You are reading the GoQuorum development version documentation, and some displayed features may not be available in the stable release.

Cryptographic elliptic curves

By default Tessera’s Enclave uses the jnacl implementation of the NaCl library to encrypt and decrypt private payloads.

NaCl provides public-key authenticated encryption by using curve25519xsalsa20poly1305, a combination of the:

  1. Curve25519 Diffie-Hellman key-exchange function: based on fast arithmetic on a strong elliptic curve
  2. Salsa20 stream cipher: encrypts a message using the shared secret
  3. Poly1305 message-authentication code: authenticates the encrypted message using a shared secret.

The NaCl primitives provide good security and speed and are sufficient in most circumstances.

Configure an alternative cryptographic elliptic curve

You can replace the NaCl primitives with alternative curves and symmetric ciphers by supplying a compatible JCA provider (for example SunEC provider) and the necessary Tessera configuration.

The same enclave encryption process is used regardless of whether the NaCl or JCA encryptor is configured.

Example JCA encryptor configuration

"encryptor":{
    "type":"EC",
    "properties":{
        "symmetricCipher":"AES/GCM/NoPadding",
        "ellipticCurve":"secp256r1",
        "nonceLength":"24",
        "sharedKeyLength":"32"
    }
}
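
To show what the properties above correspond to at the JCA level, the following added example (not Tessera's code) runs ECDH on secp256r1, encrypts with AES/GCM/NoPadding under a 24-byte nonce and a 32-byte key, and confirms that a modified ciphertext is rejected. The class name, the SHA-256 key-derivation step and the 128-bit tag length are assumptions, since the page does not say how Tessera derives the shared key.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;

public class EcEncryptorSketch {
    // Values taken from the example "properties" block above.
    static final String CURVE = "secp256r1", CIPHER = "AES/GCM/NoPadding";
    static final int NONCE_LEN = 24, SHARED_KEY_LEN = 32;

    static KeyPair newKeyPair() throws GeneralSecurityException {
        KeyPairGenerator g = KeyPairGenerator.getInstance("EC");
        g.initialize(new ECGenParameterSpec(CURVE));
        return g.generateKeyPair();
    }

    // ECDH, then SHA-256 as the KDF (an assumption), cut to sharedKeyLength bytes.
    static SecretKeySpec sharedKey(PrivateKey mine, PublicKey theirs) throws GeneralSecurityException {
        KeyAgreement ka = KeyAgreement.getInstance("ECDH");
        ka.init(mine);
        ka.doPhase(theirs, true);
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(ka.generateSecret());
        return new SecretKeySpec(Arrays.copyOf(digest, SHARED_KEY_LEN), "AES");
    }
    // One fresh Cipher per call; GCM appends a 128-bit authentication tag to the output.
    static byte[] crypt(int mode, SecretKeySpec key, byte[] nonce, byte[] in) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(CIPHER);
        c.init(mode, key, new GCMParameterSpec(128, nonce));
        return c.doFinal(in);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPair sender = newKeyPair(), recipient = newKeyPair();
        byte[] nonce = new byte[NONCE_LEN];
        new SecureRandom().nextBytes(nonce); // a nonce must never repeat under the same key
        byte[] payload = "constructed sample payload".getBytes(StandardCharsets.UTF_8);
        byte[] ct = crypt(Cipher.ENCRYPT_MODE, sharedKey(sender.getPrivate(), recipient.getPublic()), nonce, payload);
        SecretKeySpec recipientKey = sharedKey(recipient.getPrivate(), sender.getPublic());
        System.out.println(new String(crypt(Cipher.DECRYPT_MODE, recipientKey, nonce, ct), StandardCharsets.UTF_8));
        ct[0] ^= 1; // flip one ciphertext bit: tag verification must now fail
        try {
            crypt(Cipher.DECRYPT_MODE, recipientKey, nonce, ct);
            throw new IllegalStateException("tampering not detected");
        } catch (AEADBadTagException e) {
            System.out.println("tampered ciphertext rejected");
        }
    }
}
```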

Setting type to CUSTOM lets an external encryptor implementation integrate with Tessera. The pilot third-party integration is Unbound Tech’s Unbound Key Control (UKC) encryptor (jar available at com.github.unbound-tech:encryption-ub:<version>).
