diff --git a/.github/workflows/managed.yml b/.github/workflows/managed.yml index 446ae48..85c9304 100644 --- a/.github/workflows/managed.yml +++ b/.github/workflows/managed.yml @@ -14,15 +14,15 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: submodules: true fetch-depth: 0 - - name: Install .NET 6.0 - uses: actions/setup-dotnet@v1 + - name: Install .NET 8.0 + uses: actions/setup-dotnet@v4 with: - dotnet-version: '6.0.x' + dotnet-version: '8.0.x' - name: Build, Test, Pack, Publish shell: bash diff --git a/.github/workflows/native.yml b/.github/workflows/native.yml index c4b0b97..a4b688f 100644 --- a/.github/workflows/native.yml +++ b/.github/workflows/native.yml @@ -20,7 +20,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Checkout - uses: actions/checkout@v1 + uses: actions/checkout@v3 with: submodules: recursive - name: Setup Linux diff --git a/ext/Monocypher b/ext/Monocypher index baca5d3..0d85f98 160000 --- a/ext/Monocypher +++ b/ext/Monocypher @@ -1 +1 @@ -Subproject commit baca5d31259c598540e4d1284bc8d8f793abf83a +Subproject commit 0d85f98c9d9b0227e42cf795cb527dff372b40a4 diff --git a/license.txt b/license.txt index 8662fe2..6a8db61 100644 --- a/license.txt +++ b/license.txt @@ -1,4 +1,4 @@ -Copyright (c) 2021, Alexandre Mutel +Copyright (c) 2021-2024, Alexandre Mutel All rights reserved. Redistribution and use in source and binary forms, with or without modification @@ -25,7 +25,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > Monocypher.NET is a simple managed wrapper around https://github.com/LoupVaillant/Monocypher > which comes with the following license: -Copyright (c) 2017-2020, Loup Vaillant +Copyright (c) 2017-2024, Loup Vaillant Copyright (c) 2017-2019, Michael Savage Copyright (c) 2017-2020, Fabio Scotoni All rights reserved. diff --git a/readme.md b/readme.md index 4a3772f..5765b75 100644 --- a/readme.md +++ b/readme.md @@ -4,7 +4,7 @@ Monocypher.NET is a managed wrapper around [Monocypher](https://github.com/LoupVaillant/Monocypher) cryptographic library. -> The current _native_ version of Monocypher used by Monocypher.NET is `3.1.2` +> The current _native_ version of Monocypher used by Monocypher.NET is `4.0.2` ## Features - Provides the entire native Monocypher API in an efficient 1-to-1 mapping: @@ -46,7 +46,7 @@ RNGCryptoServiceProvider.Fill(key); Span nonce = stackalloc byte[24]; RNGCryptoServiceProvider.Fill(nonce); -crypto_lock(mac, cipherText, key, nonce, inputText); +crypto_aead_lock(cipherText, mac, key, nonce, ReadOnlySpan.Empty, inputText); // mac contains the authenticated code // cipherText contains the encrypted message @@ -92,7 +92,7 @@ That being said, if you are building an IoT project using the C Monocypher and y ## How to Build? -You need to install the [.NET 6 SDK](https://dotnet.microsoft.com/download/dotnet/6.0). Then from the root folder: +You need to install the [.NET 8 SDK](https://dotnet.microsoft.com/download/dotnet/8.0). Then from the root folder: ```console $ dotnet build src -c Release diff --git a/src/Monocypher.CodeGen/Monocypher.CodeGen.csproj b/src/Monocypher.CodeGen/Monocypher.CodeGen.csproj index 747cbb4..44dd459 100644 --- a/src/Monocypher.CodeGen/Monocypher.CodeGen.csproj +++ b/src/Monocypher.CodeGen/Monocypher.CodeGen.csproj @@ -2,15 +2,15 @@ Exe - net6.0 + net8.0 $(NETCoreSdkRuntimeIdentifier) false - - + + diff --git a/src/Monocypher.CodeGen/Program.cs b/src/Monocypher.CodeGen/Program.cs index eb8aeac..8746f6b 100644 --- a/src/Monocypher.CodeGen/Program.cs +++ b/src/Monocypher.CodeGen/Program.cs @@ -67,6 +67,7 @@ public void GeneratePInvoke() { e => e.Map("crypto_blake2b_vtable").Discard(), e => e.Map("crypto_sha512_vtable").Discard(), + e => e.Map("crypto_argon2_no_extras").Discard(), } }; csOptions.Plugins.Insert(0, new FixedArrayTypeConverter()); diff --git a/src/Monocypher.Tests/Monocypher.Tests.csproj b/src/Monocypher.Tests/Monocypher.Tests.csproj index 0d5db5a..4354cf4 100644 --- a/src/Monocypher.Tests/Monocypher.Tests.csproj +++ b/src/Monocypher.Tests/Monocypher.Tests.csproj @@ -1,19 +1,25 @@  - net6.0 + net8.0 false true $(NETCoreSdkRuntimeIdentifier) - - - + + + PreserveNewest + + + + + + diff --git a/src/Monocypher.Tests/Tests.cs b/src/Monocypher.Tests/Tests.cs index d0a340e..529a89e 100644 --- a/src/Monocypher.Tests/Tests.cs +++ b/src/Monocypher.Tests/Tests.cs @@ -1,4 +1,5 @@ using System; +using System.ComponentModel; using System.Security.Cryptography; using System.Text; using NUnit.Framework; @@ -13,24 +14,23 @@ public class Tests public void SimpleBlake2Init() { crypto_blake2b_ctx ctx = default; - crypto_blake2b_init(ref ctx); + crypto_blake2b_init(ref ctx, 256); Assert.AreNotEqual(0, (int)ctx.hash_size.Value, "Invalid hash_size returned from blake2b_init"); } [Test] public void TestChaCha20() { - Span ciptherText = stackalloc byte[64]; + Span ciptherText = stackalloc byte[32]; Span key = new byte[32] { 0xee, 0xc7, 0xb5, 0x3d, 0x05, 0xd9, 0xcc, 0x81, 0x61, 0x84, 0xc4, 0x9f, 0x65, 0x2f, 0x37, 0x04, 0x70, 0xa4, 0x52, 0x22, 0xa5, 0xc7, 0x4d, 0xa4, 0x2e, 0x7f, 0x09, 0xd6, 0x86, 0x2d, 0x6d, 0xd0, }; - crypto_chacha20(ciptherText, key, new Byte8().AsReadOnlySpan()); - - Span expected = new byte[64] + crypto_chacha20_h(ciptherText, key, new Byte16().AsReadOnlySpan()); + + Span expected = new byte[32] { - 0x5a, 0x3c, 0x5c, 0xd2, 0x20, 0x8b, 0x75, 0x91, 0x66, 0xbd, 0x25, 0xa8, 0x45, 0xc8, 0xf3, 0xf8, 0x24, 0xe0, 0xdb, 0x9c, 0xfa, 0x1f, 0xb0, 0x14, 0x7d, 0x90, 0xbc, 0xf4, 0xaf, 0x8c, 0xd3, 0x79, 0xf0, 0xbf, 0x31, 0x2b, 0x04, - 0xd2, 0xa1, 0xbd, 0x48, 0xd3, 0x50, 0x17, 0xc7, 0x1f, 0x29, 0x52, 0x83, 0x71, 0xba, 0x8c, 0x95, 0xe5, 0xa4, 0x0c, 0x33, 0x59, 0x01, 0x20, 0x65, 0x8c, 0x15, 0x5a + 0xf5, 0xc3, 0xeb, 0x70, 0xb2, 0x26, 0x55, 0x5e, 0x34, 0x90, 0xc3, 0x2e, 0xd1, 0x62, 0xd3, 0x8d, 0x83, 0x71, 0xba, 0x8c, 0x95, 0xe5, 0xa4, 0x0c, 0x33, 0x59, 0x01, 0x20, 0x65, 0x8c, 0x15, 0x5a }; Console.WriteLine(ciptherText.ToHexBytes()); @@ -54,7 +54,7 @@ public void CryptoLockUnlock() Span nonce = stackalloc byte[24]; RandomNumberGenerator.Fill(nonce); - crypto_lock(mac, cipherText, key, nonce, inputText); + crypto_aead_lock(cipherText, mac, key, nonce, ReadOnlySpan.Empty, inputText); var builder = new StringBuilder(); @@ -69,7 +69,7 @@ public void CryptoLockUnlock() // Verify that we get the same output from unlock Span outputText = stackalloc byte[16]; - crypto_unlock(outputText, key, nonce, mac, cipherText); + crypto_aead_unlock(outputText, mac, key, nonce, ReadOnlySpan.Empty, cipherText); Assert.True(outputText.SequenceEqual(inputText), "crypto_unlock failed. Spans are different"); } diff --git a/src/Monocypher/Monocypher.cs b/src/Monocypher/Monocypher.cs index a855b0b..d35d642 100644 --- a/src/Monocypher/Monocypher.cs +++ b/src/Monocypher/Monocypher.cs @@ -508,133 +508,6 @@ public override string ToString() } } - /// - /// - /// These functions provide an interface for the Chacha20 encryption primitive. - ///
- /// - /// Chacha20 is a low-level primitive. Consider using authenticated encryption, - /// implemented by . - ///
- /// - /// This overrides considers plain_text input as if it was composed of all of input zero. - /// - /// - /// A 32-byte secret key. - /// A 8-byte buffer. An 8-byte or 24-byte number, used only once with any given key. It does - /// not need to be secret or random, but it does have to be unique. Repeating - /// a nonce with the same key reveals the XOR of two different messages, which - /// allows decryption. 24-byte nonces can be selected at random. 8-byte nonces - /// cannot. They are too small, and the same - /// nonce may be selected twice by accident. See - /// intro(3monocypher) for advice about - /// generating random numbers (use the operating system's random number - /// generator). - /// The encrypted message. - public static unsafe void crypto_chacha20(Span cipher_text, ReadOnlySpan key, ReadOnlySpan nonce) - { - ExpectSize32(nameof(key), key.Length); - ExpectSize8(nameof(nonce), nonce.Length); - fixed (void* cipher_text_ptr = cipher_text) - crypto_chacha20(new IntPtr(cipher_text_ptr), IntPtr.Zero, (Monocypher.size_t)cipher_text.Length, in key.AsByte32(), in nonce.AsByte8()); - } - - - /// - /// - /// These functions provide an interface for the Chacha20 encryption primitive. - ///
- /// - /// Chacha20 is a low-level primitive. Consider using authenticated encryption, - /// implemented by . - ///
- /// - /// This overrides considers plain_text input as if it was composed of all of input zero. - /// - /// - /// A 32-byte secret key. - /// A 24-byte buffer. An 8-byte or 24-byte number, used only once with any given key. It does - /// not need to be secret or random, but it does have to be unique. Repeating - /// a nonce with the same key reveals the XOR of two different messages, which - /// allows decryption. 24-byte nonces can be selected at random. 8-byte nonces - /// cannot. They are too small, and the same - /// nonce may be selected twice by accident. See - /// intro(3monocypher) for advice about - /// generating random numbers (use the operating system's random number - /// generator). - /// The encrypted message. - public static unsafe void crypto_xchacha20(Span cipher_text, ReadOnlySpan key, ReadOnlySpan nonce) - { - ExpectSize32(nameof(key), key.Length); - ExpectSize24(nameof(nonce), nonce.Length); - fixed (void* cipher_text_ptr = cipher_text) - crypto_xchacha20(new IntPtr(cipher_text_ptr), IntPtr.Zero, (Monocypher.size_t)cipher_text.Length, in key.AsByte32(), in nonce.AsByte24()); - } - - /// - /// - /// These functions provide an interface for the Chacha20 encryption primitive. - ///
- /// - /// Chacha20 is a low-level primitive. Consider using authenticated encryption, - /// implemented by . - ///
- /// - /// This overrides considers plain_text input as if it was composed of all of input zero. - /// - /// - /// A 32-byte secret key. - /// A 8-byte buffer. An 8-byte or 24-byte number, used only once with any given key. It does - /// not need to be secret or random, but it does have to be unique. Repeating - /// a nonce with the same key reveals the XOR of two different messages, which - /// allows decryption. 24-byte nonces can be selected at random. 8-byte nonces - /// cannot. They are too small, and the same - /// nonce may be selected twice by accident. See - /// intro(3monocypher) for advice about - /// generating random numbers (use the operating system's random number - /// generator). - /// The encrypted message. - /// The number of 64-byte blocks since the beginning of the stream. - public static unsafe ulong crypto_chacha20_ctr(Span cipher_text, ReadOnlySpan key, ReadOnlySpan nonce, ulong ctr) - { - ExpectSize32(nameof(key), key.Length); - ExpectSize8(nameof(nonce), nonce.Length); - fixed (void* cipher_text_ptr = cipher_text) - return crypto_chacha20_ctr(new IntPtr(cipher_text_ptr), IntPtr.Zero, (Monocypher.size_t)cipher_text.Length, in key.AsByte32(), in nonce.AsByte8(), ctr); - } - - /// - /// - /// These functions provide an interface for the Chacha20 encryption primitive. - ///
- /// - /// Chacha20 is a low-level primitive. Consider using authenticated encryption, - /// implemented by . - ///
- /// - /// This overrides considers plain_text input as if it was composed of all of input zero. - /// - /// - /// A 32-byte secret key. - /// A 24-byte buffer. An 8-byte or 24-byte number, used only once with any given key. It does - /// not need to be secret or random, but it does have to be unique. Repeating - /// a nonce with the same key reveals the XOR of two different messages, which - /// allows decryption. 24-byte nonces can be selected at random. 8-byte nonces - /// cannot. They are too small, and the same - /// nonce may be selected twice by accident. See - /// intro(3monocypher) for advice about - /// generating random numbers (use the operating system's random number - /// generator). - /// The encrypted message. - /// The number of 64-byte blocks since the beginning of the stream. - public static unsafe ulong crypto_xchacha20_ctr(Span cipher_text, ReadOnlySpan key, ReadOnlySpan nonce, ulong ctr) - { - ExpectSize32(nameof(key), key.Length); - ExpectSize24(nameof(nonce), nonce.Length); - fixed (void* cipher_text_ptr = cipher_text) - return crypto_xchacha20_ctr(new IntPtr(cipher_text_ptr), IntPtr.Zero, (Monocypher.size_t)cipher_text.Length, in key.AsByte32(), in nonce.AsByte24(), ctr); - } - [MethodImpl(MethodImplOptions.AggressiveInlining)] private static char ByteHighToHex(byte value) => HexBytes[(value >> 4) & 0x0F]; [MethodImpl(MethodImplOptions.AggressiveInlining)] diff --git a/src/Monocypher/Monocypher.csproj b/src/Monocypher/Monocypher.csproj index 8c9153d..ad07fca 100644 --- a/src/Monocypher/Monocypher.csproj +++ b/src/Monocypher/Monocypher.csproj @@ -25,7 +25,7 @@ - + @@ -36,18 +36,18 @@ - - + + - + all runtime; build; native; contentfiles; analyzers; buildtransitive - + diff --git a/src/Monocypher/Monocypher.generated.cs b/src/Monocypher/Monocypher.generated.cs index 9c4c7a9..c5c42fa 100644 --- a/src/Monocypher/Monocypher.generated.cs +++ b/src/Monocypher/Monocypher.generated.cs @@ -16,34 +16,38 @@ namespace Monocypher public static partial class Monocypher { /// - /// Vtable for EdDSA with a custom hash. - /// Instantiate it to define a custom hash. - /// Its size, contents, and layout, are part of the public API. + /// Authenticated stream + /// -------------------- /// [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi)] - public partial struct crypto_sign_vtable + public unsafe partial struct crypto_aead_ctx { - public Monocypher.crypto_sign_vtable.hash_delegate hash; + public ulong counter; - [UnmanagedFunctionPointer(CallingConvention.Cdecl)] - public delegate void hash_delegate(ref Byte64 hash, IntPtr message, Monocypher.size_t message_size); + public fixed byte key[32]; - public Monocypher.crypto_sign_vtable.init_delegate init; - - [UnmanagedFunctionPointer(CallingConvention.Cdecl)] - public delegate void init_delegate(IntPtr ctx); - - public Monocypher.crypto_sign_vtable.update_delegate update; + public fixed byte nonce[8]; + } + + /// + /// Incremental interface + /// + [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi)] + public unsafe partial struct crypto_blake2b_ctx + { + /// + /// Do not rely on the size or contents of this type, + /// for they may change without notice. + /// + public fixed ulong hash[8]; - [UnmanagedFunctionPointer(CallingConvention.Cdecl)] - public delegate void update_delegate(IntPtr ctx, IntPtr message, Monocypher.size_t message_size); + public fixed ulong input_offset[2]; - public Monocypher.crypto_sign_vtable.final_delegate final; + public fixed ulong input[16]; - [UnmanagedFunctionPointer(CallingConvention.Cdecl)] - public delegate void final_delegate(IntPtr ctx, ref Byte64 hash); + public Monocypher.size_t input_idx; - public Monocypher.size_t ctx_size; + public Monocypher.size_t hash_size; } #if NETSTANDARD2_0 @@ -74,74 +78,99 @@ public partial struct crypto_sign_vtable #endif - /// - /// Poly1305 - /// [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi)] - public unsafe partial struct crypto_poly1305_ctx + public partial struct crypto_argon2_config { /// - /// constant multiplier (from the secret key) + /// Argon2d, Argon2i, Argon2id /// - public fixed uint r[4]; + public uint algorithm; /// - /// accumulated hash + /// memory hardness, >= 8 * nb_lanes /// - public fixed uint h[5]; + public uint nb_blocks; /// - /// chunk of the message + /// CPU hardness, >= 1 (>= 3 recommended for Argon2i) /// - public fixed uint c[5]; + public uint nb_passes; /// - /// random number added at the end (from the secret key) + /// parallelism level (single threaded anyway) /// - public fixed uint pad[4]; + public uint nb_lanes; + } + + [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi)] + public partial struct crypto_argon2_inputs + { + public IntPtr pass; + + public IntPtr salt; + + public uint pass_size; /// - /// How many bytes are there in the chunk. + /// 16 bytes recommended /// - public Monocypher.size_t c_idx; + public uint salt_size; } - /// - /// Hash (Blake2b) - /// [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi)] - public unsafe partial struct crypto_blake2b_ctx + public partial struct crypto_argon2_extras { - public fixed ulong hash[8]; - - public fixed ulong input_offset[2]; + /// + /// may be NULL if no key + /// + public IntPtr key; - public fixed ulong input[16]; + /// + /// may be NULL if no additional data + /// + public IntPtr ad; - public Monocypher.size_t input_idx; + /// + /// 0 if no key (32 bytes recommended otherwise) + /// + public uint key_size; - public Monocypher.size_t hash_size; + /// + /// 0 if no additional data + /// + public uint ad_size; } /// - /// Signatures (EdDSA) + /// Incremental interface /// [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi)] - public unsafe partial struct crypto_sign_ctx_abstract + public unsafe partial struct crypto_poly1305_ctx { - public IntPtr hash; + /// + /// chunk of the message + /// + public fixed byte c[16]; - public fixed byte buf[96]; + /// + /// How many bytes are there in the chunk. + /// + public Monocypher.size_t c_idx; - public fixed byte pk[32]; - } - - [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi)] - public partial struct crypto_sign_ctx - { - public Monocypher.crypto_sign_ctx_abstract ctx; + /// + /// constant multiplier (from the secret key) + /// + public fixed uint r[4]; + + /// + /// random number added at the end (from the secret key) + /// + public fixed uint pad[4]; - public Monocypher.crypto_blake2b_ctx hash; + /// + /// accumulated hash + /// + public fixed uint h[5]; } /// @@ -161,117 +190,34 @@ public unsafe partial struct crypto_sha512_ctx } [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi)] - public unsafe partial struct crypto_hmac_sha512_ctx + public unsafe partial struct crypto_sha512_hmac_ctx { public fixed byte key[128]; public Monocypher.crypto_sha512_ctx ctx; } - [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi)] - public partial struct crypto_sign_ed25519_ctx - { - public Monocypher.crypto_sign_ctx_abstract ctx; - - public Monocypher.crypto_sha512_ctx hash; - } - - /// - /// Signatures (EdDSA) - /// - [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi)] - public readonly partial struct crypto_check_ctx_abstract : IEquatable - { - public crypto_check_ctx_abstract(Monocypher.crypto_sign_ctx_abstract value) => this.Value = value; - - public readonly Monocypher.crypto_sign_ctx_abstract Value; - - public bool Equals(crypto_check_ctx_abstract other) => Value.Equals(other.Value); - - public override bool Equals(object obj) => obj is crypto_check_ctx_abstract other && Equals(other); - - public override int GetHashCode() => Value.GetHashCode(); - - public override string ToString() => Value.ToString(); - - public static implicit operator Monocypher.crypto_sign_ctx_abstract(crypto_check_ctx_abstract from) => from.Value; - - public static implicit operator crypto_check_ctx_abstract(Monocypher.crypto_sign_ctx_abstract from) => new crypto_check_ctx_abstract(from); - - public static bool operator ==(crypto_check_ctx_abstract left, crypto_check_ctx_abstract right) => left.Equals(right); - - public static bool operator !=(crypto_check_ctx_abstract left, crypto_check_ctx_abstract right) => !left.Equals(right); - } - - [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi)] - public readonly partial struct crypto_check_ctx : IEquatable - { - public crypto_check_ctx(Monocypher.crypto_sign_ctx value) => this.Value = value; - - public readonly Monocypher.crypto_sign_ctx Value; - - public bool Equals(crypto_check_ctx other) => Value.Equals(other.Value); - - public override bool Equals(object obj) => obj is crypto_check_ctx other && Equals(other); - - public override int GetHashCode() => Value.GetHashCode(); - - public override string ToString() => Value.ToString(); - - public static implicit operator Monocypher.crypto_sign_ctx(crypto_check_ctx from) => from.Value; - - public static implicit operator crypto_check_ctx(Monocypher.crypto_sign_ctx from) => new crypto_check_ctx(from); - - public static bool operator ==(crypto_check_ctx left, crypto_check_ctx right) => left.Equals(right); - - public static bool operator !=(crypto_check_ctx left, crypto_check_ctx right) => !left.Equals(right); - } - - [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi)] - public readonly partial struct crypto_check_ed25519_ctx : IEquatable - { - public crypto_check_ed25519_ctx(Monocypher.crypto_sign_ed25519_ctx value) => this.Value = value; - - public readonly Monocypher.crypto_sign_ed25519_ctx Value; - - public bool Equals(crypto_check_ed25519_ctx other) => Value.Equals(other.Value); - - public override bool Equals(object obj) => obj is crypto_check_ed25519_ctx other && Equals(other); - - public override int GetHashCode() => Value.GetHashCode(); - - public override string ToString() => Value.ToString(); - - public static implicit operator Monocypher.crypto_sign_ed25519_ctx(crypto_check_ed25519_ctx from) => from.Value; - - public static implicit operator crypto_check_ed25519_ctx(Monocypher.crypto_sign_ed25519_ctx from) => new crypto_check_ed25519_ctx(from); - - public static bool operator ==(crypto_check_ed25519_ctx left, crypto_check_ed25519_ctx right) => left.Equals(right); - - public static bool operator !=(crypto_check_ed25519_ctx left, crypto_check_ed25519_ctx right) => !left.Equals(right); - } - /// /// /// Cryptographic operations often require comparison of secrets or values derived /// from secrets. Standard comparison functions like - /// memcmp() tend to exit when they find the - /// first difference, leaking information through timing differences. + /// memcmp(3) tend to exit when they find the first + /// difference, leaking information through timing differences. ///
/// /// As an example, say a message authentication code (MAC) is sent over the network /// along with a message, but the correct MAC is secret. If the attacker attempts /// a forgery, one does not want to reveal “your MAC is wrong, /// and it took 384 microseconds to tell”. If - /// the next attempt takes 462 microseconds instead, it tells the attacker they - /// just guessed a byte correctly. That way, an attacker can derive the correct - /// MAC byte by byte, and successfully forge a message. This has lead to practical - /// attacks in the past. + /// the next attempt takes 462 microseconds instead, it tells the attacker that + /// they just guessed a byte correctly. That way, an attacker can derive the + /// correct MAC byte by byte and successfully forge a message. This has led to + /// practical attacks in the past. ///
/// /// To avoid such catastrophic failure, /// (), - /// () and + /// (), and /// () provide comparison /// functions whose timing is independent from the content of their input. They /// compare the first 16, 32, or 64 bytes of the two byte arrays @@ -279,7 +225,7 @@ public partial struct crypto_sign_ed25519_ctx ///
/// /// When in doubt, prefer these functions over - /// memcmp(). + /// memcmp(3). /// /// /// A 16-byte buffer. See Monocypher manual for more details. @@ -291,23 +237,23 @@ public partial struct crypto_sign_ed25519_ctx /// /// Cryptographic operations often require comparison of secrets or values derived /// from secrets. Standard comparison functions like - /// memcmp() tend to exit when they find the - /// first difference, leaking information through timing differences. + /// memcmp(3) tend to exit when they find the first + /// difference, leaking information through timing differences. ///
/// /// As an example, say a message authentication code (MAC) is sent over the network /// along with a message, but the correct MAC is secret. If the attacker attempts /// a forgery, one does not want to reveal “your MAC is wrong, /// and it took 384 microseconds to tell”. If - /// the next attempt takes 462 microseconds instead, it tells the attacker they - /// just guessed a byte correctly. That way, an attacker can derive the correct - /// MAC byte by byte, and successfully forge a message. This has lead to practical - /// attacks in the past. + /// the next attempt takes 462 microseconds instead, it tells the attacker that + /// they just guessed a byte correctly. That way, an attacker can derive the + /// correct MAC byte by byte and successfully forge a message. This has led to + /// practical attacks in the past. ///
/// /// To avoid such catastrophic failure, /// (), - /// () and + /// (), and /// () provide comparison /// functions whose timing is independent from the content of their input. They /// compare the first 16, 32, or 64 bytes of the two byte arrays @@ -315,7 +261,7 @@ public partial struct crypto_sign_ed25519_ctx ///
/// /// When in doubt, prefer these functions over - /// memcmp(). + /// memcmp(3). /// /// /// A 16-byte buffer. See Monocypher manual for more details. @@ -328,35 +274,7 @@ public static unsafe int crypto_verify16(ReadOnlySpan a, ReadOnlySpan - /// - /// Cryptographic operations often require comparison of secrets or values derived - /// from secrets. Standard comparison functions like - /// memcmp() tend to exit when they find the - /// first difference, leaking information through timing differences. - ///
- /// - /// As an example, say a message authentication code (MAC) is sent over the network - /// along with a message, but the correct MAC is secret. If the attacker attempts - /// a forgery, one does not want to reveal “your MAC is wrong, - /// and it took 384 microseconds to tell”. If - /// the next attempt takes 462 microseconds instead, it tells the attacker they - /// just guessed a byte correctly. That way, an attacker can derive the correct - /// MAC byte by byte, and successfully forge a message. This has lead to practical - /// attacks in the past. - ///
- /// - /// To avoid such catastrophic failure, - /// (), - /// () and - /// () provide comparison - /// functions whose timing is independent from the content of their input. They - /// compare the first 16, 32, or 64 bytes of the two byte arrays - /// and . - ///
- /// - /// When in doubt, prefer these functions over - /// memcmp(). - /// + /// Function crypto_verify32 /// /// A 32-byte buffer. See Monocypher manual for more details. /// A 32-byte buffer. See Monocypher manual for more details. @@ -364,35 +282,7 @@ public static unsafe int crypto_verify16(ReadOnlySpan a, ReadOnlySpan - /// - /// Cryptographic operations often require comparison of secrets or values derived - /// from secrets. Standard comparison functions like - /// memcmp() tend to exit when they find the - /// first difference, leaking information through timing differences. - ///
- /// - /// As an example, say a message authentication code (MAC) is sent over the network - /// along with a message, but the correct MAC is secret. If the attacker attempts - /// a forgery, one does not want to reveal “your MAC is wrong, - /// and it took 384 microseconds to tell”. If - /// the next attempt takes 462 microseconds instead, it tells the attacker they - /// just guessed a byte correctly. That way, an attacker can derive the correct - /// MAC byte by byte, and successfully forge a message. This has lead to practical - /// attacks in the past. - ///
- /// - /// To avoid such catastrophic failure, - /// (), - /// () and - /// () provide comparison - /// functions whose timing is independent from the content of their input. They - /// compare the first 16, 32, or 64 bytes of the two byte arrays - /// and . - ///
- /// - /// When in doubt, prefer these functions over - /// memcmp(). - /// + /// Function crypto_verify32 /// /// A 32-byte buffer. See Monocypher manual for more details. /// A 32-byte buffer. See Monocypher manual for more details. @@ -404,35 +294,7 @@ public static unsafe int crypto_verify32(ReadOnlySpan a, ReadOnlySpan - /// - /// Cryptographic operations often require comparison of secrets or values derived - /// from secrets. Standard comparison functions like - /// memcmp() tend to exit when they find the - /// first difference, leaking information through timing differences. - ///
- /// - /// As an example, say a message authentication code (MAC) is sent over the network - /// along with a message, but the correct MAC is secret. If the attacker attempts - /// a forgery, one does not want to reveal “your MAC is wrong, - /// and it took 384 microseconds to tell”. If - /// the next attempt takes 462 microseconds instead, it tells the attacker they - /// just guessed a byte correctly. That way, an attacker can derive the correct - /// MAC byte by byte, and successfully forge a message. This has lead to practical - /// attacks in the past. - ///
- /// - /// To avoid such catastrophic failure, - /// (), - /// () and - /// () provide comparison - /// functions whose timing is independent from the content of their input. They - /// compare the first 16, 32, or 64 bytes of the two byte arrays - /// and . - ///
