Re: Question about ECDH

I don't have any access to X9.62. I do have SEC 1
(http://www.secg.org/sec1-v2.pdf), which I think is supposed to be about the
same.

SEC 1 defines two different primitives for the ECDH shared secret, the
"Elliptic Curve Diffie-Hellman Primitive" and the "Elliptic Curve Cofactor
Diffie-Hellman Primitive". The shared secret for the first primitive is the
x coordinate of dQ while the shared secret for the second one is the x
coordinate of hdQ.

It seems that the RFC is using the first version of SEC 1. Does X9.62 have
both versions, too?

Finally, section 7.1 of the RFC
(https://tools.ietf.org/html/rfc6090#section-7.1) says that interoperation
with the IEEE standard requires (among other things) "prime curves with a
cofactor of 1", which would make both methods the same. Perhaps IEEE only
includes the cofactor version of the primitive.

I may have this wrong. I've just now gone over the two specifications and
haven't worked with group theory since grad school.

Charlie


On Mon, Jul 18, 2016 at 11:18 AM, Mark Watson <watsonm@netflix.com> wrote:

> All,
>
> I posed the following question on Issue 39 [1], but I'm forwarding it here
> in case it was not seen by everyone:
>
> I have a small difficulty in understanding how the operations defined in
> X9.62 are identical to those defined in RFC6090.
>
> An initial point of confusion is that X9.62 uses additive notation for the
> group operation of the Elliptic curve group and RFC6090 uses multiplicative
> notation, but that is not an issue.
>
> X9.62 defines the DH operation as *P = hdQ* and RFC6090 defines it as *secret
> = (g^k)^j* where:
>
>    - *Q* = *(g^k)* = Public Key (an elliptic curve point)
>    - *d* = *j* = Private Key (an integer)
>    - *P* = *secret* = the shared secret (an elliptic curve point)
>
> X9.62 defines scalar multiplication of a curve point as "repeated
> addition" by which I assume it means repeated application of the group
> operation. Although both specifications go into some detail as to the group
> operation, with different terms and notation, I'm prepared to believe it's
> exactly the same operation.
>
> Both specifications then use the x-coordinate of the output.
>
> The *h* term does not appear in the RFC6090 equation. It is the
> "co-factor" - the ratio of the order of the curve to the order of the curve
> group.
>
> Can someone explain this difference?
>
> (Note that I have a "working draft" copy of X9.62 so there is an outside
> chance I'm not looking at the exact final text).
>
>
> Thanks ... Mark
>
>
> [1] https://github.com/w3c/webcrypto/issues/39
>

Received on Tuesday, 19 July 2016 20:37:23 UTC
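
The two SEC 1 primitives discussed in this thread, as an added example that is not part of the original messages or of any of the cited specifications. The two toy curves, the key values and all function names are constructed for illustration (assumptions, and far too small for real use); the sketch shows that x(dQ) and x(hdQ) coincide when the cofactor h is 1 and differ when it is not.

```python
from collections import namedtuple

# y^2 = x^3 + a*x + b over F_p; G has prime order n; h is the cofactor.
Curve = namedtuple("Curve", "p a b G n h")
C1 = Curve(p=17, a=2, b=2, G=(5, 1), n=19, h=1)    # constructed toy curve, 19 points
C4 = Curve(p=23, a=1, b=1, G=(13, 16), n=7, h=4)   # constructed toy curve, 28 points

def curve_order(c):
    """Number of points on the curve, counted by brute force (plus infinity)."""
    return 1 + sum((y * y - x**3 - c.a * x - c.b) % c.p == 0
                   for x in range(c.p) for y in range(c.p))

def add(c, P, Q):
    """Group operation in additive notation; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % c.p == 0:
        return None                      # P + (-P), including doubling y = 0
    if P == Q:
        lam = (3 * x1 * x1 + c.a) * pow((2 * y1) % c.p, -1, c.p)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % c.p, -1, c.p)
    x3 = (lam * lam - x1 - x2) % c.p
    return x3, (lam * (x1 - x3) - y1) % c.p

def mul(c, k, P):
    """Scalar multiplication kP ("repeated addition") by double-and-add."""
    R = None
    while k:
        if k & 1:
            R = add(c, R, P)
        P = add(c, P, P)
        k >>= 1
    return R

def ecdh(c, d, Q):
    """Elliptic Curve Diffie-Hellman Primitive: x-coordinate of dQ."""
    return mul(c, d, Q)[0]

def ecdh_cofactor(c, d, Q):
    """Elliptic Curve Cofactor Diffie-Hellman Primitive: x-coordinate of hdQ."""
    return mul(c, c.h * d, Q)[0]
```

Both parties must use the same primitive: on the cofactor-4 curve the two variants give each side a consistent secret, but not the same secret as each other.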