Cryptography Reference
In-Depth Information
with the following algorithms:
•
Gen
ECIES
.
Input
: The EC domain parameters
(
p
,
a
,
b
,
G
,
n
,
h
)
.
Output
:
(
d
,
Q
)
, where
d
∈[
1
,
n
−
1
]
is the private key and
Q
∈
E
(
F
p
)
is the
public key.
1.
Pick
a (pseudo-) random
d
←[
1
,
n
−
1
]
.
2.
Compute
Q
:=
dG
∈
E
(
F
p
)
.
3.
Output
(
d
,
Q
)
.
•
Enc
ECIES
.
Input
: The EC domain parameters, the key derivation function KDF, the message
authentication code MAC, the symmetric encryption and decryption functions, a
public key
Q
}
∗
.
∈
E
(
F
p
)
, and a message
m
∈{
0
,
1
Output
: A ciphertext
(
R
,
c
,
t
)
.
1.
Choose
k
←[
1
,
n
−
1
]
.
2.
Compute
R
:=
kG
∈
E
(
F
p
)
and
S
:=
hkQ
∈
E
(
F
p
)
.
If
S
=
O
then go
to
Step 1.
3.
Set
k
1
||
k
2
:=
KDF
(
R
,
S
)
(where
k
1
and
k
2
have some specified lengths).
4.
Compute
c
:=
E
k
1
(
m
)
and
t
:=
MAC
k
2
(
c
)
.
5.
Output
(
R
,
c
,
t
)
.
•
Dec
ECIES
.
Input
: The EC domain parameters, KDF, MAC, the symmetric encryption and
decryption functions, a private key
d
∈[
1
,
n
−
1
]
, and a ciphertext
(
R
,
c
,
t
)
.
Output
: The message
m
or an “Invalid ciphertext” message.
1.
S
:=
hd R
;
if
S
=
O
then output
“Invalid ciphertext”.
2.
k
1
||
k
2
:=
KDF
(
R
,
S
)
.
t
:=
;
if
t
=
3.
MAC
k
2
(
c
)
t
then output
“Invalid ciphertext”.
4.
m
:=
D
k
1
(
c
)
.
5.
Output
m
.
Remarks 11.3
1. If
(
R
,
c
,
t
)
is an encryption of the message
m
, then when decrypting we obtain
hkQ
. Thus the value of
S
computed by
the decryption algorithm is the same as that computed at encryption and hence
the computed values of
k
1
and
k
2
are also the same. Therefore, the output of
the decryption algorithm is
D
k
1
(
S
=
hd R
=
hd
(
kG
)
=
hk
(
dG
)
=
c
)
=
D
k
1
(
E
k
1
(
m
))
=
m
and the message
m
is
recovered.
2. ECIES is similar to a one-pass Diffie-Hellman key agreement in which one of
the parties uses a long-term key (the private key
d
) instead of an ephemeral one.
From
dG
and
k
, a shared secret
dkG
is computed as in the DH protocol, and
used to obtain a “shared secret point”
S
=
hkdG
which, in turn, is used to derive
the keys
k
1
and
k
2
.