- /// - /// When in doubt, prefer these functions over - /// memcmp(). - /// + /// Function crypto_verify64 /// /// A 64-byte buffer. See Monocypher manual for more details. /// A 64-byte buffer. See Monocypher manual for more details. @@ -440,35 +302,7 @@ public static unsafe int crypto_verify32(ReadOnlySpan a, ReadOnlySpan - /// - /// Cryptographic operations often require comparison of secrets or values derived - /// from secrets. Standard comparison functions like - /// memcmp() tend to exit when they find the - /// first difference, leaking information through timing differences. - ///
- /// - /// As an example, say a message authentication code (MAC) is sent over the network - /// along with a message, but the correct MAC is secret. If the attacker attempts - /// a forgery, one does not want to reveal “your MAC is wrong, - /// and it took 384 microseconds to tell”. If - /// the next attempt takes 462 microseconds instead, it tells the attacker they - /// just guessed a byte correctly. That way, an attacker can derive the correct - /// MAC byte by byte, and successfully forge a message. This has lead to practical - /// attacks in the past. - ///
- /// - /// To avoid such catastrophic failure, - /// (), - /// () and - /// () provide comparison - /// functions whose timing is independent from the content of their input. They - /// compare the first 16, 32, or 64 bytes of the two byte arrays - /// and . - ///
- /// - /// When in doubt, prefer these functions over - /// memcmp(). - /// + /// Function crypto_verify64 /// /// A 64-byte buffer. See Monocypher manual for more details. /// A 64-byte buffer. See Monocypher manual for more details. @@ -485,9 +319,9 @@ public static unsafe int crypto_verify64(ReadOnlySpan a, ReadOnlySpan /// /// Sensitive data (such as cryptographic keys or secret plaintexts) should be - /// erased from memory as early as possible, to minimise the window in which it - /// can be leaked. Standard functions like memset and bzero are not safe to use, - /// as the compiler may decide they have no effect and optimise them out. + /// erased from memory as early as possible to minimise the window in which it can + /// be leaked. Standard functions like memset and bzero are not safe to use as the + /// compiler may decide they have no effect and optimise them out. ///
/// /// @@ -502,9 +336,9 @@ public static unsafe int crypto_verify64(ReadOnlySpan a, ReadOnlySpan /// /// Sensitive data (such as cryptographic keys or secret plaintexts) should be - /// erased from memory as early as possible, to minimise the window in which it - /// can be leaked. Standard functions like memset and bzero are not safe to use, - /// as the compiler may decide they have no effect and optimise them out. + /// erased from memory as early as possible to minimise the window in which it can + /// be leaked. Standard functions like memset and bzero are not safe to use as the + /// compiler may decide they have no effect and optimise them out. ///
/// /// @@ -516,549 +350,411 @@ public static unsafe void crypto_wipe(Span secret) } /// - /// () encrypts and authenticates a - /// plaintext. It can be decrypted by - /// (). + /// () encrypts and authenticates + /// a plaintext. It can be decrypted by + /// (). /// - /// A 32-byte session key, shared between the sender and the recipient. It - /// must be secret and random. Different methods can be used to produce and - /// exchange this key, such as Diffie-Hellman key exchange, password key + /// A 32-byte session key shared between the sender and the recipient. It must + /// be secret and random. Different methods can be used to produce and + /// exchange this key, such as Diffie-Hellman key exchange, password-based key /// derivation (the password must be communicated on a secure channel), or /// even meeting physically. See - /// for key - /// exchange, and for - /// password key derivation. + /// for a building + /// block for a key exchange protocol and + /// for password-based + /// key derivation. /// A 24-byte number, used only once with any given session key. It does not /// need to be secret or random, but it does have to be unique. /// Never use the same nonce twice with the same - /// key. This would reveal the XOR of 2 different messages, which allows - /// decryption and forgeries. The easiest (and recommended) way to generate + /// key. This would basically reveal the affected messages and leave you + /// vulnerable to forgeries. The easiest (and recommended) way to generate /// this nonce is to select it at random. See /// intro(3monocypher) about random number - /// generation (use your operating system's random number generator). - /// A 16-byte message authentication code (MAC), + /// generation (use your operating system's random number generator). + ///
+ /// + /// Note: () and + /// () use shorter + /// nonces (8 and 12 bytes respectively), which + /// cannot be selected at random without risking + /// a catastrophic reuse. For those shorter nonces, use a counter + /// instead. + /// A 16-byte message authentication code (MAC) /// that can only be produced by someone who knows the session key. This - /// guarantee cannot be upheld if a nonce has been reused with the session - /// key, because doing so allows the attacker to learn the authentication key + /// guarantee cannot be upheld if a nonce has been reused with the session key + /// because doing so allows the attacker to learn the authentication key /// associated with that nonce. The MAC is intended to be sent along with the /// ciphertext. + /// Additional data to authenticate. It will not + /// be encrypted. This is used to authenticate relevant data that cannot be + /// encrypted. May be NULL if + /// is zero. + /// Length of the additional data, in bytes. /// The secret message. Its contents will be kept hidden from attackers. Its - /// length however, will not. Be careful when + /// length, however, will not. Be careful when /// combining encryption with compression. See /// intro(3monocypher) for details. /// The encrypted message. /// Length of both , in bytes. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_lock(ref Byte16 mac, IntPtr cipher_text, in Byte32 key, in Byte24 nonce, IntPtr plain_text, Monocypher.size_t text_size); + public static extern void crypto_aead_lock(IntPtr cipher_text, ref Byte16 mac, in Byte32 key, in Byte24 nonce, IntPtr ad, Monocypher.size_t ad_size, IntPtr plain_text, Monocypher.size_t text_size); /// - /// () encrypts and authenticates a - /// plaintext. It can be decrypted by - /// (). + /// () encrypts and authenticates + /// a plaintext. It can be decrypted by + /// (). /// - /// A 32-byte session key, shared between the sender and the recipient. It - /// must be secret and random. Different methods can be used to produce and - /// exchange this key, such as Diffie-Hellman key exchange, password key + /// A 32-byte session key shared between the sender and the recipient. It must + /// be secret and random. Different methods can be used to produce and + /// exchange this key, such as Diffie-Hellman key exchange, password-based key /// derivation (the password must be communicated on a secure channel), or /// even meeting physically. See - /// for key - /// exchange, and for - /// password key derivation. + /// for a building + /// block for a key exchange protocol and + /// for password-based + /// key derivation. /// A 24-byte number, used only once with any given session key. It does not /// need to be secret or random, but it does have to be unique. /// Never use the same nonce twice with the same - /// key. This would reveal the XOR of 2 different messages, which allows - /// decryption and forgeries. The easiest (and recommended) way to generate + /// key. This would basically reveal the affected messages and leave you + /// vulnerable to forgeries. The easiest (and recommended) way to generate /// this nonce is to select it at random. See /// intro(3monocypher) about random number - /// generation (use your operating system's random number generator). - /// A 16-byte message authentication code (MAC), + /// generation (use your operating system's random number generator). + ///
+ /// + /// Note: () and + /// () use shorter + /// nonces (8 and 12 bytes respectively), which + /// cannot be selected at random without risking + /// a catastrophic reuse. For those shorter nonces, use a counter + /// instead. + /// A 16-byte message authentication code (MAC) /// that can only be produced by someone who knows the session key. This - /// guarantee cannot be upheld if a nonce has been reused with the session - /// key, because doing so allows the attacker to learn the authentication key + /// guarantee cannot be upheld if a nonce has been reused with the session key + /// because doing so allows the attacker to learn the authentication key /// associated with that nonce. The MAC is intended to be sent along with the /// ciphertext. + /// Additional data to authenticate. It will not + /// be encrypted. This is used to authenticate relevant data that cannot be + /// encrypted. May be NULL if + /// is zero. /// The secret message. Its contents will be kept hidden from attackers. Its - /// length however, will not. Be careful when + /// length, however, will not. Be careful when /// combining encryption with compression. See /// intro(3monocypher) for details. /// The encrypted message. - public static unsafe void crypto_lock(Span mac, Span cipher_text, ReadOnlySpan key, ReadOnlySpan nonce, ReadOnlySpan plain_text) + public static unsafe void crypto_aead_lock(Span cipher_text, Span mac, ReadOnlySpan key, ReadOnlySpan nonce, ReadOnlySpan ad, ReadOnlySpan plain_text) { - ExpectSize16(nameof(mac), mac.Length); ExpectSameBufferSize(nameof(cipher_text), cipher_text.Length, nameof(plain_text), plain_text.Length); + ExpectSize16(nameof(mac), mac.Length); ExpectSize32(nameof(key), key.Length); ExpectSize24(nameof(nonce), nonce.Length); fixed(void* cipher_text_ptr = cipher_text) + fixed(void* ad_ptr = ad) fixed(void* plain_text_ptr = plain_text) - crypto_lock(ref mac.AsByte16(), new IntPtr(cipher_text_ptr), in key.AsByte32(), in nonce.AsByte24(), new IntPtr(plain_text_ptr), (Monocypher.size_t)cipher_text.Length); + crypto_aead_lock(new IntPtr(cipher_text_ptr), ref mac.AsByte16(), in key.AsByte32(), in nonce.AsByte24(), new IntPtr(ad_ptr), (Monocypher.size_t)ad.Length, new IntPtr(plain_text_ptr), (Monocypher.size_t)cipher_text.Length); } /// - /// () encrypts and authenticates a - /// plaintext. It can be decrypted by - /// (). + /// Function crypto_aead_unlock /// - /// A 32-byte session key, shared between the sender and the recipient. It - /// must be secret and random. Different methods can be used to produce and - /// exchange this key, such as Diffie-Hellman key exchange, password key - /// derivation (the password must be communicated on a secure channel), or - /// even meeting physically. See - /// for key - /// exchange, and for - /// password key derivation. - /// A 24-byte number, used only once with any given session key. It does not - /// need to be secret or random, but it does have to be unique. - /// Never use the same nonce twice with the same - /// key. This would reveal the XOR of 2 different messages, which allows - /// decryption and forgeries. The easiest (and recommended) way to generate - /// this nonce is to select it at random. See - /// intro(3monocypher) about random number - /// generation (use your operating system's random number generator). - /// A 16-byte message authentication code (MAC), - /// that can only be produced by someone who knows the session key. This - /// guarantee cannot be upheld if a nonce has been reused with the session - /// key, because doing so allows the attacker to learn the authentication key - /// associated with that nonce. The MAC is intended to be sent along with the - /// ciphertext. - /// The secret message. Its contents will be kept hidden from attackers. Its - /// length however, will not. Be careful when - /// combining encryption with compression. See - /// intro(3monocypher) for details. - /// The encrypted message. - /// Length of both , in bytes. + /// See Monocypher manual for more details. + /// A 16-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 24-byte buffer. See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern int crypto_unlock(IntPtr plain_text, in Byte32 key, in Byte24 nonce, in Byte16 mac, IntPtr cipher_text, Monocypher.size_t text_size); + public static extern int crypto_aead_unlock(IntPtr plain_text, in Byte16 mac, in Byte32 key, in Byte24 nonce, IntPtr ad, Monocypher.size_t ad_size, IntPtr cipher_text, Monocypher.size_t text_size); /// - /// () encrypts and authenticates a - /// plaintext. It can be decrypted by - /// (). + /// Function crypto_aead_unlock /// - /// A 32-byte session key, shared between the sender and the recipient. It - /// must be secret and random. Different methods can be used to produce and - /// exchange this key, such as Diffie-Hellman key exchange, password key - /// derivation (the password must be communicated on a secure channel), or - /// even meeting physically. See - /// for key - /// exchange, and for - /// password key derivation. - /// A 24-byte number, used only once with any given session key. It does not - /// need to be secret or random, but it does have to be unique. - /// Never use the same nonce twice with the same - /// key. This would reveal the XOR of 2 different messages, which allows - /// decryption and forgeries. The easiest (and recommended) way to generate - /// this nonce is to select it at random. See - /// intro(3monocypher) about random number - /// generation (use your operating system's random number generator). - /// A 16-byte message authentication code (MAC), - /// that can only be produced by someone who knows the session key. This - /// guarantee cannot be upheld if a nonce has been reused with the session - /// key, because doing so allows the attacker to learn the authentication key - /// associated with that nonce. The MAC is intended to be sent along with the - /// ciphertext. - /// The secret message. Its contents will be kept hidden from attackers. Its - /// length however, will not. Be careful when - /// combining encryption with compression. See - /// intro(3monocypher) for details. - /// The encrypted message. - public static unsafe int crypto_unlock(Span plain_text, ReadOnlySpan key, ReadOnlySpan nonce, ReadOnlySpan mac, ReadOnlySpan cipher_text) - { - ExpectSameBufferSize(nameof(plain_text), plain_text.Length, nameof(cipher_text), cipher_text.Length); + /// See Monocypher manual for more details. + /// A 16-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 24-byte buffer. See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + public static unsafe int crypto_aead_unlock(Span plain_text, ReadOnlySpan mac, ReadOnlySpan key, ReadOnlySpan nonce, ReadOnlySpan ad, ReadOnlySpan cipher_text) + { + ExpectSameBufferSize(nameof(plain_text), plain_text.Length, nameof(cipher_text), cipher_text.Length); + ExpectSize16(nameof(mac), mac.Length); ExpectSize32(nameof(key), key.Length); ExpectSize24(nameof(nonce), nonce.Length); - ExpectSize16(nameof(mac), mac.Length); fixed(void* plain_text_ptr = plain_text) + fixed(void* ad_ptr = ad) fixed(void* cipher_text_ptr = cipher_text) - return crypto_unlock(new IntPtr(plain_text_ptr), in key.AsByte32(), in nonce.AsByte24(), in mac.AsByte16(), new IntPtr(cipher_text_ptr), (Monocypher.size_t)plain_text.Length); + return crypto_aead_unlock(new IntPtr(plain_text_ptr), in mac.AsByte16(), in key.AsByte32(), in nonce.AsByte24(), new IntPtr(ad_ptr), (Monocypher.size_t)ad.Length, new IntPtr(cipher_text_ptr), (Monocypher.size_t)plain_text.Length); } /// - /// () encrypts and authenticates a - /// plaintext. It can be decrypted by - /// (). + /// Function crypto_aead_init_x /// - /// A 32-byte session key, shared between the sender and the recipient. It - /// must be secret and random. Different methods can be used to produce and - /// exchange this key, such as Diffie-Hellman key exchange, password key - /// derivation (the password must be communicated on a secure channel), or - /// even meeting physically. See - /// for key - /// exchange, and for - /// password key derivation. - /// A 24-byte number, used only once with any given session key. It does not - /// need to be secret or random, but it does have to be unique. - /// Never use the same nonce twice with the same - /// key. This would reveal the XOR of 2 different messages, which allows - /// decryption and forgeries. The easiest (and recommended) way to generate - /// this nonce is to select it at random. See - /// intro(3monocypher) about random number - /// generation (use your operating system's random number generator). - /// A 16-byte message authentication code (MAC), - /// that can only be produced by someone who knows the session key. This - /// guarantee cannot be upheld if a nonce has been reused with the session - /// key, because doing so allows the attacker to learn the authentication key - /// associated with that nonce. The MAC is intended to be sent along with the - /// ciphertext. - /// The secret message. Its contents will be kept hidden from attackers. Its - /// length however, will not. Be careful when - /// combining encryption with compression. See - /// intro(3monocypher) for details. - /// The encrypted message. - /// Length of both , in bytes. + /// See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 24-byte buffer. See Monocypher manual for more details. + [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] + public static extern void crypto_aead_init_x(ref Monocypher.crypto_aead_ctx ctx, in Byte32 key, in Byte24 nonce); + + /// + /// Function crypto_aead_init_x + /// + /// See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 24-byte buffer. See Monocypher manual for more details. + public static unsafe void crypto_aead_init_x(ref Monocypher.crypto_aead_ctx ctx, ReadOnlySpan key, ReadOnlySpan nonce) + { + ExpectSize32(nameof(key), key.Length); + ExpectSize24(nameof(nonce), nonce.Length); + crypto_aead_init_x(ref ctx, in key.AsByte32(), in nonce.AsByte24()); + } + + /// + /// Function crypto_aead_init_djb + /// + /// See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 8-byte buffer. See Monocypher manual for more details. + [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] + public static extern void crypto_aead_init_djb(ref Monocypher.crypto_aead_ctx ctx, in Byte32 key, in Byte8 nonce); + + /// + /// Function crypto_aead_init_djb + /// + /// See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 8-byte buffer. See Monocypher manual for more details. + public static unsafe void crypto_aead_init_djb(ref Monocypher.crypto_aead_ctx ctx, ReadOnlySpan key, ReadOnlySpan nonce) + { + ExpectSize32(nameof(key), key.Length); + ExpectSize8(nameof(nonce), nonce.Length); + crypto_aead_init_djb(ref ctx, in key.AsByte32(), in nonce.AsByte8()); + } + + /// + /// Function crypto_aead_init_ietf + /// + /// See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 12-byte buffer. See Monocypher manual for more details. + [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] + public static extern void crypto_aead_init_ietf(ref Monocypher.crypto_aead_ctx ctx, in Byte32 key, in Byte12 nonce); + + /// + /// Function crypto_aead_init_ietf + /// + /// See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 12-byte buffer. See Monocypher manual for more details. + public static unsafe void crypto_aead_init_ietf(ref Monocypher.crypto_aead_ctx ctx, ReadOnlySpan key, ReadOnlySpan nonce) + { + ExpectSize32(nameof(key), key.Length); + ExpectSize12(nameof(nonce), nonce.Length); + crypto_aead_init_ietf(ref ctx, in key.AsByte32(), in nonce.AsByte12()); + } + + /// + /// Function crypto_aead_write + /// + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// A 16-byte buffer. See Monocypher manual for more details. /// See Monocypher manual for more details. /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_lock_aead(ref Byte16 mac, IntPtr cipher_text, in Byte32 key, in Byte24 nonce, IntPtr ad, Monocypher.size_t ad_size, IntPtr plain_text, Monocypher.size_t text_size); + public static extern void crypto_aead_write(ref Monocypher.crypto_aead_ctx ctx, IntPtr cipher_text, ref Byte16 mac, IntPtr ad, Monocypher.size_t ad_size, IntPtr plain_text, Monocypher.size_t text_size); /// - /// () encrypts and authenticates a - /// plaintext. It can be decrypted by - /// (). + /// Function crypto_aead_write /// - /// A 32-byte session key, shared between the sender and the recipient. It - /// must be secret and random. Different methods can be used to produce and - /// exchange this key, such as Diffie-Hellman key exchange, password key - /// derivation (the password must be communicated on a secure channel), or - /// even meeting physically. See - /// for key - /// exchange, and for - /// password key derivation. - /// A 24-byte number, used only once with any given session key. It does not - /// need to be secret or random, but it does have to be unique. - /// Never use the same nonce twice with the same - /// key. This would reveal the XOR of 2 different messages, which allows - /// decryption and forgeries. The easiest (and recommended) way to generate - /// this nonce is to select it at random. See - /// intro(3monocypher) about random number - /// generation (use your operating system's random number generator). - /// A 16-byte message authentication code (MAC), - /// that can only be produced by someone who knows the session key. This - /// guarantee cannot be upheld if a nonce has been reused with the session - /// key, because doing so allows the attacker to learn the authentication key - /// associated with that nonce. The MAC is intended to be sent along with the - /// ciphertext. - /// The secret message. Its contents will be kept hidden from attackers. Its - /// length however, will not. Be careful when - /// combining encryption with compression. See - /// intro(3monocypher) for details. - /// The encrypted message. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// A 16-byte buffer. See Monocypher manual for more details. /// See Monocypher manual for more details. - public static unsafe void crypto_lock_aead(Span mac, Span cipher_text, ReadOnlySpan key, ReadOnlySpan nonce, ReadOnlySpan ad, ReadOnlySpan plain_text) + /// See Monocypher manual for more details. + public static unsafe void crypto_aead_write(ref Monocypher.crypto_aead_ctx ctx, Span cipher_text, Span mac, ReadOnlySpan ad, ReadOnlySpan plain_text) { - ExpectSize16(nameof(mac), mac.Length); ExpectSameBufferSize(nameof(cipher_text), cipher_text.Length, nameof(plain_text), plain_text.Length); - ExpectSize32(nameof(key), key.Length); - ExpectSize24(nameof(nonce), nonce.Length); + ExpectSize16(nameof(mac), mac.Length); fixed(void* cipher_text_ptr = cipher_text) fixed(void* ad_ptr = ad) fixed(void* plain_text_ptr = plain_text) - crypto_lock_aead(ref mac.AsByte16(), new IntPtr(cipher_text_ptr), in key.AsByte32(), in nonce.AsByte24(), new IntPtr(ad_ptr), (Monocypher.size_t)ad.Length, new IntPtr(plain_text_ptr), (Monocypher.size_t)cipher_text.Length); + crypto_aead_write(ref ctx, new IntPtr(cipher_text_ptr), ref mac.AsByte16(), new IntPtr(ad_ptr), (Monocypher.size_t)ad.Length, new IntPtr(plain_text_ptr), (Monocypher.size_t)cipher_text.Length); } /// - /// () encrypts and authenticates a - /// plaintext. It can be decrypted by - /// (). + /// Function crypto_aead_read /// - /// A 32-byte session key, shared between the sender and the recipient. It - /// must be secret and random. Different methods can be used to produce and - /// exchange this key, such as Diffie-Hellman key exchange, password key - /// derivation (the password must be communicated on a secure channel), or - /// even meeting physically. See - /// for key - /// exchange, and for - /// password key derivation. - /// A 24-byte number, used only once with any given session key. It does not - /// need to be secret or random, but it does have to be unique. - /// Never use the same nonce twice with the same - /// key. This would reveal the XOR of 2 different messages, which allows - /// decryption and forgeries. The easiest (and recommended) way to generate - /// this nonce is to select it at random. See - /// intro(3monocypher) about random number - /// generation (use your operating system's random number generator). - /// A 16-byte message authentication code (MAC), - /// that can only be produced by someone who knows the session key. This - /// guarantee cannot be upheld if a nonce has been reused with the session - /// key, because doing so allows the attacker to learn the authentication key - /// associated with that nonce. The MAC is intended to be sent along with the - /// ciphertext. - /// The secret message. Its contents will be kept hidden from attackers. Its - /// length however, will not. Be careful when - /// combining encryption with compression. See - /// intro(3monocypher) for details. - /// The encrypted message. - /// Length of both , in bytes. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// A 16-byte buffer. See Monocypher manual for more details. /// See Monocypher manual for more details. /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern int crypto_unlock_aead(IntPtr plain_text, in Byte32 key, in Byte24 nonce, in Byte16 mac, IntPtr ad, Monocypher.size_t ad_size, IntPtr cipher_text, Monocypher.size_t text_size); + public static extern int crypto_aead_read(ref Monocypher.crypto_aead_ctx ctx, IntPtr plain_text, in Byte16 mac, IntPtr ad, Monocypher.size_t ad_size, IntPtr cipher_text, Monocypher.size_t text_size); /// - /// () encrypts and authenticates a - /// plaintext. It can be decrypted by - /// (). + /// Function crypto_aead_read /// - /// A 32-byte session key, shared between the sender and the recipient. It - /// must be secret and random. Different methods can be used to produce and - /// exchange this key, such as Diffie-Hellman key exchange, password key - /// derivation (the password must be communicated on a secure channel), or - /// even meeting physically. See - /// for key - /// exchange, and for - /// password key derivation. - /// A 24-byte number, used only once with any given session key. It does not - /// need to be secret or random, but it does have to be unique. - /// Never use the same nonce twice with the same - /// key. This would reveal the XOR of 2 different messages, which allows - /// decryption and forgeries. The easiest (and recommended) way to generate - /// this nonce is to select it at random. See - /// intro(3monocypher) about random number - /// generation (use your operating system's random number generator). - /// A 16-byte message authentication code (MAC), - /// that can only be produced by someone who knows the session key. This - /// guarantee cannot be upheld if a nonce has been reused with the session - /// key, because doing so allows the attacker to learn the authentication key - /// associated with that nonce. The MAC is intended to be sent along with the - /// ciphertext. - /// The secret message. Its contents will be kept hidden from attackers. Its - /// length however, will not. Be careful when - /// combining encryption with compression. See - /// intro(3monocypher) for details. - /// The encrypted message. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// A 16-byte buffer. See Monocypher manual for more details. /// See Monocypher manual for more details. - public static unsafe int crypto_unlock_aead(Span plain_text, ReadOnlySpan key, ReadOnlySpan nonce, ReadOnlySpan mac, ReadOnlySpan ad, ReadOnlySpan cipher_text) + /// See Monocypher manual for more details. + public static unsafe int crypto_aead_read(ref Monocypher.crypto_aead_ctx ctx, Span plain_text, ReadOnlySpan mac, ReadOnlySpan ad, ReadOnlySpan cipher_text) { ExpectSameBufferSize(nameof(plain_text), plain_text.Length, nameof(cipher_text), cipher_text.Length); - ExpectSize32(nameof(key), key.Length); - ExpectSize24(nameof(nonce), nonce.Length); ExpectSize16(nameof(mac), mac.Length); fixed(void* plain_text_ptr = plain_text) fixed(void* ad_ptr = ad) fixed(void* cipher_text_ptr = cipher_text) - return crypto_unlock_aead(new IntPtr(plain_text_ptr), in key.AsByte32(), in nonce.AsByte24(), in mac.AsByte16(), new IntPtr(ad_ptr), (Monocypher.size_t)ad.Length, new IntPtr(cipher_text_ptr), (Monocypher.size_t)plain_text.Length); + return crypto_aead_read(ref ctx, new IntPtr(plain_text_ptr), in mac.AsByte16(), new IntPtr(ad_ptr), (Monocypher.size_t)ad.Length, new IntPtr(cipher_text_ptr), (Monocypher.size_t)plain_text.Length); } /// - /// - /// BLAKE2b is a fast cryptographically secure hash, based on the ideas of Chacha20. - /// It is faster than MD5, yet just as secure as SHA-3. + /// Hashing(), + /// (), + /// (), and + /// () implement BLAKE2b, a + /// cryptographically secure hash based on the ideas of ChaCha20. It is faster + /// than MD5, yet just as secure as SHA-3. ///
