Elliptic-curve Diffie–Hellman (ECDH) is a key agreement protocol that allows two parties, each having an elliptic-curve public–private key pair, to establish a shared secret over an insecure channel.
The following example illustrates how a shared key is established.
Suppose Alice wants to establish a shared key with Bob, but the only channel available for them may be eavesdropped by a third party.
Also, each party must have a key pair suitable for elliptic curve cryptography, consisting of a private key
(a randomly selected integer in the interval
) and a public key represented by a point
Most standardized protocols based on ECDH derive a symmetric key from
The shared secret calculated by both parties is equal, because
Bob's private key is similarly secure.
No party other than Alice or Bob can compute the shared secret, unless that party can solve the elliptic curve Diffie–Hellman problem.
The public keys are either static (and trusted, say via a certificate) or ephemeral (also known as ECDHE, where the final 'E' stands for "ephemeral").
If at least one of Alice's or Bob's public keys is static, then man-in-the-middle attacks are thwarted.
Static public keys provide neither forward secrecy nor key-compromise impersonation resilience, among other advanced security properties.
If Alice maliciously chooses invalid curve points for her key and Bob does not validate that Alice's points are part of the selected group, she can collect enough residues of Bob's key to derive his private key.
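The public-key validation that defeats the invalid-curve attack described above, as an added example that is not part of the original article: a toy ECDH exchange on the textbook curve y² = x³ + x + 1 over F₂₃ (constructed, far too small for real use), where `ecdh_shared` refuses any peer key that is not a point of the curve before multiplying by the private scalar. Names, the curve and the private keys are all constructed for this illustration.

```python
# Toy ECDH with peer-key validation on y^2 = x^3 + x + 1 over F_23.
# Constructed example: the curve and scalars are far too small for real use.
P_MOD, A, B = 23, 1, 1          # field prime and curve coefficients
G = (3, 10)                     # base point; the curve has 28 points in total

def is_on_curve(pt):
    """The check that defeats invalid-curve attacks: the peer's key must satisfy the curve equation."""
    if pt is None:              # the point at infinity is never an acceptable peer key
        return False
    x, y = pt
    in_field = 0 <= x < P_MOD and 0 <= y < P_MOD
    return in_field and (y * y - (x * x * x + A * x + B)) % P_MOD == 0

def point_add(p, q):
    """Affine group law; None represents the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                          # P + (-P) = O, also covers doubling a 2-torsion point
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)          # chord slope
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def scalar_mult(k, pt):
    """Double-and-add k*pt (not constant-time; illustration only)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def ecdh_shared(my_priv, peer_pub):
    """Validate the peer's public key, then return the shared point my_priv * peer_pub."""
    if not is_on_curve(peer_pub):
        raise ValueError("peer public key is not on the curve")
    return scalar_mult(my_priv, peer_pub)

if __name__ == "__main__":
    a, b = 5, 11                              # constructed private keys for Alice and Bob
    pub_a, pub_b = scalar_mult(a, G), scalar_mult(b, G)
    assert ecdh_shared(a, pub_b) == ecdh_shared(b, pub_a)
    print("shared point:", ecdh_shared(a, pub_b))
```

A real implementation would additionally check that the point lies in the prime-order subgroup (or clear the cofactor) and would feed the shared point's x-coordinate into a key derivation function rather than using it directly.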
Several TLS libraries were found to be vulnerable to this attack.[4]
The shared secret is uniformly distributed on a subset of
The Montgomery form elliptic curve
Under a suitably defined addition operation,
For more extensive discussions of Montgomery curves and their arithmetic one may follow.[5][6][7]
For computational efficiency, it is preferable to work with projective coordinates.
The projective form of the Montgomery curve
Following Miller,[10] Montgomery[5] and Bernstein,[9] the Diffie–Hellman key agreement can be carried out on a Montgomery curve as follows.
be a generator of a prime order subgroup of
The shared secret key of Alice and Bob is
Using classical computers, the best known method of obtaining[11]
The best-known example of a Montgomery curve is Curve25519, which was introduced by Bernstein.
The other Montgomery curve that is part of TLS 1.3 is Curve448, which was introduced by Hamburg.
A pair of Montgomery curves named M[4698] and M[4058], competitive with Curve25519 and Curve448 respectively, have been proposed in.
At the 256-bit security level, three Montgomery curves named M[996558], M[952902] and M[1504058] have been proposed in.
Apart from these two, other proposals of Montgomery curves can be found at.