http://debianws.lexgopc.com/wiki143/index.php?action=history&feed=atom&title=Integrated_Encryption_SchemeIntegrated Encryption Scheme - Revision history2026-05-05T18:53:14ZRevision history for this page on the wikiMediaWiki 1.43.1http://debianws.lexgopc.com/wiki143/index.php?title=Integrated_Encryption_Scheme&diff=2312928&oldid=previmported>LR.127: Adding local short description: "Hybrid encryption in cryptography", overriding Wikidata description "in cryptography, a public key cryptosystem"2024-11-28T17:32:30Z<p>Adding local <a href="https://en.wikipedia.org/wiki/Short_description" class="extiw" title="wikipedia:Short description">short description</a>: "Hybrid encryption in cryptography", overriding Wikidata description "in cryptography, a public key cryptosystem"</p>
<p><b>New page</b></p><div>{{Short description|Hybrid encryption in cryptography}}<br />
{{Multiple issues|<br />
{{Citation style|date=October 2017}}<br />
{{No footnotes|date=October 2017}}<br />
}}<br />
<br />
'''Integrated Encryption Scheme''' ('''IES''') is a [[hybrid encryption]] scheme which provides [[semantic security]] against an [[Adversary (cryptography)|adversary]] who is able to use [[Chosen-plaintext attack|chosen-plaintext]] or [[Chosen-ciphertext attack|chosen-ciphertext]] attacks. The security of the scheme is based on the computational [[Diffie–Hellman problem]].<br/><br />
Two variants of IES are specified: [[Discrete logarithm|Discrete Logarithm]] Integrated Encryption Scheme (DLIES) and [[Elliptic curve|Elliptic Curve]] Integrated Encryption Scheme (ECIES), which is also known as the Elliptic Curve Augmented Encryption Scheme or simply the Elliptic Curve Encryption Scheme. These two variants are identical up to the change of an underlying group{{clarify|date=August 2021}}.<br />
<br />
==Informal description of DLIES==<br />
As a ''brief and informal'' description and overview of how IES works, a Discrete Logarithm Integrated Encryption Scheme (DLIES) is used, focusing on illuminating the reader's understanding, rather than precise technical details.<br />
<br />
# [[Alice and Bob|Alice]] learns [[Alice and Bob|Bob's]] public key <math>g^x</math> through a public key infrastructure or some other distribution method.<br/>Bob knows his own private key <math>x</math>.<br />
# Alice generates a fresh, ephemeral value <math>y</math>, and its associated public value <math>g^y</math>.<br />
# Alice then computes a symmetric key <math>k</math> using this information and a [[key derivation function]] (KDF) as follows: <math>k = \textrm{KDF}(g^{xy})</math><br />
# Alice computes her ciphertext <math>c</math> from her actual message <math>m</math> (by symmetric encryption of <math>m</math>) encrypted with the key <math>k</math> (using an [[Authenticated_encryption|authenticated encryption scheme]]) as follows: <math>c = E(k; m)</math><br />
# Alice transmits (in a single message) both the public ephemeral <math>g^y</math> and the ciphertext <math>c</math>.<br />
# Bob, knowing <math>x</math> and <math>g^y</math>, can now compute <math>k = \textrm{KDF}(g^{xy})</math> and decrypt <math>m</math> from <math>c</math>.<br />
<br />
Note that the scheme does not provide Bob with any assurance as to who really sent the message: This scheme does nothing to stop anyone from pretending to be Alice.<br />
<br />
==Formal description of ECIES==<br />
===Required information===<br />
To send an encrypted message to Bob using ECIES, Alice needs the following information:<br />
