Skip to content

docs: align README Security section with AES-256-GCM-SIV/BE32#27

Merged
darkmaster0345 merged 1 commit into
mainfrom
neuron-encrypt/fix-readme-security-spec
Jun 19, 2026
Merged

docs: align README Security section with AES-256-GCM-SIV/BE32#27
darkmaster0345 merged 1 commit into
mainfrom
neuron-encrypt/fix-readme-security-spec

Conversation

@darkmaster0345

@darkmaster0345 darkmaster0345 commented Jun 19, 2026

Copy link
Copy Markdown
Owner

Summary by Sourcery

Update security documentation to reflect the AES-256-GCM-SIV BE32 streaming design and current key-derivation parameters.

Documentation:

  • Clarify the VAULTX03 streaming nonce size and how EncryptorBE32 expands it internally.
  • Revise the security parameter table to describe AES-256-GCM-SIV BE32 streaming, updated Argon2id lanes, and GHASH-based integrity.
  • Document separate key-derivation flows and salt sizes for VAULTX03 and VAULTX02 formats, including Argon2id parallelism.
  • Align the documented security guarantees with GCM-SIV authentication tags and the 56-bit per-file nonce scheme.

Summary by CodeRabbit

  • Documentation
    • Updated README with clarifications on the VAULTX03 encryption format and key derivation process.
    • Revised security threat model documentation to reflect current cryptographic implementation details.
    • Enhanced explanations of the cipher suite and authentication mechanisms.

@sourcery-ai

sourcery-ai Bot commented Jun 19, 2026

Copy link
Copy Markdown
Contributor

Reviewer's Guide

Documentation-only PR updating the README security and streaming format sections to accurately describe the VAULTX03 AES-256-GCM-SIV/BE32 implementation, Argon2id parameters, and integrity/nonce properties.

Flow diagram for VAULTX03 key derivation and nonce handling

flowchart TD
  P[passphrase]
  S[16-byte OsRng salt]
  P -->|combine| A[Argon2id
m=64MB, t=3, p=4]
  S --> A
  A --> M[64-byte master_key]
  M --> K[HKDF-SHA512 → 32-byte encryption_key]
  M --> N[HKDF-SHA512 → 32-byte nonce_seed]

  N --> R[OsRng 7-byte stream_nonce per file]
  R --> E[EncryptorBE32]
  E --> X[12-byte nonce
7-byte stream_nonce
+ 4-byte counter
+ 1-byte flag]
  K --> C[AES-256-GCM-SIV
1 MB chunks]
  X --> C
  C --> T[128-bit auth tag per chunk]
Loading

File-Level Changes

Change Details Files
Clarified VAULTX03 streaming nonce format and internal expansion in the README.
  • Specify that the stream nonce is 56 bits (7 bytes) generated per file
  • Explain that EncryptorBE32 expands the 7-byte nonce to a 12-byte nonce by appending a 5-byte counter and 1-byte flag
  • Retain description of AES-256-GCM-SIV chunked encryption semantics
README.md
Updated the security parameters table to reflect AES-256-GCM-SIV BE32 streaming, Argon2id parallelism, and integrity mechanism.
  • Change V3 encryption description from XChaCha20-Poly1305 to AES-256-GCM-SIV (BE32 streaming) with 56-bit stream nonce and per-chunk 128-bit auth tag
  • Clarify that V2 legacy encryption uses AES-256-GCM-SIV with a 96-bit nonce and 128-bit auth tag
  • Update Argon2id parameters to use 4 lanes instead of 1
  • Clarify integrity is provided by GHASH (GCM-SIV) and add a Memory Hygiene row documenting Zeroizing usage
README.md
Expanded key-derivation documentation to distinguish VAULTX03 and VAULTX02 and align with current Argon2id and salt sizes.
  • Add separate key-derivation diagrams/sections for V3 (VAULTX03) and V2 (VAULTX02)
  • Document that V3 uses a 16-byte salt and V2 uses a 32-byte salt
  • Update both flows to explicitly use Argon2id with 64 MB, 3 passes, and 4 lanes before HKDF expansion to enc/nonces
README.md
Aligned threat model bullets with AES-256-GCM-SIV / BE32 behavior for authentication and nonces.
  • Change ciphertext-tampering protection description from Poly1305 to GCM-SIV authentication tag (GHASH) per 1 MB chunk
  • Update nonce-reuse description to explain 7-byte (56-bit) random nonce per file that EncryptorBE32 expands with a per-chunk counter, and that this keeps collision probability negligible
README.md

