Imagine the following scenario. A process is running in the background and permanently encrypting some data. An adversary has full control of the process, e.g. it can dump the process memory at any time and read the symmetric key. It is essential that the adversary cannot decrypt the data, therefore only public-key encryption without any symmetric cipher component is feasible.

What would be the best method for data encryption in this scenario using ECC?

Andy
  • No matter the encryption used, wouldn't the process memory contain the plaintext data before it is encrypted, anyway? – fkraiem Dec 10 '19 at 12:10
  • For this application it is allowed. The question is purely cryptography-related: what would be the ECC analogy to RSA? – Andy Dec 10 '19 at 12:47
  • If your question is that, then just ask that. Why make up a nonsensical example? – fkraiem Dec 10 '19 at 12:52
  • As remarked by fkraiem, we can't hope to protect the plaintext from a probing right when it arrives. Thus the best we can unconditionally achieve is that probing an encryption compromises neither the previous nor the next. I see no reason to ban internal use of symmetric crypto, if its symmetric key is ECC-generated. Anything wrong with ECIES? – fgrieu Dec 10 '19 at 13:21
  • @kelalaka That question doesn't explicitly exclude symmetric encryption (and my answer, therefore, is ECIES). If you look at the title you may conclude that it would be like just using modular exponentiation, but the body of the question shows that schemes like ECIES are also unknown to the asker. – Maarten Bodewes Dec 10 '19 at 15:45
  • That said, it does seem to answer the question. Hmm. Andy, is that enough of an answer for you (EC El Gamal)? – Maarten Bodewes Dec 10 '19 at 16:00
  • @Maarten - reinstate Monica: yes, EC ElGamal would answer the question. But the method here leaves as an exercise to the reader to define a public invertible function $f : m \mapsto P_m$, which maps messages $m$ to points $P_m$ on $E$. And that's not easy. We need a different EC ElGamal (I see how that can be done). Problems remain; the scheme will be malleable, and that's a security risk, solved by ECIES. Again, no justification is given for "without symmetric cipher" in the question. – fgrieu Dec 10 '19 at 16:34
  • Sorry, I really do not want to go into the details of the application. It is research and definitely not a product, and it does not have to be 100% secure. Surely if you dump the process memory at exactly the right time, you will see the plaintext. But this is only valid in a short window of time, whereas the symmetric key would be "visible" all the time. I could generate a symmetric key for a short amount of time, save the public key with the ciphertext and destroy the keys immediately. It is a valid option, but not the question I'm interested in. – Andy Dec 10 '19 at 18:05

1 Answer

-1

ECC can't really be used to encrypt and decrypt data - it doesn't have the required properties. An asymmetric cipher such as RSA would have to be used, as this can encrypt and decrypt data.

ECC can be used for bilateral key exchanges, and to sign/verify data. RSA can sign/verify data, do KEMs, and encrypt/decrypt data.

SamG101
  • Actually, ECC could be used directly on data; for example, use a simple mapping of data to EC points, and then use EC El Gamal (as mentioned in the comments). Whether it solves any specific problem, and whether it makes sense, is another question; however, you could do it... – poncho Dec 14 '19 at 23:36
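
The scheme named in the comments, EC ElGamal with a public invertible mapping $f : m \mapsto P_m$, as an added example that is not code from any of the posts. It assumes secp256k1 and a Koblitz-style embedding, both chosen for this illustration; all function names are hypothetical, and `maul` shows the malleability fgrieu raises.

```python
import secrets
P = 2**256 - 2**32 - 977      # secp256k1 (curve choice is an assumption of this example)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None or B is None:
        return A or B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    num, den = (3 * x1 * x1, 2 * y1) if A == B else (y2 - y1, x2 - x1)
    lam = num * pow(den, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, A):
    """Double-and-add scalar multiplication (illustrative, not constant time)."""
    R = None
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def embed(msg):
    """f: m -> P_m, Koblitz style: x = m*256 + j for the first j that gives a point."""
    if len(msg) > 30:
        raise ValueError("one point carries at most 30 bytes")
    m = int.from_bytes(b"\x01" + msg, "big")      # 0x01 marker keeps leading zeros
    for x in range(m * 256, m * 256 + 256):
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)             # square root, valid as P % 4 == 3
        if y * y % P == rhs:
            return (x, y)
    raise ValueError("no point found for this message")

def encrypt(Q, msg):
    k = secrets.randbelow(N - 1) + 1              # ephemeral, discarded on return
    return mul(k, G), add(embed(msg), mul(k, Q))

def decrypt(d, ct):
    m = add(ct[1], mul(N - d, ct[0]))[0] >> 8     # P_m = C2 - d*C1, then invert f
    return m.to_bytes((m.bit_length() + 7) // 8, "big")[1:]

def maul(ct, known, wanted):
    """Malleability: swap a known plaintext with no key; decrypt() cannot tell."""
    return ct[0], add(add(ct[1], mul(N - 1, embed(known))), embed(wanted))
```

Only the public key `Q` is needed by the encrypting process, so a memory dump yields no decryption key. The forged ciphertext from `maul` decrypts cleanly, which is the integrity gap ECIES closes.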