/// /// Note that BLAKE2b itself is not suitable for hashing passwords and deriving keys - /// from them; use the + /// from them; use the /// family of functions for that purpose instead. ///
/// - /// BLAKE2b is immune to length extension attacks, and as such does not require any - /// specific precautions, such as using the HMAC algorithm. + /// While BLAKE2b is immune to length extension attacks, and as such requires fewer + /// precautions than older hashes, we do recommend avoiding prefix-MAC and using + /// keyed mode with () + /// instead. Doing so enables better security arguments when using BLAKE2b as a + /// random oracle. ///
/// /// - /// A 64-byte buffer. The output hash. + /// The output hash. + /// Length of , in bytes. Must be between + /// 1 and 64. Anything below 32 is discouraged when using BLAKE2b as a + /// general-purpose hash function. /// The message to hash. May overlap with /// . May be /// NULL if /// is 0. /// Length of , in bytes. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_blake2b(ref Byte64 hash, IntPtr message, Monocypher.size_t message_size); + public static extern void crypto_blake2b(IntPtr hash, Monocypher.size_t hash_size, IntPtr message, Monocypher.size_t message_size); /// - /// - /// BLAKE2b is a fast cryptographically secure hash, based on the ideas of Chacha20. - /// It is faster than MD5, yet just as secure as SHA-3. + /// Hashing(), + /// (), + /// (), and + /// () implement BLAKE2b, a + /// cryptographically secure hash based on the ideas of ChaCha20. It is faster + /// than MD5, yet just as secure as SHA-3. ///
/// /// Note that BLAKE2b itself is not suitable for hashing passwords and deriving keys - /// from them; use the + /// from them; use the /// family of functions for that purpose instead. ///
/// - /// BLAKE2b is immune to length extension attacks, and as such does not require any - /// specific precautions, such as using the HMAC algorithm. + /// While BLAKE2b is immune to length extension attacks, and as such requires fewer + /// precautions than older hashes, we do recommend avoiding prefix-MAC and using + /// keyed mode with () + /// instead. Doing so enables better security arguments when using BLAKE2b as a + /// random oracle. ///
/// /// - /// A 64-byte buffer. The output hash. + /// The output hash. /// The message to hash. May overlap with /// . May be /// NULL if /// is 0. public static unsafe void crypto_blake2b(Span hash, ReadOnlySpan message) { - ExpectSize64(nameof(hash), hash.Length); + fixed(void* hash_ptr = hash) fixed(void* message_ptr = message) - crypto_blake2b(ref hash.AsByte64(), new IntPtr(message_ptr), (Monocypher.size_t)message.Length); + crypto_blake2b(new IntPtr(hash_ptr), (Monocypher.size_t)hash.Length, new IntPtr(message_ptr), (Monocypher.size_t)message.Length); } /// - /// - /// BLAKE2b is a fast cryptographically secure hash, based on the ideas of Chacha20. - /// It is faster than MD5, yet just as secure as SHA-3. - ///
- /// - /// Note that BLAKE2b itself is not suitable for hashing passwords and deriving keys - /// from them; use the - /// family of functions for that purpose instead. - ///
- /// - /// BLAKE2b is immune to length extension attacks, and as such does not require any - /// specific precautions, such as using the HMAC algorithm. - ///
- /// + /// Function crypto_blake2b_keyed /// - /// The output hash. - /// Length of , in bytes. Must be between - /// 1 and 64. Anything below 32 is discouraged when using Blake2b as a - /// general-purpose hash function; anything below 16 is discouraged when using - /// Blake2b as a message authentication code. - /// Some secret key. One cannot predict the final hash without it. May be - /// NULL if - /// is 0, in which case no key is - /// used. Keys can be used to create a message authentication code (MAC). Use - /// , - /// , or - /// to compare MACs - /// created this way. Choose the size of the hash accordingly. Users may want - /// to wipe the key with - /// once they are done with it. - /// Length of , in bytes. Must be between - /// 0 and 64. 32 is a good default. - /// The message to hash. May overlap with - /// . May be - /// NULL if - /// is 0. - /// Length of , in bytes. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_blake2b_general(IntPtr hash, Monocypher.size_t hash_size, IntPtr key, Monocypher.size_t key_size, IntPtr message, Monocypher.size_t message_size); + public static extern void crypto_blake2b_keyed(IntPtr hash, Monocypher.size_t hash_size, IntPtr key, Monocypher.size_t key_size, IntPtr message, Monocypher.size_t message_size); /// - /// - /// BLAKE2b is a fast cryptographically secure hash, based on the ideas of Chacha20. - /// It is faster than MD5, yet just as secure as SHA-3. - ///
- /// - /// Note that BLAKE2b itself is not suitable for hashing passwords and deriving keys - /// from them; use the - /// family of functions for that purpose instead. - ///
- /// - /// BLAKE2b is immune to length extension attacks, and as such does not require any - /// specific precautions, such as using the HMAC algorithm. - ///
- /// + /// Function crypto_blake2b_keyed /// - /// The output hash. - /// Some secret key. One cannot predict the final hash without it. May be - /// NULL if - /// is 0, in which case no key is - /// used. Keys can be used to create a message authentication code (MAC). Use - /// , - /// , or - /// to compare MACs - /// created this way. Choose the size of the hash accordingly. Users may want - /// to wipe the key with - /// once they are done with it. - /// The message to hash. May overlap with - /// . May be - /// NULL if - /// is 0. - public static unsafe void crypto_blake2b_general(Span hash, ReadOnlySpan key, ReadOnlySpan message) + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + public static unsafe void crypto_blake2b_keyed(Span hash, ReadOnlySpan key, ReadOnlySpan message) { fixed(void* hash_ptr = hash) fixed(void* key_ptr = key) fixed(void* message_ptr = message) - crypto_blake2b_general(new IntPtr(hash_ptr), (Monocypher.size_t)hash.Length, new IntPtr(key_ptr), (Monocypher.size_t)key.Length, new IntPtr(message_ptr), (Monocypher.size_t)message.Length); + crypto_blake2b_keyed(new IntPtr(hash_ptr), (Monocypher.size_t)hash.Length, new IntPtr(key_ptr), (Monocypher.size_t)key.Length, new IntPtr(message_ptr), (Monocypher.size_t)message.Length); } /// - /// - /// BLAKE2b is a fast cryptographically secure hash, based on the ideas of Chacha20. - /// It is faster than MD5, yet just as secure as SHA-3. - ///
- /// - /// Note that BLAKE2b itself is not suitable for hashing passwords and deriving keys - /// from them; use the - /// family of functions for that purpose instead. - ///
- /// - /// BLAKE2b is immune to length extension attacks, and as such does not require any - /// specific precautions, such as using the HMAC algorithm. - ///
- /// + /// Function crypto_blake2b_init /// - /// The output hash. - /// Length of , in bytes. Must be between - /// 1 and 64. Anything below 32 is discouraged when using Blake2b as a - /// general-purpose hash function; anything below 16 is discouraged when using - /// Blake2b as a message authentication code. - /// Some secret key. One cannot predict the final hash without it. May be - /// NULL if - /// is 0, in which case no key is - /// used. Keys can be used to create a message authentication code (MAC). Use - /// , - /// , or - /// to compare MACs - /// created this way. Choose the size of the hash accordingly. Users may want - /// to wipe the key with - /// once they are done with it. - /// Length of , in bytes. Must be between - /// 0 and 64. 32 is a good default. - /// The message to hash. May overlap with - /// . May be - /// NULL if - /// is 0. - /// Length of , in bytes. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_blake2b_init(ref Monocypher.crypto_blake2b_ctx ctx); + public static extern void crypto_blake2b_init(ref Monocypher.crypto_blake2b_ctx ctx, Monocypher.size_t hash_size); /// - /// - /// BLAKE2b is a fast cryptographically secure hash, based on the ideas of Chacha20. - /// It is faster than MD5, yet just as secure as SHA-3. - ///
- /// - /// Note that BLAKE2b itself is not suitable for hashing passwords and deriving keys - /// from them; use the - /// family of functions for that purpose instead. - ///
- /// - /// BLAKE2b is immune to length extension attacks, and as such does not require any - /// specific precautions, such as using the HMAC algorithm. - ///
- /// + /// Function crypto_blake2b_keyed_init + /// + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] + public static extern void crypto_blake2b_keyed_init(ref Monocypher.crypto_blake2b_ctx ctx, Monocypher.size_t hash_size, IntPtr key, Monocypher.size_t key_size); + + /// + /// Function crypto_blake2b_keyed_init + /// + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + public static unsafe void crypto_blake2b_keyed_init(ref Monocypher.crypto_blake2b_ctx ctx, Monocypher.size_t hash_size, ReadOnlySpan key) + { + fixed(void* key_ptr = key) + crypto_blake2b_keyed_init(ref ctx, hash_size, new IntPtr(key_ptr), (Monocypher.size_t)key.Length); + } + + /// + /// Function crypto_blake2b_update /// - /// The message to hash. May overlap with - /// . May be - /// NULL if - /// is 0. - /// Length of , in bytes. /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] public static extern void crypto_blake2b_update(ref Monocypher.crypto_blake2b_ctx ctx, IntPtr message, Monocypher.size_t message_size); /// - /// - /// BLAKE2b is a fast cryptographically secure hash, based on the ideas of Chacha20. - /// It is faster than MD5, yet just as secure as SHA-3. - ///
- /// - /// Note that BLAKE2b itself is not suitable for hashing passwords and deriving keys - /// from them; use the - /// family of functions for that purpose instead. - ///
- /// - /// BLAKE2b is immune to length extension attacks, and as such does not require any - /// specific precautions, such as using the HMAC algorithm. - ///
- /// + /// Function crypto_blake2b_update /// - /// The message to hash. May overlap with - /// . May be - /// NULL if - /// is 0. /// See Monocypher manual for more details. + /// See Monocypher manual for more details. public static unsafe void crypto_blake2b_update(ref Monocypher.crypto_blake2b_ctx ctx, ReadOnlySpan message) { fixed(void* message_ptr = message) @@ -1066,44 +762,18 @@ public static unsafe void crypto_blake2b_update(ref Monocypher.crypto_blake2b_ct } /// - /// - /// BLAKE2b is a fast cryptographically secure hash, based on the ideas of Chacha20. - /// It is faster than MD5, yet just as secure as SHA-3. - ///
- /// - /// Note that BLAKE2b itself is not suitable for hashing passwords and deriving keys - /// from them; use the - /// family of functions for that purpose instead. - ///
- /// - /// BLAKE2b is immune to length extension attacks, and as such does not require any - /// specific precautions, such as using the HMAC algorithm. - ///
- /// + /// Function crypto_blake2b_final /// - /// The output hash. /// See Monocypher manual for more details. + /// See Monocypher manual for more details. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] public static extern void crypto_blake2b_final(ref Monocypher.crypto_blake2b_ctx ctx, IntPtr hash); /// - /// - /// BLAKE2b is a fast cryptographically secure hash, based on the ideas of Chacha20. - /// It is faster than MD5, yet just as secure as SHA-3. - ///
- /// - /// Note that BLAKE2b itself is not suitable for hashing passwords and deriving keys - /// from them; use the - /// family of functions for that purpose instead. - ///
- /// - /// BLAKE2b is immune to length extension attacks, and as such does not require any - /// specific precautions, such as using the HMAC algorithm. - ///
- /// + /// Function crypto_blake2b_final /// - /// The output hash. /// See Monocypher manual for more details. + /// See Monocypher manual for more details. public static unsafe void crypto_blake2b_final(ref Monocypher.crypto_blake2b_ctx ctx, Span hash) { fixed(void* hash_ptr = hash) @@ -1112,85 +782,12 @@ public static unsafe void crypto_blake2b_final(ref Monocypher.crypto_blake2b_ctx /// /// - /// BLAKE2b is a fast cryptographically secure hash, based on the ideas of Chacha20. - /// It is faster than MD5, yet just as secure as SHA-3. - ///
- /// - /// Note that BLAKE2b itself is not suitable for hashing passwords and deriving keys - /// from them; use the - /// family of functions for that purpose instead. - ///
- /// - /// BLAKE2b is immune to length extension attacks, and as such does not require any - /// specific precautions, such as using the HMAC algorithm. - ///
- /// - /// - /// Length of , in bytes. Must be between - /// 1 and 64. Anything below 32 is discouraged when using Blake2b as a - /// general-purpose hash function; anything below 16 is discouraged when using - /// Blake2b as a message authentication code. - /// Some secret key. One cannot predict the final hash without it. May be - /// NULL if - /// is 0, in which case no key is - /// used. Keys can be used to create a message authentication code (MAC). Use - /// , - /// , or - /// to compare MACs - /// created this way. Choose the size of the hash accordingly. Users may want - /// to wipe the key with - /// once they are done with it. - /// Length of , in bytes. Must be between - /// 0 and 64. 32 is a good default. - /// See Monocypher manual for more details. - [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_blake2b_general_init(ref Monocypher.crypto_blake2b_ctx ctx, Monocypher.size_t hash_size, IntPtr key, Monocypher.size_t key_size); - - /// - /// - /// BLAKE2b is a fast cryptographically secure hash, based on the ideas of Chacha20. - /// It is faster than MD5, yet just as secure as SHA-3. - ///
- /// - /// Note that BLAKE2b itself is not suitable for hashing passwords and deriving keys - /// from them; use the - /// family of functions for that purpose instead. - ///
- /// - /// BLAKE2b is immune to length extension attacks, and as such does not require any - /// specific precautions, such as using the HMAC algorithm. - ///
- /// - /// - /// Length of , in bytes. Must be between - /// 1 and 64. Anything below 32 is discouraged when using Blake2b as a - /// general-purpose hash function; anything below 16 is discouraged when using - /// Blake2b as a message authentication code. - /// Some secret key. One cannot predict the final hash without it. May be - /// NULL if - /// is 0, in which case no key is - /// used. Keys can be used to create a message authentication code (MAC). Use - /// , - /// , or - /// to compare MACs - /// created this way. Choose the size of the hash accordingly. Users may want - /// to wipe the key with - /// once they are done with it. - /// See Monocypher manual for more details. - public static unsafe void crypto_blake2b_general_init(ref Monocypher.crypto_blake2b_ctx ctx, Monocypher.size_t hash_size, ReadOnlySpan key) - { - fixed(void* key_ptr = key) - crypto_blake2b_general_init(ref ctx, hash_size, new IntPtr(key_ptr), (Monocypher.size_t)key.Length); - } - - /// - /// - /// Argon2i is a resource intensive password key derivation scheme optimised for the - /// typical x86-like processor. It runs in constant time with respect to the - /// contents of the password. + /// Argon2 is a resource intensive password-based key derivation scheme optimised + /// for the typical x86-like processor. It runs in constant time with respect to + /// the contents of the password. ///
/// - /// Typical applications are password checking (for online services), and key + /// Typical applications are password checking (for online services) and key /// derivation (for encryption). Derived keys can be used to encrypt, for example, /// private keys or password databases. ///
@@ -1203,23 +800,20 @@ public static unsafe void crypto_blake2b_general_init(ref Monocypher.crypto_blak /// See Monocypher manual for more details. /// See Monocypher manual for more details. /// See Monocypher manual for more details. - /// See Monocypher manual for more details. - /// See Monocypher manual for more details. - /// See Monocypher manual for more details. - /// See Monocypher manual for more details. - /// See Monocypher manual for more details. - /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_argon2i(IntPtr hash, uint hash_size, IntPtr work_area, uint nb_blocks, uint nb_iterations, IntPtr password, uint password_size, IntPtr salt, uint salt_size); + public static extern void crypto_argon2(IntPtr hash, uint hash_size, IntPtr work_area, Monocypher.crypto_argon2_config config, Monocypher.crypto_argon2_inputs inputs, Monocypher.crypto_argon2_extras extras); /// /// - /// Argon2i is a resource intensive password key derivation scheme optimised for the - /// typical x86-like processor. It runs in constant time with respect to the - /// contents of the password. + /// Argon2 is a resource intensive password-based key derivation scheme optimised + /// for the typical x86-like processor. It runs in constant time with respect to + /// the contents of the password. ///
/// - /// Typical applications are password checking (for online services), and key + /// Typical applications are password checking (for online services) and key /// derivation (for encryption). Derived keys can be used to encrypt, for example, /// private keys or password databases. ///
@@ -1231,705 +825,548 @@ public static unsafe void crypto_blake2b_general_init(ref Monocypher.crypto_blak /// /// See Monocypher manual for more details. /// See Monocypher manual for more details. - /// See Monocypher manual for more details. - /// See Monocypher manual for more details. - /// See Monocypher manual for more details. - /// See Monocypher manual for more details. - public static unsafe void crypto_argon2i(Span hash, Span work_area, uint nb_blocks, uint nb_iterations, ReadOnlySpan password, ReadOnlySpan salt) + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + public static unsafe void crypto_argon2(Span hash, Span work_area, Monocypher.crypto_argon2_config config, Monocypher.crypto_argon2_inputs inputs, Monocypher.crypto_argon2_extras extras) { fixed(void* hash_ptr = hash) fixed(void* work_area_ptr = work_area) - fixed(void* password_ptr = password) - fixed(void* salt_ptr = salt) - crypto_argon2i(new IntPtr(hash_ptr), (uint)hash.Length, new IntPtr(work_area_ptr), nb_blocks, nb_iterations, new IntPtr(password_ptr), (uint)password.Length, new IntPtr(salt_ptr), (uint)salt.Length); + crypto_argon2(new IntPtr(hash_ptr), (uint)hash.Length, new IntPtr(work_area_ptr), config, inputs, extras); } /// - /// - /// Argon2i is a resource intensive password key derivation scheme optimised for the - /// typical x86-like processor. It runs in constant time with respect to the - /// contents of the password. - ///
- /// - /// Typical applications are password checking (for online services), and key - /// derivation (for encryption). Derived keys can be used to encrypt, for example, - /// private keys or password databases. - ///
- /// - /// The version provided by Monocypher has no threading support, so the degree of - /// parallelism is limited to 1. This is considered good enough for most purposes. - ///
- /// + /// Function crypto_x25519_public_key /// - /// See Monocypher manual for more details. - /// See Monocypher manual for more details. - /// See Monocypher manual for more details. - /// See Monocypher manual for more details. - /// See Monocypher manual for more details. - /// See Monocypher manual for more details. - /// See Monocypher manual for more details. - /// See Monocypher manual for more details. - /// See Monocypher manual for more details. - /// See Monocypher manual for more details. - /// See Monocypher manual for more details. - /// See Monocypher manual for more details. - /// See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_argon2i_general(IntPtr hash, uint hash_size, IntPtr work_area, uint nb_blocks, uint nb_iterations, IntPtr password, uint password_size, IntPtr salt, uint salt_size, IntPtr key, uint key_size, IntPtr ad, uint ad_size); + public static extern void crypto_x25519_public_key(ref Byte32 public_key, in Byte32 secret_key); /// - /// - /// Argon2i is a resource intensive password key derivation scheme optimised for the - /// typical x86-like processor. It runs in constant time with respect to the - /// contents of the password. - ///
- /// - /// Typical applications are password checking (for online services), and key - /// derivation (for encryption). Derived keys can be used to encrypt, for example, - /// private keys or password databases. - ///
- /// - /// The version provided by Monocypher has no threading support, so the degree of - /// parallelism is limited to 1. This is considered good enough for most purposes. - ///
- /// + /// Function crypto_x25519_public_key /// - /// See Monocypher manual for more details. - /// See Monocypher manual for more details. - /// See Monocypher manual for more details. - /// See Monocypher manual for more details. - /// See Monocypher manual for more details. - /// See Monocypher manual for more details. - /// See Monocypher manual for more details. - /// See Monocypher manual for more details. - public static unsafe void crypto_argon2i_general(Span hash, Span work_area, uint nb_blocks, uint nb_iterations, ReadOnlySpan password, ReadOnlySpan salt, ReadOnlySpan key, ReadOnlySpan ad) + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + public static unsafe void crypto_x25519_public_key(Span public_key, ReadOnlySpan secret_key) { - fixed(void* hash_ptr = hash) - fixed(void* work_area_ptr = work_area) - fixed(void* password_ptr = password) - fixed(void* salt_ptr = salt) - fixed(void* key_ptr = key) - fixed(void* ad_ptr = ad) - crypto_argon2i_general(new IntPtr(hash_ptr), (uint)hash.Length, new IntPtr(work_area_ptr), nb_blocks, nb_iterations, new IntPtr(password_ptr), (uint)password.Length, new IntPtr(salt_ptr), (uint)salt.Length, new IntPtr(key_ptr), (uint)key.Length, new IntPtr(ad_ptr), (uint)ad.Length); + ExpectSize32(nameof(public_key), public_key.Length); + ExpectSize32(nameof(secret_key), secret_key.Length); + crypto_x25519_public_key(ref public_key.AsByte32(), in secret_key.AsByte32()); } /// - /// () computes a shared key - /// with your secret key and their public key. - ///
- /// () - /// deterministically computes the public key from a random secret key. - ///
- /// + /// () performs an X25519 key + /// exchange between and + /// . It is a low-level building + /// block for protocols such as X3DH. + /// () Generates a + /// public key from a secret key. /// - /// A 32-byte buffer. The shared secret, known only to those who know a relevant secret key - /// (yours or theirs). It is cryptographically random, and suitable for use - /// with the family of - /// functions. - /// A 32-byte random number, known only to you. See + /// A 32-byte buffer. The shared secret, known only to those who know a relevant secret key + /// (yours or theirs). It is not cryptographically random. Do not use it + /// directly as a key. Hash it concatenated with + /// and + /// using + /// for key + /// derivation. + /// A 32-byte secret random number. See /// intro(3monocypher) for advice about /// generating random bytes (use the operating system's random number /// generator). /// A 32-byte buffer. The public key of the other party. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_key_exchange(ref Byte32 shared_key, in Byte32 your_secret_key, in Byte32 their_public_key); + public static extern void crypto_x25519(ref Byte32 raw_shared_secret, in Byte32 your_secret_key, in Byte32 their_public_key); /// - /// () computes a shared key - /// with your secret key and their public key. - ///
- /// () - /// deterministically computes the public key from a random secret key. - ///
- /// + /// () performs an X25519 key + /// exchange between and + /// . It is a low-level building + /// block for protocols such as X3DH. + /// () Generates a + /// public key from a secret key. /// - /// A 32-byte buffer. The shared secret, known only to those who know a relevant secret key - /// (yours or theirs). It is cryptographically random, and suitable for use - /// with the family of - /// functions. - /// A 32-byte random number, known only to you. See + /// A 32-byte buffer. The shared secret, known only to those who know a relevant secret key + /// (yours or theirs). It is not cryptographically random. Do not use it + /// directly as a key. Hash it concatenated with + /// and + /// using + /// for key + /// derivation. + /// A 32-byte secret random number. See /// intro(3monocypher) for advice about /// generating random bytes (use the operating system's random number /// generator). /// A 32-byte buffer. The public key of the other party. - public static unsafe void crypto_key_exchange(Span shared_key, ReadOnlySpan your_secret_key, ReadOnlySpan their_public_key) + public static unsafe void crypto_x25519(Span raw_shared_secret, ReadOnlySpan your_secret_key, ReadOnlySpan their_public_key) { - ExpectSize32(nameof(shared_key), shared_key.Length); + ExpectSize32(nameof(raw_shared_secret), raw_shared_secret.Length); ExpectSize32(nameof(your_secret_key), your_secret_key.Length); ExpectSize32(nameof(their_public_key), their_public_key.Length); - crypto_key_exchange(ref shared_key.AsByte32(), in your_secret_key.AsByte32(), in their_public_key.AsByte32()); + crypto_x25519(ref raw_shared_secret.AsByte32(), in your_secret_key.AsByte32(), in their_public_key.AsByte32()); } /// - /// () and - /// () provide EdDSA public key - /// signatures and verification. - ///
- /// + /// Function crypto_x25519_to_eddsa /// - /// A 32-byte random number, known only to you. See - /// intro(3monocypher) about random number - /// generation (use your operating system's random number generator). Do not - /// use the same private key for both signatures and key exchanges. The public - /// keys are different, and revealing both may leak information. - /// A 32-byte buffer. The public key, generated from - /// with (). + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_sign_public_key(ref Byte32 public_key, in Byte32 secret_key); + public static extern void crypto_x25519_to_eddsa(ref Byte32 eddsa, in Byte32 x25519); /// - /// () and - /// () provide EdDSA public key - /// signatures and verification. - ///
- /// + /// Function crypto_x25519_to_eddsa /// - /// A 32-byte random number, known only to you. See - /// intro(3monocypher) about random number - /// generation (use your operating system's random number generator). Do not - /// use the same private key for both signatures and key exchanges. The public - /// keys are different, and revealing both may leak information. - /// A 32-byte buffer. The public key, generated from - /// with (). - public static unsafe void crypto_sign_public_key(Span public_key, ReadOnlySpan secret_key) + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + public static unsafe void crypto_x25519_to_eddsa(Span eddsa, ReadOnlySpan x25519) + { + ExpectSize32(nameof(eddsa), eddsa.Length); + ExpectSize32(nameof(x25519), x25519.Length); + crypto_x25519_to_eddsa(ref eddsa.AsByte32(), in x25519.AsByte32()); + } + + /// + /// Function crypto_x25519_inverse + /// + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] + public static extern void crypto_x25519_inverse(ref Byte32 blind_salt, in Byte32 private_key, in Byte32 curve_point); + + /// + /// Function crypto_x25519_inverse + /// + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + public static unsafe void crypto_x25519_inverse(Span blind_salt, ReadOnlySpan private_key, ReadOnlySpan curve_point) + { + ExpectSize32(nameof(blind_salt), blind_salt.Length); + ExpectSize32(nameof(private_key), private_key.Length); + ExpectSize32(nameof(curve_point), curve_point.Length); + crypto_x25519_inverse(ref blind_salt.AsByte32(), in private_key.AsByte32(), in curve_point.AsByte32()); + } + + /// + /// Function crypto_x25519_dirty_small + /// + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] + public static extern void crypto_x25519_dirty_small(ref Byte32 pk, in Byte32 sk); + + /// + /// Function crypto_x25519_dirty_small + /// + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + public static unsafe void crypto_x25519_dirty_small(Span pk, ReadOnlySpan sk) + { + ExpectSize32(nameof(pk), pk.Length); + ExpectSize32(nameof(sk), sk.Length); + crypto_x25519_dirty_small(ref pk.AsByte32(), in sk.AsByte32()); + } + + /// + /// Function crypto_x25519_dirty_fast + /// + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] + public static extern void crypto_x25519_dirty_fast(ref Byte32 pk, in Byte32 sk); + + /// + /// Function crypto_x25519_dirty_fast + /// + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + public static unsafe void crypto_x25519_dirty_fast(Span pk, ReadOnlySpan sk) { + ExpectSize32(nameof(pk), pk.Length); + ExpectSize32(nameof(sk), sk.Length); + crypto_x25519_dirty_fast(ref pk.AsByte32(), in sk.AsByte32()); + } + + /// + /// Function crypto_eddsa_key_pair + /// + /// A 64-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] + public static extern void crypto_eddsa_key_pair(ref Byte64 secret_key, ref Byte32 public_key, ref Byte32 seed); + + /// + /// Function crypto_eddsa_key_pair + /// + /// A 64-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + public static unsafe void crypto_eddsa_key_pair(Span secret_key, Span public_key, Span seed) + { + ExpectSize64(nameof(secret_key), secret_key.Length); ExpectSize32(nameof(public_key), public_key.Length); - ExpectSize32(nameof(secret_key), secret_key.Length); - crypto_sign_public_key(ref public_key.AsByte32(), in secret_key.AsByte32()); + ExpectSize32(nameof(seed), seed.Length); + crypto_eddsa_key_pair(ref secret_key.AsByte64(), ref public_key.AsByte32(), ref seed.AsByte32()); } /// - /// () and - /// () provide EdDSA public key - /// signatures and verification. - ///
