C.1. Encryption

Generate a random 24-byte nonce. • Concatenate the caller’s 32-byte key and the random nonce and hash them with SHA-512. Use the first 32 bytes of the hash as a one-time key, and the second 32 bytes as a key commitment.

Split the message into 16 KiB chunks, with a short final chunk that may be empty. • Encrypt each chunk with AES-GCM using the one-time key. For the AES-GCM nonce, use the little-endian encoding of either twice the chunk index (for non-final chunks) or twice the chunk index plus one (for the final chunk). • Concatenate the random nonce, the key commitment, and all the encrypted chunks to produce the ciphertext.

PreviousC. AESNextC.2. Decryption

Last updated