Journal: Matematicheskie Voprosy Kriptografii [Mathematical Aspects of Cryptography]

Mat. Vopr. Kriptogr., 2024 Volume 15, Issue 2, Pages 101–136 (Mi mvk472)

Privacy and integrity properties of $\mathrm{ECIES}$ scheme

K. D. Tsaregorodtsev

JSC «NPK Kryptonite», Moscow

Abstract: We analyze the $\mathrm{ECIES}$ scheme in the provable security framework. The object of study ($\mathrm{ECIES}$) is an asymmetric (hybrid) authenticated encryption scheme built from a key exchange scheme $\mathsf{KE}$ and an AE(AD)-scheme $\mathsf{AE}$. The encryption process consists of two steps: (a) generating an ephemeral key pair and a session secret key $K$ using $\mathsf{KE}$; (b) encrypting the message $m$ under the key $K$ using $\mathsf{AE}$ and sending the results to the recipient.
We show that the adversarial advantage against the $\mathrm{ECIES}$ scheme in the (standard) $\mathsf{LOR-CCA}$ and $\mathsf{INT-CTXT}$ models can be upper bounded by the adversarial advantage against $\mathsf{KE}$ in the $\mathsf{mODH}$ model (Oracle Diffie-Hellman model with multiple queries) and against $\mathsf{AE}$ in the (standard) $\mathsf{LOR-CCA}$ and $\mathsf{INT-CTXT}$ models, respectively. Security in these models implies the following informal properties: (a) the adversary is unable to extract any useful information about the plaintext from a given ciphertext (except for its length); (b) if the adversary is given an ephemeral public key (chosen by the honest party), it is unable to form a ciphertext that decrypts correctly under this key (for instance, it cannot modify messages formed by honest senders).
We point out some differences between our analysis and the previous ones: (a) previously, only the confidentiality of the $\mathrm{ECIES}$ scheme was analyzed; the integrity of the scheme (in either the $\mathsf{INT-CTXT}$ or the $\mathsf{INT-PTXT}$ model) was not considered; (b) the confidentiality model of the previous analysis (LOR-CCA-fg/IND-CCA2) allows only one encryption challenge query to the $\mathcal{O}_{\mathrm{enc}}^b$ oracle; the generalization to $q_e$ queries to the encryption oracle does not seem to be an immediate consequence, yet the ability to make a number of queries can make a difference in practice; (c) the analysis given in the previous papers can be made slightly more general: our analysis allows any AE(AD)-scheme to be used in place of the concrete Encrypt-then-MAC construction.
Hence, we show that it is possible to separate the key generation step and the encryption process in the generic $\mathrm{ECIES}$ scheme and to study them independently, which allows one to develop more modular security solutions. The scheme can be used as a building block of more involved protocols (e.g., as a part of user anonymous authentication in the 5G-AKA protocol).
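The two-step structure described in the abstract (a $\mathsf{KE}$ step producing an ephemeral public key and a session key $K$, followed by an $\mathsf{AE}$ step under $K$) can be written down as a small hybrid scheme with the two steps kept in separate functions, which is exactly the separation the paper argues for. The following Go program is an added example and is not code from the paper or from any standardized ECIES profile: it instantiates $\mathsf{KE}$ with X25519 from the Go standard library and $\mathsf{AE}$ with AES-256-GCM, and it assumes a placeholder key derivation $K = \mathrm{SHA\text{-}256}(R \,\|\, Z)$ over the ephemeral public key $R$ and the raw shared secret $Z$ (a real profile specifies its own KDF). The ephemeral public key is passed as associated data so that the ciphertext body is bound to it; the `main` function shows a round trip and then a single flipped bit in the body being rejected, which is the $\mathsf{INT-CTXT}$ behaviour the abstract describes informally in property (b).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Ciphertext carries the KE output (the ephemeral public key R) and the
// AE(AD) output (nonce and authenticated body).
type Ciphertext struct {
	EphPub []byte
	Nonce  []byte
	Body   []byte
}

// kdf is an assumed placeholder: K = SHA-256(R || Z). A concrete ECIES
// profile would use its own KDF in this slot.
func kdf(ephPub, shared []byte) []byte {
	h := sha256.New()
	h.Write(ephPub)
	h.Write(shared)
	return h.Sum(nil)
}

// keyExchangeSender is the KE step on the sender side: fresh ephemeral pair,
// X25519 with the recipient's static public key, then the KDF.
func keyExchangeSender(recipientPub *ecdh.PublicKey) (ephPub, sessionKey []byte, err error) {
	ephPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	shared, err := ephPriv.ECDH(recipientPub)
	if err != nil {
		return nil, nil, err
	}
	ephPub = ephPriv.PublicKey().Bytes()
	return ephPub, kdf(ephPub, shared), nil
}

// keyExchangeRecipient recomputes K from the static private key and the
// ephemeral public key that arrived with the ciphertext.
func keyExchangeRecipient(recipientPriv *ecdh.PrivateKey, ephPub []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(ephPub)
	if err != nil {
		return nil, err
	}
	shared, err := recipientPriv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	return kdf(ephPub, shared), nil
}

// newAEAD instantiates the AE(AD) scheme; AES-256-GCM stands in for any
// AE(AD) scheme, which is the generality the paper's analysis allows.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// eciesEncrypt runs the KE step and then the AE step under the derived K.
// K is used for one message only, so the nonce could even be fixed; a random
// one is used here so the AE step looks like a normal AEAD call.
func eciesEncrypt(recipientPub *ecdh.PublicKey, msg []byte) (Ciphertext, error) {
	ephPub, key, err := keyExchangeSender(recipientPub)
	if err != nil {
		return Ciphertext{}, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return Ciphertext{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Ciphertext{}, err
	}
	body := aead.Seal(nil, nonce, msg, ephPub) // R is the associated data
	return Ciphertext{EphPub: ephPub, Nonce: nonce, Body: body}, nil
}

// eciesDecrypt recomputes K and opens the body; any change to the body,
// nonce or ephemeral key fails the GCM tag check and is rejected.
func eciesDecrypt(recipientPriv *ecdh.PrivateKey, ct Ciphertext) ([]byte, error) {
	key, err := keyExchangeRecipient(recipientPriv, ct.EphPub)
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, ct.Nonce, ct.Body, ct.EphPub)
	if err != nil {
		return nil, errors.New("ecies: ciphertext rejected")
	}
	return pt, nil
}

func main() {
	recipient, _ := ecdh.X25519().GenerateKey(rand.Reader)
	ct, _ := eciesEncrypt(recipient.PublicKey(), []byte("constructed sample message"))
	pt, err := eciesDecrypt(recipient, ct)
	fmt.Printf("decrypted: %q, err: %v\n", pt, err)
	ct.Body[0] ^= 1 // flip one bit of the body, as a forgery attempt would
	_, err = eciesDecrypt(recipient, ct)
	fmt.Println("after tampering:", err)
}
```

Because `keyExchangeSender`/`keyExchangeRecipient` and `newAEAD` are independent, either half can be swapped (another curve, another AEAD) without touching the other, which is the modularity the paper's separate $\mathsf{mODH}$ and $\mathsf{LOR-CCA}$/$\mathsf{INT-CTXT}$ bounds justify.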

Key words: $\mathrm{ECIES}$, provable security.

UDC: 519.719.2

Received 06.IX.2023

DOI: 10.4213/mvk472

© Steklov Math. Inst. of RAS, 2024