STREAM chunked AEAD construction (Hoang-Reyhanitabar-Rogaway-Vizár 2015).
STREAM wraps a nonce-based AEAD to provide streaming authenticated encryption with per-chunk authentication. Each chunk gets a unique nonce derived from a nonce prefix and a 32-bit counter; the final chunk is distinguished by a 1-byte flag.
§Nonce layout (12-byte AES-GCM)
┌────────────── 7 bytes ──────────────┬── 4 bytes ──┬─ 1 byte ─┐
│            nonce prefix             │   counter   │   flag   │
└─────────────────────────────────────┴─────────────┴──────────┘
flag = 0x00 for non-final chunks, 0x01 for the final chunk.
§Nonce layout (24-byte XChaCha20-Poly1305)
┌──────────────── 19 bytes ───────────────┬── 4 bytes ──┬─ 1 byte ─┐
│              nonce prefix               │   counter   │   flag   │
└─────────────────────────────────────────┴─────────────┴──────────┘
§Trait contract
The init method’s nonce parameter is the nonce prefix (not the full per-chunk nonce). Its required length is NONCE_FULL - 5 bytes.

Each encrypt_update call encrypts one buffered chunk (not the supplied chunk) — the supplied chunk is stored for the next call. This “look-ahead by one chunk” is necessary so encrypt_finalize can correctly tag the last chunk with flag=0x01.
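The nonce derivation and the one-chunk look-ahead described above, as an added illustration that is not this crate's code: `stream_nonce` builds prefix || counter || flag for either nonce size, and `StreamEncryptor` shows why the final chunk can only be tagged 0x01 at finalize time. `DemoAead` is a stand-in that records its inputs rather than encrypting, and the big-endian counter encoding is an assumption (the page does not state the byte order).

```rust
// Added example, not the crate's own code. `DemoAead` only records what it was
// asked to seal; it does NOT encrypt. Assumption: the 32-bit counter is encoded
// big-endian (the page does not state the byte order).

/// nonce = prefix || counter (4 bytes) || flag; `prefix` must be `nonce_len - 5` bytes.
pub fn stream_nonce(prefix: &[u8], counter: u32, last: bool, nonce_len: usize) -> Result<Vec<u8>, String> {
    if prefix.len() + 5 != nonce_len {
        return Err(format!("nonce prefix must be {} bytes, got {}", nonce_len - 5, prefix.len()));
    }
    let mut n = prefix.to_vec();
    n.extend_from_slice(&counter.to_be_bytes());
    n.push(if last { 0x01 } else { 0x00 });
    Ok(n)
}

pub trait Aead {
    fn seal(&self, nonce: &[u8], plaintext: &[u8]) -> Vec<u8>;
}

/// Stand-in "AEAD": output is nonce || plaintext, so the nonce actually used is visible.
pub struct DemoAead;
impl Aead for DemoAead {
    fn seal(&self, nonce: &[u8], plaintext: &[u8]) -> Vec<u8> { [nonce, plaintext].concat() }
}

pub struct StreamEncryptor<A: Aead> {
    aead: A, prefix: Vec<u8>, nonce_len: usize, counter: u32, pending: Option<Vec<u8>>,
}

impl<A: Aead> StreamEncryptor<A> {
    /// `prefix` is the nonce prefix, not a full per-chunk nonce (12 -> 7 bytes, 24 -> 19 bytes).
    pub fn init(aead: A, prefix: &[u8], nonce_len: usize) -> Result<Self, String> {
        stream_nonce(prefix, 0, false, nonce_len)?; // rejects a wrong-length prefix up front
        Ok(Self { aead, prefix: prefix.to_vec(), nonce_len, counter: 0, pending: None })
    }
    fn seal_pending(&mut self, last: bool) -> Result<Option<Vec<u8>>, String> {
        let chunk = match self.pending.take() { Some(c) => c, None => return Ok(None) };
        let nonce = stream_nonce(&self.prefix, self.counter, last, self.nonce_len)?;
        // A wrapped counter would reuse a nonce under the same key: refuse instead.
        self.counter = self.counter.checked_add(1).ok_or("STREAM counter exhausted")?;
        Ok(Some(self.aead.seal(&nonce, &chunk)))
    }
    /// Stores `chunk` and encrypts the previously stored one with flag 0x00 (None on first call).
    pub fn encrypt_update(&mut self, chunk: &[u8]) -> Result<Option<Vec<u8>>, String> {
        let out = self.seal_pending(false)?;
        self.pending = Some(chunk.to_vec());
        Ok(out)
    }
    /// Encrypts the last stored chunk with flag 0x01; None if no chunk was ever supplied.
    pub fn encrypt_finalize(mut self) -> Result<Option<Vec<u8>>, String> { self.seal_pending(true) }
}
```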
Structs§
- Aes256GcmStream - STREAM chunked AEAD using AES-256-GCM.
- ChaCha20Poly1305Stream - STREAM chunked AEAD using XChaCha20-Poly1305.