Integrated Encryption Scheme

From Crypto++ Wiki

An Integrated Encryption Scheme, or IES, is a hybrid encryption scheme that combines confidentiality and integrity into an easy-to-use package. It is a hybrid scheme because it combines public key cryptography with bulk encryption using an XOR function and a key stream.

An IES provides strong security assurances. The scheme is IND-CCA2, which means it provides indistinguishability (IND) under adaptive Chosen Ciphertext Attacks (CCA2). An IES provides more security than most Authenticated Encryption schemes under normal circumstances.

The Crypto++ library provides two traditional Integrated Encryption Schemes, plus a third. The first scheme is Elliptic Curve Integrated Encryption Scheme (ECIES), and the second scheme is Discrete Logarithm Integrated Encryption Scheme (DLIES). The third scheme is LUC Integrated Encryption Scheme, which is based on Lucas Sequences. LUC IES is a less popular scheme.

In general you should prefer an Integrated Encryption Scheme over Authenticated Encryption since an IES provides stronger security assurances.

Details

An Integrated Encryption Scheme combines a Key Encapsulation Mechanism (KEM) with a Data Encapsulation Mechanism (DEM). The system independently derives a bulk encryption key and a MAC key from a common secret. Data is first encrypted under a symmetric cipher, and then the ciphertext is MAC'd under an authentication scheme. Finally, the common secret is encrypted under the public part of a public/private key pair. The output of the encryption function is the tuple $\{K,C,T\}$, where $K$ is the encrypted common secret, $C$ is the ciphertext, and $T$ is the authentication tag. There is some hand waving around the "common secret" since it's actually the result of applying a Key Agreement function, and it uses the other party's static public key and an ephemeral key pair.

The trick to Integrated Encryption Schemes is the way the Key Agreement function is used. The Key Agreement function is Diffie-Hellman, which makes the problem hard under the Discrete Log Problem (DLP). A large seed is used to derive keys for bulk encryption and message integrity. The unique seed ensures each run of the protocol uses different security parameters and results in different keys and different ciphertext. The sender uses the symmetric keys to encrypt the data and produce a MAC over the ciphertext.

The seed is then encrypted under the other party's public key using a temporary key pair. At this point, only half of the key agreement function has been applied using a temporary public key. The other party decrypts the data by finishing the key agreement to recover the seed. Once the seed is recovered the other party can derive the same keys needed to decrypt the ciphertext.
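
The flow described above, written out as an added example in Python; it is not Crypto++ code or the library's implementation. It assumes a constructed toy Diffie-Hellman group (a Mersenne prime modulus, not a vetted group), a SHA-256 counter-mode KDF and HMAC-SHA256, and the function names are hypothetical. Here K is the sender's ephemeral public value, which stands in for the encrypted common secret.

```python
import hashlib
import hmac
import secrets

# Constructed toy group for illustration only; not a vetted DH group.
P = 2**521 - 1          # Mersenne prime modulus (assumption of this example)
G = 3                   # generator chosen for the example
NBYTES = 66             # 521 bits rounded up to whole bytes

def keygen():
    """Return (private, public) for the toy group."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def derive_keys(shared, eph_pub, n):
    """KDF: expand the common secret into a 32-byte MAC key and an n-byte key stream."""
    seed = shared.to_bytes(NBYTES, "big") + eph_pub.to_bytes(NBYTES, "big")
    out, counter = b"", 1
    while len(out) < 32 + n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:32], out[32:32 + n]

def encrypt(recipient_pub, plaintext):
    """Return the tuple (K, C, T)."""
    eph_priv, K = keygen()                        # fresh ephemeral pair per message
    shared = pow(recipient_pub, eph_priv, P)      # sender's half of the key agreement
    mac_key, stream = derive_keys(shared, K, len(plaintext))
    C = bytes(a ^ b for a, b in zip(plaintext, stream))   # XOR with key stream
    T = hmac.new(mac_key, C, hashlib.sha256).digest()     # MAC over the ciphertext
    return K, C, T

def decrypt(recipient_priv, K, C, T):
    """Finish the key agreement, verify T, then recover the plaintext."""
    if not 1 < K < P - 1:
        raise ValueError("invalid ephemeral public value")
    shared = pow(K, recipient_priv, P)            # recipient's half of the agreement
    mac_key, stream = derive_keys(shared, K, len(C))
    expected = hmac.new(mac_key, C, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, T):      # constant-time tag comparison
        raise ValueError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(C, stream))
```

The tag is checked before any plaintext is produced, so a modified C or T is rejected without releasing decrypted data.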