Elliptic Curve Diffie-Hellman (ECDH) Definition

Elliptic Curve Diffie-Hellman (ECDH) is a key exchange algorithm used in public key cryptography to allow two parties to establish a shared secret over an insecure communication channel.

ECDH works by each party generating a pair of public and private keys using elliptic curve cryptography. The public keys are exchanged, and each party combines the other party’s public key with its own private key to generate a shared secret that can be used for encryption and decryption of messages.

The security of ECDH is based on the computational difficulty of solving the discrete logarithm problem on elliptic curves. The strength of the algorithm depends on the size and choice of the elliptic curve, as well as the key size used for encryption.

ECDH is widely used in various applications, including secure messaging, virtual private networks, and digital signatures, among others.

Key establishment protocol

The following example illustrates how a shared key is established. Suppose Alice wants to establish a shared key with Bob, but the only channel available for them may be eavesdropped by a third party. Initially, the domain parameters (that is, $(p,a,b,G,n,h)$ in the prime case or $(m,f(x),a,b,G,n,h)$ in the binary case) must be agreed upon. Also, each party must have a key pair suitable for elliptic curve cryptography, consisting of a private key $d$ (a randomly selected integer in the interval $[1,n-1]$ ) and a public key represented by a point $Q$ (where $Q=d\cdot G$ , that is, the result of adding $G$ to itself $d$ times). Let Alice’s key pair be $(d_{\text{A}},Q_{\text{A}})$ and Bob’s key pair be $(d_{\text{B}},Q_{\text{B}})$ . Each party must know the other party’s public key prior to execution of the protocol.

Alice computes point $(x_{k},y_{k})=d_{\text{A}}\cdot Q_{\text{B}}$ . Bob computes point $(x_{k},y_{k})=d_{\text{B}}\cdot Q_{\text{A}}$ . The shared secret is $x_{k}$ (the x coordinate of the point). Most standardized protocols based on ECDH derive a symmetric key from $x_{k}$ using some hash-based key derivation function.

The shared secret calculated by both parties is equal, because $d_{\text{A}}\cdot Q_{\text{B}}=d_{\text{A}}\cdot d_{\text{B}}\cdot G=d_{\text{B}}\cdot d_{\text{A}}\cdot G=d_{\text{B}}\cdot Q_{\text{A}}$ .

The only information about her key that Alice initially exposes is her public key. So, no party except Alice can determine Alice’s private key (Alice of course knows it by having selected it), unless that party can solve the elliptic curve discrete logarithm problem. Bob’s private key is similarly secure. No party other than Alice or Bob can compute the shared secret, unless that party can solve the elliptic curve Diffie–Hellman problem.

The public keys are either static (and trusted, say via a certificate) or ephemeral (also known as ECDHE, where final ‘E’ stands for “ephemeral”). Ephemeral keys are temporary and not necessarily authenticated, so if authentication is desired, authenticity assurances must be obtained by other means. Authentication is necessary to avoid man-in-the-middle attacks. If one of either Alice’s or Bob’s public keys is static, then man-in-the-middle attacks are thwarted. Static public keys provide neither forward secrecy nor key-compromise impersonation resilience, among other advanced security properties. Holders of static private keys should validate the other public key, and should apply a secure key derivation function to the raw Diffie–Hellman shared secret to avoid leaking information about the static private key.

If Alice maliciously chooses invalid curve points for her key and Bob does not validate that Alice’s points are part of the selected group, she can collect enough residues of Bob’s key to derive his private key. Several TLS libraries were found to be vulnerable to this attack.

The shared secret is uniformly distributed on a subset of $[0,p)$ of size $(n+1)/2$ . For this reason, the secret should not be used directly as a symmetric key, but it can be used as entropy for a key derivation function.

Related Products

ACS Launches ACOS5-EVO Cryptographic Smart Card

Nick Schooler2023-03-13T14:16:26-07:00May 3rd, 2019|

HONG KONG, 3 May 2019 - Advanced Card Systems Ltd. (ACS), Asia Pacific's top supplier and one of the world's top 3 suppliers of PC-linked smart card readers (Source: Frost & Sullivan), introduces the ACOS5-EVO Cryptographic Smart

SPYRUS Announces Comprehensive HSM SDKs to Accelerate Development of Secure Internet of Things Solutions with Microsoft Azure IoT

Nick Schooler2023-03-13T14:17:01-07:00September 17th, 2018|

San Jose, CA – September 17, 2018, SPYRUS, Inc. today announced it has released a comprehensive set of core Internet of Things (IoT) operations Software Development Kits (SDKs) that support the seamless integration of our Rosetta Hardware Security Modules (HSMs)

Yubico Launches YubiHSM 2: The World’s Smallest and Best Price/Performance Hardware Security Module, Providing Root of Trust for Servers and Computing Devices

Nick Schooler2023-03-13T14:22:34-07:00October 31st, 2017|

PALO ALTO, CA – October 31, 2017 – Yubico, the leading provider of authentication and encryption hardware devices for the modern web, today launched the YubiHSM 2, a new, cost-effective Hardware Security Module (HSM) for servers and IoT gateways. The

SPYRUS collaborates with Microsoft to accelerate secure Internet of Things solutions

Nick Schooler2023-03-13T14:22:42-07:00September 25th, 2017|

San Jose, CA – September 25, 2017, SPYRUS, Inc. today announced it has joined Microsoft Azure Certified for Internet of Things (IoT), ensuring customers get secure IoT solutions up and running quickly with hardware and software

New Versions of VanDyke Software’s SecureCRT 8.0 and SecureFX 8.0 Feature an Updated User Interface and Enhanced Smart Card Support

Nick Schooler2023-03-13T14:27:07-07:00March 31st, 2016|

Albuquerque, N.M. (March 31, 2016) — VanDyke Software®, a developer of multi-platform secure terminal emulation, secure file transfer, and remote administration software, today released the newest official versions of SecureCRT® 8.0 SSH client and SecureFX® 8.0 secure file transfer client for

SecureCRT 8.0 and SecureFX 8.0 Beta Releases from VanDyke Software Introduce an Updated User Interface and Enhanced Smart Card Support

Nick Schooler2023-03-13T14:27:12-07:00January 28th, 2016|

Albuquerque, N.M. (January 28, 2016) — VanDyke Software®, a developer of multi-platform secure terminal emulation and secure file transfer software, today announced the beta releases of SecureCRT® 8.0 and SecureFX® 8.0. SecureCRT and SecureFX 8.0 (beta) feature an updated user interface

L Plus Hardware Security Module (HSM) Card

Categories: Authentication, Cryptography, Standards

Tags: ECDHE, ECDSA

« Back to Glossary Index

Key establishment protocol

Related Products

SentryCard Biometric Fingerprint Smart Card

HID OMNIKEY 5022 CL Desktop Contactless Smart Card Reader

HID OMNIKEY 5027 Contactless Smart Card Reader w/ Keyboard Wedge

HID OMNIKEY 5023 CL Desktop Contactless Smart Card Reader

Related Articles