- /// + /// High + /// level API() and + /// () provide EdDSA public + /// key signatures and verification. + /// () computes the + /// private and public keys from a random seed. /// /// A 64-byte buffer. The signature. - /// A 32-byte random number, known only to you. See - /// intro(3monocypher) about random number - /// generation (use your operating system's random number generator). Do not - /// use the same private key for both signatures and key exchanges. The public - /// keys are different, and revealing both may leak information. - /// A 32-byte buffer. The public key, generated from - /// with (). - /// Message to sign. + /// A 64-byte buffer. A secret key generated by + /// (), known only to + /// you. Internally the secret key is made up of the seed and the public key. + /// They are bundled together to avoid misuse, and should be treated as a + /// unit. + /// The message to sign. /// Length of , in bytes. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_sign(ref Byte64 signature, in Byte32 secret_key, in Byte32 public_key, IntPtr message, Monocypher.size_t message_size); + public static extern void crypto_eddsa_sign(ref Byte64 signature, in Byte64 secret_key, IntPtr message, Monocypher.size_t message_size); /// - /// () and - /// () provide EdDSA public key - /// signatures and verification. - ///
- /// + /// High + /// level API() and + /// () provide EdDSA public + /// key signatures and verification. + /// () computes the + /// private and public keys from a random seed. /// /// A 64-byte buffer. The signature. - /// A 32-byte random number, known only to you. See - /// intro(3monocypher) about random number - /// generation (use your operating system's random number generator). Do not - /// use the same private key for both signatures and key exchanges. The public - /// keys are different, and revealing both may leak information. - /// A 32-byte buffer. The public key, generated from - /// with (). - /// Message to sign. - public static unsafe void crypto_sign(Span signature, ReadOnlySpan secret_key, ReadOnlySpan public_key, ReadOnlySpan message) + /// A 64-byte buffer. A secret key generated by + /// (), known only to + /// you. Internally the secret key is made up of the seed and the public key. + /// They are bundled together to avoid misuse, and should be treated as a + /// unit. + /// The message to sign. + public static unsafe void crypto_eddsa_sign(Span signature, ReadOnlySpan secret_key, ReadOnlySpan message) { ExpectSize64(nameof(signature), signature.Length); - ExpectSize32(nameof(secret_key), secret_key.Length); - ExpectSize32(nameof(public_key), public_key.Length); + ExpectSize64(nameof(secret_key), secret_key.Length); fixed(void* message_ptr = message) - crypto_sign(ref signature.AsByte64(), in secret_key.AsByte32(), in public_key.AsByte32(), new IntPtr(message_ptr), (Monocypher.size_t)message.Length); + crypto_eddsa_sign(ref signature.AsByte64(), in secret_key.AsByte64(), new IntPtr(message_ptr), (Monocypher.size_t)message.Length); } /// - /// () and - /// () provide EdDSA public key - /// signatures and verification. - ///
- /// + /// Function crypto_eddsa_check /// - /// A 64-byte buffer. The signature. - /// A 32-byte buffer. The public key, generated from - /// with (). - /// Message to sign. - /// Length of , in bytes. + /// A 64-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern int crypto_check(in Byte64 signature, in Byte32 public_key, IntPtr message, Monocypher.size_t message_size); + public static extern int crypto_eddsa_check(in Byte64 signature, in Byte32 public_key, IntPtr message, Monocypher.size_t message_size); /// - /// () and - /// () provide EdDSA public key - /// signatures and verification. - ///
- /// + /// Function crypto_eddsa_check /// - /// A 64-byte buffer. The signature. - /// A 32-byte buffer. The public key, generated from - /// with (). - /// Message to sign. - public static unsafe int crypto_check(ReadOnlySpan signature, ReadOnlySpan public_key, ReadOnlySpan message) + /// A 64-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + /// See Monocypher manual for more details. + public static unsafe int crypto_eddsa_check(ReadOnlySpan signature, ReadOnlySpan public_key, ReadOnlySpan message) { ExpectSize64(nameof(signature), signature.Length); ExpectSize32(nameof(public_key), public_key.Length); fixed(void* message_ptr = message) - return crypto_check(in signature.AsByte64(), in public_key.AsByte32(), new IntPtr(message_ptr), (Monocypher.size_t)message.Length); + return crypto_eddsa_check(in signature.AsByte64(), in public_key.AsByte32(), new IntPtr(message_ptr), (Monocypher.size_t)message.Length); } /// - /// () provides a - /// not-so-cryptographic hash. It may be used for some specific purposes, such as - /// X25519 key derivation, or XChacha20 initialisation. If in doubt, do not use - /// directly. Use - /// instead. - ///
- /// + /// Function crypto_eddsa_to_x25519 + /// + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] + public static extern void crypto_eddsa_to_x25519(ref Byte32 x25519, in Byte32 eddsa); + + /// + /// Function crypto_eddsa_to_x25519 + /// + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + public static unsafe void crypto_eddsa_to_x25519(Span x25519, ReadOnlySpan eddsa) + { + ExpectSize32(nameof(x25519), x25519.Length); + ExpectSize32(nameof(eddsa), eddsa.Length); + crypto_eddsa_to_x25519(ref x25519.AsByte32(), in eddsa.AsByte32()); + } + + /// + /// Function crypto_eddsa_trim_scalar /// - /// A 32-byte buffer. A sufficiently random key, such as the output of - /// . /// A 32-byte buffer. See Monocypher manual for more details. - /// A 16-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_hchacha20(ref Byte32 @out, in Byte32 key, in Byte16 @in); + public static extern void crypto_eddsa_trim_scalar(ref Byte32 @out, in Byte32 @in); /// - /// () provides a - /// not-so-cryptographic hash. It may be used for some specific purposes, such as - /// X25519 key derivation, or XChacha20 initialisation. If in doubt, do not use - /// directly. Use - /// instead. - ///
- /// + /// Function crypto_eddsa_trim_scalar /// - /// A 32-byte buffer. A sufficiently random key, such as the output of - /// . /// A 32-byte buffer. See Monocypher manual for more details. - /// A 16-byte buffer. See Monocypher manual for more details. - public static unsafe void crypto_hchacha20(Span @out, ReadOnlySpan key, ReadOnlySpan @in) + /// A 32-byte buffer. See Monocypher manual for more details. + public static unsafe void crypto_eddsa_trim_scalar(Span @out, ReadOnlySpan @in) { ExpectSize32(nameof(@out), @out.Length); - ExpectSize32(nameof(key), key.Length); - ExpectSize16(nameof(@in), @in.Length); - crypto_hchacha20(ref @out.AsByte32(), in key.AsByte32(), in @in.AsByte16()); + ExpectSize32(nameof(@in), @in.Length); + crypto_eddsa_trim_scalar(ref @out.AsByte32(), in @in.AsByte32()); } /// - /// - /// These functions provide an interface for the Chacha20 encryption primitive. - ///
- /// - /// Chacha20 is a low-level primitive. Consider using authenticated encryption, - /// implemented by . - ///
- /// + /// Function crypto_eddsa_reduce /// - /// A 32-byte secret key. - /// A 8-byte buffer. An 8-byte or 24-byte number, used only once with any given key. It does - /// not need to be secret or random, but it does have to be unique. Repeating - /// a nonce with the same key reveals the XOR of two different messages, which - /// allows decryption. 24-byte nonces can be selected at random. 8-byte nonces - /// cannot. They are too small, and the same - /// nonce may be selected twice by accident. See - /// intro(3monocypher) for advice about - /// generating random numbers (use the operating system's random number - /// generator). - /// The message to encrypt. It is allowed to be - /// NULL, in which case it will be - /// interpreted as an all zero input. - /// will then contain the raw - /// Chacha20 stream. - /// The encrypted message. - /// Length of both and - /// , in bytes. + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 64-byte buffer. See Monocypher manual for more details. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_chacha20(IntPtr cipher_text, IntPtr plain_text, Monocypher.size_t text_size, in Byte32 key, in Byte8 nonce); + public static extern void crypto_eddsa_reduce(ref Byte32 reduced, in Byte64 expanded); /// - /// - /// These functions provide an interface for the Chacha20 encryption primitive. - ///
- /// - /// Chacha20 is a low-level primitive. Consider using authenticated encryption, - /// implemented by . - ///
- /// + /// Function crypto_eddsa_reduce /// - /// A 32-byte secret key. - /// A 8-byte buffer. An 8-byte or 24-byte number, used only once with any given key. It does - /// not need to be secret or random, but it does have to be unique. Repeating - /// a nonce with the same key reveals the XOR of two different messages, which - /// allows decryption. 24-byte nonces can be selected at random. 8-byte nonces - /// cannot. They are too small, and the same - /// nonce may be selected twice by accident. See - /// intro(3monocypher) for advice about - /// generating random numbers (use the operating system's random number - /// generator). - /// The message to encrypt. It is allowed to be - /// NULL, in which case it will be - /// interpreted as an all zero input. - /// will then contain the raw - /// Chacha20 stream. - /// The encrypted message. - public static unsafe void crypto_chacha20(Span cipher_text, ReadOnlySpan plain_text, ReadOnlySpan key, ReadOnlySpan nonce) + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 64-byte buffer. See Monocypher manual for more details. + public static unsafe void crypto_eddsa_reduce(Span reduced, ReadOnlySpan expanded) { - ExpectSameBufferSize(nameof(cipher_text), cipher_text.Length, nameof(plain_text), plain_text.Length); - ExpectSize32(nameof(key), key.Length); - ExpectSize8(nameof(nonce), nonce.Length); - fixed(void* cipher_text_ptr = cipher_text) - fixed(void* plain_text_ptr = plain_text) - crypto_chacha20(new IntPtr(cipher_text_ptr), new IntPtr(plain_text_ptr), (Monocypher.size_t)cipher_text.Length, in key.AsByte32(), in nonce.AsByte8()); + ExpectSize32(nameof(reduced), reduced.Length); + ExpectSize64(nameof(expanded), expanded.Length); + crypto_eddsa_reduce(ref reduced.AsByte32(), in expanded.AsByte64()); } /// - /// - /// These functions provide an interface for the Chacha20 encryption primitive. - ///
- /// - /// Chacha20 is a low-level primitive. Consider using authenticated encryption, - /// implemented by . - ///
- /// + /// Function crypto_eddsa_mul_add /// - /// A 32-byte secret key. - /// A 24-byte buffer. An 8-byte or 24-byte number, used only once with any given key. It does - /// not need to be secret or random, but it does have to be unique. Repeating - /// a nonce with the same key reveals the XOR of two different messages, which - /// allows decryption. 24-byte nonces can be selected at random. 8-byte nonces - /// cannot. They are too small, and the same - /// nonce may be selected twice by accident. See - /// intro(3monocypher) for advice about - /// generating random numbers (use the operating system's random number - /// generator). - /// The message to encrypt. It is allowed to be - /// NULL, in which case it will be - /// interpreted as an all zero input. - /// will then contain the raw - /// Chacha20 stream. - /// The encrypted message. - /// Length of both and - /// , in bytes. + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_xchacha20(IntPtr cipher_text, IntPtr plain_text, Monocypher.size_t text_size, in Byte32 key, in Byte24 nonce); + public static extern void crypto_eddsa_mul_add(ref Byte32 r, in Byte32 a, in Byte32 b, in Byte32 c); /// - /// - /// These functions provide an interface for the Chacha20 encryption primitive. - ///
- /// - /// Chacha20 is a low-level primitive. Consider using authenticated encryption, - /// implemented by . - ///
- /// + /// Function crypto_eddsa_mul_add /// - /// A 32-byte secret key. - /// A 24-byte buffer. An 8-byte or 24-byte number, used only once with any given key. It does - /// not need to be secret or random, but it does have to be unique. Repeating - /// a nonce with the same key reveals the XOR of two different messages, which - /// allows decryption. 24-byte nonces can be selected at random. 8-byte nonces - /// cannot. They are too small, and the same - /// nonce may be selected twice by accident. See - /// intro(3monocypher) for advice about - /// generating random numbers (use the operating system's random number - /// generator). - /// The message to encrypt. It is allowed to be - /// NULL, in which case it will be - /// interpreted as an all zero input. - /// will then contain the raw - /// Chacha20 stream. - /// The encrypted message. - public static unsafe void crypto_xchacha20(Span cipher_text, ReadOnlySpan plain_text, ReadOnlySpan key, ReadOnlySpan nonce) + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + public static unsafe void crypto_eddsa_mul_add(Span r, ReadOnlySpan a, ReadOnlySpan b, ReadOnlySpan c) { - ExpectSameBufferSize(nameof(cipher_text), cipher_text.Length, nameof(plain_text), plain_text.Length); - ExpectSize32(nameof(key), key.Length); - ExpectSize24(nameof(nonce), nonce.Length); - fixed(void* cipher_text_ptr = cipher_text) - fixed(void* plain_text_ptr = plain_text) - crypto_xchacha20(new IntPtr(cipher_text_ptr), new IntPtr(plain_text_ptr), (Monocypher.size_t)cipher_text.Length, in key.AsByte32(), in nonce.AsByte24()); + ExpectSize32(nameof(r), r.Length); + ExpectSize32(nameof(a), a.Length); + ExpectSize32(nameof(b), b.Length); + ExpectSize32(nameof(c), c.Length); + crypto_eddsa_mul_add(ref r.AsByte32(), in a.AsByte32(), in b.AsByte32(), in c.AsByte32()); } /// - /// - /// These functions provide an interface for the Chacha20 encryption primitive as - /// specified by the IETF in RFC 8439. They are provided strictly for - /// compatibility with existing systems or strict standards compliance. New - /// programs are strongly encouraged to use - /// instead. - ///
- /// - /// Chacha20 is a low-level primitive. Consider using authenticated encryption, - /// implemented by . - ///
- /// - /// The () and - /// () functions behave - /// the same as and - /// , respectively, but use - /// differently-sized nonce and counter values. The nonce encompasses 12 bytes and - /// the counter is correspondingly reduced to 4 bytes. The short counter limits a - /// single pair of key and nonce to 256 GiB of data. A nonce of 12 bytes is - /// just barely too short to be safely chosen at - /// random; use a message counter instead. RFC 8439 also permits linear feedback - /// shift registers to generate nonces. - /// + /// Function crypto_eddsa_scalarbase /// - /// See Monocypher manual for more details. - /// See Monocypher manual for more details. - /// See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] + public static extern void crypto_eddsa_scalarbase(ref Byte32 point, in Byte32 scalar); + + /// + /// Function crypto_eddsa_scalarbase + /// + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + public static unsafe void crypto_eddsa_scalarbase(Span point, ReadOnlySpan scalar) + { + ExpectSize32(nameof(point), point.Length); + ExpectSize32(nameof(scalar), scalar.Length); + crypto_eddsa_scalarbase(ref point.AsByte32(), in scalar.AsByte32()); + } + + /// + /// Function crypto_eddsa_check_equation + /// + /// A 64-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] + public static extern int crypto_eddsa_check_equation(in Byte64 signature, in Byte32 public_key, in Byte32 h_ram); + + /// + /// Function crypto_eddsa_check_equation + /// + /// A 64-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + public static unsafe int crypto_eddsa_check_equation(ReadOnlySpan signature, ReadOnlySpan public_key, ReadOnlySpan h_ram) + { + ExpectSize64(nameof(signature), signature.Length); + ExpectSize32(nameof(public_key), public_key.Length); + ExpectSize32(nameof(h_ram), h_ram.Length); + return crypto_eddsa_check_equation(in signature.AsByte64(), in public_key.AsByte32(), in h_ram.AsByte32()); + } + + /// + /// Function crypto_chacha20_h + /// + /// A 32-byte buffer. See Monocypher manual for more details. /// A 32-byte buffer. See Monocypher manual for more details. - /// A 12-byte buffer. See Monocypher manual for more details. + /// A 16-byte buffer. See Monocypher manual for more details. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_ietf_chacha20(IntPtr cipher_text, IntPtr plain_text, Monocypher.size_t text_size, in Byte32 key, in Byte12 nonce); + public static extern void crypto_chacha20_h(ref Byte32 @out, in Byte32 key, in Byte16 @in); /// - /// - /// These functions provide an interface for the Chacha20 encryption primitive as - /// specified by the IETF in RFC 8439. They are provided strictly for - /// compatibility with existing systems or strict standards compliance. New - /// programs are strongly encouraged to use - /// instead. - ///
- /// - /// Chacha20 is a low-level primitive. Consider using authenticated encryption, - /// implemented by . - ///
- /// - /// The () and - /// () functions behave - /// the same as and - /// , respectively, but use - /// differently-sized nonce and counter values. The nonce encompasses 12 bytes and - /// the counter is correspondingly reduced to 4 bytes. The short counter limits a - /// single pair of key and nonce to 256 GiB of data. A nonce of 12 bytes is - /// just barely too short to be safely chosen at - /// random; use a message counter instead. RFC 8439 also permits linear feedback - /// shift registers to generate nonces. - /// + /// Function crypto_chacha20_h /// - /// See Monocypher manual for more details. - /// See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. /// A 32-byte buffer. See Monocypher manual for more details. - /// A 12-byte buffer. See Monocypher manual for more details. - public static unsafe void crypto_ietf_chacha20(Span cipher_text, ReadOnlySpan plain_text, ReadOnlySpan key, ReadOnlySpan nonce) + /// A 16-byte buffer. See Monocypher manual for more details. + public static unsafe void crypto_chacha20_h(Span @out, ReadOnlySpan key, ReadOnlySpan @in) { - ExpectSameBufferSize(nameof(cipher_text), cipher_text.Length, nameof(plain_text), plain_text.Length); + ExpectSize32(nameof(@out), @out.Length); ExpectSize32(nameof(key), key.Length); - ExpectSize12(nameof(nonce), nonce.Length); - fixed(void* cipher_text_ptr = cipher_text) - fixed(void* plain_text_ptr = plain_text) - crypto_ietf_chacha20(new IntPtr(cipher_text_ptr), new IntPtr(plain_text_ptr), (Monocypher.size_t)cipher_text.Length, in key.AsByte32(), in nonce.AsByte12()); + ExpectSize16(nameof(@in), @in.Length); + crypto_chacha20_h(ref @out.AsByte32(), in key.AsByte32(), in @in.AsByte16()); } /// /// - /// These functions provide an interface for the Chacha20 encryption primitive. + /// These functions provide an interface for the ChaCha20 encryption primitive. ///
/// - /// Chacha20 is a low-level primitive. Consider using authenticated encryption, - /// implemented by . + /// ChaCha20 is a low-level primitive. Consider using authenticated encryption, + /// implemented by . ///
/// /// /// A 32-byte secret key. - /// A 8-byte buffer. An 8-byte or 24-byte number, used only once with any given key. It does - /// not need to be secret or random, but it does have to be unique. Repeating - /// a nonce with the same key reveals the XOR of two different messages, which - /// allows decryption. 24-byte nonces can be selected at random. 8-byte nonces - /// cannot. They are too small, and the same - /// nonce may be selected twice by accident. See - /// intro(3monocypher) for advice about - /// generating random numbers (use the operating system's random number + /// A 8-byte buffer. An 8-byte, 12-byte, or 24-byte number used only once with any given key. + /// It does not need to be secret or random, but it does have to be unique. + /// Repeating a nonce with the same key reveals the XOR of two different + /// messages, which allows decryption. 24-byte nonces can be selected at + /// random. 8-byte and 12-byte nonces cannot + /// because they are too small and the same nonce may be selected twice by + /// accident. See intro(3monocypher) for advice + /// about generating random numbers (use the operating system's random number /// generator). /// The message to encrypt. It is allowed to be /// NULL, in which case it will be - /// interpreted as an all zero input. + /// interpreted as an all-zero input. /// will then contain the raw - /// Chacha20 stream. + /// ChaCha20 stream. /// The encrypted message. /// Length of both and /// , in bytes. - /// The number of 64-byte blocks since the beginning of the stream. + /// The number of 64-byte blocks we skip from the beginning of the stream. + /// This can be used to encrypt (or decrypt) part of a long message or to + /// implement some AEAD constructions such as the one described in RFC 8439. + /// Should be zero by default. When using this, be careful not to accidentally + /// reuse parts of the random stream as that would destroy confidentiality. + /// The return value can help here. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern ulong crypto_chacha20_ctr(IntPtr cipher_text, IntPtr plain_text, Monocypher.size_t text_size, in Byte32 key, in Byte8 nonce, ulong ctr); + public static extern ulong crypto_chacha20_djb(IntPtr cipher_text, IntPtr plain_text, Monocypher.size_t text_size, in Byte32 key, in Byte8 nonce, ulong ctr); /// /// - /// These functions provide an interface for the Chacha20 encryption primitive. + /// These functions provide an interface for the ChaCha20 encryption primitive. ///
/// - /// Chacha20 is a low-level primitive. Consider using authenticated encryption, - /// implemented by . + /// ChaCha20 is a low-level primitive. Consider using authenticated encryption, + /// implemented by . ///
/// /// /// A 32-byte secret key. - /// A 8-byte buffer. An 8-byte or 24-byte number, used only once with any given key. It does - /// not need to be secret or random, but it does have to be unique. Repeating - /// a nonce with the same key reveals the XOR of two different messages, which - /// allows decryption. 24-byte nonces can be selected at random. 8-byte nonces - /// cannot. They are too small, and the same - /// nonce may be selected twice by accident. See - /// intro(3monocypher) for advice about - /// generating random numbers (use the operating system's random number + /// A 8-byte buffer. An 8-byte, 12-byte, or 24-byte number used only once with any given key. + /// It does not need to be secret or random, but it does have to be unique. + /// Repeating a nonce with the same key reveals the XOR of two different + /// messages, which allows decryption. 24-byte nonces can be selected at + /// random. 8-byte and 12-byte nonces cannot + /// because they are too small and the same nonce may be selected twice by + /// accident. See intro(3monocypher) for advice + /// about generating random numbers (use the operating system's random number /// generator). /// The message to encrypt. It is allowed to be /// NULL, in which case it will be - /// interpreted as an all zero input. + /// interpreted as an all-zero input. /// will then contain the raw - /// Chacha20 stream. + /// ChaCha20 stream. /// The encrypted message. - /// The number of 64-byte blocks since the beginning of the stream. - public static unsafe ulong crypto_chacha20_ctr(Span cipher_text, ReadOnlySpan plain_text, ReadOnlySpan key, ReadOnlySpan nonce, ulong ctr) + /// The number of 64-byte blocks we skip from the beginning of the stream. + /// This can be used to encrypt (or decrypt) part of a long message or to + /// implement some AEAD constructions such as the one described in RFC 8439. + /// Should be zero by default. When using this, be careful not to accidentally + /// reuse parts of the random stream as that would destroy confidentiality. + /// The return value can help here. + public static unsafe ulong crypto_chacha20_djb(Span cipher_text, ReadOnlySpan plain_text, ReadOnlySpan key, ReadOnlySpan nonce, ulong ctr) { ExpectSameBufferSize(nameof(cipher_text), cipher_text.Length, nameof(plain_text), plain_text.Length); ExpectSize32(nameof(key), key.Length); ExpectSize8(nameof(nonce), nonce.Length); fixed(void* cipher_text_ptr = cipher_text) fixed(void* plain_text_ptr = plain_text) - return crypto_chacha20_ctr(new IntPtr(cipher_text_ptr), new IntPtr(plain_text_ptr), (Monocypher.size_t)cipher_text.Length, in key.AsByte32(), in nonce.AsByte8(), ctr); + return crypto_chacha20_djb(new IntPtr(cipher_text_ptr), new IntPtr(plain_text_ptr), (Monocypher.size_t)cipher_text.Length, in key.AsByte32(), in nonce.AsByte8(), ctr); } /// - /// - /// These functions provide an interface for the Chacha20 encryption primitive. - ///
- /// - /// Chacha20 is a low-level primitive. Consider using authenticated encryption, - /// implemented by . - ///
- /// + /// Function crypto_chacha20_ietf /// - /// A 32-byte secret key. - /// A 24-byte buffer. An 8-byte or 24-byte number, used only once with any given key. It does - /// not need to be secret or random, but it does have to be unique. Repeating - /// a nonce with the same key reveals the XOR of two different messages, which - /// allows decryption. 24-byte nonces can be selected at random. 8-byte nonces - /// cannot. They are too small, and the same - /// nonce may be selected twice by accident. See - /// intro(3monocypher) for advice about - /// generating random numbers (use the operating system's random number - /// generator). - /// The message to encrypt. It is allowed to be - /// NULL, in which case it will be - /// interpreted as an all zero input. - /// will then contain the raw - /// Chacha20 stream. - /// The encrypted message. - /// Length of both and - /// , in bytes. - /// The number of 64-byte blocks since the beginning of the stream. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 12-byte buffer. See Monocypher manual for more details. + /// See Monocypher manual for more details. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern ulong crypto_xchacha20_ctr(IntPtr cipher_text, IntPtr plain_text, Monocypher.size_t text_size, in Byte32 key, in Byte24 nonce, ulong ctr); + public static extern uint crypto_chacha20_ietf(IntPtr cipher_text, IntPtr plain_text, Monocypher.size_t text_size, in Byte32 key, in Byte12 nonce, uint ctr); /// - /// - /// These functions provide an interface for the Chacha20 encryption primitive. - ///
- /// - /// Chacha20 is a low-level primitive. Consider using authenticated encryption, - /// implemented by . - ///
- /// + /// Function crypto_chacha20_ietf /// - /// A 32-byte secret key. - /// A 24-byte buffer. An 8-byte or 24-byte number, used only once with any given key. It does - /// not need to be secret or random, but it does have to be unique. Repeating - /// a nonce with the same key reveals the XOR of two different messages, which - /// allows decryption. 24-byte nonces can be selected at random. 8-byte nonces - /// cannot. They are too small, and the same - /// nonce may be selected twice by accident. See - /// intro(3monocypher) for advice about - /// generating random numbers (use the operating system's random number - /// generator). - /// The message to encrypt. It is allowed to be - /// NULL, in which case it will be - /// interpreted as an all zero input. - /// will then contain the raw - /// Chacha20 stream. - /// The encrypted message. - /// The number of 64-byte blocks since the beginning of the stream. - public static unsafe ulong crypto_xchacha20_ctr(Span cipher_text, ReadOnlySpan plain_text, ReadOnlySpan key, ReadOnlySpan nonce, ulong ctr) + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 12-byte buffer. See Monocypher manual for more details. + /// See Monocypher manual for more details. + public static unsafe uint crypto_chacha20_ietf(Span cipher_text, ReadOnlySpan plain_text, ReadOnlySpan key, ReadOnlySpan nonce, uint ctr) { ExpectSameBufferSize(nameof(cipher_text), cipher_text.Length, nameof(plain_text), plain_text.Length); ExpectSize32(nameof(key), key.Length); - ExpectSize24(nameof(nonce), nonce.Length); + ExpectSize12(nameof(nonce), nonce.Length); fixed(void* cipher_text_ptr = cipher_text) fixed(void* plain_text_ptr = plain_text) - return crypto_xchacha20_ctr(new IntPtr(cipher_text_ptr), new IntPtr(plain_text_ptr), (Monocypher.size_t)cipher_text.Length, in key.AsByte32(), in nonce.AsByte24(), ctr); + return crypto_chacha20_ietf(new IntPtr(cipher_text_ptr), new IntPtr(plain_text_ptr), (Monocypher.size_t)cipher_text.Length, in key.AsByte32(), in nonce.AsByte12(), ctr); } /// - /// - /// These functions provide an interface for the Chacha20 encryption primitive as - /// specified by the IETF in RFC 8439. They are provided strictly for - /// compatibility with existing systems or strict standards compliance. New - /// programs are strongly encouraged to use - /// instead. - ///
