VernamVeil: A Fresh Take on Function-Based Encryption

Programming

Cryptography often feels like an ancient dark art, full of math-heavy concepts, rigid key sizes, and strict protocols. But what if you could rethink the idea of a “key” entirely? What if the key wasn’t a fixed blob of bits, but a living, breathing function?

VernamVeil is an experimental cipher that explores exactly this idea. The name pays tribute to Gilbert Vernam, one of the minds behind the theory of the One-Time Pad. VernamVeil is written in pure Python (with an optional Numpy dependency for vectorisation) designed for developers curious about cryptography’s inner workings, providing a playful and educational space to build intuition about encryption. The main algorithm is about 200 lines of Python code (excluding documentation, comments and empty lines) with no external dependencies other than standard Python libraries.

It’s important to note from the start: I am an ML scientist with zero understanding of the inner workings of cryptography. I wrote this prototype library as a fun weekend project to explore the domain and learn the basic concepts. As a result, VernamVeil is not intended for production use or protecting real-world sensitive data. It is a learning tool, an experiment rather than a security guarantee. You can find the full code on GitHub.

Why Functions Instead of Keys?

Traditional symmetric ciphers rely on static keys, fixed-length secrets that can, if mishandled or repeated, reveal vulnerabilities. VernamVeil instead uses a function to generate the keystream dynamically: fx(i, seed) -> bytes.

This simple change unlocks several advantages:

No obvious repetition: As long as the function and seed are unpredictable, the keystream remains fresh.
Mathematical flexibility: You can craft fx functions using creative mathematical expressions, polynomials, or even external data sources.
Potentially infinite streams: Inspired by the One-Time Pad, VernamVeil enables keystreams as long as necessary, avoiding reuse across large datasets.

In short, instead of relying on the secrecy of a fixed string, VernamVeil relies on the richness and unpredictability of mathematical behavior. And above all, it’s modular; you can define your own fx which will serve as your very own secret key.

Key Features and Quick Example

VernamVeil introduces a range of ideas to enhance security and teach good cryptographic hygiene:

Customizable Key Stream: Use any function that takes an index and a seed to dynamically produce bytes. The function and initial key together are your secret key.
Symmetric Process: The same function and seed are used for encryption and decryption.
Obfuscation Techniques: Real chunks are padded with random noise, mixed with fake (decoy) chunks, and shuffled based on a seed.
Seed Evolution: After each chunk, the seed is refreshed, ensuring small input changes lead to large output differences.
Message Authentication: Built-in MAC-based verification to detect tampering.
Highly Configurable: Adjust chunk size, padding randomness, decoy rate, and more to experiment with different levels of obfuscation and performance.
Vectorisation: Some operations can be optionally vectorised using Numpy. A pure Python fallback is also available.

Here’s a quick example of encrypting and decrypting messages:

from vernamveil import FX, VernamVeil


def keystream_fn(i: int, seed: bytes) -> int:
    # Simple but cryptographically unsafe fx; see repo for a better example
    b = seed[i % len(seed)]
    result = ((i ** 2 + i * b + b ** 2) * (i + 7))
    result &= 0xFFFFFFFFFFFFFFFF
    return result.to_bytes(8, "big")

fx = FX(keystream_fn, block_size=8, vectorise=False)


cipher = VernamVeil(fx)
seed = cipher.get_initial_seed()
encrypted, _ = cipher.encode(b"Hello!", seed)
decrypted, _ = cipher.decode(encrypted, seed)

This simple workflow already shows off several core ideas: the evolving seed, the use of a custom fx, and how reversible encryption/decryption are when set up properly.

Under the Hood: How VernamVeil Works

VernamVeil layers several techniques together to create encryption that feels playful but still introduces important cryptographic principles. Let’s walk through the key steps:

1. Splitting and Delimiters

First, the message is divided into chunks of a configurable size (default 32 bytes). Real chunks are padded with random bytes both before and after. Between each chunk, a random delimiter is inserted, but crucially, the delimiter itself is encrypted later on, meaning its boundary-marking role is hidden in the final ciphertext.

This makes it extremely difficult to identify where real data is located.

