-1

As we know, ECC using $C_2 = r \cdot G, C_1 = M + r \cdot G$; and decrypt with $M=C_1 - K \cdot C_2$. And sign using point $X$: $X = k \cdot G(x_0,y_0)$. $r = x_0 \cdot K; s = 1 / k \cdot (M + r \cdot d) \mod(n)$; here $d$ is private key, $K$ is public key. and then verify by is true of $r \cdot G == M \cdot G / s + x \cdot K/s$.

Here is my question: can I encrypt using private key (or sign) and get the message $M$ directly by public key $K$? Instead of $r \cdot G == M \cdot G / s + x \cdot K/s$, how can I got something like $M = \operatorname{function}(r,s,K,G)$ ?

Thanks Edward

Maarten Bodewes
  • 92,551
  • 13
  • 161
  • 313
Edward
  • 1
  • 4
    Actually, the standard method to encrypt using ECC is ECIES. Standard methods to sign using ECC include ECDSA and EC-Schnorr. – fgrieu Jul 11 '21 at 08:47
  • 1
    Err, why do you want to encrypt with your private key. Since your public key is public implies the encrypted message can decrypt by everybody. What is your actual problem? Also, private key is integer and public key is a point! – kelalaka Jul 11 '21 at 17:40
  • I try to replace RSA with ECC in a very small project. If ECC can't do that, I may still use RSA to do that message recovery. – Edward Jul 13 '21 at 06:24
  • If you cannot live with the 64 byte overhead of ECC (assuming 256 bit key size) then I would recommend sticking with RSA, although it is less strong in the classical sense and that signatures giving message recovery are generally not state-of-the-art like PSS. – Maarten Bodewes Jul 26 '21 at 13:57

1 Answers1

5

In public-key cryptography, there is NO SUCH THING as "encrypt with private key". It's a misnomer since the RSA days.

Also, what you describe as "M = function(pubkey, signature)" is signature with message recovery. These algorithms are rare nowadays and had been largely replaced with signature with appendix (which ECDSA is one of them).

ECC as specified in SEC#* series of standards are based on discrete logarithm problem over elliptic curves. By their nature, building DLog-based trapdoor permutation of arbitrary size is significantly more inefficient than building signature formula that use DLog difficulty to prevent secret components from leaking. Therefore, ECC don't have digital signature with message recovery.

DannyNiu
  • 9,207
  • 2
  • 24
  • 57
  • In the case that we don't need to know the message before we verify the signature. If we can calculate M=function(pubkey,signature), we can directly get M and verified. RSA can do that, why ECC can't? --- regardless of why we need this , could you please tell how to solve this M=func(pub,sign) in ECC ? – Edward Jul 12 '21 at 07:28
  • @Edward See if that's a satisfactory explanation. – DannyNiu Jul 12 '21 at 08:27
  • It is great to know that ECC can't do message recovery. and I agree with you about the efficiency issue. Yet, it is true that there are some cases that we need message recovery. First is that hash can be made ,though it is difficult. Verified hash don't 100%ly means message is the true Message. In my another case, we need message recovery. – Edward Jul 13 '21 at 05:41