Privacy and integrity properties of $\mathrm{ECIES}$ scheme
Matematičeskie voprosy kriptografii, Tome 15 (2024) no. 2, pp. 101-136. This article was harvested from the source Math-Net.Ru


We analyze the $\mathrm{ECIES}$ scheme in the provable security framework. The object of study ($\mathrm{ECIES}$) is an asymmetric (hybrid) authenticated encryption scheme built from a key exchange scheme $\mathsf{KE}$ and an AE(AD) scheme $\mathsf{AE}$. The encryption process consists of two steps: (a) generating an ephemeral key pair and a session secret key $K$ using $\mathsf{KE}$; (b) encrypting the message $m$ under the key $K$ using $\mathsf{AE}$ and sending the results to the recipient. We show that the adversarial advantage against the $\mathrm{ECIES}$ scheme in the (standard) $\mathsf{LOR-CCA}$ and $\mathsf{INT-CTXT}$ models can be upper bounded by the adversarial advantage against $\mathsf{KE}$ in the $\mathsf{mODH}$ model (Oracle Diffie-Hellman model with multiple queries) and against $\mathsf{AE}$ in the (standard) $\mathsf{LOR-CCA}$ and $\mathsf{INT-CTXT}$ models, respectively. Security in these models implies the following informal properties: (a) the adversary is unable to extract any useful information about the plaintext from a given ciphertext (except for its length); (b) given an ephemeral public key chosen by an honest party, the adversary is unable to form a ciphertext that decrypts correctly under this key (for instance, it cannot modify messages formed by honest senders).
We point out some differences between our analysis and the previous ones: (a) previously, only the confidentiality of the $\mathrm{ECIES}$ scheme was analyzed; the integrity of the scheme (in either the $\mathsf{INT-CTXT}$ or the $\mathsf{INT-PTXT}$ model) was not considered; (b) the confidentiality model used in the previous analysis (LOR-CCA-fg/IND-CCA2) allows only one encryption challenge query to the $\mathcal{O}_{\mathrm{enc}}^b$ oracle; the generalization to $q_e$ queries to the encryption oracle does not seem to be an immediate consequence, yet the ability to make a number of queries can make a difference in practice; (c) the analysis given in the previous papers can be made slightly more general: we allow any AE(AD) scheme to be used instead of the concrete Encrypt-then-MAC construction. Hence, we show that the key generation step and the encryption process in the generic $\mathrm{ECIES}$ scheme can be separated and studied independently, which allows one to develop more modular security solutions. The scheme can be used as a building block of more involved protocols (e.g., as a part of user anonymous authentication in the 5G-AKA protocol).
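As an added illustration (not code from the paper), the two-step $\mathsf{KE}$ + $\mathsf{AE}$ structure described above, written so that either component can be replaced independently: a toy finite-field Diffie-Hellman stands in for the elliptic-curve key exchange, and HMAC-SHA256 in counter mode with an Encrypt-then-MAC tag stands in for the AE(AD) scheme. All function names, the group parameters `P`, `G` and the sample inputs are constructed assumptions; the `demo` function exercises the round trip and the integrity property (b), where a modified ciphertext is rejected.

```python
import hashlib, hmac, secrets
# Toy stand-in for the elliptic-curve group (constructed demo parameters, not a
# vetted group): exponentiation modulo a prime. A real deployment uses an EC group.
P, G = 2**255 - 19, 2

# ---- KE: step (a), ephemeral key pair and session secret K ----
def ke_keygen():
    x = secrets.randbelow(P - 2) + 1                      # private exponent
    return x, pow(G, x, P)                                # (priv, pub)

def ke_derive(priv, peer_pub, eph_pub):
    # K = H(eph_pub || shared); H is the hash whose oracle the mODH model idealizes
    shared = pow(peer_pub, priv, P)
    return hashlib.sha512(eph_pub.to_bytes(32, "big") + shared.to_bytes(32, "big")).digest()

# ---- AE(AD): step (b), Encrypt-then-MAC from HMAC-SHA256 (keystream + tag) ----
def _keystream(kenc, n):
    blocks = (hmac.new(kenc, i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _tag(kmac, ad, c):
    return hmac.new(kmac, len(ad).to_bytes(8, "big") + ad + c, hashlib.sha256).digest()

def ae_encrypt(K, ad, m):
    kenc, kmac = K[:32], K[32:]
    c = bytes(x ^ y for x, y in zip(m, _keystream(kenc, len(m))))
    return c + _tag(kmac, ad, c)

def ae_decrypt(K, ad, ct):
    kenc, kmac = K[:32], K[32:]
    c, tag = ct[:-32], ct[-32:]
    if len(ct) < 32 or not hmac.compare_digest(tag, _tag(kmac, ad, c)):
        return None                                       # INT-CTXT: reject modified input
    return bytes(x ^ y for x, y in zip(c, _keystream(kenc, len(c))))

# ---- ECIES = KE + AE; either component can be swapped independently ----
def ecies_encrypt(recipient_pub, ad, m):
    eph_priv, eph_pub = ke_keygen()
    return eph_pub, ae_encrypt(ke_derive(eph_priv, recipient_pub, eph_pub), ad, m)

def ecies_decrypt(recipient_priv, eph_pub, ad, ct):
    return ae_decrypt(ke_derive(recipient_priv, eph_pub, eph_pub), ad, ct)

def demo():
    sk, pk = ke_keygen()
    eph_pub, ct = ecies_encrypt(pk, b"hdr", b"hello ECIES")
    tampered = bytes([ct[0] ^ 1]) + ct[1:]                # one flipped ciphertext bit
    return (ecies_decrypt(sk, eph_pub, b"hdr", ct),
            ecies_decrypt(sk, eph_pub, b"hdr", tampered),
            ecies_decrypt(sk, eph_pub, b"other", ct))     # wrong associated data
```

`demo()` returns the recovered plaintext followed by `None` for both the tampered ciphertext and the wrong associated data, which is the rejection behaviour the $\mathsf{INT-CTXT}$ bound is about.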
K. D. Tsaregorodtsev. Privacy and integrity properties of $\mathrm{ECIES}$ scheme. Matematičeskie voprosy kriptografii, Tome 15 (2024) no. 2, pp. 101-136. http://geodesic.mathdoc.fr/item/MVK_2024_15_2_a6/
