[−]Crate recrypt
Recrypt implements a set of cryptographic primitives for building a multi-hop proxy re-encryption scheme, known as Transform Encryption.
Start exploring the Api documentation
Basic Encrypt/Decrypt Example
use recrypt::prelude::*; use recrypt::Revealed; // create a new recrypt let mut recrypt = Recrypt::new(); // generate a plaintext to encrypt let pt = recrypt.gen_plaintext(); // generate a public/private keypair and some signing keys let (priv_key, pub_key) = recrypt.generate_key_pair().unwrap(); let signing_keypair = recrypt.generate_ed25519_key_pair(); // encrypt! let encrypted_val = recrypt.encrypt(&pt, &pub_key, &signing_keypair).unwrap(); // decrypt! let decrypted_val = recrypt.decrypt(encrypted_val, &priv_key).unwrap(); // plaintext recovered. assert_eq!(Revealed(pt), Revealed(decrypted_val))
Single-hop Transform Encryption Example
Encrypt a message to public key initial_pub_key
and decrypt it with target_priv_key
after transforming the encrypted message.
use recrypt::prelude::*; use recrypt::Revealed; // create a new recrypt let mut recrypt = Recrypt::new(); // generate a plaintext to encrypt let pt = recrypt.gen_plaintext(); // generate signing keys let signing_keypair= recrypt.generate_ed25519_key_pair(); // generate a public/private keypair to encrypt the data to initially. let (initial_priv_key, initial_pub_key) = recrypt.generate_key_pair().unwrap(); // encrypt the data to `initial_pub_key`! let encrypted_val = recrypt.encrypt(&pt, &initial_pub_key, &signing_keypair).unwrap(); // generate a second public/private keypair as the target of the transform. // after applying the transform, `target_priv_key` will be able to decrypt the data! let (target_priv_key, target_pub_key) = recrypt.generate_key_pair().unwrap(); // generate a transform key that will change which private key can decrypt the data let initial_to_target_transform_key = recrypt.generate_transform_key( &initial_priv_key, &target_pub_key, &signing_keypair).unwrap(); // Transform the plaintext to be encrypted to the target! // The data is _not_ decrypted here. Simply transformed! let transformed_val = recrypt.transform( encrypted_val, initial_to_target_transform_key, &signing_keypair).unwrap(); // decrypt the transformed value with the target private key and recover the plaintext let decrypted_val = recrypt.decrypt(transformed_val, &target_priv_key).unwrap(); // plaintext recovered. assert_eq!(Revealed(pt), Revealed(decrypted_val));
Constant Time and Equality
We have done a lot of work in recrypt-rs to ensure that operations dealing with secret data
are constant time and not susceptible to timing attacks.
The public API is also constant time, except for equality. In the future we might implement
constant time PartialEq
, but until then secret API values (Plaintext
, PrivateKey
, DerivedSymmetricKey
)
have equality only when wrapped in the Revealed
type.
Modules
api | |
api_480 | |
nonemptyvec | |
prelude | Convenience re-export of common structs and traits needed for using Recrypt |
Structs
Revealed | Marker struct to show potential weakness to side-channel attacks for normally secure types. Never wrapped around u8, u32, u64 as those are always assumed to be revealed. |