Encryption

Comprehensive encryption implementation across Oneliac systems.

Encryption Standards

Algorithm Selection

Data Type	Algorithm	Key Size	Mode
Patient Data	AES	256-bit	GCM
Communication	TLS	256-bit	1.3
Blockchain Keys	EdDSA	256-bit	Ed25519
IPFS Data	AES	256-bit	CBC-PKCS7

Data Encryption at Rest

File-Level Encryption

from oneliac.encryption import FileEncryption

encryptor = FileEncryption()

# Encrypt patient file
encrypted_file = encryptor.encrypt_file(
    input_path="patient_data.json",
    output_path="patient_data.encrypted",
    key=master_key
)

# Decrypt patient file
decrypted_data = encryptor.decrypt_file(
    input_path="patient_data.encrypted",
    key=master_key
)

Database Encryption

Field-level encryption in database:

from oneliac.models import Patient

class Patient(Base):
    patient_id: str  # Indexed, unencrypted
    name: Encrypted[str]  # AES-256-GCM encrypted
    ssn: Encrypted[str]
    dob: Encrypted[str]
    medical_history: Encrypted[JSON]

Encryption in Transit

HTTPS/TLS Configuration

server {
    listen 443 ssl http2;
    
    ssl_protocols TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
}

Certificate Management

Use certificates from trusted CAs
Minimum 2048-bit RSA (4096-bit preferred)
Certificate pinning for mobile clients
Automatic renewal with 30-day buffer

API Request Encryption

from oneliac.encryption import RequestEncryption

encryptor = RequestEncryption()

# Encrypt API request body
encrypted_request = encryptor.encrypt_request(
    data={"patient_id": "...", "sensitive_field": "..."},
    server_public_key=server_key
)

response = requests.post(
    "https://api.oneliac.com/endpoint",
    json={"encrypted_payload": encrypted_request}
)

Key Management

Key Derivation

from oneliac.encryption import KeyDerivation

kdf = KeyDerivation()

# Derive encryption key from master key
encryption_key = kdf.derive(
    master_key=master_secret,
    salt=random_salt,
    iterations=100000,
    algorithm="PBKDF2"
)

Key Storage

Master keys stored in HSM (Hardware Security Module)
Encryption keys rotated every 90 days
Per-patient encryption key option available
Keys never logged or exposed in error messages

Key Rotation

from oneliac.encryption import KeyManager

manager = KeyManager()

# Rotate encryption keys
manager.rotate_key(
    key_id="key_123",
    new_key=new_encryption_key,
    schedule="immediate"
)

Zero-Knowledge Proof Encryption

Proof Generation

Patient data never exposed to verifier:

from oneliac.zk import ZKProof

prover = ZKProof()

# Generate proof: patient eligible, no raw data exposed
proof = prover.prove(
    private_inputs={
        "patient_ssn": "123-45-6789",
        "coverage": 100
    },
    public_inputs=["0x..."],
    circuit="eligibility_check"
)

Commitment Scheme

Use Pedersen commitments:

commitment = prover.commit(
    plaintext=patient_data,
    random_value=blinding_factor
)

End-to-End Encryption

Implementation

from oneliac.e2e import E2EEncryption

e2e = E2EEncryption()

# User 1 encrypts message to User 2
encrypted_msg = e2e.encrypt(
    plaintext="sensitive message",
    recipient_public_key=user2_public_key
)

# User 2 decrypts with private key
decrypted_msg = e2e.decrypt(
    ciphertext=encrypted_msg,
    recipient_private_key=user2_private_key
)

Federated Learning Encryption

Gradient Encryption

from oneliac.federated import GradientEncryption

grad_encryptor = GradientEncryption()

# Encrypt model gradients before aggregation
encrypted_gradients = grad_encryptor.encrypt(
    gradients=local_gradients,
    public_key=federated_coordinator_key
)

Secure Aggregation

from oneliac.federated import SecureAggregation

aggregator = SecureAggregation()

# Aggregate encrypted gradients without decryption
global_update = aggregator.aggregate(
    encrypted_gradients=[...],
    num_parties=3
)

Blockchain Encryption

Private Key Management

from solders.keypair import Keypair

# Generate keypair for Solana account
keypair = Keypair()

# Store private key securely
encrypted_key = encryptor.encrypt(
    plaintext=keypair.secret,
    key=master_key
)

Transaction Privacy

All transactions to blockchain are on-chain visible
Use Solana's privacy programs for enhanced privacy
IPFS stores encrypted payloads

Security Considerations

Entropy Generation

Use cryptographically secure randomness:

import secrets

random_key = secrets.token_bytes(32)  # 256-bit random key

Side-Channel Protection

Constant-time comparisons for sensitive operations
No timing-dependent branches in cryptographic code
Regular security audits and penetration testing

Compliance

NIST Guidelines: SP 800-38D for AES-GCM
FIPS 140-2: Cryptographic module validation
PCI DSS: For payment card information
HIPAA: For healthcare data encryption

Monitoring

# Monitor encryption operations
encryptor.add_metrics_hook(
    metric_name="encryption_duration",
    tags={"algorithm": "AES-256"}
)

# Alert on encryption failures
encryptor.add_error_handler(
    handler=log_encryption_error,
    alert=True
)

Encryption Standards​

Algorithm Selection​

Data Encryption at Rest​

File-Level Encryption​

Database Encryption​

Encryption in Transit​

HTTPS/TLS Configuration​

Certificate Management​

API Request Encryption​

Key Management​

Key Derivation​

Key Storage​

Key Rotation​

Zero-Knowledge Proof Encryption​

Proof Generation​

Commitment Scheme​

End-to-End Encryption​

Implementation​

Federated Learning Encryption​

Gradient Encryption​

Secure Aggregation​

Blockchain Encryption​

Private Key Management​

Transaction Privacy​

Security Considerations​

Entropy Generation​

Side-Channel Protection​

Compliance​

Monitoring​