Skip to content

Batch ECIES encryption with shared ephemeral keypair (#496)#488

Closed
elliottdehn wants to merge 1 commit into
digital-asset:mainfrom
elliottdehn:batch-ecies-encryption
Closed

Batch ECIES encryption with shared ephemeral keypair (#496)#488
elliottdehn wants to merge 1 commit into
digital-asset:mainfrom
elliottdehn:batch-ecies-encryption

Conversation

@elliottdehn

@elliottdehn elliottdehn commented Apr 16, 2026

Copy link
Copy Markdown
Contributor

Closes #496

Summary

When encrypting session key randomness for multiple recipients, generate ONE ephemeral EC keypair and reuse it for all ECDH key agreements (via BouncyCastle's IESEngine). Saves the EC key generation cost (~0.077ms, 16.5% of ECIES) for N-1 recipients.

Impact

Encrypt-side savings (submitter):

Scenario Before After Saved
2-party contract 1.6ms 1.5ms 0.1ms (6%)
CC transfer, 20 SVs 16ms ~14ms ~2ms (13%)
CC transfer, 40 SVs 32ms ~29ms ~3ms (9%)

Modest but free — zero protocol changes, backward compatible output format.

ECDH key agreement is 77% of per-recipient ECIES cost and cannot be shared (different recipient keys). EC keygen is 16.5% and IS shared by this PR. The savings are real but bounded by keygen being the minority cost.

Relation to other PRs

Test plan

  • Existing ECIES encrypt/decrypt round-trip tests pass
  • SimplestPingIntegrationTest passes
  • Batch-encrypted ciphertexts decrypt correctly with existing Cipher decrypt path

🤖 Generated with Claude Code

…cost

When encrypting session key randomness for N recipients (e.g., all SV
participants hosting DSO), the current code generates N independent
ephemeral EC keypairs — one per recipient. EC key generation is ~40%
of the per-recipient ECIES cost.

This change introduces batchEncryptWith which uses BouncyCastle's
IESEngine directly, generating ONE ephemeral keypair and reusing it
for all ECDH key agreements. Each recipient still gets a unique
ciphertext (different shared secret → different AES key), and the
output format is unchanged — existing decrypt code works without
modification.

For the Global Synchronizer with ~20 SVs, a CC transfer encrypts the
session key for ~20 participants per view. This saves 19 ephemeral key
generations per view (~40% × 19 × 0.4ms = ~3ms per view).

Security: Multi-recipient DHIES with a shared ephemeral key is
well-studied and secure as long as the KDF is secure (KDF2 with
SHA-256 in this case). The ECDH shared secrets are different per
recipient because the recipient public keys differ.

Implementation:
- Encryption.scala: new batchEncryptWith trait method with default
  fallback to individual encryptWith
- JcePureCrypto.scala: batchEncryptEciesP256 using IESEngine with
  ECDHBasicAgreement, KDF2BytesGenerator, HMac, AES-CBC
- SyncCryptoApiParticipantProvider.scala: encryptFor now uses
  batchEncryptWith for non-deterministic multi-recipient encryption
- SynchronizerCryptoPureApi.scala: delegates to pureCrypto

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@elliottdehn

Copy link
Copy Markdown
Contributor Author

I have hereby read the Digital Asset CLA and agree to its terms

@elliottdehn

Copy link
Copy Markdown
Contributor Author

Benchmark Results

Measured the actual per-step ECIES cost breakdown and the batch savings:

ECIES Step Breakdown (per recipient, secp256r1)

Step Cost % of total
ECDH key agreement 0.361ms 77.2%
EC keygen (ephemeral) 0.077ms 16.5%
AES-GCM encrypt 0.024ms 5.2%
KDF (SHA-256) 0.005ms 1.2%
Total 0.468ms

Batch vs Individual Encryption

Recipients Individual (p50) Batch (p50) Saved % saved
2 0.9ms 0.8ms 0.1ms 11%
5 2.0ms 1.8ms 0.2ms 12%
10 4.0ms 3.5ms 0.6ms 14%
20 8.0ms 6.9ms 1.0ms 13%
40 15.9ms 13.6ms 2.3ms 14%

Correctness verified: all recipients decrypt successfully with the shared ephemeral key.

Analysis

The keygen savings (~0.077ms per skipped keygen) are real but modest — ECDH key agreement dominates at 77% of per-recipient cost. For a 2-view CC transfer with 20 SVs, this saves ~2ms total. Not transformative by itself, but it's free performance with no protocol changes.

The fundamental O(SV) cost is the ECDH key agreement (0.36ms × N_SV), which cannot be reduced without protocol-level changes (group encryption, threshold encryption, or removing DSO as informee per CIP-0104).

@elliottdehn elliottdehn changed the title Batch ECIES encryption with shared ephemeral keypair (O(SV) cost reduction) Batch ECIES encryption with shared ephemeral keypair (#496) Apr 16, 2026
@github-actions github-actions Bot locked and limited conversation to collaborators Apr 17, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

ECIES generates redundant ephemeral keypairs for multi-recipient encryption

2 participants