were removed,
Functions were renamed and arguments reordered for consistency,
and the incremental interface was added.
+.Sh CAVEATS
+Monocypher does not perform any input validation.
+Any deviation from the specified input and output length ranges results
+in
+.Sy undefined behaviour .
+Make sure your inputs are correct.
.Fn crypto_argon2
in Monocypher 4.0.0.
.Sh CAVEATS
+Monocypher does not perform any input validation.
Any deviation from the algorithm constants,
specified input and output length ranges results
in
in Monocypher 3.0.0, then
.Fn crypto_chacha20_h
in Monocypher 4.0.0.
+.Sh CAVEATS
+Monocypher does not perform any input validation.
+Any deviation from the specified input and output length ranges results
+in
+.Sy undefined behaviour .
+Make sure your inputs are correct.
.Sh SECURITY CONSIDERATIONS
.Ss Encrypted does not mean secure .
ChaCha20 only protects against eavesdropping, not forgeries.
.Fn crypto_ed25519_key_pair
replaced
.Fn crypto_ed25519_public_key .
+.Sh CAVEATS
+Monocypher does not perform any input validation.
+Any deviation from the specified input and output length ranges results
+in
+.Sy undefined behaviour .
+Make sure your inputs are correct.
+.Sh SECURITY CONSIDERATIONS
+.Ss Signature malleability
+Signature malleability is the ability of an attacker to produce a valid
+signature with knowledge of only an existing signature and the public
+key.
+Monocypher prevents that by checking the encoding of the signature,
+and guarantees that generating new signatures requires the private key.
+.Pp
+On the other hand, EdDSA signatures are not unique like cryptographic
+hashes.
+The signing procedure is deterministic by specification and
+.Fn crypto_ed25519_sign
+follows this specification.
+However, someone with the private key can generate arbitrarily many
+valid, canonical, and different signatures of the same message.
+Because of this, never assume that signatures are unique.
+.Ss Fault injection and power analysis
+Fault injection (also known as glitching) and power analysis may be used
+to manipulate the resulting signature and recover the secret key in
+some cases.
+This requires hardware access.
+We can try to mitigate this attack by prefixing all hashes a random data
+block,
+in a construction similar to Ed25519ctx.
+Note that there may still be other power-related side channels (such as
+if the CPU leaks information when an operation overflows a register)
+that must be considered.
.Fn crypto_eddsa_key_pair
replaced
.Fn crypto_sign_public_key .
+.Sh CAVEATS
+Monocypher does not perform any input validation.
+Any deviation from the specified input and output length ranges results
+in
+.Sy undefined behaviour .
+Make sure your inputs are correct.
.Sh SECURITY CONSIDERATIONS
.Ss Signature malleability
Signature malleability is the ability of an attacker to produce a valid
and
.Fn crypto_elligator_key_pair
respectively.
+.Sh CAVEATS
+Monocypher does not perform any input validation.
+Any deviation from the specified input and output length ranges results
+in
+.Sy undefined behaviour .
+Make sure your inputs are correct.
.Sh SECURITY CONSIDERATIONS
The secret keys for the public keys fed into
.Fn crypto_elligator_rev
functions first appeared in Monocypher 0.1.
.Fn crypto_poly1305
first appeared in Monocypher 1.1.0.
+.Sh CAVEATS
+Monocypher does not perform any input validation.
+Any deviation from the specified input and output length ranges results
+in
+.Sy undefined behaviour .
+Make sure your inputs are correct.
.Sh SECURITY CONSIDERATIONS
Poly1305 is difficult to use correctly.
Do not use it unless you are absolutely sure what you are doing.
and
.Fn crypto_sha512_hkdf_expand
were added in Monocypher 4.0.0.
+.Sh CAVEATS
+Monocypher does not perform any input validation.
+Any deviation from the specified input and output length ranges results
+in
+.Sy undefined behaviour .
+Make sure your inputs are correct.
.Sh SECURITY CONSIDERATIONS
SHA-512 is a general-purpose cryptographic hash function;
this means that it is not suited for hashing passwords and deriving
and
.Fn crypto_zerocmp
functions that were present until Monocypher 1.0.1.
+.Sh CAVEATS
+Monocypher does not perform any input validation.
+Any deviation from the specified input and output length ranges results
+in
+.Sy undefined behaviour .
+Make sure your inputs are correct.
The
.Fn crypto_wipe
function first appeared in Monocypher 1.1.0.
+.Sh CAVEATS
+Monocypher does not perform any input validation.
+Any deviation from the specified input and output length ranges results
+in
+.Sy undefined behaviour .
+Make sure your inputs are correct.
and
.Fn crypto_x25519_to_eddsa
functions first appeared in Monocypher 3.1.0.
+.Sh CAVEATS
+Monocypher does not perform any input validation.
+Any deviation from the specified input and output length ranges results
+in
+.Sy undefined behaviour .
+Make sure your inputs are correct.
.Sh SECURITY CONSIDERATIONS
If either of the long-term secret keys leaks, it may compromise
.Em all past messages .
.Xr crypto_sha512_hmac_update 3monocypher ,
.Xr crypto_sha512_init 3monocypher ,
.Xr crypto_sha512_update 3monocypher
+.Sh CAVEATS
+Monocypher does not perform any input validation.
+Any deviation from the specified input and output length ranges results
+in
+.Sy undefined behaviour .
+Make sure your inputs are correct.
.Sh SECURITY CONSIDERATIONS
Using cryptography securely is difficult.
Flaws that never manifest under normal use might be exploited by a
projects / Monocypher.git / commitdiff