Matematicheskie Voprosy Kriptografii [Mathematical Aspects of Cryptography]

Matematicheskie Voprosy Kriptografii [Mathematical Aspects of Cryptography], 2024, Volume 15, Issue 2, Pages 101–136
DOI: https://doi.org/10.4213/mvk472
(Mi mvk472)
 

Privacy and integrity properties of $\mathrm{ECIES}$ scheme

K. D. Tsaregorodtsev

JSC «NPK Kryptonite», Moscow
Abstract: We analyze the $\mathrm{ECIES}$ scheme in the provable security framework. The object of study ($\mathrm{ECIES}$) is an asymmetric (hybrid) authenticated encryption scheme based on the key exchange scheme $\mathsf{KE}$ and the AE(AD)-scheme $\mathsf{AE}$. The encryption process consists of two steps: (a) generating an ephemeral pair and a session secret key $K$ using $\mathsf{KE}$, (b) encrypting the message $m$ under the key $K$ using $\mathsf{AE}$ and sending the results to the recipient.
We show that the adversarial advantage against the $\mathrm{ECIES}$ scheme in the (standard) $\mathsf{LOR\text{-}CCA}$ and $\mathsf{INT\text{-}CTXT}$ models can be upper bounded by the adversarial advantage against $\mathsf{KE}$ in the $\mathsf{mODH}$ model (Oracle Diffie-Hellman Model with multiple queries) and against $\mathsf{AE}$ in the (standard) $\mathsf{LOR\text{-}CCA}$ and $\mathsf{INT\text{-}CTXT}$ models respectively. Security in these models implies the following informal properties: (a) the adversary is unable to extract any useful information about the plaintext from the given ciphertext (except for its length); (b) if the adversary is given some ephemeral public key (chosen by the honest party), it is unable to form a ciphertext that may be correctly decrypted under this key (for instance, it cannot modify messages formed by honest senders).
We point out some differences between our analysis and the previous ones: (a) previously, only the confidentiality of the $\mathrm{ECIES}$ scheme was analyzed; the integrity of the scheme (either in the $\mathsf{INT\text{-}CTXT}$ or $\mathsf{INT\text{-}PTXT}$ models) was not considered; (b) the confidentiality model in the previous analysis (LOR-CCA-fg/IND-CCA2) allows only one encryption challenge query to the $\mathcal{O}_{\mathrm{enc}}^b$ oracle; the generalization to the case of $q_e$ queries to the encryption oracle does not seem to be an immediate consequence; however, the ability to make multiple queries can make a difference in practice; (c) the analysis given in the previous papers could be slightly more general: any AE(AD)-scheme can be used instead of the concrete Encrypt-then-MAC approach.
Hence, we show that it is possible to separate the key generation step and the encryption process in the generic $\mathrm{ECIES}$ scheme and study them independently, which allows one to develop more modular security solutions. The scheme can be used as a building block of more involved protocols (e.g., as a part of anonymous user authentication in the 5G-AKA protocol).
Key words: $\mathrm{ECIES}$, provable security.
Received 06.IX.2023
Document Type: Article
UDC: 519.719.2
Language: Russian
Citation: K. D. Tsaregorodtsev, “Privacy and integrity properties of $\mathrm{ECIES}$ scheme”, Mat. Vopr. Kriptogr., 15:2 (2024), 101–136
Citation in format AMSBIB
\Bibitem{Tsa24}
\by K.~D.~Tsaregorodtsev
\paper Privacy and integrity properties of $\mathrm{ECIES}$ scheme
\jour Mat. Vopr. Kriptogr.
\yr 2024
\vol 15
\issue 2
\pages 101--136
\mathnet{http://mi.mathnet.ru/mvk472}
\crossref{https://doi.org/10.4213/mvk472}
Linking options:
  • https://www.mathnet.ru/eng/mvk472
  • https://doi.org/10.4213/mvk472
  • https://www.mathnet.ru/eng/mvk/v15/i2/p101