Proxy re-encryption, MLS messaging, and zero-knowledge proofs for the ourochronos ecosystem
Reason this release was yanked:
Not ready for use
Project description
our-crypto
Cryptographic abstractions for proxy re-encryption, MLS group messaging, and zero-knowledge proofs in the ourochronos ecosystem.
Overview
our-crypto provides abstract interfaces with both mock and real implementations for three cryptographic primitives used across the ourochronos stack:
- Proxy Re-Encryption (PRE) — Allows a proxy to transform ciphertext from one key to another without decrypting it. Used for secure federation aggregation where a relay can re-encrypt shared beliefs without seeing the plaintext.
- MLS (Messaging Layer Security) — Group key agreement per RFC 9420 with forward secrecy, post-compromise security, and epoch-based key ratcheting. Powers encrypted group communication.
- Zero-Knowledge Proofs (ZKP) — Proves compliance properties (consent, policy adherence, domain membership) without revealing underlying data.
Backend Status
| Primitive | Mock | Real | Crypto Library | Notes |
|---|---|---|---|---|
| PRE | MockPREBackend |
X25519PREBackend |
cryptography (X25519 + HKDF + AES-256-GCM) |
Trusted-proxy ECIES. Blind PRE upgrade path via pairing-based crypto. |
| MLS | MockMLSBackend |
HKDFMLSBackend |
cryptography (X25519 + HKDF + Ed25519) |
Flat member list. Full TreeKEM upgrade path for O(log n) updates. |
| ZKP | MockZKPBackend |
SigmaZKPBackend |
cryptography (SHA-256) + optional py-ecc (BLS12-381) |
Sigma protocols with Fiat-Shamir. Pedersen commitments when py-ecc installed. |
Install
pip install our-crypto
Runtime dependency: cryptography>=42.0 (PyCA, audited).
Optional for BLS12-381 Pedersen commitments in ZKP:
pip install our-crypto[zkp]
Usage
Factory Functions
from our_crypto import create_pre_backend, create_mls_backend, create_zkp_backend
# Mock backends (for testing)
pre = create_pre_backend("mock")
mls = create_mls_backend("mock")
zkp = create_zkp_backend("mock")
# Real backends (for production)
pre = create_pre_backend("x25519")
mls = create_mls_backend("hkdf")
zkp = create_zkp_backend("sigma")
Proxy Re-Encryption
from our_crypto import create_pre_backend
backend = create_pre_backend("x25519")
# Generate keypairs
alice = backend.generate_keypair(b"alice")
bob = backend.generate_keypair(b"bob")
# Encrypt for Alice
ciphertext = backend.encrypt(b"shared belief data", alice.public_key)
# Generate re-encryption key (Alice -> Bob)
rekey = backend.generate_rekey(alice.private_key, bob.public_key)
# Re-encrypt without decrypting (proxy operation)
re_encrypted = backend.re_encrypt(ciphertext, rekey)
# Bob decrypts
plaintext = backend.decrypt(re_encrypted, bob.private_key)
MLS Group Messaging
from our_crypto import create_mls_backend
backend = create_mls_backend("hkdf")
# Create a group
group = backend.create_group(b"group-123", creator_id=b"alice")
# Add members (epoch advances, key schedule ratchets)
group = backend.add_member(group.group_id, b"bob", b"bob-key-package")
# Get current key schedule (HKDF-derived)
key_schedule = backend.get_key_schedule(group.group_id)
Zero-Knowledge Proofs
from our_crypto import create_zkp_backend, ComplianceProofType
backend = create_zkp_backend("sigma")
backend.setup(ComplianceProofType.HAS_CONSENT)
# Prove consent without revealing the record
prover = backend.create_prover(ComplianceProofType.HAS_CONSENT)
proof = prover.prove(
private_inputs={"consent_record": b"..."},
public_inputs={"user_id": "alice", "action": "read"},
)
# Verify independently
verifier = backend.create_verifier(ComplianceProofType.HAS_CONSENT)
result = verifier.verify(proof, {"user_id": "alice", "action": "read"})
assert result.valid
API
PRE
| Class | Description |
|---|---|
PREBackend |
Abstract interface for proxy re-encryption |
MockPREBackend |
In-memory mock implementation (XOR, no real crypto) |
X25519PREBackend |
Real ECIES implementation (X25519 + HKDF + AES-256-GCM) |
PREKeyPair, PREPublicKey, PREPrivateKey |
Key types |
ReEncryptionKey |
Unidirectional re-encryption key with optional expiration |
PRECiphertext |
Encrypted data container |
MLS
| Class | Description |
|---|---|
MLSBackend |
Abstract interface for MLS group operations |
MockMLSBackend |
In-memory mock implementation (SHA-256 derivation) |
HKDFMLSBackend |
Real implementation (X25519 DH + HKDF + Ed25519 signatures) |
MLSGroup, MLSMember |
Group and member state |
MLSKeySchedule |
Epoch-based key schedule |
MLSProposal, MLSCommit |
Add/Remove/Update proposals |
ZKP
| Class | Description |
|---|---|
ZKPBackend, ZKPProver, ZKPVerifier |
Abstract interfaces |
MockZKPBackend, MockZKPProver, MockZKPVerifier |
Mock implementations |
SigmaZKPBackend, SigmaZKPProver, SigmaZKPVerifier |
Real Sigma protocol implementations |
ComplianceProof |
Proof with metadata and expiration |
ComplianceProofType |
HAS_CONSENT, WITHIN_POLICY, NOT_REVOKED, MEMBER_OF_DOMAIN |
VerificationResult |
Verification outcome with timing |
Factory Functions
| Function | Backends |
|---|---|
create_pre_backend(backend) |
"mock" | "x25519" |
create_mls_backend(backend) |
"mock" | "hkdf" |
create_zkp_backend(backend) |
"mock" | "sigma" |
Development
# Install with dev dependencies
make dev
# Run linters
make lint
# Run tests
make test
# Run tests with coverage
make test-cov
# Auto-format
make format
State Ownership
None. This package is stateless — it provides interfaces and implementations only. Real backends maintain in-memory state for their operation (DEK cache for PRE, group state for MLS, parameters for ZKP) but persist nothing.
Part of Valence
This brick is part of the Valence knowledge substrate. See our-infra for ourochronos conventions.
License
MIT
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
our_crypto-0.1.0.tar.gz
(50.3 kB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file our_crypto-0.1.0.tar.gz.
File metadata
- Download URL: our_crypto-0.1.0.tar.gz
- Upload date:
- Size: 50.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
657bbcf8e3b562020e3151b794a5362168cf6cee2232ef37d22230a4e7a358ed
|
|
| MD5 |
bfa3606aced3dd088fad8bd3ce2f6711
|
|
| BLAKE2b-256 |
473fe5511f7a0d51fb06a0e07acd24dd29c24b4c6ea1fbc4a15d5febbbab4378
|
File details
Details for the file our_crypto-0.1.0-py3-none-any.whl.
File metadata
- Download URL: our_crypto-0.1.0-py3-none-any.whl
- Upload date:
- Size: 37.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
86432b25ba008c64e6b7f7f1eb108d750ac52e5c06c0e0fe368099a39e1e81ac
|
|
| MD5 |
91a48d30886de0dcf6272f3dabb84aac
|
|
| BLAKE2b-256 |
b42cdf4332605bf5136af68517e47770c08740dd003983a0de100e523db164c5
|
