Deterministic Authenticated Encryption with Associated Data

These encryption algorithms are required to provide:

  • determinism: given the same inputs, the same outputs result.

  • divergence: if any bit of any input differs, the outputs must be unrelated.

  • key commitment: only one key will successfully decrypt the ciphertext.

  • associated data commitment: the associated data must match to decrypt the ciphertext.

  • conditional chosen plaintext attack resistance: if associated data varies and is not under control of the attacker, the ciphertexts are indistinguishable under adaptive chosen plaintext attacks.

Operations

  • FromMaster(domain, master_key): Derive a shared encryption key from a master key.

  • FromPlaintext(domain, convergence_domain, plaintext, associated_data): Derive a shared encryption key from the plaintext.

  • Encrypt(domain, shared_key, plaintext, associated_data): Encrypt a plaintext with a given key and domain, in the context of the given data.

  • Decrypt(domain, shared_key, ciphertext, associated_data): Decrypt a ciphertext with a given key and domain, in the context of the given data. If the domain, key, or associated data do not go with the ciphertext, fail.

Implementations may also provide a combined FromPlaintext and Encrypt operation that returns both the shared key and the ciphertext.

Serialization

Shared Keys are serialized with an 8 tag followed by the serialization of the contained key.

Implementations

XChaCha8-Blake3-SIV

The DAEAD for generation 1 is an encrypt+MAC scheme constructed from the Blake3 Stateful Hash Object and the extended nonce ChaCha construction with 8 rounds. This construction is crafted to allow convergent encryption in two passes: the first pass derives the shared key and IV, and the second pass encrypts.

  • FromMaster invokes Blake3 with the domain "XChaCha8-Blake3-SIV: Derivation From Master Key", feeds in the provided domain, demarcates, feeds in the master key, finalizes.

  • FromPlaintext invokes Blake3 with the domain "XChaCha8-Blake3-SIV: Derivation From Plaintext", feeds in the provided domain, demarcates, feeds in the plaintext, demarcates, feeds in the associated data, demarcates, feeds in "shared key generation", feeds in the convergence domain, finalizes.

  • Encrypt:

    • Derives the IV by invoking Blake3 with the domain "XChaCha8-Blake3-SIV: Derivation From Plaintext", feeds in the provided domain, demarcates, feeds in the plaintext, demarcates, feeds in the associated data, demarcates, feeds in "initialization vector generation", feeds in the shared key, finalizes, truncates to 24 bytes.
    • Derives the encryption key from the shared key by invoking Blake3 with the domain "XChaCha8-Blake3-SIV: Encryption Key Derivation", feeds in the shared key, finalizes.
    • Emits the IV, and then applies XChaCha8 to the plaintext.

  • Decrypt:

    • Derives the encryption key from the shared key by invoking Blake3 with the domain "XChaCha8-Blake3-SIV: Encryption Key Derivation", feeds in the shared key, finalizes.
    • Splits the IV off the front of the ciphertext.
    • Applies XChaCha8 to the ciphertext.
    • Derives the test IV by invoking Blake3 with the domain "XChaCha8-Blake3-SIV: Derivation From Plaintext", feeds in the provided domain, demarcates, feeds in the plaintext, demarcates, feeds in the associated data, demarcates, feeds in "initialization vector generation", feeds in the shared key, finalizes, truncates to 24 bytes.
    • Checks the IV against the test IV; if they are equal, emits the decrypted plaintext, otherwise errors.
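
The two-pass structure above, as an added sketch that is not part of the original specification and is not interoperable with it. It assumes standard-library stand-ins: BLAKE2b replaces the Blake3 Stateful Hash Object, "demarcates" is modelled as length-prefixing every fed field, and a BLAKE2b counter-mode keystream replaces XChaCha8. The function names and the constant-time IV comparison are choices of this example.

```python
import hashlib, hmac

MK = b"XChaCha8-Blake3-SIV: Derivation From Master Key"
PT = b"XChaCha8-Blake3-SIV: Derivation From Plaintext"
EK = b"XChaCha8-Blake3-SIV: Encryption Key Derivation"

def sho(domain, *parts):
    # Stand-in for the Blake3 SHO (assumption): BLAKE2b over the domain and
    # each fed field, every one length-prefixed so field boundaries are unambiguous.
    h = hashlib.blake2b(digest_size=32)
    for p in (domain, *parts):
        h.update(len(p).to_bytes(8, "little") + p)
    return h.digest()

def from_master(domain, master_key):
    return sho(MK, domain, master_key)

def from_plaintext(domain, convergence_domain, plaintext, ad):
    return sho(PT, domain, plaintext, ad, b"shared key generation", convergence_domain)

def _iv(domain, shared_key, plaintext, ad):
    # Synthetic IV: binds domain, plaintext, associated data and shared key.
    return sho(PT, domain, plaintext, ad, b"initialization vector generation", shared_key)[:24]

def _stream(key, iv, data):
    # Stand-in for XChaCha8 (assumption): XOR with a keyed BLAKE2b counter keystream.
    out = bytearray()
    for i in range(0, len(data), 64):
        block = hashlib.blake2b(iv + (i // 64).to_bytes(8, "little"), key=key).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], block))
    return bytes(out)

def encrypt(domain, shared_key, plaintext, ad):
    iv = _iv(domain, shared_key, plaintext, ad)
    return iv + _stream(sho(EK, shared_key), iv, plaintext)

def decrypt(domain, shared_key, ciphertext, ad):
    iv, body = ciphertext[:24], ciphertext[24:]
    plaintext = _stream(sho(EK, shared_key), iv, body)
    test_iv = _iv(domain, shared_key, plaintext, ad)
    if not hmac.compare_digest(iv, test_iv):  # constant-time check, added by this example
        raise ValueError("domain, key, or associated data do not match the ciphertext")
    return plaintext

if __name__ == "__main__":
    key = from_plaintext(b"files", b"team-a", b"constructed sample", b"path=/a")
    ct = encrypt(b"files", key, b"constructed sample", b"path=/a")
    print(ct.hex(), decrypt(b"files", key, ct, b"path=/a"))
```

Because the IV is recomputed from the recovered plaintext, a wrong key, domain, or associated data yields a mismatching test IV, so decryption fails and no plaintext is released.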