Elliptic-curve Diffie–Hellman (ECDH) is akey agreement protocol that allows two parties, each having anelliptic-curve public–private key pair, to establish ashared secret over aninsecure channel.^[1][2][3] This shared secret may be directly used as a key, or toderive another key. The key, or the derived key, can then be used to encrypt subsequent communications using asymmetric-key cipher. It is a variant of theDiffie–Hellman protocol usingelliptic-curve cryptography.

The following example illustrates how a shared key is established. SupposeAlice wants to establish a shared key withBob, but the only channel available for them may be eavesdropped by a third party. Initially, thedomain parameters (that is,${\displaystyle (p,a,b,G,n,h)}$ in the prime case or${\displaystyle (m,f(x),a,b,G,n,h)}$ in the binary case) must be agreed upon. Also, each party must have a key pair suitable for elliptic curve cryptography, consisting of a private key${\displaystyle d}$ (a randomly selected integer in the interval${\displaystyle [1,n-1]}$) and a public key represented by a point${\displaystyle Q}$ (where${\displaystyle Q=d\cdot G}$, that is, the result ofadding${\displaystyle G}$ to itself${\displaystyle d}$ times). Let Alice's key pair be${\displaystyle (d_{\text{A}},Q_{\text{A}})}$ and Bob's key pair be${\displaystyle (d_{\text{B}},Q_{\text{B}})}$. Each party must know the other party's public key prior to execution of the protocol.

Alice computes point${\displaystyle (x_k,y_k)=d_{\text{A}}\cdot Q_{\text{B}}}$. Bob computes point${\displaystyle (x_k,y_k)=d_{\text{B}}\cdot Q_{\text{A}}}$. The shared secret is${\displaystyle x_k}$ (thex coordinate of the point). Most standardized protocols based on ECDH derive a symmetric key from${\displaystyle x_k}$ using some hash-based key derivation function.

The shared secret calculated by both parties is equal, because${\displaystyle d_{\text{A}}\cdot Q_{\text{B}}=d_{\text{A}}\cdot d_{\text{B}}\cdot G=d_{\text{B}}\cdot d_{\text{A}}\cdot G=d_{\text{B}}\cdot Q_{\text{A}}}$.

The only information about her key that Alice initially exposes is her public key. So, no party except Alice can determine Alice's private key (Alice of course knows it by having selected it), unless that party can solve the elliptic curvediscrete logarithm problem. Bob's private key is similarly secure. No party other than Alice or Bob can compute the shared secret, unless that party can solve the elliptic curveDiffie–Hellman problem.

The public keys are either static (and trusted, say via a certificate) or ephemeral (also known asECDHE, where final 'E' stands for "ephemeral").Ephemeral keys are temporary and not necessarily authenticated, so if authentication is desired, authenticity assurances must be obtained by other means. Authentication is necessary to avoidman-in-the-middle attacks. If one of either Alice's or Bob's public keys is static, then man-in-the-middle attacks are thwarted. Static public keys provide neitherforward secrecy nor key-compromise impersonation resilience, among other advanced security properties. Holders of static private keys should validate the other public key, and should apply a securekey derivation function to the raw Diffie–Hellman shared secret to avoid leaking information about the static private key. For schemes with other security properties, seeMQV.

If Alice maliciously chooses invalid curve points for her key and Bob does not validate that Alice's points are part of the selected group, she can collect enough residues of Bob's key to derive his private key. SeveralTLS libraries were found to be vulnerable to this attack.^[4]

The shared secret is uniformly distributed on a subset of${\displaystyle [0,p)}$ of size${\displaystyle (n+1)/2}$. For this reason, the secret should not be used directly as a symmetric key, but it can be used as entropy for a key derivation function.

Let${\displaystyle A,B\in F_p}$ such that${\displaystyle B(A^2-4)\ne 0}$. The Montgomery form elliptic curve${\displaystyle E_{M,A,B}}$ is the set of all${\displaystyle (x,y)\in F_p\times F_p}$ satisfying the equation${\displaystyle B{y}^2=x(x^2+Ax+1)}$ along with the point at infinity denoted as${\displaystyle \mathrm{\infty }}$. This is called the affine form of the curve. The set of all${\displaystyle F_p}$-rational points of${\displaystyle E_{M,A,B}}$, denoted as${\displaystyle E_{M,A,B}(F_p)}$ is the set of all${\displaystyle (x,y)\in F_p\times F_p}$ satisfying${\displaystyle B{y}^2=x(x^2+Ax+1)}$ along with${\displaystyle \mathrm{\infty }}$. Under a suitably defined addition operation,${\displaystyle E_{M,A,B}(F_p)}$ is a group with${\displaystyle \mathrm{\infty }}$ as the identity element. It is known that the order of this group is a multiple of 4. In fact, it is usually possible to obtain${\displaystyle A}$ and${\displaystyle B}$ such that the order of${\displaystyle E_{M,A,B}}$ is${\displaystyle 4q}$ for a prime${\displaystyle q}$. For more extensive discussions of Montgomery curves and their arithmetic one may follow.^[5][6][7]

