Encryption

Contents

Local files

See also:

PQ encryption

Symmetric encryption

DES and 3DES

DES modes of operation: FIPS 81; DES and 3DES: FIPS 46-3.

AES

Asymmetric encryption of symmetric keys

Asymmetric encryption

RSA encryption

Based on the difficulty of integer factorisation.

ElGamal encryption

Based on the difficulty of the Diffie-Hellman problem (the problem underlying Diffie-Hellman key exchange). The scheme is probabilistic: a fresh random number is used in each encryption, so encrypting the same message twice gives a different result.

Private key y is a random element, public key Y = y·G. For a message M and a random number t, encryption is (t·G, M + t·Y).
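The formula above, worked as an added example (not code from the original page): a toy elliptic-curve ElGamal on the textbook curve y^2 = x^3 + 2x + 2 over GF(17), which has prime order 19 and generator G = (5, 1). Decryption is the step the notes omit: M = C2 - y·C1, since y·C1 = y·t·G = t·Y. The curve, the message-as-point encoding and the function names are assumptions.

```python
import secrets

# Toy curve y^2 = x^3 + 2x + 2 over GF(17): 19 points (prime), generator G = (5, 1).
# Constructed for illustration only; far too small to be secure.
P, A = 17, 2
G, N = (5, 1), 19          # generator and group order
O = None                   # point at infinity (identity)

def add(p1, p2):
    """Chord-and-tangent group law; O is the identity."""
    if p1 is O or p2 is O:
        return p2 if p1 is O else p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O                                   # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Scalar multiplication k*pt by double-and-add."""
    acc = O
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def keygen():
    """Private key y random in [1, N-1]; public key Y = y*G."""
    y = secrets.randbelow(N - 1) + 1
    return y, mul(y, G)

def encrypt(Y, M, t=None):
    """Encrypt a curve point M as (t*G, M + t*Y) with a fresh random t."""
    if t is None:
        t = secrets.randbelow(N - 1) + 1
    return mul(t, G), add(M, mul(t, Y))

def decrypt(y, ct):
    """Recover M = C2 - y*C1, since y*C1 = y*t*G = t*Y."""
    c1, c2 = ct
    s = mul(y, c1)
    return add(c2, O if s is O else (s[0], (-s[1]) % P))  # add -(y*C1)
```

Encrypting the same point twice with different t gives different first components, which is the probabilistic property described above.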

Linear encryption

Boneh, Boyen, and Shacham define a public key encryption scheme by analogy to ElGamal encryption. In this scheme, the public key is three generators u, v, h; the private key is two exponents x, y such that u^x = v^y = h.

Encryption combines a message m in G with the public key and two random exponents a, b to create a ciphertext c := (c1, c2, c3) = (u^a, v^b, m·h^(a+b)).

To decrypt the ciphertext, the private key is used to compute m' := c3 · (c1^x · c2^y)^(-1).
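The three formulas above, worked as an added example (not code from the original page or from the BBS paper): linear encryption instantiated in the order-q subgroup of Z_p^* for the safe prime p = 23, which is an assumption made to keep the arithmetic visible. Key generation picks v = u^(x·y^-1 mod q) so that u^x = v^y = h holds; decryption works because c1^x = h^a and c2^y = h^b.

```python
import secrets

# Toy group: order-q subgroup of Z_p^* for safe prime p = 2q + 1 (quadratic residues).
# Constructed for illustration only; p = 23 is far too small to be secure.
P, Q = 23, 11
U = 4                      # generator of the order-11 subgroup

def keygen():
    """Private key (x, y); public key (u, v, h) with u^x = v^y = h."""
    x = secrets.randbelow(Q - 1) + 1
    y = secrets.randbelow(Q - 1) + 1
    h = pow(U, x, P)
    v = pow(U, x * pow(y, -1, Q) % Q, P)   # v = u^(x/y), so v^y = u^x = h
    return (x, y), (U, v, h)

def encrypt(pk, m, a=None, b=None):
    """c = (u^a, v^b, m * h^(a+b)) with fresh random exponents a, b."""
    u, v, h = pk
    a = secrets.randbelow(Q) if a is None else a
    b = secrets.randbelow(Q) if b is None else b
    return pow(u, a, P), pow(v, b, P), m * pow(h, a + b, P) % P

def decrypt(sk, ct):
    """m' = c3 * (c1^x * c2^y)^-1; c1^x = h^a and c2^y = h^b cancel the mask."""
    x, y = sk
    c1, c2, c3 = ct
    mask = pow(c1, x, P) * pow(c2, y, P) % P
    return c3 * pow(mask, -1, P) % P
```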

ECC encryption

Basics

Typically based on the difficulty of DLP on an elliptic curve. ECDLP is the problem of finding an ECC user's secret key, given the user's public key.

Several discrete logarithm-based protocols have been adapted to elliptic curves, replacing the group Z_p^× with an elliptic curve.

At the RSA Conference 2005, the National Security Agency (NSA) announced Suite B, which exclusively uses ECC for digital signature generation and key exchange. The suite is intended to protect both classified and unclassified national security systems and information.

A large number of cryptographic primitives based on bilinear mappings on various elliptic curve groups, such as the Weil and Tate pairings, have been introduced. Schemes based on these primitives provide efficient identity-based encryption as well as pairing-based signatures, signcryption, key agreement, and proxy re-encryption.

Curve selection

NIST ECC

NIST has standardized elliptic curve cryptography for digital signature algorithms in FIPS 186 and for key establishment schemes in SP 800-56A.

Pairing-based encryption

Basics

A pairing is a bilinear map. It can e.g. be defined over elliptic curves.

Pairings involve three groups of prime order. The Stanford PBC library calls them G1, G2, and GT, and calls the order r. The pairing is a bilinear map that takes two elements as input, one from G1 and one from G2, and outputs an element of GT.

The elements of G2 are at least as long as G1; G1 is guaranteed to be the shorter of the two. Sometimes G1 and G2 are the same group (i.e. the pairing is symmetric) so their elements can be mixed freely.

Galbraith, Paterson, and Smart defined three types of pairings: in type 1, G1 = G2; in type 2, G1 ≠ G2 but there exists an efficient homomorphism φ : G2 → G1, while no efficient one exists in the other direction; in type 3, G1 ≠ G2 and no efficiently computable homomorphism exists between G1 and G2, in either direction.

Although type 1 pairings were mostly used in the early days of pairing-based cryptography, they have gradually been discarded in favour of type 3 pairings. The latter offer better efficiency and are compatible with several computational assumptions, such as the Decisional Diffie-Hellman assumption in G1 or G2 (also known as the XDH assumption), which does not hold in type 1 pairings.

Pairing on elliptic curves

Curves used for ordinary elliptic curve cryptography are chosen so that no pairing on them is efficiently computable, since an efficiently computable pairing breaks the curve's discrete logarithm problem; pairing-based cryptography instead relies on curves chosen specifically so that the pairing can be computed efficiently.

It is used in identity-based encryption (IBE), attribute-based encryption (ABE), authenticated key exchange (AKE), short signatures and so on.

Quoting Ben Lynn: Minimal pairing-based cryptography requires: Further info:

Selective pairings

Isogeny-based encryption

Isogeny-based cryptography was initiated by the works of Couveignes, Teske, and Rostovtsev and Stolbunov. A surjective group morphism between two elliptic curves, not necessarily invertible, is called an isogeny. It turns out that isogenies are algebraic maps as well.

NTRU encryption

Nth degree truncated polynomial ring units (NTRU) is an open source public-key cryptosystem that uses lattice-based cryptography to encrypt and decrypt data. It consists of two algorithms: NTRUEncrypt, used for encryption, and NTRUSign, used for digital signatures. Unlike other popular public-key cryptosystems, it is resistant to attacks using Shor's algorithm. NTRUEncrypt was patented, but it was placed in the public domain in 2017. NTRUSign is patented, but it can be used by software under the GPL.

XTR encryption

XTR is a public-key encryption algorithm relying on the difficulty of discrete logarithm related problems in the full multiplicative group of a finite field. The name XTR comes from 'ECSTR', an abbreviation for Efficient and Compact Subgroup Trace Representation. Unlike many cryptographic protocols that are based on a generator of the full multiplicative group of a finite field, XTR uses the generator g of a relatively small subgroup of some prime order q of a subgroup of GF(p^6)^*.

Multivariate

Multivariate cryptography is the generic term for asymmetric cryptographic primitives based on multivariate polynomials over a finite field F. In certain cases those polynomials can be defined over both a ground field and an extension field. If the polynomials have degree two, one speaks of multivariate quadratics.

Solving systems of multivariate polynomial equations is proven to be NP-complete, which is why such schemes are often considered good candidates for post-quantum cryptography. It is commonly held that multivariate cryptography has been more successful as an approach to building signature schemes, primarily because multivariate schemes provide the shortest signatures among post-quantum algorithms.

Hybrid encryption schemes

Basics

A hybrid cryptosystem can be constructed using any two separate cryptosystems: a key encapsulation mechanism, which is a public-key cryptosystem, and a data encapsulation scheme, which is a symmetric-key cryptosystem.

Implementations

Implementations of public key cryptography today typically employ a hybrid system. Hybrid Public Key Encryption (HPKE, published as RFC 9180) is a modern standard for generic hybrid encryption. HPKE is used within multiple IETF protocols, including MLS and TLS Encrypted Client Hello (ECH).

Identity based encryption (IBE)

IBE is a primitive of ID-based cryptography. As such it is a type of public-key encryption in which the public key of a user is some unique information about the identity of the user (e.g. a user's email address). This means that a sender who has access to the public parameters of the system can encrypt a message using e.g. the text-value of the receiver's name or email address as a key. The receiver obtains its decryption key from a central authority, which needs to be trusted as it generates secret keys for every user.

ID-based encryption was proposed by Adi Shamir in 1984. However, he was only able to give an instantiation of identity-based signatures.

Identity-based encryption remained an open problem for many years. The pairing-based Boneh–Franklin scheme and Cocks's encryption scheme based on quadratic residues both solved the IBE problem in 2001.

Attribute based encryption

Attribute-based encryption is a generalisation of identity-based encryption, and thus of public-key encryption, which enables fine-grained access control of encrypted data using authorisation policies. The secret key of a user and the ciphertext depend on attributes (e.g. the user's email address, the country in which they live, or the kind of subscription they have). In such a system, decryption of a ciphertext is possible only if the set of attributes of the user key matches the attributes of the ciphertext.

There are mainly two types of attribute-based encryption schemes:

KP-ABE

In KP-ABE, the access structure is specified in the private key, while the ciphertexts are labeled with a set of descriptive attributes.

Private keys are identified by a tree-access structure in which each interior node of the tree is a threshold gate and the leaves are associated with attributes.

CP-ABE

In CP-ABE, an access policy is incorporated into a ciphertext, and a secret decryption key is generated for a subset of attributes held by a user. If a user holds attributes that satisfy the access policy, they can decrypt ciphertexts encrypted under that policy. In this model, the access policy needs to be known before encryption, and secret keys are bound to a subset of attributes.
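The decryption condition shared by the KP-ABE and CP-ABE descriptions above, as an added example (not code from the original page): a threshold-gate access tree with attributes at the leaves, evaluated against an attribute set, then used both ways round (tree in the key for KP-ABE, tree in the ciphertext for CP-ABE). It models only the policy check, not the pairing arithmetic that enforces it; the attribute names and the policy are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Gate:
    """Interior node of the access tree: a k-of-n threshold gate."""
    k: int
    children: list = field(default_factory=list)   # Gates or attribute strings (leaves)

def satisfied(node, attrs):
    """True if the attribute set satisfies the (sub)tree rooted at node."""
    if isinstance(node, str):
        return node in attrs                       # leaf: attribute must be present
    met = sum(satisfied(c, attrs) for c in node.children)
    return met >= node.k                           # threshold gate

def AND(*children):
    return Gate(len(children), list(children))     # n-of-n gate

def OR(*children):
    return Gate(1, list(children))                 # 1-of-n gate

def kp_abe_can_decrypt(key_policy, ciphertext_attrs):
    """KP-ABE: the access tree is in the key; the ciphertext carries attributes."""
    return satisfied(key_policy, set(ciphertext_attrs))

def cp_abe_can_decrypt(key_attrs, ciphertext_policy):
    """CP-ABE: the access tree is in the ciphertext; the key carries attributes."""
    return satisfied(ciphertext_policy, set(key_attrs))

# Constructed example policy:
# (subscription:premium AND country:DE) OR at least 2 of {role:auditor, dept:security, clearance:high}
POLICY = OR(AND("subscription:premium", "country:DE"),
            Gate(2, ["role:auditor", "dept:security", "clearance:high"]))
```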

Deniable encryption

Authenticated encryption

Authenticated encryption (AE) and authenticated encryption with associated data (AEAD) are forms of encryption which simultaneously assure the confidentiality and authenticity of data.

Six different authenticated encryption modes (namely OCB 2.0, Key Wrap, CCM, EAX, Encrypt-then-MAC (EtM), and GCM) have been standardized in ISO/IEC 19772:2009. More authenticated encryption methods were developed in response to a NIST solicitation.

Basics

Lightweight Cryptography (LWC) for constrained environments

LWC basics