Discrete Logarithm Integrated Encryption Scheme

From Crypto++ Wiki
Jump to navigation Jump to search

Discrete Logarithm Integrated Encryption Scheme, or DLIES (formerly named DHES and DHAES), is a hybrid encryption system proposed by Abdalla, Bellare and Rogaway. DLIES has been standardized in ANSI X9.63, IEEE 1363a, and ISO/IEC 18033-2. The authors' submission can be found at http://cseweb.ucsd.edu/~mihir/papers/dhies.html.

DLIES combines a Key Encapsulation Mechanism (KEM) with a Data Encapsulation Mechanism (DEM). The system independently derives a bulk encryption key and a MAC key from a common secret. Data is first encrypted under a symmetric cipher, and then the cipher text is MAC'd under an authentication scheme. Finally, the common secret is encrypted under the public part of a public/private key pair. The output of the encryption function is the tuple {K,C,T}, where K is the encrypted common secret, C is the ciphertext, and T is the authentication tag. There is some hand waiving around the "common secret" since its actually the result of applying a Key Agreement function, and it uses the static public key and an ephemeral key pair.

If you are trying to inter-operate and Crypto++ lacks a patch for you, then please visit A Comparison of the Standardized Versions of ECIES. It describes the differences between many of the standardized integrated encryption schemes. Martínez, Alvarez, Encinas, and Ávila do a good job at describing them in an easy to digest format.

Abdalla, Bellare and Rogaway's scheme is similar to Elliptic Curve Integrated Encryption Scheme. DLIES operates over a field of integers, while ECIES operates over a field of elliptic curves.


DLIES is typedef'd as a templated structure in gfpcrypt.h:

template <class COFACTOR_OPTION = NoCofactorMultiplication, bool DHAES_MODE = true>
struct DLIES
    : public DL_ES<
        DL_KeyAgreementAlgorithm_DH<Integer, COFACTOR_OPTION>,
        DL_KeyDerivationAlgorithm_P1363<Integer, DHAES_MODE, P1363_KDF2<SHA1> >,
        DL_EncryptionAlgorithm_Xor<HMAC<SHA1>, DHAES_MODE>,
    DLIES<> >
    static std::string CRYPTOPP_API StaticAlgorithmName() {return "DLIES";}

The template parameters include COFACTOR_OPTION and DHAES_MODE. Greater efficiency can be achieved by selecting COFACTOR_OPTION = IncompatibleCofactorMultiplication and DHAES_MODE = false.

DHAES_MODE = true provides the best security. The greater security is achieved by including the ephemeralPublicKey in the key derivation function, and the size of the encodingParameters in the authenticator function.