- /// - /// Chacha20 is a low-level primitive. Consider using authenticated encryption, - /// implemented by . - ///
- /// - /// The () and - /// () functions behave - /// the same as and - /// , respectively, but use - /// differently-sized nonce and counter values. The nonce encompasses 12 bytes and - /// the counter is correspondingly reduced to 4 bytes. The short counter limits a - /// single pair of key and nonce to 256 GiB of data. A nonce of 12 bytes is - /// just barely too short to be safely chosen at - /// random; use a message counter instead. RFC 8439 also permits linear feedback - /// shift registers to generate nonces. - /// + /// Function crypto_chacha20_x /// /// See Monocypher manual for more details. /// See Monocypher manual for more details. /// See Monocypher manual for more details. /// A 32-byte buffer. See Monocypher manual for more details. - /// A 12-byte buffer. See Monocypher manual for more details. + /// A 24-byte buffer. See Monocypher manual for more details. /// See Monocypher manual for more details. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern uint crypto_ietf_chacha20_ctr(IntPtr cipher_text, IntPtr plain_text, Monocypher.size_t text_size, in Byte32 key, in Byte12 nonce, uint ctr); + public static extern ulong crypto_chacha20_x(IntPtr cipher_text, IntPtr plain_text, Monocypher.size_t text_size, in Byte32 key, in Byte24 nonce, ulong ctr); /// - /// - /// These functions provide an interface for the Chacha20 encryption primitive as - /// specified by the IETF in RFC 8439. They are provided strictly for - /// compatibility with existing systems or strict standards compliance. New - /// programs are strongly encouraged to use - /// instead. - ///
- /// - /// Chacha20 is a low-level primitive. Consider using authenticated encryption, - /// implemented by . - ///
- /// - /// The () and - /// () functions behave - /// the same as and - /// , respectively, but use - /// differently-sized nonce and counter values. The nonce encompasses 12 bytes and - /// the counter is correspondingly reduced to 4 bytes. The short counter limits a - /// single pair of key and nonce to 256 GiB of data. A nonce of 12 bytes is - /// just barely too short to be safely chosen at - /// random; use a message counter instead. RFC 8439 also permits linear feedback - /// shift registers to generate nonces. - /// + /// Function crypto_chacha20_x /// /// See Monocypher manual for more details. /// See Monocypher manual for more details. /// A 32-byte buffer. See Monocypher manual for more details. - /// A 12-byte buffer. See Monocypher manual for more details. + /// A 24-byte buffer. See Monocypher manual for more details. /// See Monocypher manual for more details. - public static unsafe uint crypto_ietf_chacha20_ctr(Span cipher_text, ReadOnlySpan plain_text, ReadOnlySpan key, ReadOnlySpan nonce, uint ctr) + public static unsafe ulong crypto_chacha20_x(Span cipher_text, ReadOnlySpan plain_text, ReadOnlySpan key, ReadOnlySpan nonce, ulong ctr) { ExpectSameBufferSize(nameof(cipher_text), cipher_text.Length, nameof(plain_text), plain_text.Length); ExpectSize32(nameof(key), key.Length); - ExpectSize12(nameof(nonce), nonce.Length); + ExpectSize24(nameof(nonce), nonce.Length); fixed(void* cipher_text_ptr = cipher_text) fixed(void* plain_text_ptr = plain_text) - return crypto_ietf_chacha20_ctr(new IntPtr(cipher_text_ptr), new IntPtr(plain_text_ptr), (Monocypher.size_t)cipher_text.Length, in key.AsByte32(), in nonce.AsByte12(), ctr); + return crypto_chacha20_x(new IntPtr(cipher_text_ptr), new IntPtr(plain_text_ptr), (Monocypher.size_t)cipher_text.Length, in key.AsByte32(), in nonce.AsByte24(), ctr); } /// @@ -1937,15 +1374,15 @@ public static unsafe uint crypto_ietf_chacha20_ctr(Span cipher_text, ReadO /// Poly1305 is a one-time message authentication code. “One-time” /// means the authentication key can be used only once. /// This makes Poly1305 easy to misuse. On the other - /// hand, Poly1305 is fast, and provably secure if used correctly. + /// hand, Poly1305 is fast and provably secure if used correctly. ///
/// /// Poly1305 is a low-level primitive. Consider using authenticated encryption, - /// implemented by . + /// implemented by . ///
/// /// - /// A 16-byte buffer. The authentication code. + /// A 16-byte buffer. The message authentication code. /// A 32-byte buffer. The secret authentication key. Use only once per message. Do not use the /// session key to authenticate messages. It should be wiped with /// after use. @@ -1960,15 +1397,15 @@ public static unsafe uint crypto_ietf_chacha20_ctr(Span cipher_text, ReadO /// Poly1305 is a one-time message authentication code. “One-time” /// means the authentication key can be used only once. /// This makes Poly1305 easy to misuse. On the other - /// hand, Poly1305 is fast, and provably secure if used correctly. + /// hand, Poly1305 is fast and provably secure if used correctly. ///
/// /// Poly1305 is a low-level primitive. Consider using authenticated encryption, - /// implemented by . + /// implemented by . ///
/// /// - /// A 16-byte buffer. The authentication code. + /// A 16-byte buffer. The message authentication code. /// A 32-byte buffer. The secret authentication key. Use only once per message. Do not use the /// session key to authenticate messages. It should be wiped with /// after use. @@ -1983,1756 +1420,61 @@ public static unsafe void crypto_poly1305(Span mac, ReadOnlySpan mes } /// - /// - /// Poly1305 is a one-time message authentication code. “One-time” - /// means the authentication key can be used only once. - /// This makes Poly1305 easy to misuse. On the other - /// hand, Poly1305 is fast, and provably secure if used correctly. - ///
- /// - /// Poly1305 is a low-level primitive. Consider using authenticated encryption, - /// implemented by . - ///
- /// - /// - /// A 32-byte buffer. The secret authentication key. Use only once per message. Do not use the - /// session key to authenticate messages. It should be wiped with - /// after use. - /// See Monocypher manual for more details. - [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_poly1305_init(ref Monocypher.crypto_poly1305_ctx ctx, in Byte32 key); - - /// - /// - /// Poly1305 is a one-time message authentication code. “One-time” - /// means the authentication key can be used only once. - /// This makes Poly1305 easy to misuse. On the other - /// hand, Poly1305 is fast, and provably secure if used correctly. - ///
- /// - /// Poly1305 is a low-level primitive. Consider using authenticated encryption, - /// implemented by . - ///
- /// - /// - /// A 32-byte buffer. The secret authentication key. Use only once per message. Do not use the - /// session key to authenticate messages. It should be wiped with - /// after use. - /// See Monocypher manual for more details. - public static unsafe void crypto_poly1305_init(ref Monocypher.crypto_poly1305_ctx ctx, ReadOnlySpan key) - { - ExpectSize32(nameof(key), key.Length); - crypto_poly1305_init(ref ctx, in key.AsByte32()); - } - - /// - /// - /// Poly1305 is a one-time message authentication code. “One-time” - /// means the authentication key can be used only once. - /// This makes Poly1305 easy to misuse. On the other - /// hand, Poly1305 is fast, and provably secure if used correctly. - ///
- /// - /// Poly1305 is a low-level primitive. Consider using authenticated encryption, - /// implemented by . - ///
- /// - /// - /// The message to authenticate. May overlap with the - /// argument. - /// Length of , in bytes. - /// See Monocypher manual for more details. - [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_poly1305_update(ref Monocypher.crypto_poly1305_ctx ctx, IntPtr message, Monocypher.size_t message_size); - - /// - /// - /// Poly1305 is a one-time message authentication code. “One-time” - /// means the authentication key can be used only once. - /// This makes Poly1305 easy to misuse. On the other - /// hand, Poly1305 is fast, and provably secure if used correctly. - ///
- /// - /// Poly1305 is a low-level primitive. Consider using authenticated encryption, - /// implemented by . - ///
- /// - /// - /// The message to authenticate. May overlap with the - /// argument. - /// See Monocypher manual for more details. - public static unsafe void crypto_poly1305_update(ref Monocypher.crypto_poly1305_ctx ctx, ReadOnlySpan message) - { - fixed(void* message_ptr = message) - crypto_poly1305_update(ref ctx, new IntPtr(message_ptr), (Monocypher.size_t)message.Length); - } - - /// - /// - /// Poly1305 is a one-time message authentication code. “One-time” - /// means the authentication key can be used only once. - /// This makes Poly1305 easy to misuse. On the other - /// hand, Poly1305 is fast, and provably secure if used correctly. - ///
- /// - /// Poly1305 is a low-level primitive. Consider using authenticated encryption, - /// implemented by . - ///
- /// + /// Function crypto_poly1305_init /// - /// A 16-byte buffer. The authentication code. /// See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_poly1305_final(ref Monocypher.crypto_poly1305_ctx ctx, ref Byte16 mac); - - /// - /// - /// Poly1305 is a one-time message authentication code. “One-time” - /// means the authentication key can be used only once. - /// This makes Poly1305 easy to misuse. On the other - /// hand, Poly1305 is fast, and provably secure if used correctly. - ///
- /// - /// Poly1305 is a low-level primitive. Consider using authenticated encryption, - /// implemented by . - ///
- /// - /// - /// A 16-byte buffer. The authentication code. - /// See Monocypher manual for more details. - public static unsafe void crypto_poly1305_final(ref Monocypher.crypto_poly1305_ctx ctx, Span mac) - { - ExpectSize16(nameof(mac), mac.Length); - crypto_poly1305_final(ref ctx, ref mac.AsByte16()); - } - - /// - /// () computes a shared secret with - /// and - /// . It is a low-level - /// primitive. Use - /// unless you have a specific reason not to. - ///
- /// () is the same as - /// . It - /// deterministically computes the public key from a random secret key. - ///
- /// - /// - /// A 32-byte buffer. See Monocypher manual for more details. - /// A 32-byte buffer. See Monocypher manual for more details. - [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_x25519_public_key(ref Byte32 public_key, in Byte32 secret_key); - - /// - /// () computes a shared secret with - /// and - /// . It is a low-level - /// primitive. Use - /// unless you have a specific reason not to. - ///
- /// () is the same as - /// . It - /// deterministically computes the public key from a random secret key. - ///
- /// - /// - /// A 32-byte buffer. See Monocypher manual for more details. - /// A 32-byte buffer. See Monocypher manual for more details. - public static unsafe void crypto_x25519_public_key(Span public_key, ReadOnlySpan secret_key) - { - ExpectSize32(nameof(public_key), public_key.Length); - ExpectSize32(nameof(secret_key), secret_key.Length); - crypto_x25519_public_key(ref public_key.AsByte32(), in secret_key.AsByte32()); - } - - /// - /// () computes a shared secret with - /// and - /// . It is a low-level - /// primitive. Use - /// unless you have a specific reason not to. - ///
- /// () is the same as - /// . It - /// deterministically computes the public key from a random secret key. - ///
- /// - /// - /// A 32-byte buffer. The shared secret, known only to those who know a relevant secret key - /// (yours or theirs). It is not cryptographically random. Do not use it - /// directly as a key. Hash it with - /// or - /// first. - /// A 32-byte secret random number. See - /// intro(3monocypher) for advice about - /// generating random bytes (use the operating system's random number - /// generator). - /// A 32-byte buffer. The public key of the other party. - ///
- /// and - /// may overlap if your - /// secret is no longer required. - [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_x25519(ref Byte32 raw_shared_secret, in Byte32 your_secret_key, in Byte32 their_public_key); - - /// - /// () computes a shared secret with - /// and - /// . It is a low-level - /// primitive. Use - /// unless you have a specific reason not to. - ///
- /// () is the same as - /// . It - /// deterministically computes the public key from a random secret key. - ///
- /// - /// - /// A 32-byte buffer. The shared secret, known only to those who know a relevant secret key - /// (yours or theirs). It is not cryptographically random. Do not use it - /// directly as a key. Hash it with - /// or - /// first. - /// A 32-byte secret random number. See - /// intro(3monocypher) for advice about - /// generating random bytes (use the operating system's random number - /// generator). - /// A 32-byte buffer. The public key of the other party. - ///
- /// and - /// may overlap if your - /// secret is no longer required. - public static unsafe void crypto_x25519(Span raw_shared_secret, ReadOnlySpan your_secret_key, ReadOnlySpan their_public_key) - { - ExpectSize32(nameof(raw_shared_secret), raw_shared_secret.Length); - ExpectSize32(nameof(your_secret_key), your_secret_key.Length); - ExpectSize32(nameof(their_public_key), their_public_key.Length); - crypto_x25519(ref raw_shared_secret.AsByte32(), in your_secret_key.AsByte32(), in their_public_key.AsByte32()); - } - - /// - /// - /// These functions are used in public key generation for - /// . - /// This is a highly advanced feature; unless you are - /// reading this because you were referred here from - /// , - /// you likely have no reason to be using these - /// functions and are probably looking for - /// or - /// instead. Expect - /// elliptic curve jargon on this page. - ///
- /// - /// Both functions generate a Curve25519 public key - /// from the given secret key - /// ; the public keys are on the - /// whole curve, rather than just the main - /// prime-order subgroup. Both do the same with different code size and memory - /// characteristics: () - /// uses multiple large temporary variables and uses functions that are normally - /// used internally for ; - /// accordingly, it uses both more memory (for the temporary variables) and more - /// code size (unless the signing code is already compiled in elsewhere). - /// () yields the same - /// result, but does so using less code and memory at a large performance penalty - /// compared to (). - ///
- /// - /// The resulting public keys are to be used with - /// or - /// , which clear the - /// cofactor. - /// - /// - /// A 32-byte buffer. See Monocypher manual for more details. - /// A 32-byte buffer. See Monocypher manual for more details. - [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_x25519_dirty_small(ref Byte32 pk, in Byte32 sk); - - /// - /// - /// These functions are used in public key generation for - /// . - /// This is a highly advanced feature; unless you are - /// reading this because you were referred here from - /// , - /// you likely have no reason to be using these - /// functions and are probably looking for - /// or - /// instead. Expect - /// elliptic curve jargon on this page. - ///
- /// - /// Both functions generate a Curve25519 public key - /// from the given secret key - /// ; the public keys are on the - /// whole curve, rather than just the main - /// prime-order subgroup. Both do the same with different code size and memory - /// characteristics: () - /// uses multiple large temporary variables and uses functions that are normally - /// used internally for ; - /// accordingly, it uses both more memory (for the temporary variables) and more - /// code size (unless the signing code is already compiled in elsewhere). - /// () yields the same - /// result, but does so using less code and memory at a large performance penalty - /// compared to (). - ///
- /// - /// The resulting public keys are to be used with - /// or - /// , which clear the - /// cofactor. - /// - /// - /// A 32-byte buffer. See Monocypher manual for more details. - /// A 32-byte buffer. See Monocypher manual for more details. - public static unsafe void crypto_x25519_dirty_small(Span pk, ReadOnlySpan sk) - { - ExpectSize32(nameof(pk), pk.Length); - ExpectSize32(nameof(sk), sk.Length); - crypto_x25519_dirty_small(ref pk.AsByte32(), in sk.AsByte32()); - } - - /// - /// - /// These functions are used in public key generation for - /// . - /// This is a highly advanced feature; unless you are - /// reading this because you were referred here from - /// , - /// you likely have no reason to be using these - /// functions and are probably looking for - /// or - /// instead. Expect - /// elliptic curve jargon on this page. - ///
- /// - /// Both functions generate a Curve25519 public key - /// from the given secret key - /// ; the public keys are on the - /// whole curve, rather than just the main - /// prime-order subgroup. Both do the same with different code size and memory - /// characteristics: () - /// uses multiple large temporary variables and uses functions that are normally - /// used internally for ; - /// accordingly, it uses both more memory (for the temporary variables) and more - /// code size (unless the signing code is already compiled in elsewhere). - /// () yields the same - /// result, but does so using less code and memory at a large performance penalty - /// compared to (). - ///
- /// - /// The resulting public keys are to be used with - /// or - /// , which clear the - /// cofactor. - /// - /// - /// A 32-byte buffer. See Monocypher manual for more details. - /// A 32-byte buffer. See Monocypher manual for more details. - [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_x25519_dirty_fast(ref Byte32 pk, in Byte32 sk); - - /// - /// - /// These functions are used in public key generation for - /// . - /// This is a highly advanced feature; unless you are - /// reading this because you were referred here from - /// , - /// you likely have no reason to be using these - /// functions and are probably looking for - /// or - /// instead. Expect - /// elliptic curve jargon on this page. - ///
- /// - /// Both functions generate a Curve25519 public key - /// from the given secret key - /// ; the public keys are on the - /// whole curve, rather than just the main - /// prime-order subgroup. Both do the same with different code size and memory - /// characteristics: () - /// uses multiple large temporary variables and uses functions that are normally - /// used internally for ; - /// accordingly, it uses both more memory (for the temporary variables) and more - /// code size (unless the signing code is already compiled in elsewhere). - /// () yields the same - /// result, but does so using less code and memory at a large performance penalty - /// compared to (). - ///
- /// - /// The resulting public keys are to be used with - /// or - /// , which clear the - /// cofactor. - /// - /// - /// A 32-byte buffer. See Monocypher manual for more details. - /// A 32-byte buffer. See Monocypher manual for more details. - public static unsafe void crypto_x25519_dirty_fast(Span pk, ReadOnlySpan sk) - { - ExpectSize32(nameof(pk), pk.Length); - ExpectSize32(nameof(sk), sk.Length); - crypto_x25519_dirty_fast(ref pk.AsByte32(), in sk.AsByte32()); - } - - /// - /// - /// The () function performs - /// scalar multiplication of the multiplicative inverse of a scalar for X25519. - /// This is a highly advanced, specialized feature; - /// unless you are implementing a protocol that requires this specifically, - /// you likely have no reason to be using these - /// functions and are probably looking for - /// or - /// instead. Expect - /// elliptic curve jargon on this page. - ///
- /// - /// This function is used, for example, with exponential blinding in oblivious - /// pseudo-random functions (OPRFs). - /// - /// A 32-byte buffer. The output point. - /// A 32-byte buffer. The private key (scalar) to use. First, the value is clamped; then the - /// clamped value's multiplicative inverse (modulo the curve order) is - /// determined; the clamped value's multiplicative inverse then has its - /// cofactor cleared, and that final value is then used for scalar - /// multiplication. - /// A 32-byte buffer. The curve point on X25519 to multiply with the multiplicative inverse - /// (modulo the curve order) of - /// . - [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_x25519_inverse(ref Byte32 blind_salt, in Byte32 private_key, in Byte32 curve_point); - - /// - /// - /// The () function performs - /// scalar multiplication of the multiplicative inverse of a scalar for X25519. - /// This is a highly advanced, specialized feature; - /// unless you are implementing a protocol that requires this specifically, - /// you likely have no reason to be using these - /// functions and are probably looking for - /// or - /// instead. Expect - /// elliptic curve jargon on this page. - ///
- /// - /// This function is used, for example, with exponential blinding in oblivious - /// pseudo-random functions (OPRFs). - /// - /// A 32-byte buffer. The output point. - /// A 32-byte buffer. The private key (scalar) to use. First, the value is clamped; then the - /// clamped value's multiplicative inverse (modulo the curve order) is - /// determined; the clamped value's multiplicative inverse then has its - /// cofactor cleared, and that final value is then used for scalar - /// multiplication. - /// A 32-byte buffer. The curve point on X25519 to multiply with the multiplicative inverse - /// (modulo the curve order) of - /// . - public static unsafe void crypto_x25519_inverse(Span blind_salt, ReadOnlySpan private_key, ReadOnlySpan curve_point) - { - ExpectSize32(nameof(blind_salt), blind_salt.Length); - ExpectSize32(nameof(private_key), private_key.Length); - ExpectSize32(nameof(curve_point), curve_point.Length); - crypto_x25519_inverse(ref blind_salt.AsByte32(), in private_key.AsByte32(), in curve_point.AsByte32()); - } - - /// - /// - /// These functions convert keys for use with - /// (EdDSA with the BLAKE2b - /// hash function) to keys for use with - /// and - /// . This may be useful in - /// some resource-constrained contexts or when no other key is available (for - /// example, when retrieving SSH public keys from GitHub and reusing the SSH - /// public keys as X25519 public keys). - ///
- /// - /// The () function - /// converts an EdDSA (with BLAKE2b) private key to an X25519 private key. The - /// () function - /// converts an EdDSA public key to an X25519 public key. - ///
- /// - /// X25519 key pairs cannot be converted back to EdDSA key pairs. The conversion of - /// private keys is specific to EdDSA with BLAKE2b because of the way EdDSA works. - /// In particular, this means that the output of - /// () differs from - /// in the - /// optional code. However, the output of - /// () is identical to - /// . - ///
- /// - /// - /// A 32-byte buffer. The signing public key or private key to convert to a X25519 public key or - /// private key, respectively. - /// A 32-byte buffer. The converted private key or public key. - [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_from_eddsa_private(ref Byte32 x25519, in Byte32 eddsa); - - /// - /// - /// These functions convert keys for use with - /// (EdDSA with the BLAKE2b - /// hash function) to keys for use with - /// and - /// . This may be useful in - /// some resource-constrained contexts or when no other key is available (for - /// example, when retrieving SSH public keys from GitHub and reusing the SSH - /// public keys as X25519 public keys). - ///
- /// - /// The () function - /// converts an EdDSA (with BLAKE2b) private key to an X25519 private key. The - /// () function - /// converts an EdDSA public key to an X25519 public key. - ///
- /// - /// X25519 key pairs cannot be converted back to EdDSA key pairs. The conversion of - /// private keys is specific to EdDSA with BLAKE2b because of the way EdDSA works. - /// In particular, this means that the output of - /// () differs from - /// in the - /// optional code. However, the output of - /// () is identical to - /// . - ///
- /// - /// - /// A 32-byte buffer. The signing public key or private key to convert to a X25519 public key or - /// private key, respectively. - /// A 32-byte buffer. The converted private key or public key. - public static unsafe void crypto_from_eddsa_private(Span x25519, ReadOnlySpan eddsa) - { - ExpectSize32(nameof(x25519), x25519.Length); - ExpectSize32(nameof(eddsa), eddsa.Length); - crypto_from_eddsa_private(ref x25519.AsByte32(), in eddsa.AsByte32()); - } - - /// - /// - /// These functions convert keys for use with - /// (EdDSA with the BLAKE2b - /// hash function) to keys for use with - /// and - /// . This may be useful in - /// some resource-constrained contexts or when no other key is available (for - /// example, when retrieving SSH public keys from GitHub and reusing the SSH - /// public keys as X25519 public keys). - ///
- /// - /// The () function - /// converts an EdDSA (with BLAKE2b) private key to an X25519 private key. The - /// () function - /// converts an EdDSA public key to an X25519 public key. - ///
- /// - /// X25519 key pairs cannot be converted back to EdDSA key pairs. The conversion of - /// private keys is specific to EdDSA with BLAKE2b because of the way EdDSA works. - /// In particular, this means that the output of - /// () differs from - /// in the - /// optional code. However, the output of - /// () is identical to - /// . - ///
- /// - /// - /// A 32-byte buffer. The signing public key or private key to convert to a X25519 public key or - /// private key, respectively. - /// A 32-byte buffer. The converted private key or public key. - [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_from_eddsa_public(ref Byte32 x25519, in Byte32 eddsa); - - /// - /// - /// These functions convert keys for use with - /// (EdDSA with the BLAKE2b - /// hash function) to keys for use with - /// and - /// . This may be useful in - /// some resource-constrained contexts or when no other key is available (for - /// example, when retrieving SSH public keys from GitHub and reusing the SSH - /// public keys as X25519 public keys). - ///
- /// - /// The () function - /// converts an EdDSA (with BLAKE2b) private key to an X25519 private key. The - /// () function - /// converts an EdDSA public key to an X25519 public key. - ///
- /// - /// X25519 key pairs cannot be converted back to EdDSA key pairs. The conversion of - /// private keys is specific to EdDSA with BLAKE2b because of the way EdDSA works. - /// In particular, this means that the output of - /// () differs from - /// in the - /// optional code. However, the output of - /// () is identical to - /// . - ///
- /// - /// - /// A 32-byte buffer. The signing public key or private key to convert to a X25519 public key or - /// private key, respectively. - /// A 32-byte buffer. The converted private key or public key. - public static unsafe void crypto_from_eddsa_public(Span x25519, ReadOnlySpan eddsa) - { - ExpectSize32(nameof(x25519), x25519.Length); - ExpectSize32(nameof(eddsa), eddsa.Length); - crypto_from_eddsa_public(ref x25519.AsByte32(), in eddsa.AsByte32()); - } - - /// - /// - /// These functions are variants of - /// and - /// . Prefer those simpler - /// functions if possible. - ///
- /// - /// - /// See Monocypher manual for more details. - /// A 32-byte buffer. See Monocypher manual for more details. - /// A 32-byte buffer. See Monocypher manual for more details. - [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_sign_init_first_pass(ref Monocypher.crypto_sign_ctx_abstract ctx, in Byte32 secret_key, in Byte32 public_key); - - /// - /// - /// These functions are variants of - /// and - /// . Prefer those simpler - /// functions if possible. - ///
