I made a simple Python 3.6 >= fork of this

[robertsdotpm]

Hello,

I'm in the process of adding a public-key encryption feature to a protocol that I'm building in Python. What I wanted to do with this was to select a library that was highly portable. What I've found is that while the established cryptography libraries in Python are good they tend to use C extensions which break across platforms. Using these C-based modules greatly reduces the portability of software that uses them.

At first I thought that I'd use RSA. RSA is simple but just because it's simple it doesn't mean it's good. Due to the way RSA works it means that there is a tendency to use arbitrary precision numbers to do the math. Unfortunately, this is vulnerable to the marvin attack in Python. https://people.redhat.com/~hkario/marvin/ So next I wanted to look at using ECC public key encryption but there doesn't seem to be pure Python implementations of such code. There are programs that can do signing for ECDSA but don't offer encryption.

Eventually I came across your library which is extremely elegant. It generates a shared secret based on elliptic curve operations on keys. Then it uses a symmetric encryption algorithm. The code for this is simple and well-written. But what I've found is that the library is not very portable. It references larger cryptography libraries and due to its reliance on newer language features in Python it wont work on older versions of Python. I decided I'd try to fork this and fix those issues. I first removed data classes and typing. The other major change I made was to use a different symmetric encryption algorithm.

The choice of AES-GCM is good but its implementation is massive and it's hard to do without introducing timing attacks. The choice of AES-GCM and XCHACHA20 were the main reasons for requiring the Crypto library dependency. So instead, I removed this code and replaced it with RC6 with CBC padding; I chose RC6 because it uses CPU operations that can be done in constant time which helps mitigate timing attacks (whether this translates to Python IDK.) I kept the original idea of authenticated messages by using HMAC codes which is important when using CBC padding. Though I don't know if I'm using everything correctly. I also replaced the original key derivation function so it uses the standard library. The result is a more portable version of the original library.

https://github.com/robertsdotpm/ecies

I haven't really updated comments or docs here. This isn't meant to be a serious fork but a quick hack. Tested working on 3.6.8 and 3.9.

[kigawas]

Thanks for adding a fork!

I don't know much about RC6 but chacha20 is also constant time without hardware acceleration.
It's also pretty well designed.

About HKDF implantation, you can find some test vectors on the web.

Another thing you may need to take care of is entropy when generating random bytes.