Developer Documentation
Search…
Introduction
How PAD Works
Applying for a new PAD Instance
Setting up a Trustee
Code Samples for Encryptor and Decryptor
Node.js
React Native
Code Samples for Auditor
API Description
Building a Find Me App With PAD
Glossary
Powered By GitBook
Node.js

cryptoUtil

In the following sections, we will use different cryptographic primitives to implement parts of the PAD protocol. Here we provide a cryptoUtil.js Node.js script with these cryptographic primitives. (Requires Node.js v14+)
1
// cryptoUtil.js
2
const crypto = require('crypto');
3
4
const EPHEMERAL_KEY_SIZE = 16;
5
6
/**
7
* @typedef {Object} SymCiphertext
8
* @property {string} ciphertext
9
* @property {string} iv
10
*/
11
/**
12
* @typedef {Object} HybridCiphertext
13
* @property {SymCiphertext} encryptedMessage
14
* @property {string} encryptedEphemeralKey
15
*/
16
17
/**
18
* @param {object} options
19
* @param {Object.<string, crypto.KeyObject>}
20
*/
21
exports.generateSigningKeyPair = (options={type: 'ec', namedCurve:'prime256v1'}) => {
22
return crypto.generateKeyPairSync(options.type, options);
23
}
24
25
/**
26
* @param {Buffer} data
27
* @param {Buffer} symKey
28
* @param {string} algorithm
29
* @return {SymCiphertext}
30
*/
31
function encryptSym(data, symKey, algorithm='aes-128-cbc') {
32
const iv = crypto.randomBytes(16);
33
const cipher = crypto.createCipheriv(algorithm, symKey, iv);
34
let ciphertext = cipher.update(data);
35
ciphertext = Buffer.concat([ciphertext, cipher.final()]);
36
return {
37
ciphertext: ciphertext.toString('base64'),
38
iv: iv.toString('base64'),
39
};
40
}
41
exports.encryptSym = encryptSym;
42
43
/**
44
* @param {SymCiphertext} ciphertext
45
* @param {symKey} string
46
* @param {string} algorithm
47
* @return {Buffer}
48
*/
49
function decryptSym(ciphertext, symKey, algorithm) {
50
const iv = Buffer.from(ciphertext.iv, 'base64');
51
const decipher = crypto.createDecipheriv(algorithm, symKey, iv);
52
let data = decipher.update(Buffer.from(ciphertext.ciphertext, 'base64'));
53
data = Buffer.concat([data, decipher.final()]);
54
return data;
55
}
56
exports.decryptSym = decryptSym;
57
58
/**
59
* @param {Buffer} data
60
* @param {crypto.KeyLike} encKey
61
* @return {Buffer | HybridCiphertext} the ciphertext as a bytes string
62
*/
63
function encryptAsym(data, encKey) {
64
try {
65
return crypto.publicEncrypt(encKey, data);
66
} catch (err) {
67
if (err.code === 'ERR_OSSL_RSA_DATA_TOO_LARGE_FOR_KEY_SIZE') {
68
// avoid infinite recursive calls
69
if (data.length <= EPHEMERAL_KEY_SIZE) {
70
throw new Error('Ephemeral key size is too large for the encryption key type');
71
}
72
return encryptHybrid(data, encKey);
73
}
74
throw err;
75
}
76
}
77
exports.encryptAsym = encryptAsym;
78
79
/**
80
* @param {Buffer | HybridCiphertext} ciphertext
81
* @param {crypto.KeyLike} decKey
82
* @return {Buffer}
83
*/
84
function decryptAsym(ciphertext, decKey) {
85
if (Buffer.isBuffer(ciphertext)) {
86
return crypto.privateDecrypt(decKey, ciphertext);
87
}
88
return decryptHybrid(ciphertext, decKey);
89
}
90
exports.decryptAsym = decryptAsym;
91
92
/**
93
* @param {Buffer} data
94
* @param {crypto.KeyLike} encKey
95
* @return {HybridCiphertext}
96
*/
97
function encryptHybrid(data, encKey) {
98
const ephemeralKey = crypto.randomBytes(EPHEMERAL_KEY_SIZE);
99
const encryptedMessage = encryptSym(data, ephemeralKey);
100
const encryptedEphemeralKey = encryptAsym(ephemeralKey, encKey).toString('base64');
101
// encryptedEphemeralKey must be returned by crypto.publicEncrypt, i.e. a Buffer
102
return { encryptedMessage, encryptedEphemeralKey };
103
}
104
exports.encryptHybrid = encryptHybrid;
