• 2025-04-30

Elliptic curve Diffie-Hellman in TLS 1.3 – Elliptic Curves

8.5.6 Elliptic curve Diffie-Hellman in TLS 1.3

If Alice and Bob use the ECDH key agreement with elliptic curves secp256r1, secp384r1, or secp521r1, they follow the ECKAS-DH1 scheme defined in the IEEE 1363-2000 standard and illustrated in Figure 8.11.

When using the ECKAS-DH1 scheme, Alice and Bob first agree on the secret value derivation primitive. The IEEE 1363-2000 standard defines two possible choices: Elliptic Curve Secret Value Derivation Primitive, Diffie-Hellman version (ECSVDP-DH) and Elliptic Curve Secret Value Derivation Primitive, Diffie-Hellman version with cofactor multiplication (ECSVDP-DHC).

Given a point G on an elliptic curve, ECSVDP-DH computes the shared secret value as follows:

  1. Take the secret random number α of one communicating party, say Alice, and the public key share βG of the other communicating party, say Bob, and compute an elliptic curve point P = α(βG).
  2. Terminate the protocol if P equals O, the point at infinity.
  3. Otherwise, output the x coordinate of P as the shared secret value.

In contrast, ECSVDP-DHC computes the shared secret value using the following steps:

  1. If Alice and Bob want the calculations to be compatible with ECSVDP-DH, compute an integer t = h⁻¹α (mod n). Otherwise, set t to one communicating party’s, say Alice’s, secret random number α. Here, n is the order of the group 𝔾 generated by the base point G, and h is the so-called cofactor of the elliptic curve, that is, the number of subgroups holding the points of the elliptic curve.
  2. Using the other communicating party’s, say Bob’s, public key share βG, compute an elliptic curve point P = ht(βG).
  3. Terminate the protocol if P equals O, the point at infinity.
  4. Otherwise, output the x coordinate of P as the shared secret value.

Next, Alice and Bob agree on the key derivation function. IEEE 1363-2000 specifies two possible choices: SHA-1 (which is no longer secure) and RIPEMD-160. With these two parameters set, Alice and Bob exchange their public key shares αG and βG, and use the selected secret value derivation primitive to compute the shared secret key.

Figure 8.11: ECKAS-DH1 key agreement scheme defined in the IEEE 1363-2000 standard

If Alice and Bob use the elliptic curves 25519 or 448, they compute αG and βG, respectively, and exchange these values in the KeyShareEntry.key_exchange structure. Here, G is the standard public base point on the elliptic curve chosen by them.

Next, Alice computes the shared secret value as α(βG) and Bob computes it as β(αG). The resulting value is used raw, without post-processing. However, Alice and Bob must verify that the computed Diffie-Hellman shared secret is not an all-zero value. If it is an all-zero value, they must immediately terminate the TLS session.
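The curve 25519 exchange and the all-zero check described above, as an added example that is not part of the original text. It is a pure-Python X25519 following the RFC 7748 Montgomery ladder (not constant-time, for study only); the names `x25519`, `shared_secret` and `demo` and the two secret values are constructed for illustration.

```python
# Added example: pure-Python X25519 (RFC 7748 ladder). Not constant-time.
import hmac

P = 2**255 - 19                      # field prime of curve 25519
G = (9).to_bytes(32, "little")       # standard public base point (u = 9)

def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication of the point with u-coordinate `u` by scalar `k`."""
    kb = bytearray(k)
    kb[0] &= 248; kb[31] &= 127; kb[31] |= 64            # clamp the scalar
    kn = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)  # top bit is ignored
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (kn >> t) & 1
        if swap ^ bit:                                   # conditional swap
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    # x2/z2 in the field; pow(0, P - 2, P) == 0, so z2 == 0 encodes as all zeros
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def shared_secret(own_secret: bytes, peer_share: bytes) -> bytes:
    """Raw shared secret, rejected if it is the all-zero value."""
    if len(peer_share) != 32:
        raise ValueError("malformed key share")
    secret = x25519(own_secret, peer_share)
    if hmac.compare_digest(secret, bytes(32)):
        raise ValueError("all-zero shared secret: terminate the TLS session")
    return secret                    # used raw, without post-processing

def demo():
    # Constructed secrets for Alice (alpha) and Bob (beta); use a CSPRNG in practice.
    alpha, beta = bytes(range(32)), bytes(range(32, 64))
    share_a, share_b = x25519(alpha, G), x25519(beta, G)   # alpha*G and beta*G
    return shared_secret(alpha, share_b), shared_secret(beta, share_a)

if __name__ == "__main__":
    a_view, b_view = demo()
    print("secrets match:", a_view == b_view)
```

A constructed key share of 32 zero bytes makes `shared_secret` raise, because the clamped scalar maps that input to the all-zero output the check is there to catch.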
