Secret-key encryption: Crypto.Saltine.Core.Stream

The stream function produces a sized stream ByteString as a function of a secret key and a nonce. The xor function encrypts a message ByteString using a secret key and a nonce. The xor function guarantees that the ciphertext has the same length as the plaintext, and is the plaintext xor stream k n. Consequently xor can also be used to decrypt.

The stream function, viewed as a function of the nonce for a uniform random key, is designed to meet the standard notion of unpredictability ("PRF"). For a formal definition see, e.g., Section 2.3 of Bellare, Kilian, and Rogaway, "The security of the cipher block chaining message authentication code," Journal of Computer and System Sciences 61 (2000), 362–399; http://www-cse.ucsd.edu/~mihir/papers/cbc.html. This means that an attacker cannot distinguish this function from a uniform random function. Consequently, if a series of messages is encrypted by xor with a different nonce for each message, the ciphertexts are indistinguishable from uniform random strings of the same length.

Note that the length is not hidden. Note also that it is the caller's responsibility to ensure the uniqueness of nonces—for example, by using nonce 1 for the first message, nonce 2 for the second message, etc. Nonces are long enough that randomly generated nonces have negligible risk of collision.

Saltine does not make any promises regarding the resistance of crypto_stream to "related-key attacks." It is the caller's responsibility to use proper key-derivation functions.

Crypto.Saltine.Core.Stream is crypto_stream_xsalsa20, a particular cipher specified in "Cryptography in NaCl" (http://nacl.cr.yp.to/valid.html), Section 7. This cipher is conjectured to meet the standard notion of unpredictability.

This is version 2010.08.30 of the stream.html web page.