Skip to main content

Module crypto

aion_context

Module crypto 

Source
Expand description

Cryptographic primitives for AION v2

This module provides safe, ergonomic wrappers around battle-tested cryptographic libraries. All operations follow Tiger Style principles: explicit error handling, constant-time where applicable, and automatic zeroization of sensitive data.

§Cryptographic Algorithms

  • Ed25519: Digital signatures (RFC 8032, 128-bit security level)

    • Used for version signing and author authentication
    • Deterministic signatures, no nonce generation issues
    • Constant-time operations resistant to timing attacks

  • ChaCha20-Poly1305: Authenticated encryption (RFC 8439, 256-bit key)

    • AEAD cipher for rules encryption
    • Prevents tampering via authentication tag
    • Used in TLS 1.3 as mandatory cipher suite

  • BLAKE3: Cryptographic hashing (256-bit output)

    • 5x faster than SHA-256
    • Parallelizable for large data
    • Used for content hashing and integrity checks

  • HKDF: Key derivation function (RFC 5869, NIST approved)

    • HMAC-based key derivation with SHA-256
    • Derives multiple keys from master secret
    • Context separation via info parameter

§Security Properties

  • No panics: All errors explicitly handled
  • Constant-time: Ed25519 operations resistant to timing attacks
  • Zeroization: Signing keys automatically cleared on drop
  • Entropy: OS CSPRNG for key/nonce generation
  • Standards: RFC-compliant implementations

§Usage Examples

§Digital Signatures

use aion_context::crypto::SigningKey;

// Generate a new signing key
let signing_key = SigningKey::generate();
let message = b"Version 1: Updated fraud rules";

// Sign a message
let signature = signing_key.sign(message);

// Verify the signature
let verifying_key = signing_key.verifying_key();
assert!(verifying_key.verify(message, &signature).is_ok());

§Authenticated Encryption

use aion_context::crypto::{generate_nonce, encrypt, decrypt};

let key = [0u8; 32];  // In production, use proper key derivation
let nonce = generate_nonce();
let plaintext = b"sensitive rules data";
let aad = b"version metadata";

// Encrypt data
let ciphertext = encrypt(&key, &nonce, plaintext, aad).unwrap();

// Decrypt data
let recovered = decrypt(&key, &nonce, &ciphertext, aad).unwrap();
assert_eq!(recovered, plaintext);

§Hashing

use aion_context::crypto::{hash, keyed_hash};

// Content hashing
let data = b"file content";
let content_hash = hash(data);

// Keyed hashing (MAC)
let key = [0u8; 32];
let mac = keyed_hash(&key, data);

§Key Derivation

use aion_context::crypto::derive_key;

let master_secret = b"high entropy master key";
let salt = b"unique salt value";
let info = b"encryption-key-v1";

let mut derived_key = [0u8; 32];
derive_key(master_secret, salt, info, &mut derived_key).unwrap();
// derived_key now contains 32 bytes of derived key material
assert_eq!(derived_key.len(), 32);

Structs§

Ed25519SigningKey
ed25519 signing key which can be used to produce signatures.
Ed25519VerifyingKey
An ed25519 public key.
SigningKey
Signing key for Ed25519 signatures
VerifyingKey
Verifying key for Ed25519 signatures

Functions§

decrypt
Decrypt data using ChaCha20-Poly1305 (AEAD)
derive_key
Derive a key using HKDF-SHA256
encrypt
Encrypt data using ChaCha20-Poly1305 (AEAD)
generate_nonce
Generate a random nonce for ChaCha20-Poly1305
hash
Hash a message using BLAKE3
keyed_hash
Keyed hash using BLAKE3