Join Log in
Score:6
Elliot Solskjaer avatar Crypto

EC Public key encryption scheme where Alice does not know Bob's public key

sa flag
Elliot Solskjaer

I've found ECDH and ECIES, but those both require Alice to know Bob's public key and Bob to know Alice's public key in order to derive a shared secret. Now assume Bob knows Alice's public key $A$, but Alice does not know Bob's public key $B$. Is there an Elliptic Curve encryption scheme where Bob can encrypt a message for Alice using just their public key $A$ which Alice can then decrypt without needing Bob's public key? (The reverse is not necessary, Alice does not need to send any encrypted messages to Bob)

2532
0 + 0
Score:13
knaccc avatar Crypto
es flag
knaccc

ECIES does not require the sender to publish their own permanent public key. Instead, they can just create an anonymous ephemeral key pair, and publish the ephemeral public key along with the ciphertext. The sender can discard the ephemeral private key as soon as the encryption has been completed. Alternatively, the private key can be retained so that the sender can provide a signature at a later time to prove that they were the sender.

0 + 0
Elliot Solskjaer avatar
sa flag
Elliot Solskjaer
Exactly what I was looking for, thank you!
0
Reply
Score:2
kelalaka avatar Crypto
in flag
kelalaka

You might be looking for anonymous messaging in which the sender hides their identity from the receiver. The Libsodium has one specially designed for this sealed_box

Only the recipient can decrypt these messages, using its private key. While the recipient can verify the integrity of the message, it cannot verify the identity of the sender.

Bob can decrypt the incoming message from Alice, however, they cannot verify the identity of the sender. Also, there is no way Eve can determine the sender, too. This scheme uses an ephemeral private and public key pair (generated and used once) is generated and later the ephemeral private key is destroyed. As long as the sender IP etc. is hidden from the observers, there is no way to determine the sender.

Note 1: this is an existing and well-maintained library that you don't need to implement anything to achieve your target.

Note 2: ElGamal Encryption (1985) , on the other hand, is exactly designed in this manner. Alice doesn't need to set up a public-private key pair to send a message to Bob. ElGamal Encryption is used to encrypt the symmetric key ( or one can transmit the key material and derive the key with a good KDF like HKDF).

0 + 0
knaccc avatar
es flag
knaccc
Both ECIES/sealed_box and EC ElGamal are essentially creating an ephemeral key pair in order to then perform an ECDH step. Then they differ slightly according to whether a symmetric key is derived from this ECDH shared secret, or whether in the case of El Gamal the shared secret is encrypted with the ECDH shared secret.
0
Reply
kelalaka avatar
in flag
kelalaka
@knaccc It is here to show the first one ( DLIES 1999). sealed_box is intended to be like this ( provides only integrity) in contrast to crypto_box which has authentication, too ( the libsodium is the library to be used IMHO ). Yes, DLIES( ECIES) is also designed in this way, too.
0
Reply
knaccc avatar
es flag
knaccc
Ah interesting, that's a good point, I see what you're saying now. The authentication would be unnecessary overhead when the key pair is ephemeral.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.