PZip uses AES-GCM with 256-bit keys, 96-bit nonces (by default), and 128-bit authentication tags. Keys are derived using one of the following, based on the source key material:
- PBKDF2-SHA256 with a configurable iteration count (currently 600,000) if the key material is a password
- HKDF-SHA256 if the key material is a random key
PZip also has the option to use raw keys with no derivation.
The PZip format is essentially an implemetation of the STREAM protocol, a nonce-based OAE scheme.
A random 96-bit nonce is generated by default for each file, but may also be supplied via the Python interface for systems that can more strongly guarantee uniqueness. When deriving keys, a random 256-bit salt is generated by default, but may also be provided manually.
The ciphertext of a PZip file is split into some number of blocks. Each block is independently encrypted, prefixed with the length of the block (and a set of flags), and has a 128-bit AES-GCM authentication tag appended to the end. The nonce for each block (Nb) is calculated as follows, for block number B and original file nonce N:
Bis converted to a 32-bit big endian unsigned integer, and left padded with zero bits to be the same length asN.Nis XOR-ed withBto get the block nonce,Nb.