ECIES = non interactive version of ECDH + KDF + AES + MAC

ECIES is a hybrid encryption scheme that combines elliptic curve cryptography (ECC) and symmetric encryption to ensure strong security and efficiency. It is commonly used for its compact key sizes and robust cryptographic properties.

System Parameters

  1. Elliptic Curve Parameters:

    • $G$: A group of prime order $ n $.
    • $ G $: The generator of the group.
  2. Key Derivation Function (KDF): Used to derive symmetric keys from shared secrets.
  3. Message Authentication Code (MAC): Ensures message integrity.
  4. Symmetric Encryption: Commonly AES in CTR mode.

Key Generation

  1. Private Key: Randomly select $ d \in [1, n-1] $.

  2. Public Key: Compute $ Q = d \cdot G $.

    • Private Key: $ d $.
    • Public Key: $ Q $.

Encryption Process

  1. Generate Ephemeral Key Pair:

    • Select a random number $ k \in [1, n-1] $.
    • Compute ephemeral public key $ R = k \cdot G $.

  2. Compute Shared Secret:

    • Compute $ Z = k \cdot Q $, where $ Q $ is the receiver’s public key.
    • Extract the x-coordinate of $ Z $, denoted as $ x_z $.

  3. Derive Symmetric Keys:

    • Use KDF to derive symmetric keys:

      $$ (k_1, k_2) = \text{KDF}(x_z, R) $$

  4. Encrypt the Plaintext:

    • Encrypt plaintext $ m $ using $ k_1 $ with a symmetric encryption scheme:

      $$ C = \text{Enc}_{k_1}(m) $$

  5. Compute Authentication Tag:

    • Compute MAC using $ k_2 $:

      $$ t = \text{MAC}_{k_2}(C) $$

  6. Construct the Ciphertext:

    • The final ciphertext is:

      $$ (R, C, t) $$

      where:

      • $ R $: Ephemeral public key.
      • $ C $: Encrypted message.
      • $ t $: Authentication tag for integrity.

Decryption Process

  1. Recompute Shared Secret:

    • Using private key $ d $, compute $ Z' = d \cdot R $.
    • Extract the x-coordinate $ x_z' $.

  2. Derive Symmetric Keys:

    • Use KDF to derive:

      $$ (k_1', k_2') = \text{KDF}(x_z', R) $$

  3. Verify Integrity:

    • Compute:

      $$ t' = \text{MAC}_{k_2'}(C) $$

    • Check if $ t' = t $. If not, reject the ciphertext.

  4. Decrypt the Ciphertext:

    • Decrypt $ C $ using $ k_1' $:

      $$ m = \text{Dec}_{k_1'}(C) $$

Derivation

$$ Z = k \cdot Q = kd \cdot G = d \cdot R = Z' $$

Key Security Features

  1. Confidentiality:

    • ECC ensures the shared secret $ Z $ is secure.
    • Symmetric encryption protects the plaintext.

  2. Integrity:

    • MAC ensures ciphertext $ C $ has not been altered.

  3. Forward Secrecy:

    • Ephemeral keys ensure that past communications remain secure even if private keys are compromised later.

Applications

  • Secure messaging.
  • Encrypted file storage.
  • Key exchange protocols in TLS/SSL.