Gateway provides an SDK and gRPC API to interact with Transform Encryption.

Key generation (e.g. keypairs, transformation keys) and encryption should be performed on the client.

SDK

LanguageLibrary
Rusthttps://github.com/GatewayLabs/gtw-recrypt
Typescript / Javascripthttps://github.com/GatewayLabs/recrypt-wasm-binding

Some operations require a signing_keypair to provide computation provenance.

For example; Who performed what operation

1. Generate Key Pair

Generate a new encryption (private & public) keypair. This will follow standard KPI practices where the public key encrypts data and the corresponding private key decrypts the ciphertext.

use recrypt_compute::crypto::encryption::recrypt::new_encryption_keypair;
// or for larger key size:
// use recrypt_compute::crypto::encryption::recrypt480::new_encryption_keypair;

let (priv_key, pub_key) = new_encryption_keypair();

2. Encrypt Data

Encrypt data using a public key.

use recrypt_compute::crypto::{encryption::recrypt::{new_encryption_keypair, encrypt}, signature::new_signing_keypair};

let data = "eu falo ingles";

let (\_, pubkey) = new_encryption_keypair();
let signing_keypair = new_signing_keypair();

let encryption = encrypt(data.as_bytes(), &pubkey, &signing_keypair).unwrap();

3. Generate Transform Key

Generate a transform key for re-encryption using the sender’s private key and the recipient’s public key.

The transformation key is a unique primitive that does not expose either crypto artifact in plaintext.

use recrypt_compute::crypto::{encryption::recrypt::{new_encryption_keypair, new_transform_key}, signature::ed25519::new_signing_keypair};

let (privkey, pubkey) = new_encryption_keypair();
let (privkey2, pubkey2) = new_encryption_keypair();
let signing_keypair = new_signing_keypair();

let transformkey = new_transform_key(&privkey, &pubkey2, &signing_keypair);

4. Transform Ciphertext

Transforms (re-encrypts) a ciphertext using a transform key.

transformed_data = transform(encryption.clone(), transformkey.clone(), &
signing_keypair3); ``` ```typescript TypeScript (WASM) let signing_keypair =
new_signing_keypair(); ```
</CodeGroup>

### 5. Decrypt Data

Decrypts a ciphertext using a private key.

<CodeGroup>
```rust Rust
use recrypt_compute::crypto::encryption::decrypt;
let unencryption = decrypt(&transformed_data, &privkey2, data.len()).unwrap();

Public API (Quickstart)

Node Endpoints

pre.gateway.tech:443 // Primary production node
pre-2.gateway.tech:443 // Secondary production node

API Requests

1. Generate Key Pair

Generates a new public-private key pair for encryption.

Avoid using this gRPC endpoint in production environments to avoid private key exposure.

rpc GenerateKeyPair(Empty) returns (EncodedKeyPair);

message EncodedKeyPair {
    string pubkey_base64 = 1;
    string privkey_base64 = 10;
}

const response = await client.GenerateKeyPair();
// Returns: { pubkey_base64: "...", privkey_base64: "..." }

2. Encrypt Data

Encrypts data using a public key.

Avoid using this gRPC endpoint in production environments to avoid known-cipher vulnerabilities.

rpc Encrypt(EncryptRequest) returns (EncryptReply);

message EncryptRequest {
    string data = 1;
    string pubkey_base64 = 2;
    bool is_data_base64 = 10;
}

message EncryptReply {
    string cipher_base64 = 1;
    float length = 10;
}

const response = await client.Encrypt({
  data: "Hello, World!",
  pubkey_base64: publicKey,
  is_data_base64: false,
});
// Returns: { cipher_base64: "...", length: 13 }

3. Generate Transform Key

Generates a transform key for re-encryption.

Avoid using this gRPC endpoint in production environments to avoid private key exposure.

rpc GenerateTransformKey(GenerateTransformKeyRequest) returns (EncodedPayload);

message GenerateTransformKeyRequest {
    string to_pubkey_base64 = 1;
    string from_privkey_base64 = 10;
}

message EncodedPayload {
    string payload_base64 = 1;
}

const response = await client.GenerateTransformKey({
  to_pubkey_base64: recipientPublicKey,
  from_privkey_base64: senderPrivateKey,
});
// Returns: { payload_base64: "..." }

4. Transform Ciphertext

Transforms (re-encrypts) a ciphertext using a transform key.

rpc Transform(TransformRequest) returns (EncodedPayload);

message TransformRequest {
    string cipher_base64 = 1;
    string transformkey_base64 = 2;
}

const response = await client.Transform({
  cipher_base64: encryptedData,
  transformkey_base64: transformKey,
});
// Returns: { payload_base64: "..." }

5. Decrypt Data

Decrypts a ciphertext using a private key.

Avoid using this gRPC endpoint in production environments to avoid private key exposure.

rpc Decrypt(DecryptRequest) returns (EncodedPayload);

message DecryptRequest {
    string cipher_base64 = 1;
    string privkey_base64 = 2;
    float length = 3;
}

const response = await client.Decrypt({
  cipher_base64: transformedData,
  privkey_base64: recipwwientPrivateKey,
  length: originalLength,
});
// Returns: { payload_base64: "..." }

Best Practices

  1. Security

    • Secure private key storage
    • Validate public keys
    • Implement proper key rotation

  2. Connection Management

    • Reuse client instances
    • Implement connection pooling
    • Handle reconnection gracefully

  3. Error Handling

    • Implement retries with backoff
    • Use backup nodes when primary is unavailable
    • Validate inputs before sending

  4. Performance

    • Batch operations when possible
    • Cache transform keys
    • Monitor response times

Rate Limits

EnvironmentRequests/SecondBurst Limit
Production100200
Testnet50100

Monitoring

Service status can be monitored at https://status.gateway.tech/pre

Was this page helpful?