1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
//! The core of this program. Encrypt/decrypt, compress/decompress files.
//!
//! # Module Structure
//!
//! | Module | Contents |
//! |---|---|
//! | [`header`] | Constants (`MAGIC`, `VERSION`, `SALT_LEN`, …) and [`FileHeader`] |
//! | [`key`] | Key derivation (Argon2, key splitting, nonce derivation) + key cache |
//! | [`stream`] | Streaming `Read → Write` encrypt/decrypt primitives |
//! | [`file`] | File-to-file encrypt/decrypt with atomic writes & metadata preservation |
//! | [`batch`] | Parallel batch operations with shared key cache |
//! | [`repo`] | Repository-level encrypt/decrypt with salt cache integration |
//!
//! See the module-level docs of each submodule for details.
//!
//! # Nonce Derivation (Content-Based with File ID)
//!
//! Per-chunk nonces are derived from the file's random `File_ID` and the
//! chunk's own plaintext content using keyed Blake3:
//!
//! 1. A random 16-byte `File_ID` is generated once per file and stored in the
//! header. This ensures that even if two different files have identical
//! plaintext at chunk 0, they produce different nonces and ciphertexts.
//! 2. The Argon2-derived master key is split via `blake3::derive_key` into
//! `Key_ENC` (for XChaCha20-Poly1305 encryption) and `Key_MAC` (for nonce
//! generation).
//! 3. For each chunk `i`: `Nonce_i = Blake3_keyed(Key_MAC, File_ID || M_i ||
//! chunk_idx_le)[0..24]`
//! 4. The 24-byte nonce is stored in plaintext at the head of each encrypted
//! chunk.
//!
//! Different plaintext always produces a different nonce (within the same
//! file). The `File_ID` ensures cross-file uniqueness. The chunk index prevents
//! reordering attacks on identical 64 KB blocks.
//!
//! # Authenticated Additional Data (AAD)
//!
//! Each chunk's AAD binds the ciphertext to the full file header so that any
//! tampering with header fields (version, compression flag, salt, `file_id`,
//! reserved) is detected via Poly1305 authentication failure:
//!
//! ```text
//! AAD = HEADER (64B) || chunk_idx (8B LE) || is_last_chunk (1B) // 73 bytes
//! ```
//!
//! Each encrypted chunk layout: `[NONCE (24B)] [CIPHERTEXT] [TAG (16B)]`
pub use BatchSummary;
pub use ;
pub use ;
pub use derive_key;
pub use ;
pub use ;