Integrated Encryption Scheme Explained

Integrated Encryption Scheme (IES) is a hybrid encryption scheme which provides semantic security against an adversary who is able to use chosen-plaintext or chosen-ciphertext attacks. The security of the scheme is based on the computational Diffie–Hellman problem.
Two variants of IES are specified: Discrete Logarithm Integrated Encryption Scheme (DLIES) and Elliptic Curve Integrated Encryption Scheme (ECIES), which is also known as the Elliptic Curve Augmented Encryption Scheme or simply the Elliptic Curve Encryption Scheme. These two variants are identical up to the change of an underlying group.

Informal description of DLIES

As a brief and informal description and overview of how IES works, a Discrete Logarithm Integrated Encryption Scheme (DLIES) is used, focusing on illuminating the reader's understanding, rather than precise technical details.

  1. Alice learns Bob's public key

gx

through a public key infrastructure or some other distribution method.
Bob knows his own private key

x

.
  1. Alice generates a fresh, ephemeral value

y

, and its associated public value

gy

.
  1. Alice then computes a symmetric key

k

using this information and a key derivation function (KDF) as follows:

k=rm{KDF}(gxy)

  1. Alice computes her ciphertext

c

from her actual message

m

(by symmetric encryption of

m

) encrypted with the key

k

(using an authenticated encryption scheme) as follows:

c=E(k;m)

  1. Alice transmits (in a single message) both the public ephemeral

gy

and the ciphertext

c

.
  1. Bob, knowing

x

and

gy

, can now compute

k=rm{KDF}(gxy)

and decrypt

m

from

c

.

Note that the scheme does not provide Bob with any assurance as to who really sent the message: This scheme does nothing to stop anyone from pretending to be Alice.

Formal description of ECIES

Required information

To send an encrypted message to Bob using ECIES, Alice needs the following information:

E

.

(p,a,b,G,n,h)

for a curve over a prime field or

(m,f(x),a,b,G,n,h)

for a curve over a binary field.

KB

, which Bob generates it as follows:

KB=kBG

, where

kB\in[1,n-1]

is the private key he chooses at random.

S1

and

S2

O

which denotes the point at infinity.

Encryption

To encrypt a message

m

Alice does the following:
  1. generates a random number

r\in[1,n-1]

and calculates

R=rG

  1. derives a shared secret:

S=Px

, where

P=(Px,Py)=rKB

(and

P\neO

)
  1. uses a KDF to derive symmetric encryption keys and MAC keys:

kE\|kM=rm{KDF}(S\|S1)

  1. encrypts the message:

c=E(kE;m)

  1. computes the tag of encrypted message and

S2

:

d=rm{MAC}(kM;c\|S2)

  1. outputs

R\|c\|d

Decryption

To decrypt the ciphertext

R\|c\|d

Bob does the following:
  1. derives the shared secret:

S=Px

, where

P=(Px,Py)=kBR

(it is the same as the one Alice derived because

P=kBR=kBrG=rkBG=rKB

), or outputs failed if

P=O

  1. derives keys the same way as Alice did:

kE\|kM=rm{KDF}(S\|S1)

  1. uses MAC to check the tag and outputs failed if

d\nerm{MAC}(kM;c\|S2)

  1. uses symmetric encryption scheme to decrypt the message

m=E-1(kE;c)

References