veil_seal_open/veil_seal_open.rs
1//! Demonstrates the VEIL cipher: seal any `bincode`-encodable struct into opaque
2//! bytes and open it back with the same key.
3//!
4//! What VEIL guarantees:
5//! - Output has no recognisable structure
6//! - Every output byte depends on the full input AND the key
7//! - Without the exact key the bytes cannot be inverted
8//!
9//! Run with:
10//! ```sh
11//! cargo run --example veil_seal_open --features serialization
12//! ```
13
14use bincode::{Encode, Decode};
15use toolkit_zero::serialization::{seal, open};
16
17// Any struct that derives bincode::Encode + bincode::Decode can be sealed.
18#[derive(Debug, PartialEq, Encode, Decode)]
19struct Payload {
20 user: String,
21 score: u32,
22 tags: Vec<String>,
23}
24
25fn main() {
26 let key = "my-secret-key";
27
28 let original = Payload {
29 user: "alice".into(),
30 score: 9001,
31 tags: vec!["rust".into(), "crypto".into()],
32 };
33
34 println!("Original : {original:?}");
35
36 // ── Seal ──────────────────────────────────────────────────────────────────
37 // Transforms Payload into an opaque byte blob.
38 let blob = seal(&original, Some(key)).expect("seal failed");
39 println!("Sealed : {} bytes (opaque — no structure visible)", blob.len());
40
41 // ── Open ──────────────────────────────────────────────────────────────────
42 // Reconstructs Payload from the opaque blob using the same key.
43 let recovered: Payload = open(&blob, Some(key)).expect("open failed");
44 println!("Recovered: {recovered:?}");
45
46 assert_eq!(original, recovered, "round-trip mismatch!");
47 println!("\nRound-trip successful ✓");
48
49 // ── Wrong key rejects ─────────────────────────────────────────────────────
50 let bad: Result<Payload, _> = open(&blob, Some("wrong-key"));
51 assert!(bad.is_err(), "wrong key should fail to open");
52 println!("Wrong-key rejection ✓");
53}