Encryption

From Bitmessage Wiki
Jump to navigation Jump to search

Bitmessage uses the Elliptic Curve Integrated Encryption Scheme (ECIES)[1] to encrypt the payload of the Message and Broadcast objects.

The scheme uses Elliptic Curve Diffie-Hellman (ECDH)[2] to generate a shared secret used to generate the encryption parameters for Advanced Encryption Standard with 256bit key and Cipher-Block Chaining (AES-256-CBC)[3]. The encrypted data will be padded to a 16 byte boundary in accordance to PKCS7[4]. This means that the data is padded with N bytes of value N.

The Key Derivation Function (KDF)[5] used to generate the key material for AES is SHA512[6]. The Message Authentication Code (MAC) scheme used is HMACSHA256[7].

Format

(See also: Protocol specification)

Field Size Description Data type Comments
16 IV uchar[] Initialization Vector used for AES-256-CBC
2 uint16_t Curve type Elliptic Curve type 0x02CA (714)
2 uint16_t X length Length of X component of public key R
X length uchar[] X X component of public key R
2 uint16_t Y length Length of Y component of public key R
Y length uchar[] Y Y component of public key R
? encrypted uchar[] Cipher text
32 MAC uchar[] HMACSHA256 Message Authentication Code

In order to reconstitute a usable (65 byte) public key (starting with 0x04), the X and Y components need to be expanded by prepending them with 0x00 bytes until the individual component lengths are 32 bytes.


Encryption

  1. The destination public key is called K.
  2. Generate 16 random bytes using a secure random number generator. Call them IV.
  3. Generate a new random EC key pair with private key called r and public key called R.
  4. Do an EC point multiply with public key K and private key r. This gives you public key P.
  5. Use the X component of public key P and calculate the SHA512 hash H.
  6. The first 32 bytes of H are called key_e and the last 32 bytes are called key_m.
  7. Pad the input text to a multiple of 16 bytes, in accordance to PKCS7.
  8. Encrypt the data with AES-256-CBC, using IV as initialization vector, key_e as encryption key and the padded input text as payload. Call the output cipher text.
  9. Calculate a 32 byte MAC with HMACSHA256, using key_m as salt and IV + R + cipher text as data. Call the output MAC.

The resulting data is: IV + R + cipher text + MAC

Decryption

  1. The private key used to decrypt is called k.
  2. Do an EC point multiply with private key k and public key R. This gives you public key P.
  3. Use the X component of public key P and calculate the SHA512 hash H.
  4. The first 32 bytes of H are called key_e and the last 32 bytes are called key_m.
  5. Calculate MAC' with HMACSHA256, using key_m as salt and IV + R + cipher text as data.
  6. Compare MAC with MAC'. If not equal, decryption will fail.
  7. Decrypt the cipher text with AES-256-CBC, using IV as initialization vector, key_e as decryption key and the cipher text as payload. The output is the padded input text.

Partial Example

Public key K:

Data Comments
04 09 d4 e5  c0 ab 3d 25
fe 04 8c 64  c9 da 1a 24
2c 7f 19 41  7e 95 17 cd
26 69 50 d7  2c 75 57 13
58 5c 61 78  e9 7f e0 92
fc 89 7c 9a  1f 17 20 d5
77 0a e8 ea  ad 2f a8 fc
bd 08 e9 32  4a 5d de 18
57
Public key, 0x04 prefix, then 32 bytes X and 32 bytes Y.


Initialization Vector IV:

Data Comments
bd db 7c 28  29 b0 80 38
75 30 84 a2  f3 99 16 81
16 bytes generated with a secure random number generator.

Randomly generated key pair with private key r and public key R:

Data Comments
5b e6 fa cd  94 1b 76 e9
d3 ea d0 30  29 fb db 6b
6e 08 09 29  3f 7f b1 97
d0 c5 1f 84  e9 6b 8b a4
Private key r
04 02 93 21  3d cf 13 88
b6 1c 2a e5  cf 80 fe e6
ff ff c0 49  a2 f9 fe 73
65 fe 38 67  81 3c a8 12
92 df 94 68  6c 6a fb 56
5a c6 14 9b  15 3d 61 b3
b2 87 ee 2c  7f 99 7c 14
23 87 96 c1  2b 43 a3 86
5a
Public key R

Derived public key P (point multiply r with K):

Data Comments
04 0d b8 e3  ad 8c 0c d7
3f a2 b3 46  71 b7 b2 47
72 9b 10 11  41 57 9d 19
9e 0d c0 bd  02 4e ae fd
89 ca c8 f5  28 dc 90 b6
68 11 ab ac  51 7d 74 97
be 52 92 93  12 29 be 0b
74 3e 05 03  f4 43 c3 d2
96
Public key P
0d b8 e3 ad  8c 0c d7 3f
a2 b3 46 71  b7 b2 47 72
9b 10 11 41  57 9d 19 9e
0d c0 bd 02  4e ae fd 89
X component of public key P

SHA512 of public key P X component (H):

Data Comments
17 05 43 82  82 67 86 71
05 26 3d 48  28 ef ff 82
d9 d5 9c bf  08 74 3b 69
6b cc 5d 69  fa 18 97 b4
First 32 bytes of H called key_e
f8 3f 1e 9c  c5 d6 b8 44
8d 39 dc 6a  9d 5f 5b 7f
46 0e 4a 78  e9 28 6e e8
d9 1c e1 66  0a 53 ea cd
Last 32 bytes of H called key_m

Padded input:

Data Comments
54 68 65 20  71 75 69 63
6b 20 62 72  6f 77 6e 20
66 6f 78 20  6a 75 6d 70
73 20 6f 76  65 72 20 74
68 65 20 6c  61 7a 79 20
64 6f 67 2e  04 04 04 04
The quick brown fox jumps over the lazy dog.0x04,0x04,0x04,0x04

Cipher text:

Data Comments
64 20 3d 5b  24 68 8e 25
47 bb a3 45  fa 13 9a 5a
1d 96 22 20  d4 d4 8a 0c
f3 b1 57 2c  0d 95 b6 16
43 a6 f9 a0  d7 5a f7 ea
cc 1b d9 57  14 7b f7 23
3 blocks of 16 bytes of encrypted data.