It is possible to describe elliptic curve analogues of all the variants of the ElGamal public-key encryption scheme [3]. We describe one such variant, the Elliptic Curve Integrated Encryption Scheme (ECIES), proposed by Abdalla, Bellare and Rogaway [1].
The elliptic curve domain parameters are \(D=(q,\mbox{FR},S,a,b,P,n,h)\), and an entity A's key pair is \((d,Q)\) (see elliptic curve keys). E denotes a symmetric cryptosystem such as the Rijndael/AES, and MAC (see MAC algorithms) denotes a message authentication code algorithm such as HMAC. In order to encrypt a message m to A, an entity B does the following:
- 1.
Select \(k \in_R [1,n-1]\).
- 2.
Compute \(R=kP\) and \(Z=kQ\).
- 3.
Derive two keys \(k_1\) and \(k_2\) from Z and R.
- 4.
Compute \(c=E_{k_1}(m)\) and \(t=\mbox{MAC}_{k_2}(c)\).
- 5.
Send \((R,c,t)\) to A.
A decrypts using her private key d as follows:
- 1.
Compute \(Z=dR\).
- 2.
Derive two keys \(k_1\) and \(k_2\) from Z and R.
- 3.
Compute
...
; reject the ciphertext if t≠t′.