2. Obfuscation with Fake Chunks and Shuffling

Not all chunks are real. VernamVeil injects fake chunks that contain purely random bytes. Real and fake chunks are then shuffled deterministically, based on a derived shuffle seed.

This has several effects:

Attackers cannot easily distinguish real data from decoys.
Even if some structural patterns exist, they are deeply buried under obfuscation.

Together with encrypted delimiters, this makes message reconstruction without the correct seed and a strong function extremely difficult in practice.

3. XOR-Based Stream Cipher with Seed Evolution

The obfuscated message is then XOR’ed byte-by-byte with a keystream generated by your custom fx function.

However, there’s a crucial twist: the seed evolves over time. After processing each chunk, the seed is refreshed by hashing the current seed along with the data just encrypted (or decrypted).

This evolution achieves two goals:

Avalanche Effect: A one-byte change early in the message snowballs into major changes throughout the output.
Backward Secrecy: Backward secrecy is maintained because each seed is evolved by hashing the previous seed with the current plaintext chunk, so knowledge of the current seed does not allow derivation of any previous seeds.

The seed acts like a stateful chain, reventing repeated keystream patterns.

4. Message Authentication (MAC)

Finally, if enabled, VernamVeil adds a simple form of authenticated encryption:

A BLAKE2b HMAC of the ciphertext is computed.
The resulting tag is appended to the ciphertext.

When decrypting, the MAC tag is checked before decrypting the message. If the tag doesn’t match, decryption fails immediately, protecting against tampering and certain types of attacks like padding oracles.

For more information about the design, characteristics, caveats & best practices, and more technical examples, see the readme file on the repo.

Future Directions and Open Ideas

VernamVeil is an early prototype, and there’s plenty of room for experimentation and improvement. Here are some possible directions for the future:

Vectorised Operations: Switching from pure Python bytes to numpy, PyTorch, or TensorFlow arrays could massively accelerate key stream generation, chunk encryption, and random noise creation through vectorisation. Edit: This feature was added after the initial release and increased significantly the performance of the implementation.
Threading: A background thread could continuously prepare IO operations, so that encryption is never stalled. Edit: Asynchronous IO was added after the initial release.
Console Utility: Add a command-line interface (CLI) to allow users to run VernamVeil directly from the terminal with configurable parameters. Edit: This feature was added after the initial release.
Move to a Lower-Level Language: Python was chosen for clarity and ease of experimentation, but moving to a faster language like Rust, C++, or even Go could greatly improve speed and scalability. Edit: I’ve developed an optional C extension for significantly speeding up the hashing operations, after the initial release.
Improve Encryption Design: The core encryption model (XOR-based, function-driven) was built for educational clarity, not resilience against advanced attacks. There’s a lot of unexplored territory in designing more robust obfuscation layers, better keystream generators, and more secure authenticated encryption schemes. Edit: I’ve added Synthetic IV Seed Initialisation, switched to encrypt-then-MAC authentication, replaced hashing with HMAC and added strong fx examples and other features, after the initial release.

If you have more ideas or proposals, feel free to open a GitHub Issue. I’d love to brainstorm improvements together! And if you happen to be a cryptography expert, I would deeply appreciate any constructive criticism. VernamVeil was built as a learning exercise by someone outside the cryptography field, so it’s very likely that serious flaws or misconceptions remain. Additionally, due to my limited background in cryptography, some of the techniques I used may unknowingly reinvent existing concepts. In particular, if you recognise familiar patterns or standard practices that I didn’t name correctly or at all, I would be incredibly grateful if you could point them out. Learning the proper terminology and references would help me better understand and improve the project.

Closing Thoughts

VernamVeil doesn’t aim to replace serious cryptographic libraries like AES or ChaCha20. Instead, it’s a playground, a way to learn, tinker, and explore concepts like dynamic key generation, authenticated encryption, seed evolution, and obfuscation without getting lost in extremely dense math.

It shows that cryptography isn’t just about protecting secrets, it’s also about layering unpredictability, breaking assumptions, and thinking creatively about where vulnerabilities might hide.

If you’re curious about how real-world encryption primitives are constructed, or just want to explore math and code in a fun way, VernamVeil is an excellent starting point. I am looking forward to your comments and feedback.