paragonie / ciphersweet

Fast, searchable field-level encryption for PHP projects
https://ciphersweet.paragonie.com

Question: Is it possible to interact with the database using public / private keys #46

Closed jcalfee closed 5 years ago

jcalfee commented 5 years ago

I need Bob to create a row for Alice using Alice's public key. Alice would then of course search for that row using her private key. Is it possible to use ECC cryptography with ciphersweet?

paragonie-scott commented 5 years ago

The focus of this library is searchable symmetric encryption.

You can hack asymmetric cryptography into it (i.e. sodium_crypto_box_seal()). An earlier design included this as a feature, but it seemed unwieldy from an API perspective.

If you require custom development to support the asymmetric cryptography use cases, please email the CEO a request for a quote: info at paragonie dot com.

jcalfee commented 5 years ago

Thanks, I'll pass this info along.

jcalfee commented 5 years ago

I just found a write-up under the solution linked from your page. The problem I see with this is that each blind index requires a distinct key, but the only distinct key Bob has for Alice is publicly known. So, in the case above, Alice's distinct key is her public key. Key stretching is not strong enough to prevent an adversary from also analyzing the database to see if Alice got a message. There are too many users to establish shared secret pairs to use as the blind index key. I believe that may be how you were going to use sodium_crypto_box_seal...

Do you have an alternative way to do this?
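
The concern raised in the last comment, shown as an added example that is not part of the thread and is not CipherSweet's code: a blind index whose key is stretched from Alice's public key can be recomputed by anyone who holds that public key. The `blindIndex()` and `indexKeyFromPublicKey()` helpers, the fixed salt and the indexed value `'recipient'` are assumptions made for illustration; the sodium functions are PHP's standard libsodium bindings.

```php
<?php
declare(strict_types=1);

// Simplified blind index (assumption): truncated keyed BLAKE2b, not CipherSweet's API.
function blindIndex(string $value, string $indexKey): string
{
    return bin2hex(sodium_crypto_generichash($value, $indexKey, 16));
}

// Key stretching over a PUBLIC input. It costs time, but every input is
// known to everyone, so any party can repeat the derivation.
function indexKeyFromPublicKey(string $publicKey): string
{
    $salt = str_repeat("\x00", SODIUM_CRYPTO_PWHASH_SALTBYTES); // constructed fixed salt
    return sodium_crypto_pwhash(
        32, $publicKey, $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
    );
}

$aliceKeypair = sodium_crypto_box_keypair();
$alicePublic  = sodium_crypto_box_publickey($aliceKeypair);

// Bob writes a row for Alice using only her public key.
$row = [
    'sealed' => sodium_crypto_box_seal('constructed sample message', $alicePublic),
    'idx'    => blindIndex('recipient', indexKeyFromPublicKey($alicePublic)),
];

// Alice finds the row by index and opens it with her keypair.
$aliceIdx = blindIndex('recipient', indexKeyFromPublicKey($alicePublic));
var_dump(hash_equals($row['idx'], $aliceIdx));
var_dump(sodium_crypto_box_seal_open($row['sealed'], $aliceKeypair));

// An observer with read access to the table and Alice's public key runs
// the same derivation and learns that the row is addressed to Alice.
$observerIdx = blindIndex('recipient', indexKeyFromPublicKey($alicePublic));
var_dump(hash_equals($row['idx'], $observerIdx));

// With an index key the observer does not hold, the index cannot be recomputed.
$secretIdx = blindIndex('recipient', random_bytes(32));
var_dump(hash_equals($secretIdx, blindIndex('recipient', random_bytes(32))));
```

The sealed message itself stays confidential in this sketch; what leaks is the link between the row and Alice, because the index key carries no secret.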