abcrypt is a modern file encryption format with the data authenticity. This document describes the abcrypt encrypted data format.
abcrypt is a modern file encryption format inspired by the scrypt encrypted data format. abcrypt uses Argon2 for key derivation, BLAKE2b-512-MAC for header integrity checking and XChaCha20-Poly1305 for encryption.
Argon2 is the key derivation function from RFC 9106.
BLAKE2b-512-MAC is the keyed hash function based on BLAKE2 standardized in RFC 7693. This uses BLAKE2b and always outputs a 64-byte MAC.
XChaCha20-Poly1305 is the AEAD algorithm from draft-irtf-cfrg-xchacha.
An abcrypt file is composed of two parts: the header containing the required data and the payload encrypted with the derived key.
| Offset | Bytes | Description | Detail |
|---|---|---|---|
\$0\$ |
\$7\$ |
Magic number ("abcrypt"). |
|
\$7\$ |
\$1\$ |
Version number. |
|
\$8\$ |
\$4\$ |
Argon2 type. |
|
\$12\$ |
\$4\$ |
Argon2 version. |
|
\$16\$ |
\$4\$ |
Memory size |
|
\$20\$ |
\$4\$ |
Number of iterations |
|
\$24\$ |
\$4\$ |
Degree of parallelism |
|
\$28\$ |
\$32\$ |
Salt for Argon2. |
|
\$60\$ |
\$24\$ |
Nonce for XChaCha20-Poly1305. |
|
\$84\$ |
\$64\$ |
MAC of the header. |
|
\$148\$ |
\$n\$ |
Ciphertext. |
|
\$148 + n\$ |
\$16\$ |
MAC of the ciphertext. |
All multibyte values are stored in little-endian.
The derived key for computing the header MAC and the derived key for encryption are produced by Argon2.
derivedKey = Argon2(
password = password,
salt = header[28..60],
parallelism = header[24..28],
tagLength = 96,
memoryCost = header[16..20],
timeCost = header[20..24],
version = header[12..16],
secretKey = [],
associatedData = [],
type = header[8..12],
)
The size of secretKey (pepper) and associatedData (associated data) are
zero (empty).
The resulting derived key (derivedKey) length is 96 bytes. The first 32 bytes
of derivedKey are the XChaCha20-Poly1305 key (encryptionKey) for
encryption, and the last 64 bytes are the BLAKE2b-512-MAC key
(headerMacKey) for computing the header MAC.
encryptionKey = derivedKey[..32] headerMacKey = derivedKey[32..]
type, version,
memoryCost, timeCost,
parallelism, and salt used when
encrypting are stored in the header, and these stored values are used when
decrypting.
A 7-byte string for identifying the abcrypt encrypted data format. The value is
"abcrypt" (61 62 63 72 79 70 74 in hex).
A 1-byte version number of the abcrypt encrypted data format. The current value is 1.
| Value | Description |
|---|---|
\$0\$ |
Argon2d. |
\$1\$ |
Argon2i. |
\$2\$ |
Argon2id. |
The Argon2 type is represented as 4 bytes in little-endian.
| Value | Description |
|---|---|
\$16\$ |
Version 0x10 (16 in decimal). |
\$19\$ |
Version 0x13 (19 in decimal). |
The Argon2 version is represented as 4 bytes in little-endian.
| Parameter | Minimum value | Maximum value | Description |
|---|---|---|---|
|
\$8 xx p\$ |
\$2^(32) - 1\$ |
Memory size in KiB. |
|
\$1\$ |
\$2^(32) - 1\$ |
Number of iterations. |
|
\$1\$ |
\$2^(24) - 1\$ |
Degree of parallelism. |
Each parameter is represented as 4 bytes in little-endian.
A 24-byte nonce for XChaCha20-Poly1305.
|
Note
|
The nonce should be generated from a CSPRNG. |
The MAC (authentication tag) of the header. The MAC is computed with BLAKE2b-512-MAC over the whole header up to and including the nonce (first 84 bytes of the header).
mac = BLAKE2b(
data = header[..84],
digestLength = 64,
key = headerMacKey,
salt = [],
personalization = [],
)
The size of salt and personalization (personalization string) are zero
(empty).
The payload is encrypted with XChaCha20-Poly1305.
ciphertext = XChaCha20-Poly1305(
plaintext = plaintext,
aad = [],
key = encryptionKey,
nonce = header[60..84],
)
The size of aad (additional authenticated data) is zero (empty).
nonce used when encrypting is stored in the
header, and the stored value is used when decrypting.
|
Important
|
The abcrypt encrypted data format uses a postfix tag. |
When transferring abcrypt files over the Internet, the appropriate MIME type is
application/x-abcrypt.