Counter Mode(CTR)

AES requires a initial vector(IV), aka nonce. The following is a example of AES 256 CTR mode with a random 256-bit key and 0 as IV:

In practice key should derive key from password with a secure KDF, and iv should be a random number.

ghci> import Crypto.Random
ghci> import Crypto.Cipher.Types
ghci> import Crypto.Cipher.AES (AES256)
ghci> import Crypto.Error
ghci> do
ghci| cipher <- (getRandomBytes 32 :: IO ByteString) >>= (throwCryptoErrorIO . cipherInit) :: IO AES256
ghci| return $ ctrCombine cipher nullIV ("message"::ByteString)

Galois/Counter Mode Synthetic Initialization Vector (GCM-SIV)

CTR is good enough for common encryption case, while GCM1-SIV2 added Authenticated Encryption with Additional Data (AEAD)3, and SIV to nonce misuse-resistant.

AEAD basically bind extra data, or context to cipher text and generate a MAC, aka authentication tag, to be able to verify cipher text’s integrity(not tampered), and authenticity(not cut-and-paste).

The following is example of AES-GCM-SIV encryption of “message” with additional data “context” and a nonce.

ghci> import Crypto.Cipher.AESGCMSIV
ghci> do
ghci| key :: ByteString <- getRandomBytes 32
ghci| nonce <- generateNonce
ghci| throwCryptoErrorIO $ do
ghci| aes :: AES256 <- cipherInit key
ghci| return $ encrypt aes nonce ("context" :: ByteString) ("message" :: ByteString)
(AuthTag {unAuthTag = "\239|\229V\USNT3\ACKf\NAK\STXC\251\134\FS"},"\149\229\142SW\209Z")

Links to this note