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@darkmaster0345 darkmaster0345 merged commit c66187f into main Jun 19, 2026
3 of 5 checks passed
@coderabbitai

coderabbitai Bot commented Jun 19, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 14fc6ab1-22b5-4af8-9346-c42b5a3f24ad

📥 Commits

Reviewing files that changed from the base of the PR and between edfc2f2 and 78684aa.

📒 Files selected for processing (1)
  • README.md

📝 Walkthrough

Walkthrough

README documentation for Neuron Encrypt's VAULTX03 format is updated: the nonce field description is revised to a 7-byte OsRng nonce expanded to 12 bytes by EncryptorBE32; the Cipher Suite/Key Derivation section switches V3 to AES-256-GCM-SIV (BE32), adjusts Argon2id to p=4, and corrects V3/V2 salt sizes; and the Threat Model bullets are aligned to per-chunk GCM-SIV tags and the updated nonce scheme.

Changes

VAULTX03 Documentation Update

Layer / File(s) Summary
VAULTX03 nonce, cipher suite, and key derivation docs
README.md
Nonce field revised to 7-byte OsRng expanded by EncryptorBE32 to 12-byte; V3 streaming AEAD changed from XChaCha20-Poly1305 to AES-256-GCM-SIV (BE32); Argon2id updated to p=4; V3 salt set to 16 bytes vs V2's 32 bytes; HKDF derivation framing and GCM-SIV/GHASH integrity description rewritten.
Threat model alignment
README.md
Ciphertext tampering bullet updated to reference per-1MB chunk GCM-SIV authentication tags; nonce reuse bullet updated to reference the 7-byte per-file nonce and EncryptorBE32 per-chunk counter expansion.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 A nonce of seven bytes, so fresh and bright,
GCM-SIV guards each chunk through the night,
Argon2id lanes now number four,
Salts and keys aligned once more,
The vault stands secure — hop along, all's right! 🔐

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch neuron-encrypt/fix-readme-security-spec

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've left some high level feedback:

  • The description of integrity as GHASH (GCM-SIV) is slightly misleading since AES-GCM-SIV uses POLYVAL rather than GHASH; consider updating the wording to reflect the actual primitive used or use a more generic "Carter–Wegman MAC" description.
  • The claim that a fresh 56-bit nonce per file makes collision probability negligible could be tightened by briefly quantifying the birthday-bound (e.g., safe up to ~2^28 files) or otherwise framing the security level so readers understand the operational limits of the scheme.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- The description of integrity as `GHASH (GCM-SIV)` is slightly misleading since AES-GCM-SIV uses POLYVAL rather than GHASH; consider updating the wording to reflect the actual primitive used or use a more generic "Carter–Wegman MAC" description.
- The claim that a fresh 56-bit nonce per file makes collision probability negligible could be tightened by briefly quantifying the birthday-bound (e.g., safe up to ~2^28 files) or otherwise framing the security level so readers understand the operational limits of the scheme.

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@codacy-production

Copy link
Copy Markdown

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 78684aad7f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread README.md
- **Magic**: Literal `b"VAULTX03"` — identifies the streaming format version
- **Salt**: 128-bit fresh `OsRng`-generated per file
- **Nonce**: 56-bit fresh `OsRng`-generated per file; `EncryptorBE32` appends an internal 5-byte counter/flag (12 bytes total internally)
- **Nonce**: 56-bit (7 bytes) fresh `OsRng`-generated per file; `EncryptorBE32` expands this to a 12-byte nonce internally by appending a 5-byte counter + 1-byte flag

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Correct the BE32 nonce expansion byte count

For anyone implementing or verifying VAULTX03 from the README, this describes a 7-byte prefix plus a 5-byte counter plus a 1-byte flag, which totals 13 bytes even though the expanded AEAD nonce is 12 bytes. The implementation documents the internal suffix as 5 bytes total (4-byte counter + 1-byte flag) in neuron-encrypt/src/crypto.rs:53-54, so this should say 4-byte counter + 1-byte flag or 5-byte counter/flag to avoid misdocumenting the file format.

