eth-ecies icon indicating copy to clipboard operation
eth-ecies copied to clipboard
verified publisher icon libertylocked

Can you describe your code?

Open clinton81 opened this issue 7 years ago • 1 comments

I was confused with ECIES and couldn't find a suitable example. Can I ask you some questions?

clinton81 avatar Sep 27 '18 01:09 clinton81

If Alice is sending some encrypted message to Bob

  • Alice gets Bob's public key, gx
  • Alice first generates an ephemeral keypair (random 32 bytes), y (private) and gy (public)
  • Alice uses Elliptic-curve Diffie–Hellman (ECDH) to derive a shared secret from her y and Bob's gx, px = ECDH(y, gx) (32 bytes)
  • Alice uses SHA512 as KDF. ke || ka = SHA512(px) to get ke as encryption key (32 bytes) and ka as authentication key (32 bytes)
  • Alice encrypts her message m using AES256 in CBC mode with random iv. c = AES256-CBC(ke, iv, m)
  • Alice computes MAC, mac = HMAC-SHA256(ka, iv || gy || c)
  • Alice sends iv || gy || mac || c to Bob.

Once Bob gets gy he also uses ECDH

px = ECDH(x, gy)

Then he decrypts the message, checks MAC, etc etc

There's no single standard ECIES and you can change it up a bit in your implementation if you wish, for example you can use ke = HMAC-SHA256(px, 0x01) and ka = HMAC-SHA256(px, 0x02) as KDF. (I probably should have done this but if I change the lib at this point it'll break previously encrypted messages)

Also you can potentially replace AES256-CBC with AES256-GCM, in which case you don't even need to derive authentication key or compute MAC yourself.

libertylocked avatar Sep 27 '18 01:09 libertylocked