1## Introduction {#crypto-introduction}
2
3This library provides bindings  to  functionality   of  OpenSSL  that is
4related to cryptography and authentication,   not  necessarily involving
5connections, sockets or streams.
6
7## Design principle: Secure default algorithms {#crypto-secure-defaults}
8
9A basic design principle of this library is that its _default algorithms
10are  cryptographically secure_  at the  time of  this writing.   We will
11_change_ the default algorithms if an  attack on them becomes known, and
12replace them by new defaults that are deemed appropriate at that time.
13
14This may mean, for example, that where `sha256` is currently the default
15algorithm, `blake2s256` or  some other algorithm may  become the default
16in the future.
17
18To  preserve interoperability  and compatibility  and at  the same  time
19allow us to transparently update default algorithms of this library, the
20following conventions are used:
21
22    1. If an explicit algorithm is specified as an option, then that
23       algorithm is used.
24    2. If _no_ algorithm is specified, then a cryptographically secure
25       algorithm is used.
26    3. If an option that normally specifies an algorithm is present,
27       and a _logical variable_ appears instead of a concrete algorithm,
28       then that variable is unified with the secure default value.
29
30This  allows application  programmers to  inspect _which_  algorithm was
31actually used, and store it for later reference.
32
33For example:
34
35==
36?- crypto_data_hash(test, Hash, [algorithm(A)]).
37Hash = '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08',
38A = sha256.
39==
40
41This  shows that  at  the  time of  this  writing,  `sha256` was  deemed
42sufficiently secure, and was used as default algorithm for hashing.
43
44You therefore must not rely on  _which_ concrete algorithm is being used
45by  default.  However,  you  can  rely on  the  fact  that  the  default
46algorithms are  secure. In other words,  if they are _not_  secure, then
47this is a mistake in this library,  and we ask you to please report such
48a situation as an urgent security issue.
49
50## Representing binary data {#crypto-binary-data}
51
52In the context  of this library, _bytes_ can be  represented as lists of
53integers between  0 and  255. Such  lists can be  converted to  and from
54_hexadecimal notation_ with the following bidirectional relation:
55
56  * [[hex_bytes/2]]
57
58## Cryptographically secure random numbers {#crypto-random}
59
60Almost  all  cryptographic  applications  require  the  availability  of
61numbers that are sufficiently  unpredictable.  Examples are the creation
62of  keys,  nonces  and  salts.   With this  library,  you  can  generate
63cryptographically strong pseudo-random numbers for such use cases:
64
65  * [[crypto_n_random_bytes/2]]
66
67## Hashes {#crypto-hash}
68
69A **hash**, also called **digest**, is  a way to verify the integrity of
70data.  In typical  cases, a hash is significantly shorter  than the data
71itself,  and already  miniscule changes  in the  data lead  to different
72hashes.
73
74The  hash functionality  of this  library subsumes  and extends  that of
75`library(sha)`, `library(hash_stream)` and `library(md5)` by providing a
76unified interface to all available digest algorithms.
77
78The underlying  OpenSSL library  (`libcrypto`) is dynamically  loaded if
79_either_ `library(crypto)`  or `library(ssl)` are loaded.  Therefore, if
80your application uses `library(ssl)`,  you can use `library(crypto)` for
81hashing without increasing the memory  footprint of your application. In
82other cases, the specialised hashing  libraries are more lightweight but
83less general alternatives to `library(crypto)`.
84
85### Hashes of data and files {#crypto-hash-basic}
86
87The most important predicates to compute hashes are:
88
89  * [[crypto_data_hash/3]]
90  * [[crypto_file_hash/3]]
91
92### Hashes of passwords {#crypto-hash-password}
93
94For  the  important  case  of  deriving  hashes  from  _passwords_,  the
95following specialised predicates are provided:
96
97  * [[crypto_password_hash/2]]
98  * [[crypto_password_hash/3]]
99
100### HMAC-based key derivation function (HKDF) {#crypto-hkdf}
101
102The following  predicate implements  the _Hashed  Message Authentication
103Code  (HMAC)-based key  derivation function_,  abbreviated as  HKDF.  It
104supports a wide range of  applications and requirements by concentrating
105possibly  dispersed  entropy  of  the input  keying  material  and  then
106expanding it to the desired length. The number and lengths of the output
107keys depend on the specific  cryptographic algorithms for which the keys
108are needed.
