Integrated Encryption Scheme (IES) is a

hybrid encryption In cryptography, a hybrid cryptosystem is one which combines the convenience of a public-key cryptosystem with the efficiency of a symmetric-key cryptosystem. Public-key cryptosystems are convenient in that they do not require the sender and receiv ...

scheme which provides

semantic security In cryptography, a semantically secure cryptosystem is one where only negligible information about the plaintext can be feasibly extracted from the ciphertext. Specifically, any probabilistic, polynomial-time algorithm (PPTA) that is given the cip ...

against an

adversary An adversary is generally considered to be a person, group, or force that opposes and/or attacks. Adversary may also refer to: * Satan ("adversary" in Hebrew), in Judeo-Christian religion Entertainment Fiction * Adversary (comics), villain fro ...

who is able to use chosen-plaintext or chosen-ciphertext attacks. The security of the scheme is based on the computational

Diffie–Hellman problem The Diffie–Hellman problem (DHP) is a mathematical problem first proposed by Whitfield Diffie and Martin Hellman in the context of cryptography. The motivation for this problem is that many security systems use one-way functions: mathematical op ...

.
Two variants of IES are specified:

Discrete Logarithm In mathematics, for given real numbers ''a'' and ''b'', the logarithm log''b'' ''a'' is a number ''x'' such that . Analogously, in any group ''G'', powers ''b'k'' can be defined for all integers ''k'', and the discrete logarithm log''b ...

Integrated Encryption Scheme (DLIES) and

Elliptic Curve In mathematics, an elliptic curve is a smooth, projective, algebraic curve of genus one, on which there is a specified point . An elliptic curve is defined over a field and describes points in , the Cartesian product of with itself. I ...

Integrated Encryption Scheme (ECIES), which is also known as the Elliptic Curve Augmented Encryption Scheme or simply the Elliptic Curve Encryption Scheme. These two variants are identical up to the change of an underlying group.

Informal description of DLIES

As a ''brief and informal'' description and overview of how IES works, a Discrete Logarithm Integrated Encryption Scheme (DLIES) is used, focusing on illuminating the reader's understanding, rather than precise technical details. #

Alice Alice may refer to: * Alice (name), most often a feminine given name, but also used as a surname Literature * Alice (''Alice's Adventures in Wonderland''), a character in books by Lewis Carroll * ''Alice'' series, children's and teen books by ...

learns Bob's public key

g^x

through a public key infrastructure or some other distribution method.
Bob knows his own private key

x

. # Alice generates a fresh, ephemeral value

y

, and its associated public value

g^y

. # Alice then computes a symmetric key

k

using this information and a

key derivation function In cryptography, a key derivation function (KDF) is a cryptographic algorithm that derives one or more secret keys from a secret value such as a master key, a password, or a passphrase using a pseudorandom function (which typically uses a cry ...

(KDF) as follows:

k = \textrm(g^)

# Alice computes her ciphertext

c

from her actual message

m

(by symmetric encryption of

m

) encrypted with the key

k

(using an authenticated encryption scheme) as follows:

c = E(k; m)

# Alice transmits (in a single message) both the public ephemeral

g^y

and the ciphertext

c

. # Bob, knowing

x

and

g^y

, can now compute

k = \textrm(g^)

and decrypt

m

from

c

. Note that the scheme does not provide Bob with any assurance as to who really sent the message: This scheme does nothing to stop anyone from pretending to be Alice.

Formal description of ECIES

Required information

To send an encrypted message to Bob using ECIES, Alice needs the following information: * The cryptography suite to be used, including a

(e.g., ''ANSI-X9.63-KDF with SHA-1 option''), a

message authentication code In cryptography, a message authentication code (MAC), sometimes known as a ''tag'', is a short piece of information used for authenticating a message. In other words, to confirm that the message came from the stated sender (its authenticity) and ...

(e.g., ''HMAC-SHA-1-160 with 160-bit keys'' or ''HMAC-SHA-1-80 with 80-bit keys'') and a symmetric encryption scheme (e.g., ''

TDEA In cryptography, Triple DES (3DES or TDES), officially the Triple Data Encryption Algorithm (TDEA or Triple DEA), is a symmetric-key block cipher, which applies the DES cipher algorithm three times to each data block. The Data Encryption Stand ...

in CBC mode'' or ''XOR encryption scheme'') — noted

E

. * The elliptic curve domain parameters:

(p,a,b,G,n,h)

for a curve over a prime field or

(m,f(x),a,b,G,n,h)

for a curve over a binary field. * Bob's public key

K_B

, which Bob generates it as follows:

K_B = k_B G

, where

k_B \in

, n-1 The comma is a punctuation mark that appears in several variants in different languages. It has the same shape as an apostrophe or single closing quotation mark () in many typefaces, but it differs from them in being placed on the baseline ...

/math> is the private key he chooses at random. * Some optional shared information:

S_1

and

S_2

O

which denotes the

point at infinity In geometry, a point at infinity or ideal point is an idealized limiting point at the "end" of each line. In the case of an affine plane (including the Euclidean plane), there is one ideal point for each pencil of parallel lines of the plane. ...

Encryption

To encrypt a message

m

Alice does the following: # generates a random number

r \in

/math> and calculates

R = r G

# derives a shared secret:

S = P_x

, where

P = (P_x, P_y) = r K_B

(and

P \ne O

) # uses a KDF to derive symmetric encryption keys and MAC keys:

k_E \,  k_M = \textrm(S\, S_1)

# encrypts the message:

c = E(k_E; m)

# computes the tag of encrypted message and

S_2

d = \textrm(k_M; c \,  S_2)

# outputs

R \,  c \,  d

Decryption

To decrypt the ciphertext

R \,  c \,  d

Bob does the following: # derives the shared secret:

S = P_x

, where

P = (P_x, P_y) = k_B R

(it is the same as the one Alice derived because

P = k_B R = k_B r G = r k_B G = r K_B

), or outputs ''failed'' if

P=O

# derives keys the same way as Alice did:

k_E \,  k_M = \textrm(S\, S_1)

# uses MAC to check the tag and outputs ''failed'' if

d \ne \textrm(k_M; c \,  S_2)

# uses symmetric encryption scheme to decrypt the message

m = E^(k_E; c)

References

SECG In cryptography, the Standards for Efficient Cryptography Group (SECG) is an international consortium founded by Certicom in 1998. The group exists to develop commercial standards for efficient and interoperable cryptography based on elliptic curve ...

Standards for efficient cryptography, SEC 1: Elliptic Curve Cryptography
Version 2.0, May 21, 2009. * Gayoso Martínez, Hernández Encinas, Sánchez Ávila:
A Survey of the Elliptic Curve Integrated Encryption Scheme
', Journal of Computer Science and Engineering, 2, 2 (2010), 7–13. * Ladar Levison
Code for using ECIES to protect data (ECC + AES + SHA)
openssl-devel mailing list, August 6, 2010. * IEEE 1363a (non-public standard) specifies DLIES and ECIES * ANSI X9.63 (non-public standard) * ISO/IEC 18033-2 (non-public standard) * Victor Shoup
A proposal for an ISO standard for public key encryption
Version 2.1, December 20, 2001. * Abdalla, Michel and Bellare, Mihir and Rogaway, Phillip
DHIES: An Encryption Scheme Based on the Diffie–Hellman Problem
IACR Cryptology ePrint Archive, 1999. {{Cryptography navbox, public-key Cryptographic protocols