NuCypher

NuCypher KMS is a decentralized Key Management System (KMS) that addresses the limitations of using consensus networks to securely store and manipulate private, encrypted data. It provides encryption and cryptographic access control, performed by a decentralized network, leveraging proxy re-encryption. Unlike centralized KMS as a service solutions, it doesn’t require trusting a service provider. NuCypher KMS enables sharing of sensitive data for both decentralized and centralized applications, providing security infrastructure for applications from healthcare to identity management to decentralized content marketplaces. NuCypher KMS will be an essential part of decentralized applications, just as SSL/TLS is an essential part of every secure web application.

NuCypher is excited to announce the open source availability of NuCypher Kafka, a cryptosystem for granular, end-to-end encrypted message queues and streams. This release brings enterprise-grade security and PCI and HIPAA-compliance to the Kafka ecosystem, a key requirement for financial services, healthcare, and industrial IoT use cases.

The NuCypher cryptosystem relies on proxy re-encryption (PRE), a type of public-key encryption that allows a proxy entity to transform ciphertexts from one public key to another, without learning anything about the underlying message. PRE can be thought of as an improved, scalable PKI or multi-party TLS. Whereas traditional PKI is designed for 1-to-1 encrypted communication, PRE delivers similar security and performance guarantees for N-to-N encrypted communication. In our open source version, we use ElGamal on elliptic prime curves for encrypting and decrypting messages, and a variant of BBS98 for the re-encryption. In our commercial offering we have proxy re-encryption for ECIES.

The basic architecture of NuCypher Kafka is shown below. For simplicity, we assume one broker and one channel, although it’s trivial to expand to multiple brokers and channels.