- /// - /// - /// See Monocypher manual for more details. - /// A 32-byte buffer. See Monocypher manual for more details. - /// A 32-byte buffer. See Monocypher manual for more details. - public static unsafe void crypto_sign_init_first_pass(ref Monocypher.crypto_sign_ctx_abstract ctx, ReadOnlySpan secret_key, ReadOnlySpan public_key) - { - ExpectSize32(nameof(secret_key), secret_key.Length); - ExpectSize32(nameof(public_key), public_key.Length); - crypto_sign_init_first_pass(ref ctx, in secret_key.AsByte32(), in public_key.AsByte32()); - } - - /// - /// - /// These functions are variants of - /// and - /// . Prefer those simpler - /// functions if possible. - ///
- /// - /// - /// See Monocypher manual for more details. - /// See Monocypher manual for more details. - /// See Monocypher manual for more details. - [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_sign_update(ref Monocypher.crypto_sign_ctx_abstract ctx, IntPtr message, Monocypher.size_t message_size); - - /// - /// - /// These functions are variants of - /// and - /// . Prefer those simpler - /// functions if possible. - ///
- /// - /// - /// See Monocypher manual for more details. - /// See Monocypher manual for more details. - public static unsafe void crypto_sign_update(ref Monocypher.crypto_sign_ctx_abstract ctx, ReadOnlySpan message) - { - fixed(void* message_ptr = message) - crypto_sign_update(ref ctx, new IntPtr(message_ptr), (Monocypher.size_t)message.Length); - } - - /// - /// - /// These functions are variants of - /// and - /// . Prefer those simpler - /// functions if possible. - ///
- /// - /// - [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_sign_init_second_pass(ref Monocypher.crypto_sign_ctx_abstract ctx); - - /// - /// - /// These functions are variants of - /// and - /// . Prefer those simpler - /// functions if possible. - ///
- /// - /// - /// See Monocypher manual for more details. - /// A 64-byte buffer. See Monocypher manual for more details. - [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_sign_final(ref Monocypher.crypto_sign_ctx_abstract ctx, ref Byte64 signature); - - /// - /// - /// These functions are variants of - /// and - /// . Prefer those simpler - /// functions if possible. - ///
- /// - /// - /// See Monocypher manual for more details. - /// A 64-byte buffer. See Monocypher manual for more details. - public static unsafe void crypto_sign_final(ref Monocypher.crypto_sign_ctx_abstract ctx, Span signature) - { - ExpectSize64(nameof(signature), signature.Length); - crypto_sign_final(ref ctx, ref signature.AsByte64()); - } - - /// - /// - /// These functions are variants of - /// and - /// . Prefer those simpler - /// functions if possible. - ///
- /// - /// - /// See Monocypher manual for more details. - /// A 64-byte buffer. See Monocypher manual for more details. - /// A 32-byte buffer. See Monocypher manual for more details. - [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_check_init(ref Monocypher.crypto_check_ctx_abstract ctx, in Byte64 signature, in Byte32 public_key); - - /// - /// - /// These functions are variants of - /// and - /// . Prefer those simpler - /// functions if possible. - ///
- /// - /// - /// See Monocypher manual for more details. - /// A 64-byte buffer. See Monocypher manual for more details. - /// A 32-byte buffer. See Monocypher manual for more details. - public static unsafe void crypto_check_init(ref Monocypher.crypto_check_ctx_abstract ctx, ReadOnlySpan signature, ReadOnlySpan public_key) - { - ExpectSize64(nameof(signature), signature.Length); - ExpectSize32(nameof(public_key), public_key.Length); - crypto_check_init(ref ctx, in signature.AsByte64(), in public_key.AsByte32()); - } - - /// - /// - /// These functions are variants of - /// and - /// . Prefer those simpler - /// functions if possible. - ///
- /// - /// - /// See Monocypher manual for more details. - /// See Monocypher manual for more details. - /// See Monocypher manual for more details. - [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_check_update(ref Monocypher.crypto_check_ctx_abstract ctx, IntPtr message, Monocypher.size_t message_size); - - /// - /// - /// These functions are variants of - /// and - /// . Prefer those simpler - /// functions if possible. - ///
- /// - /// - /// See Monocypher manual for more details. - /// See Monocypher manual for more details. - public static unsafe void crypto_check_update(ref Monocypher.crypto_check_ctx_abstract ctx, ReadOnlySpan message) - { - fixed(void* message_ptr = message) - crypto_check_update(ref ctx, new IntPtr(message_ptr), (Monocypher.size_t)message.Length); - } - - /// - /// - /// These functions are variants of - /// and - /// . Prefer those simpler - /// functions if possible. - ///
- /// - /// - [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern int crypto_check_final(ref Monocypher.crypto_check_ctx_abstract ctx); - - /// - /// - /// These functions are variants of the - /// family - /// of functions: They provide the ability to replace the EdDSA hash function with - /// any user-provided hash function. - ///
- /// This is a highly advanced feature. Interoperability - /// of public key signatures with other cryptographic libraries can normally be - /// achieved by using - /// or - /// - /// already. This interface is exposed only for completeness and to handle special - /// situations (e.g. to use the hash function of the future winner of the NIST - /// lightweight crypto competition on a device with highly constrained resources - /// or taking advantage of hardware support for cryptographic hash functions). - /// Whenever possible, these functions should be avoided. - ///
- /// - /// To make available a custom hash algorithm for use with these functions, a - /// crypto_sign_vtable structure must be - /// provided. It is defined as: - ///
- /// 
-        /// 
-        /// typedef struct { 
-        ///     void (*hash)(uint8_t hash[64], const uint8_t *message, 
-        ///                  size_t message_size); 
-        ///     void (*init  )(void *ctx); 
-        ///     void (*update)(void *ctx, const uint8_t *message, 
-        ///                    size_t message_size); 
-        ///     void (*final )(void *ctx, uint8_t hash[64]); 
-        ///     size_t ctx_size; 
-        /// } crypto_sign_vtable;
-        /// 
-        ///
- ///
- /// - /// The context argument to the functions shall be referred to as “outer - /// signing context”. The outer signing context must contain a - /// crypto_sign_ctx_abstract as - /// its first member. Other than that, the outer - /// signing context may be defined freely. Logically, it is required to contain - /// some kind of hash context as well, else it cannot work as a custom hash - /// function. - ///
- /// - /// Because the calling code cannot know the real type of the outer signing context, - /// it is cast to void * when calling the hash - /// functions in the vtable, but the argument - /// to the functions in the vtable is always guaranteed to be the outer signing - /// context. - ///
- /// - /// The hash functions must not fail. If they somehow can fail, they have no way to - /// propagate its error status, and thus the only ways to handle errors are to - /// either assume an error never occurs (if reasonable), or to induce a crash in - /// the code when an error occurs. - ///
- /// - /// The fields of crypto_sign_vtable are: - ///
- ///
- /// - ///
- ///
- /// Function that computes a 64-byte hash for a given message and writes the - /// computed hash to . The output length - /// must be exactly 64 bytes. This will normally - /// be constructed using the functions that provide the - /// , - /// and - /// members. - ///
- ///
- /// - ///
- ///
- /// Function that initialises the hash context of an outer signing - /// context. - ///
- ///
- /// - ///
- ///
- /// Function that updates the hash context of an outer signing context. It - /// must be able to handle message sizes of at least 32 bytes. - ///
- ///
- /// - ///
- ///
- /// Function that finalises the hash context of an outer signing context and - /// writes the computed hash to . The - /// output length must be exactly 64 bytes. This - /// function should wipe the hash context with - /// if it contains - /// pointers to objects outside the outer signing context. Monocypher takes - /// care of wiping the outer signing context. - ///
- ///
- /// - ///
- ///
- /// The size of the outer signing context as determined by - /// sizeof(). - ///
- /// - ///
- ///
- /// - /// The functions indicated in the - /// crypto_sign_vtable must be thread-safe if any - /// of Monocypher's signing functions are accessed from multiple threads. - ///
- /// - /// After calling - /// () - /// or (), the - /// , - /// , - /// , - /// , and - /// functions can be - /// used as usual. They will call into the hash vtable as required. The same - /// security considerations and semantics apply. - /// - /// - /// A 32-byte buffer. See Monocypher manual for more details. - /// A 32-byte buffer. See Monocypher manual for more details. - /// See Monocypher manual for more details. - [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_sign_public_key_custom_hash(ref Byte32 public_key, in Byte32 secret_key, in Monocypher.crypto_sign_vtable hash); - - /// - /// - /// These functions are variants of the - /// family - /// of functions: They provide the ability to replace the EdDSA hash function with - /// any user-provided hash function. - ///
- /// This is a highly advanced feature. Interoperability - /// of public key signatures with other cryptographic libraries can normally be - /// achieved by using - /// or - /// - /// already. This interface is exposed only for completeness and to handle special - /// situations (e.g. to use the hash function of the future winner of the NIST - /// lightweight crypto competition on a device with highly constrained resources - /// or taking advantage of hardware support for cryptographic hash functions). - /// Whenever possible, these functions should be avoided. - ///
- /// - /// To make available a custom hash algorithm for use with these functions, a - /// crypto_sign_vtable structure must be - /// provided. It is defined as: - ///
- /// 
-        /// 
-        /// typedef struct { 
-        ///     void (*hash)(uint8_t hash[64], const uint8_t *message, 
-        ///                  size_t message_size); 
-        ///     void (*init  )(void *ctx); 
-        ///     void (*update)(void *ctx, const uint8_t *message, 
-        ///                    size_t message_size); 
-        ///     void (*final )(void *ctx, uint8_t hash[64]); 
-        ///     size_t ctx_size; 
-        /// } crypto_sign_vtable;
-        /// 
-        ///
- ///
- /// - /// The context argument to the functions shall be referred to as “outer - /// signing context”. The outer signing context must contain a - /// crypto_sign_ctx_abstract as - /// its first member. Other than that, the outer - /// signing context may be defined freely. Logically, it is required to contain - /// some kind of hash context as well, else it cannot work as a custom hash - /// function. - ///
- /// - /// Because the calling code cannot know the real type of the outer signing context, - /// it is cast to void * when calling the hash - /// functions in the vtable, but the argument - /// to the functions in the vtable is always guaranteed to be the outer signing - /// context. - ///
- /// - /// The hash functions must not fail. If they somehow can fail, they have no way to - /// propagate its error status, and thus the only ways to handle errors are to - /// either assume an error never occurs (if reasonable), or to induce a crash in - /// the code when an error occurs. - ///
- /// - /// The fields of crypto_sign_vtable are: - ///
- ///
- /// - ///
- ///
- /// Function that computes a 64-byte hash for a given message and writes the - /// computed hash to . The output length - /// must be exactly 64 bytes. This will normally - /// be constructed using the functions that provide the - /// , - /// and - /// members. - ///
- ///
- /// - ///
- ///
- /// Function that initialises the hash context of an outer signing - /// context. - ///
- ///
- /// - ///
- ///
- /// Function that updates the hash context of an outer signing context. It - /// must be able to handle message sizes of at least 32 bytes. - ///
- ///
- /// - ///
- ///
- /// Function that finalises the hash context of an outer signing context and - /// writes the computed hash to . The - /// output length must be exactly 64 bytes. This - /// function should wipe the hash context with - /// if it contains - /// pointers to objects outside the outer signing context. Monocypher takes - /// care of wiping the outer signing context. - ///
- ///
- /// - ///
- ///
- /// The size of the outer signing context as determined by - /// sizeof(). - ///
- /// - ///
- ///
- /// - /// The functions indicated in the - /// crypto_sign_vtable must be thread-safe if any - /// of Monocypher's signing functions are accessed from multiple threads. - ///
- /// - /// After calling - /// () - /// or (), the - /// , - /// , - /// , - /// , and - /// functions can be - /// used as usual. They will call into the hash vtable as required. The same - /// security considerations and semantics apply. - /// - /// - /// A 32-byte buffer. See Monocypher manual for more details. - /// A 32-byte buffer. See Monocypher manual for more details. - /// See Monocypher manual for more details. - public static unsafe void crypto_sign_public_key_custom_hash(Span public_key, ReadOnlySpan secret_key, in Monocypher.crypto_sign_vtable hash) - { - ExpectSize32(nameof(public_key), public_key.Length); - ExpectSize32(nameof(secret_key), secret_key.Length); - crypto_sign_public_key_custom_hash(ref public_key.AsByte32(), in secret_key.AsByte32(), in hash); - } - - /// - /// - /// These functions are variants of the - /// family - /// of functions: They provide the ability to replace the EdDSA hash function with - /// any user-provided hash function. - ///
- /// This is a highly advanced feature. Interoperability - /// of public key signatures with other cryptographic libraries can normally be - /// achieved by using - /// or - /// - /// already. This interface is exposed only for completeness and to handle special - /// situations (e.g. to use the hash function of the future winner of the NIST - /// lightweight crypto competition on a device with highly constrained resources - /// or taking advantage of hardware support for cryptographic hash functions). - /// Whenever possible, these functions should be avoided. - ///
- /// - /// To make available a custom hash algorithm for use with these functions, a - /// crypto_sign_vtable structure must be - /// provided. It is defined as: - ///
- /// 
-        /// 
-        /// typedef struct { 
-        ///     void (*hash)(uint8_t hash[64], const uint8_t *message, 
-        ///                  size_t message_size); 
-        ///     void (*init  )(void *ctx); 
-        ///     void (*update)(void *ctx, const uint8_t *message, 
-        ///                    size_t message_size); 
-        ///     void (*final )(void *ctx, uint8_t hash[64]); 
-        ///     size_t ctx_size; 
-        /// } crypto_sign_vtable;
-        /// 
-        ///
- ///
- /// - /// The context argument to the functions shall be referred to as “outer - /// signing context”. The outer signing context must contain a - /// crypto_sign_ctx_abstract as - /// its first member. Other than that, the outer - /// signing context may be defined freely. Logically, it is required to contain - /// some kind of hash context as well, else it cannot work as a custom hash - /// function. - ///
- /// - /// Because the calling code cannot know the real type of the outer signing context, - /// it is cast to void * when calling the hash - /// functions in the vtable, but the argument - /// to the functions in the vtable is always guaranteed to be the outer signing - /// context. - ///
- /// - /// The hash functions must not fail. If they somehow can fail, they have no way to - /// propagate its error status, and thus the only ways to handle errors are to - /// either assume an error never occurs (if reasonable), or to induce a crash in - /// the code when an error occurs. - ///
- /// - /// The fields of crypto_sign_vtable are: - ///
- ///
- /// - ///
- ///
- /// Function that computes a 64-byte hash for a given message and writes the - /// computed hash to . The output length - /// must be exactly 64 bytes. This will normally - /// be constructed using the functions that provide the - /// , - /// and - /// members. - ///
- ///
- /// - ///
- ///
- /// Function that initialises the hash context of an outer signing - /// context. - ///
- ///
- /// - ///
- ///
- /// Function that updates the hash context of an outer signing context. It - /// must be able to handle message sizes of at least 32 bytes. - ///
- ///
- /// - ///
- ///
- /// Function that finalises the hash context of an outer signing context and - /// writes the computed hash to . The - /// output length must be exactly 64 bytes. This - /// function should wipe the hash context with - /// if it contains - /// pointers to objects outside the outer signing context. Monocypher takes - /// care of wiping the outer signing context. - ///
- ///
- /// - ///
- ///
- /// The size of the outer signing context as determined by - /// sizeof(). - ///
- /// - ///
- ///
- /// - /// The functions indicated in the - /// crypto_sign_vtable must be thread-safe if any - /// of Monocypher's signing functions are accessed from multiple threads. - ///
- /// - /// After calling - /// () - /// or (), the - /// , - /// , - /// , - /// , and - /// functions can be - /// used as usual. They will call into the hash vtable as required. The same - /// security considerations and semantics apply. - /// - /// - /// See Monocypher manual for more details. - /// A 32-byte buffer. See Monocypher manual for more details. - /// A 32-byte buffer. See Monocypher manual for more details. - /// See Monocypher manual for more details. - [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_sign_init_first_pass_custom_hash(ref Monocypher.crypto_sign_ctx_abstract ctx, in Byte32 secret_key, in Byte32 public_key, in Monocypher.crypto_sign_vtable hash); - - /// - /// - /// These functions are variants of the - /// family - /// of functions: They provide the ability to replace the EdDSA hash function with - /// any user-provided hash function. - ///
- /// This is a highly advanced feature. Interoperability - /// of public key signatures with other cryptographic libraries can normally be - /// achieved by using - /// or - /// - /// already. This interface is exposed only for completeness and to handle special - /// situations (e.g. to use the hash function of the future winner of the NIST - /// lightweight crypto competition on a device with highly constrained resources - /// or taking advantage of hardware support for cryptographic hash functions). - /// Whenever possible, these functions should be avoided. - ///
- /// - /// To make available a custom hash algorithm for use with these functions, a - /// crypto_sign_vtable structure must be - /// provided. It is defined as: - ///
- /// 
-        /// 
-        /// typedef struct { 
-        ///     void (*hash)(uint8_t hash[64], const uint8_t *message, 
-        ///                  size_t message_size); 
-        ///     void (*init  )(void *ctx); 
-        ///     void (*update)(void *ctx, const uint8_t *message, 
-        ///                    size_t message_size); 
-        ///     void (*final )(void *ctx, uint8_t hash[64]); 
-        ///     size_t ctx_size; 
-        /// } crypto_sign_vtable;
-        /// 
-        ///
- ///
- /// - /// The context argument to the functions shall be referred to as “outer - /// signing context”. The outer signing context must contain a - /// crypto_sign_ctx_abstract as - /// its first member. Other than that, the outer - /// signing context may be defined freely. Logically, it is required to contain - /// some kind of hash context as well, else it cannot work as a custom hash - /// function. - ///
- /// - /// Because the calling code cannot know the real type of the outer signing context, - /// it is cast to void * when calling the hash - /// functions in the vtable, but the argument - /// to the functions in the vtable is always guaranteed to be the outer signing - /// context. - ///
- /// - /// The hash functions must not fail. If they somehow can fail, they have no way to - /// propagate its error status, and thus the only ways to handle errors are to - /// either assume an error never occurs (if reasonable), or to induce a crash in - /// the code when an error occurs. - ///
- /// - /// The fields of crypto_sign_vtable are: - ///
- ///
- /// - ///
- ///
- /// Function that computes a 64-byte hash for a given message and writes the - /// computed hash to . The output length - /// must be exactly 64 bytes. This will normally - /// be constructed using the functions that provide the - /// , - /// and - /// members. - ///
- ///
- /// - ///
- ///
- /// Function that initialises the hash context of an outer signing - /// context. - ///
- ///
- /// - ///
- ///
- /// Function that updates the hash context of an outer signing context. It - /// must be able to handle message sizes of at least 32 bytes. - ///
- ///
- /// - ///
- ///
- /// Function that finalises the hash context of an outer signing context and - /// writes the computed hash to . The - /// output length must be exactly 64 bytes. This - /// function should wipe the hash context with - /// if it contains - /// pointers to objects outside the outer signing context. Monocypher takes - /// care of wiping the outer signing context. - ///
- ///
- /// - ///
- ///
- /// The size of the outer signing context as determined by - /// sizeof(). - ///
- /// - ///
- ///
- /// - /// The functions indicated in the - /// crypto_sign_vtable must be thread-safe if any - /// of Monocypher's signing functions are accessed from multiple threads. - ///
- /// - /// After calling - /// () - /// or (), the - /// , - /// , - /// , - /// , and - /// functions can be - /// used as usual. They will call into the hash vtable as required. The same - /// security considerations and semantics apply. - /// + public static extern void crypto_poly1305_init(ref Monocypher.crypto_poly1305_ctx ctx, in Byte32 key); + + /// + /// Function crypto_poly1305_init /// /// See Monocypher manual for more details. - /// A 32-byte buffer. See Monocypher manual for more details. - /// A 32-byte buffer. See Monocypher manual for more details. - /// See Monocypher manual for more details. - public static unsafe void crypto_sign_init_first_pass_custom_hash(ref Monocypher.crypto_sign_ctx_abstract ctx, ReadOnlySpan secret_key, ReadOnlySpan public_key, in Monocypher.crypto_sign_vtable hash) + /// A 32-byte buffer. See Monocypher manual for more details. + public static unsafe void crypto_poly1305_init(ref Monocypher.crypto_poly1305_ctx ctx, ReadOnlySpan key) { - ExpectSize32(nameof(secret_key), secret_key.Length); - ExpectSize32(nameof(public_key), public_key.Length); - crypto_sign_init_first_pass_custom_hash(ref ctx, in secret_key.AsByte32(), in public_key.AsByte32(), in hash); + ExpectSize32(nameof(key), key.Length); + crypto_poly1305_init(ref ctx, in key.AsByte32()); } /// - /// - /// These functions are variants of the - /// family - /// of functions: They provide the ability to replace the EdDSA hash function with - /// any user-provided hash function. - ///
- /// This is a highly advanced feature. Interoperability - /// of public key signatures with other cryptographic libraries can normally be - /// achieved by using - /// or - /// - /// already. This interface is exposed only for completeness and to handle special - /// situations (e.g. to use the hash function of the future winner of the NIST - /// lightweight crypto competition on a device with highly constrained resources - /// or taking advantage of hardware support for cryptographic hash functions). - /// Whenever possible, these functions should be avoided. - ///
- /// - /// To make available a custom hash algorithm for use with these functions, a - /// crypto_sign_vtable structure must be - /// provided. It is defined as: - ///
- /// 
-        /// 
-        /// typedef struct { 
-        ///     void (*hash)(uint8_t hash[64], const uint8_t *message, 
-        ///                  size_t message_size); 
-        ///     void (*init  )(void *ctx); 
-        ///     void (*update)(void *ctx, const uint8_t *message, 
-        ///                    size_t message_size); 
-        ///     void (*final )(void *ctx, uint8_t hash[64]); 
-        ///     size_t ctx_size; 
-        /// } crypto_sign_vtable;
-        /// 
-        ///
- ///
- /// - /// The context argument to the functions shall be referred to as “outer - /// signing context”. The outer signing context must contain a - /// crypto_sign_ctx_abstract as - /// its first member. Other than that, the outer - /// signing context may be defined freely. Logically, it is required to contain - /// some kind of hash context as well, else it cannot work as a custom hash - /// function. - ///
- /// - /// Because the calling code cannot know the real type of the outer signing context, - /// it is cast to void * when calling the hash - /// functions in the vtable, but the argument - /// to the functions in the vtable is always guaranteed to be the outer signing - /// context. - ///
- /// - /// The hash functions must not fail. If they somehow can fail, they have no way to - /// propagate its error status, and thus the only ways to handle errors are to - /// either assume an error never occurs (if reasonable), or to induce a crash in - /// the code when an error occurs. - ///
- /// - /// The fields of crypto_sign_vtable are: - ///
- ///
- /// - ///
- ///
- /// Function that computes a 64-byte hash for a given message and writes the - /// computed hash to . The output length - /// must be exactly 64 bytes. This will normally - /// be constructed using the functions that provide the - /// , - /// and - /// members. - ///
- ///
- /// - ///
- ///
- /// Function that initialises the hash context of an outer signing - /// context. - ///
- ///
- /// - ///
- ///
- /// Function that updates the hash context of an outer signing context. It - /// must be able to handle message sizes of at least 32 bytes. - ///
- ///
- /// - ///
- ///
- /// Function that finalises the hash context of an outer signing context and - /// writes the computed hash to . The - /// output length must be exactly 64 bytes. This - /// function should wipe the hash context with - /// if it contains - /// pointers to objects outside the outer signing context. Monocypher takes - /// care of wiping the outer signing context. - ///
- ///
- /// - ///
- ///
- /// The size of the outer signing context as determined by - /// sizeof(). - ///
- /// - ///
- ///
- /// - /// The functions indicated in the - /// crypto_sign_vtable must be thread-safe if any - /// of Monocypher's signing functions are accessed from multiple threads. - ///
- /// - /// After calling - /// () - /// or (), the - /// , - /// , - /// , - /// , and - /// functions can be - /// used as usual. They will call into the hash vtable as required. The same - /// security considerations and semantics apply. - /// + /// Function crypto_poly1305_update /// /// See Monocypher manual for more details. - /// A 64-byte buffer. See Monocypher manual for more details. - /// A 32-byte buffer. See Monocypher manual for more details. - /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_check_init_custom_hash(ref Monocypher.crypto_check_ctx_abstract ctx, in Byte64 signature, in Byte32 public_key, in Monocypher.crypto_sign_vtable hash); + public static extern void crypto_poly1305_update(ref Monocypher.crypto_poly1305_ctx ctx, IntPtr message, Monocypher.size_t message_size); /// - /// - /// These functions are variants of the - /// family - /// of functions: They provide the ability to replace the EdDSA hash function with - /// any user-provided hash function. - ///
- /// This is a highly advanced feature. Interoperability - /// of public key signatures with other cryptographic libraries can normally be - /// achieved by using - /// or - /// - /// already. This interface is exposed only for completeness and to handle special - /// situations (e.g. to use the hash function of the future winner of the NIST - /// lightweight crypto competition on a device with highly constrained resources - /// or taking advantage of hardware support for cryptographic hash functions). - /// Whenever possible, these functions should be avoided. - ///
- /// - /// To make available a custom hash algorithm for use with these functions, a - /// crypto_sign_vtable structure must be - /// provided. It is defined as: - ///
- /// 
-        /// 
-        /// typedef struct { 
-        ///     void (*hash)(uint8_t hash[64], const uint8_t *message, 
-        ///                  size_t message_size); 
-        ///     void (*init  )(void *ctx); 
-        ///     void (*update)(void *ctx, const uint8_t *message, 
-        ///                    size_t message_size); 