105
106
/**
107
* @param {HybridCiphertext} ciphertext
108
* @param {crypto.KeyLike} decKey
109
* @return {Buffer}
110
*/
111
function decryptHybrid(ciphertext, decKey) {
112
const encryptedEphemeralKey = Buffer.from(ciphertext.encryptedEphemeralKey, 'base64');
113
const ephemeralKey = decryptAsym(encryptedEphemeralKey, decKey);
114
const {encryptedMessage} = ciphertext;
115
const data = decryptSym(encryptedMessage, ephemeralKey);
116
return data;
117
}
118
exports.decryptHybrid = decryptHybrid;
119
120
/**
121
* @param {string | Buffer} data
122
* @param {crypto.KeyLike} signingKey
123
* @param {string} algorithm
124
* @return {Buffer}
125
*/
126
function sign(data, signingKey, algorithm='SHA256') {
127
const sign = crypto.createSign(algorithm);
128
sign.update(data);
129
sign.end();
130
const signature = sign.sign(signingKey);
131
return signature;
132
}
133
exports.sign = sign;
134
135
/**
136
* @param {string | Buffer} data
137
* @param {crypto.KeyLike} verificationKey
138
* @param {string | Buffer} signature
139
* @param {string} algorithm
140
* @return {boolean}
141
*/
142
function verify(data, verificationKey, signature, algorithm='SHA256') {
143
if (typeof signature === 'string') {
144
signature = Buffer.from(signature, 'base64');
145
}
146
const verify = crypto.createVerify('SHA256');
147
verify.update(data);
148
verify.end();
149
const verification = verify.verify(verificationKey, signature);
150
return verification;
151
};
152
exports.verify = verify;
153
154
/**
155
* @param {...(string | Buffer)} data
156
* @return {Buffer}
157
*/
158
function hash(...data) {
159
const sha256 = crypto.createHash('sha256');
160
for (const d of data) {
161
sha256.update(d);
162
}
163
return sha256.digest();
164
}
165
exports.hash = hash;
166
167
/**
168
* @param {Buffer} a
169
* @param {Buffer} b
170
* @return {Buffer}
171
*/
172
function xor(a, b) {
173
assert(a.length === b.length);
174
const result = a.map((byte, i) => byte ^ b[i]);
175
return Buffer.from(result);
176
}
177
exports.xor = xor;
Copied!
  • EPHEMERAL_KEY_SIZE (global variable): is the number of random bytes of the ephemeral keys used in a hybrid (symmetric & asymmetric) encryption.
  • encryptSym (function): performs a symmetric encryption. Algorithm: AES-128-CBC.
  • decryptSym (function): performs a symmetric decryption. Algorithm: AES-128-CBC
  • encryptAsym (function): performs an asymmetric encryption. If the data to be encrypted is too large, it uses a hybrid encryption instead. Algorithm: depends on input key type
  • decryptAsym (function): performs an asymmetric decryption. If the ciphertext is a result from a hybrid encryption, then it uses hybrid decryption; Otherwise, it uses asymmetric decryption. Algorithm: depends on input key type
  • encryptHybrid (function): performs a hybrid encryption: performs a symmetric encryption on the data with an ephemeral key, then performs an asymmetric encryption on the ephemeral key with the encryption key.
  • decryptHybrid (function): performs a hybrid decryption: retrieve the ephemeral key with an asymmetric decryption. Then it performs a symmetric decryption on the payload with the ephemeral key.
  • sign (function): digitally signs a piece of data with a signing key. Algorithm: depends on input key type; data is first hashed with SHA256;
  • verify (function): verifies if a signature matches with the alleged data and verification key. Algorithm: depends on input key type; data is first hashed with SHA256.
  • hash (function): hashes the data in the argument list. Algorithm: SHA256
  • xor (function): performs exclusive-or on two binary arrays

