Backward compatibility is broken.

• Implement fully commiting AEAD
• Improve signal handling
• Simplify padding: remove bilateral padding
• Increase max padding size to 25%
• Increase processed_comments_size to 1024 bytes
• Remove options: Set cusom settings, Set Fake MAC tag, Max pad size %
• Input file is now optional in actions 2, 6 (encrypt only Comments)
• Get pad_key from HKDF(pad_ikm), get pad_ikm from CSPRNG
• New PAD_KEY_SIZE: 8 bytes
• Remove some warings: The Moxie Principle is no longer violated
• Authenticate padding
• Truncate out file on error automatically, without confirmation. The same on signals (when SIGTERM, SIGHUP received)
• Simpler UI

• Updated documentation.
• Updated UI/logging.

BREAKING: Update key‑derivation and encryption schemes:

• Reduce symmetric key material to a reasonable size:
  • Use BLAKE2b‑256 instead of BLAKE2b‑512 for MAC and IKM hashing.
  • Reduce Argon2 tag size to 256 bits.
  • Minimum cryptoblob size reduced to 831 bytes.
• Use HKDF‑SHA256 to derive keys instead of splitting the Argon2 tag.
• Increase padding key size to 128 bits.
• Use a simple nonce counter starting at 0 for encryption.

Just bump version.

• Added dependency: colorama (Windows-specific)
• Minor refactoring
• Updated documentation

• Updated UI and logging.
• Updated and expanded documentation.
• Updated warnings.
• Improved error handling.
• Implemented output file truncation prior to removing the output file path.
• Prevented core dump generation on POSIX-compliant operating systems.

BREAKING:

• Increased Argon2 memory cost to 1 GiB.
• Modified encryption scheme: the nonce counter is now initialized with the Argon2 tag instead of zeroes, making nonce values secret.
• Reduced padding key size to 10 bytes.
• New way to split Argon2 tag:

+————————————————+——————————————+———————————————+
|                | pad_key_t:10 | Secret values |
|                +——————————————+ that define   |
|                | pad_key_s:10 | padding sizes |
|                +——————————————+———————————————+
| argon2_tag:128 | nonce_key:12 | Secret values |
|                +——————————————+ for data      |
|                | enc_key:32   | encryption    |
|                +——————————————+———————————————+
|                | mac_key:64   | Auth key      |
+————————————————+——————————————+———————————————+

• New license: 0BSD.
• New logo.
• Updated documentation.
• Updated Makefile.
• Updated UI and logging.
• New numbering of input options.
• Minor refactoring.

BREAKING CHANGES:

• RW chunk size increased to 16 MiB for better performance in actions 4, 6, and 9.
• Padding scheme extended by adding a constant padding part (255 bytes) to the total padding size.
• Changed MAC message structure: authenticate the total padded size before the header and footer padding sizes.

• Changed the numbering of input options:

+———————————————————————————+——————————————————————————+
| [00] Select an option     | [00] Select an action    |
+———————————————————————————+——————————————————————————+
| [10] Use custom settings? |                          |
| [11] Time cost            | [1x] Set custom settings |
| [12] Max padding size     |                          |
| [13] Set fake MAC tag?    |                          |
+———————————————————————————+——————————————————————————+
| [21] Input file path      |                          |
| [22] Comments             | [2x] Enter data,         |
| [23] Output file path     |      data location,      |
| [24] Output file size     |      data size           |
| [25] Start position       |                          |
| [26] End position         |                          |
+———————————————————————————+——————————————————————————+
| [31] Keyfile path         | [3x] Specify input       |
| [32] Passphrase           |      keying material     |
+———————————————————————————+——————————————————————————+
| [40] Proceed?             | [40] Confirm to continue |
+———————————————————————————+——————————————————————————+

• New limitations set to:
  • 2^64 B for output file size (in action 8).
  • 2^64-1 B for cryptoblob size.
  • 10^20 for maximum padding percentage.
  • 2048 B for normalized passphrase size.
• Replaced flat layout with src layout.
• Replaced pycryptodome's ChaCha20 implementation with cryptography's ChaCha20 implementation for better performance.
• Added dependency: cryptography.
• Removed dependency: pycryptodomex.
• Removed -d option.
• Renamed input option: Argon2 time cost renamed to Time cost.
• Replaced os.urandom() with secrets.token_bytes(), and hmac.compare_digests() with secrets.compare_digest().
• Fixed a bug in processing comments.
• Significantly improved debug messages.
• Sanitized logged strings, especially file paths.
• Italic formatting has been removed from log messages.
• Added new warnings.
• Added FAQ.md.
• Performed code refactoring.

BREAKING:

• New way to split Argon2 tag:

+————————————————+———————————————+————————————————+
|                | pad_key_t:16  | Secret values  |
|                +———————————————+ that define    |
|                | pad_key_hf:16 | padding sizes  |
| argon2_tag:128 +———————————————+————————————————+
|                | enc_key:32    | Encryption key |
|                +———————————————+————————————————+
|                | mac_key:64    | MAC key        |
+————————————————+———————————————+————————————————+

• New cryptoblob scheme:

+————————————————————————————————————————+—————————+
| Salt for key stretching (Argon2): 16 B |         |
+————————————————————————————————————————+ Random  |
| Randomized padding: 0-20% of the       | data    |
| unpadded cryptoblob size by default    |         |
+————————————————————————————————————————+—————————+
| Ciphertext (ChaCha20): 512+ B,         |         |
| consists of:                           |         |
| - Encrypted padded/truncated           | Random- |
|   comments, always 512 B               | looking |
| - Encrypted payload file               | data    |
|   contents, 0+ B                       |         |
+————————————————————————————————————————+         |
| Optional MAC tag (BLAKE2/random): 64 B |         |
+————————————————————————————————————————+—————————+
| Randomized padding: 0-20% of the       |         |
| unpadded cryptoblob size by default    | Random  |
+————————————————————————————————————————+ data    |
| Salt for prehashing (BLAKE2): 16 B     |         |
+————————————————————————————————————————+—————————+

• New salt handling:
  • Argon2 salt set to the beginning of the cryptoblob.
  • BLAKE2 salt set to the end of the cryptoblob.
• Updated padding scheme: calculate total padding size based on the unpadded size (ciphertext size + MAC tag size + salts size) instead of the ciphertext size.
• MAC message extended with sizes: added sizes of header padding, footer padding, and total padded size (cryptoblob size).
• Implemented Unicode Normalization Form C (NFC) (as requied by RFC 8265) for passphrases.

• Performed code refactoring.
• Added log_d(), log_i(), log_w(), log_e(); used them instead of raw print().
• Improved log and prompt messages.
• Replaced hashlib.blake2b with nacl.hashlib.blake2b.
• Added docstrings and comments.
• Improved error handling; handled nonce counter overflow and EOFError for every input().
• Changed the numbering of input options.
• Added limitations for input options set to: 1023 for passphrase size, 2^60 for output file size (in action 8), and 10^18 for maximum padding percentage.
• Applied strip() for integer and boolean input options.
• Improved type hinting using the features of Python 3.9; the minimum required version of Python has been updated to 3.9.
• Added pyproject.toml.
• Removed setup.py.

• Improve keyfile handling: all keyfiles from the specified directory are not accepted if there is no access to at least one subdirectory.
• Update UI.
• Update docs.
• Improve debug.

• Prevent an attempt to remove a non-existent output path.