Encryption
Contents
Local files
See also:
PQ encryption
Symmetric encryption
DES and 3DES
DES modes of operation: FIPS 81; DES and 3DES: FIPS 46-3
AES
Asymmetric encryption of symmetric keys
- RFC 3766 Determining Strengths For Public Keys Used For Exchanging Symmetric Keys
Asymmetric encryption
RSA encryption
Based on the difficulty of factorisation.
ElGamal encryption
Based on the difficulty of the Diffie-Hellman problem. It is probabilistic: a fresh random number is used in each encryption, so encrypting the same message twice gives different ciphertexts.
The private key y is a random element and the public key is Y = y·G. For a message M and a random number t, the ciphertext is (t·G, M + t·Y).
Linear encryption
Boneh, Boyen, and Shacham define a public-key encryption scheme by analogy to ElGamal encryption. In this scheme, the public key is three generators u, v, h. The private key is two exponents x, y such that u^x = v^y = h.
Encryption combines a message m in G with the public key, using random exponents a, b, to create a ciphertext c := (c1, c2, c3) = (u^a, v^b, m·h^(a+b)).
To decrypt the ciphertext, the private key is used to compute m' := c3 · (c1^x · c2^y)^(-1).
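The two schemes above, as an added example that is not taken from the page or from Boneh, Boyen and Shacham's paper: ElGamal and linear encryption written multiplicatively over a toy prime-order subgroup of Z_p^* (the group parameters are constructed and far too small for real use). The private exponents of linear encryption satisfy u^x = v^y = h, and decryption strips h^(a+b) exactly as described.

```python
import secrets

# Toy group (constructed for this example, far too small for real use): p = 2q + 1 is a
# safe prime, so the squares mod p form a subgroup of prime order q generated by g = 4.
P, Q, G = 1019, 509, 4

def rand_exp():
    """Uniform exponent in [1, q-1]; every such value is invertible mod q."""
    return 1 + secrets.randbelow(Q - 1)

def elgamal_keygen():
    """Private key y, public key Y = g^y (the page's Y = y.G, written multiplicatively)."""
    y = rand_exp()
    return y, pow(G, y, P)

def elgamal_encrypt(Y, m, t=None):
    """Ciphertext (g^t, m * Y^t); a fresh random t makes the scheme probabilistic."""
    t = rand_exp() if t is None else t
    return pow(G, t, P), (m * pow(Y, t, P)) % P

def elgamal_decrypt(y, c):
    c1, c2 = c
    return (c2 * pow(c1, -y, P)) % P  # Y^t = c1^y, so divide it out

def linear_keygen():
    """Private key (x, y); public key (u, v, h) with u^x = v^y = h (Boneh-Boyen-Shacham)."""
    x, y = rand_exp(), rand_exp()
    h = pow(G, rand_exp(), P)
    u = pow(h, pow(x, -1, Q), P)  # u = h^(1/x) so that u^x = h
    v = pow(h, pow(y, -1, Q), P)  # v = h^(1/y) so that v^y = h
    return (x, y), (u, v, h)

def linear_encrypt(pk, m, a=None, b=None):
    """Ciphertext (u^a, v^b, m * h^(a+b)) for a message m in the group."""
    u, v, h = pk
    a = rand_exp() if a is None else a
    b = rand_exp() if b is None else b
    return pow(u, a, P), pow(v, b, P), (m * pow(h, a + b, P)) % P

def linear_decrypt(sk, c):
    """m = c3 * (c1^x * c2^y)^-1, since c1^x * c2^y = h^a * h^b = h^(a+b)."""
    (x, y), (c1, c2, c3) = sk, c
    blind = (pow(c1, x, P) * pow(c2, y, P)) % P
    return (c3 * pow(blind, -1, P)) % P
```

Messages must be group elements (here, powers of g); the fixed randomness parameters exist only so a test can show that two encryptions of one message differ.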
ECC encryption
Basics
Typically based on the difficulty of DLP on an elliptic curve. ECDLP is the problem of finding an ECC user's secret key, given the user's public key.
Several discrete logarithm-based protocols have been adapted to elliptic curves, replacing the group Zp^× with an elliptic curve:
- The EC Diffie–Hellman (ECDH) key agreement scheme is based on the Diffie–Hellman scheme,
- The EC Integrated Encryption Scheme (ECIES), also known as Elliptic Curve Augmented Encryption Scheme or simply the Elliptic Curve Encryption Scheme,
- The EC Digital Signature Algorithm (ECDSA) is based on the Digital Signature Algorithm,
- The deformation scheme using Harrison's p-adic Manhattan metric,
- The Edwards-curve Digital Signature Algorithm (EdDSA) is based on Schnorr signature and uses twisted Edwards curves,
- The ECMQV key agreement scheme is based on the MQV key agreement scheme,
- The ECQV implicit certificate scheme.
At the RSA Conference 2005, the National Security Agency (NSA) announced Suite B which exclusively uses ECC for digital signature generation and key exchange. The suite is intended to protect both classified and unclassified national security systems and information.
A large number of cryptographic primitives based on bilinear mappings on various elliptic curve groups, such as the Weil and Tate pairings, have been introduced. Schemes based on these primitives provide efficient identity-based encryption as well as pairing-based signatures, signcryption, key agreement, and proxy re-encryption.
Curve selection
- ECC - safe curves - Daniel Bernstein, Tanja Lange
- There are many standards that try to ensure that the elliptic-curve discrete-logarithm problem (ECDLP) is difficult.
- Be aware that there is a gap between ECDLP difficulty and ECC security. There are attacks that break real-world ECC without solving ECDLP. The core problem is that if you implement the standard curves, chances are you're doing it wrong.
- Standards include:
  - ANSI X9.62 (1999)
  - IEEE P1363 (2000)
  - SEC 2 (2000)
  - NIST FIPS 186-2 (2000)
  - ANSI X9.63 (2001)
  - Brainpool (2005)
  - NSA Suite B (2005)
  - ANSSI FRP256V1 (2011)
  - NIST updates...
NIST ECC
NIST has standardized elliptic curve cryptography for digital signature algorithms in FIPS 186 and for key establishment schemes in SP 800-56A.
- NIST ECC page
- FIPS 186-4 (DSS) proposed 15 curves of varying security levels. It has been superseded by FIPS 186-5 (February 3, 2023).
- FIPS 186-5 approves three techniques:
  - RSA as per IETF RFC 8017 and previously specified in Public Key Cryptography Standard (PKCS) #1.
  - ECDSA is specified in this standard. A variant of ECDSA with a deterministic signature generation procedure, known as deterministic ECDSA, is also approved and specified in IETF RFC 6979. Recommended elliptic curves for Federal Government use of ECDSA (including deterministic ECDSA) are provided in SP 800-186.
  - EdDSA as per IETF RFC 8032. Recommended curves for use of EdDSA are provided in SP 800-186. Also included is HashEdDSA.
- NIST SP 800-186 Recommendations for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters
  - Curves:
    - non-binary: short-Weierstrass form (P-192, P-256, ...), Montgomery curves (Curve25519, ...), Edwards curves (Edwards25519, ...)
    - binary (deprecated): Koblitz (K-...) and pseudo-random (B-...) curves
  - appendix: other allowed curves: Brainpool, secp256k1
Pairing-based encryption
Basics
A pairing is a bilinear map. It can e.g. be defined over elliptic curves.
Pairings involve three groups of prime order. The Stanford PBC library calls them G1, G2, and GT, and calls the order r. The pairing is a bilinear map that takes two elements as input, one from G1 and one from G2, and outputs an element of GT.
The elements of G2 are at least as long as G1; G1 is guaranteed to be the shorter of the two. Sometimes G1 and G2 are the same group (i.e. the pairing is symmetric) so their elements can be mixed freely.
Galbraith, Paterson, and Smart defined three types of pairings: in type 1, G1 = G2; in type 2, G1 ≠ G2 but there exists an efficient homomorphism φ : G2 → G1, while no efficient one exists in the other direction; in type 3, G1 ≠ G2 and no efficiently computable homomorphism exists between G1 and G2, in either direction.
Although type 1 pairings were mostly used in the early days of pairing-based cryptography, they have gradually been discarded in favour of type 3 pairings. The latter offer better efficiency and are compatible with several computational assumptions, such as the Decision Diffie-Hellman assumption in G1 or G2 (also known as the XDH assumption), which does not hold for type 1 pairings.
- Pairing - Wikipedia
- Bilinear map - Wikipedia
A bilinear map is a function combining elements of two vector spaces to yield an element of a third vector space, and is linear in each of its arguments. Matrix multiplication is an example.
Pairing on elliptic curves
Curves used for ordinary elliptic curve cryptography are chosen so that no pairing is efficiently computable, since an efficiently computable pairing would break the ECDLP on that curve; pairing-based cryptography instead needs curves on which a pairing can be computed efficiently.
Pairings are used in identity-based encryption (IBE), attribute-based encryption (ABE), authenticated key exchange (AKE), short signatures and so on.
Quoting Ben Lynn: Minimal pairing-based cryptography requires:
- Arithmetic in Zp. I built mine on top of the GMP library, which conveniently provides number theoretic functions such as inversion modulo a prime and the Jacobi symbol.
- Elliptic curve groups: mostly routines for solving y^2 = x^3 + ax + b over Zp, point addition and multiplication.
- Bilinear pairing: Miller’s algorithm.
Further info:
- Freeman - Taxonomy of pairing-friendly curves (2007)
- IETF on pairing-friendly curves - several applications using pairing-based cryptography are standardized and implemented.
- IETF issues RFCs for pairing-based cryptography such as identity-based cryptography, certificateless signatures, Sakai-Kasahara Key Encryption (SAKKE), and Identity-Based Authenticated Key Exchange (IBAKE); SAKKE is applied to Multimedia Internet KEYing (MIKEY) and used in 3GPP.
- Pairing-based key agreement protocols are standardized in ISO/IEC 11770-3:2015, which contains a key agreement scheme by Joux, identity-based key agreement schemes by Smart-Chen-Cheng and by Fujioka-Suzuki-Ustaoglu.
- MIRACL implements M-Pin, a multi-factor authentication protocol. M-Pin protocol includes a kind of zero-knowledge proof, where pairing is used for its construction.
- Trusted Computing Group (TCG) specifies ECDAA (Elliptic Curve Direct Anonymous Attestation) in the specification of the Trusted Platform Module (TPM). ECDAA is a protocol for proving to a verifier that a TPM holds an attestation without revealing that attestation. Pairing is used for constructing ECDAA.
- FIDO Alliance and W3C also published an ECDAA algorithm similar to TCG's.
- Zcash implements a zero-knowledge proof algorithm named zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge), used for protecting the privacy of Zcash transactions. They use pairings for constructing zk-SNARKs.
- Cloudflare introduced Geo Key Manager to restrict the distribution of customers' private keys to a subset of their data centers. To achieve this, attribute-based encryption based on pairings is used.
- DFINITY utilized a threshold signature scheme to generate decentralized random beacons. They constructed a BLS signature-based scheme, which is based on pairings.
- In Ethereum 2.0, project Prysm applies signature aggregation for scalability benefits by leveraging DFINITY's random-beacon chain playground. Their code is published on GitHub.
Selective pairings
Isogeny-based encryption
Initiated by the works of Couveignes, Teske, and Rostovtsev and Stolbunov. An isogeny is a surjective group morphism, not necessarily invertible, between two elliptic curves; it turns out that isogenies are algebraic maps as well.
NTRU encryption
Nth degree truncated polynomial ring units (NTRU) is an open source public-key cryptosystem that uses lattice-based cryptography to encrypt and decrypt data.
It consists of two algorithms:
- NTRUEncrypt, which is used for encryption,
- NTRUSign, which is used for digital signatures.
Unlike other popular public-key cryptosystems, it is resistant to attacks using Shor's algorithm.
NTRUEncrypt was patented, but it was placed in the public domain in 2017.
NTRUSign is patented, but it can be used by software under the GPL.
- NTRU - Wikipedia
- 1996: proposed by Jeffrey Hoffstein, Jill Pipher, and Joseph H. Silverman
- 2016, Daniel Bernstein, Chitchanok Chuengsatiansup, Tanja Lange and Christine van Vredendaal released NTRU Prime
XTR encryption
XTR is a public-key encryption algorithm relying on the difficulty of the discrete logarithm problem (DLP).
XTR stands for 'ECSTR', an abbreviation of Efficient and Compact Subgroup Trace Representation.
It relies on the difficulty of solving discrete-logarithm-related problems in the full multiplicative group of a finite field. Unlike many cryptographic protocols that are based on a generator of the full multiplicative group of a finite field, XTR uses a generator g of a relatively small subgroup of prime order q within that group.
Multivariate
Multivariate is the generic term for asymmetric cryptographic primitives based on multivariate polynomials over a finite field F. In certain cases those polynomials can be defined over both a ground field and an extension field. If the polynomials have degree two, we talk about multivariate quadratics.
Solving systems of multivariate polynomial equations is proven to be NP-complete. That is why these schemes are often considered good candidates for post-quantum cryptography. It is commonly accepted that multivariate cryptography has been more successful as an approach to building signature schemes, mainly because multivariate schemes provide the shortest signatures among post-quantum algorithms.
Hybrid encryption schemes
Basics
A hybrid cryptosystem can be constructed using any two separate cryptosystems:
- a key encapsulation mechanism, which is a public-key cryptosystem, and
- a data encapsulation scheme, which is a symmetric-key cryptosystem.
See also
Implementations
Implementations of public key cryptography today typically employ a hybrid system.
- TLS protocol
- SSH protocol
- OpenPGP file format
- PKCS #7 file format
Hybrid Public Key Encryption (HPKE, published as RFC 9180) is a modern standard for generic hybrid encryption. HPKE is used within multiple IETF protocols, including MLS and TLS Encrypted Client Hello.
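A KEM/DEM hybrid built only from the Python standard library, as an added example that is neither HPKE nor any project's code: a Diffie-Hellman KEM over a constructed toy group, a KDF that binds the derived keys to the encapsulation, and an encrypt-then-MAC DEM built from HMAC-SHA256. The toy group and the HMAC-based stream cipher are illustrative stand-ins for the ECDH and AES-GCM a real deployment would use.

```python
import hashlib
import hmac
import secrets

P, Q, G = 1019, 509, 4  # constructed toy group: p = 2q+1 safe prime, g of order q; far too small for real use

def kem_keygen():
    x = 1 + secrets.randbelow(Q - 1)  # recipient's private key
    return x, pow(G, x, P)  # public key X = g^x

def _kdf(enc, shared):
    # Bind the keys to the encapsulation (as HPKE does), then split into enc/mac keys.
    ikm = enc.to_bytes(2, "big") + shared.to_bytes(2, "big")
    return hashlib.sha256(ikm + b"enc").digest(), hashlib.sha256(ikm + b"mac").digest()

def kem_encap(X):
    r = 1 + secrets.randbelow(Q - 1)  # sender's ephemeral secret
    enc = pow(G, r, P)  # encapsulation g^r; shared secret X^r = g^(xr)
    return enc, _kdf(enc, pow(X, r, P))

def kem_decap(x, enc):
    return _kdf(enc, pow(enc, x, P))  # enc^x = g^(rx): same secret, same keys

def _keystream(k_enc, nonce, n):
    # HMAC-SHA256 in counter mode as a PRF stream cipher (stand-in for AES-CTR).
    return b"".join(hmac.new(k_enc, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range((n + 31) // 32))[:n]

def dem_seal(keys, plaintext, aad=b""):
    k_enc, k_mac = keys
    nonce = secrets.token_bytes(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    # Encrypt-then-MAC: tag covers length-prefixed aad, nonce and ciphertext.
    tag = hmac.new(k_mac, len(aad).to_bytes(4, "big") + aad + nonce + ct, "sha256").digest()
    return nonce + ct + tag

def dem_open(keys, sealed, aad=b""):
    k_enc, k_mac = keys
    nonce, ct, tag = sealed[:12], sealed[12:-32], sealed[-32:]
    expect = hmac.new(k_mac, len(aad).to_bytes(4, "big") + aad + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("authentication failed")  # reject before decrypting anything
    return bytes(c ^ k for c, k in zip(ct, _keystream(k_enc, nonce, len(ct))))

def hybrid_encrypt(X, plaintext, aad=b""):
    enc, keys = kem_encap(X)  # one public-key operation, then symmetric crypto for the data
    return enc, dem_seal(keys, plaintext, aad)

def hybrid_decrypt(x, enc, sealed, aad=b""):
    return dem_open(kem_decap(x, enc), sealed, aad)
```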
Identity based encryption (IBE)
IBE is a primitive of ID-based cryptography. As such it is a type of public-key encryption in which the public key of a user is some unique information about the identity of the user (e.g. a user's email address). This means that a sender who has access to the public parameters of the system can encrypt a message using e.g. the text-value of the receiver's name or email address as a key. The receiver obtains its decryption key from a central authority, which needs to be trusted as it generates secret keys for every user.
ID-based encryption was proposed by Adi Shamir in 1984. He was however only able to give an instantiation of identity-based signatures.
Identity-based encryption remained an open problem for many years. The pairing-based Boneh–Franklin scheme and Cocks's encryption scheme based on quadratic residues both solved the IBE problem in 2001.
Attribute based encryption
Attribute-based encryption is a generalisation of identity-based encryption, and hence of public-key encryption, which enables fine-grained access control of encrypted data using authorisation policies. The secret key of a user and the ciphertext depend on attributes (e.g. the user's email address, the country in which they live, or the kind of subscription they have). In such a system, decryption of a ciphertext is possible only if the set of attributes of the user key matches the attributes of the ciphertext.
There are mainly two types of attribute-based encryption schemes:
- Key-policy attribute-based encryption - KP-ABE
- Ciphertext-policy attribute-based encryption - CP-ABE
KP-ABE
In KP-ABE, the access structure is specified in the private key, while the ciphertexts are labeled with a set of descriptive attributes.
Private keys are identified by a tree-access structure in which each interior node of the tree is a threshold gate and the leaves are associated with attributes.
CP-ABE
In CP-ABE, an access policy is incorporated into a ciphertext, and a secret decryption key is generated for a subset of attributes held by a user.
A user holding attributes that satisfy the access policy can decrypt any ciphertext encrypted under that policy.
In this model, the access policy needs to be known before encryption, and secret keys are bound to a subset of attributes.
Deniable encryption
Authenticated encryption
Authenticated encryption (AE) and authenticated encryption with associated data (AEAD) are forms of encryption which simultaneously assure the confidentiality and authenticity of data.
Six different authenticated encryption modes (namely OCB 2.0, Key Wrap, CCM, EAX, Encrypt-then-MAC (EtM), and GCM) have been standardized in ISO/IEC 19772:2009. More authenticated encryption methods were developed in response to NIST solicitation.
Basics
Lightweight Cryptography (LWC) for constrained environments
LWC basics
- NIST: on February 7, 2023, NIST announced the selection of the Ascon family for lightweight cryptography standardization.