Lib.rs

Cryptography
#aead #authenticated-encryption #siv #hs1

no-std hs1-siv

Pure Rust implementation of the HS1-SIV Authenticated Encryption with Additional Data Cipher. Based on ChaCha.

Owned by David Hoppenbrouwers.

3 unstable releases

new 0.2.0-pre.0 Jan 28, 2025
0.1.1 Jan 22, 2025
0.1.0 Jan 22, 2025

#1451 in Cryptography

Download history 247/week @ 2025-01-21

247 downloads per month

Apache-2.0 OR MIT

33KB
749 lines

Pure Rust implementation of HS1-SIV.

HS1-SIV is based on the ChaCha stream cipher. The tag is generated using a new hashing algorithm. It also doubles as a SIV (synthetic IV), providing resistance against nonce reuse.

The algorithm is configurable:

  • B: Block size, as a multiple of 16.
  • T: "collision level" (higher is more secure).
  • R: ChaCha rounds.
  • L: Tag length in bytes.

3 standard settings are provided:

Name B T R L
Hs1SivLo 4 2 8 8
Hs1SivMe 4 4 12 16
Hs1SivHi 4 6 20 32

Security per setting is (n = amount of messages generated):

Name Key search SIV collision
Hs1SivLo n/(2^256) (n^2)/(2^56) + (n^2)/(2^64)
Hs1SivMe n/(2^256) (n^2)/(2^112) + (n^2)/(2^128)
Hs1SivHi n/(2^256) (n^2)/(2^168) + (n^2)/(2^256)

Dependencies

~540KB
~12K SLoC