* The cryptography suite to be used, including a [[key derivation function]] (e.g., ''ANSI-X9.63-KDF with SHA-1 option''), a [[message authentication code|message authentication code system]] (e.g., ''HMAC-SHA-1-160 with 160-bit keys'' or ''HMAC-SHA-1-80 with 80-bit keys'') and a [[symmetric-key algorithm|symmetric encryption scheme]] (e.g., ''[[TDEA]] in [[cipher block chaining|CBC]] mode'' or ''XOR encryption scheme'') — noted <math>E</math>.<br />
* The elliptic curve domain parameters: <math>(p,a,b,G,n,h)</math> for a curve over a prime field or <math>(m,f(x),a,b,G,n,h)</math> for a curve over a binary field.<br />
* Bob's public key <math>K_B</math>, which Bob generates it as follows: <math>K_B = k_B G</math>, where <math>k_B \in [1, n-1]</math> is the private key he chooses at random.<br />
* Some optional shared information: <math>S_1</math> and <math>S_2</math><br />
* <math>O</math> which denotes the [[Elliptic curve#The group law|point at infinity]].<br />
<br />
===Encryption===<br />
To encrypt a message <math>m</math> Alice does the following:<br />
# generates a random number <math>r \in [1, n-1]</math> and calculates <math>R = r G</math><br />
# derives a shared secret: <math>S = P_x</math>, where <math>P = (P_x, P_y) = r K_B</math> (and <math>P \ne O</math>)<br />
# uses a [[Key derivation function|KDF]] to derive symmetric encryption keys and [[Message authentication code|MAC]] keys: <math>k_E \| k_M = \textrm{KDF}(S\|S_1)</math><br />
# encrypts the message: <math>c = E(k_E; m)</math><br />
# computes the tag of encrypted message and <math>S_2</math>: <math>d = \textrm{MAC}(k_M; c \| S_2)</math><br />
# outputs <math>R \| c \| d</math><br />
<br />
===Decryption===<br />
To decrypt the ciphertext <math>R \| c \| d</math> Bob does the following:<br />
# derives the shared secret: <math>S = P_x</math>, where <math>P = (P_x, P_y) = k_B R</math> (it is the same as the one Alice derived because <math>P = k_B R = k_B r G = r k_B G = r K_B</math>), or outputs ''failed'' if <math>P=O</math><br />
# derives keys the same way as Alice did: <math>k_E \| k_M = \textrm{KDF}(S\|S_1)</math><br />
# uses [[Message authentication code|MAC]] to check the tag and outputs ''failed'' if <math>d \ne \textrm{MAC}(k_M; c \| S_2)</math><br />
# uses symmetric encryption scheme to decrypt the message <math>m = E^{-1}(k_E; c)</math><br />
<br />
==References==<br />
* [[SECG]], [http://www.secg.org/sec1-v2.pdf Standards for efficient cryptography, SEC 1: Elliptic Curve Cryptography], Version 2.0, May 21, 2009.<br />
* Gayoso Martínez, Hernández Encinas, Sánchez Ávila: ''[https://www.researchgate.net/publication/255970113_A_Survey_of_the_Elliptic_Curve_Integrated_Encryption_Scheme A Survey of the Elliptic Curve Integrated Encryption Scheme]'', Journal of Computer Science and Engineering, 2, 2 (2010), 7–13.<br />
* Ladar Levison: [http://article.gmane.org/gmane.comp.encryption.openssl.devel/17997/ Code for using ECIES to protect data (ECC + AES + SHA)], openssl-devel mailing list, August 6, 2010.<br />
* [[IEEE_P1363#Traditional_public-key_cryptography_(IEEE_Std_1363-2000_and_1363a-2004)|IEEE 1363a]] (non-public standard) specifies DLIES and ECIES<br />
* ANSI X9.63 (non-public standard)<br />
* ISO/IEC 18033-2 (non-public standard)<br />
* Victor Shoup, [http://www.shoup.net/papers/iso-2_1.pdf A proposal for an ISO standard for public key encryption], Version 2.1, December 20, 2001.<br />
* Abdalla, Michel and Bellare, Mihir and Rogaway, Phillip: [http://web.cs.ucdavis.edu/~rogaway/papers/dhies.pdf DHIES: An Encryption Scheme Based on the Diffie–Hellman Problem], IACR Cryptology ePrint Archive, 1999.<br />
<br />
{{Cryptography navbox|public-key}}<br />
<br />
[[Category:Cryptographic protocols]]</div>imported>LR.127