The crypto_kdf API can derive up to 2^64 keys from a single master key and context, and individual subkeys can have an arbitrary length between 128 bits (16 bytes) and 512 bits (64 bytes).

The crypto_kdf_keygen() function creates a master key.

The crypto_kdf_derive_from_key() function derives a subkey_id-th subkey subkey of length subkey_len bytes using the master key key and the context ctx.

subkey_id can be any value up to (2^64)-1.

subkey_len must be between crypto_kdf_BYTES_MIN (inclusive) and crypto_kdf_BYTES_MAX (inclusive).

ctx is an 8 character string describing what the key is going to be used for.

UserName, __auth__, pictures, and userdata.

crypto_kdf_CONTEXTBYTES bytes long.

crypto_kdf_PRIMITIVE
crypto_kdf_BYTES_MIN
crypto_kdf_BYTES_MAX
crypto_kdf_CONTEXTBYTES
crypto_kdf_KEYBYTES
BLAKE2B-subkeylen(key=key, message={}, salt=subkey_id || {0}, personal=ctx || {0})
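
The construction above, written out with Python's hashlib as an added example (not code from libsodium or its documentation), showing that subkeys are separated by id, by context and by length. It assumes subkey_id is encoded as 8 little-endian bytes and that the master key is 32 bytes, neither of which is stated on this page; kdf_keygen, kdf_derive_from_key and demo are names chosen here.

```python
import hashlib
import secrets

# Sizes behind the constants listed above. The 32-byte key size is an
# assumption; the other values follow from the text (8, 16 and 64 bytes).
crypto_kdf_KEYBYTES = 32
crypto_kdf_CONTEXTBYTES = 8
crypto_kdf_BYTES_MIN = 16
crypto_kdf_BYTES_MAX = 64


def kdf_keygen() -> bytes:
    """Create a random master key (the role of crypto_kdf_keygen())."""
    return secrets.token_bytes(crypto_kdf_KEYBYTES)


def kdf_derive_from_key(subkey_len: int, subkey_id: int, ctx: bytes, key: bytes) -> bytes:
    """BLAKE2B-subkeylen(key=key, message={}, salt=subkey_id || {0}, personal=ctx || {0})."""
    if not crypto_kdf_BYTES_MIN <= subkey_len <= crypto_kdf_BYTES_MAX:
        raise ValueError("subkey_len must be between 16 and 64 bytes")
    if not 0 <= subkey_id <= 2**64 - 1:
        raise ValueError("subkey_id must fit in 64 bits")
    if len(ctx) != crypto_kdf_CONTEXTBYTES:
        raise ValueError("ctx must be exactly 8 bytes")
    if len(key) != crypto_kdf_KEYBYTES:
        raise ValueError("master key must be 32 bytes")
    # Assumption: the id is stored little-endian, then zero-padded to 16 bytes.
    salt = subkey_id.to_bytes(8, "little") + bytes(8)
    personal = ctx + bytes(8)  # 8-byte context zero-padded to 16 bytes
    return hashlib.blake2b(b"", digest_size=subkey_len, key=key,
                           salt=salt, person=personal).digest()


def demo() -> dict:
    master = bytes(range(32))  # constructed sample key; use kdf_keygen() in practice
    return {
        "auth_1": kdf_derive_from_key(32, 1, b"__auth__", master),
        "auth_2": kdf_derive_from_key(32, 2, b"__auth__", master),
        "pics_1": kdf_derive_from_key(32, 1, b"pictures", master),
        # The output length is part of the BLAKE2b parameters, so this is
        # not auth_1 with 32 more bytes appended.
        "long_1": kdf_derive_from_key(64, 1, b"__auth__", master),
    }


if __name__ == "__main__":
    for name, subkey in demo().items():
        print(name, subkey.hex())
```
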
The crypto_generichash_blake2b_salt_personal() function can be used to derive a subkey between 128 and 512 bits long from a 128- to 512-bit key.

(appid) is a 16-byte value that doesn't have to be secret. It can be used so that the same (masterkey, keyid) tuple will produce a different output in different applications. It is not required, however: a NULL pointer can be passed instead to use the default constant.

(keyid) doesn't have to be secret either. This is a 16-byte identifier that can be a simple counter and is used to derive more than one key out of a single master key.

crypto_box_* and crypto_secretbox_*) and XChaCha20, ciphers such as AES-GCM and ChaCha20 require a nonce too short to be chosen randomly (64 or 96 bits). With 96-bit random nonces, 2^32 encryptions is the limit before the probability of duplicate nonces becomes too high.

crypto_core_hchacha20() function, which can be used as a PRF for that purpose:

(crypto_core_hchacha20_KEYBYTES) secret key k as well as a 16-byte (crypto_core_hchacha20_INPUTBYTES) input in and outputs a 32-byte (crypto_core_hchacha20_OUTPUTBYTES) value indistinguishable from random data without knowing k.

(crypto_core_hchacha20_CONSTBYTES) constant c can be specified to personalize the function to an application. c can be left to NULL to use the default constant.