Skip to content

Latest commit

 

History

History
46 lines (30 loc) · 2.54 KB

README.md

File metadata and controls

46 lines (30 loc) · 2.54 KB

Daence

Crates.io Docs.rs MIT licensed

Here lies an implementation of "Deterministic Authenticated Encryption with no noNCEnse" by Taylor ‘Riastradh’ Campbell.

Security Warning

No security audits of this crate have ever been performed, and it has not been thoroughly assessed to ensure its operation is constant-time on common CPU architectures.

USE AT YOUR OWN RISK!

Description

Rumor has it that this AEAD construct thrives in abscence of nonces.

That property, combined with a tag size of only 12 bytes, allows using it for extremely size-constrained messages.

It seems like it works, I am going to use it, and so can you.

Notably, at the time of writing, it is probably as constant-time as the underlying poly1305::Poly1305, chacha20::hchacha, chacha20::XChaCha20 and <[u8] as subtle::ConstantTimeEq>::ct_eq.
There is no flow control, and all of these get called on the entire relevant portions of the data for any and all keys, additional data, cyphertext, and tag.

⚠ That said, neither this implementation, nor the original specification have been sufficiently peer reviewed, and using this today may be unreasonable for many usecases. ⚠
I personally have several questions for the specification...
If you have the space for it, you may want to use AES-GCM-SIV. If you additionaly have a source of nonces, and are confident they will not be reused, you may use ChaCha20Poly1305.

Currently, only the later XChaCha20 (as opposed to the Salsa20) variant is implemented.

Contributions are welcome, including documentation, benchmarks, and especially implementing the aead traits.

License

This project is licensed under the MIT license.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in Daencezs by you, shall be licensed as MIT, without any additional terms or conditions.