Elliptic-curve Diffie–Hellman
   HOME

TheInfoList



Click Here for Items Related To - Elliptic-curve Diffie–Hellman
OR:
Elliptic-curve Diffie–Hellman on:   [Wikipedia]   [Google]   [Amazon]

Elliptic-curve Diffie–Hellman (ECDH) is a
key agreement In cryptography, a key-agreement protocol is a protocol whereby two or more parties can agree on a key in such a way that both influence the outcome. If properly done, this precludes undesired third parties from forcing a key choice on the agreeing ...
protocol that allows two parties, each having an elliptic-curve public–private key pair, to establish a
shared secret In cryptography, a shared secret is a piece of data, known only to the parties involved, in a secure communication. This usually refers to the key of a symmetric cryptosystem. The shared secret can be a password, a passphrase, a big number, or a ...
over an
insecure channel In cryptography, a secure channel is a means of data transmission that is resistant to overhearing and tampering. A confidential channel is a means of data transmission that is resistant to overhearing, or eavesdropping (e.g., reading the conten ...
. This shared secret may be directly used as a key, or to derive another key. The key, or the derived key, can then be used to encrypt subsequent communications using a symmetric-key cipher. It is a variant of the Diffie–Hellman protocol using
elliptic-curve cryptography Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC allows smaller keys compared to non-EC cryptography (based on plain Galois fields) to provide e ...
.


Key establishment protocol

The following example illustrates how a shared key is established. Suppose Alice wants to establish a shared key with
Bob Bob, BOB, or B.O.B. may refer to: Places * Mount Bob, New York, United States *Bob Island, Palmer Archipelago, Antarctica People, fictional characters, and named animals *Bob (given name), a list of people and fictional characters *Bob (surname ...
, but the only channel available for them may be eavesdropped by a third party. Initially, the domain parameters (that is, (p, a, b, G, n, h) in the prime case or (m, f(x), a, b, G, n, h) in the binary case) must be agreed upon. Also, each party must have a key pair suitable for elliptic curve cryptography, consisting of a private key d (a randomly selected integer in the interval , n-1/math>) and a public key represented by a point Q (where Q = d \cdot G, that is, the result of adding G to itself d times). Let Alice's key pair be (d_\text, Q_\text) and Bob's key pair be (d_\text, Q_\text). Each party must know the other party's public key prior to execution of the protocol. Alice computes point (x_k, y_k) = d_\text \cdot Q_\text. Bob computes point (x_k, y_k) = d_\text \cdot Q_\text. The shared secret is x_k (the ''x'' coordinate of the point). Most standardized protocols based on ECDH derive a symmetric key from x_k using some hash-based key derivation function. The shared secret calculated by both parties is equal, because d_\text \cdot Q_\text = d_\text \cdot d_\text \cdot G = d_\text \cdot d_\text \cdot G = d_\text \cdot Q_\text. The only information about her key that Alice initially exposes is her public key. So, no party except Alice can determine Alice's private key (Alice of course knows it by having selected it), unless that party can solve the elliptic curve
discrete logarithm In mathematics, for given real numbers ''a'' and ''b'', the logarithm log''b'' ''a'' is a number ''x'' such that . Analogously, in any group ''G'', powers ''b'k'' can be defined for all integers ''k'', and the discrete logarithm log''b' ...
problem. Bob's private key is similarly secure. No party other than Alice or Bob can compute the shared secret, unless that party can solve the elliptic curve
Diffie–Hellman problem The Diffie–Hellman problem (DHP) is a mathematical problem first proposed by Whitfield Diffie and Martin Hellman in the context of cryptography. The motivation for this problem is that many security systems use one-way functions: mathematical o ...
. The public keys are either static (and trusted, say via a certificate) or ephemeral (also known as ECDHE, where final 'E' stands for "ephemeral"). Ephemeral keys are temporary and not necessarily authenticated, so if authentication is desired, authenticity assurances must be obtained by other means. Authentication is necessary to avoid man-in-the-middle attacks. If one of either Alice's or Bob's public keys is static, then man-in-the-middle attacks are thwarted. Static public keys provide neither
forward secrecy In cryptography, forward secrecy (FS), also known as perfect forward secrecy (PFS), is a feature of specific key agreement protocols that gives assurances that session keys will not be compromised even if long-term secrets used in the session key ...
nor key-compromise impersonation resilience, among other advanced security properties. Holders of static private keys should validate the other public key, and should apply a secure
key derivation function In cryptography, a key derivation function (KDF) is a cryptographic algorithm that derives one or more secret keys from a secret value such as a master key, a password, or a passphrase using a pseudorandom function (which typically uses a crypto ...
to the raw Diffie–Hellman shared secret to avoid leaking information about the static private key. For schemes with other security properties, see
MQV MQV (Menezes–Qu–Vanstone) is an authenticated protocol for key agreement based on the Diffie–Hellman scheme. Like other authenticated Diffie–Hellman schemes, MQV provides protection against an active attacker. The protocol can be modifi ...
. If Alice maliciously chooses invalid curve points for her key and Bob does not validate that Alice's points are part of the selected group, she can collect enough residues of Bob's key to derive his private key. Several TLS libraries were found to be vulnerable to this attack. While the shared secret may be used directly as a key, it can be desirable to hash the secret to remove weak bits due to the Diffie–Hellman exchange.


