29

I've searched some information on ECC, but so far I have only found Diffie-Hellman key-exchange implementations using ECC, but I don't want to exchange keys, I want to encrypt & decrypt data like in ElGamal.

I know that ElGamal with elliptic curves should be possible (Since ElGamal is based on DH), but I have no idea how. So, could anyone tell me how to implement ElGamal using elliptic curves?

I think I do not need too much background information;

  1. What is the private, what is the public key?
  2. How to encrypt messages?
  3. How to decrypt messages?

should be enough.

tripleee
  • 127
  • 6
CriticalError
  • 393
  • 1
  • 3
  • 4

1 Answers1

40

Your answer is in the paper Elliptic curve cryptosystems from Neal Koblitz:

  • Set up an elliptic curve $E$ over a field $\mathbb{F}_q$ and a point $P$ of order $N$ just the same as for EC-DDH as system parameters.
  • You need a public known function $f : m \mapsto P_m$, which maps messages $m$ to points $P_m$ on $E$. It should be invertible, and one way is to use $m$ in the curve's equation as $x$ and calculate the according $y$.
  • Choose a secret key $x \in_R [1,N-1]$ randomly, publish the point $Y=x P$ as public key.
  • Encryption: choose random $k\in_R [1,N-1]$ , then calculate $C=kP$ and $C'=kY$ and calculate $P_m = f(m)$. The ciphertext is the tuple $(C, C'+P_m)$.
  • Decryption: From a ciphertext $(C,D)$ calculate $C' = xC$, and retrieve the point $P_m$ with $P_m = D-C' = (k(xP)+P_m)-(x(kP))$. Then calculate the message $m$ with $f^{-1}(P_m)$.
lovesh
  • 528
  • 2
  • 11
tylo
  • 12,864
  • 26
  • 40