Security and Practical Considerations When Implementing the Elliptic Curve Integrated Encryption Scheme

The most popular encryption scheme based on elliptic curves is the Elliptic Curve Integrated Encryption Scheme (ECIES), which is included in ANSI X9.63, IEEE 1363a, ISO/IEC 18033-2, and SECG SEC 1. These standards offer many ECIES options, which are not always compatible with one another, making it difficult to decide which parameters and cryptographic elements to use in a specific deployment scenario. In this work, the authors show that a secure and practical implementation of ECIES can only be compatible with two of the four previously mentioned standards. They also provide the list of functions and options that must be used in such an implementation. Finally, they present the results obtained when testing this ECIES version implemented as a Java application, which allows them to offer some comments about the performance and feasibility of their proposed solution.
