Expand description
Bytes-in / bytes-out cryptographic core of the oboron protocol.
obcrypt implements oboron’s authenticated core encryption schemes
operating on raw byte slices. It does not encode the output (no
base64, no base32) and does not validate UTF-8 — plaintext bytes
pass through unchanged.
Keys do have a canonical text form: hex (128 lowercase
characters). Key::from_hex / Key::to_hex handle that — see
Key for rationale.
For the full string-in / string-out oboron protocol — with obtext
encoding and format strings — see the
oboron crate, which depends
on this one. The unauthenticated and obfuscation schemes live in the
separate obu layer.
§Quick start
use obcrypt::{encrypt, decrypt, Key, Scheme};
let key = Key::random();
let ct = encrypt(b"secret data", Scheme::Dsiv, &key)?;
let pt = decrypt(&ct, Scheme::Dsiv, &key)?;
assert_eq!(pt, b"secret data");§Schemes
| Scheme | Properties | Algorithm | Key material |
|---|---|---|---|
Scheme::Dsiv | deterministic | AES-SIV | full 64-byte master |
Scheme::Dgcmsiv | deterministic | AES-GCM-SIV | HKDF-derived |
Scheme::Psiv | probabilistic | AES-SIV | full 64-byte master |
Scheme::Pgcmsiv | probabilistic | AES-GCM-SIV | HKDF-derived |
All four are authenticated: decrypt returns
Error::DecryptionFailed on tampering, a wrong key, or the wrong
scheme. Deterministic variants (dsiv, dgcmsiv) leak plaintext
equality (same plaintext + key → same output); use a probabilistic
variant when that isn’t acceptable.
Plus testing-only schemes behind the mock feature flag — mock1
(identity) and mock2 (reverse), which perform no encryption
and are not selectable through Scheme::from_str.
§Output format
The output is exactly the scheme’s AEAD output — there is no scheme
marker. The scheme is supplied by the caller to both encrypt and
decrypt (oboron’s no-marker model: supplying the wrong scheme
fails the authentication check). Per-scheme byte layouts:
- deterministic:
siv-tag || ciphertext(dsiv) orciphertext || tag(dgcmsiv). - probabilistic: a fresh nonce is prepended.
§API
Each operation has an owned form (returns a fresh Vec<u8>) and
an _into form (appends to a caller buffer; zero extra
allocation on the AEAD path):
encrypt/encrypt_into—(plaintext, scheme, key)decrypt/decrypt_into—(scheme_output, scheme, key)
Keys come last; data first. The per-scheme primitives live under
schemes for callers that already know the scheme statically.
§Security model
Symmetric authenticated encryption over a 64-byte master key.
- Authenticity: every scheme is authenticated via the AEAD tag.
- Determinism: deterministic variants leak plaintext equality.
- Key derivation: the SIV schemes use the master key directly;
the GCM-SIV schemes derive a 32-byte key with
HKDF-Expandover the master (HMAC-SHA-256, infogcmsiv, shared by both GCM-SIV schemes; Extract is skipped, as the master is already a uniform pseudorandom key). - Nonce handling: probabilistic schemes draw a fresh nonce per call from the OS RNG. AES-SIV and AES-GCM-SIV are nonce-misuse resistant — even under accidental reuse they degrade only to the equality-leak property of the deterministic variants.
- Side channels: obcrypt relies on the underlying
aes-siv,aes-gcm-siv, andhkdfcrates for constant-time primitives where applicable; no extra side-channel hardening is added here. - Key zeroization:
KeyisZeroizeOnDrop; derived GCM-SIV subkeys are held inZeroizingbuffers.
See SECURITY.md
for the full threat model and reporting policy.
§Cargo features
default = ["dgcmsiv", "pgcmsiv", "dsiv", "psiv"]— every production scheme.- Per-scheme:
dgcmsiv,pgcmsiv,dsiv,psiv. mock— adds the testing-onlymock1/mock2schemes (no encryption; not parseable from a string).
Schemes are individually gated so binary size scales with the schemes you actually use.
Modules§
- schemes
- Per-scheme raw cryptographic primitives.
Structs§
- Key
- 64-byte symmetric master key for obcrypt operations.
Enums§
- Error
- All errors that can occur in obcrypt operations.
- Scheme
- Scheme identifier — selects the algorithm + properties.
Functions§
- decrypt
- Decrypt
scheme_outputunderscheme, returning the plaintext. - decrypt_
into - Decrypt
scheme_outputunderscheme, appending the plaintext toout. - encrypt
- Encrypt
plaintextunderscheme, returning the scheme output bytes. - encrypt_
into - Encrypt
plaintextunderscheme, appending the output toout. - generate_
key - Generate a cryptographically secure random 64-byte
Key.