Cloudproof Encryption is fundamentally the combination of 2 schemes: one for encryption using attributes (a hybrid KP-ABE + AES scheme) and one for quick, secure searches (an SSE scheme).
The cryptographic systems and primitives used by Cosmian Data Confidential are based on recent public cryptographic research and on primitives developed by Cosmian cryptographers in partnership with world-renowned cryptographic laboratories, such as the ENS Crypto. Lab and the KU Leuven COSIC lab, and with Cosmian scientific advisors, namely Pr. David Pointcheval and Pr. Nigel Smart.
The research papers are available either publicly or through NDA while in a patenting process. See below for details.
The source code of the implementations is open-sourced or available under NDA while being patented. See below for details.
Hybrid Attribute Encryption Scheme: Covercrypt
Cosmian uses a hybrid encryption scheme (KEM-DEM): the clear text is encrypted symmetrically with a randomly generated ephemeral symmetric key, which is itself encrypted using a public key encryption scheme.
Symmetric key encryption: AES-256 GCM
When encrypting an arbitrary-sized clear text, a random 256-bit ephemeral key is first generated using a Cryptographically Secure Pseudo-Random Number Generator (CS-PRNG).
This key is used to encrypt the data using AES-256 GCM. For speed, the library uses the native AES CPU instructions whenever they are available. Cosmian uses the Rust implementation of AES-256 GCM.
The result of this first encryption is a ciphertext that starts with a 96-bit nonce, followed by the data encrypted in counter mode, whose length is equal to that of the clear text, and ends with a 128-bit authentication tag.
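The layout described above (nonce, then counter-mode ciphertext, then tag) can be reproduced with any AES-256 GCM implementation. The following is an added example using the Go standard library, not Cosmian's Rust code; the names `SealDEM` and `OpenDEM` are hypothetical, no associated data is assumed, and the encapsulation of the ephemeral key is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const nonceLen, tagLen = 12, 16 // bytes: 96-bit nonce, 128-bit tag

// newGCM builds AES-256 GCM; Go's defaults match the nonce and tag sizes above.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(key) != 32 { // also reject AES-128/192 key sizes
		return nil, errors.New("key must be 256 bits")
	}
	return cipher.NewGCM(block)
}

// SealDEM draws an ephemeral key and a nonce, then returns nonce || ciphertext || tag.
func SealDEM(plaintext []byte) (key, blob []byte, err error) {
	buf := make([]byte, 32+nonceLen) // ephemeral key and nonce from the OS CSPRNG
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	key, nonce := buf[:32], buf[32:]
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	return key, aead.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenDEM splits the blob and returns plaintext only if the tag verifies.
func OpenDEM(key, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil || len(blob) < nonceLen+tagLen {
		return nil, errors.New("bad key or truncated ciphertext")
	}
	return aead.Open(nil, blob[:nonceLen], blob[nonceLen:], nil)
}

func main() {
	key, blob, err := SealDEM([]byte("constructed sample plaintext"))
	fmt.Println(len(key), len(blob), err)
}
```

The fixed overhead is 28 bytes per message, and any modification of the nonce, body or tag makes `OpenDEM` return an error instead of plaintext.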
Public Key Encryption
The generated symmetric key is then encapsulated using a public key scheme. The mechanism is available in 2 flavors:
- classic only: using Elliptic Curve encryption over Curve 25519
- hybridized: the classic scheme hybridized with a post-quantum scheme: Kyber 768
Details of Covercrypt cryptography and its implementation in Rust are found on GitHub.
The encryption of the symmetric key results in an encrypted “header”, which is usually prepended to the ciphertext generated by the symmetric key encryption. Using the native library, it is possible to generate the encrypted header and the symmetric ciphertext separately.
Searchable Encryption Scheme: Findex
Cosmian has developed a new fast Searchable Symmetric Encryption (SSE) scheme codenamed Findex. The scheme is not publicly available while being patented, but we can disclose it under NDA.
Likewise, and for the same reason, the Rust implementation is not yet publicly available but is available under NDA.