Abcrypt Encrypted Data Format
abcrypt is a modern file encryption format with the data authenticity. This document describes the abcrypt encrypted data format.
Introduction
abcrypt is a modern file encryption format inspired by the scrypt encrypted data format. abcrypt uses Argon2id for key derivation, BLAKE2b-512-MAC for header integrity checking and XChaCha20-Poly1305 for encryption.
Conventions used in this document
Argon2 is the key derivation function from RFC 9106.
BLAKE2b-512-MAC is the keyed hash function based on BLAKE2 standardized in RFC 7693. This uses BLAKE2b and always outputs a 64-byte MAC.
XChaCha20-Poly1305 is the AEAD algorithm from draft-arciszewski-xchacha-03.
Format overview
An abcrypt file is composed of two parts: a header containing the required data and a file body encrypted with the derived key.
abcrypt files may use the extension .abcrypt.
| Offset | Bytes | Description | Detail |
|---|---|---|---|
Magic number ("abcrypt"). | |||
Version number. | |||
Memory size | |||
Number of iterations | |||
Degree of parallelism | |||
Salt. | |||
Nonce. | |||
MAC of the header. | |||
Ciphertext. | |||
MAC of the ciphertext. |
All multibyte values are stored in little-endian.
Key derivation
The derived key for computing the header MAC and the derived key for encryption are produced by Argon2. The abcrypt format uses Argon2id as the type and 0x13 (19) as the version.
derived_key = Argon2(
memoryCost = header[8..12],
timeCost = header[12..16],
parallelism = header[16..20],
output_len = 96,
algorithm = Argon2id,
version = 0x13,
pwd = password,
salt = header[20..52],
)The resulting derived key (derived_key) length is 96 bytes. The first 32
bytes of derived_key are for encryption (XChaCha20-Poly1305 key), and the
last 64 bytes are for computing the header MAC (BLAKE2b-512-MAC key).
memoryCost, timeCost,
parallelism, and salt used when encrypting
are stored in the header, and these stored values are used when decrypting.
Header format
Magic number
A 7-byte string for identifying the abcrypt format. The value is "abcrypt"
(61 62 63 72 79 70 74 in hex).
Argon2 parameters
| Parameter | Minimum value | Maximum value | Description |
|---|---|---|---|
| Memory size in KiB. | ||
| Number of iterations. | ||
| Degree of parallelism. |
Each parameter is represented as 4 bytes in little-endian.
Header MAC
The MAC (authentication tag) of the header. The MAC is computed with BLAKE2b-512-MAC over the whole header up to and including the nonce (first 76 bytes of the header).
mac = BLAKE2b(
data = header[..76],
output_size = 64,
key = derived_key[32..],
salt = [],
person = [],
)The size of salt and person (personalization string) is zero (empty).
File body
The file body is encrypted with XChaCha20-Poly1305.
ciphertext = XChaCha20-Poly1305(
key = derived_key[..32],
nonce = header[20..52],
plaintext = plaintext,
aad = [],
)The size of aad (additional authenticated data) is zero (empty).
| The abcrypt format uses a postfix tag. |
ABNF definition of the file format
abcrypt = header payload
; Header
header = signature version-number argon2-parameters salt nonce header-mac
signature = %s"abcrypt" ; magic number
version-number = OCTET
salt = 32OCTET ; 32-byte salt for Argon2
nonce = 24OCTET ; 24-byte nonce for XChaCha20-Poly1305
header-mac = 64OCTET ; BLAKE2b-512-MAC of the header
; Argon2 parameters
argon2-parameters = memory-cost time-cost parallelism
memory-cost = %x00000008-FFFFFFFF ; memory size in KiB
time-cost = %x00000001-FFFFFFFF ; number of iterations
parallelism = %x00000001-00FFFFFF ; degree of parallelism
; Payload
payload = ciphertext ciphertext-mac
ciphertext = *OCTET ; encrypted with XChaCha20
ciphertext-mac = 16OCTET ; Poly1305 of the ciphertext