ECIES - what symmetric cipher is being used? If none - why?
101 views
Skip to first unread message
Mobile Mouse
Nov 17, 2013, 11:05:47 AM11/17/13
to Crypto++ Mailing List
I’ve started writing interoperability tests (obviously data-wise only :) between Crypto++ and BouncyCastle (Java).
Looking at ECIES, I’ve stumbled upon a strange thing. Both http://en.wikipedia.org/wiki/Integrated_Encryption_Scheme and BouncyCastle define ECIES as a hybrid encryption scheme, and require use of both hash for MAC (i.e., SHA1) and symmetric cipher for the actual encryption (i.e., AES).
Crypto++ however does not seem to use either hash or symmetric cipher at all.
What gives? An old version incompatible with the current ECIES standard http://www.secg.org/download/aid-780/sec1-v2.pdf? Or am I missing anything?
I’d appreciate any help and/or guidance.
Thanks!
Jeffrey Walton
Dec 5, 2013, 2:23:49 AM12/5/13
to cryptop...@googlegroups.com
Hi Mouse,
From ecccrpyto.h, around line 250:
//! Elliptic Curve Integrated Encryption Scheme, AKA <a href="http://www.weidai.com/scan-mirror/ca.html#ECIES">ECIES</a>
/*! Default to (NoCofactorMultiplication and DHAES_MODE = false) for compatibilty with SEC1 and Crypto++ 4.2.
The combination of (IncompatibleCofactorMultiplication and DHAES_MODE = true) is recommended for best
efficiency and security. */
template <class EC, class COFACTOR_OPTION = NoCofactorMultiplication, bool DHAES_MODE = false>
struct ECIES
: public DL_ES<
DL_Keys_EC<EC>,
DL_KeyAgreementAlgorithm_DH<typename EC::Point, COFACTOR_OPTION>,
DL_KeyDerivationAlgorithm_P1363<typename EC::Point, DHAES_MODE, P1363_KDF2<SHA1> >,
DL_EncryptionAlgorithm_Xor<HMAC<SHA1>, DHAES_MODE>,
ECIES<EC> >
{
static std::string CRYPTOPP_API StaticAlgorithmName() {return "ECIES";} // TODO: fix this after name is standardized
};
In this case, SECG may not be the proper reference (its hard to tell sometimes). Alos, there's an interop bug between Crypto++ and Bouncy Castle, if I recall correctly. It has to do with the width of an integer (4 vs 8).
The cofactor can be 1, 2 or 4. I seem to recall a cofactor of 1 and DHAES = true has the best security properties.
Jeff
From ecccrpyto.h, around line 250:
//! Elliptic Curve Integrated Encryption Scheme, AKA <a href="http://www.weidai.com/scan-mirror/ca.html#ECIES">ECIES</a>
/*! Default to (NoCofactorMultiplication and DHAES_MODE = false) for compatibilty with SEC1 and Crypto++ 4.2.
The combination of (IncompatibleCofactorMultiplication and DHAES_MODE = true) is recommended for best
efficiency and security. */
template <class EC, class COFACTOR_OPTION = NoCofactorMultiplication, bool DHAES_MODE = false>
struct ECIES
: public DL_ES<
DL_Keys_EC<EC>,
DL_KeyAgreementAlgorithm_DH<typename EC::Point, COFACTOR_OPTION>,
DL_KeyDerivationAlgorithm_P1363<typename EC::Point, DHAES_MODE, P1363_KDF2<SHA1> >,
DL_EncryptionAlgorithm_Xor<HMAC<SHA1>, DHAES_MODE>,
ECIES<EC> >
{
static std::string CRYPTOPP_API StaticAlgorithmName() {return "ECIES";} // TODO: fix this after name is standardized
};
In this case, SECG may not be the proper reference (its hard to tell sometimes). Alos, there's an interop bug between Crypto++ and Bouncy Castle, if I recall correctly. It has to do with the width of an integer (4 vs 8).
The cofactor can be 1, 2 or 4. I seem to recall a cofactor of 1 and DHAES = true has the best security properties.
Jeff
Reply all
Reply to author
Forward
0 new messages