# Note Encryption and Decryption

The **note plaintext** is $np = (d, v, rcm, memo)$ where `d`

is the *diversifier* of the note owner, `v`

is the plaintext value of the note, `rcm`

is the randomness used for the note commitment and memo. The note plaintext is encrypted using a symmetric key and becomes $C^{enc}$ in the `Output Description`

. The sender of the transaction knows the full address of the recipient, ($d$, $pk_d$), and creates this shared secret by doing:

- Sender chooses a random number to create an
*ephemeral secret key (***esk**) - Create an
*ephemeral public key (*by using scalar multiplication between the diversifier of the recipient represented as a field point and esk. This ephemeral public key is a publicly known component of the Output Description and is seen by everyone.**epk**)- $epk = esk * g_d$
- Note: $g_d$ is the diversifier,
`d`

, represented as a field a point on the JubJub curve so we can do scalar multiplication (elliptic curve multiplication) using it

- Note: $g_d$ is the diversifier,

- $epk = esk * g_d$
- Derive
`shared_secret`

using Diffie Hellman Key Exchange between $esk$ and $pk_d$ (diversified public address of the recipient)- The public key portion of the full public address, $pk_d$, is derived by multiplying the diversifier with the incoming view key
`(ivk)`

, meaning $pk_d = g_d * ivk$ - Therefore, each party has the same information to get to the shared secret
- Remember that $epk = esk * g_d$ where $g_d$ is the diversifier
- The
**sender**calculates $shared\_secret = esk * pk_d = esk * g_d * ivk$ - The
**recipient**calculates $shared\_secret = epk * ivk = esk * g_d * ivk$

- The public key portion of the full public address, $pk_d$, is derived by multiplying the diversifier with the incoming view key
- Now that each party has a shared secret they both can calculate using their own secret information and the ephemeral public key, to get the symmetric encryption key to encrypt the note plaintext, we
**hash**the shared secret with the ephemeral public key- $encryption\_key = hash(shared_secret, epk)$

- Using the
**encryption_key**the sender uses symmetric encryption to calculate $C^{enc}$ that is part of the Output Description- Anyone who possesses the
**recipient’s incoming view key (ivk)**can decrypt $C^{enc}$ and see the plaintext value of the note as they can calculate the`shared_secret`

and get the symmetric encryption key - To make the
**sender’s outgoing viewing key (ovk)**useful, we also include $C^{out}$ as part of the Output Description- Remember that the sender calculates their
`shared_secret`

using $esk$ and $pk_d$ so that is the necessary information we need to hide in $C^{out}$ - Here we also create a symmetric encryption key, by hashing (using Blake2b) the value commitment
`(cv)`

, the field element version of the note commitment`(cmu)`

, and the ephemeral public key`(epk)`

**symmetric_encryption_key**= Black2b_hasher(buffer =**ovk**, cv, cmu, epk)- Notice that the symmetric_encryption_key is created using all public values and the sender’s outgoing viewing key (ovk) so one must have access to the outgoing view key to decrypt the note sent by the sender

- Now that the sender has their symmetric_encryption_key they can create $C^{out}$ by using the
**symmetric_encryption_key**to encrypt $esk$ and $p_d$ encrypt- $C^{out}$ =
**SymmetricEncrypt(key=symmetric_encryption_key,**`esk`

concatenated with $pk_d$)

- $C^{out}$ =

- Remember that the sender calculates their

- Anyone who possesses the