Improve documentation

qm3ster · Mar 4, 2022 · 87732e4 · 87732e4
1 parent c0e952e
commit 87732e4
Show file tree

Hide file tree

Showing 7 changed files with 87 additions and 8 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -16,3 +16,7 @@ poly1305 = "0.7.2"
 subtle = "2.4.1"
 typenum = "1.15.0"
 universal-hash = "0.4.1"
+
+[dev-dependencies]
+base64 = "0.13.0"
+rand = "0.8.5"
diff --git a/README.md b/README.md
@@ -13,10 +13,27 @@
 
 Here lies an implementation of ["Deterministic Authenticated Encryption with no noNCEnse" by Taylor ‘Riastradh’ Campbell](https://github.com/riastradh/daence).
 
+## Security Warning
+**No** security audits of this crate have ever been performed, and it has not been thoroughly assessed to ensure its operation is constant-time on common CPU architectures.
+
+**USE AT YOUR OWN RISK!**
+
+## Description
+
 Rumor has it that this [`AEAD`](https://en.wikipedia.org/wiki/Authenticated_encryption) construct thrives in abscence of nonces.
 
+That property, combined with a tag size of only 12 bytes, allows using it for extremely size-constrained messages.
+
 It seems like it works, I am going to use it, and so can you.
 
+Notably, at the time of writing, it is probably as constant-time as the underlying `poly1305::Poly1305`, `chacha20::hchacha`, `chacha20::XChaCha20` and `<[u8] as subtle::ConstantTimeEq>::ct_eq`.</br>
+There is no flow control, and all of these get called on the entire relevant portions of the data for any and all keys, additional data, cyphertext, and tag.
+
+⚠ That said, **neither this implementation, nor the original specification have been sufficiently peer reviewed**, and using this today may be unreasonable for many usecases. ⚠</br>
+I personally have several questions for the specification...</br>
+If you have the space for it, you may want to use [`AES-GCM-SIV`](https://github.com/RustCrypto/AEADs/tree/master/aes-gcm-siv).
+If you additionaly have a source of nonces, and are confident they will not be reused, you may use [`ChaCha20Poly1305`](https://github.com/RustCrypto/AEADs/tree/master/chacha20poly1305).
+
 Currently, only the later XChaCha20 (as opposed to the Salsa20) variant is implemented.
 
 Contributions are welcome, including documentation, benchmarks, and *especially* implementing the [`aead` traits](https://docs.rs/aead/latest/aead/#traits).

diff --git a/examples/basic/main.rs → examples/basic.rs b/examples/basic/main.rs → examples/basic.rs
diff --git a/examples/basic/Cargo.toml b/examples/basic/Cargo.toml
diff --git a/src/chacha.rs b/src/chacha.rs
@@ -27,13 +27,13 @@ impl<A: AsRef<[u8]>> ChaChaDaence<A> {
         Self { cha, p1, p2, ad }
     }
 
-    /// Encrypts a message `msg` in place `msg` in place, and writes authentication tago to `tag`.
+    /// Writes authentication tag to `tag` and encrypts the message `msg` in place.
     pub fn encrypt(&self, msg: &mut [u8], tag: &mut [u8; 24]) {
         self.compressauth(msg, tag);
         chacha20::XChaCha20::new(&self.cha, (&*tag).into()).apply_keystream(msg);
     }
 
-    /// Authenticates and decrypts a message `msg` in place using `tag`
+    /// Decrypts and authenticates a message `msg` in place using `tag`
     /// If authentication fails, will zero-out the message instead.
     ///
     /// # Errors

diff --git a/src/lib.rs b/src/lib.rs
@@ -1,5 +1,6 @@
 #![warn(clippy::pedantic, clippy::nursery)]
-/// Welcome.
-/// You probably want `ChaChaDaence` below.
+//! Welcome.
+//! You probably want the `ChaChaDaence` below.
+
 mod chacha;
 pub use chacha::ChaChaDaence;