Encryption

Bitmessage uses the Elliptic Curve Integrated Encryption Scheme (ECIES)[1] to encrypt the payload of the Message and Broadcast objects.

The scheme uses Elliptic Curve Diffie-Hellman (ECDH)[2] to generate a shared secret used to generate the encryption parameters for Advanced Encryption Standard with 256bit key and Cipher-Block Chaining (AES-256-CBC)[3]. The encrypted data will be padded to a 16 byte boundary in accordance to PKCS7[4]. This means that the data is padded with N bytes of value N.

The Key Derivation Function (KDF)[5] used to generate the key material for AES is SHA512[6]. The Message Authentication Code (MAC) scheme used is HMACSHA256[7].

Format

(See also: Protocol specification)

In order to reconstitute a usable (65 byte) public key (starting with 0x04), the X and Y components need to be expanded by prepending them with 0x00 bytes until the individual component lengths are 32 bytes.

Encryption

1. The destination public key is called K.
2. Generate 16 random bytes using a secure random number generator. Call them IV.
3. Generate a new random EC key pair with private key called r and public key called R.
4. Do an EC point multiply with public key K and private key r. This gives you public key P.
5. Use the X component of public key P and calculate the SHA512 hash H.
6. The first 32 bytes of H are called key_e and the last 32 bytes are called key_m.
7. Pad the input text to a multiple of 16 bytes, in accordance to PKCS7.
8. Encrypt the data with AES-256-CBC, using IV as initialization vector, key_e as encryption key and the padded input text as payload. Call the output cipher text.
9. Calculate a 32 byte MAC with HMACSHA256, using key_m as salt and IV + R + cipher text as data. Call the output MAC.

The resulting data is: IV + R + cipher text + MAC

Decryption

1. The private key used to decrypt is called k.
2. Do an EC point multiply with private key k and public key R. This gives you public key P.
3. Use the X component of public key P and calculate the SHA512 hash H.
4. The first 32 bytes of H are called key_e and the last 32 bytes are called key_m.
5. Calculate MAC' with HMACSHA256, using key_m as salt and IV + R + cipher text as data.
6. Compare MAC with MAC'. If not equal, decryption will fail.
7. Decrypt the cipher text with AES-256-CBC, using IV as initialization vector, key_e as decryption key and the cipher text as payload. The output is the padded input text.

Partial Example

Public key K:

04 09 d4 e5  c0 ab 3d 25
fe 04 8c 64  c9 da 1a 24
2c 7f 19 41  7e 95 17 cd
26 69 50 d7  2c 75 57 13
58 5c 61 78  e9 7f e0 92
fc 89 7c 9a  1f 17 20 d5
77 0a e8 ea  ad 2f a8 fc
bd 08 e9 32  4a 5d de 18
57

Initialization Vector IV:

bd db 7c 28  29 b0 80 38
75 30 84 a2  f3 99 16 81

Randomly generated key pair with private key r and public key R:

5b e6 fa cd  94 1b 76 e9
d3 ea d0 30  29 fb db 6b
6e 08 09 29  3f 7f b1 97
d0 c5 1f 84  e9 6b 8b a4

04 02 93 21  3d cf 13 88
b6 1c 2a e5  cf 80 fe e6
ff ff c0 49  a2 f9 fe 73
65 fe 38 67  81 3c a8 12
92 df 94 68  6c 6a fb 56
5a c6 14 9b  15 3d 61 b3
b2 87 ee 2c  7f 99 7c 14
23 87 96 c1  2b 43 a3 86
5a

Derived public key P (point multiply r with K):

04 0d b8 e3  ad 8c 0c d7
3f a2 b3 46  71 b7 b2 47
72 9b 10 11  41 57 9d 19
9e 0d c0 bd  02 4e ae fd
89 ca c8 f5  28 dc 90 b6
68 11 ab ac  51 7d 74 97
be 52 92 93  12 29 be 0b
74 3e 05 03  f4 43 c3 d2
96

0d b8 e3 ad  8c 0c d7 3f
a2 b3 46 71  b7 b2 47 72
9b 10 11 41  57 9d 19 9e
0d c0 bd 02  4e ae fd 89

SHA512 of public key P X component (H):

17 05 43 82  82 67 86 71
05 26 3d 48  28 ef ff 82
d9 d5 9c bf  08 74 3b 69
6b cc 5d 69  fa 18 97 b4

f8 3f 1e 9c  c5 d6 b8 44
8d 39 dc 6a  9d 5f 5b 7f
46 0e 4a 78  e9 28 6e e8
d9 1c e1 66  0a 53 ea cd

Padded input:

54 68 65 20  71 75 69 63
6b 20 62 72  6f 77 6e 20
66 6f 78 20  6a 75 6d 70
73 20 6f 76  65 72 20 74
68 65 20 6c  61 7a 79 20
64 6f 67 2e  04 04 04 04

Cipher text:

64 20 3d 5b  24 68 8e 25
47 bb a3 45  fa 13 9a 5a
1d 96 22 20  d4 d4 8a 0c
f3 b1 57 2c  0d 95 b6 16
43 a6 f9 a0  d7 5a f7 ea
cc 1b d9 57  14 7b f7 23