Author: Bernard van Gastel
License: Apache License 2.0
Same library in different languages:
- libpep-cpp (C++);
- libpep on crates.io (Rust).
Platforms:
- FreeBSD;
- Linux;
- macOS;
- Windows;
- and probably others like Android/iOS/etc.
This library implements the PEP encryption based on ElGamal, and operations on these encrypted messages. A message M can be encrypted for a receiver which has public key Y associated with it, belonging to secret key y. This encryption is random: every time a different random r is used, resulting in different ciphertexts (encrypted messages). We represent this encryption function as EG(r, M, Y).
The library supports three operations on ciphertext in (= EG(r, M, Y), encrypting message M for public key Y with random r):
out = rerandomize(in, s): scrambles a ciphertext. Bothinandoutcan be decrypted by the same secret keyy, both resulting in the same decrypted messageM. However, the binary form ofinandoutdiffers. Spec:in = EG(r, M, Y)is transformed toout = EG(r+s, M, Y);out = reshuffle(in, n): modifies a ciphertextin(an encrypted form ofM), so that after decryption ofoutthe decrypted message will be equal ton*M. Spec:in = EG(r, M, Y)is transformed toout = EG(r, n*M, Y).out = rekey(in, k): ifincan be decrypted by secret keyy, thenoutcan be decrypted by secret keyk*y. Decryption will both result in messageM. Spec:in = EG(r, M, Y)is transformed toout = EG(r, M, k*Y).
The rekey(in, k) and reshuffle(in, n) can be combined in a RKS(in, k, n).
There are also zero knowledge proof version of these operations. These are needed so that a party can prove to another party that it has applied the operation on the input data, without revealing the factors used in the operation.
When distributing trust over multiple central servers, these zero knowledge proofs are essential, so that a malfunctioning server can not violate security guarantees of the system.
For pseudonimisation, the core operation is reshuffle with n. It modifies a main pseudonym with a factor n that is specific to a user (or user group) receiving the pseudonym. After applying a user specific factor, a pseudonym is called a local pseudonym.
Using only a reshuffle is insufficient, as the pseudonym is still encrypted with the public key Y (which can be decrypted by the secret key y). To allow a user to decrypt the encrypted pseudonym, a rekey with k is needed, in combination with a protocol to hand the user the secret key k*y. The factor k is typically tied to the current session of a user.
To make pseudonyms harder to trace, rerandomize is applied frequently. This way a binary compare of the encrypted pseudonym will not leak any information.
We are using the Ristretto encoding on a Curve25519. We are using the libsodium implementation. In the source code, scalars are lower case and group elements are upper case. There are a number of arithmetic rules for scalars and group elements: group elements can be added and subtracted from each other. Scalars support addition, subtraction, and multiplication. A scalar can be converted to a group element (by multiplying with the special generator G), but not the other way around. Group elements can also be multiplied by a scalar.
Group elements have an almost 32 byte range (top bit is always zero, and some other values are invalid). Therefore, not all AES-256 keys (using the full 32 bytes range) are valid group elements. But all group elements are valid AES-256 keys. Group elements can be generated by GroupElement::Random() or GroupElement::FromHash(..). Scalars are also 32 bytes, and can be generated with Scalar::Random() or Scalar::FromHash(..).
The zero knowledge proofs are offline Schnorr proofs, based on a Fiat-Shamir transform.
The key derivation function used is Blake2b. The hashing algorithm used is SHA512.
Unit tests can be easily added by adding a unit-tests/foo.test.cpp file.
Build using cmake:
cmake .
cmake --build .
and then run the executable peptest for the unit tests, or the executable libpepcli for the command line interface to the top level PEP API.
For macOS, there is an easier method which installs libpepcli:
brew tap bvgastel/libpep-cpp https://github.com/bvgastel/libpep-cpp
brew install --HEAD bvgastel/libpep-cpp/libpep-cpp
Update with brew reinstall bvgastel/libpep-cpp/libpep-cpp.
Based on the article by Eric Verheul and Bart Jacobs, Polymorphic Encryption and Pseudonymisation in Identity Management and Medical Research. In Nieuw Archief voor Wiskunde (NAW), 5/18, nr. 3, 2017, p. 168-172. A local copy is available in docs/naw5-2017-18-3-168.pdf. This article does not contain the zero knowledge proofs.