tahoe-ssk: An implementation of the Tahoe-LAFS SSK cryptographic protocols

[ bsd3, cryptography, library, parsers, program, security ] [ Propose Tags ]

This currently includes a partial implementation of SDMF. A future version may include an implementation of MDMF.

[Skip to Readme]


Maintainer's Corner

Package maintainers

For package maintainers and hackage trustees


  • No Candidates
Versions [RSS],
Change log CHANGELOG.md
Dependencies asn1-encoding (>=0.9.6 && <0.10), asn1-types (>=0.3.4 && <0.4), base (>=4.7 && <5), base32 (>=0.2.1 && <0.3), binary (>=0.8.6 && <0.9), bytestring (>= && <0.11), cereal (>= && <0.6), containers (>= && <0.7), cryptonite (>=0.27 && <0.30), megaparsec (>=8.0 && <9.3), memory (>=0.15 && <0.17), tahoe-capabilities (>=0.1 && <0.2), tahoe-chk (>=0.2 && <0.3), tahoe-ssk, text (>= && <1.3), x509 (>=1.7.5 && <1.8) [details]
License BSD-3-Clause
Author Jean-Paul Calderone
Maintainer exarkun@twistedmatrix.com
Category Cryptography, Library, Parsers, Security
Home page https://whetstone.private.storage/PrivateStorage/tahoe-ssk
Source repo head: git clone gitlab@whetstone.private.storage:privatestorage/tahoe-ssk.git
Uploaded by jcalderone at 2023-10-10T12:34:46Z
Reverse Dependencies 2 direct, 0 indirect [details]
Executables encode-ssk, make-keypairs
Downloads 15 total (4 in the last 30 days)
Rating (no votes yet) [estimated by Bayesian average]
Your Rating
  • λ
  • λ
  • λ
Status Docs uploaded by user [build log]
All reported builds failed as of 2023-10-10 [all 1 reports]

Readme for tahoe-ssk-

[back to package description]


What is it?

Tahoe-SSK is a Haskell implementation of the Tahoe-LAFS SSK crytographic protocols. This includes (S)mall (D)istributed (M)utable (F)iles (SDMF) and (M)edium (D)istributed (M)utable (F)iles (MDMF). It aims for bit-for-bit compatibility with the original Python implementation.

It will not include an implementation of any network protocol for transferring SSK shares. However, its APIs are intended to be easy to integrate with such an implementation.

What is the current state?

  • SDMF write, read, and verify capabilities can be parsed and serialized.

  • SDMF shares can be deserialized, decoded, and decrypted.

    • The cryptographic integrity is not verified:
      • a share's block hashes are not checked against the share's block hash tree
      • the root of the computed share hash tree is not checked against share's pre-computed share hash tree root
    • The cryptographic authenticity is not verified:
      • signatures on the data are not checked
  • Plaintext can be encrypted, encoded into shares, and the shares serialized to bytes.

    • Not all fields of the shares contain correctly initialized values.
    • Enough fields are correctly populated to recover the original plaintext.

Why does it exist?

A Haskell implementation can be used in places the original Python implementation cannot be (for example, runtime environments where it is difficult to have a Python interpreter). Additionally, with the benefit of the experience gained from creating and maintaining the Python implementation, a number of implementation decisions can be made differently to produce a more efficient, more flexible, simpler implementation and API. Also, the Python implementation claims no public library API for users outside of the Tahoe-LAFS project itself.

Cryptographic Library Choice

This library uses cryptonite for cryptography, motivated by the following considerations.

SDMF uses

  • SHA256 for tagged hashes for key derivation and for integrity (XXX right word?) checks on some data.
  • AES128 for encryption of the signature key and the application plaintext data.
  • RSA for signatures proving write authority.

There are a number of Haskell libraries that provide all of these:

  • Crypto

    • Does not support the AES mode we require (CTR).
  • HsOpenSSL

    • Bindings to a C library, OpenSSL, which may complicate the build process.
    • OpenSSL's security and reliability track record also leaves something to be desired.
  • cryptonite

    • Has all of the primitive cryptographic functionality we need.

We want a library that:

  • Can be used with reflex-platform
    • ghc 8.6.5 compatible
  • Can be cross-compiled to different targets from x86_64-linux
    • Mainly armeabi and armv7
  • Is suitable for real-world security purposes
    • not a demo or a toy library
      • documents its limitations
    • is well-tested
    • avoids real-world pitfalls (side-channel attacks, etc), not just textbook issues
    • has more than a handful of other users
    • is well-maintained
      • developers are responsive to security reports
      • has a channel for security-related disclosures
      • has sound documentation for proper, safe usage

And, of course, implements the required functionality.


There are a number of Haskell libraries that provide this primitive:

  • Crypto
  • HsOpenSSL
  • SHA
  • cryptohash
  • cryptonite
  • dhall
  • hashing
  • nettle
  • sbv
  • tls


  • Crypto
  • HsOpenSSL
  • cipher-aes
  • cipher-aes128
  • crypto
  • cryptocipher
  • cryptonite
  • cryptostore
  • nettle


SDMF depends on RSA for signatures proving write authority.

  • Crypto
  • HsOpenSSL
  • RSA
  • cryptonite