1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166

//! This module defines HPKE-based double encryption and decryption for use in
//! individual data tranformations as defined in
//! [`data_transformations`](crate::data_transformations).
//!
//! A plain text data value can be encrypted once to obtain a level-1
//! encryption of the data value.
//!
//! A level-1 encrypted data value can be encrypted a second time to obtain a
//! level-2 encryption of the data value.
//!
//! Only level-2 encrypted data values can be decrypted, and only if both
//! encryptions were performed towards the same receiver.

use libcrux::hpke::kem::Nsk;

use libcrux::hpke::{HpkeOpen, HpkeSeal};

use crate::SerializedHPKE;

use crate::data_types::{DataValue, EncryptedDataValue};

use libcrux::hpke::HPKEConfig;

use crate::error::Error;

use hacspec_lib::Randomness;

/// HPKE double encryption level 1 `info` string.
const HPKE_LEVEL_1_INFO: &[u8] = b"Hpke-Level-1";

/// HPKE double encryption level 2 `info` string.
const HPKE_LEVEL_2_INFO: &[u8] = b"Hpke-Level-2";

/// Level-1 encrypt a plain text data value.
///
/// Inputs:
/// - `data_value`: A plain text data value
/// - `ek`: The receivers public encryption key
/// - `randomness`: Random bytes
///
/// Output:
/// A level-1 encrypted data value.
///
/// Raises:
/// - `CorruptedData`: If the internal encryption fails.
///
/// Panics:
/// - on insufficient randomness
pub(crate) fn hpke_seal_level_1(
    data_value: &DataValue,
    ek: &[u8],
    randomness: &mut Randomness,
) -> Result<EncryptedDataValue, Error> {
    let HPKEConfig(_, kem, _, _) = crate::HPKE_CONF;
    let encrypted_data_value = EncryptedDataValue {
        attribute_name: data_value.attribute_name.clone(),
        value: SerializedHPKE::from_hpke_ct(&HpkeSeal(
            crate::HPKE_CONF,
            ek,
            HPKE_LEVEL_1_INFO,
            b"",
            &data_value.value,
            None,
            None,
            None,
            randomness.bytes(Nsk(kem)).unwrap().to_vec(),
        )?)
        .to_bytes(),
        encryption_level: 1u8,
    };
    Ok(encrypted_data_value)
}

/// Level-2 encrypt a level-1 encrypted data value.
///
/// Inputs:
/// - `data_value`: A level-1 encrypted data value
/// - `ek`: The receivers public encryption key
/// - `randomness`: Random bytes
///
/// Output:
/// A level-2 encrypted data value.
///
/// Raises:
/// - `InvalidInput`: If the input data value is not level-1 encrypted.
/// - `CorruptedData`: If the internal encryption fails.
///
/// Panics:
/// - on insufficient randomness
pub(crate) fn hpke_seal_level_2(
    data_value: &EncryptedDataValue,
    ek: &[u8],
    randomness: &mut Randomness,
) -> Result<EncryptedDataValue, Error> {
    if data_value.encryption_level != 1u8 {
        return Err(Error::InvalidInput);
    }

    let HPKEConfig(_, kem, _, _) = crate::HPKE_CONF;
    let data_value = EncryptedDataValue {
        attribute_name: data_value.attribute_name.clone(),
        value: SerializedHPKE::from_hpke_ct(&HpkeSeal(
            crate::HPKE_CONF,
            ek,
            HPKE_LEVEL_2_INFO,
            b"",
            &data_value.value,
            None,
            None,
            None,
            randomness.bytes(Nsk(kem)).unwrap().to_vec(),
        )?)
        .to_bytes(),
        encryption_level: 2u8,
    };
    Ok(data_value)
}

/// Decrypt a level-2 encrypted data value.
///
/// Inputs:
/// - `data_value`: A Level-2 encrypted data value
/// - `sk`: The receiver's decryption key
///
/// Outputs:
/// A plain text data value.
///
/// Raises:
/// - `InvalidInput`: If the input data value is not level-2 encrypted.
/// - `CorruptedData`: If the internal decryption fails, e.g. because of
///   inconsistent level-1 and level-2 receivers.
pub(crate) fn hpke_open_level_2(
    data_value: &EncryptedDataValue,
    sk: &[u8],
) -> Result<DataValue, Error> {
    if data_value.encryption_level != 2u8 {
        return Err(Error::InvalidInput);
    }

    let outer_encryption = SerializedHPKE::from_bytes(&data_value.value).to_hpke_ct();
    let inner_encryption = SerializedHPKE::from_bytes(&HpkeOpen(
        crate::HPKE_CONF,
        &outer_encryption,
        sk,
        HPKE_LEVEL_2_INFO,
        b"",
        None,
        None,
        None,
    )?)
    .to_hpke_ct();
    let data_value = DataValue {
        attribute_name: data_value.attribute_name.clone(),
        value: HpkeOpen(
            crate::HPKE_CONF,
            &inner_encryption,
            sk,
            HPKE_LEVEL_1_INFO,
            b"",
            None,
            None,
            None,
        )?,
    };
    Ok(data_value)
}