Integrated Encryption Scheme (IES) is a hybrid encryption scheme which provides

semantic security In cryptography, a semantically secure cryptosystem is one where only negligible information about the plaintext can be feasibly extracted from the ciphertext. Specifically, any probabilistic, polynomial-time algorithm (PPTA) that is given the cip ...

against an

adversary An adversary is generally considered to be a person, group, or force that opposes and/or attacks. Adversary may also refer to: * Satan ("adversary" in Hebrew), in Judeo-Christian religion Entertainment Fiction * Adversary (comics), villain fr ...

who is able to use chosen-plaintext or chosen-ciphertext attacks. The security of the scheme is based on the computational

Diffie–Hellman problem The Diffie–Hellman problem (DHP) is a mathematical problem first proposed by Whitfield Diffie and Martin Hellman in the context of cryptography. The motivation for this problem is that many security systems use one-way functions: mathematical ...

.
Two variants of IES are specified:

Discrete Logarithm In mathematics, for given real numbers ''a'' and ''b'', the logarithm log''b'' ''a'' is a number ''x'' such that . Analogously, in any group ''G'', powers ''b'k'' can be defined for all integers ''k'', and the discrete logarithm log' ...

Integrated Encryption Scheme (DLIES) and

Elliptic Curve In mathematics, an elliptic curve is a smooth, projective, algebraic curve of genus one, on which there is a specified point . An elliptic curve is defined over a field and describes points in , the Cartesian product of with itself. If ...

Integrated Encryption Scheme (ECIES), which is also known as the Elliptic Curve Augmented Encryption Scheme or simply the Elliptic Curve Encryption Scheme. These two variants are identical up to the change of an underlying group.

Informal description of DLIES

As a ''brief and informal'' description and overview of how IES works, a Discrete Logarithm Integrated Encryption Scheme (DLIES) is used, focusing on illuminating the reader's understanding, rather than precise technical details. #

Alice Alice may refer to: * Alice (name), most often a feminine given name, but also used as a surname Literature * Alice (''Alice's Adventures in Wonderland''), a character in books by Lewis Carroll * ''Alice'' series, children's and teen books by ...

learns Bob's public key

g^x

through a public key infrastructure or some other distribution method.
Bob knows his own private key

x

. # Alice generates a fresh, ephemeral value

y

, and its associated public value

g^y

. # Alice then computes a symmetric key

k

using this information and a

key derivation function In cryptography, a key derivation function (KDF) is a cryptographic algorithm that derives one or more secret keys from a secret value such as a master key, a password, or a passphrase using a pseudorandom function (which typically uses a cryp ...

(KDF) as follows:

k = \textrm(g^)

# Alice computes her ciphertext

c

from her actual message

m

(by symmetric encryption of

m

) encrypted with the key

k

(using an authenticated encryption scheme) as follows:

c = E(k; m)

# Alice transmits (in a single message) both the public ephemeral

g^y

and the ciphertext

c

. # Bob, knowing

x

and

g^y

, can now compute

k = \textrm(g^)

and decrypt

m

from

c

. Note that the scheme does not provide Bob with any assurance as to who really sent the message: This scheme does nothing to stop anyone from pretending to be Alice.

Formal description of ECIES

Required information

To send an encrypted message to Bob using ECIES, Alice needs the following information: * The cryptography suite to be used, including a

(e.g., ''ANSI-X9.63-KDF with SHA-1 option''), a

message authentication code In cryptography, a message authentication code (MAC), sometimes known as a ''tag'', is a short piece of information used for authenticating a message. In other words, to confirm that the message came from the stated sender (its authenticity) and ...

(e.g., ''HMAC-SHA-1-160 with 160-bit keys'' or ''HMAC-SHA-1-80 with 80-bit keys'') and a symmetric encryption scheme (e.g., '' TDEA in CBC mode'' or ''XOR encryption scheme'') — noted

E

. * The elliptic curve domain parameters:

(p,a,b,G,n,h)

for a curve over a prime field or

(m,f(x),a,b,G,n,h)

for a curve over a binary field. * Bob's public key

K_B

, which Bob generates it as follows:

K_B = k_B G

, where

k_B \in, n-1 /math> is the private key he chooses at random.
* Some optional shared information: S_1 and S_2 * O which denotes the

point at infinity In geometry, a point at infinity or ideal point is an idealized limiting point at the "end" of each line. In the case of an affine plane (including the Euclidean plane), there is one ideal point for each pencil of parallel lines of the plane. A ...

Encryption

To encrypt a message

m

Alice does the following: # generates a random number

r \in, n-1 /math> and calculates R = r G # derives a shared secret: S = P_x, where P = (P_x, P_y) = r K_B (and P \ne O)
# uses a KDF to derive symmetric encryption keys and

MAC Mac or MAC most commonly refers to: * Mac (computer), a family of personal computers made by Apple Inc. * Mackintosh, a raincoat made of rubberized cloth * A variant of the word macaroni, mostly used in the name of the dish mac and cheese * Mac, ...

keys:

k_E \,  k_M = \textrm(S\, S_1)

# encrypts the message:

c = E(k_E; m)

# computes the tag of encrypted message and

S_2

d = \textrm(k_M; c \,  S_2)

# outputs

R \,  c \,  d

Decryption

To decrypt the ciphertext

R \,  c \,  d

Bob does the following: # derives the shared secret:

S = P_x

, where

P = (P_x, P_y) = k_B R

(it is the same as the one Alice derived because

P = k_B R = k_B r G = r k_B G = r K_B

), or outputs ''failed'' if

P=O

# derives keys the same way as Alice did:

k_E \,  k_M = \textrm(S\, S_1)

# uses

to check the tag and outputs ''failed'' if

d \ne \textrm(k_M; c \,  S_2)

# uses symmetric encryption scheme to decrypt the message

m = E^(k_E; c)

References

* SECG
Standards for efficient cryptography, SEC 1: Elliptic Curve Cryptography
Version 2.0, May 21, 2009. * Gayoso Martínez, Hernández Encinas, Sánchez Ávila:
A Survey of the Elliptic Curve Integrated Encryption Scheme
', Journal of Computer Science and Engineering, 2, 2 (2010), 7–13. * Ladar Levison
Code for using ECIES to protect data (ECC + AES + SHA)
openssl-devel mailing list, August 6, 2010. * IEEE 1363a (non-public standard) specifies DLIES and ECIES * ANSI X9.63 (non-public standard) * ISO/IEC 18033-2 (non-public standard) * Victor Shoup
A proposal for an ISO standard for public key encryption
Version 2.1, December 20, 2001. * Abdalla, Michel and Bellare, Mihir and Rogaway, Phillip
DHIES: An Encryption Scheme Based on the Diffie–Hellman Problem
IACR Cryptology ePrint Archive, 1999. {{Cryptography navbox, public-key Cryptographic protocols