fix: seed is part of store operation

Memo Ugurbil · Memo Ugurbil · commit fcfaee846f59 · 2025-04-01T14:25:29.000-05:00
diff --git a/src/nilql/nilql.py b/src/nilql/nilql.py
@@ -362,7 +362,7 @@ def generate(
 
         if (
             (not isinstance(operations, dict)) or
-            (not set(operations.keys()).issubset({'store', 'seed', 'match', 'sum'}))
+            (not set(operations.keys()).issubset({'store', 'match', 'sum'}))
         ):
             raise ValueError('valid operations specification is required')
 
@@ -393,14 +393,6 @@ def generate(
                 bytes.__new__(bcl.secret, _random_bytes(32, seed))
             )
 
-        if secret_key['operations'].get('seed'):
-            # Symmetric key for encrypting the plaintext or the shares of a plaintext.
-            secret_key['material'] = (
-                bcl.symmetric.secret()
-                if seed is None else
-                bytes.__new__(bcl.secret, _random_bytes(32, seed))
-            )
-
         if secret_key['operations'].get('match'):
             # Salt for deterministic hashing of the plaintext.
             secret_key['material'] = _random_bytes(64, seed)
@@ -743,41 +735,19 @@ def encrypt(
         shares = []
         aggregate = bytes(len(buffer))
         for _ in range(len(key['cluster']['nodes']) - 1):
-            mask = _random_bytes(len(buffer))
+            if len(buffer) >= 64:
+                seed = _random_bytes(64)
+                mask = _random_bytes(len(buffer), seed)
+                shares.append(optional_enc(seed))
+            else:
+                mask = _random_bytes(len(buffer))
+                shares.append(optional_enc(mask))
             aggregate = bytes(a ^ b for (a, b) in zip(aggregate, mask))
-            shares.append(optional_enc(mask))
         shares.append(optional_enc(
             bytes(a ^ b for (a, b) in zip(aggregate, buffer))
         ))
         return list(map(_pack, shares))
 
-    # Encrypt a plaintext for storage and retrieval.
-    if key['operations'].get('seed'):
-        # For single-node clusters, the data is encrypted using a symmetric key.
-        if len(key['cluster']['nodes']) == 1:
-            return _pack(
-                bcl.symmetric.encrypt(key['material'], bcl.plain(buffer))
-            )
-
-        # For multiple-node clusters, the ciphertext is secret-shared using XOR
-        # (with each share symmetrically encrypted in the case of a secret key).
-        optional_enc = (
-            (lambda s: bcl.symmetric.encrypt(key['material'], bcl.plain(s)))
-            if 'material' in key else
-            (lambda s: s)
-        )
-        seeds = []
-        aggregate = bytes(len(buffer))
-        for _ in range(len(key['cluster']['nodes']) - 1):
-            seed = _random_bytes(64)
-            seeds.append(optional_enc(seed))
-            mask = _random_bytes(len(buffer), seed)
-            aggregate = bytes(a ^ b for (a, b) in zip(aggregate, mask))
-        share = optional_enc(
-            bytes(a ^ b for (a, b) in zip(aggregate, buffer))
-        )
-        return list(map(_pack, seeds)) + [_pack(share)]
-
     # Encrypt (i.e., hash) a plaintext for matching.
     if key['operations'].get('match'):
         # The deterministic salted hash of the encoded plaintext is the ciphertext.
@@ -978,43 +948,11 @@ def decrypt(
             except Exception as exc:
                 raise error from exc
 
-        bytes_ = bytes(len(shares[0]))
-        for share_ in shares:
-            bytes_ = bytes(a ^ b for (a, b) in zip(bytes_, share_))
-
-        return _decode(bytes_)
-
-    # Decrypt a value that was encrypted for storage and retrieval.
-    if key['operations'].get('seed'):
-        # For single-node clusters, the plaintext is encrypted using a symmetric key.
-        if len(key['cluster']['nodes']) == 1:
-            try:
-                return _decode(
-                    bcl.symmetric.decrypt(
-                        key['material'],
-                        bcl.cipher(_unpack(ciphertext))
-                    )
-                )
-            except Exception as exc:
-                raise error from exc
-
-        # For multiple-node clusters, the ciphertext is secret-shared using XOR
-        # (with each share symmetrically encrypted in the case of a secret key).
-        shares = [_unpack(share) for share in ciphertext]
-        if 'material' in key:
-            try:
-                shares = [
-                    bcl.symmetric.decrypt(key['material'], bcl.cipher(share))
-                    for share in shares
-                ]
-            except Exception as exc:
-                raise error from exc
-
-        bytes_ = bytes(len(shares[-1]))
+        bytes_ = bytes(shares[-1])
         for share_ in shares[:-1]:
-            share_ = _random_bytes(len(bytes_), share_)
+            if len(bytes_) != len(share_):
+                share_ = _random_bytes(len(bytes_), share_)
             bytes_ = bytes(a ^ b for (a, b) in zip(bytes_, share_))
-        bytes_ = bytes(a ^ b for (a, b) in zip(bytes_, shares[-1]))
 
         return _decode(bytes_)
 
diff --git a/test/test_nilql.py b/test/test_nilql.py
@@ -313,15 +313,13 @@ def test_encrypt_decrypt_for_seed(self):
         """
         Test encryption and decryption for storing.
         """
-        for cluster in [{'nodes': [{}]}, {'nodes': [{}, {}, {}]}]:
-            sk = nilql.SecretKey.generate(cluster, {'seed': True})
-
-            plaintext = 123
-            decrypted = nilql.decrypt(sk, nilql.encrypt(sk, plaintext))
-            self.assertEqual(decrypted, plaintext)
+        for cluster in [{'nodes': [{}, {}, {}]}]:
+            sk = nilql.SecretKey.generate(cluster, {'store': True})
 
-            plaintext = 'abc'
-            decrypted = nilql.decrypt(sk, nilql.encrypt(sk, plaintext))
+            plaintext = "Bart Simpson is a fictional character in the American animated television series The Simpsons who is part of the Simpson family. Described as one of the 100 most important people of the 20th century by Time, Bart was created and designed by Matt Groening in James L. Brooks's office. Bart, alongside the rest of the family, debuted in the short 'Good Night' on The Tracey Ullman Show on April 19, 1987. Two years later, the family received their own series, which premiered on Fox on December 17, 1989. Born on April Fools' Day according to Groening, Bart is ten years old; he is the eldest child and only son of Homer and Marge Simpson, and has two sisters, Lisa and Maggie. Voiced by Nancy Cartwright (pictured), Bart is known for his mischievousness, rebelliousness, and disrespect for authority, as well as his prank calls to Moe, chalkboard gags in the opening sequence, and catchphrases. Bart is considered an iconic fictional television character of the 1990s and has been called an American cultural icon."
+            e = nilql.encrypt(sk, plaintext)
+            self.assertEqual((len(e[0]), len(e[1]), len(e[2])), (140, 140, 1408))
+            decrypted = nilql.decrypt(sk, e)
             self.assertEqual(decrypted, plaintext)
 
     def test_encrypt_for_match(self):
