Streaming Authenticated Encryption (OAE2) for large data - Tink-compatible AES-256-GCM segments

Streaming-AEAD -- Streaming Authenticated Encryption (OAE2) for large data

Streaming AEAD provides authenticated encryption for data too large to encrypt or verify in a single operation. The plaintext is split into fixed-size segments and each segment is encrypted and authenticated on its own, so a receiver can verify segments as they arrive instead of buffering the whole message before the first byte is trusted. In the Tink construction the nonce of every segment encodes the segment's index and whether it is the final segment, so reordered, dropped, duplicated or truncated segments fail authentication. The output is compatible with Google Tink's streaming AEAD format.
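The following Go sketch is an added illustration of the segment construction described above; it is not code from streaming-aead or from Tink. It keeps the Tink nonce layout (7-byte random prefix || 4-byte big-endian segment index || 1-byte last-segment flag) so that reordering and truncation are caught by the GCM tag, but it is simplified and not byte-compatible with Tink: Tink derives a per-stream key with HKDF from a salt carried in the header and feeds the AAD into that derivation, whereas here the long-term key is used directly and the AAD is passed to every GCM call. The key, AAD and plaintext in `main` are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	noncePrefixLen = 7  // random per-stream prefix, sent in clear as the header
	nonceLen       = 12 // prefix(7) || segment index(4, big-endian) || last flag(1)
	tagLen         = 16 // AES-GCM authentication tag
)

// segmentNonce binds a segment to its index and to whether it closes the stream.
// A moved segment is opened under the wrong index; a stream cut short ends with
// a segment that was sealed with last=false but is opened with last=true.
// Either way the tag check fails.
func segmentNonce(prefix []byte, index uint32, last bool) []byte {
	nonce := make([]byte, nonceLen)
	copy(nonce, prefix)
	binary.BigEndian.PutUint32(nonce[noncePrefixLen:], index)
	if last {
		nonce[nonceLen-1] = 1
	}
	return nonce
}

// Encrypt emits prefix || GCM(seg_0) || GCM(seg_1) || ... with segSize plaintext
// bytes per segment; only the final segment may be shorter. aad is bound to
// every segment (simplification: Tink mixes it into HKDF instead).
func Encrypt(key, aad, plaintext []byte, segSize int) ([]byte, error) {
	if segSize < 1 {
		return nil, errors.New("segment size must be positive")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	prefix := make([]byte, noncePrefixLen)
	if _, err := rand.Read(prefix); err != nil {
		return nil, err
	}
	nSeg := (len(plaintext) + segSize - 1) / segSize
	if nSeg == 0 {
		nSeg = 1 // an empty plaintext still yields one (empty) final segment
	}
	out := append([]byte{}, prefix...)
	for i := 0; i < nSeg; i++ {
		start, end := i*segSize, (i+1)*segSize
		if end > len(plaintext) {
			end = len(plaintext)
		}
		out = gcm.Seal(out, segmentNonce(prefix, uint32(i), i == nSeg-1), plaintext[start:end], aad)
	}
	return out, nil
}

// Decrypt reverses Encrypt and rejects any stream whose segments are not exactly
// where, and as many as, the sender sealed them.
func Decrypt(key, aad, ciphertext []byte, segSize int) ([]byte, error) {
	if segSize < 1 {
		return nil, errors.New("segment size must be positive")
	}
	if len(ciphertext) < noncePrefixLen+tagLen {
		return nil, errors.New("ciphertext shorter than header plus one tag")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	prefix, body := ciphertext[:noncePrefixLen], ciphertext[noncePrefixLen:]
	full := segSize + tagLen
	nSeg := (len(body) + full - 1) / full // last segment may be short, but never below tagLen
	out := make([]byte, 0, len(body))
	for i := 0; i < nSeg; i++ {
		start, end := i*full, (i+1)*full
		if end > len(body) {
			end = len(body)
		}
		pt, err := gcm.Open(nil, segmentNonce(prefix, uint32(i), i == nSeg-1), body[start:end], aad)
		if err != nil {
			return nil, fmt.Errorf("segment %d: authentication failed (modified, reordered or truncated)", i)
		}
		out = append(out, pt...)
	}
	return out, nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key, never do this for real
	aad, pt := []byte("file-id:42"), []byte("0123456789abcdefghij")
	ct, _ := Encrypt(key, aad, pt, 8) // 3 segments: 8, 8 and 4 bytes
	_, err := Decrypt(key, aad, ct[:len(ct)-(4+tagLen)], 8)
	fmt.Println("truncated stream rejected:", err != nil)
}
```

The 7-byte prefix is the only thing keeping nonces distinct between two streams encrypted under the same key, so with the key used directly, as here, the number of streams per key must stay far below 2^28 to keep the collision probability negligible. That is the reason Tink does not use the key directly but derives a fresh per-stream key with HKDF from a random salt in the header; a library that promises Tink compatibility inherits that property.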

Installation

Install with opam:

$ opam install streaming-aead

If opam cannot find the package, it may not yet be released in the public opam-repository. Add the overlay repository, then install it:

$ opam repo add samoht https://tangled.org/gazagnaire.org/opam-overlay.git
$ opam update
$ opam install streaming-aead

Usage

Simple encrypt/decrypt

(* Needs the fmt library for Fmt.epr. The plaintext is a constructed sample,
   assumed to be a string like the AAD below. *)
let key = Streaming_aead.generate_key ()
let plaintext = String.make (10 * 1024 * 1024) 'x'
let ciphertext = Streaming_aead.encrypt_all ~key plaintext

let () =
  match Streaming_aead.decrypt_all ~key ciphertext with
  | Ok decrypted -> assert (String.equal decrypted plaintext)
  | Error e -> Fmt.epr "Error: %a@." Streaming_aead.pp_error e

With additional authenticated data (AAD)

(* key and plaintext as in the previous example. The receiver must pass the
   same AAD; a mismatch is an authentication failure and should be reported. *)
let ciphertext = Streaming_aead.encrypt_all ~key ~aad:"file-id:42" plaintext

let () =
  match Streaming_aead.decrypt_all ~key ~aad:"file-id:42" ciphertext with
  | Ok decrypted -> assert (String.equal decrypted plaintext)
  | Error e -> Fmt.epr "Error: %a@." Streaming_aead.pp_error e

API

Key Management

  • generate_key -- Generate a random 256-bit key
  • key_of_bytes / key_to_bytes -- Deserialize / serialize a key to its raw bytes; the bytes are the secret itself and must be stored and transported accordingly

Encrypt/Decrypt

  • encrypt_all -- Encrypt entire payload with optional AAD and segment size
  • decrypt_all -- Decrypt and verify entire payload

Constants

  • default_segment_size -- Default segment size for streaming
  • header_size -- Size of the stream header
  • segment_overhead -- Per-segment authentication overhead

Licence

ISC