{"id":35240072,"url":"https://github.com/jedisct1/zig-ipcrypt","last_synced_at":"2026-04-01T20:44:43.421Z","repository":{"id":288418350,"uuid":"968020994","full_name":"jedisct1/zig-ipcrypt","owner":"jedisct1","description":"A Zig implementation of the IP address encryption and obfuscation methods specified in the ipcrypt document.","archived":false,"fork":false,"pushed_at":"2025-09-10T15:41:22.000Z","size":22,"stargazers_count":4,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-10-29T05:54:31.139Z","etag":null,"topics":["address","encryption","ip","ipcipher","ipcrypt","ipcrypt2","obfuscation","zig","zig-package"],"latest_commit_sha":null,"homepage":"","language":"Zig","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jedisct1.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-04-17T11:25:00.000Z","updated_at":"2025-09-10T15:40:35.000Z","dependencies_parsed_at":"2025-04-18T01:51:49.575Z","dependency_job_id":"40ca2c0b-a737-4c63-99cd-fed4377a5898","html_url":"https://github.com/jedisct1/zig-ipcrypt","commit_stats":null,"previous_names":["jedisct1/zig-ipcrypt"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/jedisct1/zig-ipcrypt","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jedisct1%2Fzig-ipcrypt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jedisct1%2Fzig-ipcrypt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jedisct1%2Fzig-ipcrypt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jedisct1%2Fzig-ipcrypt/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jedisct1","download_url":"https://codeload.github.com/jedisct1/zig-ipcrypt/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jedisct1%2Fzig-ipcrypt/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31291785,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-01T13:12:26.723Z","status":"ssl_error","status_checked_at":"2026-04-01T13:12:25.102Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["address","encryption","ip","ipcipher","ipcrypt","ipcrypt2","obfuscation","zig","zig-package"],"created_at":"2025-12-30T04:55:23.032Z","updated_at":"2026-04-01T20:44:43.414Z","avatar_url":"https://github.com/jedisct1.png","language":"Zig","funding_links":[],"categories":[],"sub_categories":[],"readme":"# zig-ipcrypt\n\nA Zig implementation of the IP address encryption and obfuscation methods specified in the [ipcrypt document](https://datatracker.ietf.org/doc/draft-denis-ipcrypt/) (\"Methods for IP Address Encryption and Obfuscation\").\n\n## Overview\n\nThis library implements four variants of IP address encryption as specified in the ipcrypt draft:\n\n1. **Deterministic** (`Deterministic`): Format-preserving encryption using AES-128\n2. **Prefix-preserving** (`Pfx`): Maintains network prefix relationships using dual AES-128\n3. **Non-deterministic with KIASU-BC** (`Nd`): Uses an 8-byte tweak\n4. **Non-deterministic with AES-XTS** (`Ndx`): Uses a 16-byte tweak\n\n## Tradeoffs\n\nEach variant offers different tradeoffs between security, performance, and format preservation:\n\n### Deterministic\n\n- **Pros**:\n  - Format-preserving (output is a valid IP address)\n  - Smallest output size (16 bytes)\n  - Fastest performance (single AES-128 operation)\n- **Cons**:\n  - Reveals repeated inputs (same input always produces same output)\n  - No protection against correlation attacks\n  - Network structure is completely scrambled\n\n### Prefix-preserving (ipcrypt-pfx)\n\n- **Pros**:\n  - Preserves network prefix relationships (addresses from same subnet share encrypted prefix)\n  - Enables network-level analytics while protecting individual addresses\n  - Maintains native address sizes (4 bytes for IPv4, 16 bytes for IPv6)\n  - Deterministic (allows duplicate detection)\n- **Cons**:\n  - Reveals network structure (by design, for analytics)\n  - Slower than other deterministic methods (bit-by-bit processing)\n  - Requires 32-byte key (two AES-128 keys)\n  - Same input always produces same output\n\n### Non-deterministic with KIASU-BC\n\n- **Pros**:\n  - Resists correlation attacks (same input produces different outputs)\n  - Moderate output size (24 bytes)\n  - Good performance (AES-128 with tweak modification)\n- **Cons**:\n  - Not format-preserving\n  - 8-byte tweak has lower collision resistance than 16-byte tweak\n  - Birthday bound of 2^32 operations per (key,ip)\n\n### Non-deterministic with AES-XTS\n\n- **Pros**:\n  - Resists correlation attacks\n  - Highest collision resistance (16-byte tweak)\n  - Birthday bound of 2^64 operations per (key,ip)\n- **Cons**:\n  - Not format-preserving\n  - Largest output size (32 bytes)\n  - Requires two AES-128 keys\n  - Slightly slower performance (two sequential AES operations)\n\n## Key and Tweak Sizes\n\n| Variant       | Key Size                              | Tweak Size          | Output Size                                   |\n| ------------- | ------------------------------------- | ------------------- | --------------------------------------------- |\n| Deterministic | 16 bytes (128 bits)                   | None                | 16 bytes (format-preserving)                  |\n| Pfx           | 32 bytes (256 bits, two AES-128 keys) | None                | 4 bytes (IPv4) or 16 bytes (IPv6)             |\n| Nd            | 16 bytes (128 bits)                   | 8 bytes (64 bits)   | 24 bytes (8-byte tweak + 16-byte ciphertext)  |\n| Ndx           | 32 bytes (256 bits, two AES-128 keys) | 16 bytes (128 bits) | 32 bytes (16-byte tweak + 16-byte ciphertext) |\n\n## Usage\n\n### Deterministic Encryption\n\n```zig\nconst ipcrypt = @import(\"ipcrypt\");\n\n// Initialize with a 16-byte key\nconst key = [_]u8{0x2b} ** 16;\nconst deterministic = ipcrypt.Deterministic.init(key);\n\n// Convert IP address to Ip16 format\nconst ip = try ipcrypt.Ip16.fromString(\"192.0.2.1\");\n\n// Encrypt\nconst encrypted = deterministic.encrypt(ip);\n\n// Decrypt\nconst decrypted = deterministic.decrypt(encrypted);\n```\n\n### Prefix-Preserving Encryption\n\n```zig\nconst ipcrypt = @import(\"ipcrypt\");\n\n// Initialize with a 32-byte key (two AES-128 keys)\nconst key = [_]u8{0x01, 0x23, ...}; // 32 bytes, K1 != K2\nconst pfx = try ipcrypt.Pfx.init(key);\n\n// Convert IP address to Ip16 format\nconst ip = try ipcrypt.Ip16.fromString(\"10.0.0.47\");\n\n// Encrypt - preserves network prefix\nconst encrypted = pfx.encrypt(ip);\n// Result: IPs from same network share encrypted prefix\n\n// Decrypt\nconst decrypted = pfx.decrypt(encrypted);\n```\n\n### Non-deterministic Encryption (KIASU-BC)\n\n```zig\nconst ipcrypt = @import(\"ipcrypt\");\n\n// Initialize with a 16-byte key\nconst key = [_]u8{0x2b} ** 16;\nconst nd = ipcrypt.Nd.init(key);\n\n// Convert IP address to Ip16 format\nconst ip = try ipcrypt.Ip16.fromString(\"2001:db8::1\");\n\n// Encrypt with random tweak\nconst encrypted = nd.encrypt(ip);\n\n// Encrypt with specific tweak\nconst tweak = [_]u8{0x2b} ** 8;\nconst encrypted_with_tweak = nd.encryptWithTweak(ip, tweak);\n\n// Decrypt\nconst decrypted = nd.decrypt(encrypted);\n```\n\n### Non-deterministic Encryption (AES-XTS)\n\n```zig\nconst ipcrypt = @import(\"ipcrypt\");\n\n// Initialize with a 32-byte key\nconst key = [_]u8{0x2b} ** 32;\nconst ndx = ipcrypt.Ndx.init(key);\n\n// Convert IP address to Ip16 format\nconst ip = try ipcrypt.Ip16.fromString(\"2001:db8::1\");\n\n// Encrypt with random tweak\nconst encrypted = ndx.encrypt(ip);\n\n// Encrypt with specific tweak\nconst tweak = [_]u8{0x2b} ** 16;\nconst encrypted_with_tweak = ndx.encryptWithTweak(ip, tweak);\n\n// Decrypt\nconst decrypted = ndx.decrypt(encrypted);\n```\n\n## Building\n\nAdd this to your `build.zig.zon`:\n\n```zig\n.{\n    .name = \"ipcrypt\",\n    .url = \"https://github.com/yourusername/zig-ipcrypt/archive/refs/tags/v0.1.0.tar.gz\",\n    .hash = \"1220...\",\n}\n```\n\nThen in your `build.zig`:\n\n```zig\nconst ipcrypt = b.dependency(\"ipcrypt\", .{\n    .target = target,\n    .optimize = optimize,\n});\nexe.addModule(\"ipcrypt\", ipcrypt.module(\"ipcrypt\"));\n```\n\n## License\n\nISC License\n\n## References\n\n- [ipcrypt specification](https://github.com/jedisct1/draft-denis-ipcrypt)\n- [AES-128](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf)\n- [KIASU-BC](https://eprint.iacr.org/2014/831)\n- [AES-XTS](https://standards.ieee.org/ieee/1619/2041/)\n- [Sum of PRPs](https://link.springer.com/chapter/10.1007/3-540-45539-6_34) (Security basis for ipcrypt-pfx)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjedisct1%2Fzig-ipcrypt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjedisct1%2Fzig-ipcrypt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjedisct1%2Fzig-ipcrypt/lists"}