Cryptography Asked by Kaa on December 31, 2021

I use an encryption scheme based on a symmetric cipher, with the corresponding symmetric key encrypted with RSA/OAEP using the public RSA key of the recipient.

I now want to use ECC crypto in replacement of RSA. Looking at the openssl API I can see that there is no RSA equivalent ECC encryption of a key, but only key derivation.

As the same symmetric key has to be encrypted for several different recipients, each of them owning its own public ECC encryption key, I can’t directly use the derived key as the symmetric key.

So I am considering doing this:

- create a "one time" ECC key pair,
- derive a shared secret with this key and the recipient public key,
- xor the symmetric key with the derived shared secret, ensuring that the latter is at least as long as the symmetric key,
- sign the public part of the "one time" ECC key and transmit it along with the xor encrypted symmetric key so the recipient will be able to decrypt it.

I think that using xor encryption here is safe as:

- the derived shared secret is supposed to be random looking and will never be reused, as one of the keys used for derivation is a one time key,
- the derived shared secret is at least as long as the xor-ed content.

But maybe I have missed something?

It sounds like you're looking to implement something very similar to what was asked about here, with the addition of a signature of the ephemeral public key. But as poncho's answer points out, the potential malleability of the XORed key and the ciphertext could potentially pose some problems. The way the shared secret is derived may also introduce the possibility for issues here, though following the ECIES method with a KDF should help.

For the sake of differentiating this question from Maarten Bodewes's question, I'll assume you're more interested in replacing your existing scheme than implementing exactly what you've described. One potential option to consider is using standard ECIES (using an ephemeral key and KDF to generate a new symmetric key) to encrypt the symmetric key of your original data. This would certainly have both some computational and size overhead, but should achieve your goal.

Here you could still sign the ECIES output (or probably just the ephemeral public key) if that authentication is important to your system. But if you can afford the overhead that might be a safer/less experimental approach.

Answered by thesquaregroot on December 31, 2021
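The two key-wrapping constructions discussed above, side by side, as an added example that is not code from the asker or the answerer. `XORWrap` is the question's proposal (one-time ECDH key, raw shared secret XORed over the symmetric key); `WrapECIES`/`UnwrapECIES` is the answer's suggestion (ephemeral ECDH, a KDF, and an AEAD wrapping the key). `Demo` flips one bit of each wrapped blob in transit to show the malleability the answer warns about: the XOR recipient silently ends up with a key that differs in exactly that bit, while the AEAD variant rejects the blob. Assumptions not in the thread: P-256 via Go's `crypto/ecdh`, the ANSI X9.63 KDF (SHA-256 over secret, counter and a context string that binds both public keys) as the ECIES KDF, AES-256-GCM with a zero nonce as the AEAD (safe only because each derived key-encryption key seals exactly one message), public keys passed as in-memory objects rather than encoded bytes, and the signature over the ephemeral public key that the question mentions is left out.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

var curve = ecdh.P256()

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// x963KDF is the ANSI X9.63 KDF used by classic ECIES: SHA-256(Z || counter || info).
// One 32-byte block is all an AES-256 key needs.
func x963KDF(z, info []byte) []byte {
	k := sha256.Sum256(append(append(append([]byte{}, z...), 0, 0, 0, 1), info...))
	return k[:]
}

// XORWrap is the question's scheme and serves both directions: ECDH, then the raw
// shared secret XORed over data. Nothing authenticates the result, and a P-256
// secret is an x-coordinate rather than a uniformly random 32-byte string.
func XORWrap(priv *ecdh.PrivateKey, pub *ecdh.PublicKey, data []byte) ([]byte, error) {
	secret, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	if len(secret) < len(data) { // the question's "at least as long" condition
		return nil, fmt.Errorf("shared secret (%d bytes) shorter than data", len(secret))
	}
	out := make([]byte, len(data))
	for i := range data {
		out[i] = data[i] ^ secret[i]
	}
	return out, nil
}

// eciesAEAD derives the key-encryption key ECIES-style, bound to both public keys,
// and returns AES-256-GCM keyed with it.
func eciesAEAD(priv *ecdh.PrivateKey, peer, eph, recipient *ecdh.PublicKey) (cipher.AEAD, error) {
	secret, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	info := append(append([]byte("ecies-key-wrap-v1|"), eph.Bytes()...), recipient.Bytes()...)
	block, _ := aes.NewCipher(x963KDF(secret, info)) // 32-byte key: cannot fail
	return cipher.NewGCM(block)
}

// WrapECIES follows the answer: ephemeral ECDH + KDF + AEAD, with the ephemeral
// public key as AAD. The zero nonce is safe because each derived KEK seals one message.
func WrapECIES(eph *ecdh.PrivateKey, recipient *ecdh.PublicKey, symKey []byte) ([]byte, error) {
	gcm, err := eciesAEAD(eph, recipient, eph.PublicKey(), recipient)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nil, make([]byte, gcm.NonceSize()), symKey, eph.PublicKey().Bytes()), nil
}

// UnwrapECIES recomputes the KEK and opens the AEAD; a single bit flip fails the tag.
func UnwrapECIES(recipient *ecdh.PrivateKey, eph *ecdh.PublicKey, blob []byte) ([]byte, error) {
	gcm, err := eciesAEAD(recipient, eph, eph, recipient.PublicKey())
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, make([]byte, gcm.NonceSize()), blob, eph.Bytes())
}

// Demo wraps a constructed 32-byte key both ways, flips one bit of each blob in
// transit, and reports whether XOR silently yielded an altered key and whether ECIES rejected it.
func Demo() (xorAltered, eciesRejected bool) {
	recipient := must(curve.GenerateKey(rand.Reader))
	symKey := bytes.Repeat([]byte{0x42}, 32) // constructed sample key

	ephX := must(curve.GenerateKey(rand.Reader))
	blobX := must(XORWrap(ephX, recipient.PublicKey(), symKey))
	blobX[0] ^= 0x80 // tamper in transit
	gotX := must(XORWrap(recipient, ephX.PublicKey(), blobX))
	xorAltered = gotX[0] == symKey[0]^0x80 && bytes.Equal(gotX[1:], symKey[1:])

	ephE := must(curve.GenerateKey(rand.Reader))
	blobE := must(WrapECIES(ephE, recipient.PublicKey(), symKey))
	blobE[0] ^= 0x80 // same tamper
	_, err := UnwrapECIES(recipient, ephE.PublicKey(), blobE)
	return xorAltered, err != nil
}

func main() {
	fmt.Println(Demo()) // true true
}
```

Binding the ephemeral and recipient public keys into the KDF input and using the ephemeral key as AAD is what stops a wrapped key from being transplanted to a different recipient or paired with a substituted ephemeral key; the GCM tag is what turns the bit-flip from a silently corrupted session key into a decryption failure.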
