Owner: @Marcin Pawlowski

Introduction

The message encapsulation mechanism is part of the Blend Protocol and it describes the cryptographic operations necessary for building and processing messages by a Blend node.

This document is part of the Formatting section. Please read through that document to better understand the context of the encapsulation mechanism and constructions used here.

Notation

$\mathbf K^{n}h = \{(K^{n}{0}, k^{n}{0}, \pi{Q}^{K_{0}^{n}}),...,(K^{n}{h-1}, k^{n}{h-1}, \pi_{Q}^{K_{h-1}^{n}}) \}$ is a collection of $h$ key pairs for a node $n$ with proofs of quota, where $K_{i}^{n}$ is the $i$-th public key and $k_{i}^{n}$ is its corresponding private key, and $\pi_{Q}^{K_{i}^{n}}$ is its proof of quota.
```
Ed25519PublicKey = bytes
Ed25519PrivateKey = bytes
KEY_SIZE = 32
ProofOfQuota = bytes
PROOF_OF_QUOTA_SIZE = 160

KeyCollection = List[KeyPair]

class KeyPair:
	signing_public_key: Ed25519PublicKey
	signing_private_key: Ed25519PrivateKey
	proof_of_quota: ProofOfQuota
```
- For more information about key generation mechanism please refer to Key Types and Generation Specification.
- For more information about proof of quota please refer to Proof of Quota.
$P^n$ is a public key of the node $n$, which is globally accessible using the Service Declaration Protocol (SDP). We are using this notation to distinguish the origin of the key, hence the following simplified notation.
- For more information about Service Declaration Protocol please refer to Service Declaration Protocol.
$\mathcal{N} = \text{SDP}(s)$ is the set of nodes globally accessible using the SDP.
```
class Node:
	signing_public_key: Ed25519PublicKey
```
$N =|\mathcal{N}|$ is the number of nodes globally accessible using the SDP.
$\kappa^{n,m}{i} = k^{n}{i} \cdot P^{m} = K^{n}_{i} \cdot p^{m}$, is a shared key calculated between node $n$ and node $m$ using the $i$-th key of the node $n$, $P^{m}$ is the public key of the node $m$ retrieved from the SDP protocol and $p^m$ is its corresponding private key.
```
SharedKey = bytes  # KEY_SIZE
```
$\pi^{K^{n}{l},m}{S}$ is the proof of selection of the public key $K^{n}_l$ to the node index $m$ from a set of all nodes $N$.
```
ProofOfSelection = bytes
PROOF_OF_SELECTION_SIZE = 32
```
- For more information about the proof of selection, please refer to Proof of Selection.
$H_\mathbf{N}()$ is a domain-separated hash function dedicated to the node index selection (the implementation of the hash function is blake2b).
$H_\mathbf{I}()$ is a domain-separated hash function dedicated to the initialization of the blend header (the implementation of the hash function is blake2b).
$H_\mathbf{b}()$ is a domain-separated hash function dedicated to the blend header encryption operations (the implementation of the hash function is blake2b).
$H_\mathbf{P}()$ is a domain-separated hash function dedicated to the payload encryption operations (the implementation of the hash function is blake2b).
```
def blake2b512(data: bytes) -> bytes:
	return Blake2b.hash512(data)
```
$\beta_{max}$ is the maximal number of blending headers in the private header.
```
ENCAPSULATION_COUNT: int
```
$\text {CSPRBG}()$ is a cryptographically secure pseudo-random bits generator, it is implemented as BLAKE2b-Based PRNG Construction.
$\text {CSPRBG}()_{x}$ is a cryptographically secure pseudo-random bits generator whose output is restricted to $x$ bits, it is implemented as BLAKE2b-Based PRNG Construction.
```
def pseudo_random(key: bytes, size: int) -> bytes:
	rand = BlakeRng.from_seed(blake2b512(key)).generate(size)
	assert len(rand) == size
	return rand
```
$|t|$ returns the length of the $t$ expressed in bits.

$\oplus$ is a XOR operation.

def xor(a: bytes, b: bytes) -> bytes:
	assert len(a) == len(b)
	return bytes(x ^ y for x, y in zip(a, b))