-        ///     void (*final )(void *ctx, uint8_t hash[64]); 
-        ///     size_t ctx_size; 
-        /// } crypto_sign_vtable;
-        /// 
-        ///
- ///
- /// - /// The context argument to the functions shall be referred to as “outer - /// signing context”. The outer signing context must contain a - /// crypto_sign_ctx_abstract as - /// its first member. Other than that, the outer - /// signing context may be defined freely. Logically, it is required to contain - /// some kind of hash context as well, else it cannot work as a custom hash - /// function. - ///
- /// - /// Because the calling code cannot know the real type of the outer signing context, - /// it is cast to void * when calling the hash - /// functions in the vtable, but the argument - /// to the functions in the vtable is always guaranteed to be the outer signing - /// context. - ///
- /// - /// The hash functions must not fail. If they somehow can fail, they have no way to - /// propagate its error status, and thus the only ways to handle errors are to - /// either assume an error never occurs (if reasonable), or to induce a crash in - /// the code when an error occurs. - ///
- /// - /// The fields of crypto_sign_vtable are: - ///
- ///
- /// - ///
- ///
- /// Function that computes a 64-byte hash for a given message and writes the - /// computed hash to . The output length - /// must be exactly 64 bytes. This will normally - /// be constructed using the functions that provide the - /// , - /// and - /// members. - ///
- ///
- /// - ///
- ///
- /// Function that initialises the hash context of an outer signing - /// context. - ///
- ///
- /// - ///
- ///
- /// Function that updates the hash context of an outer signing context. It - /// must be able to handle message sizes of at least 32 bytes. - ///
- ///
- /// - ///
- ///
- /// Function that finalises the hash context of an outer signing context and - /// writes the computed hash to . The - /// output length must be exactly 64 bytes. This - /// function should wipe the hash context with - /// if it contains - /// pointers to objects outside the outer signing context. Monocypher takes - /// care of wiping the outer signing context. - ///
- ///
- /// - ///
- ///
- /// The size of the outer signing context as determined by - /// sizeof(). - ///
- /// - ///
- ///
- /// - /// The functions indicated in the - /// crypto_sign_vtable must be thread-safe if any - /// of Monocypher's signing functions are accessed from multiple threads. - ///
- /// - /// After calling - /// () - /// or (), the - /// , - /// , - /// , - /// , and - /// functions can be - /// used as usual. They will call into the hash vtable as required. The same - /// security considerations and semantics apply. - /// + /// Function crypto_poly1305_update /// /// See Monocypher manual for more details. - /// A 64-byte buffer. See Monocypher manual for more details. - /// A 32-byte buffer. See Monocypher manual for more details. - /// See Monocypher manual for more details. - public static unsafe void crypto_check_init_custom_hash(ref Monocypher.crypto_check_ctx_abstract ctx, ReadOnlySpan signature, ReadOnlySpan public_key, in Monocypher.crypto_sign_vtable hash) + /// See Monocypher manual for more details. + public static unsafe void crypto_poly1305_update(ref Monocypher.crypto_poly1305_ctx ctx, ReadOnlySpan message) { - ExpectSize64(nameof(signature), signature.Length); - ExpectSize32(nameof(public_key), public_key.Length); - crypto_check_init_custom_hash(ref ctx, in signature.AsByte64(), in public_key.AsByte32(), in hash); + fixed(void* message_ptr = message) + crypto_poly1305_update(ref ctx, new IntPtr(message_ptr), (Monocypher.size_t)message.Length); } /// - /// - /// These functions allow obfuscating X25519 public keys by making them appear - /// effectively indistinguishable from random noise. This is of interest for key - /// exchange protocols that require indistinguishability from randomness, such as - /// padded uniform random blobs (PURBs). They are intended for ephemeral - /// (short-lived, possibly just one-time) X25519 keys, not for long-term public - /// keys. After an initial key exchange involving hidden keys, subsequent key - /// exchange messages should be encrypted instead; see, for example, the Noise - /// protocol. This is an advanced feature – - /// unless you are implementing an protocol that requires indistinguishability of - /// all communications from random noise, consider - /// - /// instead. - ///
- /// - /// For understanding what these functions do, it is important to note that a - /// “public key” in this context refers to a - /// point on Curve25519. This also means that these - /// functions are not compatible with - /// and related functions. - ///
- /// () takes a public key - /// and a - /// , hiding the public key it so that it is - /// effectively indistinguishable from random noise. Note that only - /// or - /// can - /// generate a suitable public key; the - /// function is - /// insufficient. The must be chosen at - /// random. Even then, this operation may fail: Not - /// all curve points are capable of being hidden. In this case, - /// () must be tried - /// again with a new key pair; the does not - /// need to be changed. On average, two attempts are needed. Once a suitable - /// public key has been found, - /// () always succeeds - /// for it. Given the same values for and - /// , - /// () yields the same - /// output value . - ///
- /// () performs the inverse - /// operation: It decodes a hidden point to a curve point on Curve25519. - ///
- /// () is a convenience - /// function that generates a secret key and its corresponding public key, which - /// is effectively indistinguishable from random noise, from a random seed. - /// The execution time of this function is - /// unpredictable because it may take many failures until a key pair could be - /// generated successfully. - /// () uses - /// internally; - /// if code size is an important concern, its functionality can be replicated with - /// instead. - ///
- /// + /// Function crypto_poly1305_final /// - /// A 32-byte buffer. A point on the curve, which is a Curve25519 public key generated with - /// either - /// or - /// . - /// A 32-byte buffer. The hidden encoding of a point on the curve which is effectively - /// indistinguishable from random. + /// See Monocypher manual for more details. + /// A 16-byte buffer. See Monocypher manual for more details. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_hidden_to_curve(ref Byte32 curve, in Byte32 hidden); + public static extern void crypto_poly1305_final(ref Monocypher.crypto_poly1305_ctx ctx, ref Byte16 mac); /// - /// - /// These functions allow obfuscating X25519 public keys by making them appear - /// effectively indistinguishable from random noise. This is of interest for key - /// exchange protocols that require indistinguishability from randomness, such as - /// padded uniform random blobs (PURBs). They are intended for ephemeral - /// (short-lived, possibly just one-time) X25519 keys, not for long-term public - /// keys. After an initial key exchange involving hidden keys, subsequent key - /// exchange messages should be encrypted instead; see, for example, the Noise - /// protocol. This is an advanced feature – - /// unless you are implementing an protocol that requires indistinguishability of - /// all communications from random noise, consider - /// - /// instead. - ///
- /// - /// For understanding what these functions do, it is important to note that a - /// “public key” in this context refers to a - /// point on Curve25519. This also means that these - /// functions are not compatible with - /// and related functions. - ///
- /// () takes a public key - /// and a - /// , hiding the public key it so that it is - /// effectively indistinguishable from random noise. Note that only - /// or - /// can - /// generate a suitable public key; the - /// function is - /// insufficient. The must be chosen at - /// random. Even then, this operation may fail: Not - /// all curve points are capable of being hidden. In this case, - /// () must be tried - /// again with a new key pair; the does not - /// need to be changed. On average, two attempts are needed. Once a suitable - /// public key has been found, - /// () always succeeds - /// for it. Given the same values for and - /// , - /// () yields the same - /// output value . - ///
- /// () performs the inverse - /// operation: It decodes a hidden point to a curve point on Curve25519. - ///
- /// () is a convenience - /// function that generates a secret key and its corresponding public key, which - /// is effectively indistinguishable from random noise, from a random seed. - /// The execution time of this function is - /// unpredictable because it may take many failures until a key pair could be - /// generated successfully. - /// () uses - /// internally; - /// if code size is an important concern, its functionality can be replicated with - /// instead. - ///
- /// + /// Function crypto_poly1305_final /// - /// A 32-byte buffer. A point on the curve, which is a Curve25519 public key generated with - /// either - /// or - /// . - /// A 32-byte buffer. The hidden encoding of a point on the curve which is effectively - /// indistinguishable from random. - public static unsafe void crypto_hidden_to_curve(Span curve, ReadOnlySpan hidden) + /// See Monocypher manual for more details. + /// A 16-byte buffer. See Monocypher manual for more details. + public static unsafe void crypto_poly1305_final(ref Monocypher.crypto_poly1305_ctx ctx, Span mac) { - ExpectSize32(nameof(curve), curve.Length); - ExpectSize32(nameof(hidden), hidden.Length); - crypto_hidden_to_curve(ref curve.AsByte32(), in hidden.AsByte32()); + ExpectSize16(nameof(mac), mac.Length); + crypto_poly1305_final(ref ctx, ref mac.AsByte16()); } /// @@ -3744,66 +1486,67 @@ public static unsafe void crypto_hidden_to_curve(Span curve, ReadOnlySpan< /// (short-lived, possibly just one-time) X25519 keys, not for long-term public /// keys. After an initial key exchange involving hidden keys, subsequent key /// exchange messages should be encrypted instead; see, for example, the Noise - /// protocol. This is an advanced feature – - /// unless you are implementing an protocol that requires indistinguishability of + /// Protocol Framework. This is an advanced feature. + /// Unless you are implementing an protocol that requires indistinguishability of /// all communications from random noise, consider - /// - /// instead. + /// instead. Both this + /// family of functions and + /// should be used as a + /// building block to implement a key exchange protocol. ///
/// /// For understanding what these functions do, it is important to note that a /// “public key” in this context refers to a /// point on Curve25519. This also means that these /// functions are not compatible with - /// and related functions. + /// and related + /// functions. ///
- /// () takes a public key + /// () takes a public key /// and a - /// , hiding the public key it so that it is + /// , hiding the public key so that it is /// effectively indistinguishable from random noise. Note that only /// or /// can /// generate a suitable public key; the /// function is /// insufficient. The must be chosen at - /// random. Even then, this operation may fail: Not - /// all curve points are capable of being hidden. In this case, - /// () must be tried - /// again with a new key pair; the does not + /// random. Even then, this operation may fail + /// because not all curve points are capable of being hidden. In this case, + /// () must be tried again + /// with a new key pair, though does not /// need to be changed. On average, two attempts are needed. Once a suitable /// public key has been found, - /// () always succeeds - /// for it. Given the same values for and + /// () always succeeds for + /// it. Given the same values for and /// , - /// () yields the same + /// () yields the same /// output value . ///
- /// () performs the inverse + /// () performs the inverse /// operation: It decodes a hidden point to a curve point on Curve25519. ///
- /// () is a convenience + /// () is a convenience /// function that generates a secret key and its corresponding public key, which /// is effectively indistinguishable from random noise, from a random seed. /// The execution time of this function is /// unpredictable because it may take many failures until a key pair could be /// generated successfully. - /// () uses + /// () uses /// internally; /// if code size is an important concern, its functionality can be replicated with /// instead. ///
/// /// - /// A 32-byte buffer. A point on the curve, which is a Curve25519 public key generated with + /// A 32-byte buffer. A point on the curve which is a Curve25519 public key generated with /// either /// or /// . /// A 32-byte buffer. The hidden encoding of a point on the curve which is effectively /// indistinguishable from random. - /// A 1-byte random number, which influences the final output of - /// (). [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern int crypto_curve_to_hidden(ref Byte32 hidden, in Byte32 curve, byte tweak); + public static extern void crypto_elligator_map(ref Byte32 curve, in Byte32 hidden); /// /// @@ -3814,310 +1557,137 @@ public static unsafe void crypto_hidden_to_curve(Span curve, ReadOnlySpan< /// (short-lived, possibly just one-time) X25519 keys, not for long-term public /// keys. After an initial key exchange involving hidden keys, subsequent key /// exchange messages should be encrypted instead; see, for example, the Noise - /// protocol. This is an advanced feature – - /// unless you are implementing an protocol that requires indistinguishability of + /// Protocol Framework. This is an advanced feature. + /// Unless you are implementing an protocol that requires indistinguishability of /// all communications from random noise, consider - /// - /// instead. + /// instead. Both this + /// family of functions and + /// should be used as a + /// building block to implement a key exchange protocol. ///
/// /// For understanding what these functions do, it is important to note that a /// “public key” in this context refers to a /// point on Curve25519. This also means that these /// functions are not compatible with - /// and related functions. + /// and related + /// functions. ///
- /// () takes a public key + /// () takes a public key /// and a - /// , hiding the public key it so that it is + /// , hiding the public key so that it is /// effectively indistinguishable from random noise. Note that only /// or /// can /// generate a suitable public key; the /// function is /// insufficient. The must be chosen at - /// random. Even then, this operation may fail: Not - /// all curve points are capable of being hidden. In this case, - /// () must be tried - /// again with a new key pair; the does not + /// random. Even then, this operation may fail + /// because not all curve points are capable of being hidden. In this case, + /// () must be tried again + /// with a new key pair, though does not /// need to be changed. On average, two attempts are needed. Once a suitable /// public key has been found, - /// () always succeeds - /// for it. Given the same values for and + /// () always succeeds for + /// it. Given the same values for and /// , - /// () yields the same + /// () yields the same /// output value . ///
- /// () performs the inverse + /// () performs the inverse /// operation: It decodes a hidden point to a curve point on Curve25519. ///
- /// () is a convenience + /// () is a convenience /// function that generates a secret key and its corresponding public key, which /// is effectively indistinguishable from random noise, from a random seed. /// The execution time of this function is /// unpredictable because it may take many failures until a key pair could be /// generated successfully. - /// () uses + /// () uses /// internally; /// if code size is an important concern, its functionality can be replicated with /// instead. ///
/// /// - /// A 32-byte buffer. A point on the curve, which is a Curve25519 public key generated with + /// A 32-byte buffer. A point on the curve which is a Curve25519 public key generated with /// either /// or /// . /// A 32-byte buffer. The hidden encoding of a point on the curve which is effectively /// indistinguishable from random. - /// A 1-byte random number, which influences the final output of - /// (). - public static unsafe int crypto_curve_to_hidden(Span hidden, ReadOnlySpan curve, byte tweak) + public static unsafe void crypto_elligator_map(Span curve, ReadOnlySpan hidden) { - ExpectSize32(nameof(hidden), hidden.Length); ExpectSize32(nameof(curve), curve.Length); - return crypto_curve_to_hidden(ref hidden.AsByte32(), in curve.AsByte32(), tweak); + ExpectSize32(nameof(hidden), hidden.Length); + crypto_elligator_map(ref curve.AsByte32(), in hidden.AsByte32()); } /// - /// - /// These functions allow obfuscating X25519 public keys by making them appear - /// effectively indistinguishable from random noise. This is of interest for key - /// exchange protocols that require indistinguishability from randomness, such as - /// padded uniform random blobs (PURBs). They are intended for ephemeral - /// (short-lived, possibly just one-time) X25519 keys, not for long-term public - /// keys. After an initial key exchange involving hidden keys, subsequent key - /// exchange messages should be encrypted instead; see, for example, the Noise - /// protocol. This is an advanced feature – - /// unless you are implementing an protocol that requires indistinguishability of - /// all communications from random noise, consider - /// - /// instead. - ///
- /// - /// For understanding what these functions do, it is important to note that a - /// “public key” in this context refers to a - /// point on Curve25519. This also means that these - /// functions are not compatible with - /// and related functions. - ///
- /// () takes a public key - /// and a - /// , hiding the public key it so that it is - /// effectively indistinguishable from random noise. Note that only - /// or - /// can - /// generate a suitable public key; the - /// function is - /// insufficient. The must be chosen at - /// random. Even then, this operation may fail: Not - /// all curve points are capable of being hidden. In this case, - /// () must be tried - /// again with a new key pair; the does not - /// need to be changed. On average, two attempts are needed. Once a suitable - /// public key has been found, - /// () always succeeds - /// for it. Given the same values for and - /// , - /// () yields the same - /// output value . - ///
- /// () performs the inverse - /// operation: It decodes a hidden point to a curve point on Curve25519. - ///
- /// () is a convenience - /// function that generates a secret key and its corresponding public key, which - /// is effectively indistinguishable from random noise, from a random seed. - /// The execution time of this function is - /// unpredictable because it may take many failures until a key pair could be - /// generated successfully. - /// () uses - /// internally; - /// if code size is an important concern, its functionality can be replicated with - /// instead. - ///
- /// + /// Function crypto_elligator_rev /// - /// A 32-byte buffer. The hidden encoding of a point on the curve which is effectively - /// indistinguishable from random. - /// A 32-byte buffer. The secret key that was generated from the given - /// . - /// A 32-byte random number from which to derive a key pair. See - /// intro(3monocypher) for advice about - /// generating random bytes (use the operating system's random number - /// generator). The is wiped - /// automatically. + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + /// See Monocypher manual for more details. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_hidden_key_pair(ref Byte32 hidden, ref Byte32 secret_key, ref Byte32 seed); + public static extern int crypto_elligator_rev(ref Byte32 hidden, in Byte32 curve, byte tweak); /// - /// - /// These functions allow obfuscating X25519 public keys by making them appear - /// effectively indistinguishable from random noise. This is of interest for key - /// exchange protocols that require indistinguishability from randomness, such as - /// padded uniform random blobs (PURBs). They are intended for ephemeral - /// (short-lived, possibly just one-time) X25519 keys, not for long-term public - /// keys. After an initial key exchange involving hidden keys, subsequent key - /// exchange messages should be encrypted instead; see, for example, the Noise - /// protocol. This is an advanced feature – - /// unless you are implementing an protocol that requires indistinguishability of - /// all communications from random noise, consider - /// - /// instead. - ///
- /// - /// For understanding what these functions do, it is important to note that a - /// “public key” in this context refers to a - /// point on Curve25519. This also means that these - /// functions are not compatible with - /// and related functions. - ///
- /// () takes a public key - /// and a - /// , hiding the public key it so that it is - /// effectively indistinguishable from random noise. Note that only - /// or - /// can - /// generate a suitable public key; the - /// function is - /// insufficient. The must be chosen at - /// random. Even then, this operation may fail: Not - /// all curve points are capable of being hidden. In this case, - /// () must be tried - /// again with a new key pair; the does not - /// need to be changed. On average, two attempts are needed. Once a suitable - /// public key has been found, - /// () always succeeds - /// for it. Given the same values for and - /// , - /// () yields the same - /// output value . - ///
- /// () performs the inverse - /// operation: It decodes a hidden point to a curve point on Curve25519. - ///
- /// () is a convenience - /// function that generates a secret key and its corresponding public key, which - /// is effectively indistinguishable from random noise, from a random seed. - /// The execution time of this function is - /// unpredictable because it may take many failures until a key pair could be - /// generated successfully. - /// () uses - /// internally; - /// if code size is an important concern, its functionality can be replicated with - /// instead. - ///
- /// + /// Function crypto_elligator_rev + /// + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + /// See Monocypher manual for more details. + public static unsafe int crypto_elligator_rev(Span hidden, ReadOnlySpan curve, byte tweak) + { + ExpectSize32(nameof(hidden), hidden.Length); + ExpectSize32(nameof(curve), curve.Length); + return crypto_elligator_rev(ref hidden.AsByte32(), in curve.AsByte32(), tweak); + } + + /// + /// Function crypto_elligator_key_pair /// - /// A 32-byte buffer. The hidden encoding of a point on the curve which is effectively - /// indistinguishable from random. - /// A 32-byte buffer. The secret key that was generated from the given - /// . - /// A 32-byte random number from which to derive a key pair. See - /// intro(3monocypher) for advice about - /// generating random bytes (use the operating system's random number - /// generator). The is wiped - /// automatically. - public static unsafe void crypto_hidden_key_pair(Span hidden, Span secret_key, Span seed) + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] + public static extern void crypto_elligator_key_pair(ref Byte32 hidden, ref Byte32 secret_key, ref Byte32 seed); + + /// + /// Function crypto_elligator_key_pair + /// + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. + public static unsafe void crypto_elligator_key_pair(Span hidden, Span secret_key, Span seed) { ExpectSize32(nameof(hidden), hidden.Length); ExpectSize32(nameof(secret_key), secret_key.Length); ExpectSize32(nameof(seed), seed.Length); - crypto_hidden_key_pair(ref hidden.AsByte32(), ref secret_key.AsByte32(), ref seed.AsByte32()); + crypto_elligator_key_pair(ref hidden.AsByte32(), ref secret_key.AsByte32(), ref seed.AsByte32()); } /// - /// - /// SHA-512 is a cryptographically secure hash, provided to enable compatibility - /// with other cryptographic systems. It is generally recommended to use - /// instead, as it both - /// performs faster on x86_64 CPUs and lacks many of the pitfalls of SHA-512. - ///
- /// - /// Note that SHA-512 itself is not suitable for hashing passwords and deriving keys - /// from them; use the - /// family of functions for that purpose instead. - ///
- /// - /// SHA-512 is vulnerable to length extension attacks; - /// using it as a message authentication code (MAC) algorithm or keyed hash - /// requires precautions. The - /// family of - /// functions provides HMAC with SHA-512. Use - /// to compare MACs - /// created this way. - ///
- /// + /// Function crypto_sha512_init /// - /// The output hash, which is always 64 bytes long. - /// The message to hash. May overlap with - /// . May be - /// NULL if - /// is 0. - /// Length of , in bytes. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] public static extern void crypto_sha512_init(ref Monocypher.crypto_sha512_ctx ctx); /// - /// - /// SHA-512 is a cryptographically secure hash, provided to enable compatibility - /// with other cryptographic systems. It is generally recommended to use - /// instead, as it both - /// performs faster on x86_64 CPUs and lacks many of the pitfalls of SHA-512. - ///
- /// - /// Note that SHA-512 itself is not suitable for hashing passwords and deriving keys - /// from them; use the - /// family of functions for that purpose instead. - ///
- /// - /// SHA-512 is vulnerable to length extension attacks; - /// using it as a message authentication code (MAC) algorithm or keyed hash - /// requires precautions. The - /// family of - /// functions provides HMAC with SHA-512. Use - /// to compare MACs - /// created this way. - ///
- /// + /// Function crypto_sha512_update /// - /// The message to hash. May overlap with - /// . May be - /// NULL if - /// is 0. - /// Length of , in bytes. /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] public static extern void crypto_sha512_update(ref Monocypher.crypto_sha512_ctx ctx, IntPtr message, Monocypher.size_t message_size); /// - /// - /// SHA-512 is a cryptographically secure hash, provided to enable compatibility - /// with other cryptographic systems. It is generally recommended to use - /// instead, as it both - /// performs faster on x86_64 CPUs and lacks many of the pitfalls of SHA-512. - ///
- /// - /// Note that SHA-512 itself is not suitable for hashing passwords and deriving keys - /// from them; use the - /// family of functions for that purpose instead. - ///
- /// - /// SHA-512 is vulnerable to length extension attacks; - /// using it as a message authentication code (MAC) algorithm or keyed hash - /// requires precautions. The - /// family of - /// functions provides HMAC with SHA-512. Use - /// to compare MACs - /// created this way. - ///
- /// + /// Function crypto_sha512_update /// - /// The message to hash. May overlap with - /// . May be - /// NULL if - /// is 0. /// See Monocypher manual for more details. + /// See Monocypher manual for more details. public static unsafe void crypto_sha512_update(ref Monocypher.crypto_sha512_ctx ctx, ReadOnlySpan message) { fixed(void* message_ptr = message) @@ -4125,58 +1695,18 @@ public static unsafe void crypto_sha512_update(ref Monocypher.crypto_sha512_ctx } /// - /// - /// SHA-512 is a cryptographically secure hash, provided to enable compatibility - /// with other cryptographic systems. It is generally recommended to use - /// instead, as it both - /// performs faster on x86_64 CPUs and lacks many of the pitfalls of SHA-512. - ///
- /// - /// Note that SHA-512 itself is not suitable for hashing passwords and deriving keys - /// from them; use the - /// family of functions for that purpose instead. - ///
- /// - /// SHA-512 is vulnerable to length extension attacks; - /// using it as a message authentication code (MAC) algorithm or keyed hash - /// requires precautions. The - /// family of - /// functions provides HMAC with SHA-512. Use - /// to compare MACs - /// created this way. - ///
- /// + /// Function crypto_sha512_final /// - /// A 64-byte buffer. The output hash, which is always 64 bytes long. /// See Monocypher manual for more details. + /// A 64-byte buffer. See Monocypher manual for more details. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] public static extern void crypto_sha512_final(ref Monocypher.crypto_sha512_ctx ctx, ref Byte64 hash); /// - /// - /// SHA-512 is a cryptographically secure hash, provided to enable compatibility - /// with other cryptographic systems. It is generally recommended to use - /// instead, as it both - /// performs faster on x86_64 CPUs and lacks many of the pitfalls of SHA-512. - ///
