3. There are several variants regarding the inputs of the KDF function. In the simplest of them, KDF is applied only to the x-coordinate of the point S (together with the output length l if this length is not fixed). This is efficient but has the disadvantage of leading to a phenomenon called benign malleability, which means that an adversary is able to construct, given a ciphertext (R, c, t) corresponding to the message m, another valid ciphertext for m. In this case (−R, c, t) is also valid for m because, at decryption, the opposite point −S = hd(−R) is obtained instead of S. Since we are assuming that the output of KDF depends only on the x-coordinate of S, and x(−S) = x(S), the same values of k1 and k2 are obtained and m is recovered. Thus the scheme is malleable and since, as we have seen, CCA security implies non-malleability, this version of the scheme cannot be CCA secure: more directly, an adversary may ask for a decryption of (−R, c, t) to obtain a decryption of (R, c, t). The term “benign” refers to the fact that the definition of CCA security can be replaced by another one which admits this kind of malleability and yet is also useful because there are no known real-world attacks that are able to exploit benign malleability. This kind of malleability may be prevented by requiring that the KDF function takes as input the point S instead of its x-coordinate. This way, if R is replaced by −R, then the decryption algorithm replaces S by −S and the values of k1 and k2 which are obtained are different. Another possibility is to use, in addition to the x-coordinate x(S), the point R as input for KDF. It is clear that this suffices to prevent benign malleability. Of course, this is also the case when the two points, R and S, are used as inputs for KDF as, for simplicity, we assumed in the above description of the algorithm.
4. As indicated in Sect. 5.4, there is a generic construction that uses a MAC to produce a CCA secure encryption scheme from a CPA secure scheme. The idea is that, since the ciphertext is authenticated by a CMA secure MAC, an adversary will be unable to generate a valid ciphertext to query the decryption oracle unless the ciphertext has been obtained by querying the encryption oracle first—which is useless because in that case the adversary already knows the plaintext. In ECIES, the MAC is used as in this construction and with the same purpose.
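The following Python script is an added illustration of remarks 3 and 4 above and is not the book's code (nor a solution to the Maple exercise below): on a constructed toy curve it encrypts a message, forges (−R, c, t), and shows that decryption accepts the forgery when KDF sees only x(S) but the MAC rejects it when KDF takes both S and R. The curve y² = x³ + 2x + 3 over GF(97) with base point (3, 6), the cofactor h = 1, the XOR stream in place of AES and the SHA-512 hash in place of MGF1 are all assumptions made for the example.

```python
import hashlib, hmac, secrets
# Constructed toy curve y^2 = x^3 + A*x + B over GF(P) with base point G = (3, 6):
# illustration values only, not real ECIES domain parameters. None stands for O.
P, A, B, G = 97, 2, 3, (3, 6)
def ec_add(p1, p2):
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:        # p2 == -p1, so the sum is O
        return None
    lam = ((3 * x1 * x1 + A) * pow(2 * y1, -1, P) if p1 == p2
           else (y2 - y1) * pow((x2 - x1) % P, -1, P))
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):                              # double-and-add
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc
def neg(pt): return (pt[0], -pt[1] % P)         # the opposite point -pt
N = next(n for n in range(1, 200) if ec_mul(n, G) is None)   # order of G (Hasse: N < 118)

def kdf(S, R, x_only):
    # x(S) alone (benign malleability) versus both points S and R (the fix from remark 3)
    data = bytes([S[0]]) if x_only else bytes([S[0], S[1], R[0], R[1]])
    out = hashlib.sha512(data).digest()         # SHA-512 stands in for the book's MGF1
    return out[:32], out[32:]                   # k1 (stream key), k2 (MAC key)

def encrypt(Q, m, x_only, k):
    R, S = ec_mul(k, G), ec_mul(k, Q)           # cofactor h = 1 assumed; caller keeps S != O
    k1, k2 = kdf(S, R, x_only)
    c = bytes(a ^ b for a, b in zip(m, k1))     # XOR stream stands in for AES, |m| <= 32
    return R, c, hmac.new(k2, c, hashlib.sha256).digest()

def decrypt(d, ct, x_only):
    R, c, t = ct
    k1, k2 = kdf(ec_mul(d, R), R, x_only)       # S = hdR with h = 1
    if not hmac.compare_digest(t, hmac.new(k2, c, hashlib.sha256).digest()):
        return None                             # MAC rejects: not a valid ciphertext
    return bytes(a ^ b for a, b in zip(c, k1))

def malleability_demo(x_only, m=b"ecies benign"):
    # Encrypt m honestly, then submit (-R, c, t) for decryption: m comes back only if malleable.
    while True:                                 # avoid the rare cases S = O or y(R) = y(S) = 0
        d, k = [secrets.randbelow(N - 1) + 1 for _ in range(2)]
        Q, S = ec_mul(d, G), ec_mul(k * d, G)
        if S is not None and S[1] and ec_mul(k, G)[1]: break
    R, c, t = encrypt(Q, m, x_only, k)
    return decrypt(d, (neg(R), c, t), x_only)
```

Running malleability_demo(True) returns the original plaintext from the forged ciphertext, while malleability_demo(False) returns None because the MAC key derived from (−S, −R) no longer matches.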
We will leave writing a Maple implementation of ECIES as an exercise for the
industrious reader:
Exercise 11.29 Write an implementation of the ECIES algorithms using the EC
domain parameters of Example 11.25 (or some similar ones), the AES encryption
and decryption functions of Sect. 4.3 , the SHA-256-based HMAC function of Sect. 5.6
and the MGF1 function of Sect. 8.3.7 used as KDF.
11.4.4.1 The Security of ECIES
The previous remarks contain some information about security aspects of ECIES but
do not tell us whether the scheme is secure or not. In [1] it was proved that ECIES
is CCA secure assuming that a non-standard variant of the Diffie-Hellman problem