Encrypting

An Encryption is a JSON object which has the following form:
1
{
2
"description": string,
3
"tokenHash": 256-bit-hex-string,
4
"ciphertext": hybrid-ciphertext,
5
"trusteeShares": {
6
[trusteeId]: {
7
"encrypted": base64-string,
8
"hashed": 256-bit-hex-string,
9
},
10
},
11
"validatorShares": {
12
[validatorId]: {
13
"encrypted": hybrid-ciphertext,
14
},
15
},
16
}
Copied!
, where hybrid-ciphertext has the form
1
{
2
"encryptedMessage": {
3
"ciphertext": base64-string,
4
"iv": base64-string,
5
},
6
"encryptedEphemeralKey": base64-string,
7
}
Copied!
The encryption phase involves the encryptor sending an Encryption to the PAD server. Thus, it is essential to understand how it is created. We will go through its properties one by one.
  • "description": Description of the encryption. This can be an arbitrary string.
  • "tokenHash": Hased value of a token. tokenHash = SHA256(token).
  • "ciphertext": The ciphertext of the secret encrypted with the decryptor's public key and the symmetric key k.
  • "trusteeShares": A dictionary containing all the encrypted and hashed trustee shares.
    • [trusteeId]: A dictionary entry where the key is a trustee's ID, and the value is an object of encrypted and hashed trustee shares.
      • "encrypted": The trustee's share of the masked symmetric key k \oplus R used to encrypt the secret, encoded as a base64 string.
      • "hashed": SHA256 of the trustee's share, encoded as a hex string.
  • "validatorShares": A dictionary containing all the encrypted validator shares.
    • [validatorId]: A dictionary entry where the key is a validator's ID, and the value is an object of encrypted validator shares.
      • "encrypted": The validator's share of the mask R to the symmetric key used to encrypt the secret together with the decryptor's public key. Since the public key is large, the validator's shares are large too. Thus, the encryption of a validator's share uses an ephemeral key as a symmetric key. k and decryptor's key.

Creating token and tokenHash

A token is a random number sent from the encryptor to the decryptor for her to later request for a piece of encryptor's data. It is essential to keep it secret between the encryptor and decryptor until the data request phase. An encryption's ID is tokenHash, the hash value of token. For portability and readability, both token and tokenHash are represented as hexadecimal strings.
Important: note that token should be taken as a lowercase string when hashed into tokenHash.
1
// create-token-and-hash.js
2
const crypto = require('crypto');
3
const {hash} = require('./cryptoUtil');
4
5
const token = crypto.randomBytes(16).toString('hex'); // 'd1fbe8b5f3ffd7a16a2aa400ebc0194f'
6
const tokenHash = hash(token).toString('hex'); // '5892a6c7ad71b358df760b4291a8adf974f77bd9d3f16c4fd38c58147e80f401'
Copied!

Creating ciphertext

The ciphertext part of an encryption should be encrypted with the symmetric key first, then the decryptor's encryption key. To ensure integrity, a digital signature from the encryptor against the ciphertext in the first encryption should be attached before the second encryption. In general, the first step creates the ciphertext
c=SymEnck(token,s)c = SymEnc_{k}(token, s)
 Then the second step creates
AsymEncBek(c,SignAsk(c))AsymEnc_{Bek}(c, Sign_{Ask}(c))
 For example, suppose secret = "my_secret" is the encryptor's secret, the following code snippet generates c.
1
// create-ciphertext-first-step.js
2
const crypto = require('crypto');
3
const {encryptSym} = require('./cryptoUtil');
4
5
const token = /* from create-token-and-hash.js */;
6
const secret = 'my_secret';
7
const dataJson = {token, secret};
8
const data = JSON.stringify(dataJson);
9
10
const k = crypto.randomBytes(16);
11
const c = encryptSym(data, k);
Copied!
With c, the ciphertext can be created like this:
1
// create-ciphertext-second-step.js
2
const crypto = require('crypto');
3
const fs = require('fs');
4
const {encryptAsym} = require('./cryptoUtil');
5
6
const c = /* from create-ciphertext-first-step.js */;
7
const encryptorSigningKey = fs.readFileSync('/path/to/encryptor/signing-key.pem');
8
const decryptorEncryptionKey = fs.readFileSync('/path/to/decryptor/encryption-key.pem');
9
const payload = JSON.stringify(c);
10
const signature = sign(payload, encryptorSigningKey).toString('base64');
11
const signedPayloadString = JSON.stringify({payload, signature});
12
const signedPayload = Buffer.from(signedPayloadString);
13
14
const ciphertext = encryptHybrid(signedPayload, decryptorEncryptionKey);
Copied!

