# Integrated Encryption Scheme

Integrated Encryption Scheme (IES) is a hybrid encryption scheme which provides semantic security against an adversary who is allowed to use chosen-plaintext and chosen-ciphertext attacks. The security of the scheme is based on the computational Diffie–Hellman problem. Two incarnations of the IES are standardized: Discrete Logarithm Integrated Encryption Scheme (DLIES) and Elliptic Curve Integrated Encryption Scheme (ECIES), which is also known as the Elliptic Curve Augmented Encryption Scheme or simply the Elliptic Curve Encryption Scheme. These two incarnations are identical up to the change of an underlying group and so to be concrete we concentrate on the latter.

## Informal Description

As a brief and informal description and overview of how IES works, we use a Discrete Logarithm Integrated Encryption Scheme (DLIES) based example, focusing on illuminating the reader's understanding, rather than precise technical details.

1. Alice learns Bob's public key, ${\displaystyle g^{x}}$ through a public key infrastructure or other pre-distributed method. We assume Bob knows his own private key ${\displaystyle x}$.
2. Alice generates a fresh, ephemeral value ${\displaystyle y}$, and its associated public value, ${\displaystyle g^{y}}$.
3. Alice then computes a symmetric key ${\displaystyle k}$ using this information and a KDF as follows: ${\displaystyle k={\mathit {KDF}}(g^{xy})}$.
4. Alice computes her ciphertext ${\displaystyle c}$ from her actual message ${\displaystyle m}$, i.e. the symmetric encryption of ${\displaystyle m}$, encrypted under key ${\displaystyle k}$ (using an authenticated encryption scheme) as follows: ${\displaystyle c=E(k;m)}$.
5. Alice transmits (in a single message) both the public ephemeral ${\displaystyle g^{y}}$, and the ciphertext ${\displaystyle c}$.
6. Bob, knowing ${\displaystyle x}$ and ${\displaystyle g^{y}}$, can now compute ${\displaystyle k=KDF(g^{xy})}$ and decrypt ${\displaystyle m}$ from ${\displaystyle c}$.

## Formal Description

### Information required

To send an encrypted message to Bob using ECIES, Alice needs the following information:

• cryptographic suite to be used, including a key derivation function (e.g., ANSI-X9.63-KDF with SHA-1 option), a message authentication code (e.g., HMAC-SHA-1-160 with 160-bit keys or HMAC-SHA-1-80 with 80-bit keys) and a symmetric encryption scheme (e.g., TDEA in CBC mode or XOR encryption scheme)—noted ${\displaystyle E}$;
• elliptic curve domain parameters: ${\displaystyle (p,a,b,G,n,h)}$ for a curve over a prime field or ${\displaystyle (m,f(x),a,b,G,n,h)}$ for a curve over a binary field;
• Bob's public key: ${\displaystyle K_{B}}$ (Bob generates it as follows: ${\displaystyle K_{B}=k_{B}G}$, where ${\displaystyle k_{B}}$ is the private key he chooses at random: ${\displaystyle k_{B}\in [1,n-1]}$);
• optional shared information: ${\displaystyle S_{1}}$ and ${\displaystyle S_{2}}$.
• ${\displaystyle O}$ denotes the point at infinity

### Encryption

To encrypt a message ${\displaystyle m}$ Alice does the following:

1. generates a random number ${\displaystyle r\in [1,n-1]}$ and calculates ${\displaystyle R=rG}$;
2. derives a shared secret: ${\displaystyle S=P_{x}}$, where ${\displaystyle P=(P_{x},P_{y})=rK_{B}}$ (and ${\displaystyle P\neq O}$);
3. uses a KDF to derive symmetric encryption keys and MAC keys: ${\displaystyle k_{E}\|k_{M}={\textrm {KDF}}(S\|S_{1})}$;
4. encrypts the message: ${\displaystyle c=E(k_{E};m)}$;
5. computes the tag of encrypted message and ${\displaystyle S_{2}}$: ${\displaystyle d={\textrm {MAC}}(k_{M};c\|S_{2})}$;
6. outputs ${\displaystyle R\|c\|d}$.

### Decryption

To decrypt the ciphertext ${\displaystyle R\|c\|d}$ Bob does the following:

1. derives the shared secret: ${\displaystyle S=P_{x}}$, where ${\displaystyle P=(P_{x},P_{y})=k_{B}R}$ (it is the same as the one Alice derived because ${\displaystyle P=k_{B}R=k_{B}rG=rk_{B}G=rK_{B}}$), or outputs failed if ${\displaystyle P=O}$;
2. derives keys the same way as Alice did: ${\displaystyle k_{E}\|k_{M}={\textrm {KDF}}(S\|S_{1})}$;
3. uses MAC to check the tag and outputs failed if ${\displaystyle d\neq {\textrm {MAC}}(k_{M};c\|S_{2})}$;
4. uses symmetric encryption scheme to decrypt the message ${\displaystyle m=E^{-1}(k_{E};c)}$.