© 2023 Blockchain Commons
Authors: Wolf McNally, Christopher Allen
Date: December 9, 2023
Revised: December 9, 2023
Gordian Envelope can be used to encrypt and sign data. For encryption, Envelope supports both symmetric and public key encryption. Envelope also supports sharding using SSKR.
Gordian Envelope supports industry standard IETF-ChaCha20-Poly1305 symmetric encryption as described in BCR-2023-004. Using a symmetric crypto-key
defined in BCR-2020-001, the Envelope API specifically encrypts the subject of the envelope, transforming it into an instance of encrypted
(ibid.) and, leaving its assertions unencrypted. For example:
"Secret" [
"assertion1": "value1"
"assertion2": "value2"
]
becomes:
ENCRYPTED [
"assertion1": "value1"
"assertion2": "value2"
]
If the entire contents of an envelope are to be encrypted, it must first be wrapped, so all of its assertions are included:
{
"Secret" [
"assertion1": "value1"
"assertion2": "value2"
]
}
Now the entire contents of the envelope are encrypted:
ENCRYPTED
Note that in both cases, the digest associated with the envelope does not change, as the encrypted
message declares the digest of the unencrypted envelope as described in BCR-2023-004.
Symmetric key encryption is a building block of both the public key encryption and the sharding using SSKR described below.
A "sealed message" (crypto-sealed
) as described in BCR-2023-011 is a message that has been encrypted to a specific recipient using their public key (crypto-pubkeys
) (ibid.) in such a way that only the recipient and not even the sender can decrypt it later. Creating a sealed message involves several steps:
-
Create a Unique Symmetric Key: A unique symmetric key (the content key) is generated for encrypting the payload.
-
Ephemeral Sender Key Pair and Encryption: An ephemeral sender public-private key pair is created. The symmetric key is then encrypted using the recipient's public key through this ephemeral key pair.
-
Discard the Ephemeral Private Key: The ephemeral private key is discarded after its one-time use, enhancing security by ensuring that even the sender cannot decrypt the message once it's sent.
Gordian Envelope supports multi-recipient public key encryption by adding one or more hasRecipient: SealedMessage
assertions to the envelope. Only a single content key is used, but that key is separately encrypted to each recipient's public key base, one per recipient. For example, a message encrypted to two recipients would look like this:
ENCRYPTED [
'hasRecipient': SealedMessage
'hasRecipient': SealedMessage
]
As the sealed message gives no indicator of which recipient it is for, a recipient must try to decrypt each sealed message in turn until one succeeds. Once it has the content key, it can decrypt the envelope's subject.
A signature (signature
) (ibid.) supports either BIP-340 Schnorr (preferred) or ECDSA-25519-doublesha256. The signature is generated by signing the digest of the subject envelope. The signature is then added to the envelope as a verifiedBy
assertion. Multiple signers can be supported by adding multiple verifiedBy
assertions:
ENCRYPTED [
'verifiedBy': Signature
'verifiedBy': Signature
]
The above is an example of encrypt-then-sign. Sign-then-encrypt is also supported, by first adding the verifiedBy
assertion before encrypting the envelope:
"Payload" [
'verifiedBy': Signature
]
then wrapping the entire envelope:
{
"Payload" [
'verifiedBy': Signature
]
}
and finally encrypting the entire envelope:
ENCRYPTED
Sharding is a technique for splitting a secret into multiple shares, such that a minimum number of shares are required to reconstruct the secret. SSKR is a standard for sharding secrets, defined in BCR-2020-011. As with public key encryption, an ephemeral content key can be used to encrypt the payload, and then the content key can be sharded using SSKR. A set of envelopes can each be generated and distributed, each containing a unique sskrAssertion
containing a share of the content key:
ENCRYPTED [
'sskrShare': SSKRShare
]
A minimum number of shares can be used to reconstruct the content key, which can then be used to decrypt the envelope subject.
All of the above techniques can be combined. For example, a message can be signed:
"Payload" [
'verifiedBy': Signature
]
then wrapped:
{
"Payload" [
'verifiedBy': Signature
]
}
then encrypted:
ENCRYPTED
then a content key generated which is used to add a hasRecipient
assertion:
ENCRYPTED [
'hasRecipient': SealedMessage
]
then the content key sharded using SSKR:
ENCRYPTED [
'hasRecipient': SealedMessage
'sskrShare': SSKRShare
]
This results in a set of envelopes, the payload of which can be decrypted by a specific holder of the recipient's private key, or by collecting a quorum of SSKR shares.