Join Log in
Score:-1
avatar Crypto

How to encrypt using private key for ECC

cn flag
Edward

As we know, ECC using $C_2 = r \cdot G, C_1 = M + r \cdot G$; and decrypt with $M=C_1 - K \cdot C_2$. And sign using point $X$: $X = k \cdot G(x_0,y_0)$. $r = x_0 \cdot K; s = 1 / k \cdot (M + r \cdot d) \mod(n)$; here $d$ is private key, $K$ is public key. and then verify by is true of $r \cdot G == M \cdot G / s + x \cdot K/s$.

Here is my question: can I encrypt using private key (or sign) and get the message $M$ directly by public key $K$? Instead of $r \cdot G == M \cdot G / s + x \cdot K/s$, how can I got something like $M = \operatorname{function}(r,s,K,G)$ ?

Thanks Edward

142
1 + 4
fgrieu avatar
ng flag
fgrieu
Actually, the standard method to encrypt using ECC is [ECIES](https://www.secg.org/sec1-v2.pdf#subsection.5.1). Standard methods to sign using ECC include [ECDSA](https://www.secg.org/sec1-v2.pdf#subsection.4.1) and [EC-Schnorr](https://crypto.stackexchange.com/q/34863/555).
4
Reply
kelalaka avatar
in flag
kelalaka
Err, why do you want to encrypt with your private key. Since your public key is public implies the encrypted message can decrypt by everybody. What is your actual problem? Also, private key is integer and public key is a point!
1
Reply
cn flag
Edward
I try to replace RSA with ECC in a very small project. If ECC can't do that, I may still use RSA to do that message recovery.
0
Reply
Maarten Bodewes avatar
in flag
Maarten Bodewes
If you cannot live with the 64 byte overhead of ECC (assuming 256 bit key size) then I would recommend sticking with RSA, although it is less strong in the classical sense and that signatures giving message recovery are generally not state-of-the-art like PSS.
0
Reply
Score:5
DannyNiu avatar Crypto
vu flag
DannyNiu

In public-key cryptography, there is NO SUCH THING as "encrypt with private key". It's a misnomer since the RSA days.

Also, what you describe as "M = function(pubkey, signature)" is signature with message recovery. These algorithms are rare nowadays and had been largely replaced with signature with appendix (which ECDSA is one of them).

ECC as specified in SEC#* series of standards are based on discrete logarithm problem over elliptic curves. By their nature, building DLog-based trapdoor permutation of arbitrary size is significantly more inefficient than building signature formula that use DLog difficulty to prevent secret components from leaking. Therefore, ECC don't have digital signature with message recovery.

0 + 3
cn flag
Edward
In the case that we don't need to know the message before we verify the signature. If we can calculate M=function(pubkey,signature), we can directly get M and verified. RSA can do that, why ECC can't? --- regardless of why we need this , could you please tell how to solve this M=func(pub,sign) in ECC ?
0
Reply
DannyNiu avatar
vu flag
DannyNiu
@Edward See if that's a satisfactory explanation.
0
Reply
cn flag
Edward
It is great to know that ECC can't do message recovery. and I agree with you about the efficiency issue. Yet, it is true that there are some cases that we need message recovery. First is that hash can be made ,though it is difficult. Verified hash don't 100%ly means message is the true Message. In my another case, we need message recovery.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.