> OpenSSL doesn't support it out of the box. What you're looking for
> is something akin to
> https://en.wikipedia.org/wiki/Integrated_Encryption_Scheme.

+1 on ECIES. If OpenSSL provided one additional, non-core feature, ECIES would be at the top of my list. It's hard to use incorrectly, and easy to use correctly. It's also IND-CCA2, which provides a number of desirable security properties.

In my day job, I recommend it whenever I come across a home-grown scheme rolled by the developers.

> Ladar Levison has written an implementation which uses OpenSSL as a
> backend. I tried finding it for you, but my connection (mobile, on
> train) is so bad that I couldn't be bothered to keep trying.
>

Speaking from experience, be careful of interop issues.

I know of two libraries that support ECIES out of the box. They are BouncyCastle and Crypto++.

In the past, BouncyCastle and Crypto++ could not interop even though they both claim to follow P1363. IEEE did not publish test vectors, so each library had a misinterpretation that ensured they did not interop.

Here were the issues for each library:

* BouncyCastle - Label should be 8 octets
* Crypto++ - Length of the label specified in bits

BouncyCastle fixed their issue in version 1.53 (about 2 months ago). Crypto++ is fixing their issue at 5.7 (in about 2 months).

If you need a "gold" standard, then use BouncyCastle's implementation, version 5.7 or above.

Jeff
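The interop failure described in the message above can be reproduced without either library. This is an added example, not code from the post, BouncyCastle or Crypto++: it assumes the ECIES tag is an HMAC over ciphertext || label || label-length field, and the three encoding names, the key and the ciphertext are constructed for illustration. The two non-conforming encodings are one reading of the two bullets (a field that is not 8 octets wide, a length that is not counted in bits).

```python
import hashlib
import hmac

# Constructed names: (width of the length field in octets, value counted in bits?)
ENCODINGS = {
    "8-octet/bits": (8, True),     # what both bullets in the message say is expected
    "4-octet/bits": (4, True),     # assumed variant: field is not 8 octets wide
    "8-octet/octets": (8, False),  # assumed variant: length counted in octets
}

def length_field(label, encoding):
    """Encode the label length the way the named variant would."""
    width, in_bits = ENCODINGS[encoding]
    value = len(label) * 8 if in_bits else len(label)
    return value.to_bytes(width, "big")

def make_tag(mac_key, ciphertext, label, encoding):
    """HMAC over the assumed layout: ciphertext || label || length field."""
    message = ciphertext + label + length_field(label, encoding)
    return hmac.new(mac_key, message, hashlib.sha256).digest()

def verify_tag(mac_key, ciphertext, label, tag, encoding):
    """Constant-time check of a received tag under the receiver's encoding."""
    expected = make_tag(mac_key, ciphertext, label, encoding)
    return hmac.compare_digest(expected, tag)

def interop_matrix(mac_key, ciphertext, label):
    """Map (sender encoding, receiver encoding) -> does the tag verify?"""
    matrix = {}
    for sender in ENCODINGS:
        tag = make_tag(mac_key, ciphertext, label, sender)
        for receiver in ENCODINGS:
            matrix[(sender, receiver)] = verify_tag(
                mac_key, ciphertext, label, tag, receiver)
    return matrix

if __name__ == "__main__":
    key = bytes(range(32))                        # constructed MAC key
    ct = bytes.fromhex("5ca1ab1e0ddba11f00dfeed")  if False else b"\x5c\xa1\xab\x1e" * 4  # constructed ciphertext
    for label in (b"session-1", b""):
        print("label =", label)
        for pair, ok in interop_matrix(key, ct, label).items():
            print("  %-16s -> %-16s %s" % (pair[0], pair[1], "ok" if ok else "MAC FAIL"))
```

With an empty label the bits and octets variants both encode a length of zero and verify against each other, so interop tests need a non-empty label to catch that mismatch.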