[Cryptography] Announcing XSTREAM v0.1: misuse-resistant public-key cryptography combining X25519+HKDF+Miscreant

Tony Arcieri bascule at gmail.com
Fri Jan 5 16:38:00 EST 2018


I'm pleased to announce the initial release of XSTREAM: a misuse-resistant
public key cryptography library built on top of Miscreant which provides
incremental/streaming encryption support:

https://github.com/miscreant/xstream

FAQ available here:

https://github.com/miscreant/xstream/wiki/FAQ

XSTREAM is based on the STREAM construction, described here:

https://github.com/miscreant/miscreant/wiki/STREAM

## Supported Languages

Like Miscreant, XSTREAM is available for 5 different programming languages:
Go, JavaScript/TypeScript, Python, Ruby, and Rust.

Miscreant has also recently been ported to .NET/C# and we hope to have a C#
XSTREAM available soon too.

## What is it useful for?

XSTREAM is intended for encrypting data-at-rest while supporting
incremental processing, such as encrypting files, database records, or
other "blobs" of data processed a chunk-at-a-time, so if you're encrypting
a 100GB file you don't need 100GB of RAM to encrypt it, but can instead
encrypt it in smaller chunks with a size of your own choosing. The
underlying STREAM construction ensures data is both authenticated and
processed in-order, with out-of-order or truncated data manifesting as a
MAC verification failure.

It is NOT designed to be a transport encryption protocol used to secure
data-in-motion, e.g. as part of an interactive network service. For those
use cases, we recommend you use TLS or Noise.

## Construction

XSTREAM's encryptor accepts a static X25519 public key as an argument.
Internally it randomly generates an ephemeral secret scalar value (i.e.
X25519 secret key), performs elliptic curve Diffie-Hellman, then uses the
resulting shared secret as an input to HKDF-SHA-256, which it uses to
derive a symmetric key for use with STREAM (using AES-128-PMAC-SIV as the
default cipher).

Conceptually XSTREAM is similar to NaCl's crypto_box() with an ephemeral
key, or libsodium's crypto_box_seal() which handles generating the random
ephemeral secret key for you. However, XSTREAM gracefully tolerates things
like RNG failures thanks to its nonce reuse misuse resistance[1], whereas
ciphers like (X)Salsa20 and (X)ChaCha20 leak the XOR of the plaintexts
under these conditions, and the Poly1305 authenticator leaks the
authentication key.

However, before you choose XSTREAM over crypto_box()/crypto_box_seal(),
please see the warning below.

[1]: XSTREAM is built on the misuse resistant AES-SIV and AES-PMAC-SIV
symmetric ciphers as implemented in Miscreant. You can read more about it
here:
https://github.com/miscreant/miscreant/wiki/Nonce-Reuse-Misuse-Resistance
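The construction described above (ephemeral X25519 Diffie-Hellman, HKDF-SHA-256, then per-segment STREAM nonces) as an added Go example, not XSTREAM's or Miscreant's own code: it uses Go's crypto/ecdh, hand-rolls HKDF with crypto/hmac, and substitutes AES-GCM for AES-PMAC-SIV because the Go standard library has no SIV mode. The HKDF info string, the 7-byte nonce prefix and the nonce layout are assumptions for illustration, not XSTREAM's actual format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// StreamAEAD: HKDF-SHA-256 (RFC 5869, empty salt, one expand block) turns the
// X25519 shared secret into an AES-128 key; AES-GCM stands in for AES-PMAC-SIV.
func StreamAEAD(shared []byte) (cipher.AEAD, error) {
	ext := hmac.New(sha256.New, nil) // extract with empty salt
	ext.Write(shared)
	exp := hmac.New(sha256.New, ext.Sum(nil)) // expand: T(1) = HMAC(PRK, info || 0x01)
	exp.Write([]byte("xstream-example\x01"))  // info string is an assumption
	block, err := aes.NewCipher(exp.Sum(nil)[:16])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encapsulate: fresh ephemeral X25519 key, DH against the recipient's static
// public key. The ephemeral public key is sent along with the ciphertext.
func Encapsulate(recipient *ecdh.PublicKey) (ephPub []byte, aead cipher.AEAD, err error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	shared, err := eph.ECDH(recipient) // errors on an all-zero (low-order) result
	if err != nil {
		return nil, nil, err
	}
	aead, err = StreamAEAD(shared)
	return eph.PublicKey().Bytes(), aead, err
}

// Nonce binds a segment's position and the end-of-stream flag into its AEAD
// nonce; assumed layout (not XSTREAM's actual one): 7-byte prefix || 32-bit
// big-endian counter || last flag, 12 bytes to fit GCM's nonce size.
func Nonce(ctr uint32, last bool) []byte {
	n := append([]byte("xstream"), byte(ctr>>24), byte(ctr>>16), byte(ctr>>8), byte(ctr))
	if last {
		return append(n, 1)
	}
	return append(n, 0)
}
```

Seal chunk i with aead.Seal(nil, Nonce(i, isLast), chunk, nil) and open it with the same nonce; a segment presented out of order, replayed, or with the wrong last flag (a truncated stream) fails authentication. Because GCM, unlike AES-SIV, is not nonce-misuse resistant, this stand-in depends entirely on the fresh ephemeral key produced by each Encapsulate call for nonce uniqueness.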

## WARNING

This is v0.1 of an unreviewed cryptography library. It should go without
saying that you shouldn't use it for anything serious yet.

That said, even if you're feeling a bit YOLO and want to use it anyway,
there's good reason not to yet: the design is not frozen and likely to
change. There is presently an open issue which is likely to result in
breaking changes:

https://github.com/miscreant/xstream/issues/15

-- 
Tony Arcieri