Required information To send an encrypted message to Bob using ECIES, Alice needs the following information: • The cryptography suite to be used, including a
key derivation function (e.g.,
ANSI-X9.63-KDF with SHA-1 option), a
message authentication code system (e.g.,
HMAC-SHA-1-160 with 160-bit keys or
HMAC-SHA-1-80 with 80-bit keys) and a
symmetric encryption scheme (e.g.,
TDEA in CBC mode or
XOR encryption scheme) — noted E. • The elliptic curve domain parameters: (p,a,b,G,n,h) for a curve over a prime field or (m,f(x),a,b,G,n,h) for a curve over a binary field. • Bob's public key K_B, which Bob generates it as follows: K_B = k_B G, where k_B \in [1, n-1] is the private key he chooses at random. • Some optional shared information: S_1 and S_2 • O which denotes the
point at infinity.
Encryption To encrypt a message m Alice does the following: • generates a random number r \in [1, n-1] and calculates R = r G • derives a shared secret: S = P_x, where P = (P_x, P_y) = r K_B (and P \ne O) • uses a
KDF to derive symmetric encryption keys and
MAC keys: k_E \| k_M = \textrm{KDF}(S\|S_1) • encrypts the message: c = E(k_E; m) • computes the tag of encrypted message and S_2: d = \textrm{MAC}(k_M; c \| S_2) • outputs R \| c \| d
Decryption To decrypt the ciphertext R \| c \| d Bob does the following: • derives the shared secret: S = P_x, where P = (P_x, P_y) = k_B R (it is the same as the one Alice derived because P = k_B R = k_B r G = r k_B G = r K_B), or outputs
failed if P=O • derives keys the same way as Alice did: k_E \| k_M = \textrm{KDF}(S\|S_1) • uses
MAC to check the tag and outputs
failed if d \ne \textrm{MAC}(k_M; c \| S_2) • uses symmetric encryption scheme to decrypt the message m = E^{-1}(k_E; c) ==References==