Secret sharing

The essential part of creating trusteeShares and validatorShares is secret sharing. We use the library secrets.js-grempe. In PAD, we also support 1 to be the thresholds. Moreover, we assumed the number of trustees and validators in instances is at most 256, it suffices to use 8 bits for secret sharing indices.
1
// secret-sharing.js
2
const sss = require('secrets.js-grempe');
3
4
const BITS = '8';
5
6
/**
7
* @param {Buffer} s
8
* @param {number} n
9
* @param {number} t
10
* @return {Buffer[]}
11
*/
12
function split(s, n, t) {
13
assert(n >= t);
14
let sharesBytes;
15
if (n === 1) {
16
const id = Buffer.alloc(1,1);
17
const prefix = Buffer.alloc(1,1);
18
sharesBytes = [Buffer.concat([id, prefix, s])];
19
} else {
20
const sHex = s.toString('hex');
21
const shares = sss.share(sHex, n, t);
22
sharesBytes = shares.map((share) =>
23
// remove 'bits' part with slice
24
Buffer.from(share.slice(1), 'hex'),
25
);
26
}
27
return sharesBytes;
28
}
29
exports.split = split;
30
31
/**
32
* @param {Buffer[]} shares
33
* @return {Buffer}
34
*/
35
function combine(shares) {
36
const combinedHex = sss.combine(
37
shares.map((share) => BITS + share.toString('hex')),
38
);
39
return Buffer.from(combinedHex, 'hex');
40
}
41
exports.combine = combine;
Copied!

Creating trusteeShares

To create trusteeShares, the encryptor should first have knowledge about the settings of the instance, including the trustee threshold and the list of trustees referencing the instance (check out GET /metadata and GET /all-trustees/{trustee-id}. These information are also in one of the first few blocks on the ledger). The symmetric key k is then masked with a random number. This masked symmetric key is the secret shared among the trustees. After that, each share of trustees' is encrypted with their individual encryption key (the mapping between secret sharing index and trustee does not matter, but we recommend following the order in the instance's metadata. For example, trustee1 may hold a share of index 00 in an encryption, but hold another share of index 01 in another encryption). For auditing purposes, the hash of each share before encrypting should also be included, so that after a trustee post her share, consistency can be checked.
1
const crypto = require('crypto');
2
const {encryptAsym, hash, xor} = require('./cryptoUtil');
3
const {split} = require('./secret-sharing');
4
5
/**
6
* @param {Buffer} maskedSymKey
7
* @param {object} trustees
8
* @param {number} trusteeThreshold
9
* @return {object}
10
*/
11
function createTrusteeShares(maskedSymKey, trustees, trusteeThreshold) {
12
const n = Object.keys(trustees).length;
13
const shares = split(maskedSymKey, n, trusteeThreshold);
14
const trusteeShares = {};
15
for (const [i, [trustee, {encryptionKey}]] of Object.entries(trustees).entries()) {
16
const encryptedShare = encryptAsym(shares[i], encryptionKey);
17
const hashedShare = hash(shares[i]);
18
trusteeShares[trustee] = {
19
encrypted: encryptedShare.toString('base64'),
20
hashed: hashedShare.toString('hex'),
21
};
22
}
23
return trusteeShares;
24
}
25
26
const k = /* from create-ciphertext-first-step.js */;
27
const R = crypto.randomBytes(16);
28
29
// the masked symmetric key maskedK is the secret to be shared
30
const maskedK = xor(k, R);
31
32
const trustees = {
33
'trustee1': {
34
encryptionKey: /* trustee1's encryption key */,
35
},
36
'trustee2': {
37
encryptionKey: /* trustee2's encryption key */,
38
},
39
};
40
const trusteeThreshold = 2;
41
const trusteeShares = createTrusteeShares(maskedK, trustees, trusteeThreshold);
Copied!

