• 2025-04-30

ECDH parameters in TLS 1.3 – Elliptic Curves

8.5.7 ECDH parameters in TLS 1.3

Both server Alice and client Bob encode their ECDH parameters in the KeyShare structure, in the key_exchange opaque field of a KeyShareEntry. When elliptic curves secp256r1, secp384r1, or secp521r1 are used, the key_exchange field stores the serialized value of the UncompressedPointRepresentation structure shown in Listing 8.3.

Listing 8.3: Uncompressed elliptic curve point representation in TLS 1.3

struct {
   uint8 legacy_form = 4;
   opaque X[coordinate_length];
   opaque Y[coordinate_length];
} UncompressedPointRepresentation;

The variables X and Y in Listing 8.3 are the binary representations of the x coordinate and the y coordinate in network byte order. The size of the variables X and Y is determined by the parameters of the elliptic curve that Alice and Bob agreed upon.

As an example, if the curve used is secp256r1, then both X and Y use 32 octets, left-padded with zeros if necessary. For the secp384r1 curve, X and Y are 48 octets each, and for the secp521r1 curve, 66 octets each.

If Alice and Bob use one of the curves secp256r1, secp384r1, or secp521r1, they must validate each other’s public values. That is, Alice needs to verify that Bob’s public value βG is a valid point on the elliptic curve, and Bob must do the same for Alice’s public value αG. This includes the verification of the following for the public value:

  • It is not the identity element 𝕆 (that is, not the point at infinity)
  • It has the expected representation for its coordinates x and y in the underlying finite field
  • It is a point on the correct elliptic curve
  • It has the correct order

Altogether, the verification criteria ensure that the public values αG and βG are in the correct elliptic-curve subgroup and are not identity elements.
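
The checks listed above, written out in Python for secp256r1 as an added example (it is not code from the original text or from any TLS library). The names parse_and_validate, encode, is_valid and InvalidKeyShare are hypothetical, and the curve's base point G serves as constructed sample input.

```python
# Added example: validate a TLS 1.3 key_exchange value for secp256r1.
# Curve: y^2 = x^3 - 3x + B over GF(P), with P and B from the curve definition.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
B = 0x5ac635d8_aa3a93e7_b3ebbd55_769886bc_651d06b0_cc53b0f6_3bce3c3e_27d2604b
COORD_LEN = 32  # octets per coordinate on secp256r1

# Base point G of secp256r1, used here only as constructed sample input.
GX = 0x6b17d1f2_e12c4247_f8bce6e5_63a440f2_77037d81_2deb33a0_f4a13945_d898c296
GY = 0x4fe342e2_fe1a7f9b_8ee7eb4a_7c0f9e16_2bce3357_6b315ece_cbb64068_37bf51f5


class InvalidKeyShare(ValueError):
    """Raised when a peer's public value fails validation."""


def parse_and_validate(key_exchange: bytes) -> tuple[int, int]:
    """Return (x, y) if key_exchange is a valid secp256r1 public value."""
    # Fixed-size encoding: 1 octet legacy_form + X + Y. The identity element
    # has no encoding in this format, so it cannot pass this function.
    if len(key_exchange) != 1 + 2 * COORD_LEN:
        raise InvalidKeyShare("wrong length for secp256r1")
    if key_exchange[0] != 4:
        raise InvalidKeyShare("legacy_form must be 4 (uncompressed)")
    x = int.from_bytes(key_exchange[1:1 + COORD_LEN], "big")
    y = int.from_bytes(key_exchange[1 + COORD_LEN:], "big")
    # Coordinates must be canonical field elements in [0, P-1].
    if x >= P or y >= P:
        raise InvalidKeyShare("coordinate not reduced mod p")
    # Curve equation check: rejects points that lie on any other curve.
    if (y * y - (x * x * x - 3 * x + B)) % P != 0:
        raise InvalidKeyShare("point is not on secp256r1")
    # secp256r1 has cofactor 1 and prime group order, so every point that
    # passed the checks above already has the correct order.
    return x, y


def encode(x: int, y: int) -> bytes:
    """Serialize (x, y) as an UncompressedPointRepresentation."""
    return b"\x04" + x.to_bytes(COORD_LEN, "big") + y.to_bytes(COORD_LEN, "big")


def is_valid(key_exchange: bytes) -> bool:
    """Boolean wrapper around parse_and_validate."""
    try:
        parse_and_validate(key_exchange)
        return True
    except InvalidKeyShare:
        return False
```

A handshake implementation would run this check on the peer's key_exchange value before computing the shared secret and abort the handshake on failure.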

In contrast to previous TLS versions, TLS 1.3 does not allow you to negotiate the point format. This is a good example of how simplicity favors security: if only a single format is accepted, the risk of implementation bugs in the parser code is significantly reduced.
