W3C home > Mailing lists > Public > public-webcrypto@w3.org > July 2016

Re: Question about ECDH

From: Mark Watson <watsonm@netflix.com>
Date: Tue, 19 Jul 2016 13:46:01 -0700
Message-ID: <CAEnTvdDa0qv8wkKyKu6gUoaf7w-SS5E41gGG28H-kgj4veUk0w@mail.gmail.com>
To: Charles Engelke <w3c@engelke.com>
Cc: "public-webcrypto@w3.org" <public-webcrypto@w3.org>
Hi Charles,

Thanks - that explanation makes sense: there are two ways to do ECDH
defined in SEC1, the RFC uses one of them and X9.62 uses the other and they
are the same for curves with cofactor 1.

So, then, can anyone tell me what is the co-factor of the curves we defined
in the WebCrypto specification ? If that is 1, then I am convinced that the
RFC and X9.62 are the same and we can safely switch.


On Tue, Jul 19, 2016 at 1:36 PM, Charles Engelke <w3c@engelke.com> wrote:

> I don't have any access to X9.62. I do have SEC 1 (
> http://www.secg.org/sec1-v2.pdf), which I think is supposed to be about
> the same.
> SEC 1 defines two different primitives for the ECDH shared secret, the
> "Elliptic Curve Diffie-Hellman Primitive" and the "Elliptic Curve Cofactor
> Diffie-Hellman Primitive". The shared secret for the first primitive is the
> x coordinate of dQ while the shared secret for the second one is the x
> coordinate of hdQ.
> It seems that the RFC is using the first version of SEC 1. Does X9.62 have
> both versions, too?
> Finally, section 7.1 of the RFC (
> https://tools.ietf.org/html/rfc6090#section-7.1) says that interoperation
> with the IEEE standard requires (among other things) "prime curves with a
> cofactor of 1", which would make both methods the same. Perhaps IEEE only
> includes the cofactor version of the primitive.
> I may have this wrong. I've just now gone over the two specifications and
> haven't worked with group theory since grad school.
> Charlie
> On Mon, Jul 18, 2016 at 11:18 AM, Mark Watson <watsonm@netflix.com> wrote:
>> All,
>> I posed the following question on Issue 39 [1], but I'm forwarding it
>> here in case it was not seen by everyone:
>> I have a small difficulty in understanding how the operations defined in
>> X9.62 are identical to those defined in RFC6090.
>> An initial point of confusion is that X9.62 uses additive notation for
>> the group operation of the Elliptic curve group and RFC6090 uses
>> multiplicative notation, but that is not an issue.
>> X9.62 defines the DH operation as *P = hdQ* and RFC6090 defines it as *secret
>> = (g^k)^j* where:
>>    - *Q* = *(g^k)* = Public Key (an elliptic curve point)
>>    - *d* = *j* = Private Key (an integer)
>>    - *P* = *secret* = the shared secret (an elliptic curve point)
>> X9.62 defines scalar multiplication of a curve point as "repeated
>> addition" by which I assume it means repeated application of the group
>> operation. Although both specifications go into some detail as to the group
>> operation, with different terms and notation, I'm prepared to believe its
>> exactly the same operation.
>> Both specifications then use the x-coordinate of the output.
>> The *h* term does not appear in the RFC6090 equation. It is the
>> "co-factor" - the ratio of the order to the curve to the order of the curve
>> group.
>> Can someone explain this difference ?
>> (Note that I have a "working draft" copy of X9.62 so there is an outside
>> chance I'm not looking at the exact final text).
>> Thanks ... Mark
>> [1] https://github.com/w3c/webcrypto/issues/39
Received on Tuesday, 19 July 2016 20:46:30 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 19 July 2016 20:46:31 UTC