TZDC prevents catastrophic data breaches by ensuring stolen data automatically becomes useless through:
- Temporal Encryption: Time-bound keys that automatically expire, making data permanently inaccessible after configurable windows
- Cryptographic Sharding: Data fragmentation using Shamir's Secret Sharing where individual shards are meaningless in isolation
- Zero-Knowledge Proofs: Verify data properties without revealing the underlying data
Traditional encryption has a critical weakness: if an attacker steals encrypted data and eventually obtains the key, all historical data becomes compromised. TZDC solves this by:
- β Automatic Breach Mitigation: Data self-destructs after expirationβno manual intervention needed
- β Zero Single Point of Failure: Sharding eliminates centralized vulnerability
- β Privacy-Preserving AI: Train ML models on sensitive data with automatic post-training deletion
- β Compliance-Ready: Built for GDPR, HIPAA, PCI-DSS requirements
git clone https://github.com/jayeshthk/TZDC.git
cd TZDC
#create a virtual env
python -m venv venv
source venv/bin/activate # On Windows: venv\Scripts\activate
Requirements: Python 3.10+
from tzdc import TZDCClient, TimeWindow
# Initialize client with 1-hour expiration
client = TZDCClient(time_window=TimeWindow.HOUR_1)
# Encrypt sensitive data
sensitive_data = b"Patient medical records: diabetes diagnosis"
shards = client.encrypt_and_shard(
data=sensitive_data,
resource_id="patient_12345",
total_shards=5,
threshold=3 # Any 3 shards can reconstruct
)
# Store shards separately (e.g., different servers/regions)
for i, shard in enumerate(shards):
client.storage.store(f"shard_{i}", serialize_shard(shard))
# Later: Reconstruct with any 3 shards
retrieved_shards = [deserialize_shard(client.storage.retrieve(f"shard_{i}"))
for i in range(3)]
original_data = client.reconstruct_and_decrypt(retrieved_shards)
# After 1 hour: Data becomes permanently inaccessible!from tzdc import TZDCClient, TimeWindow
from datetime import datetime, timedelta
client = TZDCClient(time_window=TimeWindow.HOURS_24)
# Protect training data with 24-hour expiration
training_data = load_sensitive_dataset()
shards = client.encrypt_and_shard(
data=training_data,
resource_id="ml_batch_001",
total_shards=3,
threshold=2,
custom_expiry=datetime.utcnow() + timedelta(hours=24)
)
# Distribute shards to training nodes
for i, shard in enumerate(shards):
send_to_training_node(node_id=i, shard=shard)
# After training completes, data is permanently deleted
# No manual cleanup neededβbuilt-in temporal expirationfrom tzdc import TZDCClient, TimeWindow
client = TZDCClient(time_window=TimeWindow.HOURS_24)
# Temporary specialist access to patient records
patient_data = b"Patient: John Doe, Diagnosis: Diabetes Type 2"
# Create zero-knowledge commitment for audit trail
commitment, salt = client.create_commitment(
patient_data,
resource_id="patient_12345"
)
# Encrypt with automatic expiration
shards = client.encrypt_and_shard(
patient_data,
resource_id="patient_12345",
total_shards=5,
threshold=3
)
# Specialist accesses data (requires 3 of 5 shards)
# After 24 hours, access automatically revokesfrom tzdc import TZDCClient, TimeWindow
client = TZDCClient(
time_window=TimeWindow.DAYS_7,
enable_audit_log=True,
audit_log_path="financial_audit.log"
)
# Process transaction with 7-day retention
transaction = b"Transaction: $10,000 from Account A to Account B"
shards = client.encrypt_and_shard(
transaction,
resource_id="txn_001",
total_shards=5,
threshold=3
)
# Store in distributed ledger
keys = client.store_shards(shards, prefix="txn")
# Auditor can access within 7 days
# After 7 days: automatic deletion per compliance policy
# View immutable audit trail
logs = client.get_audit_logs(resource_id="txn_001")βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β TZDCClient β
β High-level API for encryption, sharding, and ZK proofs β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βββββββββββββββββββββββΌββββββββββββββββββββββ
β β β
βββββββββΌβββββββββββ ββββββββΌββββββββββ βββββββββΌβββββββββββ
β TemporalKey β β ShardManager β β ZeroKnowledge β
β Manager β β β β Prover β
β β β Shamir's β β β
β HKDF-SHA256 β β Secret β β Commitments & β
β PBKDF2 β β Sharing β β Range Proofs β
