According to Wikipedia the ECIES algorithm has two optional shared information $S_1$ and $S_2$. They are used as follows:
- Generate a random shared secret $Z$ according to ECIES, which will never be reused
- Derive symmetric keys $k_1|k_2=KDF(Z_x|S_1)$
- Encrypt the message $c=\text{ENCRYPT}_{k_1}(m)$
- Tag the encrypted message $t=\text{MAC}_{k_2}(c|S_2)$
Question 1: Assume:
- $S_1$ and $S_2$ are randomly generated for each message and send with it in plain text.
Whats the purpose of $S_1$ and $S_2$ in this case? Whats the use of $S_2$ if $S_1$ is set properly?
Question 2: Assume:
- $Z$ is not randomly generated for each message (e.g. using a static key pair)
- $S_1$ and $S_2$ are empty
Is this mode secure? Or should it be avoided?
Question 3: Assume:
- $Z$ is not randomly generated for each message (e.g. using a static key pair)
- $S_1$ is a unique endless counter and send with the message in plain text
What is the purpose of $S_2$? Is it less secure to not use $S_2$?
