11

I would like to perform a variant of Elliptic Curve ElGamal in java using the BouncyCastle libraries.

I currently face the difficulty of mapping a message $m$ onto the elliptic curve $E_p$. I have so far multiplied the generator $g$ of $E_p$ by the message $m$. However, this is hardly reversible. Hence I cannot retrieve the original message without storing a lookup table for my whole message space.

The post ElGamal with EC quotes that some reversible mapping exists, described in Elliptic Curve Cryptosystem, Koblitz.

After doing some research, I found Mapping an Arbitrary Message to an Elliptic Curve when Defined over $GF(2^n)$, King et al.. However it looks quite cryptic to me, and I believe there must exist some library doing this already.

Is there any widely used mapping available? Also, is there any library implementing this?

Community
  • 1
franckysnow
  • 213
  • 2
  • 6
  • Your initial approach would require to solve the elliptic curve discrete logarithm problem when inverting the encoding. This can only be used if messages come from a small space and thus solving the ECDLP is tractable. You can look here in Section 2.4 for a typically used probabilistic encoding or the other approaches in the cited paper for injective maps. – DrLecter Mar 12 '14 at 16:39
  • 1
    Also, instead of attempting to use ElGammal, you could use the Elliptic Curve Integrated Encryption System, that works better, and the problem you have just doesn't come up – poncho Mar 12 '14 at 17:26

1 Answers1

9

When using ElGamal on elliptic curves you have two possibilities:

Encoding free Version of El Gamal

Use a version of ElGamal such as "hashed ElGamal" that avoids the task of mapping messages to points on the curve. In standard ElGamal on elliptic curves you would compute the ciphertext as $(C_1,C_2)=(kP,M+kY)$ where $k$ is a random integer, $M$ the message $m$ mapped to a point on the curve, $Y$ the public key and $P$ the generator point.

In hashed ElGamal, the ciphertext is $(C_1,C_2)=(kP,m\oplus H(kY))$ where $H:G\rightarrow \{0,1\}^n$ is a hash function that maps points on the curve to $n$ bit strings. Consequently, you can encrypt $n$ bit messages, for instance 256 bit if you use SHA-256 for $H$. For the input to $H$ you need to encode the points of the curve in a suitable way.

What you describe in your question, i.e., encode $m$ as $mP$, is also known as exponential ElGamal and typically used to make it additively homomorphic. But in this case, you have to compute discrete logarithms after decrypting. Note that decryption will yield $mP$ and you have to compute $m=\log_P mP$ which means you have to solve the elliptic curve discrete logarithm problem. This is only practical for small messages.

Map Messages to the Curve

A standard probabilistic encoding that can be used for curves over $\mathbb{F}_p$ (for a large prime $p$) is that you fix some value $\ell$, for instance half the bitlength of $p$, and then simply choose a random integer from $\mathbb{Z}_p$ and set the least significant bits of this value to represent your message, i.e., you have a value $r\|m$. Then, treat this value $r\|m$ as the $x$ coordinate of a (potential) point on the curve (in affine coordinates). If it is on the curve, take one of the two possible $y$ values and you have your encoding of the message to a point. Otherwise, start over again with a new $x$ value.

This is one probabilistic encoding and if you want to have injective maps that are also efficiently invertible take a look here as pointed out in my comment.

Third possibility: Avoid ElGamal

As @poncho pointed out, you could simply replace ElGamal with another elliptic curve encryption scheme such as ECIES. It is a hybrid encryption scheme and avoids the task of mapping messages to points on the curve. In practice this seems to best solution if you want to use your scheme simply for encryption (and do not need it as a building block in protocols which require proofs of knowledge or stuff the like).

DrLecter
  • 12,547
  • 3
  • 43
  • 61
  • Thank you for your answer. Yes, I precisely use ECEG for its homomorphic properties as well as for the possibility to perform threshold encryption.

    As I believe lose these properties with hashed ElGamal and ECIES, I will dive deeper in the mappings you suggested.

     – franckysnow Mar 13 '14 at 08:28
  • 1
    @FranckStudiesCommEng Note, however that with encodings different from mapping $m$ to $mP$ you will lose the meaninglul homomorphic property of addition oft integers modulo the group order. – DrLecter Mar 13 '14 at 08:35
  • thank you for your very constructive comments. It helped me see better my options. – franckysnow Mar 15 '14 at 01:02
  • Great comments, but the question remains: Is there a library function for performing the probabilistic mapping from a message to a point that you describe? (Which is, by the way, also briefly covered by King in the paper mentioned in the question in section 3.1.) – Niels Abildgaard May 17 '14 at 12:30
  • @Niels Abildgaard I do not know if Bouncycastle provides an ECC version of ElGamal at all. But such an encoding is not hard to implement. – DrLecter May 17 '14 at 13:56
  • @DrLecter Context: I was looking at this as I am implementing ECElGamal for my bachelors project. I have implemented the encoding, but to compare with Bouncy Castle I would need their implementation.

    Bouncy Castle has org.bouncycastle.crypto.ec.ECElGamal in Java, but not in the C# port. It does not, as far as I have found, contain any encoding function, leaving it up to the user to implement this.

     – Niels Abildgaard May 17 '14 at 17:22
  • @Niels Abilgaard Nice! Yes it seems that Bouncycastle does not provide an encoding function. You may add your encoding to the BC lib. – DrLecter May 17 '14 at 22:52
  • @DrLecter Unfortunately my project is in C#, and so I have only implemented the encoding here. I am using Koblitz's (or Miller's) probabilistic encoding, so it's really nothing special. – Niels Abildgaard May 19 '14 at 09:27