@spec auth(binary(), key()) :: signature()

crypto_auth equivalent

@spec box(binary(), nonce(), key(), key()) :: {binary(), Kcl.State.t()}

box up an authenticated packet

@spec derive_public_key(key(), key_variety()) :: key() | :error

derive a public key from a private key

@spec generate_key_pair(key_variety()) :: {key(), key()} | :error

generate a {private, public} key pair

@spec new_connection_state(key(), key() | nil, key()) :: Kcl.State.t()

create an inital state for a peer connection

A convenience wrapper around Kcl.State.init and Kcl.State.new_peer

@spec secretbox(binary(), nonce(), key()) :: binary()

box based on a shared secret

@spec secretunbox(binary(), nonce(), key()) :: binary() | :error

unbox based on a shared secret

pre-compute a shared key

Mainly useful in a situation where many messages will be exchanged.

@spec sign(binary(), key(), key()) :: signature()

sign a message

If only the secret key is provided, the public key will be derived therefrom. This can add significant overhead to the signing operation.

@spec sign_to_encrypt(key(), key_vis()) :: key()

convert a signing Ed25519 key to a Curve25519 encryption key

@spec unbox(binary(), nonce(), key(), key()) :: {binary(), Kcl.State.t()} | :error

unbox an authenticated packet

Returns :error when the packet contents cannot be authenticated, otherwise the decrypted payload and updated state.

@spec valid_auth?(signature(), binary(), key()) :: boolean()

Compare auth HMAC

@spec valid_signature?(signature(), binary(), key()) :: boolean()

validate a message signature