Format Preserving Encryption¶
Format Preserving Encryption (FPE) is a cryptographic technique standardized in NIST SP 800-38G specification that allows the encryption of data while preserving its original format or structure. Unlike traditional encryption methods that transform data into ciphertext with a different format, FPE ensures that the encrypted output maintains the same format as the original input, such as preserving the length, character set, and other specific formatting requirements.
The purpose of Format Preserving Encryption is to provide confidentiality for sensitive data while minimizing the impact on applications or systems that rely on the original data format. This technique finds applications in scenarios where data format constraints are critical, such as databases, legacy systems, or data interchange processes.
FPE-FF1, the underlying cryptographic primitive, is a normalized algorithm that uses symmetric encryption, but it’s not as fast or secure as standardized symmetric (or public key) encryption methods like AES or ChaCha. It should only be used where the format of the ciphertext container is constrained (e.g., a fixed database schema that cannot be changed).
Cosmian FPE implementation supports the encryption of strings, floats and big integers.
In order to keep the format of the input plaintext, the alphabet used for plaintext must be specified.
There are multiple pre-defined alphabets available:
These alphabets can easily be extended with any character.
Implementations and quick start¶
FPE techniques are open-source and written in Rust. For the cryptographic documentation and implementation details, please check its Github repository.
Unless low-level programming in Rust, implementers should use those techniques through the various Cloudproof user libraries:
All these libraries are open-source and available on Github
The user libraries all contain extensive tests, and it is highly recommended to start by hacking those tests.
The library is published on npm: simply install the library in your
The library contains web assembly for cryptographic speed
4.0.0 is available on PyPI:
The most common example when using FPE is the encryption of credit card numbers. Here the alphabet
numeric is used (characters of this alphabet being 0123456789) as follow:
Warning encryption integers or big integers
When encrypting integers, the important parameters are
- `radix` is the base of the number representation (must be between 2 and 16 inclusive) - `digits` is the maximum number of digits in the representation. A value of 10 will limit the ciphertext output size to 10.
Also, integers must be passed as
Here are various examples for integers encryption:
Encrypting chinese plaintexts¶
chinese alphabet can be done as follow: