-
Notifications
You must be signed in to change notification settings - Fork 2
Home
-
Codex – General Normative
- Appendix I – X.509 Public Key Infrastructure — CRL, CSR, and Certificates
- Appendix II – Identity-Based Cryptography — IBE, Threshold IBE, and Key Management
- Appendix III – Bulk Encryption — Block Ciphers, Stream Ciphers, and AEAD Modes
- Appendix IV – Hash Functions, MACs, KDFs, and Password Hashing Schemes (PHS)
- Appendix V – Digital Signatures — Classical, Modern, Post-Quantum Schemes
- Appendix VI – Asymmetric Encryption — Classical, Modern, Post-Quantum Schemes
- History – History of Cryptography
EDGE Toolkit is a cryptographic toolkit designed to provide secure, high-performance primitives for modern systems, particularly those operating in distributed and edge environments. Its design emphasizes correctness, composability, and resistance to common implementation errors. The toolkit organizes cryptographic functionality along three main axes:
- Key model: symmetric vs. asymmetric
- Reversibility: whether original data can be recovered
- Security objective: confidentiality, integrity, authentication, or key agreement/derivation
By structuring cryptographic primitives in this way, edgetk aims to make correct usage more intuitive while reducing the likelihood of misuse.
Figure #1
%% EDGETk Architecture - Core on the left, Symmetric above Asymmetric
graph LR
A[EDGETk Core]
%% Subgraphs for vertical stacking
subgraph SymmetricModules[Symmetric]
direction TB
B[Key Derivation / Passwords]
C[MACs]
D[Hashing / Digest]
E[Transformations / Modes of Operation]
B --> B1[HKDF, PBKDF2, Argon2, Lyra2, Scrypt, Bcrypt, Makwa]
C --> C1[CMAC, PMAC, GMAC, VMAC, HMAC]
D --> D1[SHA-1/2/3, RIPEMD128/160/256/320, Whirlpool, Kupyna, Streebog, CubeHash, SipHash64/128]
E --> E1[AES, Camellia, SEED, SM4, HIGHT, Kalyna, Magma, HC-128, Rabbit, Trivium, PRESENT, CLEFIA, LEA]
end
subgraph AsymmetricModules[Asymmetric]
direction TB
F[Key Agreement]
G[Digital Signatures]
H[Identity-Based Encryption / Signatures]
I[Secure Transport / TCP Server]
F --> F1[ECDH, VKO, X25519, X448, ML-KEM, EG, ECKA-EG]
G --> G1[RSA, ECDSA, EdDSA, GOST, SLH-DSA, ML-DSA, LMS, BLS]
H --> H1[Boneh-Franklin IBE, Barreto IBS, Bilinear Pairings]
I --> I1[TLS 1.3, TLCP, X509 CSRs, CRLs, Certificates]
end
%% Connect Core to top-level Symmetric and Asymmetric
A --> SymmetricModules
A --> AsymmetricModules
Symmetric cryptography relies on a single shared secret key used by both the sender and the receiver. Because it avoids the computational overhead of public-key operations, it is significantly more efficient and is therefore the standard approach for encrypting large volumes of data.
Reversible symmetric cryptography refers to encryption schemes where ciphertext can be transformed back into the original plaintext using the same secret key.
The primary goal of bulk encryption is confidentiality: ensuring that unauthorized parties cannot access the content of the data.
Modern symmetric encryption schemes are typically implemented as Authenticated Encryption with Associated Data (AEAD), which simultaneously provides:
- Confidentiality: the plaintext is hidden
- Integrity: tampering with ciphertext is detectable
- Authenticity: the data origin can be verified (implicitly through possession of the key)
Two widely used AEAD constructions are:
- AES-GCM (Advanced Encryption Standard in Galois/Counter Mode): a hardware-accelerated block cipher mode widely supported across platforms.
- ChaCha20-Poly1305: a stream cipher combined with a MAC, optimized for software performance and commonly used in mobile and low-power environments.
Key considerations for bulk encryption include:
- Nonce/IV uniqueness: reuse can break security guarantees
- Key lifecycle management: secure generation, storage, and rotation
- Proper use of authenticated modes to avoid separate encryption and MAC composition errors
Typical applications include file encryption, secure network communication, and data-at-rest protection.
Irreversible primitives do not allow recovery of the original input. Instead, they produce fixed-size outputs that serve as verifiable representations of data.
