
Question about ECDH

From: Mark Watson <watsonm@netflix.com>
Date: Mon, 18 Jul 2016 08:18:39 -0700
Message-ID: <CAEnTvdAX7n1pA5gvaGVRLs_z8cuhQr+5S-A-2gDpyrJDoywm1Q@mail.gmail.com>
To: "public-webcrypto@w3.org" <public-webcrypto@w3.org>

I posed the following question on Issue 39 [1], but I'm forwarding it here
in case it was not seen by everyone:

I have a small difficulty in understanding how the operations defined in
X9.62 are identical to those defined in RFC6090.

An initial point of confusion is that X9.62 uses additive notation for the
group operation of the Elliptic curve group and RFC6090 uses multiplicative
notation, but that is not an issue.

X9.62 defines the DH operation as *P = hdQ* and RFC6090 defines it as
*secret = (g^k)^j* where:

   - *Q* = *(g^k)* = Public Key (an elliptic curve point)
   - *d* = *j* = Private Key (an integer)
   - *P* = *secret* = the shared secret (an elliptic curve point)

X9.62 defines scalar multiplication of a curve point as "repeated addition"
by which I assume it means repeated application of the group operation.
Although both specifications go into some detail as to the group operation,
with different terms and notation, I'm prepared to believe it's exactly the
same operation.

Both specifications then use the x-coordinate of the output.

The *h* term does not appear in the RFC6090 equation. It is the "co-factor"
- the ratio of the order of the curve to the order of the curve group.

Can someone explain this difference?

(Note that I have a "working draft" copy of X9.62 so there is an outside
chance I'm not looking at the exact final text).

Thanks ... Mark

[1] https://github.com/w3c/webcrypto/issues/39
Received on Monday, 18 July 2016 15:19:09 UTC
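
As an added illustration (not part of the original message or of either specification), the Python below computes both forms, RFC6090's secret = (g^k)^j and X9.62's P = hdQ, on two constructed toy curves, one with cofactor h = 1 and one with h = 4. The curve parameters, private keys and function names are assumptions chosen for the demonstration.

```python
# Added example: constructed toy curves y^2 = x^3 + a*x + b over F_p (far too small for real use).
INF = None  # point at infinity, the group identity

def add(P, Q, a, p):
    """The elliptic-curve group operation in affine coordinates."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                      # P + (-P), including doubling a point with y = 0
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, P, a, p):
    """k*P by double-and-add: "repeated addition" in X9.62, P^k in RFC6090 notation."""
    R = INF
    while k:
        if k & 1:
            R = add(R, P, a, p)
        P, k = add(P, P, a, p), k >> 1
    return R

def ecdh_demo(a, b, p, n, d_a=3, d_b=5):
    """Compare secret = d*Q with P = h*d*Q, where n is the prime subgroup order."""
    pts = [(x, y) for x in range(p) for y in range(p)
           if (y * y - x**3 - a * x - b) % p == 0]
    h = (len(pts) + 1) // n             # cofactor: curve order / subgroup order
    G = next(R for R in (mul(h, P, a, p) for P in pts) if R is not INF)  # order n
    T = next((R for R in (mul(n, P, a, p) for P in pts) if R is not INF), INF)
    Qa, Qb = mul(d_a, G, a, p), mul(d_b, G, a, p)       # the two public keys
    plain, cof = mul(d_a, Qb, a, p), mul(h * d_a, Qb, a, p)
    agree = plain == mul(d_b, Qa, a, p) and cof == mul(h * d_b, Qa, a, p)
    off = add(Qb, T, a, p)              # Qb plus a point whose order divides h
    return {"h": h, "plain": plain, "cofactor": cof, "agree": agree,
            "plain_off": mul(d_a, off, a, p),
            "cofactor_stable": cof == mul(h * d_a, off, a, p)}

if __name__ == "__main__":
    print(ecdh_demo(1, 6, 11, 13))      # 13 points, h = 1
    print(ecdh_demo(1, 1, 23, 7))       # 28 points, h = 4
```

With h = 1, as on the NIST curves P-256, P-384 and P-521, the two formulas give the same point. With h = 4 both parties still agree under either formula, the cofactor result is h times the plain one, and only the cofactor result is unchanged when the received point carries a component outside the order-n subgroup.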