Creating validatorShares

This is similar to creating trusteeShares, except the secret shared among the validators is the mask R together with the decryptor's public key to identify him.
1
const crypto = require('crypto');
2
const {split} = require('./secret-sharing');
3
4
/**
5
* @param {Buffer} RAndBvkPayload
6
* @param {object} validators
7
* @param {number} validatorThreshold
8
* @return {object}
9
*/
10
function createValidatorShares(RAndBvkPayload, validators, validatorThreshold) {
11
const nPrime = Object.keys(validators).length;
12
const shares = split(RAndBvkPayload, nPrime, validatorThreshold);
13
const validatorShares = {};
14
for (const [i, [validator, {encryptionKey}]] of Object.entries(validators).entries()) {
15
const encryptedShare = encryptHybrid(shares[i], encryptionKey);
16
validatorShares[validator] = {
17
encrypted: encryptedShare,
18
};
19
}
20
return validatorShares;
21
}
22
23
const R = /* from create-trustee-shares.js */;
24
const bvk = /* decryptor's verification key or identity */;
25
26
const RAndBvkJson = {
27
mask: R.toString("base64"),
28
decryptorIdentity: bvk.toString(),
29
};
30
const RAndBvkPayload = Buffer.from(JSON.stringify(RAndBvkJson));
31
32
const validators = {
33
'validator1': {
34
encryptionKey: /* validator1's encryption key */,
35
},
36
'validator2': {
37
encryptionKey: /* validator2's encryption key */,
38
},
39
};
40
const validatorThreshold = 2;
41
42
const validatorShares = createValidatorShares(RAndBvkPayload, validators, validatorThreshold);
Copied!

Creating channelKey

You will also need a signing key pair for creating the new channel. This ensures that only the encryptor can modify the Encryption object using endpoint for updating an Encryption in a channel.
This channel key pair should be generated freshly and must not be the key pair that identifies the encryptor. Only the public (verification) key is sent to the server. The encryptor should keep the private (signing) key so long as she would update the Encryption therein.
1
// generate-channel-key.js
2
const {generateSigningKeyPair} = require('./cryptoUtil');
3
4
const channelKeyPair = generateSigningKeyPair();
5
const channelSigningKey = channelKeyPair.privateKey;
6
const channelKey = channelKeyPair.publicKey.export({type: 'spki', format: 'pem'});
Copied!
That's it! We have gone through the steps of creating a new channel. Recall that the encryption is being sent to the PAD service server and the token is then shared with the decryptor out-of-band. The encryption channel allows the encryptor to update the secret which is useful in some use cases.

Updating Encryption object

Using the channel signing key and the token-hash, the encryptor can update her Encryption object in the channel associated with the token. The following code snippets show how one create encryptionPayload and signature required for the operation.
1
const {sign} = require('./cryptoUtil');
2
3
const channelSigningKey = /* from generate-channel-key.js */
4
const newEncryption = {
5
// the new encryption content...
6
};
7
8
const encryptionPayload = JSON.stringify(newEncryption);
9
const signatureBuffer = sign(encryptionPayload, channelSigningKey);
10
const signature = signatureBuffer.toString('base64');
Copied!

Decrypting

The decryption phase happens after the encryption has been uploaded, a data request has been posted, and sufficient number of trustees and validators, respectivelly, have responded. At this stage, the decryptor has enough information to decrypt the encryptor's secret.

