Using xor encryption in the following use case

Cryptography Asked by Kaa on December 31, 2021

I use an encryption scheme based on a symmetric cipher, with the corresponding symmetric key encrypted with RSA/OAEP using the public RSA key of the recipient.
I now want to use ECC crypto in replacement of RSA. Looking at the openssl API I can see that there is no RSA equivalent ECC encryption of a key, but only key derivation.
As the same symmetric key has to be encrypted for several different recipients, each of them owning its own encryption public ECC key, I can’t directly use the derived key as the symmetric key.

So I am considering doing this:

  • create a "one time" ECC key pair,
  • derive a shared secret with this key and the recipient public key,
  • xor the symmetric key with the derived shared secret, ensuring that the latter is at least as long as the symmetric key,
  • sign the public part of the "one time" ECC key and transmit it along with the xor encrypted symmetric key so the recipient will be able to decrypt it.

I think that using xor encryption here is safe as:

  • the derived shared secret is supposed to be random looking and will never be reused, as one of the keys used for derivation is a one time key,
  • the derived shared secret is at least as long as the xor-ed content.

But maybe I have missed something?

One Answer

It sounds like you're looking to implement something very similar to what was asked about here, with the addition of a signature of the ephemeral public key. But as poncho's answer points out, the potential malleability of the XORed key and the ciphertext could potentially pose some problems. The way the shared secret is derived may also introduce the possibility for issues here, though following the ECIES method with a KDF should help.

For the sake of differentiating this question from Maarten Bodewes's question, I'll assume you're more interested in replacing your existing scheme than implementing exactly what you've described. One potential option to consider is using standard ECIES (using an ephemeral key and KDF to generate a new symmetric key) to encrypt the symmetric key of your original data. This would certainly have both some computational and size overhead, but should achieve your goal.

Here you could still sign the ECIES output (or probably just the ephemeral public key) if that authentication is important to your system. But if you can afford the overhead that might be a safer/less experimental approach.

Answered by thesquaregroot on December 31, 2021
