An Erlang native library implementing the ECIES (Elliptic Curve Integrated Encryption Scheme) public-key cryptography, providing elliptic curve encryption as an alternative to the deprecated crypto public_encrypt, private_decrypt functions.

The Erlang OTP team decided to deprecate several crypto module functions in OTP 27 (See functions deprecated in OTP 27). Notably, no alternatives were provided for two of them crypto:public_encrypt/4 and crypto:private_decrypt/4.

Some information about potential background of these deprecations can be found here.

It is worth mentioning that the above mentioned functions are RSA specific and cannot be used with Elliptic Curve cryptography anyway. In our projects we mainly use Elliptic Curve cryptography and we decided to share this small library for ECIES with the Erlang developers community.

We will be happy if you find it useful and use in your project. If you find any ideas for improvements or notice any missing functionality, please open an issue here; even better propose a Pull Request.

The API of library is simple:

• ecies:generate_key/0- can be used to generate public/private key pair
• ecies:public_encrypt/2 - for encrypting binary message with given public key
• ecies:private_decrypt/2 - for decrypting data using private key corresponding to public key used in public_encrypt

Example:

% Bob generates keys, and publish his public key
{BobPublicKey, BobPrivateKey} = ecies:generate_key(),
% Alice knowing Bob's public key encrypts a message for him
Data = ecies:public_encrypt(BobPublicKey, <<"top secret message">>),
% Bob is able to decrypt the message using his private key
<<"top secret message">> = ecies:private_decrypt(BobPrivateKey, Data).

In the above example the default params are used (as returned by ecies:default_params/0):

  #{
    curve    => secp256k1,
    cipher   => aes_256_cbc,
    kdf      => {kdf, sha256},      % ANSI-X9.63 key derivation
    mac      => {hmac, sha256, 256} % HMAC SHA256 with 256 bits (32 bytes) output
  }.

You can read or write keys in PEM format using function from ecies_pem module:

• ecies_pem:decode_public/1 - decodes a public key from the given "PUBLIC KEY" or "EC PRIVATE KEY" PEM format.
• ecies_pem:decode_private/1 - decodes a private key from the given "EC PRIVATE KEY" PEM format.
• ecies_pem:decode_keypair/1 - decodes both keys from the given "EC PRIVATE KEY" PEM format.
• ecies_pem:encode_public/1 - encodes a public key into "PUBLIC KEY" PEM format.
• ecies_pem:encode_private/1 - encodes a private key into "EC PRIVATE KEY" PEM format.
• ecies_pem:encode_keypair/1 - encodes both keys into "EC PRIVATE KEY" PEM format.

Example:

openssl ecparam -noout -genkey -conv_form compressed -name secp256k1 | tee private.pem

{ok, Pem} = file:read_file("private.pem"),
{Pub, Priv} = ecies_pem:decode_keypair(Pem),
Pub = ecies_pem:decode_public(Pem),
Priv = ecies_pem:decode_private(Pem),
file:write_file("public.pem", ecies_pem:encode_public(Pub)).

openssl ec -pubin -in public.pem -noout -text

Using ecies:generate_key/1, ecies:public_encrypt/3, ecies:private_decrypt/3 functions which accepts extra Params argument you can customize elliptic curve and algorithms used in all steps of encryption/decryption process.

There are a few library API functions that helps with customisation:

• ecies:default_params/0 - returns default set of params
• ecies:supports/1- which can be used to inspect lists of all supported curves, ciphers, hashs (digest types)

We also provide default params compatible with existing ECIES variants used in some other libraries.

• ecies_bitcore:default_params/0 - compatible with bitcore ECIES implementation
• ecies_geth:default_params/0, ecies_geth:params_from_curve/1 - compatible with ethereum's geth ECIES implementation
• ecies_electrum:default_params/0 - compatible with Electrum, Electron Cash and ElectrumSV ECIES implementation (see also here)

Example 1:

% Alice and Bob agrees on the following params
Params = #{
  curve  => x25519,         % Edwards curve 25519
  kdf    => {hkdf, sha256}, % HMAC-based Extract-and-Expand KDF with SHA256 hash
  cipher => aes_256_ctr,
  mac    => {hmac, sha256, 96} % HMAC with SHA256 and 96 bits output
},
  % Bob generates keys
{BobPublicKey, BobPrivateKey} = ecies:generate_key(Params),
% Alice knowing Bob's public key encrypts a message for him
Data = ecies:public_encrypt(BobPublicKey, <<"top secret message">>, Params),
% Bob is able to decrypt the message using his private key
<<"top secret message">> = ecies:private_decrypt(BobPrivateKey, Data, Params).

Example 2:

% Decrypting electrum compatible message
Params = ecies_electrum:default_params(),
PrivateKey = binary:decode_hex(<<"ee3231b5deea48b619814d72a6e1aa04a9f521df281afad5ada89f5393941b1c">>),
MessageBase64 = <<"QklFMQJdmY+9Ys1WjqANreLwXaau62N01r9lebJ9Rp7Az+XRMdNAVgg3J8EEVhni5gn2v+WOD59uDMDp0zY/xPT3IElReQo6XUCSMmgRgRtYl+TUEw==">>,
<<"hello world">> = ecies:private_decrypt(PrivateKey, MessageBase64, Params).

The list of all supported elliptic curves (curve param), ciphers (cipher param) and hash functions used by KDF and MAC algorithms can be obtained using ecies:supports/1 function:

-spec supports(hashs)  -> [digest_type()];
              (curves) -> [named_curve()];
              (ciphers) -> [cipher()];
              (cmac_ciphers) -> [cmac_cipher()];
              (aead_ciphers) -> [aead_cipher()].

For key derivation (kdf param) you can use:

-type kdf_type() :: {hkdf, digest_type()} | % HMAC-based Extract-and-Expand Key Derivation Function (HKDF)
                    {kdf, digest_type()}  | % ANSI-X9.63 KDF
                    {concat_kdf, digest_type()}  | % NIST SP 800-56 Concatenation Key Derivation Function (see section 5.8.1).
                    kdf_fun().
% Custom KDF function
-type kdf_fun()  :: fun((SharedKey :: binary(), Info :: binary(), Length :: pos_integer()) -> Result :: binary()).

For message authentication (mac param):

-type mac_type()    :: {hmac, digest_type(), mac_bits()} | % HMAC for given digest function with specified output bits
                       {cmac, cmac_cipher(), mac_bits()} | % CMAC with AES-*-CBC cipher and given output bits
                       {aead, mac_bits()}. % Special case when AES CCM/GCM ciphers are used to just specify tag output bits 
-type mac_bits()    :: pos_integer() | default. % default atom means output size equal to given mac key length

ecies library is MIT-licensed, as per LICENSE.md.