β Auto-expiration β β (K-of-N) β β β
ββββββββββββββββββββ ββββββββββββββββββ ββββββββββββββββββββ
β β β
βββββββββββββββββββββββΌββββββββββββββββββββββ
β
βββββββββββΌββββββββββ
β EncryptionEngine β
β AES-256-GCM β
β ChaCha20-Poly1305 β
βββββββββββββββββββββ
β
βββββββββββΌββββββββββ
β StorageAdapter β
β Filesystem / S3 β
β Redis / PostgreSQLβ
βββββββββββββββββββββ
-
Encryption Phase:
Raw Data β Temporal Key Generation β AES-256-GCM Encryption β Shamir's Secret Sharing β N Shards β Distributed Storage -
Decryption Phase:
Retrieve K Shards β Lagrange Interpolation β Reconstruct Encrypted Data β Temporal Key Validation β AES-256-GCM Decryption β Original Data -
Expiration:
Time Window Expires β Temporal Key Becomes Invalid β Decryption Permanently Fails β Data Protection Guaranteed
- HKDF-SHA256: Cryptographically secure key derivation
- PBKDF2: Key stretching with 100,000 iterations
- Time-slotted keys: Automatic rotation and invalidation
- No key storage: Keys regenerated deterministically from master secret
- Shamir's Secret Sharing: Information-theoretic security
- Threshold scheme: K-of-N reconstruction (e.g., 3-of-5)
- Individual shard encryption: Each shard encrypted with unique temporal key
- Checksum validation: SHA-256 checksums prevent corruption
- AES-256-GCM: Industry-standard authenticated encryption
- ChaCha20-Poly1305: Alternative high-performance cipher
- Automatic nonce generation: 96-bit cryptographically secure nonces
- Tampering detection: Authentication tags prevent modification
- Hash commitments: SHA-256 based commitments
- Range proofs: Prove value within range without revealing value
- Membership proofs: Prove element in set without revealing element
- Audit trails: Verify operations without exposing data
Main high-level interface for all TZDC operations.
class TZDCClient:
def __init__(
self,
master_secret: Optional[bytes] = None,
time_window: Union[TimeWindow, int] = TimeWindow.HOUR_1,
storage_adapter: Optional[StorageAdapter] = None,
cipher_type: CipherType = CipherType.AES_256_GCM,
enable_audit_log: bool = True,
audit_log_path: Optional[Path] = None
)encrypt_and_shard(data, resource_id, total_shards=5, threshold=3, context="default", custom_expiry=None)
Encrypt data with temporal key and split into cryptographic shards.
- Returns:
List[Shard] - Raises:
EncryptionError,ValueError
reconstruct_and_decrypt(shards, context="default")
Reconstruct data from shards and decrypt using temporal key.
- Returns:
bytes(original data) - Raises:
KeyExpiredError,InsufficientShardsError,DecryptionError
encrypt_with_temporal_key(data, context="default", custom_expiry=None)
Simple encryption without sharding.
- Returns:
Tuple[bytes, bytes, TemporalKey](ciphertext, nonce, key)
create_commitment(data, resource_id)
Create zero-knowledge commitment.
- Returns:
Tuple[Commitment, bytes](commitment, salt)
verify_commitment(commitment, data, salt, resource_id)
Verify data against commitment.
- Returns:
bool
Predefined time windows for key expiration:
TimeWindow.SECONDS_30 # 30 seconds
TimeWindow.MINUTES_5 # 5 minutes
TimeWindow.MINUTES_15 # 15 minutes
TimeWindow.HOUR_1 # 1 hour
TimeWindow.HOURS_24 # 24 hours
TimeWindow.DAYS_7 # 7 days
TimeWindow.DAYS_30 # 30 daysfrom tzdc import LocalFileSystemAdapter
adapter = LocalFileSystemAdapter(base_path="./tzdc_storage")from tzdc import StorageAdapter
class MyStorageAdapter(StorageAdapter):
def store(self, key: str, data: bytes) -> bool:
# Implementation
pass
def retrieve(self, key: str) -> Optional[bytes]:
# Implementation
pass
def delete(self, key: str) -> bool:
# Implementation
pass
def list_keys(self, prefix: str = "") -> List[str]:
# Implementation
passfrom tzdc import TZDCClient
# Custom time window (2 hours = 7200 seconds)
client = TZDCClient(time_window=7200)
# Or use timedelta for custom expiry
from datetime import datetime, timedelta
custom_expiry = datetime.utcnow() + timedelta(days=3, hours=6)
shards = client.encrypt_and_shard(
data=data,
resource_id="resource_001",
custom_expiry=custom_expiry
)from tzdc import TZDCClient
with TZDCClient(time_window=3600) as client:
shards = client.encrypt_and_shard(data, "resource_001")
# Automatic cleanup on exit# Coming in v1.1.0
import asyncio
