def test_encrypt_decrypt_associated_data(): key = os.urandom(32) aad = b'secret code 1234' dem = UmbralDEM(key) plaintext = b'peace at dawn' ciphertext0 = dem.encrypt(plaintext, authenticated_data=aad) ciphertext1 = dem.encrypt(plaintext, authenticated_data=aad) assert ciphertext0 != plaintext assert ciphertext1 != plaintext assert ciphertext0 != ciphertext1 assert ciphertext0[:DEM_NONCE_SIZE] != ciphertext1[:DEM_NONCE_SIZE] cleartext0 = dem.decrypt(ciphertext0, authenticated_data=aad) cleartext1 = dem.decrypt(ciphertext1, authenticated_data=aad) assert cleartext0 == plaintext assert cleartext1 == plaintext # Attempt decryption with invalid associated data with pytest.raises(InvalidTag): cleartext2 = dem.decrypt(ciphertext0, authenticated_data=b'wrong data')
def decrypt(ciphertext: bytes, capsule: Capsule, decrypting_key: UmbralPrivateKey, check_proof: bool = True) -> bytes: """ Opens the capsule and gets what's inside. We hope that's a symmetric key, which we use to decrypt the ciphertext and return the resulting cleartext. """ if not isinstance(ciphertext, bytes) or len(ciphertext) < DEM_NONCE_SIZE: raise ValueError( "Input ciphertext must be a bytes object of length >= {}".format( DEM_NONCE_SIZE)) if capsule._attached_cfrags: # Since there are cfrags attached, we assume this is Bob opening the Capsule. # (i.e., this is a re-encrypted capsule) encapsulated_key = _open_capsule(capsule, decrypting_key, check_proof=check_proof) capsule_bytes = capsule._original_to_bytes() else: # Since there aren't cfrags attached, we assume this is Alice opening the Capsule. # (i.e., this is an original capsule) encapsulated_key = _decapsulate_original(decrypting_key, capsule) capsule_bytes = bytes(capsule) dem = UmbralDEM(encapsulated_key) cleartext = dem.decrypt(ciphertext, authenticated_data=capsule_bytes) return cleartext
def encrypt(alice_pubkey: UmbralPublicKey, plaintext: bytes) -> Tuple[bytes, Capsule]: """ Performs an encryption using the UmbralDEM object and encapsulates a key for the sender using the public key provided. Returns the ciphertext and the KEM Capsule. """ key, capsule = _encapsulate(alice_pubkey.point_key, SecretBox.KEY_SIZE) dem = UmbralDEM(key) ciphertext = dem.encrypt(plaintext) return ciphertext, capsule
def encrypt(alice_pubkey: UmbralPublicKey, plaintext: bytes) -> Tuple[bytes, Capsule]: """ Performs an encryption using the UmbralDEM object and encapsulates a key for the sender using the public key provided. Returns the ciphertext and the KEM Capsule. """ key, capsule = _encapsulate(alice_pubkey, DEM_KEYSIZE) capsule_bytes = bytes(capsule) dem = UmbralDEM(key) ciphertext = dem.encrypt(plaintext, authenticated_data=capsule_bytes) return ciphertext, capsule
def encrypt(alice_pubkey: UmbralPublicKey, plaintext: bytes, params: UmbralParameters=None) -> Tuple[bytes, Capsule]: """ Performs an encryption using the UmbralDEM object and encapsulates a key for the sender using the public key provided. Returns the ciphertext and the KEM Capsule. """ params = params if params is not None else default_params() key, capsule = _encapsulate(alice_pubkey.point_key, CHACHA20_KEY_SIZE, params=params) capsule_bytes = bytes(capsule) dem = UmbralDEM(key) ciphertext = dem.encrypt(plaintext, authenticated_data=capsule_bytes) return ciphertext, capsule
def decrypt(ciphertext: bytes, capsule: Capsule, decrypting_key: UmbralPrivateKey, check_proof: bool = True) -> bytes: """ Opens the capsule and gets what's inside. We hope that's a symmetric key, which we use to decrypt the ciphertext and return the resulting cleartext. """ if capsule._attached_cfrags: # Since there are cfrags attached, we assume this is Bob opening the Capsule. # (i.e., this is a re-encrypted capsule) encapsulated_key = _open_capsule(capsule, decrypting_key, check_proof=check_proof) dem = UmbralDEM(encapsulated_key) original_capsule_bytes = capsule._original_to_bytes() cleartext = dem.decrypt(ciphertext, authenticated_data=original_capsule_bytes) else: # Since there aren't cfrags attached, we assume this is Alice opening the Capsule. # (i.e., this is an original capsule) decapsulated_key = _decapsulate_original(decrypting_key, capsule) dem = UmbralDEM(decapsulated_key) capsule_bytes = bytes(capsule) cleartext = dem.decrypt(ciphertext, authenticated_data=capsule_bytes) return cleartext