For computational efficiency, it is preferable to work with projective coordinates. The projective form of the Montgomery curve${\displaystyle E_{M,A,B}}$ is${\displaystyle B{Y}^{2}Z=X(X^2+AXZ+Z^2)}$. For a point${\displaystyle P=[X:Y:Z]}$ on${\displaystyle E_{M,A,B}}$, the${\displaystyle x}$-coordinate map${\displaystyle x}$ is the following:^[7]${\displaystyle x(P)=[X:Z]}$ if${\displaystyle Z\ne 0}$ and${\displaystyle x(P)=[1:0]}$ if${\displaystyle P=[0:1:0]}$ .Bernstein^[8][9] introduced the map${\displaystyle x_0}$ as follows:${\displaystyle x_0(X:Z)=X{Z}^{p-2}}$ which is defined for all values of${\displaystyle X}$ and${\displaystyle Z}$ in${\displaystyle F_p}$. Following Miller,^[10] Montgomery^[5] and Bernstein,^[9] the Diffie-Hellman key agreement can be carried out on a Montgomery curve as follows. Let${\displaystyle Q}$ be a generator of a prime order subgroup of${\displaystyle E_{M,A,B}(F_p)}$. Alice chooses a secret key${\displaystyle s}$ and has public key${\displaystyle x_0(sQ)}$; Bob chooses a secret key${\displaystyle t}$ and has public key${\displaystyle x_0(tQ)}$. The shared secret key of Alice and Bob is${\displaystyle x_0(stQ)}$. Using classical computers, the best known method of obtaining${\displaystyle x_0(stQ)}$ from${\displaystyle Q,x_0(sQ)}$ and${\displaystyle x_0(tQ)}$ requires about${\displaystyle O(p^{1/2})}$ time using thePollards rho algorithm.^[11]

The most famous example of Montgomery curve isCurve25519 which was introduced by Bernstein.^[9] For Curve25519,${\displaystyle p=2^{255}-19,A=486662}$ and${\displaystyle B=1}$.The other Montgomery curve which is part of TLS 1.3 isCurve448 which was introducedby Hamburg.^[12] For Curve448,${\displaystyle p=2^{448}-2^{224}-1,A=156326}$ and${\displaystyle B=1}$. Couple of Montgomery curves named M[4698] and M[4058] competitive toCurve25519 andCurve448 respectively have been proposed in.^[13] For M[4698],${\displaystyle p=2^{251}-9,A=4698,B=1}$ and for M[4058],${\displaystyle p=2^{444}-17,A=4058,B=1}$. At 256-bit security level, three Montgomery curves named M[996558], M[952902] and M[1504058] have been proposed in.^[14] For M[996558],${\displaystyle p=2^{506}-45,A=996558,B=1}$, for M[952902],${\displaystyle p=2^{510}-75,A=952902,B=1}$ and for M[1504058],${\displaystyle p=2^{521}-1,A=1504058,B=1}$ respectively. Apart from these two, other proposals of Montgomery curves can be found at.^[15]

• Curve25519 is a popular set of elliptic curve parameters and reference implementation byDaniel J. Bernstein inC.Bindings and alternative implementations are also available.
• Curve448, an elliptic curve potentially offering 224 bits of security, developed by Mike Hamburg ofRambus Cryptography Research.
• LINE messenger app has used the ECDH protocol for its "Letter Sealing"end-to-end encryption of all messages sent through said app since October 2015.^[16]
• Signal Protocol uses ECDH to obtain post-compromise security. Implementations of this protocol are found inSignal,WhatsApp,Facebook Messenger andSkype.

• Elliptic-curve cryptography
• Diffie–Hellman key exchange
• Forward secrecy

• Key-agreement protocols
• Elliptic curve cryptography

• Webarchive template wayback links
• Articles with short description
• Short description is different from Wikidata