I use an encryption scheme based on a symmetric cipher, with the corresponding symmetric key encrypted with RSA/OAEP using the public RSA key of the recipient.
I now want to use ECC crypto as a replacement for RSA. Looking at the OpenSSL API I can see that there is no RSA-equivalent ECC encryption of a key, but only key derivation.
As the same symmetric key has to be encrypted for several different recipients, each of them owning their own public ECC encryption key, I can’t directly use the derived key as the symmetric key.
So I am considering doing this:
I think that using xor encryption here is safe as:
But maybe I have missed something?
It sounds like you're looking to implement something very similar to what was asked about here, with the addition of a signature of the ephemeral public key. But as poncho's answer points out, the potential malleability of the XORed key and the ciphertext could potentially pose some problems. The way the shared secret is derived may also introduce the possibility for issues here, though following the ECIES method with a KDF should help.
For the sake of differentiating this question from Maarten Bodewes's question, I'll assume you're more interested in replacing your existing scheme than implementing exactly what you've described. One potential option to consider is using standard ECIES (using an ephemeral key and KDF to generate a new symmetric key) to encrypt the symmetric key of your original data. This would certainly have both some computational and size overhead, but should achieve your goal.
Here you could still sign the ECIES output (or probably just the ephemeral public key) if that authentication is important to your system. But if you can afford the overhead, that might be a safer/less experimental approach.
Answered by thesquaregroot on December 31, 2021
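The scheme the answer recommends, worked through end to end as an added example (this is not code from the question, the answer, or OpenSSL): one random content key is wrapped separately for each recipient with ECIES-style key wrapping, i.e. a fresh ephemeral ECDH key per recipient, a KDF over the shared secret, and an authenticated cipher instead of the XOR the question proposes. Everything here is an assumption chosen for illustration rather than something the thread specifies: P-256 for ECDH and ECDSA, HKDF-SHA256 with a made-up info label "ecies-kek-v1", AES-256-GCM with the ephemeral public key as associated data, and an optional ECDSA signature by the sender over the ephemeral public key (the answer's "sign the ephemeral public key"). It uses only the Go standard library; the HKDF is written out by hand to avoid a dependency.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// WrappedKey is the per-recipient blob the sender publishes: ephemeral public key, GCM nonce,
// GCM-sealed content key (ciphertext plus tag) and, optionally, an ECDSA signature over EphemeralPub.
type WrappedKey struct {
	EphemeralPub, Nonce, Sealed, Sig []byte
}

// hkdfSHA256 is a one-block HKDF (RFC 5869) written out here so the program needs only the
// standard library; it returns exactly 32 bytes.
func hkdfSHA256(ikm, salt, info []byte) []byte {
	ext := hmac.New(sha256.New, salt) // extract: PRK = HMAC(salt, IKM)
	ext.Write(ikm)
	exp := hmac.New(sha256.New, ext.Sum(nil)) // expand: T(1) = HMAC(PRK, info || 0x01)
	exp.Write(info)
	exp.Write([]byte{1})
	return exp.Sum(nil)
}

func sha256sum(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// deriveKEK is the KDF step both sides run. Binding the ephemeral and recipient public keys
// into the info string ties the KEK to this exact exchange ("ecies-kek-v1" is an assumed label).
func deriveKEK(shared, ephPub, recipPub []byte) []byte {
	info := append(append([]byte("ecies-kek-v1"), ephPub...), recipPub...)
	return hkdfSHA256(shared, nil, info)
}

// WrapCEK encrypts the content key for one recipient: fresh ephemeral ECDH key, HKDF to a KEK, then
// AES-256-GCM with the ephemeral public key as AAD, so the wrapped key is authenticated, not an XOR.
func WrapCEK(cek []byte, recipient *ecdh.PublicKey, signer *ecdsa.PrivateKey) (WrappedKey, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil { return WrappedKey{}, err }
	shared, err := eph.ECDH(recipient)
	if err != nil { return WrappedKey{}, err }
	ephPub := eph.PublicKey().Bytes()
	aead, err := gcmFor(deriveKEK(shared, ephPub, recipient.Bytes()))
	if err != nil { return WrappedKey{}, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return WrappedKey{}, err }
	wk := WrappedKey{EphemeralPub: ephPub, Nonce: nonce, Sealed: aead.Seal(nil, nonce, cek, ephPub)}
	if signer != nil { // optional: let the recipient authenticate the ephemeral key
		if wk.Sig, err = ecdsa.SignASN1(rand.Reader, signer, sha256sum(ephPub)); err != nil {
			return WrappedKey{}, err
		}
	}
	return wk, nil
}

// UnwrapCEK is the recipient side; any change to the blob fails GCM's tag check.
func UnwrapCEK(wk WrappedKey, recipient *ecdh.PrivateKey, verifier *ecdsa.PublicKey) ([]byte, error) {
	if verifier != nil && !ecdsa.VerifyASN1(verifier, sha256sum(wk.EphemeralPub), wk.Sig) {
		return nil, errors.New("ephemeral public key signature does not verify")
	}
	ephPub, err := ecdh.P256().NewPublicKey(wk.EphemeralPub)
	if err != nil { return nil, err }
	shared, err := recipient.ECDH(ephPub)
	if err != nil { return nil, err }
	aead, err := gcmFor(deriveKEK(shared, wk.EphemeralPub, recipient.PublicKey().Bytes()))
	if err != nil { return nil, err }
	return aead.Open(nil, wk.Nonce, wk.Sealed, wk.EphemeralPub)
}

// Key-generation helpers for the demo (panic on failure to keep the example short).
func newRecipient() *ecdh.PrivateKey { k, err := ecdh.P256().GenerateKey(rand.Reader); if err != nil { panic(err) }; return k }
func newSigner() *ecdsa.PrivateKey { k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); if err != nil { panic(err) }; return k }

func main() {
	// Constructed demo: one content key wrapped for two recipients, each with its own ECC key.
	alice, bob, signer := newRecipient(), newRecipient(), newSigner()
	cek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, cek); err != nil { panic(err) }
	for name, r := range map[string]*ecdh.PrivateKey{"alice": alice, "bob": bob} {
		wk, err := WrapCEK(cek, r.PublicKey(), signer)
		if err != nil { panic(err) }
		got, err := UnwrapCEK(wk, r, &signer.PublicKey)
		fmt.Printf("%s: err=%v, recovered the CEK: %v\n", name, err, hmac.Equal(got, cek))
	}
}
```

The bulk data is encrypted once under the content key (with an AEAD of your choice, outside this block); only the small per-recipient WrappedKey blobs grow with the recipient count. Using GCM for the wrap is what closes the malleability concern raised in the answer: flipping a bit in Sealed, swapping in a different ephemeral key, or handing the blob to the wrong recipient all fail the tag check instead of silently yielding a related key.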