109
110  * [[crypto_data_hkdf/4]]
111
112### Hashing incrementally {#crypto-hash-incremental}
113
114The   following   predicates   are    provided   for   building   hashes
115_incrementally_.   This  works  by  first creating  a  **context**  with
116crypto_context_new/2, then using this context with crypto_data_context/3
117to  incrementally  obtain  further  contexts, and  finally  extract  the
118resulting hash with crypto_context_hash/2.
119
120  * [[crypto_context_new/2]]
121  * [[crypto_data_context/3]]
122  * [[crypto_context_hash/2]]
123
124The following hashing predicates work over _streams_:
125
126  * [[crypto_open_hash_stream/3]]
127  * [[crypto_stream_hash/2]]
128
129## Digital signatures {#crypto-signatures}
130
131A digital **signature**  is a relation between a key  and data that only
132someone who knows the key can compute.
133
134_Signing_ uses  a _private_  key, and _verifying_  a signature  uses the
135corresponding _public_ key of the  signing entity. This library supports
136both  RSA  and ECDSA  signatures.  You  can use  load_private_key/3  and
137load_public_key/2 to load keys from files and streams.
138
139In typical cases, we use this mechanism  to sign the _hash_ of data. See
140[hashing](<#crypto-hash>).  For this  reason,  the following  predicates
141work on the _hexadecimal_ representation of  hashes that is also used by
142crypto_data_hash/3 and related predicates.
143
144Signatures are also  represented in hexadecimal notation,  and you can
145use hex_bytes/2 to convert them to and from lists of bytes (integers).
146
147### ECDSA {#crypto-ECDSA}
148
149  * [[ecdsa_sign/4]]
150  * [[ecdsa_verify/4]]
151
152### RSA {#crypto-RSA}
153
154  * [[rsa_sign/4]]
155  * [[rsa_verify/4]]
156
157## Asymmetric encryption and decryption {#crypto-asymmetric}
158
159The  following  predicates  provide   _asymmetric_  RSA  encryption  and
160decryption.  This  means that the key  that is used for  _encryption_ is
161different from the one used to _decrypt_ the data:
162
163  * [[rsa_private_decrypt/4]]
164
165## Symmetric encryption and decryption {#crypto-symmetric}
166
167The   following   predicates    provide   _symmetric_   encryption   and
168decryption. This means that the _same_ key is used in both cases.
169
170  * [[crypto_data_encrypt/6]]
171  * [[crypto_data_decrypt/6]]
172
173## Number theory {#crypto-numbertheory}
174
175This  library provides  operations  from number  theory that  frequently
176arise   in  cryptographic   applications,  complementing   the  existing
177built-ins and GMP bindings:
178
179   * [[crypto_modular_inverse/3]]
180   * [[crypto_generate_prime/3]]
181   * [[crypto_is_prime/2]]
182
183## Elliptic curves {#crypto-ec}
184
185This  library  provides  functionality   for  reasoning  over  _elliptic
186curves_. Elliptic curves are represented as opaque objects.  You acquire
187a handle for an elliptic curve via crypto_name_curve/2.
188
189A _point_ on a curve is  represented by the Prolog term =|point(X, Y)|=,
190where  `X`  and `Y`  are  integers  that  represent the  point's  affine
191coordinates.