- /// - /// Note that SHA-512 itself is not suitable for hashing passwords and deriving keys - /// from them; use the - /// family of functions for that purpose instead. - ///
- /// - /// SHA-512 is vulnerable to length extension attacks; - /// using it as a message authentication code (MAC) algorithm or keyed hash - /// requires precautions. The - /// family of - /// functions provides HMAC with SHA-512. Use - /// to compare MACs - /// created this way. - ///
- /// + /// Function crypto_sha512_final /// - /// A 64-byte buffer. The output hash, which is always 64 bytes long. /// See Monocypher manual for more details. + /// A 64-byte buffer. See Monocypher manual for more details. public static unsafe void crypto_sha512_final(ref Monocypher.crypto_sha512_ctx ctx, Span hash) { ExpectSize64(nameof(hash), hash.Length); @@ -4184,64 +1714,62 @@ public static unsafe void crypto_sha512_final(ref Monocypher.crypto_sha512_ctx c } /// - /// - /// SHA-512 is a cryptographically secure hash, provided to enable compatibility - /// with other cryptographic systems. It is generally recommended to use + /// Hashing(), + /// (), + /// (), and + /// () implement SHA-512, a + /// cryptographically secure hash. They are provided to enable compatibility with + /// other cryptographic systems. It is generally recommended to use /// instead, as it both /// performs faster on x86_64 CPUs and lacks many of the pitfalls of SHA-512. ///
/// /// Note that SHA-512 itself is not suitable for hashing passwords and deriving keys - /// from them; use the + /// from them; use the /// family of functions for that purpose instead. ///
/// - /// SHA-512 is vulnerable to length extension attacks; - /// using it as a message authentication code (MAC) algorithm or keyed hash - /// requires precautions. The - /// family of - /// functions provides HMAC with SHA-512. Use - /// to compare MACs - /// created this way. + /// SHA-512 is vulnerable to length extension attacks, + /// and thus cannot directly be used for message authentication codes (MAC), nor + /// as a random oracle. For those, use the + /// () family of functions + /// instead. ///
/// /// - /// A 64-byte buffer. The output hash, which is always 64 bytes long. - /// The message to hash. May overlap with - /// . May be - /// NULL if + /// A 64-byte buffer. The output SHA-512 hash, which is always 64-bytes long. + /// The message to hash. May be NULL if /// is 0. /// Length of , in bytes. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] public static extern void crypto_sha512(ref Byte64 hash, IntPtr message, Monocypher.size_t message_size); /// - /// - /// SHA-512 is a cryptographically secure hash, provided to enable compatibility - /// with other cryptographic systems. It is generally recommended to use + /// Hashing(), + /// (), + /// (), and + /// () implement SHA-512, a + /// cryptographically secure hash. They are provided to enable compatibility with + /// other cryptographic systems. It is generally recommended to use /// instead, as it both /// performs faster on x86_64 CPUs and lacks many of the pitfalls of SHA-512. ///
/// /// Note that SHA-512 itself is not suitable for hashing passwords and deriving keys - /// from them; use the + /// from them; use the /// family of functions for that purpose instead. ///
/// - /// SHA-512 is vulnerable to length extension attacks; - /// using it as a message authentication code (MAC) algorithm or keyed hash - /// requires precautions. The - /// family of - /// functions provides HMAC with SHA-512. Use - /// to compare MACs - /// created this way. + /// SHA-512 is vulnerable to length extension attacks, + /// and thus cannot directly be used for message authentication codes (MAC), nor + /// as a random oracle. For those, use the + /// () family of functions + /// instead. ///
/// /// - /// A 64-byte buffer. The output hash, which is always 64 bytes long. - /// The message to hash. May overlap with - /// . May be - /// NULL if + /// A 64-byte buffer. The output SHA-512 hash, which is always 64-bytes long. + /// The message to hash. May be NULL if /// is 0. public static unsafe void crypto_sha512(Span hash, ReadOnlySpan message) { @@ -4251,207 +1779,166 @@ public static unsafe void crypto_sha512(Span hash, ReadOnlySpan mess } /// - /// - /// HMAC with SHA-512 is a cryptographically secure message authentication code - /// (MAC), provided to enable compatibility with other cryptographic systems. It - /// is generally recommended to use - /// instead, as - /// it performs faster on x86_64 CPUs. - ///
- /// + /// Function crypto_sha512_hmac_init /// - /// Some secret key. One cannot predict the final hash without it. Users may - /// want to wipe the key with - /// once they are done - /// with it. - /// Length of , in bytes. 32 is a good - /// default. Keys longer than 128 bytes will be reduced to 64 bytes by hashing - /// the key with SHA-512. /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_hmac_sha512_init(ref Monocypher.crypto_hmac_sha512_ctx ctx, IntPtr key, Monocypher.size_t key_size); + public static extern void crypto_sha512_hmac_init(ref Monocypher.crypto_sha512_hmac_ctx ctx, IntPtr key, Monocypher.size_t key_size); /// - /// - /// HMAC with SHA-512 is a cryptographically secure message authentication code - /// (MAC), provided to enable compatibility with other cryptographic systems. It - /// is generally recommended to use - /// instead, as - /// it performs faster on x86_64 CPUs. - ///
- /// + /// Function crypto_sha512_hmac_init /// - /// Some secret key. One cannot predict the final hash without it. Users may - /// want to wipe the key with - /// once they are done - /// with it. /// See Monocypher manual for more details. - public static unsafe void crypto_hmac_sha512_init(ref Monocypher.crypto_hmac_sha512_ctx ctx, ReadOnlySpan key) + /// See Monocypher manual for more details. + public static unsafe void crypto_sha512_hmac_init(ref Monocypher.crypto_sha512_hmac_ctx ctx, ReadOnlySpan key) { fixed(void* key_ptr = key) - crypto_hmac_sha512_init(ref ctx, new IntPtr(key_ptr), (Monocypher.size_t)key.Length); + crypto_sha512_hmac_init(ref ctx, new IntPtr(key_ptr), (Monocypher.size_t)key.Length); } /// - /// - /// HMAC with SHA-512 is a cryptographically secure message authentication code - /// (MAC), provided to enable compatibility with other cryptographic systems. It - /// is generally recommended to use - /// instead, as - /// it performs faster on x86_64 CPUs. - ///
- /// + /// Function crypto_sha512_hmac_update /// - /// The message to compute the HMAC for. May overlap with - /// . May be - /// NULL if - /// is 0. - /// Length of , in bytes. /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_hmac_sha512_update(ref Monocypher.crypto_hmac_sha512_ctx ctx, IntPtr message, Monocypher.size_t message_size); + public static extern void crypto_sha512_hmac_update(ref Monocypher.crypto_sha512_hmac_ctx ctx, IntPtr message, Monocypher.size_t message_size); /// - /// - /// HMAC with SHA-512 is a cryptographically secure message authentication code - /// (MAC), provided to enable compatibility with other cryptographic systems. It - /// is generally recommended to use - /// instead, as - /// it performs faster on x86_64 CPUs. - ///
- /// + /// Function crypto_sha512_hmac_update /// - /// The message to compute the HMAC for. May overlap with - /// . May be - /// NULL if - /// is 0. /// See Monocypher manual for more details. - public static unsafe void crypto_hmac_sha512_update(ref Monocypher.crypto_hmac_sha512_ctx ctx, ReadOnlySpan message) + /// See Monocypher manual for more details. + public static unsafe void crypto_sha512_hmac_update(ref Monocypher.crypto_sha512_hmac_ctx ctx, ReadOnlySpan message) { fixed(void* message_ptr = message) - crypto_hmac_sha512_update(ref ctx, new IntPtr(message_ptr), (Monocypher.size_t)message.Length); + crypto_sha512_hmac_update(ref ctx, new IntPtr(message_ptr), (Monocypher.size_t)message.Length); } /// - /// - /// HMAC with SHA-512 is a cryptographically secure message authentication code - /// (MAC), provided to enable compatibility with other cryptographic systems. It - /// is generally recommended to use - /// instead, as - /// it performs faster on x86_64 CPUs. - ///
- /// + /// Function crypto_sha512_hmac_final /// - /// A 64-byte buffer. The output MAC, which is always 64 bytes long. /// See Monocypher manual for more details. + /// A 64-byte buffer. See Monocypher manual for more details. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_hmac_sha512_final(ref Monocypher.crypto_hmac_sha512_ctx ctx, ref Byte64 hmac); + public static extern void crypto_sha512_hmac_final(ref Monocypher.crypto_sha512_hmac_ctx ctx, ref Byte64 hmac); /// - /// - /// HMAC with SHA-512 is a cryptographically secure message authentication code - /// (MAC), provided to enable compatibility with other cryptographic systems. It - /// is generally recommended to use - /// instead, as - /// it performs faster on x86_64 CPUs. - ///
- /// + /// Function crypto_sha512_hmac_final /// - /// A 64-byte buffer. The output MAC, which is always 64 bytes long. /// See Monocypher manual for more details. - public static unsafe void crypto_hmac_sha512_final(ref Monocypher.crypto_hmac_sha512_ctx ctx, Span hmac) + /// A 64-byte buffer. See Monocypher manual for more details. + public static unsafe void crypto_sha512_hmac_final(ref Monocypher.crypto_sha512_hmac_ctx ctx, Span hmac) { ExpectSize64(nameof(hmac), hmac.Length); - crypto_hmac_sha512_final(ref ctx, ref hmac.AsByte64()); + crypto_sha512_hmac_final(ref ctx, ref hmac.AsByte64()); } /// - /// - /// HMAC with SHA-512 is a cryptographically secure message authentication code - /// (MAC), provided to enable compatibility with other cryptographic systems. It - /// is generally recommended to use - /// instead, as - /// it performs faster on x86_64 CPUs. - ///
- /// + /// Function crypto_sha512_hmac /// - /// A 64-byte buffer. The output MAC, which is always 64 bytes long. - /// Some secret key. One cannot predict the final hash without it. Users may - /// want to wipe the key with - /// once they are done - /// with it. - /// Length of , in bytes. 32 is a good - /// default. Keys longer than 128 bytes will be reduced to 64 bytes by hashing - /// the key with SHA-512. - /// The message to compute the HMAC for. May overlap with - /// . May be - /// NULL if - /// is 0. - /// Length of , in bytes. + /// A 64-byte buffer. See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_hmac_sha512(ref Byte64 hmac, IntPtr key, Monocypher.size_t key_size, IntPtr message, Monocypher.size_t message_size); + public static extern void crypto_sha512_hmac(ref Byte64 hmac, IntPtr key, Monocypher.size_t key_size, IntPtr message, Monocypher.size_t message_size); /// - /// - /// HMAC with SHA-512 is a cryptographically secure message authentication code - /// (MAC), provided to enable compatibility with other cryptographic systems. It - /// is generally recommended to use - /// instead, as - /// it performs faster on x86_64 CPUs. - ///
- /// + /// Function crypto_sha512_hmac /// - /// A 64-byte buffer. The output MAC, which is always 64 bytes long. - /// Some secret key. One cannot predict the final hash without it. Users may - /// want to wipe the key with - /// once they are done - /// with it. - /// The message to compute the HMAC for. May overlap with - /// . May be - /// NULL if - /// is 0. - public static unsafe void crypto_hmac_sha512(Span hmac, ReadOnlySpan key, ReadOnlySpan message) + /// A 64-byte buffer. See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + public static unsafe void crypto_sha512_hmac(Span hmac, ReadOnlySpan key, ReadOnlySpan message) { ExpectSize64(nameof(hmac), hmac.Length); fixed(void* key_ptr = key) fixed(void* message_ptr = message) - crypto_hmac_sha512(ref hmac.AsByte64(), new IntPtr(key_ptr), (Monocypher.size_t)key.Length, new IntPtr(message_ptr), (Monocypher.size_t)message.Length); + crypto_sha512_hmac(ref hmac.AsByte64(), new IntPtr(key_ptr), (Monocypher.size_t)key.Length, new IntPtr(message_ptr), (Monocypher.size_t)message.Length); } /// - /// - /// The () and - /// () functions provide - /// Ed25519 public key signatures and verification with SHA-512 as the underlying - /// hash function; they are interoperable with other Ed25519 implementations. If - /// you have no interoperability requirements, prefer - /// . - ///
- /// + /// Function crypto_sha512_hkdf_expand + /// + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] + public static extern void crypto_sha512_hkdf_expand(IntPtr okm, Monocypher.size_t okm_size, IntPtr prk, Monocypher.size_t prk_size, IntPtr info, Monocypher.size_t info_size); + + /// + /// Function crypto_sha512_hkdf_expand + /// + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + public static unsafe void crypto_sha512_hkdf_expand(Span okm, ReadOnlySpan prk, ReadOnlySpan info) + { + fixed(void* okm_ptr = okm) + fixed(void* prk_ptr = prk) + fixed(void* info_ptr = info) + crypto_sha512_hkdf_expand(new IntPtr(okm_ptr), (Monocypher.size_t)okm.Length, new IntPtr(prk_ptr), (Monocypher.size_t)prk.Length, new IntPtr(info_ptr), (Monocypher.size_t)info.Length); + } + + /// + /// Function crypto_sha512_hkdf /// + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] + public static extern void crypto_sha512_hkdf(IntPtr okm, Monocypher.size_t okm_size, IntPtr ikm, Monocypher.size_t ikm_size, IntPtr salt, Monocypher.size_t salt_size, IntPtr info, Monocypher.size_t info_size); + + /// + /// Function crypto_sha512_hkdf + /// + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + /// See Monocypher manual for more details. + public static unsafe void crypto_sha512_hkdf(Span okm, ReadOnlySpan ikm, ReadOnlySpan salt, ReadOnlySpan info) + { + fixed(void* okm_ptr = okm) + fixed(void* ikm_ptr = ikm) + fixed(void* salt_ptr = salt) + fixed(void* info_ptr = info) + crypto_sha512_hkdf(new IntPtr(okm_ptr), (Monocypher.size_t)okm.Length, new IntPtr(ikm_ptr), (Monocypher.size_t)ikm.Length, new IntPtr(salt_ptr), (Monocypher.size_t)salt.Length, new IntPtr(info_ptr), (Monocypher.size_t)info.Length); + } + + /// + /// Function crypto_ed25519_key_pair + /// + /// A 64-byte buffer. See Monocypher manual for more details. /// A 32-byte buffer. See Monocypher manual for more details. - /// A 32-byte buffer. See Monocypher manual for more details. + /// A 32-byte buffer. See Monocypher manual for more details. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_ed25519_public_key(ref Byte32 public_key, in Byte32 secret_key); + public static extern void crypto_ed25519_key_pair(ref Byte64 secret_key, ref Byte32 public_key, ref Byte32 seed); /// - /// - /// The () and - /// () functions provide - /// Ed25519 public key signatures and verification with SHA-512 as the underlying - /// hash function; they are interoperable with other Ed25519 implementations. If - /// you have no interoperability requirements, prefer - /// . - ///
- /// + /// Function crypto_ed25519_key_pair /// + /// A 64-byte buffer. See Monocypher manual for more details. /// A 32-byte buffer. See Monocypher manual for more details. - /// A 32-byte buffer. See Monocypher manual for more details. - public static unsafe void crypto_ed25519_public_key(Span public_key, ReadOnlySpan secret_key) + /// A 32-byte buffer. See Monocypher manual for more details. + public static unsafe void crypto_ed25519_key_pair(Span secret_key, Span public_key, Span seed) { + ExpectSize64(nameof(secret_key), secret_key.Length); ExpectSize32(nameof(public_key), public_key.Length); - ExpectSize32(nameof(secret_key), secret_key.Length); - crypto_ed25519_public_key(ref public_key.AsByte32(), in secret_key.AsByte32()); + ExpectSize32(nameof(seed), seed.Length); + crypto_ed25519_key_pair(ref secret_key.AsByte64(), ref public_key.AsByte32(), ref seed.AsByte32()); } /// @@ -4459,54 +1946,43 @@ public static unsafe void crypto_ed25519_public_key(Span public_key, ReadO /// The () and /// () functions provide /// Ed25519 public key signatures and verification with SHA-512 as the underlying - /// hash function; they are interoperable with other Ed25519 implementations. If + /// hash function. They are interoperable with other Ed25519 implementations. If /// you have no interoperability requirements, prefer - /// . + /// . ///
/// /// /// A 64-byte buffer. See Monocypher manual for more details. - /// A 32-byte buffer. See Monocypher manual for more details. - /// A 32-byte buffer. See Monocypher manual for more details. + /// A 64-byte buffer. See Monocypher manual for more details. /// See Monocypher manual for more details. /// See Monocypher manual for more details. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_ed25519_sign(ref Byte64 signature, in Byte32 secret_key, in Byte32 public_key, IntPtr message, Monocypher.size_t message_size); + public static extern void crypto_ed25519_sign(ref Byte64 signature, in Byte64 secret_key, IntPtr message, Monocypher.size_t message_size); /// /// /// The () and /// () functions provide /// Ed25519 public key signatures and verification with SHA-512 as the underlying - /// hash function; they are interoperable with other Ed25519 implementations. If + /// hash function. They are interoperable with other Ed25519 implementations. If /// you have no interoperability requirements, prefer - /// . + /// . ///
/// /// /// A 64-byte buffer. See Monocypher manual for more details. - /// A 32-byte buffer. See Monocypher manual for more details. - /// A 32-byte buffer. See Monocypher manual for more details. + /// A 64-byte buffer. See Monocypher manual for more details. /// See Monocypher manual for more details. - public static unsafe void crypto_ed25519_sign(Span signature, ReadOnlySpan secret_key, ReadOnlySpan public_key, ReadOnlySpan message) + public static unsafe void crypto_ed25519_sign(Span signature, ReadOnlySpan secret_key, ReadOnlySpan message) { ExpectSize64(nameof(signature), signature.Length); - ExpectSize32(nameof(secret_key), secret_key.Length); - ExpectSize32(nameof(public_key), public_key.Length); + ExpectSize64(nameof(secret_key), secret_key.Length); fixed(void* message_ptr = message) - crypto_ed25519_sign(ref signature.AsByte64(), in secret_key.AsByte32(), in public_key.AsByte32(), new IntPtr(message_ptr), (Monocypher.size_t)message.Length); + crypto_ed25519_sign(ref signature.AsByte64(), in secret_key.AsByte64(), new IntPtr(message_ptr), (Monocypher.size_t)message.Length); } /// - /// - /// The () and - /// () functions provide - /// Ed25519 public key signatures and verification with SHA-512 as the underlying - /// hash function; they are interoperable with other Ed25519 implementations. If - /// you have no interoperability requirements, prefer - /// . - ///
- /// + /// Function crypto_ed25519_check /// /// A 64-byte buffer. See Monocypher manual for more details. /// A 32-byte buffer. See Monocypher manual for more details. @@ -4516,15 +1992,7 @@ public static unsafe void crypto_ed25519_sign(Span signature, ReadOnlySpan public static extern int crypto_ed25519_check(in Byte64 signature, in Byte32 public_key, IntPtr message, Monocypher.size_t message_size); /// - /// - /// The () and - /// () functions provide - /// Ed25519 public key signatures and verification with SHA-512 as the underlying - /// hash function; they are interoperable with other Ed25519 implementations. If - /// you have no interoperability requirements, prefer - /// . - ///
- /// + /// Function crypto_ed25519_check /// /// A 64-byte buffer. See Monocypher manual for more details. /// A 32-byte buffer. See Monocypher manual for more details. @@ -4538,127 +2006,49 @@ public static unsafe int crypto_ed25519_check(ReadOnlySpan signature, Read } /// - /// - /// These functions are variants of - /// and - /// . Prefer those - /// simpler functions if possible. - ///
- /// - /// These functions provide Ed25519 public key signatures and verification with - /// SHA-512 as the underlying hash function; they are interoperable with other - /// Ed25519 implementations. If you have no interoperability requirements, prefer - /// . - ///
- /// + /// Function crypto_ed25519_ph_sign /// - /// See Monocypher manual for more details. - /// A 32-byte buffer. See Monocypher manual for more details. - /// A 32-byte buffer. See Monocypher manual for more details. + /// A 64-byte buffer. See Monocypher manual for more details. + /// A 64-byte buffer. See Monocypher manual for more details. + /// A 64-byte buffer. See Monocypher manual for more details. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_ed25519_sign_init_first_pass(ref Monocypher.crypto_sign_ctx_abstract ctx, in Byte32 secret_key, in Byte32 public_key); + public static extern void crypto_ed25519_ph_sign(ref Byte64 signature, in Byte64 secret_key, in Byte64 message_hash); /// - /// - /// These functions are variants of - /// and - /// . Prefer those - /// simpler functions if possible. - ///
- /// - /// These functions provide Ed25519 public key signatures and verification with - /// SHA-512 as the underlying hash function; they are interoperable with other - /// Ed25519 implementations. If you have no interoperability requirements, prefer - /// . - ///
- /// + /// Function crypto_ed25519_ph_sign /// - /// See Monocypher manual for more details. - /// A 32-byte buffer. See Monocypher manual for more details. - /// A 32-byte buffer. See Monocypher manual for more details. - public static unsafe void crypto_ed25519_sign_init_first_pass(ref Monocypher.crypto_sign_ctx_abstract ctx, ReadOnlySpan secret_key, ReadOnlySpan public_key) + /// A 64-byte buffer. See Monocypher manual for more details. + /// A 64-byte buffer. See Monocypher manual for more details. + /// A 64-byte buffer. See Monocypher manual for more details. + public static unsafe void crypto_ed25519_ph_sign(Span signature, ReadOnlySpan secret_key, ReadOnlySpan message_hash) { - ExpectSize32(nameof(secret_key), secret_key.Length); - ExpectSize32(nameof(public_key), public_key.Length); - crypto_ed25519_sign_init_first_pass(ref ctx, in secret_key.AsByte32(), in public_key.AsByte32()); + ExpectSize64(nameof(signature), signature.Length); + ExpectSize64(nameof(secret_key), secret_key.Length); + ExpectSize64(nameof(message_hash), message_hash.Length); + crypto_ed25519_ph_sign(ref signature.AsByte64(), in secret_key.AsByte64(), in message_hash.AsByte64()); } /// - /// - /// These functions are variants of - /// and - /// . Prefer those - /// simpler functions if possible. - ///
- /// - /// These functions provide Ed25519 public key signatures and verification with - /// SHA-512 as the underlying hash function; they are interoperable with other - /// Ed25519 implementations. If you have no interoperability requirements, prefer - /// . - ///
- /// + /// Function crypto_ed25519_ph_check /// - /// See Monocypher manual for more details. /// A 64-byte buffer. See Monocypher manual for more details. /// A 32-byte buffer. See Monocypher manual for more details. + /// A 64-byte buffer. See Monocypher manual for more details. [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_ed25519_check_init(ref Monocypher.crypto_check_ctx_abstract ctx, in Byte64 signature, in Byte32 public_key); + public static extern int crypto_ed25519_ph_check(in Byte64 signature, in Byte32 public_key, in Byte64 message_hash); /// - /// - /// These functions are variants of - /// and - /// . Prefer those - /// simpler functions if possible. - ///
- /// - /// These functions provide Ed25519 public key signatures and verification with - /// SHA-512 as the underlying hash function; they are interoperable with other - /// Ed25519 implementations. If you have no interoperability requirements, prefer - /// . - ///
- /// + /// Function crypto_ed25519_ph_check /// - /// See Monocypher manual for more details. /// A 64-byte buffer. See Monocypher manual for more details. /// A 32-byte buffer. See Monocypher manual for more details. - public static unsafe void crypto_ed25519_check_init(ref Monocypher.crypto_check_ctx_abstract ctx, ReadOnlySpan signature, ReadOnlySpan public_key) + /// A 64-byte buffer. See Monocypher manual for more details. + public static unsafe int crypto_ed25519_ph_check(ReadOnlySpan signature, ReadOnlySpan public_key, ReadOnlySpan message_hash) { ExpectSize64(nameof(signature), signature.Length); ExpectSize32(nameof(public_key), public_key.Length); - crypto_ed25519_check_init(ref ctx, in signature.AsByte64(), in public_key.AsByte32()); - } - - /// - /// - /// These functions work like - /// and - /// , except - /// that they operate on Ed25519 key pairs rather than key pairs for EdDSA with - /// BLAKE2b. Please see the documentation for those functions for details. - /// - /// - /// A 32-byte buffer. See Monocypher manual for more details. - /// A 32-byte buffer. See Monocypher manual for more details. - [DllImport(MonocypherDll, CallingConvention = CallingConvention.Cdecl)] - public static extern void crypto_from_ed25519_private(ref Byte32 x25519, in Byte32 eddsa); - - /// - /// - /// These functions work like - /// and - /// , except - /// that they operate on Ed25519 key pairs rather than key pairs for EdDSA with - /// BLAKE2b. Please see the documentation for those functions for details. - /// - /// - /// A 32-byte buffer. See Monocypher manual for more details. - /// A 32-byte buffer. See Monocypher manual for more details. - public static unsafe void crypto_from_ed25519_private(Span x25519, ReadOnlySpan eddsa) - { - ExpectSize32(nameof(x25519), x25519.Length); - ExpectSize32(nameof(eddsa), eddsa.Length); - crypto_from_ed25519_private(ref x25519.AsByte32(), in eddsa.AsByte32()); + ExpectSize64(nameof(message_hash), message_hash.Length); + return crypto_ed25519_ph_check(in signature.AsByte64(), in public_key.AsByte32(), in message_hash.AsByte64()); } } } diff --git a/src/Monocypher/runtimes/linux-arm/native/libmonocypher_native.so b/src/Monocypher/runtimes/linux-arm/native/libmonocypher_native.so index e5c0cec..236c4fb 100644 Binary files a/src/Monocypher/runtimes/linux-arm/native/libmonocypher_native.so and b/src/Monocypher/runtimes/linux-arm/native/libmonocypher_native.so differ diff --git a/src/Monocypher/runtimes/linux-arm64/native/libmonocypher_native.so b/src/Monocypher/runtimes/linux-arm64/native/libmonocypher_native.so index c9f0208..661f1c2 100644 Binary files a/src/Monocypher/runtimes/linux-arm64/native/libmonocypher_native.so and b/src/Monocypher/runtimes/linux-arm64/native/libmonocypher_native.so differ diff --git a/src/Monocypher/runtimes/linux-x64/native/libmonocypher_native.so b/src/Monocypher/runtimes/linux-x64/native/libmonocypher_native.so index 7dc794f..06b7cf7 100644 Binary files a/src/Monocypher/runtimes/linux-x64/native/libmonocypher_native.so and b/src/Monocypher/runtimes/linux-x64/native/libmonocypher_native.so differ diff --git a/src/Monocypher/runtimes/osx-arm64/native/libmonocypher_native.dylib b/src/Monocypher/runtimes/osx-arm64/native/libmonocypher_native.dylib index a8ccd77..22e390b 100755 Binary files a/src/Monocypher/runtimes/osx-arm64/native/libmonocypher_native.dylib and b/src/Monocypher/runtimes/osx-arm64/native/libmonocypher_native.dylib differ diff --git a/src/Monocypher/runtimes/osx-x64/native/libmonocypher_native.dylib b/src/Monocypher/runtimes/osx-x64/native/libmonocypher_native.dylib index 1476157..22e390b 100644 Binary files a/src/Monocypher/runtimes/osx-x64/native/libmonocypher_native.dylib and b/src/Monocypher/runtimes/osx-x64/native/libmonocypher_native.dylib differ diff --git a/src/Monocypher/runtimes/win-arm/native/monocypher_native.dll b/src/Monocypher/runtimes/win-arm/native/monocypher_native.dll index e78c149..8f03bcf 100644 Binary files a/src/Monocypher/runtimes/win-arm/native/monocypher_native.dll and b/src/Monocypher/runtimes/win-arm/native/monocypher_native.dll differ diff --git a/src/Monocypher/runtimes/win-arm64/native/monocypher_native.dll b/src/Monocypher/runtimes/win-arm64/native/monocypher_native.dll index 3c9b34c..6eb2753 100644 Binary files a/src/Monocypher/runtimes/win-arm64/native/monocypher_native.dll and b/src/Monocypher/runtimes/win-arm64/native/monocypher_native.dll differ diff --git a/src/Monocypher/runtimes/win-x64/native/monocypher_native.dll b/src/Monocypher/runtimes/win-x64/native/monocypher_native.dll index 6657918..fc1f36d 100644 Binary files a/src/Monocypher/runtimes/win-x64/native/monocypher_native.dll and b/src/Monocypher/runtimes/win-x64/native/monocypher_native.dll differ diff --git a/src/Monocypher/runtimes/win-x86/native/monocypher_native.dll b/src/Monocypher/runtimes/win-x86/native/monocypher_native.dll index ef6edf1..3c75c22 100644 Binary files a/src/Monocypher/runtimes/win-x86/native/monocypher_native.dll and b/src/Monocypher/runtimes/win-x86/native/monocypher_native.dll differ diff --git a/src/global.json b/src/global.json index 51a6483..2aa85a4 100644 --- a/src/global.json +++ b/src/global.json @@ -1,6 +1,6 @@ { "sdk": { - "version": "6.0.100", + "version": "8.0.100", "rollForward": "latestMinor", "allowPrerelease": false }