Decryptor
Last updated
Last updated
POST /data-requests
Decryptor requests encryptor's data by posting a data request to the ledger through this endpoint. After sufficient number of trustees and validators observe the data request and have responded to it, the decryptor will be able to decrypt the secret.
| Name | In | Type | Required | Description |
|---|---|---|---|---|
Example
| Status | Meaning | Description | Schema |
|---|---|---|---|
The data request is successfully posted on the ledger.
Example
Input is malformed. Check that:
token is a string
token is a 128-bit hex string
Example 1
Example 2
API key is missing or incorrect.
Example
The data request has already been posted.
Example
GET /encryptions/{token-hash}/ciphertext
Retrieve the ciphertext part of an Encryption. After decrypting it with decryptor's decryption key, one should find a payload encrypted with a symmetric key together with a digital signature by the encryptor. The decryptor will not have sufficient information to further decrypt unless there are anough trustees and validators who have responded to the data request. See the code samples to see how decryptions are done.
Example
GET /encryptions/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/ciphertext
Successfully retrieved the ciphertext from the encryption.
Schema
Example
API key is missing or incorrect.
Example
The encryption does not exist.
Example
GET /data-requests/{token}/trustee-responses
Retrieves all trustee responses for a data request signed by the corresponding Trustee. Sufficient number of individual trustees' responses reconstruct to a masked symmetric key. See code samples for details.
Note 1: The path parameter is the token which should be kept secret until the data request related to the token has been posted. Therefore, this endpoint should be called only after the data request is posted onto the ledger.
Note 2: This endpoint returns successful status even if not enough trustees have responded. User should check if the number of responses is at least the secret sharing threshold before attempting to reconstruct the secret. Otherwise a garbage value will be reconstructed.
Example
GET /data-requests/{token}/trustee-responses
Successfully retrieved trustee responses for a data request.
Schema
Example
Request is malformed.
Example
API key is missing or incorrect.
Example
The data request does not exist.
Example
GET /data-requests/{token}/validator-responses
Retrieves all validator responses for a data request signed by the corresponding Validator. Sufficient number of individual validators' responses reconstruct to a mask that together with trustees' responses reveals a symmetric key. The combined results also reveals the decryptor's identity. See code samples
Note 1: The path parameter is the token which should be kept secret until the data request related to the token has been posted. Therefore, this endpoint should be called only after the data request is posted onto the ledger.
Note 2: This endpoint returns successful status even if not enough validators have responded. User should check if the number of responses is at least the secret sharing threshold before attempting to reconstruct the secret. Otherwise a garbage value will be reconstructed.
Example
GET /data-requests/{token}/validator-responses
Successfully retrieved validator responses for a data request.
Schema
Example
Request is malformed.
Example
API key is missing or incorrect.
Example
The data request does not exist.
Example
A data request, containing a token whose hash value was provided by the encryptor at encryption time.
Example
A piece of asymmetrically encrypted ciphertext. It is created by first generating a symmetric ephemeral key, encrypt symmetrically the message using the ephemeral key, then encrypt asymmetrically the ephemeral key by an encryption key. All binary data are encoded in base64. For details, read the code samples.
Example
A base64-encoded binary data.
Example
A 128-bit random string kept secret between the encryptor and decryptor after encryption stage and before data request stage. It identifies a data request. Its hash value identifies an encryption. The decryptor posts it on the ledger at data request stage.
Example
A Sha256 hash value as a hexidecimal string.
Example
ID of a trustee. It contains only alphanumerical characters, underscores (_) and dashes (-). It has length inclusively between 3 and 30.
Example
ID of a validator. It contains only alphanumerical characters, underscores (_) and dashes (-). It has length inclusively between 3 and 30.
Example
A trustee response to a data request. It contains the decrypted trustee share for the decryptor to perform a full decryption on a secret. It also consists of metadata for identifying the corresponding data request.
Example
A trustee response attached with a digital signature for everyone to validate the response's integrity.
Note that the trustee response is represented as a string (instead of an object). This ensures that there is a unified way to verify the signature.
Example
A digital signature. It consists of the metadata of the signer, including its ID, and the signature payload encoded in base64.
Schema
Metadata of a participant in PAD. It can currently be used to describe a trustee or a validator.
Example
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| Status | Meaning | Description | Schema |
|---|---|---|---|
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| Status | Meaning | Description | Schema |
|---|---|---|---|
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| Status | Meaning | Description | Schema |
|---|---|---|---|
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| Type | Restrictions |
|---|---|
| Type | Restrictions |
|---|---|
| Type | Restrictions |
|---|---|
| Type | Restrictions |
|---|---|
| Type | Restrictions |
|---|---|
| Name | Type | Required | Description |
|---|---|---|---|
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| Property | Value |
|---|---|
| Name | Type | Required | Description |
|---|---|---|---|
| Name | Type | Required | Description |
|---|---|---|---|
| Name | Type | Required | Description |
|---|---|---|---|
| Property | Value |
|---|---|
-
body
true
none
200
Succeeded
400
Bad Request
Invalid token
401
API key is missing or invalid
409
Conflict
token-hash
path
true
Hash value of the token
200
Succeeded
Inline
401
API key is missing or invalid
404
Not found
Encryption not found
ok
boolean
true
none
none
ciphertext
true
none
none
token
body
true
none
200
Succeeded
Inline
400
Bad Request
Token is invalid in format
401
API key is missing or invalid
404
Not found
Encryption not found
ok
boolean
true
none
none
trusteeResponses
dict<TrusteeId, SignedTrusteeResponse>
true
none
none
token
body
true
none
200
Succeeded
Inline
400
Bad Request
Token is invalid in format
401
API key is missing or invalid
404
Not found
Encryption not found
ok
boolean
true
none
none
validatorResponses
dict<ValidatorId, ValidatorResponse>
true
none
none
token
true
none
none
encryptedMessage
object
true
none
Cipher of a message encrypted with an ephemeral key
» ciphertext
true
none
none
» iv
true
none
none
encryptedEphemeralKey
true
none
The ephemeral key encrypted by an asymmetric encryption key
string
none
string
/[0-9a-fA-Z]{32}/
string
/[0-9a-fA-F]{64}/
string
[a-zA-Z0-9-_]{3,30}
string
[a-zA-Z0-9-_]{3,30}
ok
boolean
true
The request is successful or not
message
string
true
none
padName
true
none
The instance where the data request is posted
token
true
none
The ID of the data request
trusteeShare
true
none
The decrypted trustee share
type
enum
true
none
Type of response
trusteeId
true
none
ID of the responding trustee
type
"trustee_response"
trusteeResponse
string<TrusteeResponse>
true
none
signature
true
none
signerMetadata
false
none
payload
false
none
id
true
/[0-9a-zA-Z-_]{3,30}/
fullName
string
true
/Trustee-[0-9a-zA-Z_]+/ or /Validator-[0-9a-zA-Z_]+/
role
enum
true
none
role
Trustee
role
Validator
role
Server