
Encryption

The PrivMX platform uses elliptic curve cryptography (ECC), a public-key cryptography technique that leverages the mathematical properties of elliptic curves. ECC enables secure cryptographic operations such as key exchange, digital signatures, and encryption.

Here are the general principles of elliptic curves:

  • ECC relies on elliptic curves as its underlying mathematical structure. These curves are defined by the equation y^2 = x^3 + ax + b, where a and b are constant parameters. Elliptic curves have unique properties that make them suitable for cryptography. ECC is a core component of the digital signature system used in Bitcoin.

  • ECC security is based on the computational difficulty of computing discrete logarithms on elliptic curves (known as the Elliptic Curve Discrete Logarithm Problem, ECDLP). The digital signature algorithm using ECC is called ECDSA. ECC offers comparable security to the RSA algorithm but with significantly shorter key lengths.

  • ECC is an attractive algorithm for applications that require high-performance asymmetric encryption. It is particularly useful in resource-constrained computational environments, such as microprocessor cards.

PrivMX uses 256-bit ECC keys. Wherever a private or public key is required as input, it should be provided in Wallet Import Format (WIF).

You can learn more about keys and how to generate them here.
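As an added example (not PrivMX code), the following Python checks that a private-key string is well-formed WIF before it is passed to a library: Base58Check decoding, checksum verification, and a 32-byte (256-bit) key. It assumes the standard Bitcoin WIF layout with version byte 0x80; the function names are illustrative, and the sample key is constructed.

```python
from __future__ import annotations
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
WIF_VERSION = 0x80  # assumption: standard Bitcoin mainnet WIF version byte

def _checksum(payload: bytes) -> bytes:
    # Base58Check: first 4 bytes of SHA-256(SHA-256(payload))
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58encode(data: bytes) -> str:
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    # each leading zero byte is encoded as a leading '1'
    return "1" * (len(data) - len(data.lstrip(b"\0"))) + out

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        idx = B58.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + idx
    pad = len(text) - len(text.lstrip("1"))
    return b"\0" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")

def wif_encode(key: bytes, compressed: bool = True) -> str:
    if len(key) != 32:
        raise ValueError("key must be 32 bytes (256 bits)")
    payload = bytes([WIF_VERSION]) + key + (b"\x01" if compressed else b"")
    return b58encode(payload + _checksum(payload))

def wif_decode(wif: str) -> tuple[bytes, bool]:
    """Return (32-byte key, compressed flag) or raise ValueError."""
    raw = b58decode(wif)
    payload, check = raw[:-4], raw[-4:]
    if _checksum(payload) != check:
        raise ValueError("checksum mismatch (typo or truncated key)")
    if len(payload) not in (33, 34) or payload[0] != WIF_VERSION:
        raise ValueError("not a WIF-encoded 256-bit key")
    if len(payload) == 34 and payload[-1] != 0x01:
        raise ValueError("bad compression flag")
    return payload[1:33], len(payload) == 34

SAMPLE_KEY = bytes(range(1, 33))      # constructed sample, not a real key
SAMPLE_WIF = wif_encode(SAMPLE_KEY)   # round-trips through wif_decode()
```

The checksum catches mistyped or truncated keys at input time; it says nothing about whether the key is the right one for a given user.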

Detailed Encryption Scenario

In the Bridge, end users can create Containers such as Threads, Stores, and Inboxes. Only an end user can create a Container, by providing a set of public keys for the users who should have access to the Container. A symmetric key for the Container (Container Encryption Key) is then generated by the Container author and securely stored on the server, encrypted using public keys of users assigned to the Container. This ensures that only the authorized users have access to the Container's Encryption Key. Unencrypted keys never leave User Endpoints.

When accessing a Container, the encrypted Container Encryption Key is sent to each user based on their assignment to the Container. Only the users with proper Private Keys can decrypt this key. Messages are then encrypted using the decrypted key and signed with the users’ Private Keys before being sent to the Bridge.

This process is handled by the PrivMX Endpoint Library and is completely seamless for Endpoint users.

Here's a visual reference for the encryption process in PrivMX:

[Diagram: encryption]