This project implements the CFRG's draft-barnes-cfrg-hpke-01, Hybrid Public Key Encryption (HPKE). This branch differs from the original draft in the nonce generation for AEAD. Rather than stateful deriving of the nonce, this branch randomly generates the nonce and appends in the beggining of the ciphertext . For the original stateful implementation, look for branch draft-01.
Referenced from section 6:
BASEEncryption to a Public Key: the most basic function of an HPKE scheme is to enable encryption for the holder of a given KEM private key.PSKAuthentication using a Pre-Shared Key: This variant extends the base mechansism by allowing the recipient to authenticate that the sender possessed a given pre-shared key (PSK). We assume that both parties have been provisioned with both the PSK value "psk" and another octet string "pskID" that is used to identify which PSK should be used.AUTHAuthentication using an Asymmetric Key: This variant extends the base mechansism by allowing the recipient to authenticate that the sender possessed a given KEM private key. In other words, only two people could have produced this secret, so if the recipient is one, then the sender must be the other.
| Configuration Name | DH Group | KDF | AEAD |
|---|---|---|---|
| <mode>_X25519_SHA256_AES_GCM_128 | Curve25519 | HKDF-SHA256 | AES-GCM-128 |
| <mode>_X25519_SHA256_ChaCha20Poly1305 | Curve25519 | HKDF-SHA256 | ChaCha20Poly1305 |
| <mode>_X25519_SHA256_XChaCha20Blake2bSIV | Curve25519 | HKDF-SHA256 | XChaCha20Blake2b |
| <mode>_P256_SHA256_AES_GCM_128 | P-256 | HKDF-SHA256 | AES-GCM-128 |
| <mode>_P256_SHA256_ChaCha20Poly1305 | P-256 | HKDF-SHA256 | ChaCha20Poly1305 |
| <mode>_P256_SHA256_XChaCha20Blake2bSIV | P-256 | HKDF-SHA256 | XChaCha20Blake2b |
| <mode>_P521_SHA512_AES_GCM_256 | P-521 | HKDF-SHA512 | AES-GCM-256 |
| <mode>_P521_SHA512_ChaCha20Poly1305 | P-521 | HKDF-SHA512 | ChaCha20Poly1305 |
| <mode>_P521_SHA256_XChaCha20Blake2bSIV | P-521 | HKDF-SHA512 | XChaCha20Blake2b |
See section 6 for reference.
On top of the AEAD primitives from the draft, implements one more (experimental) AEAD construction with XChaCha20Blake2b in the synthetic IV construction (i.e. no nonce)
Examples: BASE_X25519_SHA256_AES_GCM_128, PSK_P256_SHA256_ChaCha20Poly1305, AUTH_P521_SHA512_ChaCha20Poly1305
- Run
go get -u https://github.com/danielhavir/go-hpke
package main
import (
"bytes"
"crypto/rand"
"fmt"
hpke "github.com/danielhavir/go-hpke"
)
func main() {
params, _ := hpke.GetParams(hpke.BASE_X25519_SHA256_XChaCha20Blake2bSIV)
random := rand.Reader
prv, pub, err := hpke.GenerateKeyPair(params, random)
if err != nil {
panic(fmt.Sprintf("failed to generate key pair: %s\n", err))
}
msg := []byte("Oh so very secret!")
ciphertext, ephemeral, err := hpke.EncryptBase(params, random, pub, msg, nil)
if err != nil {
panic(fmt.Sprintf("failed to encrypt message: %s\n", err))
}
plaintext, err := hpke.DecryptBase(params, prv, ephemeral, ciphertext, nil)
if err != nil {
panic(fmt.Sprintf("failed to decrypt ciphertext: %s\n", err))
}
if !bytes.Equal(msg, plaintext) {
panic("authentication failed")
} else {
fmt.Println("all good")
}
}- R. Barnes, K. Bhargavan - Hybrid Public Key Encryption draft-barnes-cfrg-hpke-00
- Go crypto package
- Go ecdh package