CoverCrypt

Build status latest version

Implementation of the CoverCrypt algorithm which allows creating ciphertexts for a set of attributes and issuing user keys with access policies over these attributes.

Getting started

See examples/runme.rs for a code sample that introduces the main CoverCrypt functionalities. It can be run using cargo run --example runme.

Building and testing

To build the core only, run:

bash cargo build --release

To build everything:

bash cargo build --release --all-features

The code contains numerous tests that you can run using:

bash cargo test --release --all-features

Benchmarks can be run using (one can pass any feature flag):

bash bash ./benches/generate.sh

Features

In CoverCrypt, messages are encrypted using a symmetric scheme. The right management is performed by a novel asymmetric scheme which is used to encapsulate a symmetric key. This encapsulation is stored in an object called encrypted header, along with the symmetric ciphertext.

This design brings several advantages:

Key generation

Asymmetric keys must be generated beforehand. This is the role of a central authority, which is in charge of:

The CoverCrypt APIs exposes everything that is needed:

The key generations may be long if the policy contains many rights or if there are many users. But this is usually run once at setup. Key updates and refresh stay fast if the change in the policy is small.

Serialization

The size of the serialized keys and encapsulation is given by the following formulas:

c 3 * PRIVATE_KEY_LENGTH + LEB128_sizeof(partitions.len()) \ + sum(LEB128_sizeof(sizeof(partition)) + sizeof(partition) + PRIVATE_KEY_LENGTH + 1 [+ INDCPA_KYBER_PRIVATE_KEY_LENGTH])

c 2 * PUBLIC_KEY_LENGTH + LEB128_sizeof(partitions.len()) \ + sum(LEB128_sizeof(sizeof(partition)) + sizeof(partition) + PUBLIC_KEY_LENGTH + 1 [+ INDCPA_KYBER_PUBLIC_KEY_LENGTH])

c 2 * PRIVATE_KEY_LENGTH + LEB128_sizeof(partitions.len()) \ + partition.len() * (PRIVATE_KEY_LENGTH + 1 [+ INDCPA_KYBER_PRIVATE_KEY_LENGTH])

c 2 * PUBLIC_KEY_LENGTH + TAG_LENGTH + LEB128_sizeof(partitions.len()) + partition.len() * [INDCPA_KYBER_CIPHERTEXT_LENGTH | PUBLIC_KEY_LENGTH]

c sizeof(encapsulation) + DEM_ENCRYPTION_OVERHEAD + sizeof(plaintext)

NOTE: For our implementation CoverCryptX25519Aes256:

Secret key encapsulation

This is the core of the CoverCrypt scheme. It allows creating a symmetric key and its encapsulation for a given set of rights.

To ease the management of the encapsulations, an object EncryptedHeaderis provided in the API. An encrypted header holds an encapsulation and a symmetric ciphertext of an optional additional data. This additional data can be useful to store metadata.

Classic implementation sizes:

| Nb. of partitions | Encapsulation size (in bytes) | User decryption key size (in bytes) | |-------------------|-------------------------------|-------------------------------------| | 1 | 131 | 98 | | 2 | 164 | 131 | | 3 | 197 | 164 | | 4 | 230 | 197 | | 5 | 263 | 230 |

Post-quantum implementation sizes:

| Nb. of partitions | Encapsulation size (in bytes) | User decryption key size (in bytes) | |-------------------|-------------------------------|-------------------------------------| | 1 | 1187 | 1250 | | 2 | 2276 | 2435 | | 3 | 3365 | 3620 | | 4 | 4454 | 4805 | | 5 | 5543 | 5990 |

Note: encapsulations grow bigger with the size of the target set of rights and so does the encapsulation time.

Secret key decapsulation

A user can retrieve the symmetric key needed to decrypt a CoverCrypt ciphertext by decrypting the associated EncryptedHeader. This is only possible if the user secret keys contains the appropriate rights.

Benchmarks

The benchmarks presented in this section are run on a Intel(R) Xeon(R) Platinum 8171M CPU @ 2.60GHz.

Documentation

A formal description and proof of the CoverCrypt scheme is given in this paper. It also contains an interesting discussion about the implementation.

The developer documentation can be found on doc.rs