Rekrypt
Professional proxy re-encryption library based on Curve25519 (ECC) for Rust and WebAssembly.
https://github.com/user-attachments/assets/64e1568e-75d8-4266-8e52-345594fe212f
Installation
⚠️ Notice: This project is under active development. NPM and Cargo packages are not yet published. Please build from source for now.
# NPM (coming soon)
# Cargo (coming soon)
For now, please build from source (see below).
Build from Source
This project provides a unified Makefile for building all components:
# Quick start - build everything
# Or build specific components
# Cross-compile FFI for multiple platforms
# Run tests
# Development
Quick Start
import init from 'rekrypt';
await ;
const sdk = ;
// Generate keypair
const alice = sdk.;
// Encrypt
const data = .;
const encrypted = sdk.;
// Decrypt
const decrypted = sdk.;
See docs/ for complete examples and API reference.
Using FFI Library (Go Example)
package main
/*
#cgo LDFLAGS: -L./rekrypt-ffi/lib/linux-x64 -lrekrypt_ffi
#include <stdint.h>
extern int rekrypt_version();
*/
import "C"
import "fmt"
func main()
More examples in rekrypt-ffi/.
Supported Platforms
WebAssembly
- All modern browsers (Chrome, Firefox, Safari, Edge)
- Node.js with WASM support
- Deno and Bun
FFI Library (Native)
Rekrypt provides native FFI libraries for multiple platforms:
| Platform | Architecture | Status |
|---|---|---|
| Linux | x86_64 (Intel/AMD) | Supported |
| Linux | ARM64 (ARMv8) | Supported |
| Windows | x86_64 (64-bit) | Supported |
| macOS | x86_64 (Intel) | Supported |
| macOS | ARM64 (Apple Silicon) | Supported |
Language Bindings: C, C++, Go (CGO), Python (ctypes), Node.js (FFI), Rust, and any language with C FFI support.
See rekrypt-ffi/ for FFI usage examples.
Documentation
API Documentation
- Rust API Docs: Run
make doc-openor visit https://docs.rs/rekrypt (after publishing) - GitHub Pages: https://stevenleep.github.io/rekrypt/ (auto-deployed on push)
Guides
- API Reference - Complete API documentation
- Usage Examples - Code examples
- Publishing Guide - How to publish documentation and packages
- Cross-Compilation Guide - Build FFI for multiple platforms
- Architecture & Design - System architecture and cryptographic design
- Internal Implementation - Deep dive into implementation details
- Security Guide - Security best practices
- Streaming Guide - Large file handling
- Deployment Guide - Production deployment and scaling
What is Proxy Re-Encryption?
Allows a semi-trusted proxy to transform ciphertext from one key to another without learning the plaintext.
Alice encrypts → Transform Key → Proxy transforms → Bob decrypts
(Alice grants) (Zero knowledge)
Core Technology: Curve25519 (ECC) - Modern elliptic curve cryptography, NOT RSA
Benefits: Zero-trust proxy, key isolation, flexible delegation, one-to-many sharing.
Proxy Re-Encryption Flow
Alice Business Server Proxy Server Bob
│ │ │ │
│ 1. Encrypt │ │ │
│ encrypt(data, │ │ │
│ alice.pubKey) │ │ │
│ │ │ │
│ 2. Upload │ │ │
├─────────────────►│ │ │
│ Ciphertext + │ Store encrypted │ │
│ Capsule │ data │ │
│ │ │ │
│ 3. Grant Access │ │ │
│ transformKey = │ │ │
│ generateTransformKey( │ │
│ alice.privKey,│ │ │
│ bob.pubKey) │ │ │
│ │ │ │
│ 4. Send Key │ │ │
├─────────────────►│ │ │
│ │ │ │
│ │ 5. Request Transform│ │
│ ├────────────────────►│ │
│ │ Ciphertext + │ │
│ │ TransformKey │ │
│ │ │ │
│ │ │ 6. Transform │
│ │ │ (Zero Knowledge) │
│ │ │ ⚠️ CANNOT see │
│ │ │ plaintext │
│ │ │ │
│ │ 7. Transformed │ │
│ │◄────────────────────┤ │
│ │ Ciphertext │ │
│ │ (for Bob) │ │
│ │ │ │
│ │ 8. Bob requests access │
│ │◄───────────────────────────────────────┤
│ │ │ │
│ │ 9. Send Transformed │ │
│ ├───────────────────────────────────────►│
│ │ │ │
│ │ │ 10. Decrypt │
│ │ │ decryptDelegated(
│ │ │ bob.privKey) │
│ │ │ │
│ │ │ ┌──────────┐ │
│ │ │ │Plaintext │◄───┤
│ │ │ └──────────┘ │
Key Points:
• Alice's private key never leaves her device
• Proxy transforms without seeing plaintext
• Bob decrypts without Alice's key
• Business server stores encrypted data only
License
AGPL-3.0
Copyright (C) 2025 stenvenleep