Can I use ECC for encryption/decryption, just like RSA?

Question

I'm familiar with RSA for asymmetric encryption. I also understand it's only supposed to encrypt small amounts of data (smaller than the key) so for encrypting arbitrary data I would typically generate a one-time random key, encrypt just that random key with asymmetric encryption, and then encrypt the actual data using AES with the random key (and then throw away the plaintext key)

Can I also use Elliptic Curve Cryptography for this? And if yes, can I use any common type of curves / keys?

For example, can I create a Ed25519 or Secp256k1 or Secp521r1 keypair, and then encrypt something with the public key so it can only be decrypted with the corresponding private key?

I sometimes read things like 'Ed25519 is only for signatures, not encryption' or 'ECC is only for authentication'.

Suppose I have an RSA keypair MyPrivateRsaKey.pem and MyPublicRsaKey.pem and a small data file secret.txt.
I can encrypt secret.txt using MyPublicRsaKey.pem, and then the encrypted data can only be decrypted with MyPrivateRsaKey.pem.

Now if I have a keypair MyPrivateEd25519Key.pem and MyPublicEd25519Key.pem for example, can I do the same? Or am I mistaken and are elliptic curve keys fundamentally unsuitable for this?

P.S. note that for the context of this question, I'm not dealing with key exchange or signatures or certificates or authentication. Just asymmetric encryption+decryption.

The most standard such scheme is [tag:ECIES], described in SEC1. Another is EC-ElGamal. The two are compared in ECIES (…) EC-ElGamal encryption comparison. This can be a bootstrap for hybrid encryption. How this is done with Ed25519 keys is treated in Difference between X25519 vs. Ed25519. How to do this with practical tools is off-topic. — fgrieu, Oct 31 '20 at 14:25

score 1 · Answer 1 · answered Oct 01 '20 at 13:42

1

This has indeed been answered previously and I'd be comfortable with it being closed as a redirect to prior answers. But just in case:

No, but yes. These are signature schemes, they cannot be used like RSA. The specific thing you're proposing (directly encrypting a tiny amount of data without a hybrid encryption scheme) is not done. Notice that because key sizes for ECC are much smaller than RSA the "tiny amount of data" could only be a few bytes anyway.

However, the thing you'd actually want to do (encrypting arbitrary data) is possible using ECIES, here's a Wikipedia link about this approach.

https://en.wikipedia.org/wiki/Integrated_Encryption_Scheme

Also, if you're serious about using RSA to encrypt data, please stop. Safely doing this is hard in the general case, plus you've got this arbitrary limit on how much data you can encrypt. Use a hybrid scheme (like ECIES) if you want encryption.

answered Oct 01 '20 at 13:42

tialaramex

372
1
5

Thanks, I think I understand. By a hybrid scheme you just mean combining symmetric and asymmetric encryption, correct? The tiny amount of data is actually sufficient, I'd typically use an ECC scheme with ≥256 bit keys, and I just need to encrypt a random symmetric key with that. A 128 bit symmetric key would already suffice. If I follow the ECIES example from your link, I'd say Alice sortof 'encrypts' a shared secret in the sense that only Bob can reconstruct that secret with his private key, correct? – RocketNuts Oct 01 '20 at 14:59
If you just want to agree random keys then you don't need all these pieces. You just want a Elliptic Curve Diffie Hellman Key Agreement scheme like X25519.
That's the trick - with RSA you can (but shouldn't) choose a (small) message and just directly encrypt that message. Like "Dinner is in the dog" or "The code is 5521". You cannot do that with elliptic curve cryptography. But if you want random keys anyway, agreeing random keys is enough.
– tialaramex Oct 02 '20 at 00:39
OK I see, so is that essentially just the asymmetric part of a hybrid scheme like ECIES? Once a random key has been agreed upon, using symmetric encryption with that key is trivial. Note that I would prefer a different random key every time. So next time I'm sending a message, I'm agreeing upon a new random key, and using that new key for the symmetric encryption. Would the random key agreement work the same as in ECIES, is that essentially Elliptic Curve Diffie Hellman Key Agreement? (the description on wikipedia seems slightly different, if I understand correctly) – RocketNuts Oct 03 '20 at 21:11
The main difference as far as I understand is that DH is typically explained as an online algorithm in which the participants agree their parameters "live" whereas ECIES is offline. – tialaramex Oct 04 '20 at 10:40

Can I use ECC for encryption/decryption, just like RSA?

1 Answers1