I know that RSA can be used for both, encryption and signature. What about EC? I know about ECDSA/EdDSA, but to my knowledge it can only be used to sign. I also know about ECDH, but it is a key agreement protocol. Is there some elliptic curve based public key encryption algorithm?
Asked
Active
Viewed 8,308 times
2 Answers
15
Yes, there is an elliptic curve-based public key encryption
Let $a$ be Alice's private key and $P=[a]G$ be her public key. Bob, who wants to send an encrypted message to Alice, does the following :
- Bob chooses a random number $r$, $1\leq r\leq n-1$ and computes $[r]G$
- Bob then computes $M+[r]P$. Here the message $M$ (a binary string) has been represented as a point in $\langle G\rangle$
- Bob sends the encrypted text pair $\langle [r]G,M+[r]P\rangle$ to Alice
On receiving this encrypted text Alice decrypts in the following manner
- Alice extracts $[r]G$ and computes $a\cdot([r]G)=r\cdot([a]G)=[r]P$
- Alice extracts the second part of the pair $M+[r]P$ and subtracts out $[r]P$ to obtain $M+[r]P-[r]P=M$
There is a drawback in this as a block of plaintext has to be converted to a point before being encrypted, denoted by $M$ above. After the decryption, it has to be reconverted to plain text.
Note: $[r]P$ is the scalar multiplication i.e. add $P$ itself $r$-times.
13
You can lookup ECIES which is the Integrated Encryption Scheme used with Elliptic Curve cryptography.
It it's based on DH calculations. This means that it requires a symmetric cipher. Basically you must use a hybrid cryptosystem. So it cannot directly encrypt plaintext as possible in RSA-PKCS#1 v1.5 or OAEP. It also means that it has some overhead (which is largely negated by the small key size, of course).
Basically IES turns any DH problem into an encryption scheme. You would still need to choose the key derivation function, cipher and mode of encryption. To my knowledge there isn't such a thing as fully standardized IES.
Maarten Bodewes
- 96,351
- 14
- 169
- 323