192
193The  following  predicates  are  provided for  reasoning  over  elliptic
194curves:
195
196    * [[crypto_name_curve/2]]
197    * [[crypto_curve_order/2]]
198    * [[crypto_curve_generator/2]]
199    * [[crypto_curve_scalar_mult/4]]
200
201## Example: Establishing a shared secret {#crypto-shared-secret}
202
203As one example that involves most predicates of this library, we explain
204a way to establish a _shared  secret_ over an insecure channel. We shall
205use _elliptic curves_ for this purpose.
206
207Suppose Alice  wants to establish  an encrypted connection with  Bob. To
208achieve this  even over a channel  that may be subject  to eavesdrooping
209and man-in-the-middle attacks, Bob performs the following steps:
210
211    1. Choose an elliptic curve `C`, using crypto_name_curve/2.
212    2. Pick a random integer _k_ such that _k_ is greater than 0 and
213       smaller than the order of `C`. This can be done using
214       crypto_curve_order/2 and crypto_n_random_bytes/2.
215    3. Use crypto_curve_generator/2 to obtain the generator `G` of `C`, and
216       use crypto_curve_scalar_mult/4 to compute the scalar product _k*G_.
217       We call this result `R`, denoting a point on the curve.
218    4. Sign `R` (using for example rsa_sign/4 or ecdsa_sign/4) and
219       send this to Alice.
220
221This mechanism hinges on a way for Alice to establish the _authenticity_
222of  the   signed  message   (using  predicates  like   rsa_verify/4  and
223ecdsa_verify/4),  for  example  by  means  of  a  public  key  that  was
224previously exchanged or is signed by a  trusted party in such a way that
225Alice can be sufficiently certain that it belongs to Bob.  However, none
226of these steps require any encryption!
227
228Alice in turn performs the following steps:
229
230    1. Create a random integer _j_ such that _j_ is greater than 0 and
231       smaller than the order of C. Alice can also use
232       crypto_curve_order/2 and crypto_n_random_bytes/2 for this.
233    2. Compute the scalar product _j*G_, where `G` is again the generator
234       of `C` as obtained via crypto_curve_generator/2.
235    3. Further, compute the scalar product _j*R_, which is a point on
236       the curve that we shall call Q. We can derive a _shared secret_
237       from `Q`, using for example crypto_data_hkdf/4, and encrypt any
238       message with it (using for example crypto_data_encrypt/6).
239    4. Send the point _j*G_ and the encrypted message to Bob.
240
241Bob  receives _j*G_  in plain  text and  can arrive  at the  same shared
242secret  by  performing   the  calculation  _k*(j*G)_,  which   is  -  by
243associativity and commutativity of  scalar multiplication - identical to
244the point _j*(k*G)_,  which is again Q from which  the shared secret can
245be derived, and the message can be decrypted with crypto_data_decrypt/6.
246
247This method is known as Diffie-Hellman-Merkle key exchange over elliptic
248curves, abbreviated as  ECDH. It provides forward secrecy  (FS): Even if
249the private key that was used  to establish the _authenticity_ of Bob is
250later compromised, the encrypted messages cannot be decrypted with it.
251
252A major attraction of using elliptic curves for this purpose is found in
253the  comparatively small  key size  that  suffices to  make any  attacks
254unrealistic as far as we currently know.  In particular, given any point
255on the curve,  we currently have no efficient way  to determine by which
256scalar the  generator was multiplied  to obtain that point.   The method
257described above relies on the hardness of this so-called _elliptic curve
258discrete logarithm  problem_ (ECDLP).   On the other  hand, some  of the
259named curves have  been suspected to be  chosen in such a  way that they
260could be prone to attacks that are not publicly known.
261
262As an  alternative to  ECDH, you  can use the  original DH  key exchange
263scheme,  where the  prime field  GF(p) is  used instead  of an  elliptic
264curve, and _exponentiation_  of a suitable generator is  used instead of
265scalar multiplication.  You can  use crypto_generate_prime/3 to generate
266a sufficiently large prime for this purpose.
267