X-Git-Url: https://git.distorted.org.uk/~mdw/catacomb/blobdiff_plain/16efb197c59c4b4cfaef7b2f23bd39f70176dd9e..6a024d24d97cb5d42c0091571735475b849f59f4:/progs/catcrypt.1 diff --git a/progs/catcrypt.1 b/progs/catcrypt.1 index 597118f2..6c554408 100644 --- a/progs/catcrypt.1 +++ b/progs/catcrypt.1 @@ -134,6 +134,14 @@ A has the syntax .IR kem \c .RB [ / \c +.IR bulk \c +.RB [ \- \c +.IR cipher ] \c +.RB [ / \c +.IR hash ]] +or +.IR kem \c +.RB [ / \c .IR cipher \c .RB [ / \c .IR hash ]]. @@ -196,17 +204,86 @@ algorithm of the command (see .BR key (1)) to generate the key. +.TP +.B x25519 +This is Bernstein's Curve25519, a fast Diffie-Hellman using a specific +elliptic curve. +Use the +.B x25519 +algorithm of the +.B key add +command +(see +.BR key (1)) +to generate the key. +.TP +.B x448 +This is Hamburg's Curve25519, a strong Diffie-Hellman using a specific +elliptic curve. +Use the +.B x448 +algorithm of the +.B key add +command +(see +.BR key (1)) +to generate the key. +.PP +The bulk crypto transform is chosen based on the +.B bulk +attribute on the key, or, failing that, +from the +.I bulk +stated in the +.IR kemalgspec . +Run +.B catcrypt show bulk +for a list of supported bulk crypto transforms. +.TP +.B gencomp +A generic composition of +a cipher secure against chosen-plaintext attack, +and a message authentication code. +Makes use of +.B cipher +and +.B mac +attributes. +This is the default transform. +.TP +.B naclbox +Use Salsa20 or ChaCha and Poly1305 to secure the bulk data. +This is nearly the same as the NaCl +.B crypto_secretbox +construction, +except that +.B catcrypt +uses Salsa20 or ChaCha rather than XSalsa20, +because it doesn't need the latter's extended nonce. +The +.B cipher +attribute may be set to one of +.BR salsa20 , +.BR salsa20/12 , +.BR salsa20/8 , +.BR chacha20 , +.BR chacha12 , +or +.BR chacha8 ; +the default is +.BR salsa20 . .PP As well as the KEM itself, a number of supporting algorithms are used. These are taken from appropriately named attributes on the key or, failing that, derived from other attributes as described below. .TP .B cipher -This is the symmetric encryption algorithm used for bulk data -encryption. If there is no +This is the symmetric encryption algorithm +used by the bulk data transform. +If there is no .B cipher attribute then the -.I cipher +.I bulk in the .I kemalgspec is used; if that it absent, then the default of @@ -230,9 +307,13 @@ is used. Run for a list of supported symmetric encryption algorithms. .TP .B mac -This is the message authentication algorithm used during bulk data -encryption to ensure integrity of the encrypted message and defend -against chosen-ciphertext attacks. If there is no +This is the message authentication algorithm +used by the +.B gencomp +bulk data transform +to ensure integrity of the encrypted message and +defend against chosen-ciphertext attacks. +If there is no .B mac attribute then .IB hash -hmac @@ -348,6 +429,40 @@ command (see .BR key (1)) to generate the key. .TP +.B ed25519 +This is Bernstein, Duif, Lange, Schwabe, and Yang's Ed25519 algorithm. +More specifically, this is HashEd25519 +using the selected +.B hash +algorithm \(en by default +.BR sha512 . +Use the +.B ed25519 +algorithm of the +.B key add +command +(see +.BR key (1)) +to generate the key. +.TP +.B ed448 +This is Bernstein, Duif, Lange, Schwabe, and Yang's EdDSA algorithm, +using Hamburg's Ed448-Goldilocks elliptic curve, +as specified in RFC8032. +More specifically, this is HashEd448 +using the selected +.B hash +algorithm \(en by default +.BR sha3-512 . +Use the +.B ed448 +algorithm of the +.B key add +command +(see +.BR key (1)) +to generate the key. +.TP .B mac This uses a symmetric message-authentication algorithm rather than a digital signature. The precise message-authentication scheme used is @@ -387,6 +502,14 @@ and .BR eckcdsa , the default hash function is .BR has160 . +For +.BR ed25519 , +the default hash function is +.BR sha512 . +For +.BR ed448 , +the default hash function is +.BR shake256 . .PP Run .B catcrypt show hash