A cryptographic hash function takes an input of arbitrary size and produces a fixed-length output called a digest. These functions are deterministic and designed with the following security properties:
- Preimage resistance: given a hash output, it should be computationally infeasible to find an input that produces it.
- Second-preimage resistance: given an input, it should be infeasible to find a different input with the same hash.
- Collision resistance: it should be infeasible to find any two distinct inputs that produce the same hash.
Hash functions are considered irreversible because reconstructing the original input from the digest is computationally infeasible.
Common hash functions include SHA-256 and SHA-3. They are used in:
- Data integrity verification
- Digital signatures (as a preprocessing step)
- Password storage (when combined with salting and key stretching)
- Content addressing and fingerprinting
A Message Authentication Code (MAC) is a keyed function that produces a fixed-size tag from a message and a secret key. Unlike hash functions, MACs require a shared secret and provide:
- Integrity: detection of any modification to the message
- Authenticity: assurance that the message was generated by someone with access to the key
A widely used construction is HMAC (Hash-based Message Authentication Code), which combines a hash function with a secret key in a secure way. Another example is Poly1305, often used alongside ChaCha20.
MACs are irreversible in the sense that the original message cannot be derived from the MAC value, and the key cannot be inferred from observing MACs.
Common use cases include API request signing, secure messaging, and protocol-level message validation.
Asymmetric cryptography uses a pair of mathematically related keys:
- A public key, which can be shared openly
- A private key, which must remain secret
Operations performed with one key can only be reversed or verified using the other. This model enables secure communication between parties that have not previously shared a secret.
In this context, "reversible" refers to constructions where one operation (e.g., encryption or signing) can be verified or reversed using the corresponding key.
Digital signature schemes allow a party to sign data using a private key, producing a signature that can be verified by anyone with the corresponding public key.
They provide three essential guarantees:
- Authenticity: the signer is identified as the holder of the private key
- Integrity: any modification to the signed data invalidates the signature
- Non-repudiation: the signer cannot plausibly deny having produced the signature
In practice, data is first hashed, and the signature algorithm is applied to the hash rather than the raw data.
Common algorithms include:
- ECDSA (Elliptic Curve Digital Signature Algorithm)
- EdDSA (Edwards-curve Digital Signature Algorithm), particularly Ed25519, which offers better safety properties and simpler implementation
Digital signatures are used in software distribution, secure communication protocols, identity systems, and blockchain technologies.
ElGamal-based key wrapping is a public-key encryption technique used to securely encapsulate symmetric keys.
Instead of encrypting large datasets directly with asymmetric cryptography (which is inefficient), a random symmetric key is generated and then encrypted using the recipient’s public key. The encrypted symmetric key can only be recovered using the corresponding private key.
This approach enables hybrid encryption systems, combining:
- The efficiency of symmetric encryption for data
- The secure key distribution properties of asymmetric encryption
ElGamal operates over groups (commonly elliptic curves in modern variants) and relies on the hardness of the discrete logarithm problem.
Irreversible asymmetric primitives are primarily used for deriving shared secrets rather than encrypting or signing data directly. The resulting shared secret cannot be used to reconstruct the original private keys.
ECDH is a key agreement protocol that allows two parties to derive a shared secret over an insecure channel.
Each party generates:
- A private key (kept secret)
- A public key (shared openly)
By combining their private key with the other party’s public key, both parties independently compute the same shared secret. An eavesdropper observing only the public keys cannot feasibly derive this secret.
The security of ECDH relies on the hardness of the elliptic curve discrete logarithm problem.
The shared secret is typically passed through a key derivation function (KDF) before being used as a symmetric key.
ECDH is widely used in:
- TLS (Transport Layer Security)
- Secure messaging protocols
- VPNs and encrypted tunnels
X25519 is a specific instantiation of elliptic curve Diffie-Hellman using Curve25519. It is designed for simplicity, performance, and resistance to implementation errors.
Key properties include:
- A fixed, well-studied curve with safe parameters
- Resistance to common side-channel attacks
- Minimal configuration, reducing the risk of misuse
- High performance across a wide range of platforms
X25519 is considered a modern standard for key agreement and is used in protocols such as TLS 1.3, Signal, and other secure communication systems.
Like ECDH, it produces a shared secret that is then processed by a key derivation function.
Future expansions of the edgetk Wiki may include:
- Hybrid cryptographic constructions combining symmetric and asymmetric techniques
- Formal threat models and attacker assumptions
- Detailed API documentation and usage examples
- Common pitfalls and misuse patterns in cryptographic implementations
- Key management strategies, including generation, storage, rotation, and derivation