Gateway provides an SDK and gRPC API to interact with Transform Encryption.

Key generation (e.g. keypairs, transformation keys) and encryption should be performed on the client.

SDK

LanguageLibrary
Rusthttps://github.com/GatewayLabs/gtw-recrypt
Typescript / Javascripthttps://github.com/GatewayLabs/recrypt-wasm-binding

Some operations require a signing_keypair to provide computation provenance.

For example; Who performed what operation

1. Generate Key Pair

Generate a new encryption (private & public) keypair. This will follow standard KPI practices where the public key encrypts data and the corresponding private key decrypts the ciphertext.

2. Encrypt Data

Encrypt data using a public key.

3. Generate Transform Key

Generate a transform key for re-encryption using the sender’s private key and the recipient’s public key.

The transformation key is a unique primitive that does not expose either crypto artifact in plaintext.

4. Transform Ciphertext

Transforms (re-encrypts) a ciphertext using a transform key.

Public API (Quickstart)

Node Endpoints

API Requests

1. Generate Key Pair

Generates a new public-private key pair for encryption.

Avoid using this gRPC endpoint in production environments to avoid private key exposure.

rpc GenerateKeyPair(Empty) returns (EncodedKeyPair);

message EncodedKeyPair {
    string pubkey_base64 = 1;
    string privkey_base64 = 10;
}

const response = await client.GenerateKeyPair();
// Returns: { pubkey_base64: "...", privkey_base64: "..." }

2. Encrypt Data

Encrypts data using a public key.

Avoid using this gRPC endpoint in production environments to avoid known-cipher vulnerabilities.

rpc Encrypt(EncryptRequest) returns (EncryptReply);

message EncryptRequest {
    string data = 1;
    string pubkey_base64 = 2;
    bool is_data_base64 = 10;
}

message EncryptReply {
    string cipher_base64 = 1;
    float length = 10;
}

const response = await client.Encrypt({
  data: "Hello, World!",
  pubkey_base64: publicKey,
  is_data_base64: false,
});
// Returns: { cipher_base64: "...", length: 13 }

3. Generate Transform Key

Generates a transform key for re-encryption.

Avoid using this gRPC endpoint in production environments to avoid private key exposure.

rpc GenerateTransformKey(GenerateTransformKeyRequest) returns (EncodedPayload);

message GenerateTransformKeyRequest {
    string to_pubkey_base64 = 1;
    string from_privkey_base64 = 10;
}

message EncodedPayload {
    string payload_base64 = 1;
}

const response = await client.GenerateTransformKey({
  to_pubkey_base64: recipientPublicKey,
  from_privkey_base64: senderPrivateKey,
});
// Returns: { payload_base64: "..." }

4. Transform Ciphertext

Transforms (re-encrypts) a ciphertext using a transform key.

rpc Transform(TransformRequest) returns (EncodedPayload);

message TransformRequest {
    string cipher_base64 = 1;
    string transformkey_base64 = 2;
}

const response = await client.Transform({
  cipher_base64: encryptedData,
  transformkey_base64: transformKey,
});
// Returns: { payload_base64: "..." }

5. Decrypt Data

Decrypts a ciphertext using a private key.

Avoid using this gRPC endpoint in production environments to avoid private key exposure.

rpc Decrypt(DecryptRequest) returns (EncodedPayload);

message DecryptRequest {
    string cipher_base64 = 1;
    string privkey_base64 = 2;
    float length = 3;
}

const response = await client.Decrypt({
  cipher_base64: transformedData,
  privkey_base64: recipwwientPrivateKey,
  length: originalLength,
});
// Returns: { payload_base64: "..." }

Best Practices

  1. Security

    • Secure private key storage
    • Validate public keys
    • Implement proper key rotation

  2. Connection Management

    • Reuse client instances
    • Implement connection pooling
    • Handle reconnection gracefully

  3. Error Handling

    • Implement retries with backoff
    • Use backup nodes when primary is unavailable
    • Validate inputs before sending

  4. Performance

    • Batch operations when possible
    • Cache transform keys
    • Monitor response times

Rate Limits

EnvironmentRequests/SecondBurst Limit
Production100200
Testnet50100

Monitoring

Service status can be monitored at https://status.gateway.tech/pre

BenchmarksExamples