7.5.2 Authenticated Public-Key Encryption
Authenticated public-key encryption also uses libsodium. In both encryption and decryption we derive the shared key and then encrypt or decrypt the message as two separate steps: first so that the derived key can be cached and reused across messages, and second because libsodium's public-key API (crypto_box) does not accept associated data; only its symmetric AEAD API does.
Box.KeyGen
Input: none.
Output: an encryption key pair (pk^Box, sk^Box).
To generate a key pair:
  1. Return (pk^Box, sk^Box) as generated by crypto_box_keypair.

Box.Enc
Input: the sender's secret key sk_S^Box and the receiver's public key pk_R^Box, a context string Context_KDF, a second context string Context_cipher, metadata Meta, and a message M.
Output: a ciphertext C.
To encrypt:
  1. Generate a 192-bit (24-byte) random string RandomNonce.
  2. Compute K_0 ← crypto_box_beforenm(pk_R^Box, sk_S^Box), the Diffie-Hellman key exchange between the public key pk_R^Box and the secret key sk_S^Box (libsodium computes X25519 and passes the result through HSalsa20; the output is symmetric in the two key pairs).
  3. Compute K ← HKDF(K_0, Context_KDF), using an empty HKDF salt parameter. (K may be cached for this key pair and context.)
  4. Compute D ← SHA256(Context_cipher) || SHA256(Meta).
  5. Compute C' ← crypto_aead_xchacha20poly1305_ietf_encrypt(M, D, RandomNonce, K), which computes XChaCha20-Poly1305 over the plaintext M with the symmetric key K, the associated data D, and the nonce RandomNonce.
  6. Output C ← (C', RandomNonce).

Box.Dec
Input: the receiver's secret key sk_R^Box and the sender's public key pk_S^Box, a context string Context_KDF, a second context string Context_cipher, metadata Meta, and a ciphertext C.
Output: a message M, or an error.
To decrypt:
  1. Parse C as (C', RandomNonce); fail if RandomNonce is not 192 bits.
  2. Compute K_0 ← crypto_box_beforenm(pk_S^Box, sk_R^Box).
  3. Compute K ← HKDF(K_0, Context_KDF), using an empty HKDF salt parameter. (K may be cached for this key pair and context.)
  4. Compute D ← SHA256(Context_cipher) || SHA256(Meta).
  5. Compute M ← crypto_aead_xchacha20poly1305_ietf_decrypt(C', D, RandomNonce, K). If decryption fails (wrong key pair, wrong context, wrong Meta, or a modified C' or nonce), output an error. Otherwise output M.