libertylocked
commented
6 years ago If Alice is sending some encrypted message to Bob
- Alice gets Bob's public key,
gx - Alice first generates an ephemeral keypair (random 32 bytes),
y(private) andgy(public) - Alice uses Elliptic-curve Diffie–Hellman (ECDH) to derive a shared secret from her y and Bob's gx,
px = ECDH(y, gx)(32 bytes) - Alice uses SHA512 as KDF.
ke || ka = SHA512(px)to getkeas encryption key (32 bytes) andkaas authentication key (32 bytes) - Alice encrypts her message
musing AES256 in CBC mode with randomiv.c = AES256-CBC(ke, iv, m) - Alice computes MAC,
mac = HMAC-SHA256(ka, iv || gy || c) - Alice sends
iv || gy || mac || cto Bob.
Once Bob gets gy he also uses ECDH
px = ECDH(x, gy)Then he decrypts the message, checks MAC, etc etc
There's no single standard ECIES and you can change it up a bit in your implementation if you wish, for example you can use ke = HMAC-SHA256(px, 0x01) and ka = HMAC-SHA256(px, 0x02) as KDF. (I probably should have done this but if I change the lib at this point it'll break previously encrypted messages)
Also you can potentially replace AES256-CBC with AES256-GCM, in which case you don't even need to derive authentication key or compute MAC yourself.
I was confused with ECIES and couldn't find a suitable example. Can I ask you some questions?