Foundational crypto for FoF Mode 2 (public body + FoF-gated comments)
and Mode 1 (FoFClosed; later). Implements the dual-derivation wrap
slot from docs/fof-spec/layer-2-mode2-fof-comments.md:
- Each slot is sealed under one V_x and dual-derived:
read part → 32B CEK (read capability for the post)
sign part → 32B priv_x (per-V_x signing capability)
- Both halves use ChaCha20-Poly1305 with deterministic key+nonce
derived from (V_x, slot_binder_nonce) via blake3::derive_key with
distinct sub-contexts. Receiver trial-decrypts: success on both
halves yields OpenedWrapSlot{cek, priv_x_seed}.
- 2-byte prefilter tag = blake3-derive("...prefilter", nonce||V_x)[..2].
Receivers precompute one per held V_x per post; skip non-matching
slots entirely. Cuts trial-decrypt cost by ~2^16.
slot_binder_nonce (32B random per-post) replaces the spec's literal
"post_id in HKDF info" — PostId = BLAKE3(post) would be circular here.
Same anti-replay property: unique per publish, recipient-free, in the
post header in plaintext.
Also adds derive_cek_comments(cek, slot_binder_nonce) for the
comment-body encryption key (distinct from the post body CEK; lets
Mode 2 keep body public but comments private).
4 unit tests: slot roundtrip, wrong-binder-fails, prefilter tag
stability + keying, cek_comments distinct-per-post.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
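The seal/open flow of the wrap slot described above, as an added illustration that is not the project's own code: stdlib stand-ins are used (keyed BLAKE2b in place of blake3::derive_key, and a BLAKE2b keystream plus keyed 16-byte tag in place of ChaCha20-Poly1305), and the context strings and 98-byte slot layout are assumptions.

```python
import hashlib, hmac

def _derive(context: str, material: bytes, n: int = 32) -> bytes:
    # Stand-in for blake3::derive_key(context, material): keyed BLAKE2b with the
    # context string as key gives the same domain separation between sub-contexts.
    return hashlib.blake2b(material, key=context.encode(), digest_size=n).digest()

def _aead_seal(key: bytes, nonce: bytes, pt: bytes) -> bytes:
    # Stand-in for ChaCha20-Poly1305 (not in the stdlib): BLAKE2b keystream + keyed 16B tag.
    ks = hashlib.blake2b(nonce, key=key, person=b"fof-ks").digest()[:len(pt)]
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return ct + hashlib.blake2b(nonce + ct, key=key, person=b"fof-tag", digest_size=16).digest()

def _aead_open(key: bytes, nonce: bytes, blob: bytes):
    ct, tag = blob[:-16], blob[-16:]
    want = hashlib.blake2b(nonce + ct, key=key, person=b"fof-tag", digest_size=16).digest()
    if not hmac.compare_digest(tag, want):
        return None                     # wrong key/nonce: trial-decrypt fails here
    ks = hashlib.blake2b(nonce, key=key, person=b"fof-ks").digest()[:len(ct)]
    return bytes(a ^ b for a, b in zip(ct, ks))

def _slot_keys(v_x: bytes, binder: bytes, part: str):
    # Distinct sub-contexts per half (read/sign) and per output (key/nonce); strings are assumed.
    return (_derive(f"fof-mode2 {part} key", v_x + binder),
            _derive(f"fof-mode2 {part} nonce", v_x + binder, 12))

def prefilter_tag(v_x: bytes, binder: bytes) -> bytes:
    return _derive("fof-mode2 prefilter", binder + v_x, 2)
def seal_slot(v_x: bytes, binder: bytes, cek: bytes, priv_x_seed: bytes) -> bytes:
    # Assumed slot layout: 2B prefilter tag || read half (32+16) || sign half (32+16) = 98 bytes.
    rk, rn = _slot_keys(v_x, binder, "read")
    sk, sn = _slot_keys(v_x, binder, "sign")
    return prefilter_tag(v_x, binder) + _aead_seal(rk, rn, cek) + _aead_seal(sk, sn, priv_x_seed)

def open_slots(held_vx, binder: bytes, slots):
    # Receiver: one tag per held V_x, skip non-matching slots, trial-decrypt both halves.
    tags = [(prefilter_tag(v, binder), v) for v in held_vx]
    for slot in slots:
        for tag, v in tags:
            if slot[:2] != tag:
                continue
            rk, rn = _slot_keys(v, binder, "read")
            sk, sn = _slot_keys(v, binder, "sign")
            cek, seed = _aead_open(rk, rn, slot[2:50]), _aead_open(sk, sn, slot[50:98])
            if cek is not None and seed is not None:
                return {"cek": cek, "priv_x_seed": seed}
    return None

def derive_cek_comments(cek: bytes, binder: bytes) -> bytes:
    # Comment-body key, distinct from the post-body CEK and per-post via the binder.
    return _derive("fof-mode2 cek comments", cek + binder)
```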