Useful? React with 👍 / 👎.

Comment thread README.md
- Ciphertext tampering: Every 1 MB chunk has an independent Poly1305 authentication tag. Corruption of any byte fails decryption of that chunk.
- Nonce reuse: Each encryption generates a fresh 24-byte random nonce via `OsRng`. With 192-bit nonces, collision probability is negligible even at billions of files.
- Ciphertext tampering: Every 1 MB chunk has an independent GCM-SIV authentication tag (GHASH). Corruption of any byte fails decryption of that chunk.
- Nonce reuse: Each encryption generates a fresh 7-byte (56-bit) random nonce via `OsRng`. `EncryptorBE32` expands it to 12 bytes internally with a per-chunk counter. Fresh nonce per file makes collision probability negligible.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Do not call 56-bit random nonce collisions negligible

For high-volume or automated use, this new 56-bit nonce statement overstates the collision margin: with only 7 random bytes and no uniqueness tracking in encrypt_file, birthday probability is already about 6.7% at 100 million encryptions and effectively certain around 1 billion. The old 192-bit claim made that wording true, but with VAULTX03 this should either quantify the risk or rely on AES-GCM-SIV's nonce-misuse resistance instead of saying random per-file collisions are negligible.

Useful? React with 👍 / 👎.

@kilo-code-bot

kilo-code-bot Bot commented Jun 19, 2026

Copy link
Copy Markdown

Code Review Roast 🔥

Verdict: 1 Issue Found | Recommendation: Address before merge

Overview

Severity Count
🚨 critical 0
⚠️ warning 0
💡 suggestion 1
🤏 nitpick 0
Issue Details (click to expand)
File Line Roast
README.md 106 Nonce description has a math error: "5-byte counter + 1-byte flag" = 6 bytes, but BE32 appends only 5 bytes total (4-byte counter + 1-byte flag)

🏆 Best part: Finally got the V3 nonce size right at 7 bytes (56-bit) instead of the 24-byte XChaCha nonce. I was half-expecting to find a 192-bit nonce still lingering around like a bad smell.

💀 Worst part: The nonce math doesn't add up. You claim BE32 appends "a 5-byte counter + 1-byte flag" which totals 6 bytes, but the code comment (crypto.rs:53) and the actual BE32 spec both confirm it's 4-byte counter + 1-byte flag = 5 bytes. Seven bytes plus five bytes equals twelve, not thirteen. Did the Counter class teach you nothing about addition?

📊 Overall: Like a math test with one wrong answer — technically proficient but leaves me questioning your arithmetic homework.

Files Reviewed (1 files)
  • README.md — 1 issue

Reviewed by laguna-m.1-20260312:free · 702,817 tokens

Comment thread README.md
- **Magic**: Literal `b"VAULTX03"` — identifies the streaming format version
- **Salt**: 128-bit fresh `OsRng`-generated per file
- **Nonce**: 56-bit fresh `OsRng`-generated per file; `EncryptorBE32` appends an internal 5-byte counter/flag (12 bytes total internally)
- **Nonce**: 56-bit (7 bytes) fresh `OsRng`-generated per file; `EncryptorBE32` expands this to a 12-byte nonce internally by appending a 5-byte counter + 1-byte flag

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔥 The Roast: Quick math check: 7 bytes + 5 bytes + 1 byte = 13 bytes, not 12. Your calculator needs recalibration. The BE32 construction splits the 12-byte nonce as 7-byte stream_nonce + 4-byte counter + 1-byte flag, not 5-byte counter.

🩹 The Fix: Change '5-byte counter + 1-byte flag' to '4-byte counter + 1-byte flag' to accurately reflect the BE32 nonce expansion.

📏 Severity: suggestion


Reply with @kilocode-bot fix it to have Kilo Code address this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant