6

If two parties calculate an ECDH shared secret can they (with no security weakness) use this raw value directly as an encryption key, assuming the underlying key and ECDH sizes match?

Also, the situation I'm specifically looking at is using static ECC keys, not ephemeral ones, but I would also be curious if using the raw ECDH value for encryption may be OK when using ephemeral keys. I do understand that it is ~trivial to apply a KDF to the ECDH secret, but I am evaluating an existing system. The system uses p256r1 and is using the resulting x-coordinate as the shared secret.

otus

1 Answer

10

> If two parties calculate an ECDH shared secret can they (with no security weakness) use this raw value directly as an encryption key?

If the ECDH curve size is large enough, then yes, there is no immediate security weakness. It would cause the theoreticians heartburn (as the symmetric key is supposed to be chosen uniformly, and it isn't in this case); however, there is no practical way for an attacker to exploit this.

To give an example: suppose the ECDH is done over P256, and you use the x-coordinate as the shared secret; and you use that shared secret to key AES-256.

Then, the attacker knows that (approximately) half the possible AES-256 keys are impossible (as they cannot be the x-coordinate of a P256 point); however, there still are approximately $2^{255}$ possible values the key could be, and it would still be impractical to search over that large of a space.

poncho
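The following is an added example, not part of the original question or answer. It checks which 256-bit values can be the x-coordinate of a P-256 point (the "approximately half" figure in the answer) and shows the HKDF step the question mentions as the alternative to using the raw value. The function names and the `example-context` label are assumptions chosen for illustration, and the sample inputs are constructed.

```python
import hashlib
import hmac

# NIST P-256 (secp256r1) domain parameters: y^2 = x^3 - 3x + B (mod P)
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296  # base point x


def is_valid_x(x: int) -> bool:
    """True if some P-256 point has this x-coordinate."""
    if not 0 <= x < P:
        return False
    rhs = (pow(x, 3, P) - 3 * x + B) % P
    # Euler's criterion: rhs is a square mod P iff rhs^((P-1)/2) == 1 (or rhs == 0).
    return rhs == 0 or pow(rhs, (P - 1) // 2, P) == 1


def reachable_fraction(samples: int = 2000) -> float:
    """Fraction of pseudo-random 256-bit strings that could be a raw ECDH output."""
    hits = 0
    for i in range(samples):
        # Constructed candidates: SHA-256 of a counter, so the run is reproducible.
        candidate = int.from_bytes(hashlib.sha256(i.to_bytes(4, "big")).digest(), "big")
        hits += is_valid_x(candidate)
    return hits / samples


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract, then expand."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


if __name__ == "__main__":
    print("fraction of 256-bit values usable as an x-coordinate:", reachable_fraction())
    raw_x = GX.to_bytes(32, "big")  # stand-in for a raw shared secret (constructed)
    print("raw key    :", raw_x.hex())
    print("HKDF output:", hkdf_sha256(raw_x, b"", b"example-context").hex())
```

The sampled fraction comes out close to one half, which is the non-uniformity the answer describes. The HKDF output has no such structure.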