abcrypt is a modern file encryption format with the data authenticity. This document describes the abcrypt encrypted data format.
abcrypt is a modern file encryption format inspired by the scrypt encrypted data format. abcrypt uses Argon2id for key derivation, BLAKE2b-512-MAC for header integrity checking and XChaCha20-Poly1305 for encryption.
Argon2 is the key derivation function from RFC 9106.
BLAKE2b-512-MAC is the keyed hash function based on BLAKE2 standardized in RFC 7693. This uses BLAKE2b and always outputs a 64-byte MAC.
XChaCha20-Poly1305 is the AEAD algorithm from draft-arciszewski-xchacha-03.
An abcrypt file is composed of two parts: a header containing the required data and a file body encrypted with the derived key.
abcrypt files may use the extension .abcrypt.
| Offset | Bytes | Description | Detail |
|---|---|---|---|
\$0\$ |
\$7\$ |
Magic number ("abcrypt"). |
|
\$7\$ |
\$1\$ |
Version number. |
|
\$8\$ |
\$4\$ |
Memory size |
|
\$12\$ |
\$4\$ |
Number of iterations |
|
\$16\$ |
\$4\$ |
Degree of parallelism |
|
\$20\$ |
\$32\$ |
Salt. |
|
\$52\$ |
\$24\$ |
Nonce. |
|
\$76\$ |
\$64\$ |
MAC of the header. |
|
\$140\$ |
\$n\$ |
Ciphertext. |
|
\$140 + n\$ |
\$16\$ |
MAC of the ciphertext. |
All multibyte values are stored in little-endian.
The derived key for computing the header MAC and the derived key for encryption are produced by Argon2. The abcrypt encrypted data format uses Argon2id as the type and 0x13 (19) as the version.
derived_key = Argon2(
memoryCost = header[8..12],
timeCost = header[12..16],
parallelism = header[16..20],
output_len = 96,
algorithm = Argon2id,
version = 0x13,
pwd = password,
salt = header[20..52],
)
The resulting derived key (derived_key) length is 96 bytes. The first 32
bytes of derived_key are for encryption (XChaCha20-Poly1305 key), and the
last 64 bytes are for computing the header MAC (BLAKE2b-512-MAC key).
memoryCost, timeCost,
parallelism, and salt used when encrypting
are stored in the header, and these stored values are used when decrypting.
A 7-byte string for identifying the abcrypt encrypted data format. The value is
"abcrypt" (61 62 63 72 79 70 74 in hex).
A 1-byte version number of the abcrypt encrypted data format. The current value is 0.
| Parameter | Minimum value | Maximum value | Description |
|---|---|---|---|
|
\$8 xx p\$ |
\$2^(32) - 1\$ |
Memory size in KiB. |
|
\$1\$ |
\$2^(32) - 1\$ |
Number of iterations. |
|
\$1\$ |
\$2^(24) - 1\$ |
Degree of parallelism. |
Each parameter is represented as 4 bytes in little-endian.
The MAC (authentication tag) of the header. The MAC is computed with BLAKE2b-512-MAC over the whole header up to and including the nonce (first 76 bytes of the header).
mac = BLAKE2b(
data = header[..76],
output_size = 64,
key = derived_key[32..],
salt = [],
person = [],
)
The size of salt and person (personalization string) is zero (empty).
The file body is encrypted with XChaCha20-Poly1305.
ciphertext = XChaCha20-Poly1305(
key = derived_key[..32],
nonce = header[20..52],
plaintext = plaintext,
aad = [],
)
The size of aad (additional authenticated data) is zero (empty).
|
Important
|
The abcrypt encrypted data format uses a postfix tag. |