4

I'd like to know how much bigger the ciphertext is when encrypting a message using ECC encryption? ECIES (or ElGamal)

e-sushi
user54319
  • Aren't EC ElGamal and ECIES the same thing? – mikeazo Nov 14 '13 at 18:05
  • Sorry if I made a mistake (: – user54319 Nov 14 '13 at 18:17
  • @mikeazo Actually not really. ElGamal is purely asymmetric and ECIES is a hybrid encryption scheme. – DrLecter Nov 14 '13 at 18:45
  • I'd like to know how much larger the ciphertext is in any of the above, percentage-wise. Thank you in advance. – user54319 Nov 14 '13 at 18:50
  • You may look here. In ECIES, the ciphertext size is one point of the curve + the size of the encrypted message (+ small overhead of padding for the symmetric cipher) + the tag length of the used MAC. ElGamal is not really useful for larger messages and when using ElGamal in the elliptic curve setting hashed ElGamal should be your choice (as you avoid cumbersome mapping of messages to points on the curve)... – DrLecter Nov 14 '13 at 19:00
  • ... You could also use a hybrid version of ElGamal to achieve a hybrid cryptosystem like ECIES does. But ECIES is standardized and provides better security (IND-CCA) than the ElGamal versions (only IND-CPA). – DrLecter Nov 14 '13 at 19:02
  • Unfortunately, they seem to be comments instead of answers. – Maarten Bodewes Nov 14 '13 at 20:48
  • Can anyone answer? (: Thanks – user54319 Nov 14 '13 at 21:28
  • Depends on the details of the ECIES implementation. The overhead is one ECC point. For example, with a 256-bit curve (offering 128 bits of security) and compressed points the overhead would be 32 bytes. With uncompressed points you need 64 bytes. Often you'll lose a bit more for headers. The symmetric encryption might cost a bit as well for padding or MACs. – CodesInChaos Nov 14 '13 at 21:38

1 Answer

2

OK, I'll sum it up.

In ECIES, which is a hybrid encryption scheme, the ciphertext size is one point of the curve + the size of the encrypted message (size of the message + small overhead of padding for the symmetric cipher) + the tag length of the MAC used. As CodesInChaos pointed out, if you work on a 256-bit curve (giving 128-bit security), then using point compression this will amount to 32 bytes (and 64 otherwise) for the elliptic curve point and, as he mentioned, in addition to the ciphertext and the MAC there is some small overhead for the format.

A note on ElGamal (as in the original question): ElGamal is not really useful for larger messages, and when using ElGamal in the elliptic curve setting, hashed ElGamal should be your choice (as you avoid cumbersome mapping of messages to points on the curve). You could also use a hybrid version of ElGamal to achieve a hybrid cryptosystem like ECIES does.

But ECIES is standardized and provides better security (IND-CCA) than the ElGamal versions (only IND-CPA).

DrLecter
  • The padding overhead for the cipher is only required for CBC (& uncommon variants). A tag is used for authenticated encryption, but that's strictly optional as well. Generally compressed points require one extra bit, which usually translates into an extra byte with value 0x02 or 0x03 to determine the sign of the y-coordinate, making for 33 bytes instead of 32, although in theory the additional byte is not required. – Maarten Bodewes Aug 16 '21 at 08:21
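The size accounting from the answer and its comment, as an added example that is not part of the original thread: a small ECIES-style scheme whose ciphertext is laid out as compressed point || encrypted message || MAC tag, so the overhead can be measured directly. The choices here are this example's assumptions: curve P-256, XOR encryption with a SHA-256 counter KDF keystream (so no padding), HMAC-SHA-256 with a 32-byte tag, and the function names; the arithmetic is not constant time and is for illustration only.

```python
import hashlib, hmac, secrets

# NIST P-256 domain parameters (public constants); y^2 = x^3 + A*x + B mod P.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A, B = P - 3, 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None or p2 is None: return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    num, den = (3 * x1 * x1 + A, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):  # double-and-add scalar multiplication; not constant time
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def kdf(z, length):
    """Hash-counter KDF over the shared x-coordinate (assumed: SHA-256, no SharedInfo)."""
    return b"".join(hashlib.sha256(z.to_bytes(32, "big") + i.to_bytes(4, "big")).digest()
                    for i in range(1, length // 32 + 2))[:length]

def encrypt(pub, msg):
    """Return compressed ephemeral point (33) || XOR-encrypted msg || HMAC tag (32)."""
    r = secrets.randbelow(N - 1) + 1
    R = mul(r, G)
    eph = bytes([2 + (R[1] & 1)]) + R[0].to_bytes(32, "big")  # 0x02/0x03 sign byte + x
    keys = kdf(mul(r, pub)[0], len(msg) + 32)                 # encryption key || MAC key
    body = bytes(m ^ k for m, k in zip(msg, keys))
    return eph + body + hmac.new(keys[len(msg):], body, hashlib.sha256).digest()

def decrypt(priv, ct):
    eph, body, tag = ct[:33], ct[33:-32], ct[-32:]
    x = int.from_bytes(eph[1:], "big")
    rhs = (x**3 + A * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)                             # square root, valid as P % 4 == 3
    if y * y % P != rhs: raise ValueError("point not on curve")
    if y & 1 != eph[0] & 1: y = P - y
    keys = kdf(mul(priv, (x, y))[0], len(body) + 32)
    if not hmac.compare_digest(tag, hmac.new(keys[len(body):], body, hashlib.sha256).digest()):
        raise ValueError("bad tag")
    return bytes(c ^ k for c, k in zip(body, keys))
```

With these choices the overhead is a fixed 65 bytes (33 for the point, 32 for the tag) whatever the message length, so the percentage growth depends only on the message size: 6.5% for a 1000-byte message, over 400% for a 16-byte one.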