Encryption
See also: PQ encryption
Symmetric encryption
DES and 3DES
DES: FIPS 81 (DES modes of operation); DES/3DES: FIPS 46-3
AES
Asymmetric encryption of symmetric keys
 RFC 3766 Determining Strengths For Public Keys Used For Exchanging Symmetric Keys
Asymmetric encryption
RSA encryption
Based on the difficulty of integer factorisation.
ElGamal encryption
Based on the difficulty of the Diffie-Hellman problem (the same problem that underlies Diffie-Hellman key exchange). It is probabilistic: a fresh random number is used for every encryption, so encrypting the same message twice gives two different ciphertexts.
Private key y is a random scalar, public key Y = y.G. For a message M and a random number t, the ciphertext is (t.G, M + t.Y); the holder of y recovers M as M = (M + t.Y) - y.(t.G).
Linear encryption
Boneh, Boyen, and Shacham define a public-key encryption scheme by analogy to ElGamal encryption. In this scheme, the public key is three generators u, v, h. The private key is two exponents x, y such that u^{x} = v^{y} = h.
Encryption combines a message m in G with the public key and two random exponents a, b to create a ciphertext c := (c1, c2, c3) = (u^{a}, v^{b}, m.h^{a+b}).
To decrypt the ciphertext, the private key is used to compute m' := c3 . (c1^{x} . c2^{y})^{-1}, which equals m because c1^{x} = h^{a} and c2^{y} = h^{b}.
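Both schemes above, as an added example that is not part of the original page: ElGamal and Boneh-Boyen-Shacham linear encryption written multiplicatively in the prime-order subgroup of a toy safe-prime group. The group parameters (p = 1019, q = 509, g = 4), the encode helper and the optional deterministic t/a/b arguments are assumptions for illustration; a deployment would use a 2048-bit or larger group, or an elliptic curve. The page's (t.G, M + t.Y) becomes (g^t, m * Y^t) and decryption divides by c1^y; linear decryption divides c3 by c1^x * c2^y exactly as in the formula above.

```python
# Added example: ElGamal and BBS linear encryption in the order-q subgroup of
# Z_p^*, written multiplicatively. "+" on the page is "*" here, "t.Y" is Y^t.
import secrets

# Toy group (assumption): p = 2q+1 is a safe prime, so g = 4 = 2^2 generates
# the subgroup of prime order q. Real deployments use >= 2048-bit groups.
P = 1019
Q = 509
G = 4

def inv(x):
    """Multiplicative inverse mod P (P is prime, so Fermat applies)."""
    return pow(x, P - 2, P)

def encode(k):
    """Map a small integer into the order-q subgroup; messages must live there."""
    return pow(G, k % Q, P)

# --- ElGamal -----------------------------------------------------------------
def elgamal_keygen(y=None):
    """Private key y, public key Y = g^y."""
    y = y if y is not None else secrets.randbelow(Q - 1) + 1
    return y, pow(G, y, P)

def elgamal_encrypt(Y, m, t=None):
    """Ciphertext (g^t, m * Y^t) with a fresh random t per message."""
    t = t if t is not None else secrets.randbelow(Q - 1) + 1
    return pow(G, t, P), (m * pow(Y, t, P)) % P

def elgamal_decrypt(y, ct):
    """m = c2 / c1^y, since c1^y = g^(ty) = Y^t."""
    c1, c2 = ct
    return (c2 * inv(pow(c1, y, P))) % P

# --- Linear encryption (Boneh, Boyen, Shacham) ----------------------------------
def linear_keygen(x=None, y=None):
    """Public key (u, v, h) with u^x = v^y = h; private key (x, y)."""
    x = x if x is not None else secrets.randbelow(Q - 1) + 1
    y = y if y is not None else secrets.randbelow(Q - 1) + 1
    h = G
    u = pow(h, pow(x, -1, Q), P)   # u = h^(1/x) so that u^x = h
    v = pow(h, pow(y, -1, Q), P)   # v = h^(1/y) so that v^y = h
    return (x, y), (u, v, h)

def linear_encrypt(pk, m, a=None, b=None):
    """Ciphertext (u^a, v^b, m * h^(a+b)) with fresh random a, b."""
    u, v, h = pk
    a = a if a is not None else secrets.randbelow(Q - 1) + 1
    b = b if b is not None else secrets.randbelow(Q - 1) + 1
    return pow(u, a, P), pow(v, b, P), (m * pow(h, a + b, P)) % P

def linear_decrypt(sk, ct):
    """m = c3 / (c1^x * c2^y), since c1^x = h^a and c2^y = h^b."""
    x, y = sk
    c1, c2, c3 = ct
    return (c3 * inv((pow(c1, x, P) * pow(c2, y, P)) % P)) % P

if __name__ == "__main__":
    m = encode(123)
    y, Y = elgamal_keygen()
    ct1, ct2 = elgamal_encrypt(Y, m), elgamal_encrypt(Y, m)
    print("ElGamal ciphertexts differ:", ct1 != ct2)
    print("ElGamal decrypts:", elgamal_decrypt(y, ct1) == m)
    sk, pk = linear_keygen()
    print("Linear decrypts:", linear_decrypt(sk, linear_encrypt(pk, m)) == m)
```

Running the script shows the probabilistic property directly: the two ElGamal ciphertexts of the same message differ, and both decrypt to it.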
ECC encryption
Basics
Typically based on the difficulty of the discrete logarithm problem (DLP) on an elliptic curve. The ECDLP is the problem of finding an ECC user's secret key, given the user's public key.
Several discrete-logarithm-based protocols have been adapted to elliptic curves, replacing the group Z_p^× with an elliptic curve:
 The EC Diffie–Hellman (ECDH) key agreement scheme is based on the Diffie–Hellman scheme,
 The EC Integrated Encryption Scheme (ECIES), also known as Elliptic Curve Augmented Encryption Scheme or simply the Elliptic Curve Encryption Scheme,
 The EC Digital Signature Algorithm (ECDSA) is based on the Digital Signature Algorithm,
 The deformation scheme using Harrison's p-adic Manhattan metric,
 The Edwards-curve Digital Signature Algorithm (EdDSA) is based on the Schnorr signature and uses twisted Edwards curves,
 The ECMQV key agreement scheme is based on the MQV key agreement scheme,
 The ECQV implicit certificate scheme.
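Every scheme in the list above is built on two operations: point addition and scalar multiplication on the curve. As an added example that is not from the page, here they are for a textbook toy curve (y^2 = x^3 + 2x + 2 over F_17 with generator (5, 1) of prime order 19, an assumed choice for illustration only), followed by the EC Diffie-Hellman exchange from the first list item, including the public-key validity check a real implementation must perform before using a peer's point. Real systems use standard curves such as P-256 or Curve25519 with constant-time arithmetic; the function names here are assumptions.

```python
# Added example: short-Weierstrass point arithmetic and ECDH on a toy curve.
# Curve (assumption, textbook example): y^2 = x^3 + 2x + 2 over F_17.
import secrets

P_FIELD = 17
A, B = 2, 2
G = (5, 1)       # generator
N = 19           # order of G (prime), so scalars live in Z_19
INF = None       # point at infinity, the group identity

def on_curve(pt):
    """True if pt is the identity or satisfies the curve equation."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_FIELD == 0

def add(p1, p2):
    """Point addition by the chord-and-tangent rule."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return INF                                            # P + (-P) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_FIELD)    # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_FIELD)           # chord slope
    lam %= P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    y3 = (lam * (x1 - x3) - y1) % P_FIELD
    return (x3, y3)

def mul(k, pt):
    """Scalar multiplication k.pt by double-and-add (not constant-time)."""
    result, addend = INF, pt
    k %= N
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result

def ecdh_keygen(d=None):
    """Private scalar d in [1, N-1], public point Q = d.G."""
    d = d if d is not None else secrets.randbelow(N - 1) + 1
    return d, mul(d, G)

def ecdh_shared(d_own, q_peer):
    """Shared point d_own.Q_peer; both sides obtain d_a.d_b.G.
    Rejecting off-curve or identity points blocks invalid-curve inputs."""
    if q_peer is INF or not on_curve(q_peer):
        raise ValueError("peer public key is not a valid curve point")
    return mul(d_own, q_peer)

if __name__ == "__main__":
    da, qa = ecdh_keygen()
    db, qb = ecdh_keygen()
    print("shared secrets match:", ecdh_shared(da, qb) == ecdh_shared(db, qa))
```

In practice the shared x-coordinate is passed through a key-derivation function rather than used directly, and scalar multiplication must be constant-time; the toy code shows the group structure, not a deployable implementation.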
At the RSA Conference 2005, the National Security Agency (NSA) announced Suite B which exclusively uses ECC for digital signature generation and key exchange. The suite is intended to protect both classified and unclassified national security systems and information.
A large number of cryptographic primitives based on bilinear mappings on various elliptic curve groups, such as the Weil and Tate pairings, have been introduced. Schemes based on these primitives provide efficient identity-based encryption as well as pairing-based signatures, signcryption, key agreement, and proxy re-encryption.
Curve selection
 SafeCurves: choosing safe curves for elliptic-curve cryptography (Daniel J. Bernstein, Tanja Lange)
 There are many standards that try to ensure that the elliptic-curve discrete-logarithm problem (ECDLP) is difficult.
 Be aware that there is a gap between ECDLP difficulty and ECC security. There are attacks that break real-world ECC without solving ECDLP. The core problem is that if you implement the standard curves, chances are you're doing it wrong.
 Standards include:
 ANSI X9.62 (1999)
 IEEE P1363 (2000)
 SEC 2 (2000)
 NIST FIPS 186-2 (2000)
 ANSI X9.63 (2001)
 Brainpool (2005)
 NSA Suite B (2005)
 ANSSI FRP256V1 (2011)
 NIST updates...
NIST ECC
NIST has standardized elliptic curve cryptography for digital signature algorithms in FIPS 186 and for key establishment schemes in SP 800-56A.
 NIST ECC page
 FIPS 186-4 (DSS) specified 15 recommended curves of varying security levels. It has been superseded by FIPS 186-5 (February 3, 2023).
 FIPS 186-5 approves three techniques:
 RSA as per IETF RFC 8017, previously specified in Public Key Cryptography Standard (PKCS) #1.
 ECDSA, specified in the standard itself. A variant of ECDSA with a deterministic signature generation procedure, known as deterministic ECDSA, is also approved and specified in IETF RFC 6979. Recommended elliptic curves for Federal Government use of ECDSA (including deterministic ECDSA) are provided in SP 800-186.
 EdDSA as per IETF RFC 8032. Recommended curves for use of EdDSA are provided in SP 800-186. HashEdDSA is also included.
 NIST SP 800-186, Recommendations for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters
 Curves:
 non-binary: short-Weierstrass form (P-192, P-256, ...), Montgomery curves (Curve25519, ...), Edwards curves (Edwards25519)
 binary (deprecated): Koblitz (K-...) and pseudorandom (B-...) curves
 appendix, other allowed curves: Brainpool, secp256k1
Pairing-based encryption
Basics
A pairing is a bilinear map. It can e.g. be defined over elliptic curves.
Pairings involve three groups of prime order. The Stanford PBC library calls them G1, G2, and GT, and calls the order r. The pairing is a bilinear map that takes two elements as input, one from G1 and one from G2, and outputs an element of GT.
The elements of G2 are at least as long as G1; G1 is guaranteed to be the shorter of the two. Sometimes G1 and G2 are the same group (i.e. the pairing is symmetric) so their elements can be mixed freely.
Galbraith, Paterson, and Smart defined three types of pairings: in type 1, G1 = G2; in type 2, G1 ≠ G2 but there exists an efficient homomorphism φ : G2 → G1, while no efficient one exists in the other direction; in type 3, G1 ≠ G2 and no efficiently computable homomorphism exists between G1 and G2 in either direction.
Although type 1 pairings were mostly used in the early days of pairing-based cryptography, they have been gradually discarded in favour of type 3 pairings. The latter offer better efficiency and are compatible with several computational assumptions, such as the Decision Diffie-Hellman assumption in G1 or G2 (also known as the XDH assumption), which does not hold in type 1 pairings.
 Pairing (Wikipedia)
 Bilinear map (Wikipedia)
A bilinear map is a function combining elements of two vector spaces to yield an element of a third vector space, and is linear in each of its arguments. Matrix multiplication is an example.
Pairing on elliptic curves
Curves used for ordinary elliptic curve cryptography are generally chosen so that no pairing on them is efficiently computable, because an efficiently computable pairing transfers the ECDLP into a finite field where it is easier to solve (the MOV attack); pairing-based schemes instead use specially chosen pairing-friendly curves.
Pairings are used in identity-based encryption (IBE), attribute-based encryption (ABE), authenticated key exchange (AKE), short signatures and so on.
Quoting Ben Lynn: minimal pairing-based cryptography requires:
 Arithmetic in Z_{p}. I built mine on top of the GMP library, which conveniently provides number theoretic functions such as inversion modulo a prime and the Jacobi symbol.
 Elliptic curve groups: mostly routines for solving y^{2} = x^{3} + ax + b over Z_{p}, point addition and multiplication.
 Bilinear pairing: Miller’s algorithm.
Further info:
 Freeman: Taxonomy of pairing-friendly curves (2007)
 IETF on pairing-friendly curves: several applications using pairing-based cryptography are standardized and implemented.
 The IETF has issued RFCs for pairing-based cryptography such as identity-based cryptography, certificateless signatures, Sakai-Kasahara Key Encryption (SAKKE) and Identity-Based Authenticated Key Exchange (IBAKE); SAKKE is applied in Multimedia Internet KEYing (MIKEY) and used in 3GPP.
 Pairing-based key agreement protocols are standardized in ISO/IEC 11770-3:2015, which contains a key agreement scheme by Joux and identity-based key agreement schemes by Smart-Chen-Cheng and by Fujioka-Suzuki-Ustaoglu.
 MIRACL implements M-Pin, a multi-factor authentication protocol. The M-Pin protocol includes a kind of zero-knowledge proof in whose construction a pairing is used.
 The Trusted Computing Group (TCG) specifies ECDAA (Elliptic Curve Direct Anonymous Attestation) in the Trusted Platform Module (TPM) specification. ECDAA is a protocol for proving the attestation held by a TPM to a verifier without revealing that attestation. A pairing is used in constructing ECDAA.
 The FIDO Alliance and W3C also published an ECDAA algorithm similar to TCG's.
 Zcash implements its zero-knowledge proof system zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge), used to protect the privacy of Zcash transactions. A pairing is used in constructing zk-SNARKs.
 Cloudflare introduced Geo Key Manager to restrict the distribution of customers' private keys to a subset of their data centers. To achieve this, pairing-based attribute-based encryption is used.
 DFINITY uses a threshold signature scheme to generate decentralized random beacons. They constructed a BLS-signature-based scheme, which relies on pairings.
 In Ethereum 2.0, the Prysm project applies signature aggregation for scalability by leveraging DFINITY's random-beacon chain playground. Their code is published on GitHub.
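To make the bilinearity property from the basics section concrete, and to show how the Joux key agreement and the BLS signatures named in the list above use it, the following added example (not from the page nor from any project named on it) uses a toy symmetric map e(a, b) = g^(ab) with G1 = G2 = Z_q written additively and GT the order-q subgroup of Z_p^*. The map is bilinear but offers no security, since discrete logarithms in additive Z_q are trivial; a real scheme uses the Weil or Tate pairing on a pairing-friendly curve computed with Miller's algorithm. The group parameters and function names are assumptions.

```python
# Added example: a toy type-1 (symmetric) bilinear map and two protocols built
# on bilinearity. G1 = G2 = Z_q with generator 1; GT = <g> in Z_p^*.
# INSECURE by construction: scalars in Z_q are visible, so "secret" keys are not.
import hashlib, secrets

P, Q, G = 1019, 509, 4   # toy group (assumption): g has prime order q in Z_p^*

def e(a, b):
    """Bilinear map e: G1 x G2 -> GT, e(a, b) = g^(a*b)."""
    return pow(G, (a * b) % Q, P)

def hash_to_g1(msg):
    """Hash a message to an element of G1 (here an element of Z_q)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

# Joux one-round three-party key agreement: each party broadcasts its public
# value; pairing the other two values and raising to the own secret gives
# e(bP, cP)^a = g^(abc) for all three parties.
def joux_key(own_secret, pub_b, pub_c):
    return pow(e(pub_b, pub_c), own_secret, P)

# BLS signatures: sk = x, pk = x.P1, sig = x.H(m), verify e(sig, P1) == e(H(m), pk).
def bls_keygen(x=None):
    x = x if x is not None else secrets.randbelow(Q - 1) + 1
    return x, x % Q                       # pk = x * generator, generator = 1

def bls_sign(x, msg):
    return (x * hash_to_g1(msg)) % Q

def bls_verify(pk, msg, sig):
    return e(sig, 1) == e(hash_to_g1(msg), pk)

def bls_aggregate(sigs):
    """Aggregate signatures on distinct messages by adding them in G1."""
    return sum(sigs) % Q

def bls_verify_aggregate(pks, msgs, agg):
    """e(agg, P1) must equal the product of e(H(m_i), pk_i) over all signers."""
    rhs = 1
    for pk, m in zip(pks, msgs):
        rhs = (rhs * e(hash_to_g1(m), pk)) % P
    return e(agg, 1) == rhs

if __name__ == "__main__":
    a, b, c = (secrets.randbelow(Q - 1) + 1 for _ in range(3))
    print("Joux keys agree:", joux_key(a, b, c) == joux_key(b, a, c) == joux_key(c, a, b))
    x, pk = bls_keygen()
    print("BLS verifies:", bls_verify(pk, b"constructed message", bls_sign(x, b"constructed message")))
```

The aggregate check is the property the Prysm and DFINITY entries rely on: many signatures collapse into one group element whose single pairing equation verifies them all.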
Selective pairings
Isogeny-based encryption
Initiated by the works of Couveignes, Teske, and Rostovtsev and Stolbunov. A surjective group morphism, not necessarily invertible, between two elliptic curves is called an isogeny. It turns out that isogenies are algebraic maps as well.
NTRU encryption
Nth degree truncated polynomial ring units (NTRU) is an open-source public-key cryptosystem that uses lattice-based cryptography to encrypt and decrypt data.
It consists of two algorithms:
 NTRUEncrypt, which is used for encryption,
 NTRUSign, which is used for digital signatures.
Unlike other popular public-key cryptosystems, it is resistant to attacks using Shor's algorithm.
NTRUEncrypt was patented, but it was placed in the public domain in 2017.
NTRUSign is patented, but it can be used by software under the GPL.
 NTRU (Wikipedia)
 1996: Jeffrey Hoffstein, Jill Pipher, and Joseph H. Silverman
 2016: Daniel Bernstein, Chitchanok Chuengsatiansup, Tanja Lange and Christine van Vredendaal released NTRU Prime
XTR encryption
XTR is an algorithm for public-key encryption, relying on the difficulty of the DLP.
XTR stands for 'ECSTR', which is an abbreviation for Efficient and Compact Subgroup Trace Representation.
It relies on the difficulty of solving discrete-logarithm-related problems in the full multiplicative group of a finite field. Unlike many cryptographic protocols that are based on a generator of the full multiplicative group of a finite field, XTR uses a generator g of a relatively small subgroup of some prime order q.
Multivariate
Multivariate cryptography is the generic term for asymmetric cryptographic primitives based on multivariate polynomials over a finite field F. In certain cases those polynomials can be defined over both a ground field and an extension field. If the polynomials have degree two, we talk about multivariate quadratics.
Solving systems of multivariate polynomial equations is proven to be NP-complete. That is why those schemes are often considered good candidates for post-quantum cryptography. It is commonly accepted that multivariate cryptography has turned out to be more successful as an approach to building signature schemes, primarily because multivariate schemes provide the shortest signatures among post-quantum algorithms.
Hybrid encryption schemes
Basics
A hybrid cryptosystem can be constructed using any two separate cryptosystems:
 a key encapsulation mechanism (KEM), which is a public-key cryptosystem, and
 a data encapsulation mechanism (DEM), which is a symmetric-key cryptosystem.
See also
Implementations
Implementations of public key cryptography today typically employ a hybrid system.
 TLS protocol
 SSH protocol
 OpenPGP file format
 PKCS #7 file format
Hybrid Public Key Encryption (HPKE, published as RFC 9180) is a modern standard for generic hybrid encryption. HPKE is used within multiple IETF protocols, including MLS and TLS Encrypted Client Hello (ECH).
Identity based encryption (IBE)
IBE is a primitive of ID-based cryptography. As such it is a type of public-key encryption in which the public key of a user is some unique information about the identity of the user (e.g. a user's email address). This means that a sender who has access to the public parameters of the system can encrypt a message using e.g. the text value of the receiver's name or email address as a key. The receiver obtains its decryption key from a central authority, which needs to be trusted as it generates secret keys for every user.
ID-based encryption was proposed by Adi Shamir in 1984. He was however only able to give an instantiation of identity-based signatures.
Identity-based encryption remained an open problem for many years. The pairing-based Boneh–Franklin scheme and Cocks's encryption scheme based on quadratic residues both solved the IBE problem in 2001.
Attribute based encryption
Attribute-based encryption is a generalisation of identity-based encryption. It is a generalisation of public-key encryption which enables fine-grained access control of encrypted data using authorisation policies. The secret key of a user and the ciphertext are dependent upon attributes (e.g. their email address, the country in which they live, or the kind of subscription they have). In such a system, the decryption of a ciphertext is possible only if the set of attributes of the user key matches the attributes of the ciphertext.
There are mainly two types of attribute-based encryption schemes:
 Key-policy attribute-based encryption (KP-ABE)
 Ciphertext-policy attribute-based encryption (CP-ABE)
KP-ABE
In KP-ABE, the access structure is specified in the private key, while the ciphertexts are labeled with a set of descriptive attributes.
Private keys are identified by a tree access structure in which each interior node of the tree is a threshold gate and the leaves are associated with attributes.
CP-ABE
In CP-ABE, an access policy is incorporated into a ciphertext, and a secret decryption key is generated for a subset of attributes held by a user.
If a user holds attributes that satisfy the access policy, she can decrypt a ciphertext encrypted under that policy.
In this model, the access policy needs to be known before encryption, and secret keys are bound to a subset of attributes.
Deniable encryption
Authenticated encryption
Authenticated encryption (AE) and authenticated encryption with associated data (AEAD) are forms of encryption which simultaneously assure the confidentiality and authenticity of data.
Six different authenticated encryption modes (namely OCB 2.0, Key Wrap, CCM, EAX, Encrypt-then-MAC (EtM), and GCM) have been standardized in ISO/IEC 19772:2009. More authenticated encryption methods were developed in response to a NIST solicitation.
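An added example, not from the page or from RFC 9180, of the KEM/DEM split from the hybrid-encryption section together with the Encrypt-then-MAC construction from this section as the data encapsulation mechanism. The KEM is a toy Diffie-Hellman encapsulation in a 10-bit group (HPKE uses X25519 or P-256), the DEM keystream is a SHA-256 counter-mode stand-in for AES-GCM or ChaCha20-Poly1305, and HKDF-SHA256 (RFC 5869) is implemented inline so that only the standard library is needed; all group parameters, labels and function names are assumptions. The MAC is verified before any decryption is attempted, and the associated data is bound by the tag but not encrypted.

```python
# Added example: HPKE-style hybrid encryption = KEM (public key) + DEM (AEAD).
# The DEM is Encrypt-then-MAC: encrypt, then MAC over nonce || aad || ciphertext.
import hashlib, hmac, secrets

P, Q, G = 1019, 509, 4   # toy safe-prime group (assumption); g has prime order q

def hkdf(ikm, salt, info, length):
    """HKDF-SHA256 extract-then-expand (RFC 5869)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

# --- KEM: Diffie-Hellman key encapsulation --------------------------------------
def kem_keygen(sk=None):
    sk = sk if sk is not None else secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def kem_encap(pk, r=None):
    """Returns (enc = g^r, shared key derived from pk^r bound to enc and pk)."""
    r = r if r is not None else secrets.randbelow(Q - 1) + 1
    enc, dh = pow(G, r, P), pow(pk, r, P)
    ctx = enc.to_bytes(2, "big") + pk.to_bytes(2, "big")
    return enc, hkdf(dh.to_bytes(2, "big"), b"", b"toy kem" + ctx, 32)

def kem_decap(sk, pk, enc):
    dh = pow(enc, sk, P)                       # enc^sk = g^(r*sk) = pk^r
    ctx = enc.to_bytes(2, "big") + pk.to_bytes(2, "big")
    return hkdf(dh.to_bytes(2, "big"), b"", b"toy kem" + ctx, 32)

# --- DEM: Encrypt-then-MAC AEAD ------------------------------------------------------
def keystream(key, nonce, length):
    """Counter-mode keystream from SHA-256 (stand-in for a real stream cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def dem_keys(key):
    """Separate encryption and MAC keys derived from the shared key."""
    keys = hkdf(key, b"", b"dem keys", 64)
    return keys[:32], keys[32:]

def aead_seal(key, nonce, aad, plaintext):
    enc_key, mac_key = dem_keys(key)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()
    return ct + tag                             # EtM: tag covers the ciphertext

def aead_open(key, nonce, aad, sealed):
    enc_key, mac_key = dem_keys(key)
    ct, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                             # reject before any decryption
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))

# --- Hybrid: KEM + DEM ----------------------------------------------------------------
def hybrid_encrypt(pk, aad, plaintext, r=None):
    enc, key = kem_encap(pk, r)
    nonce = hkdf(key, b"", b"base nonce", 12)  # fresh key per message => fresh nonce
    return enc, aead_seal(key, nonce, aad, plaintext)

def hybrid_decrypt(sk, pk, aad, enc, sealed):
    key = kem_decap(sk, pk, enc)
    nonce = hkdf(key, b"", b"base nonce", 12)
    return aead_open(key, nonce, aad, sealed)

if __name__ == "__main__":
    sk, pk = kem_keygen()
    enc, sealed = hybrid_encrypt(pk, b"header v1", b"constructed sample plaintext")
    print(hybrid_decrypt(sk, pk, b"header v1", enc, sealed))
    print(hybrid_decrypt(sk, pk, b"header v2", enc, sealed))   # None: aad mismatch
```

Only the small public-key operation runs per message; the bulk data goes through the symmetric DEM, which is why TLS, SSH, OpenPGP and PKCS #7 all follow this shape.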
Basics
Lightweight cryptography (LWC) for constrained environments
LWC basics
 NIST: on February 7, 2023, NIST announced the selection of the Ascon family for lightweight cryptography standardization.