from tzdc import AsyncTZDCClient
async def process_data():
client = AsyncTZDCClient()
shards = await client.encrypt_and_shard_async(data, "resource_001")
return shardsfrom tzdc import TZDCClient
# S3 Storage
from tzdc.storage import S3StorageAdapter
s3_adapter = S3StorageAdapter(bucket="my-tzdc-bucket")
client = TZDCClient(storage_adapter=s3_adapter)
# Redis Storage
from tzdc.storage import RedisStorageAdapter
redis_adapter = RedisStorageAdapter(host="localhost", port=6379)
client = TZDCClient(storage_adapter=redis_adapter)from tzdc import TZDCClient
client = TZDCClient()
# Encrypt multiple items
datasets = [
(b"data1", "resource_001"),
(b"data2", "resource_002"),
(b"data3", "resource_003"),
]
all_shards = []
for data, resource_id in datasets:
shards = client.encrypt_and_shard(data, resource_id)
all_shards.append((resource_id, shards))from tzdc import TZDCClient
from datetime import datetime, timedelta
client = TZDCClient(enable_audit_log=True)
# Get all encryption operations
encrypt_logs = client.get_audit_logs(operation="encrypt_and_shard")
# Get logs for specific resource
resource_logs = client.get_audit_logs(resource_id="patient_12345")
# Export audit logs
client.audit_logger.export_to_json("audit_export.json")
# Time-based filtering
start_time = datetime.utcnow() - timedelta(hours=24)
recent_logs = client.audit_logger.get_logs(start_time=start_time)python test_tzdc.py
Benchmarks on standard hardware (Apple M3 chip with an 8-core CPU and up to a 10-core GPU):
| Operation | Data Size | Time | Throughput |
|---|---|---|---|
| Encryption (AES-256-GCM) | 1 MB | ~8 ms | 125 MB/s |
| Decryption (AES-256-GCM) | 1 MB | ~10 ms | 100 MB/s |
| Shard Generation (5 shards) | 1 MB | ~15 ms | - |
| Shard Reconstruction | 3 shards | ~12 ms | - |
| Key Generation | - | ~2 ms | - |
| ZK Commitment | 1 KB | ~1 ms | - |
Memory overhead: ~1.8x original data size during operations.
-
Master Secret Management
# Generate and securely store master secret from tzdc import generate_master_secret master_secret = generate_master_secret() # Store in secure key management system (HSM, KMS, etc.)
-
Time Window Selection
- Use shortest feasible window for your use case
- Healthcare: 24 hours - 7 days
- Financial: 7 days - 30 days
- ML Training: Match training duration + buffer
-
Shard Distribution
- Store shards in geographically separate locations
- Use different cloud providers for redundancy
- Never store threshold number of shards together
-
Audit Logging
- Always enable audit logging in production
- Regularly export and archive audit logs
- Monitor for unauthorized access attempts
- No Post-Quantum Cryptography: Current version uses classical cryptography
- Clock Synchronization: Requires accurate system clocks for temporal keys
- Key Derivation: Master secret compromise compromises all derived keys
- Timing Attacks: Not protected against advanced timing side-channel attacks
TZDC protects against:
- β Data breaches (stolen encrypted data becomes useless after expiration)
- β Insider threats (sharding prevents single-point compromise)
- β Long-term data exposure (automatic expiration)
- β Unauthorized reconstruction (requires threshold shards)
TZDC does NOT protect against:
- β Master secret compromise (protects future data, not past)
- β Real-time man-in-the-middle attacks
- β Physical hardware attacks
- β Social engineering
We welcome contributions! See CONTRIBUTING.md for guidelines.
# Development setup
git clone https://github.com/jayeshthk/TZDC.git
cd tzdc-python
python -m venv venv
source venv/bin/activate
pip install -r requirements.txt
# Run tests
python test_tzdc.py
MIT License - see LICENSE file for details.
- Shamir's Secret Sharing: Adi Shamir (1979)
- Cryptography Library: Python Cryptographic Authority
- Inspired by: Time-lock puzzles, zero-knowledge proof systems
- Shamir, A. (1979). "How to share a secret". Communications of the ACM.
- Boneh, D., & Naor, M. (2000). "Timed commitments". CRYPTO 2000.
- Goldwasser, S., Micali, S., & Rackoff, C. (1989). "The knowledge complexity of interactive proof systems".
- Documentation: Docs.md
- Issues: https://github.com/jayeshthk/TZDC.git/issues
- Discussions: https://github.com/jayeshthk/TZDC.git/discussions
- Email: jayesh@arkvien.com