Comment on page
Within the nocturne protocol, notes created via a JoinSplit are encrypted and then published on-chain in a manner such that only the recipient's viewing key can decrypt it. This allows users to privately and trustlessly detect incoming notes.
Nocturne uses a variant of Hybrid Public Key Encryption (HPKE) to accomplish this. Before we describe Nocturne's scheme in detail, for context, we'll describe at a high level how HPKE works:
- 1.The Sender...
- 1.generates an ephemeral, single-use symmetric encryption key.
- 2.uses the recipient's public key to "encapsulate" the symmetric encryption key. Only the recipient can "decapsulate" it. This mechanism is commonly referred to as a Key Encapsulation Module (KEM).
- 3.encrypts the message using the symmetric key using an authenticated encryption scheme to prevent malicious actors from modifying the ciphertext in transit.
- 4.sends encapsulated key along with the ciphertext to the recipient
- 2.The recipient...
- 1.attempts to decapsulate the encapsulated key. If it succeeds, they can recover the ephemeral secret key. If it fails, they reject the message.
- 2.attempts to decrypt the message using the symmetric encryption key. If it fails, they reject the message.
Public key encryption allows us to encrypt a message to the recipient without sharing secret information but is slow. On the other hand, symmetric key encryption is fast but requires a secret to be shared between parties. HPKE gives us the best of both worlds, which is important because we need to encrypt many notes on resource-constrained devices, but we also have no trustless mechanism for sharing secret keys.
Context out of the way, we'll now describe Nocturne's note encryption scheme in detail. First, some definitions:
- is the set of all-byte strings.is the set of all byte strings of any length.
- : a function that uniformly samples a random element of Baby Jubjub's scalar field.
- : A secret, random field element from which the protocol is "seeded".
- : A Baby Jubjub curve point that "encapsulates". Specifically, it's the sender's portion of a non-interactive Diffie-Hellman exchange (see below).
- : a shared "secret" Baby Jubjub curve point used to deriveusing. It is shared between the sender and the receiver via a non-interactive Diffie-Hellman exchange (see below).
- : A 32-byte ephemeral encryption key used for the symmetric part of the encryption scheme
- : A key derivation function that derives a 32-byte key from an arbitrary-length byte string representing the "input keying material", orfor short. We use it to derivefrom. We use HKDF as defined by [RFC-5869](https://datatracker.ietf.org/doc/html/rfc5869) and instantiate it over SHA256.
- : The symmetric encryption part of our HPKE scheme. In case it's not clear from the name, we use the ChaCha20Poly1305 encryption scheme. It has two methods:
- : encrypts the givenusing the given 32-byteand 12-byte.
- : attempts to decrypt the givenusing the givenand. If it fails, it returns an error ().
- : a function that derives a 12-byte nonce forfrom.
Spelled out, encryption takes as input:
- the message
- and the recipient's canonical address, which we use as their public key in this scheme (the corresponding secret key is their viewing key)
And proceeds as follows:
- 2.(thepart of Diffie-Hellman)
- 3.(thepart of Diffie-Hellman, whereis the recipient's)
Decryption takes as input:
- the ciphertext
- the encapsulated secret
- the recipient's viewing key
And proceeds as follows:
- 1.(the receiver's side of Diffie-Hellman,)
- 5.if, reject the message
- 6.otherwise, parsefrom
- 7.(extra check requiring the sender to prove that they know)
- 8.if, reject the message
- 9.otherwise, return