Elliptic curve Diffie–Hellman: Wikis

Note: Many of our articles have direct quotes from sources you can cite, within the Wikipedia article! This article doesn't yet, but we're working on it! See more info or our list of citable articles.

Encyclopedia

Updated live from Wikipedia, last check: June 20, 2013 06:21 UTC (44 seconds ago)

Elliptic curve Diffie–Hellman (ECDH) is a key agreement protocol that allows two parties, each having an elliptic curve public-private key pair, to establish a shared secret over an insecure channel.[1][2] This shared secret may be directly used as a key, or better yet, to derive another key which can then be used to encrypt subsequent communications using a symmetric key cipher. It is a variant of the Diffie–Hellman protocol using elliptic curve cryptography.

Key establishment protocol

Suppose Alice wants to establish a shared key with Bob, but the only channel available for them may be eavesdropped by a third party. Initially, the domain parameters (that is (p,a,b,G,n, h) in the prime case or (m,f(x),a,b, G,n,h) in the binary case) must be agreed upon. Also, each party must have a key pair suitable for elliptic curve cryptography, consisting of a private key d (a randomly selected integer in the interval [1,n − 1]) and a public key Q (where Q = dG). Let Alice's key pair be (dA,Q A) and Bob's key pair be (dB,Q B). Each party must have the other party's public key (an exchange must occur).

Alice computes (xk,y k) = dAQB. Bob computes k = dBQA. The shared key is xk (the x coordinate of the point).

The number calculated by both parties is equal, because dAQB = dAdBG = dBdAG = dBQA.

The protocol is secure because nothing is disclosed (except for the public keys, which are not secret), and no party can derive the private key of the other unless it can solve the Elliptic Curve Discrete Logarithm Problem.

The public keys are either static (and trusted, say via a certificate) or ephemeral. Ephemeral keys are not necessarily authenticated, so if authentication is wanted, it has to be obtained by other means. Static public keys provide neither forward secrecy nor key-compromise impersonation resilience, among other advanced security properties. Holders of static private keys should validate the other public key, and should apply a secure key derivation function to the raw Diffie–Hellman shared secret to avoid leaking information about the static private key. For schemes with more advanced security properties see ECMQV.

References

1. ^ NIST, Special Publication 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, March, 2006.
2. ^ Certicom Research, Standards for efficient cryptography, SEC 1: Elliptic Curve Cryptography, Version 1.0, September 20, 2000.