This is a breaking change. For data in transit, update everyone at
once. For data at rest, decrypt then re-encrypt everything. Sorry
about that. I should have thought this through earlier.
The main reason for this change is speed. While Monocypher doesn't aim
to be as fast as possible itself, it *does* aim to allow upgrades. By
ensuring that processing is aligned to block boundaries, RFC 7539
simplifies the implementation of fast algorithms.
This change brings the following benefits:
- Users who need the best speed possible ever can upgrade.
- The length of the additional data is now authenticated, closing a
potential minor vulnerability.
- We can use Libsodium's crypto_aead_xchacha20poly1305_ietf_encrypt to
generate test vectors.
---
The monolithic interface stays the same. Function names, types, and
buffer sizes, are identical. Just recompile your programs to upgrade.
The incremental interface has been changed to be more orthogonal:
`crypto_lock_encrypt()` and `crypto_lock_auth()` have been removed.
There shall be one true AEAD construction, users don't need those
building blocks. Users who *really* need another AEAD construction can
write it themselves with the low-level primitives.
`crypto_lock_aead_auth()` and `crypto_unlock_aead_auth()` have been
renamed `crypto_lock_auth_ad()` and `crypto_unlock_auth_ad()`
respectively. "aead" was a misnomer, those functions only authenticate
additional data.
`crypto_lock_auth_message()` and `crypto_unlock_auth_message()` have
been added. They authenticate the cipher text. Their main use is
performing a separate authentication pass (usefull when users expect a
high corruption rate).
projects / Monocypher.git / commit