Nocrypto: for when you're sick of crypto.
Numeric utilities.
Misc elementary number theory functions:
Block ciphers.
Module types for various instantiations of block ciphers.
Modes of operation:
Implementation of Fortuna CSPRNG.
Generator state. Changes when operated upon.
Internally, generation always produces a multiple of block_size bytes.
Accumulator pools, collecting entropy and periodically reseeding the attached g.
Reseeding is performed on the first generate following a non-empty sequence of calls to add.
Each accumulator instance contains 32 entropy pools, which are taken into account with exponentially decreasing frequency and are meant to be fed round-robin.
An accumulator.
add ~acc ~source ~pool bytes adds bytes into pool-th entropy pool of the accumulator acc, marked as coming from source. pool is taken mod 32 and source is taken mod 256.
This operation is fast and is expected to be frequently called with small amounts of environmentally sourced entropy, such as timings or user input.
source should indicate a stable source of input but has no meaning beyond that. pools should be rotated roughly round-robin.
The global RNG. Instantiates Fortuna.
Module types.
The core random generator signature.
State type for this generator.
RSA public-key cryptography.
Keys are taken to be trusted material, and their properties are not checked.
Messages are checked not to exceed the key size, and this is signalled via exceptions.
Private-key operations are optionally protected through RSA blinding.
Raised if the numeric magnitude of a message, with potential padding, is inappropriate for a given key, i.e. the message, when interpreted as big-endian encoding of a natural number, meets or exceeds the key's n, or is 0.
Module providing operations with PKCS1 padding.
The operations that take cleartext to ciphertext, sign and encrypt, assume that the key has enough bits to encode the message and the padding, and raise exceptions otherwise. The operations that recover cleartext from ciphertext, verify and decrypt, return size and padding mismatches as None.
DSA digital signature algorithm.
Key size request. Three Fips variants refer to FIPS-standardized L-values (p size) and imply the corresponding N (q size); the last variant specifies L and N directly.
K_gen can be instantiated over a hashing module to obtain an RFC6979 compliant k-generator over that hash.
massage key digest is the numeric value of digest taken modulo q and represented in the leftmost bits(q) bits of the result.
Both FIPS.186-4 and RFC6979 specify that only the leftmost bits(q) bits of digest are to be taken into account, but some implementations consider the entire digest. In cases where sign and verify seem incompatible with a given implementation (esp. if sign produces signatures with the s component different from the other implementation's), it might help to pre-process digest using this function (e.g. sign ~key (massage ~key:(pub_of_priv key) digest)).
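The mismatch described above, as an added Python illustration that is not Nocrypto code and does not reproduce massage: textbook DSA signed and verified under the leftmost-bits(q) convention and under the whole-digest convention. The group (p = 23, q = 11, g = 4), the key, the nonce and the 16-bit digest are constructed toy values, far too small for real use.

```python
# Added illustration (not Nocrypto code). Toy DSA parameters, constructed for
# the example and far too small for real use: q = 11 divides p - 1 = 22.
P, Q, G = 23, 11, 4          # G has order Q modulo P
X = 7                        # private key (constructed)
Y = pow(G, X, P)             # public key

def z_leftmost(digest, q):
    """FIPS 186-4 / RFC 6979: use only the leftmost bits(q) bits of digest."""
    excess = len(digest) * 8 - q.bit_length()
    z = int.from_bytes(digest, "big")
    return z >> excess if excess > 0 else z

def z_whole(digest, q):
    """Divergent convention: use the entire digest as the integer."""
    return int.from_bytes(digest, "big")

def sign(digest, k, to_int):
    """Textbook DSA signing. The nonce k is passed in only to make the
    output reproducible; a real k must be secret and never reused."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (to_int(digest, Q) + X * r) % Q
    if r == 0 or s == 0:
        raise ValueError("unusable k for this digest")
    return r, s

def verify(digest, sig, to_int):
    """Textbook DSA verification using the given digest-to-integer rule."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1 = to_int(digest, Q) * w % Q
    u2 = r * w % Q
    return pow(G, u1, P) * pow(Y, u2, P) % P % Q == r

DIGEST = bytes.fromhex("a35c")   # constructed 16-bit "digest", wider than q

if __name__ == "__main__":
    a = sign(DIGEST, 3, z_leftmost)
    b = sign(DIGEST, 3, z_whole)
    # Same r, different s: the symptom the documentation mentions.
    print("leftmost-bits signer:", a, " whole-digest signer:", b)
    print("cross-verification:", verify(DIGEST, b, z_leftmost))
```

Both signers produce the same r but a different s, and each signature verifies only under the convention that produced it.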
Diffie-Hellman, MODP version.
Raised if the public key is degenerate. Implies either badly malfunctioning DH on the other side, or an attack attempt.
Bit size of the modulus (not the subgroup order, which might not be known).
gen_group bits generates a random group with modulus size bits.
Uses a safe prime p = 2q + 1 (with prime q) as modulus, and 2 or q as the generator.
Subgroup order is strictly q.
Runtime is on the order of a minute for 1024 bits.
Raises Invalid_argument if bits is ridiculously small.