Verifying responses correctness

It is important for the decryptor to check correctness and integrity of the trustee and validator responses. Checking correctness can be done by checking consistency between a response and its hash submitted by the encryptor at encryption time. Checking integrity involves verifying a signature against the response payload.
1
/* verify-responses.js */
2
const {hash, verify} = require('./cryptoUtil');
3
4
/**
5
* @typedef {Object} SignerMetadata
6
* @property {string} id
7
* @property {string} fullName
8
* @property {'Trustee' | 'Validator' | 'Server'} role
9
*/
10
/**
11
* @typedef {Object} SignedResponse
12
* @property {string} payload
13
* @property {{signerMetadata: SignerMetadata, payload: string}}
14
/**
15
* @param {string} token
16
* @param {Object<string, string>} trusteeVerificationKeys
17
* @param {Object<string, SignedResponse>} trusteeResponses
18
* @param {Object<string, string>} hashedTrusteeShares
19
*/
20
function verifyTrusteeResponses(token, trusteeVerificationKeys, trusteeResponses, hashedTrusteeShares) {
21
for (const [trusteeId, signedTrusteeShare] of Object.entries(trusteeResponses)) {
22
// check signature
23
const trusteeResponsePayload = signedTrusteeShare.trusteeResponse;
24
const vk = trusteeVerificationKeys[trusteeId];
25
const signature = signedTrusteeShare.signature.payload;
26
if (!verify(trusteeResponsePayload, vk, signature)) {
27
throw new Error('Signature not match with payload');
28
}
29
30
const trusteeResponse = JSON.parse(trusteeResponsePayload);
31
// check payload metadata
32
if (trusteeResponse.token !== token) {
33
throw new Error('Token mismatch');
34
}
35
if (trusteeResponse.type !== 'trustee_response') {
36
throw new Error('Object type mismatch');
37
}
38
// check signer consistency
39
const signer = signedTrusteeShare.signature.signerMetadata;
40
if (signer.id !== trusteeId ||
41
trusteeResponse.trusteeId !== trusteeId ||
42
signer.role !== 'Trustee') {
43
throw new Error('Wrong signer');
44
}
45
// check hash
46
const {trusteeShare} = trusteeResponse;
47
const hex = hash(Buffer.from(trusteeShare, 'base64')).toString('hex');
48
if (hex !== hashedTrusteeShares[trusteeId]) {
49
throw new Error('Wrong trustee share');
50
}
51
}
52
}
53
54
/**
55
* @param {string} token
56
* @param {Object<string, string>} validatorVerificationKeys
57
* @param {Object<string, SignedResponse>} validatorResponses
58
*/
59
function verifyValidatorResponses(token, validatorVerificationKeys, validatorResponses) {
60
for (const [validatorId, signedValidatorShare] of Object.entries(validatorResponses)) {
61
// check signature
62
const validatorResponsePayload = signedValidatorShare.validatorResponse;
63
const vk = validatorVerificationKeys[validatorId];
64
const signature = signedValidatorShare.signature.payload;
65
if (!verify(validatorResponsePayload, vk, signature)) {
66
throw new Error('Signature not match with payload');
67
}
68
69
const validatorResponse = JSON.parse(validatorResponsePayload);
70
// check payload metadata
71
if (validatorResponse.token !== token) {
72
throw new Error('Token mismatch');
73
}
74
if (validatorResponse.type !== 'validator_response') {
75
throw new Error('Object type mismatch');
76
}
77
// check signer consistency
78
const signer = signedValidatorShare.signature.signerMetadata;
79
if (signer.id !== validatorId ||
80
validatorResponse.validatorId !== validatorId ||
81
signer.role !== 'Validator') {
82
throw new Error('Wrong signer');
83
}
84
}
85
}
86
87
const token = /* token */;
88
/* these verification keys can be cached/stored locally */
89
const trusteeVerificationKeys = {
90
'trustee1': /* from GET /all-trustees/trustee1 */,
91
/* ... */
92
};
93
const validatorVerificationKeys = {
94
'validator1': /* from GET /all-validators/validator1 */,
95
/* ... */
96
};
97
const {trusteeResponses} = /* from GET /data-requests/{token}/trustee-responses */;
98
/*
99
{
100
"trustee100": {
101
"payload": "{\"token\":\"e3b0c44298fc1c149afbf4c8996fb924\",\"trusteeShare\":\"0110\",\"type\":\"trustee_response\",\"trusteeId\":\"trustee100\"}",
102
"signature": {
103
"signerMetadata": {
104
"id": "trustee100",
105
"fullName": "Trustee-100",
106
"role": "Trustee"
107
},
108
"payload": "MEUCIGUjs7m3ZaJxB7i9G2GjEI+LpkXcsed3fkVDdchB1W5WAiEAtUsM5m/ouA/eaJBk39DT0tDLc97TeM093s4vuws+fgc="
109
},
110
"submissionTime": "2021-09-13T11:42:50Z"
111
}
112
}
113
*/
114
const {validatorResponses} = /* from GET /data-requests/{token}/validator-responses */;
115
const {hashedTrusteeShares} = /* from GET /encryptions/{token-hash}/hashed-trustee-shares */;
116
verifyTrusteeResponses(
117
token,
118
trusteeVerificationKeys,
119
trusteeResponses,
120
hashedTrusteeShares,
121
);
122
verifyValidatorResponses(
123
token,
124
validaotrVerificationKeys,
125
validatorResponses,
126
);
Copied!

