Using xor encryption in the following use case

Cryptography Asked by Kaa on December 31, 2021

I use an encryption scheme based on a symmetric cipher, with the corresponding symmetric key encrypted with RSA/OAEP using the public RSA key of the recipient.
I now want to use ECC crypto in replacement of RSA. Looking at the openssl API, I can see that there is no RSA-equivalent ECC encryption of a key, but only key derivation.
As the same symmetric key has to be encrypted for several different recipients, each of them owning their own public ECC encryption key, I can’t directly use the derived key as the symmetric key.

So I am considering doing this:

  • create a "one time" ECC key pair,
  • derive a shared secret with this key and the recipient public key,
  • xor the symmetric key with the derived shared secret, ensuring that the latter is at least as long as the symmetric key,
  • sign the public part of the "one time" ECC key and transmit it along with the xor encrypted symmetric key so the recipient will be able to decrypt it.

I think that using xor encryption here is safe as:

  • the derived shared secret is supposed to be random looking and will never be reused, as one of the keys used for derivation is a one time key,
  • the derived shared secret is at least as long as the xor-ed content.

But maybe I have missed something?

One Answer

It sounds like you're looking to implement something very similar to what was asked about here, with the addition of a signature of the ephemeral public key. But as poncho's answer points out, the potential malleability of the XORed key and the ciphertext could potentially pose some problems. The way the shared secret is derived may also introduce the possibility for issues here, though following the ECIES method with a KDF should help.

For the sake of differentiating this question from Maarten Bodewes's question, I'll assume you're more interested in replacing your existing scheme than implementing exactly what you've described. One potential option to consider is using standard ECIES (using an ephemeral key and KDF to generate a new symmetric key) to encrypt the symmetric key of your original data. This would certainly have both some computational and size overhead, but should achieve your goal.

Here you could still sign the ECIES output (or probably just the ephemeral public key) if that authentication is important to your system. But if you can afford the overhead, that might be a safer/less experimental approach.

Answered by thesquaregroot on December 31, 2021
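The two designs discussed above, side by side, as an added example that is not code from the question or the answer: `wrapXOR`/`unwrapXOR` is the procedure the question lays out (one-time X25519 key pair, raw ECDH output XORed over the symmetric key), and `wrapECIES`/`unwrapECIES` is the answer's alternative (ECDH output into a KDF, then an authenticated cipher over the key). Only the Go standard library is used: crypto/ecdh for X25519, crypto/hmac and crypto/sha256 for a single-block HKDF, crypto/aes and crypto/cipher for AES-256-GCM. The function names, the `key-wrap-v1|` context label and the fixed nonce are choices made here, and the signature over the one-time public key that the question mentions is omitted because it does not affect the property being shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// xorBytes returns a XOR b over len(a) bytes; b must be at least as long as a.
func xorBytes(a, b []byte) ([]byte, error) {
	if len(b) < len(a) {
		return nil, errors.New("shared secret shorter than the key it must cover")
	}
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out, nil
}

// wrapXOR is the question's scheme: one-time X25519 pair, raw ECDH output XORed over the key.
func wrapXOR(recipientPub *ecdh.PublicKey, symKey []byte) (ephPub, wrapped []byte, err error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	shared, err := eph.ECDH(recipientPub) // 32 bytes for X25519
	if err != nil {
		return nil, nil, err
	}
	wrapped, err = xorBytes(symKey, shared)
	return eph.PublicKey().Bytes(), wrapped, err
}

// unwrapXOR cannot tell that wrapped was altered: a flipped bit comes out as a flipped key bit.
func unwrapXOR(recipientPriv *ecdh.PrivateKey, ephPub, wrapped []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(ephPub)
	if err != nil {
		return nil, err
	}
	shared, err := recipientPriv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	return xorBytes(wrapped, shared)
}

// kekAEAD: single-block HKDF-SHA256 (RFC 5869) over the ECDH output, both public keys in info.
func kekAEAD(shared, ephPub, recipientPub []byte) (cipher.AEAD, error) {
	ext := hmac.New(sha256.New, nil) // HKDF-Extract with empty salt
	ext.Write(shared)
	exp := hmac.New(sha256.New, ext.Sum(nil)) // HKDF-Expand, first (and only) block
	exp.Write([]byte("key-wrap-v1|")) // context label constructed for this example
	exp.Write(ephPub)
	exp.Write(recipientPub)
	exp.Write([]byte{1})
	block, _ := aes.NewCipher(exp.Sum(nil)) // 32-byte key, so NewCipher cannot fail
	return cipher.NewGCM(block)
}

// zeroNonce is safe only because each KEK comes from a one-time key pair and encrypts once.
var zeroNonce = make([]byte, 12)

// wrapECIES is the answer's suggestion: ECDH, then a KDF, then an AEAD over the key.
func wrapECIES(recipientPub *ecdh.PublicKey, symKey []byte) (ephPub, ct []byte, err error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	shared, err := eph.ECDH(recipientPub)
	if err != nil {
		return nil, nil, err
	}
	ephPub = eph.PublicKey().Bytes()
	gcm, err := kekAEAD(shared, ephPub, recipientPub.Bytes())
	if err != nil {
		return nil, nil, err
	}
	return ephPub, gcm.Seal(nil, zeroNonce, symKey, ephPub), nil // ephPub is authenticated as AAD
}

// unwrapECIES fails closed: any change to ct or ephPub breaks the GCM tag instead of the key.
func unwrapECIES(recipientPriv *ecdh.PrivateKey, ephPub, ct []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(ephPub)
	if err != nil {
		return nil, err
	}
	shared, err := recipientPriv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	gcm, err := kekAEAD(shared, ephPub, recipientPriv.PublicKey().Bytes())
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, zeroNonce, ct, ephPub)
}
```

The difference the answer points at shows up at the unwrap step: with the XOR wrap, whoever can change a byte of the wrapped key in transit changes the recovered key in a predictable way and the recipient gets no error, and the signature in the question's design covers only the one-time public key, not those bytes, so it does not close that gap. With the KDF plus AEAD path the tag check fails instead, and because the ephemeral public key is both an HKDF input and the AAD, substituting a different valid public key fails as well.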
