{"id":21331548,"url":"https://github.com/lukechampine/adiantum","last_synced_at":"2025-07-12T10:30:49.172Z","repository":{"id":57498388,"uuid":"169898204","full_name":"lukechampine/adiantum","owner":"lukechampine","description":"Go implementation of Adiantum","archived":false,"fork":false,"pushed_at":"2024-05-24T14:01:01.000Z","size":1754,"stargazers_count":86,"open_issues_count":0,"forks_count":8,"subscribers_count":4,"default_branch":"master","last_synced_at":"2024-10-29T00:20:24.589Z","etag":null,"topics":["adiantum","encryption","fde","hbsh","hpolyc"],"latest_commit_sha":null,"homepage":null,"language":"Assembly","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lukechampine.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-02-09T18:21:35.000Z","updated_at":"2024-09-07T09:00:33.000Z","dependencies_parsed_at":"2024-05-13T00:19:02.058Z","dependency_job_id":"910ab3fa-c8c4-4f95-8ad3-9b52271e53f7","html_url":"https://github.com/lukechampine/adiantum","commit_stats":{"total_commits":47,"total_committers":2,"mean_commits":23.5,"dds":"0.23404255319148937","last_synced_commit":"2c7a2874163eede7e5de7ea5c8c4f4d1ba065233"},"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lukechampine%2Fadiantum","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lukechampine%2Fadiantum/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lukechampine%2Fadiantum/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lukechampine%2Fadiantum/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lukechampine","download_url":"https://codeload.github.com/lukechampine/adiantum/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225814913,"owners_count":17528295,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["adiantum","encryption","fde","hbsh","hpolyc"],"created_at":"2024-11-21T22:42:13.555Z","updated_at":"2024-11-21T22:42:14.004Z","avatar_url":"https://github.com/lukechampine.png","language":"Assembly","funding_links":[],"categories":[],"sub_categories":[],"readme":"adiantum\n--------\n\n[![GoDoc](https://godoc.org/lukechampine.com/adiantum?status.svg)](https://godoc.org/lukechampine.com/adiantum)\n[![Go Report Card](http://goreportcard.com/badge/lukechampine.com/adiantum)](https://goreportcard.com/report/lukechampine.com/adiantum)\n\n```\ngo get lukechampine.com/adiantum\n```\n\nThis repo contains an implementation of [Adiantum](https://github.com/google/adiantum), a tweakable and length-preserving\nencryption cipher.\n\nAdiantum is an instance of HBSH, an encryption mode designed for disk\nencryption. In addition to being tweakable and length-preserving, HBSH is a\n\"super-pseudorandom permutation\", meaning that changing a single bit of the\nplaintext scrambles the entire ciphertext; this is in contrast to the most\ncommon disk encryption mode, XTS, where one bitflip scrambles only 16 bytes of\nthe ciphertext.\n\nHBSH is a construction, not a primitive. Specifically, it is built from a stream\ncipher, a block cipher, and a hash function. The [original paper](https://eprint.iacr.org/2018/720.pdf) provides a proof\nthat this construction is secure if the underlying primitives are secure.\n\nAdiantum uses XChaCha12 for its stream cipher, AES for its block cipher, and NH\nand Poly1305 for hashing. The paper also describes a closely-related instance of\nHBSH called HPolyC, which is slower on large messages, but more key-agile and\nsimpler to implement.\n\nThis repo currently contains implementations of Adiantum and HPolyC, with 8, 12,\nand 20-round variants. (12 rounds is the standard variant.) You can also\nimplement your own HBSH variants using the `hbsh` package.\n\n\n## Usage\n\n```go\nimport \"lukechampine.com/adiantum\"\n\nfunc main() {\n    key := make([]byte, 32) // in practice, read this from crypto/rand\n    cipher := adiantum.New(key)\n    tweak := make([]byte, 12) // can be any length\n    plaintext := []byte(\"Hello, world!\")\n    ciphertext := cipher.Encrypt(plaintext, tweak)\n    recovered := cipher.Decrypt(ciphertext, tweak)\n    println(string(recovered)) // Hello, world!\n}\n```\n\nTo use Adiantum for disk encryption, simply set the tweak equal to the disk\nsector index. For example, to encrypt *n* consecutive 4096-byte sectors,\nincrement the tweak by 1 after encrypting each sector.\n\nIt is important to understand the threat model for disk encryption.\nSpecifically, disk encryption is most effective when the attacker only sees one\nversion of the disk contents. It is less effective when the attacker can sample\nthe contents at will. This is because writing the same sector to the same\nlocation will result in the same ciphertext. As such, an attacker with multiple\nsamples can detect if you \"undo\" a disk write by overwriting a sector with a\nprevious version of that sector. Worse, an attacker can replace a sector with a\npreviously-written sector, and it will decrypt just fine. [See\nhere](https://sockpuppet.org/blog/2014/04/30/you-dont-want-xts/) for a more\ndetailed critique of disk encryption and some recommended alternatives.\n\n\n## Benchmarks\n\nTested on an i5-7600K @ 3.80GHz. Results will likely be slower on non-amd64\narchitectures.\n\n```\nBenchmarkAdiantum/XChaCha8_Encrypt-4      1479 ns/op     2768.92 MB/s      0 allocs/op\nBenchmarkAdiantum/XChaCha8_Decrypt-4      1477 ns/op     2772.76 MB/s      0 allocs/op\nBenchmarkAdiantum/XChaCha12_Encrypt-4     1748 ns/op     2341.98 MB/s      0 allocs/op\nBenchmarkAdiantum/XChaCha12_Decrypt-4     1748 ns/op     2342.57 MB/s      0 allocs/op\nBenchmarkAdiantum/XChaCha20_Encrypt-4     2288 ns/op     1789.87 MB/s      0 allocs/op\nBenchmarkAdiantum/XChaCha20_Decrypt-4     2283 ns/op     1793.88 MB/s      0 allocs/op\n\nBenchmarkHPolyC/XChaCha8_Encrypt-4        3448 ns/op     1285.53 MB/s      0 allocs/op\nBenchmarkHPolyC/XChaCha8_Decrypt-4        3437 ns/op     1289.96 MB/s      0 allocs/op\nBenchmarkHPolyC/XChaCha12_Encrypt-4       3719 ns/op     1186.35 MB/s      0 allocs/op\nBenchmarkHPolyC/XChaCha12_Decrypt-4       3709 ns/op     1184.61 MB/s      0 allocs/op\nBenchmarkHPolyC/XChaCha20_Encrypt-4       4258 ns/op     1026.22 MB/s      0 allocs/op\nBenchmarkHPolyC/XChaCha20_Decrypt-4       4245 ns/op     1028.97 MB/s      0 allocs/op\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flukechampine%2Fadiantum","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flukechampine%2Fadiantum","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flukechampine%2Fadiantum/lists"}