Skip to content
/ hpke-php Public

PHP Implementation of RFC 9180 (Hybrid Public-Key Encryption)

License

ISC license
2 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

paragonie/hpke-php

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
.github/workflows
.github/workflows
 
 
src
src
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
composer.json
composer.json
 
 
phpunit.xml
phpunit.xml
 
 
psalm.xml
psalm.xml
 
 

Repository files navigation

Hybrid Public-Key Encryption (HPKE, RFC 9180) for PHP

Build Status Latest Stable Version Total Downloads Latest Unstable Version License

Installation

composer require paragonie/hpke

Usage

Instantiating HPKE

First, you need to decide on an HPKE ciphersuite. You can build these yourself by component, or use the standard modes that ship with RFC 9180:

  • DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, AES-128-GCM
  • DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, ChaCha20Poly1305
  • DHKEM(P-256, HKDF-SHA256), HKDF-SHA256, AES-128-GCM
  • DHKEM(P-256, HKDF-SHA256), HKDF-SHA512, AES-128-GCM
  • DHKEM(P-256, HKDF-SHA256), HKDF-SHA256, ChaCha20Poly1305
  • DHKEM(P-521, HKDF-SHA512), HKDF-SHA512, AES-256-GCM

To instantiate one of these ciphersuites, you can use the Factory class, like so:

<?php
use ParagonIE\HPKE\Factory;

// Either approach will work fine.
$ciphersuite = Factory::init('DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, AES-128-GCM');
$otherCS = Factory::dhkem_p256sha256_hkdf_sha256_chacha20poly1305();

Generating and Managing Key Pairs

Once you've instantiated your ciphersuite, you can now use it to generate/load keys.

<?php
use ParagonIE\HPKE\HPKE;
use ParagonIE\HPKE\KEM\DHKEM\{DecapsKey, EncapsKey};
use Mdanter\Ecc\Serializer\{
    PublicKey\PemPublicKeySerializer,
    PrivateKey\PemPrivateKeySerializer
};

/** @var HPKE $hpke */

/**
 * @var EncapsKey $public
 * @var DecapsKey $secret
 */
[$secret, $public] = $hpke->kem->generateKeys();

// You can now use Easy-ECC or PHP-ECC to manage these keys:
$decapsulationKeyToSaveToDisk = (new PemPrivateKeySerializer())
    ->serialize($secret->toPrivateKey());

$encapsKeySharePublicly = (new PemPublicKeySerializer())
    ->serialize($public->toPublicKey());

Setting Up Encryption Contexts

To set up an encryption context, simply use the setupBaseSender() and setupBaseReceiver() APIs.

<?php
use ParagonIE\HPKE\HPKE;
use ParagonIE\HPKE\KEM\DHKEM\{DecapsKey, EncapsKey};

/** 
 * @var HPKE $hpke 
 * @var EncapsKey $public
 * @var DecapsKey $secret
 */
 
const INFO = 'my custom protocol name';

// On one side
[$enc, $sender] = $hpke->setupBaseSender($public, INFO);

// On te other
$receiver = $hpke->setupBaseReceiver($secret, $enc, INFO);

// And now you can encrypt/decrypt:
$encrypted1 = $sender->seal('test message', 'first message AAD');
$decrypted1 = $receiver->open($encrypted1, 'first message AAD');

// The sequence is advanced automatically by our API

One-Shot Encryption API

<?php
use ParagonIE\HPKE\HPKE;
use ParagonIE\HPKE\KEM\DHKEM\{DecapsKey, EncapsKey};

/** 
 * @var HPKE $hpke 
 * @var EncapsKey $public
 * @var DecapsKey $secret
 */
 
const INFO = 'my custom protocol name';

// Sending (encryption)
$sealed = $hpke->sealBase($public, 'plaintext message', 'aad', INFO);

// Receiving (decryption)
$opened = $hpke->openBase($secret, $sealed, 'aad', INFO);

About

PHP Implementation of RFC 9180 (Hybrid Public-Key Encryption)

Resources

Readme

License

ISC license
Activity
Custom properties

Stars

2 stars

Watchers

3 watching

Forks

0 forks
Report repository

Releases 2

Version 0.2.0 Latest
Feb 5, 2025
+ 1 release

Packages

No packages published

Languages