ECIES need for KDF

Question

Reading the ECIES algorithms (and elgamal in general), the general wisdom is to use a KDF and MAC on the shared secret before using it for encryption of ciphertext.

I suspect, however, this was because the encryption used was XOR (for data sizes that were smaller than the original).

If you're using AES GCM with a random iv, I don't see the value of the KDF on the shared secret.

For some protocols, you don't want users decrypting the ciphertext with the wrong key (chosed ciphertext attacks)... so mac'ing the key could be helpful.

But with a random IV, chosen ciphertext seems to be useless here as long as you otherwise follow standards with the shared secret and symmetric portion of the algorithm.

And with GCM, the mac portion of ECIES also seems not useful. I think, maybe, deferring to better-tested AES/GCM for the authentication seems to be the better bet.

See: https://en.wikipedia.org/wiki/Integrated_Encryption_Scheme

Note that using GCM with random nonces, as you propose, gives people the heebie-jeevies. Since ECIES uses ephemeral per-message keys you're possibly safe in this one case, but you might want to stick to a counter nonce, or at least beware of carrying that assumption to other settings. — Luis Casillas, Jul 17 '18 at 21:55
Yeah, using bytes from the hash of the shared key as the key and nonce now... seems to be the popular option. — Erik Aronesty, Jul 19 '18 at 15:22
Random nonces is a lot safer than sequential nonces. The people for whom it has problems aren't looking at whole systems. Sequences are safer, but... how do you custody the sequence? Random numbers generally have operating system and sometimes hardware custody, and a 128 bit nonce offers enough collision detection to transmit yottabytes before there's a significant problem. Only sneaky gotcha is that the openssl lib will truncate your nonce to 96 bits unless you tell it not to. — Erik Aronesty, Aug 14 '18 at 12:55

Squeamish Ossifrage · Accepted Answer · 2018-07-17T22:23:00.007

12

Do not skip the KDF step.

The output of an ECDH key agreement, as used inside ECIES, is some encoding of a point on a curve. Usually the encoding is highly structured and not uniformly distributed among bit strings. For example, it might be the encoding of any element $x \in \mathbb Z/(2^{255} - 19)\mathbb Z$ such that $x^3 + 486662 x^2 + x$ is square, or it might be the encoding of a pair of elements $x, y \in \mathbb Z/(2^{256} - 2^{32} - 977)\mathbb Z$ such that $y^2 = x^3 + 7$.

The security contract of a pseudorandom permutation family like AES is that the key must be uniformly distributed among bit strings. If you violate that contract, you might get in trouble with our friends Alex Biryukov and Dmitry Khovratovich.

Will the specific structure of the encoding you're using of points on the curve you're using get you in trouble with AES in particular? I don't know, but that's not something I would bet on even if I were a betting bird—it voids the security contract and lands you in uncharted territories where few cryptographers have set foot and no rewards are expected to be found.

If you have voided the contract of AES by using a nonuniform distribution on your keys, do not expect security.

edited Jul 17 '18 at 22:23

answered Jul 17 '18 at 21:47

Squeamish Ossifrage

48,392
3
116
223

That paper was not about AES GCM – Erik Aronesty Jul 17 '18 at 21:59
2

@ErikAronesty AES-GCM uses AES. My point is not that this specific paper demonstrates an attack on your specific application. Your specific application doesn't matter enough for anyone to publish a paper at a reputable cryptography conference demonstrating an attack. My point is that you have violated the security contract of AES (and anything built out of it like AES-GCM), and the paper shows an example of what goes wrong when you skimp on your contractual obligations. – Squeamish Ossifrage Jul 17 '18 at 22:03
I think the IV is serving a similar purpose as the KDF here, since the AES algorithm attacks are, typically, chosen-plaintext. Jamming an IV up front seems to prevent this.
Certainly the MAC of the KDF is useless here, so at least you can discard the MAC portion of ECIES.

But yeah, technically the structure in the shared secret could weaken it. A hash of length equal to the maximum key size should be sufficient, rather than a KDF+MAC.... assuming GCM is used.
– Erik Aronesty Jul 17 '18 at 22:11
1

@ErikAronesty The IV does not serve a similar purpose to the KDF. If you use a nonuniform key, you have voided the contract of AES. Don't play with it. – Squeamish Ossifrage Jul 17 '18 at 22:12
OK. I'm ditching the extra MAC though. SHA3 on the key should be more than enough. Thanks! – Erik Aronesty Jul 17 '18 at 22:13
5

@ErikAronesty NOOOOOOOOOO! EFAIL! – Squeamish Ossifrage Jul 17 '18 at 22:14
1

@ErikAronesty If you violate the security contract of the primitive or invent a bespoke composition of it, you are asking for a shot in the foot. If you want public-key encryption, you should use an existing construction that is credibly advertised to guarantee IND-CCA2/NM-CCA2. Tweaking it to replace a MAC of the message by a hash of the key is asking for trouble. – Squeamish Ossifrage Jul 17 '18 at 22:17
1

I'm not sure what @ErikAronesty means by "SHA3 on the key", but shouldn't it be OK (or even better) to use AES-GMAC with the key derived by the KDF, instead of using separated encryption and MAC schemes as specified by ECIES? – Conrado Jul 18 '18 at 11:53
@Conrado Yes, as I suspected, it's far better to use AES-GMAC. Indeed, this is what Apple uses in it's new Secure Enclave and it is gradually ousting the older ECIES standard. – Erik Aronesty Jul 18 '18 at 20:38
I meant "AES-GCM". It is orthogonal to ECIES, you can use ECIES with AES-GCM (arguably it's not strictly ECIES anymore, but...) – Conrado Jul 19 '18 at 01:36
@conrado ... maybe?. ecies does not, itself, specify the symmetric cipher or really which mac is used. most implementations now use aesgcm and forgo the mac step - because it's baked in to gcm. also ecdh already includes a kdf step in openssl.... there's just no way to get it to produce extra bytes right now, so most people use a second kdf to derive the iv... sort of silly. – Erik Aronesty Jul 19 '18 at 15:19

score 2 · Answer 2 · answered Jul 18 '18 at 20:50

It's now generally considered slightly better to use AES-GMAC than to use an HMAC during the key derivation step. For example: this is what Apple uses in its Secure Enclave.

While a hash of the key satisfies the "no structure" contract of an AES key input - using a KDF also performs other useful functions.

The KDF can produce additional bytes for use in AES-GCM's IV. A standard KDF provides flexible choices of hash algorithms to and a flexible amount of bytes to support the symmetric encryption.

In the end, this reduces the amount of data you need to transmit/store when doing encryption, and shifts more code to better tested and standardized libraries.

In summary for interchangeability with the most systems:

ECIES == ECDH -> X93KDF(SHARED_KEY, AES_LEN+IV) -> AES_GCM()

Using the public key in the auth tag of the GCM step can, additionally, provide some malleability defense.

ECIES need for KDF

2 Answers2

Linked