digest is the numeric value of digest taken modulo
represented in the leftmost bits(q) bits of the result.
Both FIPS.186-4 and RFC6979 specify that only the leftmost bits(q) bits of digest are to be taken into account, but some implementations consider the
digest. In cases where sign and verify seem incompatible with a given implementation (esp. if sign produces signatures with the
component different from the other implementation's), it might help to
digest using this function
sign ~key (massage ~key:(pub_of_priv key) digest)).
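The digest-handling mismatch described above, as an added Python illustration that is not nocrypto code: it compares the leftmost-bits(q) convention with one that reduces the whole digest mod q, and shows a massage-style re-encoding reconciling the two. The toy group, key, nonce, digest and all function bodies are constructed assumptions; reading "consider the digest" as "use the whole digest" is also an assumption.

```python
# Added illustration, not nocrypto code. Toy DSA group (constructed, insecure):
# P = 607 is prime, Q = 101 divides P - 1, G = 2^((P-1)/Q) mod P has order Q.
P, Q, G = 607, 101, 64
X = 7                      # constructed private key
Y = pow(G, X, P)           # matching public key
K = 2                      # fixed nonce so both conventions can be compared
DIGEST = b"\xff" * 32      # constructed 32-byte digest, longer than bits(Q)


def leftmost_bits(digest: bytes, q: int) -> int:
    """FIPS 186-4 / RFC 6979 convention: keep only the leftmost bits(q) bits."""
    excess = 8 * len(digest) - q.bit_length()
    n = int.from_bytes(digest, "big")
    return n >> excess if excess > 0 else n


def whole_digest(digest: bytes, q: int) -> int:
    """Assumed other convention: the entire digest as a number, reduced mod q."""
    return int.from_bytes(digest, "big") % q


def massage(digest: bytes, q: int) -> bytes:
    """Re-encode (digest mod q) so that its leftmost bits(q) bits carry it."""
    nbits = q.bit_length()
    nbytes = (nbits + 7) // 8
    value = int.from_bytes(digest, "big") % q
    return (value << (8 * nbytes - nbits)).to_bytes(nbytes, "big")


def sign(z: int, k: int = K) -> tuple:
    """Textbook DSA signing over the toy group; z is the digest as a number."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (z + X * r) % Q
    if r == 0 or s == 0:
        raise ValueError("unusable nonce")
    return r, s


def verify(z: int, r: int, s: int) -> bool:
    """Textbook DSA verification; range-checks r and s before use."""
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    v = pow(G, z * w % Q, P) * pow(Y, r * w % Q, P) % P % Q
    return v == r
```

With the same key and nonce, the two conventions give the same r but a different s, and a signature made under one does not verify under the other until the digest is massaged first.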
Diffie-Hellman, MODP version.
Raised if the public key is degenerate. Implies either badly malfunctioning DH on the other side, or an attack attempt.
Bit size of the modulus (not the subgroup order, which might not be known).
gen_group bits generates a random group with modulus size
Uses a safe prime p = 2q + 1 (with prime q) as modulus, and
Subgroup order is strictly
Runtime is on the order of a minute for 1024 bits.
bits is ridiculously small.
A small catalog of standardized groups.
From RFC 2409:
From RFC 3526:
From RFC 5114: