[openssl-users] Better understanding of EC encryption API

Jeffrey Walton noloader at gmail.com
Fri Nov 27 13:40:26 UTC 2015

>    OpenSSL doesn't support it out of the box.  What you're looking for
> is something akin to
> https://en.wikipedia.org/wiki/Integrated_Encryption_Scheme.

+1 on ECIES.

If OpenSSL provided one additional, non-core feature, ECIES would be
at the top of my list. It's hard to use incorrectly, and easy to use
correctly. It's also IND_CCA2, which provides a number of desirable
security properties.

In my day job, I recommend it whenever I come across a home-grown
scheme rolled by the developers.

>    Ladar Levison has written an implementation which uses OpenSSL as a
> backend.  I tried finding it for you, but my connection (mobile, on
> train) is so bad that I couldn't be bothered to keep trying.

Speaking from experience, be careful of interop issues. I know of two
libraries that support ECIES out of the box. They are BouncyCastle and

In the past BouncyCastle and Crypto++ could not interop even though
they both claim to follow P1363. IEEE did not publish test vectors, so
each library had a misinterpretation that ensured they did not
interop. Here were the issues for each library:

  * BouncyCastle
      - Label should be 8 octets

  * Crypto++
      - Length of the label specified in bits

BouncyCastle fixed their issue in version 1.53 (about 2 months ago).
Crypto++ is fixing their issue at 5.7 (in about 2 months).

If you need a "gold" standard, then use BouncyCastle's implementation,
version 5.7 or above.
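
The label-length mismatch described in the message above, as an added example that is not part of the original post and is not code from BouncyCastle or Crypto++: it tags the same ciphertext with three encodings of the label-length field and checks which sender/receiver pairs verify. The MAC input layout (ciphertext, then label, then length field), HMAC-SHA256, the 4-octet width and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample values, not taken from any library or test vector.
MAC_KEY = bytes(range(32))
CIPHERTEXT = b"constructed ciphertext"
LABEL = b"app-label"

# Hypothetical encodings of the label-length field appended to the MAC input.
VARIANTS = {
    "8-octet/bits": (8, "bits"),
    "4-octet/bits": (4, "bits"),    # wrong field width
    "8-octet/bytes": (8, "bytes"),  # wrong unit
}

def length_field(label, octets, unit):
    """Big-endian label length, counted in bits or in bytes."""
    count = len(label) * 8 if unit == "bits" else len(label)
    return count.to_bytes(octets, "big")

def tag(label, octets, unit):
    """HMAC-SHA256 over ciphertext || label || length field (assumed layout)."""
    data = CIPHERTEXT + label + length_field(label, octets, unit)
    return hmac.new(MAC_KEY, data, hashlib.sha256).digest()

def interop_matrix(label=LABEL):
    """Map (sender, receiver) to whether the receiver accepts the sender's tag."""
    matrix = {}
    for sender, s_enc in VARIANTS.items():
        sent = tag(label, *s_enc)
        for receiver, r_enc in VARIANTS.items():
            matrix[(sender, receiver)] = hmac.compare_digest(sent, tag(label, *r_enc))
    return matrix

if __name__ == "__main__":
    for (sender, receiver), ok in interop_matrix().items():
        print(f"{sender:>14} -> {receiver:<14} {'accepted' if ok else 'REJECTED'}")
```

With an empty label the bits and bytes variants produce the same tag, so a test that only uses an empty label does not reveal the unit mismatch.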

