P1363a DL Encryption Schemes

This table compares the different DL encryption schemes considered for inclusion into P1363a during the June 1999 meeting and referenced in the meeting minutes. It was recorded during that meeting and is posted here for general review.

Name

Provably Secure?
Can vary

size?

Patent status
Sender precomp potential before seeing anything

(precomp 1).
Sender precomp potential with PK_R, without message, having done precomp

1.
Sender precomp potential with message, without PK_R, having done precomp

1.

Sender comp remaining

Recip comp

Extra

Special consider-ations

Zheng

Dispute

No

No inventor patent

1 Key Gen (needs domain params)

1 SVD, 1UHF, 1KDF

I UHF, 1 SymE

1 SVD, 2UHF, 1KDF, 1 SymE

Optional params

DH-ES
DH-AES

Yes, under RO, DH, SymE, MAC, RNG

Yes

No inventor patent

1 Key Gen (needs domain params)

1 SVD, 1KDF

1 MAC, 1 SymE

1 SVD, 1 KDF, 1 MAC, 1 SymE

X9.63 AES

? (alleged to be secure)

Yes

Patent pending?

1 Key Gen (needs domain params)

1 SVD, 1KDF

1 MAC, 1 SymE

1 SVD, 1 KDF, 1 MAC, 1 SymE

Optional params

ElGamal (with no message formatting)

No

No

No inventor patent

1 Key gen (needs domain params)

1 SVD

1 combine

1 SVD, 1 combine.

Public domain since 1984

ElGamal (with OAEP message formatting)

Yes, under RO, DH, RNG

Yes

No inventor patent

1 Key gen (needs domain params)

1 SVD

1 message format

1 combine

1 SVD, 1 combine, 1 check format.

PSEC - 1

Yes, under RO, DH

No

Royalty free

1 Hash, 1 SVD, 1 Exp, 1 XOR

1 comp,1 Hash, 1 SVD, 1 Exp, 1 XOR

RNG failure

PSEC - 2

Yes, under RO, DH, SymE, RNG

Yes

Royalty free

1 KDF

1 Hash, 1 SVD, 1 Exp, 1 XOR, 1 SymE

1 KDF, 1 comp,1 Hash, 1 SVD, 1 Exp, 1 XOR, 1 SymE

IBM Swizzle

Dispute

Yes

Patented

Depends on encryption scheme

1 message format

Typically 1 key gen, 1 SVD, 1 combine

1 key gen, 1 SVD, 1 combine, 1 check format.

Notes on new table:

"Size Variability" means system can process messages of size greater than the underlying blocksize by use of (typically) a symmetric encryption scheme.
"Combine" for ElGamal is deliberately left generic, but is usually XOR or multiplication.
SVD = Secret Value Derivation
KDF = Key Derivation Function
Comp = compare
Key Gen, SVD, Exp all cost one exponentiation (= point multiply in EC case)
KDF costs hash, typically of keylength of data
Hash, MAC costs hash, typcially of message length
SymE costs symmetric encryption of message length

Name	Provably Secure?	Can vary size?	Patent status	Sender precomp potential before seeing anything (precomp 1).	Sender precomp potential with PK_R, without message, having done precomp 1.	Sender precomp potential with message, without PK_R, having done precomp 1.	Sender comp remaining	Recip comp	Extra	Special consider-ations
Zheng	Dispute	No	No inventor patent	1 Key Gen (needs domain params)	1 SVD, 1UHF, 1KDF		I UHF, 1 SymE	1 SVD, 2UHF, 1KDF, 1 SymE	Optional params
DH-ES DH-AES	Yes, under RO, DH, SymE, MAC, RNG	Yes	No inventor patent	1 Key Gen (needs domain params)	1 SVD, 1KDF		1 MAC, 1 SymE	1 SVD, 1 KDF, 1 MAC, 1 SymE
X9.63 AES	? (alleged to be secure)	Yes	Patent pending?	1 Key Gen (needs domain params)	1 SVD, 1KDF		1 MAC, 1 SymE	1 SVD, 1 KDF, 1 MAC, 1 SymE	Optional params
ElGamal (with no message formatting)	No	No	No inventor patent	1 Key gen (needs domain params)	1 SVD		1 combine	1 SVD, 1 combine.		Public domain since 1984
ElGamal (with OAEP message formatting)	Yes, under RO, DH, RNG	Yes	No inventor patent	1 Key gen (needs domain params)	1 SVD	1 message format	1 combine	1 SVD, 1 combine, 1 check format.
PSEC - 1	Yes, under RO, DH	No	Royalty free				1 Hash, 1 SVD, 1 Exp, 1 XOR	1 comp,1 Hash, 1 SVD, 1 Exp, 1 XOR		RNG failure
PSEC - 2	Yes, under RO, DH, SymE, RNG	Yes	Royalty free	1 KDF			1 Hash, 1 SVD, 1 Exp, 1 XOR, 1 SymE	1 KDF, 1 comp,1 Hash, 1 SVD, 1 Exp, 1 XOR, 1 SymE
IBM Swizzle	Dispute	Yes	Patented	Depends on encryption scheme		1 message format	Typically 1 key gen, 1 SVD, 1 combine	1 key gen, 1 SVD, 1 combine, 1 check format.