2

I'm implementing ECDH key exchange in C# using the BouncyCastle library and I'm having a hard time understanding the elliptic curve side (FpCurve). 

FpCurve curve = new FpCurve(
    new BigInteger("883423532389192164791648750360308885314476597252960362792450860609699839"), // q
    new BigInteger("7fffffffffffffffffffffff7fffffffffff8000000000007ffffffffffc", 16), // a
    new BigInteger("6b016c3bdcf18941d0d654921475ca71a9db2fb27d1d37796185c2942c0a", 16)); // b

ECDomainParameters ecSpec = new ECDomainParameters(
    curve,
    curve.DecodePoint(Hex.Decode("020ffa963cdca8816ccc33b8642bedf905c3d358573d3f27fbbd3b3cb9aaaf")), // G
    new BigInteger("883423532389192164791648750360308884807550341691627752275345424702807307"), // n
    BigInteger.One); // h

I'm wondering if this is correct, what it means and why would this be static? What are these BigInteger values?

CodesInChaos
  • 25,121
  • 2
  • 90
  • 129
hobeau
  • 863
  • 1
  • 10
  • 11

1 Answers1

3

I am assuming you are throughly familiar with traditional Diffie-Hellman. If not, read up on it first.

For our purposes here, an elliptic curve is a curve whose points satisfy the equation $y^2=x^3+ax+b$. That right there tells you what $a$ and $b$ are, they are coefficients of the curve.

In elliptic curve cryptography, we need an algebraic group for a number of algorithms (such as Diffie-Hellman). For elliptic curves, we can get this by taking the curve equation above modulo a prime number (in this case the $q$ value in your code), i.e. $x$ and $y$ are elements of $\mathbb Z_q$, and the $+$ and $ยท$ operations are done in this field.

For diffie-hellman we need a point on the curve that can generate a very large subgroup (for more info see this question). That point is the $G$ in your code. $n$ is the order of the subgroup generated by $G$ and $h$ is the cofactor (basically it tells us how much smaller is the subgroup when compared to the original group, don't worry too much about this one).

The reason they are static is that they are public parameters. Think of regular diffie-hellman. There are typically numbers $p$ and $g$ which need to be known to both parties. $p$ describes the group we are working in $\mathbb{Z}_p^*$ (just like $q,a,b$ describe the elliptic curve group) and $g$ is the generator (as is $G$ for elliptic curves). In regular diffie-hellman $p$ and $g$ can be static in your code (otherwise the 2 parties have to agree upon the values some how).

You now know what the values are and why they can be static. So, are the values you've chosen correct? Well, where did they come from? There are a number of standard curves (for example FIPS 186-3). If I were you, I'd stick to recommended/standard curves.

Community
  • 1
mikeazo
  • 39,117
  • 9
  • 118
  • 183