Verifying ciphertext integrity

Recall that the ciphertext payload includes the encryptor's signature before encrypted with decryptor's encryption key. This ensures that the payload is not modified by third party, including the PAD server. The signature needs to be verified before decrypting.
1
/* verify-ciphertext.js */
2
const fs = require('fs');
3
const {decryptHybrid, verify} = require('./cryptoUtil');
4
5
/** @typedef {import ('crypto').KeyLike} KeyLike
6
/** @typedef {import ('./cryptoUtil').HybridCiphertext} HybridCiphertext
7
/** @typedef {import ('./cryptoUtil').SymCiphertext} SymCiphertext
8
9
/**
10
* @param {HybridCiphertext} ciphertext
11
* @param {KeyLike} decryptorDecryptionKey
12
* @param {KeyLike} encryptorVerificationKey
13
* @return {SymCiphertext}
14
*/
15
function decryptVerifyCiphertext(ciphertext, decryptorDecryptionKey, encryptorVerificationKey) {
16
const decrypted = decryptHybrid(ciphertext, decryptorDecryptionKey);
17
const signedPayloadString = decrypted.toString('utf8');
18
const {payload, signature} = JSON.parse(signedPayloadString);
19
if (!verify(payload, encryptorVerificationKey, signature)) {
20
throw new Error('Signature not match with payload');
21
}
22
const innerCiphertext = JSON.parse(payload);
23
return innerCiphertext;
24
}
25
26
const {ciphertext} = /* from GET /encryptions/{token-hash}/ciphertext */;
27
const decryptorDecryptionKey = fs.readFileSync('/path/to/decryptor/decryption-key.pem');
28
const encryptorVerificationKey = fs.readFileSync('/path/to/encryptor/verification-key.pem');
29
30
const c = decryptVerifyCiphertext(
31
ciphertext,
32
decryptorDecryptionKey,
33
encryptorVerificationKey,
34
);
Copied!

Reconstructing masked symmetric key from trustees

To perform the symmetric decryption we need sufficient responses from trustees and validators, respectively. Then those will combine to the masked symmetric key and the masked. We show how to reconstruct the masked symmetric key from trustees' responses in this section. Obviously, it has redundancy with our previous example. In actual implementation, these scripts can be merged. For example, parse the response, push the share to an array only if it is valid, then combine those later.
1
/* reconstruct-masked-k.js */
2
const {combine} = require('./secret-sharing.js');
3
4
const {trusteeResponses} = /* from GET /data-requests/{token}/trustee-responses */;
5
const trusteeShares = Object.values(trusteeResponses).map((signed) => {
6
const trusteeResponse = JSON.parse(signed.trusteeResponse);
7
const share = Buffer.from(trusteeResponse.trusteeShare, 'base64');
8
return share;
9
});
10
const maskedK = combine(trusteeShares);
Copied!

Reconstructing the mask from validators

1
/* resconstruct-r.js */
2
const {combine} = require('./secret-sharing.js');
3
4
const {validatorResponses} = /* from GET /data-requests/{token}/validator-responses */;
5
const validatorShares = Object.values(validatorResponses).map((signed) => {
6
const validatorResponse = JSON.parse(signed.validatorResponse);
7
const share = Buffer.from(validatorResponse.validatorShare, 'base64');
8
return share;
9
});
10
const RAndBvkPayload = combine(validatorShares);
11
const RAndBvkString = RAndBvkPayload.toString();
12
const RAndBvkJson = JSON.parse(RAndBvkString);
13
const R = Buffer.from(RAndBvkJson.mask, 'base64');
Copied!

Decrypting!

The decryptor now has everything to retrieve the encryptor's secret.
1
const {xor, decryptSym} = require('./cryptoUtil');
2
3
const maskedK = /* from reconstruct-masked-k.js */;
4
const R = /* from reconstruct-r.js */;
5
const c = /* from verify-ciphertext.js */;
6
7
const k = xor(maskedK, R);
8
const decrypted = decryptSym(c, k);
9
const dataJson = JSON.parse(decrypted.toString('utf8'));
10
const {token, secret} = dataJson;
11
if (token !== /* token */) {
12
throw new Error('Token mismatch');
13
}
14
console.log(secret); // my_secret
Copied!
Previous
Code Samples for Encryptor and Decryptor
Next
React Native
Last modified 5mo ago
Copy link
Contents
cryptoUtil
Encrypting
Creating token and tokenHash
Creating ciphertext
Secret sharing
Creating trusteeShares
Creating validatorShares
Creating channelKey
Updating Encryption object
Decrypting
Verifying responses correctness
Verifying ciphertext integrity
Reconstructing masked symmetric key from trustees
Reconstructing the mask from validators
Decrypting!