28

I've searched some information on ECC, but so far I have only found Diffie-Hellman key-exchange implementations using ECC, but I don't want to exchange keys, I want to encrypt & decrypt data like in ElGamal. I know that ElGamal with elliptic curves should be possible (Since ElGamal is based on DH), but I have no idea how. So, could anyone tell me how to implement ElGamal using elliptic curves. I think I do not need to much background information,

  1. What is the private, what is the public key?
  2. How to encrypt messages? and
  3. How to decrypt messages?

should be enough.

CriticalError
  • 383
  • 1
  • 3
  • 4
  • 3
    Note that it is more common to use ECIES to encrypt data using EC. ECIES is basically static Diffie-Hellman key agreement followed by symmetric encryption using the resulting key. – Maarten Bodewes Feb 22 '15 at 15:57

1 Answers1

39

Your answer is in the paper Elliptic curve cryptosystems from Neal Koblitz:

  • Set up an elliptic curve $E$ over a field $\mathbb{F}_q$ and a point $P$ of order $N$ just the same as for EC-DDH as system parameters.
  • You need a public known function $f : m \mapsto P_m$, which maps messages $m$ to points $P_m$ on $E$. It should be invertible, and one way is to use $m$ in the curve's equation as $x$ and calculate the according $y$.
  • Choose a secret key $x \in_R [1,N-1]$ randomly, publish the point $Y=x P$ as public key.
  • Encryption: choose random $k\in_R [1,N-1]$ , then calculate $C=kP$ and $C'=kY$ and calculate $P_m = f(m)$. The ciphertext is the tuple $(C, C'+P_m)$.
  • Decryption: From a ciphertext $(C,D)$ calculate $C' = xC$, and retrieve the point $P_m$ with $P_m = D-C' = (k(xP)+P_m)-(x(kP))$. Then calculate the message $m$ with $f^{-1}(P_m)$.
lovesh
  • 512
  • 2
  • 10
tylo
  • 12,654
  • 24
  • 39
  • 3
    You're using $\mathbb{F}_q$ to denote the field from which the ECC points' coordinates are chosen. Private keys are chosen from 1..N-1, where N is the order of the ECC group, not from $\mathbb{F}_q$. – Brock Hansen Apr 23 '14 at 00:05
  • @BrockHansen Changed the description of the private key "generation". Could you check if the math notation is good enough? – Maarten Bodewes Feb 22 '15 at 16:08
  • @MaartenBodewes Now it should be fine. – DrLecter Feb 22 '15 at 17:16
  • @DrLecter Ah, yeah, I wondered already if the other random components would be correct. I guess they have to be limited by the order :) I'm currently trying to map a message $m$ to a point for Bouncy Castle for this question - if anybody is able to help please do. – Maarten Bodewes Feb 22 '15 at 17:24
  • 1
    @MaartenBodewes You could take a look at this paper (Section 2.4 shows a simple standard approach). I think I have answered such a question already here somewhere, but cannot find it anymore :/ – DrLecter Feb 22 '15 at 17:32
  • How would your $m=x$ technique work, considering only half of the possible $x$ values are on the curve? – CodesInChaos Dec 18 '15 at 08:43
  • You're right, it doesn't work for every $x$. It was a simplified version of the paper's function $(2)$ in section $3$. Basically they suggest for $m < q/1000 - 1$ and then look for $x$ with $1000m \leq x < 1000(m+1)<q$ and a solution for the curve equation. It's a probabilitstic embedding, which still has a chance that there is no sulition in the interval. The inverse can then be calculated by dropping the last 3 decimal digits of x.. – tylo Jan 13 '16 at 14:06
  • @tylo I do not quite understand how to get $y$ according to use $m$ in the equation as $x$. For example, if I have $y^2 = x^3 + 4x +4$ over $\mathbb F_{13}$, with generator $P=(1, 3)$. If I choose $m=10$, how do I get the point $(10,2)$ on the curve? Thanks. –  Aug 02 '17 at 13:37
  • I'm amazed! Precisely what I need in a design that started with RSA! – Sam Ginrich Jan 30 '23 at 20:23
  • @DrLecter This one? https://crypto.stackexchange.com/a/14449/98888 – Sam Ginrich Jan 30 '23 at 20:34