Software

*
Curve25519 In cryptography, Curve25519 is an elliptic curve used in elliptic-curve cryptography (ECC) offering 128 bits of security (256-bit key size) and designed for use with the elliptic curve Diffie–Hellman (ECDH) key agreement scheme. It is one of t ...
is a popular set of elliptic curve parameters and reference implementation by Daniel J. Bernstein in C. Bindings and alternative implementations are also available. * LINE messenger app has used the ECDH protocol for its "Letter Sealing"
end-to-end encryption End-to-end encryption (E2EE) is a system of communication where only the communicating users can read the messages. In principle, it prevents potential eavesdroppers – including telecommunications service providers, telecom providers, Internet ...
of all messages sent through said app since October 2015. *
Signal Protocol The Signal Protocol (formerly known as the TextSecure Protocol) is a non- federated cryptographic protocol that can be used to provide end-to-end encryption for voice calls and instant messaging conversations. The protocol was developed by Open ...
uses ECDH to obtain post-compromise security. Implementations of this protocol are found in
Signal In signal processing, a signal is a function that conveys information about a phenomenon. Any quantity that can vary over space or time can be used as a signal to share messages between observers. The ''IEEE Transactions on Signal Processing'' ...
,
WhatsApp WhatsApp (also called WhatsApp Messenger) is an internationally available freeware, cross-platform, centralized instant messaging (IM) and voice-over-IP (VoIP) service owned by American company Meta Platforms (formerly Facebook). It allows us ...
,
Facebook Messenger Messenger is a proprietary instant messaging app and platform developed by Meta Platforms. Originally developed as Facebook Chat in 2008, the company revamped its messaging service in 2010, released standalone iOS and Android apps in 2011, and ...
and
Skype Skype () is a proprietary telecommunications application operated by Skype Technologies, a division of Microsoft, best known for VoIP-based videotelephony, videoconferencing and voice calls. It also has instant messaging, file transfer, deb ...
.


See also

*
Diffie–Hellman key exchange Diffie–Hellman key exchangeSynonyms of Diffie–Hellman key exchange include: * Diffie–Hellman–Merkle key exchange * Diffie–Hellman key agreement * Diffie–Hellman key establishment * Diffie–Hellman key negotiation * Exponential key exc ...
*
Forward secrecy In cryptography, forward secrecy (FS), also known as perfect forward secrecy (PFS), is a feature of specific key agreement protocols that gives assurances that session keys will not be compromised even if long-term secrets used in the session key ...


References

{{DEFAULTSORT:Elliptic curve Diffie-Hellman Key-agreement protocols Elliptic curve cryptography