Construct the encryption key corresponding to secret.

• raises Invalid_argument

  if the length of secret is not in key_sizes.

Key sizes allowed with this cipher.

The size of a single block.

add_ctr ctr n adds n to ctr.

next_ctr ~off msg ~ctr is the state of the counter after encrypting or decrypting msg at offset off with the counter ctr.

For protocols which perform inter-message chaining, this is the counter for the next message.

It is computed as C.add ctr (ceil (len msg / block_size)). Note that if len msg1 = k * block_size,

encrypt ~ctr msg1 || encrypt ~ctr:(next_ctr ~ctr msg1) msg2
  == encrypt ~ctr (msg1 || msg2)

ctr_of_octets buf converts the value of buf into a counter.

stream ~key ~ctr n is the raw keystream.

Keystream is the concatenation of successive encrypted counter states. If E(x) is the single block x encrypted under key, then keystream is the first n bytes of E(ctr) || E(add ctr 1) || E(add ctr 2) || ....

Note that

stream ~key ~ctr (k * block_size) || stream ~key ~ctr:(add ctr k) x
  == stream ~key ~ctr (k * block_size + x)

In other words, it is possible to restart a keystream at block_size boundaries by manipulating the counter.

encrypt ~key ~ctr msg is stream ~key ~ctr (len msg) lxor msg.

decrypt is encrypt.

stream_into ~key ~ctr dst ~off len is the raw key stream put into dst starting at off.

• raises Invalid_argument

  if Bytes.length dst - off < len.

encrypt_into ~key ~ctr src ~src_off dst ~dst_off len produces the key stream into dst at dst_off, and then xors it with src at src_off.

• raises Invalid_argument

  if dst_off < 0 || Bytes.length dst - dst_off < len.

• raises Invalid_argument

  if src_off < 0 || String.length src - src_off < len.

decrypt_into is encrypt_into.