Batch ECIES encryption with shared ephemeral keypair (#496)#488
Closed
elliottdehn wants to merge 1 commit into
Closed
Batch ECIES encryption with shared ephemeral keypair (#496)#488elliottdehn wants to merge 1 commit into
elliottdehn wants to merge 1 commit into
Conversation
…cost When encrypting session key randomness for N recipients (e.g., all SV participants hosting DSO), the current code generates N independent ephemeral EC keypairs — one per recipient. EC key generation is ~40% of the per-recipient ECIES cost. This change introduces batchEncryptWith which uses BouncyCastle's IESEngine directly, generating ONE ephemeral keypair and reusing it for all ECDH key agreements. Each recipient still gets a unique ciphertext (different shared secret → different AES key), and the output format is unchanged — existing decrypt code works without modification. For the Global Synchronizer with ~20 SVs, a CC transfer encrypts the session key for ~20 participants per view. This saves 19 ephemeral key generations per view (~40% × 19 × 0.4ms = ~3ms per view). Security: Multi-recipient DHIES with a shared ephemeral key is well-studied and secure as long as the KDF is secure (KDF2 with SHA-256 in this case). The ECDH shared secrets are different per recipient because the recipient public keys differ. Implementation: - Encryption.scala: new batchEncryptWith trait method with default fallback to individual encryptWith - JcePureCrypto.scala: batchEncryptEciesP256 using IESEngine with ECDHBasicAgreement, KDF2BytesGenerator, HMac, AES-CBC - SyncCryptoApiParticipantProvider.scala: encryptFor now uses batchEncryptWith for non-deterministic multi-recipient encryption - SynchronizerCryptoPureApi.scala: delegates to pureCrypto Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Contributor
Author
|
I have hereby read the Digital Asset CLA and agree to its terms |
Contributor
Author
Benchmark ResultsMeasured the actual per-step ECIES cost breakdown and the batch savings: ECIES Step Breakdown (per recipient, secp256r1)
Batch vs Individual Encryption
Correctness verified: all recipients decrypt successfully with the shared ephemeral key. AnalysisThe keygen savings (~0.077ms per skipped keygen) are real but modest — ECDH key agreement dominates at 77% of per-recipient cost. For a 2-view CC transfer with 20 SVs, this saves ~2ms total. Not transformative by itself, but it's free performance with no protocol changes. The fundamental O(SV) cost is the ECDH key agreement (0.36ms × N_SV), which cannot be reduced without protocol-level changes (group encryption, threshold encryption, or removing DSO as informee per CIP-0104). |
This was referenced Apr 16, 2026
3 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #496
Summary
When encrypting session key randomness for multiple recipients, generate ONE ephemeral EC keypair and reuse it for all ECDH key agreements (via BouncyCastle's
IESEngine). Saves the EC key generation cost (~0.077ms, 16.5% of ECIES) for N-1 recipients.Impact
Encrypt-side savings (submitter):
Modest but free — zero protocol changes, backward compatible output format.
ECDH key agreement is 77% of per-recipient ECIES cost and cannot be shared (different recipient keys). EC keygen is 16.5% and IS shared by this PR. The savings are real but bounded by keygen being the minority cost.
Relation to other PRs
Test plan
SimplestPingIntegrationTestpasses🤖 Generated with Claude Code