A Survey of The Elliptic Curve Integrated Encryption Scheme: January 2010

JOURNAL OF COMPUTER SCIENCE AND ENGINEERING, VOLUME 2, ISSUE 2, AUGUST 2010

A Survey of the Elliptic Curve Integrated Encryption Scheme

V. Gayoso Martínez, L. Hernández Encinas, and C. Sánchez Ávila

Abstract— Elliptic Curve Cryptography (ECC) is a relatively recent branch of cryptography based on the arithmetic of elliptic curves and the Elliptic Curve Discrete Logarithm Problem (ECDLP). Elliptic curve cryptographic schemes are public-key mechanisms that provide encryption, digital signature and key exchange capabilities. The best known encryption scheme based on ECC is the Elliptic Curve Integrated Encryption Scheme (ECIES), included in the ANSI X9.63, ISO/IEC 18033-2, IEEE 1363a, and SECG SEC 1 standards. In the present work, we offer a comprehensive introduction to ECIES, detailing the encryption and decryption procedures and the list of functions and special characteristics included in the aforementioned standards.

Index Terms— Elliptic Curve Cryptography, ECIES, encryption scheme.

1 INTRODUCTION

The development of public-key cryptography by Whitfield Diffie and Martin Hellman in 1976 [1] represented a revolution in the cryptographic world, overcoming some of the limitations inherent to symmetric-key algorithms such as the key distribution problem.

Public-key schemes are complex designs that, in order to be useful, must be secure and efficient. In general, both characteristics depend on the mathematical problem on which they are based. Some examples of those problems are the integer factorization problem (IFP) used in the RSA cryptosystem [2], the discrete logarithm problem (DLP) used in the ElGamal scheme [3], and the elliptic curve discrete logarithm problem (ECDLP).

In 1985, Victor Miller [4] and Neal Koblitz [5] independently proposed a cryptosystem based on elliptic curves, whose security relies on the ECDLP problem. Elliptic Curve Cryptography (ECC) can be applied to data encryption and decryption, digital signatures, and key exchange procedures.

As in the case of the IFP and DLP, no algorithm is known that solves the ECDLP in an efficient way. Moreover, the ECDLP is regarded as the hardest of these three problems ([5] and [6]). From this fact derives one of the most important benefits of ECC: the key size. Keys in ECC are significantly shorter than in other cryptosystems such as RSA. A shorter key implies easier data management, lower hardware requirements (in terms of buffers, memory, data storage, etc.), less bandwidth when transmitting the keys over a network, and longer battery life in devices where it is important, such as mobile phones.

A comparison between RSA and ECC key lengths is shown in Table 1 and illustrated in Fig. 1, with data taken from [7] and [8], where the security level is interpreted as the cryptographic strength provided by a symmetric encryption algorithm using a key of n bits.

TABLE 1
KEY LENGTH COMPARISON OF RSA AND ECC

Security level (bits)   RSA key length (bits)   ECC key length (bits)   Approx. ratio
80                      1024                    160-223                 5-6:1
112                     2048                    224-255                 8-9:1
128                     3072                    256-283                 11-12:1
192                     7680                    384-511                 15-20:1
256                     15360                   512-571                 27-30:1

Fig. 1. Key length comparison for RSA and ECC cryptosystems.

————————————————
• V. Gayoso Martínez is with the Applied Physics Institute, Spanish National Research Council (CSIC), Madrid, Spain.
• L. Hernández Encinas is with the Applied Physics Institute, Spanish National Research Council (CSIC), Madrid, Spain.
• C. Sánchez Ávila is with the Applied Mathematics to Information Technologies Department, Polytechnic University, Madrid, Spain.

© 2010 JCSE
http://sites.google.com/site/jcseuk/

In the present work, we provide a comprehensive introduction to the ECIES encryption scheme, detailing the encryption and decryption procedures and the list of functions and special characteristics included in the ANSI X9.63, IEEE 1363a, ISO/IEC 18033-2, and SECG SEC 1 standards.

This paper is organized as follows: Section 2 presents a brief introduction to elliptic curves and ECC. Section 3 enumerates the most important ECC implementations for key exchange, digital signatures and encryption applications. Section 4 describes in detail the ECIES scheme and the encryption and decryption steps performed during its operation. In Section 5 we offer a comparison of the ECIES allowed functions contained in the aforementioned standards. Finally, Section 6 provides a description of some of the additional options that must be taken into consideration not only when developing an ECIES implementation, but also when using this encryption scheme as a final user.

An earlier version of this work appeared in [9], where the comparison of the ECIES standards was included for the first time by the authors. The present contribution offers, in addition to what was presented in [9], an extended introduction to ECC, the fully detailed encryption and decryption processes, and the section dealing with the additional options that must be taken into account when configuring ECIES.

2 ELLIPTIC CURVE CRYPTOGRAPHY

An elliptic curve E over the finite field (or Galois Field) GF is defined by the following equation, known as the Weierstrass equation for elliptic curves in non-homogeneous form [7]:

$$y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6, \tag{1}$$

where $a_1, a_2, a_3, a_4, a_6 \in GF$ and $\Delta \neq 0$, $\Delta$ being the discriminant of E, calculated in the following way [10]:

$$\Delta = -d_2^2 d_8 - 8 d_4^3 - 27 d_6^2 + 9 d_2 d_4 d_6,$$

with $d_2 = a_1^2 + 4a_2$, $d_4 = 2a_4 + a_1 a_3$, $d_6 = a_3^2 + 4a_6$, and finally $d_8 = a_1^2 a_6 + 4 a_2 a_6 - a_1 a_3 a_4 + a_2 a_3^2 - a_4^2$.

The condition $\Delta \neq 0$ assures that the curve is non-singular, and thus there are no curve points with two or more different tangent lines.

The homogeneous form of the Weierstrass equation is

$$Y^2 Z + a_1 XYZ + a_3 YZ^2 = X^3 + a_2 X^2 Z + a_4 XZ^2 + a_6 Z^3,$$

and this implies the existence of a special point which can only be interpreted in the projective plane: the point at infinity O. This point is paramount in the usage of elliptic curves in cryptography, as it is the identity element that, together with the rest of the points of the elliptic curve and the addition operator (which allows adding two points of the elliptic curve, P and Q, in order to generate another point, R=P+Q), characterizes the elliptic curve with the mathematical structure of an abelian group.

When the same point is added several times to itself in the abelian group defined by an elliptic curve, the addition operator is transformed into the scalar multiplication, which in practice allows multiplying an elliptic curve point P by a positive integer n in order to produce another elliptic curve point, S=n·P.

The number of points of an elliptic curve (a concept also known as the cardinal or the order of the curve) is represented as #E. In contrast, the order of a point P that belongs to an elliptic curve E is the smallest positive integer n that produces the result n·P=O.

From a cryptographic point of view, not every elliptic curve is useful. Cryptographers are interested in elliptic curves that form cyclic abelian groups, and also in elliptic curves with cyclic subgroups, so that the cofactor is a small number (e.g. 2, 4, etc.). As a consequence of Lagrange's theorem (which states that for any finite group M, the order of every subgroup N of M divides the order of M), the order of the generator (i.e. the elliptic curve point that generates all the points of the cyclic subgroup) always divides the order of the elliptic curve (which is not necessarily a prime number).

Two types of finite fields $GF(q)$, with $q = p^m$ elements, are used in ECC: prime finite fields $GF(p)$ (where p is an odd prime and m = 1) and binary finite fields $GF(2^m)$ (where p = 2 and m can be any integer greater than 1). When working with finite fields, using the proper change of variables it is possible to simplify the Weierstrass equation, obtaining new equations that are less general (they are adapted to specific finite fields) but easier to manage.

If the characteristic of the finite field is 2, then $GF(q) = GF(2^m)$. If $a_1 \neq 0$, equation (1) can be reduced to the form

$$y^2 + xy = x^3 + ax^2 + b, \tag{2}$$

where the discriminant is $\Delta = b$.

If $a_1 = 0$, then equation (1) is transformed into

$$y^2 + cy = x^3 + ax + b, \tag{3}$$

where the discriminant is $\Delta = c^4$.

Moreover, if the characteristic of the finite field is 3, then two cases appear. If $a_1^2 \neq -a_2$, equation (1) is reduced to

$$y^2 = x^3 + ax^2 + b, \tag{4}$$

where the discriminant is $\Delta = -a^3 b$.

In contrast, if $a_1^2 = -a_2$, then equation (1) is reduced to

$$y^2 = x^3 + ax + b, \tag{5}$$

where the discriminant is $\Delta = -a^3$.

Finally, if the characteristic of $GF(q)$ is neither 2 nor 3, using the proper change of variables equation (1) can be transformed into

$$y^2 = x^3 + ax + b, \tag{6}$$

where the discriminant is $\Delta = -16(4a^3 + 27b^2)$.

The set of parameters to be used in any ECC implementation depends on the underlying finite field. When
the field is $GF(p)$, the set of parameters that define the curve is (p,a,b,G,n,h), whereas if the finite field is $GF(2^m)$, the set of parameters is (m,f(x),a,b,G,n,h). The meaning of each element in both sets is the following:
• p is the prime number that characterizes the finite field $GF(p)$.
• m is the integer number specifying the finite field $GF(2^m)$.
• f(x) is the irreducible polynomial of grade m defining $GF(2^m)$.
• a and b are the elements of the finite field $GF(q)$ taking part in the equations (2), (3), (4), (5), and (6).
• G=(Gx,Gy) is the point of the curve that will be used as a generator of the points representing public keys.
• n is the prime number whose value represents the order of the point G (i.e. n·G=O).
• h is the cofactor of the curve, computed as h=#E/n, where n is the order of the generator G.

3 ECC STANDARDS

Theoretical findings related to either RSA or ECC cannot be used directly, as it is necessary to define data structures and procedures to manage the information. Currently there are three immediate applications for ECC in cryptography, as described in this section.

3.1 Elliptic Curve Diffie-Hellman

The main objective of key exchange protocols is to put in contact two or more entities communicating through an open and insecure channel, sharing a secret key that will provide data confidentiality and integrity to any information exchanged using that channel.

ECDH denotes the generic key exchange scheme based on the Diffie-Hellman mechanism applied to elliptic curves. Some practical implementations can be found in the ANSI X9.63 [11], IEEE 1363 [12], NIST SP 800-56A [13], and SEC 1 [14] documents.

3.2 Elliptic Curve Digital Signature Algorithm

FIPS 186-2 [15] describes all the algorithms and digital signature schemes that can be used by any agency of the U.S. government. Currently those algorithms are DSA, RSA and ECDSA. ECDSA is the elliptic curve variant of the Digital Signature Algorithm (DSA).

Both FIPS 186-2 [15] and ANSI X9.62 [16] state a minimum key size of 1024 bits for RSA and DSA and 160 bits for ECC, which provides security equivalent to a symmetric block cipher with a key size of 80 bits (see Table 1).

As a comparison, texts signed with a 1024-bit RSA key produce a digital signature of 128 bytes, whilst the same text signed with a 192-bit ECDSA key generates a digital signature of 48 bytes.

3.3 Elliptic Curve Integrated Encryption Scheme

The most extended encryption and decryption scheme based on ECC is the Elliptic Curve Integrated Encryption Scheme (ECIES). This scheme is a variant of the ElGamal scheme proposed by Abdalla, Bellare, and Rogaway in [17] and [18].

Slightly different versions of ECIES can be found in the ANSI X9.63 [11], IEEE 1363a [19], ISO/IEC 18033-2 [20] and SEC 1 [14] standards.

As an example, any standard symmetric key encrypted with a 1024-bit RSA key produces an output of 128 bytes, compared with the output of 84 bytes if the encryption is performed with one of the possible configurations of ECIES.

4 ECIES

As its name properly indicates, ECIES is an integrated encryption scheme which uses the following functions:
• Key Agreement (KA): Function used for the generation of a shared secret by two parties.
• Key Derivation Function (KDF): Mechanism that produces a set of keys from keying material and some optional parameters.
• Encryption (ENC): Symmetric encryption algorithm.
• Message Authentication Code (MAC): Data used in order to authenticate messages.
• Hash (HASH): Digest function, used within the KDF and the MAC functions.

To describe the steps that must be taken in order to encrypt a clear message, we will follow the tradition and will assume that Alice wants to send a message to Bob. In that scenario, Alice's ephemeral private and public keys will be represented as u and U, respectively. Similarly, we will refer to Bob's private and public keys as v and V, respectively.

In ECC, private keys are elements of the finite field, either $GF(p)$ or $GF(2^m)$, whilst public keys are points belonging to the elliptic curve and calculated as the product of the private key and the generator G of the elliptic curve. The steps (shown in Fig. 2) that Alice must complete are the following:
1) Alice must create an ephemeral key pair consisting of the finite field element u and the elliptic curve point U=u·G. That key pair should be generated pseudo-randomly exclusively for the current process.
2) After the ephemeral keys u and U are generated, Alice will use the Key Agreement function, KA, in order to create a shared secret value, which is the result of the scalar multiplication u·V, considering as input values Alice's ephemeral private key u and Bob's public key V.
3) Then, Alice must take the shared secret value u·V and optionally other parameters (e.g. the binary representation of the ephemeral public key U) as input data for the Key Derivation Function, KDF. The output of this function is the concatenation of the symmetric encryption key, kENC, and the MAC key, kMAC.
4) With the element kENC and the clear message, m, Alice will use the symmetric encryption algorithm, ENC, in order to produce the encrypted message, c.
5) Taking the encrypted message c, kMAC and optionally other parameters, such as a text string previously agreed by both parties, Alice must use the selected MAC function in order to produce a tag.
6) Finally, Alice will take the temporary public key U, the
tag, and the encrypted message c, and will send the cryptogram (U||tag||c) consisting of those three concatenated elements to Bob.

Fig. 2. ECIES encryption functional diagram.

Regarding the decryption process, the steps that Bob must perform (shown in Fig. 3) are the following:
1) After receiving the cryptogram (U||tag||c) from Alice, Bob must retrieve the ephemeral public key U, the tag, and the encrypted message c, so he can deal with those elements separately.
2) Using the retrieved ephemeral public key, U, and his own private key, v, Bob will multiply both elements in order to produce the shared secret value v·U, as the result of this computation is the same as the product u·V, which is the core of the Diffie-Hellman procedure ([1] and [7]).
3) Taking as input the shared secret value v·U and the same optional parameters that Alice used, Bob must produce the same encryption and MAC keys by means of the KDF procedure.
4) With the MAC key kMAC, the encrypted message c, and the same optional parameters used by Alice, Bob will first compute the element tag*, and then he will compare its value with the tag that he received as part of the cryptogram. If the values are different, Bob must reject the cryptogram due to a failure in the MAC verification procedure.
5) If the tag value generated by Bob is the correct one, then he will continue the process by deciphering the encrypted message c using the symmetric ENC algorithm and kENC. At the end of the decryption process, Bob will be able to access the plaintext that Alice intended to send him.

5 ECIES ALLOWED FUNCTIONS COMPARISON

This section presents the comparison of allowed KA, KDF, HASH, ENC, and MAC functions that appear in the ANSI X9.63 [11], IEEE 1363a [17], ISO/IEC 18033-2 [20], and SECG SEC 1 [14] standards.

Table 2 shows the different KA functions allowed in ECIES. In the context of ECIES, DH denotes the Diffie-Hellman key agreement function [1] whose standard procedure was described in Section 4, whilst the term DHC refers to the Diffie-Hellman variant that, in addition to the sender's and recipient's keys, includes the cofactor in the computation of the shared secret value by means of the products h·u·V and h·v·U [7].

TABLE 2
ECIES KA FUNCTIONS PER STANDARD

X9.63 1363a 18033-2 SEC 1
DH DH DH DH
DHC DHC DHC

The KDF functions considered in ECIES are presented in Table 3, where X9.63-KDF is the KDF function defined in the ANSI X9.63 standard, KDF1 and KDF2 are functions defined by the ISO/IEC 18033-2 document, and NIST-800-56 is the KDF concatenation function specified in NIST SP 800-56A [13].
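
The encryption and decryption steps of Section 4 as a runnable round trip. This is an added example, not code from the paper or from any of the standards; it assumes the secp256k1 curve, DH key agreement with only the x-coordinate fed to the KDF, a counter-mode SHA-256 KDF in the X9.63 style with the encoded U as optional parameter, XOR as ENC, HMAC-SHA-256 as MAC, the uncompressed 0x04||Px||Py point format, and the kENC||kMAC ordering.

```python
import hashlib
import hmac
import secrets

# secp256k1 domain parameters (p, a, b, G, n), cofactor h = 1. Curve choice is an assumption.
P = 2**256 - 2**32 - 977
A, B = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
POINT_LEN, TAG_LEN = 65, 32  # 0x04 || Px || Py, and the HMAC-SHA-256 tag


def on_curve(pt):
    """True if pt = (x, y) satisfies y^2 = x^3 + ax + b over GF(p)."""
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - x * x * x - A * x - B) % P == 0


def add(p1, p2):
    """Point addition R = P + Q; None represents the point at infinity O."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # P + (-P) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def mul(k, pt):
    """Scalar multiplication k·pt by double-and-add (illustrative, not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def encode(pt):
    """Uncompressed binary form 0x04 || Px || Py."""
    return b"\x04" + pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def decode(data):
    """Parse 0x04 || Px || Py, rejecting anything that is not a point of the curve."""
    if len(data) != POINT_LEN or data[0] != 0x04:
        raise ValueError("unsupported point encoding")
    pt = (int.from_bytes(data[1:33], "big"), int.from_bytes(data[33:], "big"))
    if not on_curve(pt):
        raise ValueError("point is not on the curve")
    return pt


def derive_keys(shared, u_bytes, msg_len):
    """KDF: SHA-256(Z || counter || U) blocks, interpreted as kENC || kMAC."""
    z = shared[0].to_bytes(32, "big")  # KDF input: x-coordinate only
    need, out, counter = msg_len + TAG_LEN, b"", 1
    while len(out) < need:
        out += hashlib.sha256(z + counter.to_bytes(4, "big") + u_bytes).digest()
        counter += 1
    return out[:msg_len], out[msg_len:need]


def xor(data, key):
    """ENC and its inverse: byte-wise XOR with a key as long as the data."""
    return bytes(d ^ k for d, k in zip(data, key))


def encrypt(V, m):
    """Alice's steps 1-6: returns the cryptogram U || tag || c."""
    u = secrets.randbelow(N - 1) + 1                   # 1) ephemeral u in [1, n-1]
    U = encode(mul(u, G))
    k_enc, k_mac = derive_keys(mul(u, V), U, len(m))   # 2) KA: u·V, 3) KDF
    c = xor(m, k_enc)                                  # 4) ENC
    tag = hmac.new(k_mac, c, hashlib.sha256).digest()  # 5) MAC over c
    return U + tag + c                                 # 6) U || tag || c


def decrypt(v, cryptogram):
    """Bob's steps 1-5: the tag is verified before any decryption happens."""
    if len(cryptogram) < POINT_LEN + TAG_LEN:
        raise ValueError("cryptogram too short")
    U = cryptogram[:POINT_LEN]                         # 1) split U, tag, c
    tag = cryptogram[POINT_LEN:POINT_LEN + TAG_LEN]
    c = cryptogram[POINT_LEN + TAG_LEN:]
    k_enc, k_mac = derive_keys(mul(v, decode(U)), U, len(c))  # 2) v·U, 3) KDF
    expected = hmac.new(k_mac, c, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):         # 4) tag* against tag
        raise ValueError("MAC verification failed")
    return xor(c, k_enc)                               # 5) recover m
```

decode() rejects a received U that does not satisfy the curve equation before Bob's private key v is multiplied with it, and decrypt() compares the tags with hmac.compare_digest so the comparison time does not depend on where they differ.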

Fig. 3. ECIES decryption functional diagram.

TABLE 3
ECIES KDF FUNCTIONS PER STANDARD

ANSI X9.63 IEEE 1363a ISO 18033-2 SECG SEC 1
X9.63-KDF X9.63-KDF KDF1 X9.63-KDF
KDF2 NIST-800-56

In Table 4, the HASH functions used in ECIES are presented. SHA-1 is the well-known digest function included in [21]; SHA-2 represents the family composed by SHA-256, SHA-384, and SHA-512 [21]; SHA-2* is the SHA-2 family with the addition of the SHA-224 hash algorithm [21]; RIPEMD is the set of hash algorithms defined in [22]; and WHIRLPOOL is the function defined in [23].

TABLE 4
ECIES HASH FUNCTIONS PER STANDARD

ANSI X9.63 IEEE 1363a ISO 18033-2 SECG SEC 1
SHA-1 SHA-1 SHA-1 SHA-1
SHA-2 SHA-2 SHA-2*
RIPEMD RIPEMD
WHIRLPOOL

The symmetric ciphers considered in ECIES are shown in Table 5, where TDES is the Triple DES algorithm in CBC mode [24]; AES represents the Advanced Encryption Standard family, i.e., AES-128, AES-192, and AES-256 [25]; and MISTY1, CAST-128, Camellia, and SEED are the algorithms specified in [26], [27], [28], and [29], respectively.

TABLE 5
ECIES ENC FUNCTIONS PER STANDARD

ANSI X9.63 IEEE 1363a ISO 18033-2 SECG SEC 1
XOR TDES TDES XOR
AES AES AES
MISTY1
CAST-128
Camellia
SEED

In Table 6, the allowed MAC functions are shown. DEA is the MAC function specified in ANSI X9.19 [30]; X9.71 is the reference to another MAC standard developed by ANSI [31]; MAC1, HMAC-SHA-1, and HMAC-RIPEMD are defined in [32]; HMAC-SHA-2 represents the family of HMAC algorithms, i.e., HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512, described in [33]; HMAC-SHA-2* is the same as HMAC-SHA-2 with the addition of the HMAC-SHA-224 function; and CMAC-AES is the set of HMAC functions related to the AES symmetric algorithm, that is, CMAC-AES-128, CMAC-AES-192, and CMAC-AES-256, included in [34].

TABLE 6
ECIES MAC FUNCTIONS PER STANDARD

ANSI X9.63 IEEE 1363a ISO 18033-2 SECG SEC 1
DEA MAC1 H-SHA-1 H-SHA-1
ANSI X9.71 H-SHA-2 H-SHA-2*
H-RIPEMD CMAC-AES

6 ECIES ADDITIONAL OPTIONS

Due to the significant number of functions implied in the operation of ECIES, there are several options that must be fixed in order to allow the recipient to correctly interpret the cryptogram and successfully decrypt it.

In this section we present the most interesting additional options that must be taken into account by both ECIES developers and users.

6.1 Point compression usage

When converting an elliptic curve point into a binary string, sender and recipient must agree on one of the following two formats:
• Uncompressed: Both coordinates are taken into account. A header byte 0x04 indicates that this is the format in use, so the byte string corresponding to the elliptic curve point P=(Px,Py) would be 0x04||Px||Py, where Px and Py are the binary representations of the coordinates (considered as integer numbers), and || is the concatenation operator.
• Compressed: Only the first coordinate is used, which is signalled by using the header byte 0x02 or 0x03. The proper value of the header is decided based on some computations performed involving both coordinates, so for any elliptic curve point only one compressed binary representation, either 0x02||Px or 0x03||Px, is valid.

6.2 Shared secret value generation

Independently of which of the KA functions is used (DH or DHC), users face a variety of options regarding the information that will be taken as input in the KDF function:
• Firstly, users must decide whether to use the whole point P=(Px,Py), obtained as the output of the KA function, or just the first coordinate of that point, Px.
• Secondly, they must decide whether to use the element selected given the previous decision, or the hash output of that element, as described in [19].

6.3 Keying material interpretation

Before obtaining the MAC and ENC keys from the output of the KDF function, users must define the interpretation order of that output. The two options available are:
• First, the MAC key; then, the ENC key (kMAC||kENC).
• First, the ENC key; then, the MAC key (kENC||kMAC).

CONCLUSIONS

ECIES is the best known encryption scheme in the scope of ECC, which is one of the most interesting current cryptographic trends. Even though ECIES provides some valuable advantages over other cryptosystems such as RSA, the number of slightly different versions of ECIES included in the standards may obstruct the adoption of ECIES.

After analyzing the ECIES descriptions contained in ANSI X9.63, IEEE 1363a, ISO/IEC 18033-2, and SECG SEC 1, it can be stated that it is not possible to implement a software version compatible with all those standards, regarding both the specific operations and the list of allowed functions and algorithms. In addition to this, implementations may face another important problem, which is the limitation in the functions available to the developer in the application programming interface of the target device (PCs, smart cards, mobile phones, etc.).

Taking into account both the interoperability and security aspects, even though the newer versions (ISO/IEC 18033-2 and SECG SEC 1) may not be fully compatible with legacy devices, they provide access to the most recent and secure functions (e.g. SHA-2, AES, etc.), and include recommendations to avoid the latest cryptographic attacks, so those standards should be considered as the starting point for any ECIES implementation.

ACKNOWLEDGMENT

This work has been partially supported by Ministerio de Ciencia e Innovación (Spain) under the grant TEC2009-13964-C04-02 and Ministerio de Industria, Turismo y Comercio (Spain) in collaboration with CDTI and Telefónica I+D under the project Segur@ CENIT-2007 2004.

REFERENCES

[1] W. Diffie and M.E. Hellman, “New directions in cryptography”, IEEE Transactions in Information Theory, vol. 22, pp. 644-654, 1976.
[2] R. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems”, Communications of the ACM, vol. 26, pp. 96-99, 1983.
[3] T. ElGamal, “A public key cryptosystem and a signature scheme based on discrete logarithms”, IEEE Transactions on Information Theory, vol. 31, pp. 469-472, 1985.
[4] V.S. Miller, “Use of elliptic curves in cryptography”, Lecture Notes in Computer Science, vol. 218, pp. 417-426, 1986.
[5] N. Koblitz, “Elliptic curve cryptosystems”, Mathematics of Computation, vol. 48, pp. 203-209, 1987.
[6] Bundesamt für Sicherheit in der Informationstechnik (BSI), Elliptic Curve Cryptography, TR 03111, 2009. http://www.bsi.de/literat/tr/tr03111/BSI-TR-03111.pdf
[7] D. Hankerson, A. J. Menezes, and S. Vanstone, Guide to Elliptic Curve Cryptography. New York: Springer-Verlag, 2003.
[8] National Institute of Standards and Technology (NIST), Recommendation for key management – Part 1: General, SP 800-57, 2007.
[9] V. Gayoso Martínez, L. Hernández Encinas, and C. Sánchez Ávila, “A Comparison of the Standardized Versions of ECIES”, Proceedings of the Sixth International Conference on Information Assurance and Security – IAS 2010, Atlanta, 2010.
[10] J. Silverman, The Arithmetic of Elliptic Curves. New York: Springer-Verlag, 1986.
[11] American National Standards Institute (ANSI), Public Key Cryptography for the Financial Services Industry: Key Agreement and Key Transport Using Elliptic Curve Cryptography, X9.63, 2001.
[12] Institute of Electrical and Electronics Engineers (IEEE), Standard Specifications for Public Key Cryptography, Std. 1363, 2000.
[13] National Institute of Standards and Technology (NIST), Recommendation for Pair-wise Key Establishment Schemes Using Discrete Logarithm Cryptography, SP 800-56A, 2005.
[14] Standards for Efficient Cryptography Group (SECG), Elliptic Curve Cryptography, SEC 1, version 2, 2009. http://www.secg.org/download/aid-780/sec1-v2.pdf
[15] National Institute of Standards and Technology (NIST), Digital Signature Standard (DSS), FIPS 186-2, 2000.
[16] American National Standards Institute (ANSI), Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA), X9.62, 1998.
[17] M. Abdalla, M. Bellare, and P. Rogaway, “DHAES: An encryption scheme based on the Diffie-Hellman problem”, submission to IEEE P1363a, 1998. http://grouper.ieee.org/groups/1363/P1363a/contributions/dhaes.pdf
[18] M. Abdalla, M. Bellare, and P. Rogaway, DHIES: An encryption scheme based on the Diffie-Hellman problem, unpublished, 2001. http://www.cs.ucdavis.edu/~rogaway/papers/dhies.pdf
[19] Institute of Electrical and Electronics Engineers (IEEE), Standard Specifications for Public Key Cryptography - Amendment 1: Additional Techniques, Std. 1363a, 2004.
[20] International Organization for Standardization/International Electrotechnical Commission (ISO/IEC), Information Technology – Security Techniques – Encryption Algorithms – Part 2: Asymmetric Ciphers, 18033-2, 2006.
[21] National Institute of Standards and Technology (NIST), Secure Hash Standard, FIPS 180-2, 2002.
[22] H. Dobbertin, A. Bosselaers, and B. Preneel, “RIPEMD-160: A Strengthened Version of RIPEMD”, Lecture Notes in Computer Science, vol. 1039, pp. 71-82, 1996.
[23] International Organization for Standardization/International Electrotechnical Commission (ISO/IEC), Information Technology – Security Techniques – Hash-functions – Part 3: Dedicated Hash-functions, 10118-3, 2004.
[24] American National Standards Institute (ANSI), Triple Data Encryption: Modes of Operation, X9.52, 1998.
[25] National Institute of Standards and Technology (NIST), Advanced Encryption Standard, FIPS 197, 2001.
[26] M. Matsui, Specification of MISTY1 - A 64-bit Block Cipher, submission to NESSIE, 2000. https://www.cosic.esat.kuleuven.be/nessie/workshop/submissions/misty1.zip
[27] C. Adams, The CAST-128 Encryption Algorithm, RFC 2144, 1997. http://www.ietf.org/rfc/rfc2144.txt
[28] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, J. Nakajima, and T. Tokita, “Camellia: A 128-Bit Block Cipher Suitable for Multiple Platforms - Design and Analysis”, Lecture Notes in Computer Science, vol. 2012, pp. 39-56, 2001.
[29] H.J. Lee, S.J. Lee, J.H. Yoon, D.H. Cheon, and J.I. Lee, The SEED Encryption Algorithm, RFC 4269, 2005. http://www.ietf.org/rfc/rfc4269.txt
[30] American National Standards Institute (ANSI), Financial Institution Retail Message Authentication, X9.19, 1996.
[31] American National Standards Institute (ANSI), Keyed Hash Message Authentication Code, X9.71, 2001.
[32] H. Krawczyk, M. Bellare, and R. Canetti, HMAC: Keyed Hashing for Message Authentication, RFC 2104, 1997. http://www.ietf.org/rfc/rfc2104.txt
[33] National Institute of Standards and Technology (NIST), The Keyed-Hash Message Authentication Code (HMAC), FIPS 198, 2002.
[34] National Institute of Standards and Technology (NIST), Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication, SP 800-38B, 2005.

INFORMATION ABOUT AUTHOR(S):

Víctor Gayoso Martínez obtained his Master Degree in Telecommunication Engineering from the Polytechnic University of Madrid in 2002. Since then, he has been working in topics related to smart cards, Java technology and public key cryptography.

Luis Hernández Encinas obtained his Ph.D. in Mathematics from the University of Salamanca, in 1992. He is a researcher at the Department of Information Processing and Coding, Spanish Council for Scientific Research (CSIC). His current research interests include cryptography, algebraic curve cryptosystems, image processing and number theory.

Carmen Sánchez Ávila received the Ph.D. in Mathematical Sciences from the Polytechnic University of Madrid in 1993. At present she is Professor in the Department of Applied Mathematics, where during the last years she has been teaching different undergraduate courses as well as graduate courses in Biometric and Cryptography.
