Asymmetric stream cipher with short plaintext => short ciphertext

I am looking for an asymmetric cipher which has the property that very short inputs result in very short outputs.

.NET's standard RSACryptoService seems to output a minimum of 128 bytes for any short plaintext, including the empty plaintext. Minimum supported BlockSize is 128 and the only supported Mode is CBC.

The perfect algorithm would not expand the plaintext at all, while providing the asymmetric property. Expected input size is 50-100 bytes, certainly never more than 150.


It is certainly possible to achieve your goals for the sizes you are interested in by using elliptic curve ElGamal encryption and variants. The Bouncycastle C# library is one option for implementation.

So for example by using the NIST P-256 curve you can encrypt 32 bytes of data and get a 64 byte result. If you use proper padding you can encrypt less data. I believe PGP once considered implementing this but I don't know if they ever did.


Asymmetric ciphers need long keys because there are many very powerful techniques for narrowing the key-space and the input-space. If, by seeing that you've sent a short encrypted message, I know that the plaintext is also short, then that further narrows the input-space. So if such a cipher exists, then it would by definition be unsafe to send short messages.


Asymmetric ciphers are extraordinarily slow. So slow as to be unusable, in practice, on anything but the smallest inputs. Symmetric ciphers, however, can be very fast.

The technique for using an asymmetric cipher is as follows:

  • using a cryptographically strong random number generator, create a secret key S
  • encrypt the data using a symmetric algorithm (e.g., AES-256-CBC) and key S
  • encrypt key S using an asymmetric algorithm (e.g., RSA) and key A of the key-pair
  • prepend the encrypted form of key S to the encrypted message

In other words, the message is encrypted with a random key using a symmetric algorithm, and then the random key is encrypted with one of the keys using an asymmetric algorithm.

You also have to take into account the IV and padding for the CBC mode, and you have to take into account the padding for the RSA. It adds up. Perfect algorithms require IVs and padding. Given that you have one IV, two paddings, and the random symmetric key (encrypted) to store along with the message (encrypted), the crypto stuff will have to take up space.
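The four steps listed in the answer above, as an added C# example that is not part of the original answer; it builds the message and prints its size for the plaintext lengths the question mentions. Assumptions made here and not taken from the page: .NET 6 or later, a 2048-bit RSA key, OAEP-SHA256 padding, and the illustrative names `HybridSizeDemo`, `Encrypt` and `Decrypt`.

```csharp
using System;
using System.Security.Cryptography;
static class HybridSizeDemo
{
    const int IvLen = 16; // AES block size in bytes
    // Output layout: RSA-OAEP(S) || IV || AES-256-CBC(plaintext)
    static byte[] Encrypt(RSA recipientPublicKey, byte[] plaintext)
    {
        using Aes aes = Aes.Create();
        aes.KeySize = 256;
        aes.Mode = CipherMode.CBC;       // no integrity: real use needs a MAC or an AEAD mode
        aes.Padding = PaddingMode.PKCS7;
        aes.GenerateKey();               // secret key S from the platform CSPRNG
        aes.GenerateIV();
        byte[] wrappedKey = recipientPublicKey.Encrypt(aes.Key, RSAEncryptionPadding.OaepSHA256);
        using ICryptoTransform enc = aes.CreateEncryptor();
        byte[] body = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        byte[] output = new byte[wrappedKey.Length + IvLen + body.Length];
        Buffer.BlockCopy(wrappedKey, 0, output, 0, wrappedKey.Length);
        Buffer.BlockCopy(aes.IV, 0, output, wrappedKey.Length, IvLen);
        Buffer.BlockCopy(body, 0, output, wrappedKey.Length + IvLen, body.Length);
        return output;
    }

    static byte[] Decrypt(RSA recipientPrivateKey, byte[] message)
    {
        int wrappedLen = recipientPrivateKey.KeySize / 8; // RSA ciphertext is modulus-sized
        int bodyOffset = wrappedLen + IvLen;
        using Aes aes = Aes.Create();
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        aes.Key = recipientPrivateKey.Decrypt(message[..wrappedLen], RSAEncryptionPadding.OaepSHA256);
        aes.IV = message[wrappedLen..bodyOffset];
        using ICryptoTransform dec = aes.CreateDecryptor();
        return dec.TransformFinalBlock(message, bodyOffset, message.Length - bodyOffset);
    }

    static void Main()
    {
        using RSA rsa = RSA.Create(2048); // constructed demo key pair
        foreach (int n in new[] { 1, 50, 100, 150 })
        {
            byte[] plaintext = RandomNumberGenerator.GetBytes(n); // constructed sample input
            byte[] message = Encrypt(rsa, plaintext);
            bool ok = CryptographicOperations.FixedTimeEquals(plaintext, Decrypt(rsa, message));
            Console.WriteLine($"{n,3} plaintext bytes -> {message.Length} message bytes, round trip ok: {ok}");
        }
    }
}
```

With these parameters every message carries a modulus-sized wrapped key (256 bytes) and a 16-byte IV before the CBC-padded body, so the fixed overhead exceeds the 50 to 150 byte plaintexts themselves.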


I don't think you can get a ciphertext noticeably smaller than the size of the key, and your keys for asymmetric crypto algorithms should probably be in the hundreds to thousands of bits. Can you not combine multiple things together and encrypt a bigger chunk?