def decrypt(ciphertext: bytes, capsule: Capsule, priv_key: UmbralPrivateKey, alice_pub_key: UmbralPublicKey=None, params: UmbralParameters=None, check_proof=True) -> bytes: """ Opens the capsule and gets what's inside. We hope that's a symmetric key, which we use to decrypt the ciphertext and return the resulting cleartext. """ params = params if params is not None else default_params() if capsule._attached_cfrags: # Since there are cfrags attached, we assume this is Bob opening the Capsule. # (i.e., this is a re-encrypted capsule) bob_priv_key = priv_key encapsulated_key = _open_capsule(capsule, bob_priv_key, alice_pub_key, params=params, check_proof=check_proof) dem = UmbralDEM(encapsulated_key) original_capsule_bytes = capsule._original_to_bytes() cleartext = dem.decrypt(ciphertext, authenticated_data=original_capsule_bytes) else: # Since there aren't cfrags attached, we assume this is Alice opening the Capsule. # (i.e., this is an original capsule) encapsulated_key = _decapsulate_original(priv_key.bn_key, capsule, params=params) dem = UmbralDEM(encapsulated_key) capsule_bytes = bytes(capsule) cleartext = dem.decrypt(ciphertext, authenticated_data=capsule_bytes) return cleartext
def decrypt(ciphertext: bytes, capsule: Capsule, priv_key: UmbralPrivateKey, alice_pub_key: UmbralPublicKey = None) -> bytes: """ Opens the capsule and gets what's inside. We hope that's a symmetric key, which we use to decrypt the ciphertext and return the resulting cleartext. """ if capsule._attached_cfrags: # Since there are cfrags attached, we assume this is Bob opening the Capsule. bob_priv_key = priv_key key = _open_capsule(capsule, bob_priv_key, alice_pub_key) dem = UmbralDEM(key) original_capsule_bytes = capsule._original_to_bytes() cleartext = dem.decrypt(ciphertext, authenticated_data=original_capsule_bytes) else: # Since there aren't cfrags attached, we assume this is Alice opening the Capsule. key = _decapsulate_original(priv_key.bn_key, capsule) dem = UmbralDEM(key) capsule_bytes = bytes(capsule) cleartext = dem.decrypt(ciphertext, authenticated_data=capsule_bytes) return cleartext
def decrypt(ciphertext: bytes, capsule: Capsule, decrypting_key: UmbralPrivateKey, check_proof: bool = True) -> bytes: """ Opens the capsule and gets what's inside. We hope that's a symmetric key, which we use to decrypt the ciphertext and return the resulting cleartext. """ if not isinstance(ciphertext, bytes) or len(ciphertext) < DEM_NONCE_SIZE: raise ValueError( "Input ciphertext must be a bytes object of length >= {}".format( DEM_NONCE_SIZE)) elif not isinstance(capsule, Capsule) or not capsule.verify(): raise Capsule.NotValid elif not isinstance(decrypting_key, UmbralPrivateKey): raise TypeError("The decrypting key is not an UmbralPrivateKey") if capsule._attached_cfrags: # Since there are cfrags attached, we assume this is Bob opening the Capsule. # (i.e., this is a re-encrypted capsule) encapsulated_key = _open_capsule(capsule, decrypting_key, check_proof=check_proof) else: # Since there aren't cfrags attached, we assume this is Alice opening the Capsule. # (i.e., this is an original capsule) encapsulated_key = _decapsulate_original(decrypting_key, capsule) dem = UmbralDEM(encapsulated_key) try: cleartext = dem.decrypt(ciphertext, authenticated_data=bytes(capsule)) except InvalidTag as e: raise UmbralDecryptionError() from e return cleartext
def test_encrypt_decrypt(): key = os.urandom(32) dem = UmbralDEM(key) plaintext = b'peace at dawn' ciphertext0 = dem.encrypt(plaintext) ciphertext1 = dem.encrypt(plaintext) assert ciphertext0 != plaintext assert ciphertext1 != plaintext # Ciphertext should be different even with same plaintext. assert ciphertext0 != ciphertext1 # Nonce should be different assert ciphertext0[:DEM_NONCE_SIZE] != ciphertext1[:DEM_NONCE_SIZE] cleartext0 = dem.decrypt(ciphertext0) cleartext1 = dem.decrypt(ciphertext1) assert cleartext0 == plaintext assert cleartext1 == plaintext