From: Charles Engelke <w3c@engelke.com>

Date: Tue, 19 Jul 2016 16:36:52 -0400

Message-ID: <CAFeVzdxh64aiMD6fLe1zm8LSoiL0oifTzzFPTe-eSkE9yPt_tQ@mail.gmail.com>

To: Mark Watson <watsonm@netflix.com>

Cc: "public-webcrypto@w3.org" <public-webcrypto@w3.org>

Date: Tue, 19 Jul 2016 16:36:52 -0400

Message-ID: <CAFeVzdxh64aiMD6fLe1zm8LSoiL0oifTzzFPTe-eSkE9yPt_tQ@mail.gmail.com>

To: Mark Watson <watsonm@netflix.com>

Cc: "public-webcrypto@w3.org" <public-webcrypto@w3.org>

I don't have any access to X9.62. I do have SEC 1 ( http://www.secg.org/sec1-v2.pdf), which I think is supposed to be about the same. SEC 1 defines two different primitives for the ECDH shared secret, the "Elliptic Curve Diffie-Hellman Primitive" and the "Elliptic Curve Cofactor Diffie-Hellman Primitive". The shared secret for the first primitive is the x coordinate of dQ while the shared secret for the second one is the x coordinate of hdQ. It seems that the RFC is using the first version of SEC 1. Does X9.62 have both versions, too? Finally, section 7.1 of the RFC ( https://tools.ietf.org/html/rfc6090#section-7.1) says that interoperation with the IEEE standard requires (among other things) "prime curves with a cofactor of 1", which would make both methods the same. Perhaps IEEE only includes the cofactor version of the primitive. I may have this wrong. I've just now gone over the two specifications and haven't worked with group theory since grad school. Charlie On Mon, Jul 18, 2016 at 11:18 AM, Mark Watson <watsonm@netflix.com> wrote: > All, > > I posed the following question on Issue 39 [1], but I'm forwarding it here > in case it was not seen by everyone: > > I have a small difficulty in understanding how the operations defined in > X9.62 are identical to those defined in RFC6090. > > An initial point of confusion is that X9.62 uses additive notation for the > group operation of the Elliptic curve group and RFC6090 uses multiplicative > notation, but that is not an issue. > > X9.62 defines the DH operation as *P = hdQ* and RFC6090 defines it as *secret > = (g^k)^j* where: > > - *Q* = *(g^k)* = Public Key (an elliptic curve point) > - *d* = *j* = Private Key (an integer) > - *P* = *secret* = the shared secret (an elliptic curve point) > > X9.62 defines scalar multiplication of a curve point as "repeated > addition" by which I assume it means repeated application of the group > operation. Although both specifications go into some detail as to the group > operation, with different terms and notation, I'm prepared to believe its > exactly the same operation. > > Both specifications then use the x-coordinate of the output. > > The *h* term does not appear in the RFC6090 equation. It is the > "co-factor" - the ratio of the order to the curve to the order of the curve > group. > > Can someone explain this difference ? > > (Note that I have a "working draft" copy of X9.62 so there is an outside > chance I'm not looking at the exact final text). > > > Thanks ... Mark > > > [1] https://github.com/w3c/webcrypto/issues/39 >Received on Tuesday, 19 July 2016 20:37:23 UTC

*
This archive was generated by hypermail 2.3.1
: Tuesday, 19 July 2016 20:37:23 UTC
*