erlffx (erlffx v1.3.0)

Copy Markdown View Source

Format-preserving encryption using the FFX mode of operation.

erlffx implements the mechanism described in the 2010 paper "The FFX Mode of Operation for Format-Preserving Encryption" by Bellare, Rogaway and Spies. It enciphers a non-negative integer into another integer of the same length, under a chosen radix, so the ciphertext keeps the format of the plaintext. See the README for the paper link and examples.

  • AES-128 / AES-192 / AES-256 keys are supported (CBC mode).
  • Any positive word length is supported.
  • Any radix / alphabet size between 2 and 255 is acceptable (10 by default).
  • Optional 'tweak' values may be defined.
  • The number of Feistel rounds is configurable (10 by default).

Summary

Types

config()
optional_config_params()
radix()

Functions

config(AesKey, ValueLength)

Like config/3 but with default optional parameters.

config(AesKey, ValueLength, OptionalParams)

Builds an opaque encryption config/0.

decrypt(Config, EncryptedValue)

Deciphers EncryptedValue produced by encrypt/2, recovering the original Value.

encrypt(Config, Value)

Enciphers the non-negative integer Value under Config.

Types

config()

-opaque config()

optional_config_params()

-type optional_config_params() ::
          #{tweak => iodata(), radix => radix(), number_of_rounds => non_neg_integer()}.

radix()

-type radix() :: 2..255.

Functions

config(AesKey, ValueLength)

-spec config(AesKey, ValueLength) -> Config
                when AesKey :: iodata(), ValueLength :: pos_integer(), Config :: config().

Like config/3 but with default optional parameters.

config(AesKey, ValueLength, OptionalParams)

-spec config(AesKey, ValueLength, OptionalParams) -> Config
                when
                    AesKey :: iodata(),
                    ValueLength :: pos_integer(),
                    OptionalParams :: optional_config_params(),
                    Config :: config().

Builds an opaque encryption config/0.

  • AesKey must be a 16-, 24- or 32-byte (AES-128/192/256) key.
  • ValueLength is the word length, in digits of the chosen radix.
  • OptionalParams may set the tweak, the radix (2..255, default 10) and the number_of_rounds (default 10).

The same config/0 must be used to encrypt/2 and decrypt/2 a value.

decrypt(Config, EncryptedValue)

-spec decrypt(Config, EncryptedValue) -> Value
                 when
                     Config :: config(), EncryptedValue :: non_neg_integer(), Value :: non_neg_integer().

Deciphers EncryptedValue produced by encrypt/2, recovering the original Value.

Must be given the same config/0 that produced the ciphertext.

encrypt(Config, Value)

-spec encrypt(Config, Value) -> EncryptedValue
                 when
                     Config :: config(), Value :: non_neg_integer(), EncryptedValue :: non_neg_integer().

Enciphers the non-negative integer Value under Config.

Returns an integer of the same word length and radix. Reverse it with decrypt/2 using the same config/0.