3

I have been learning about the fundamentals of ECC and I'm a bit confused on this point: What makes up the public key in an ECC key exchange, and when is this public key generated?

In the video at https://www.youtube.com/watch?v=F3zzNa42-tQ and the StackOverflow Q&A "Basic explanation of Elliptic Curve Cryptography?", it is stated that the public key is generated when the key exchange takes place. The public keys are the Generator point "times" the private key of each party. Because the Generator point changes for each handshake, the public key must not be generated beforehand.

If this is the case, then what is the purpose of ever generating an ECC public key? For a project I am working on, it is necessary to generate a public key to be placed in a certificate signing request to connect with AWS. Also, there is openssl functionality for creating ECC public keys:

openssl ec -in ecc_private.pem -pubout -out ecc_public.pem

Is the word "public key" being loosely used? Are there multiple public keys?

Mike Edward Moras
Code Wiget

2 Answers

5

As already indicated in the other answer, $A$ and $B$ in the video are the public keys of Alice and Bob. The public keys are part of the key pair generation by each one of the parties, usually denoted $\operatorname{Gen}$. With ECC the keys can be generated from the private key at any time, as the public key is generated after the private key within the $\operatorname{Gen}$ function, namely by multiplying the private key value with the base point $G$.

The base point is part of the domain parameters agreed upon by client and server during the handshake and is not expected to change for ECDH. When performing ephemeral-ephemeral key agreement a key pair is regenerated by each party. In that case the key agreement does not perform authentication of any party as the public key cannot be trusted by the other party; authentication is performed separately. That authentication could be performed using any means, including ECDSA with a different, static key pair. In that case the static public key is commonly within a certificate signed by a certificate authority.

What you are generating is a static key which has the lifetime displayed in the certificate (after which it isn't trusted anymore, it doesn't self-destruct). That key is still just the private key $s$ multiplied with $G$ of the domain parameters. This is a deterministic calculation: there is therefore only one public key per key pair. The parameters used for this key can be different from the parameters used for the ephemeral key pair used for key agreement; the parameters are indicated by the encoding of the public key in the certificate.

So no, the term "public key" is not used "loosely" here.


There is also ephemeral-static and even static-static Diffie-Hellman, although neither of them is often used. In that case the static public keys can be part of a certificate and trusted. So the entities holding the static keys are then authenticated. A party with an ephemeral key pair isn't authenticated and may need to log in, in case it is a website user, for instance.

As indicated, this isn't used as much; ECDH certificates are not commonplace and static Diffie-Hellman doesn't offer forward secrecy - the session data will become known if the confidentiality of the static key is compromised.


You're generating a static key pair which can be used for authentication. When using an ECDHE ciphersuite you'll need to generate an ephemeral key pair as well, but this is hidden in the TLS implementation. Fortunately generating ECC key pairs is relatively fast: just randomization and point multiplication. This is one of the main benefits of using ECC.

Maarten Bodewes
1

With the notation of the video, $A = \alpha G$ is seen as the public key of Alice and $B = \beta G$ as the public key of Bob.

Alice computes the shared Diffie-Hellman key using her private key $\alpha$ and Bob's public key $B$ as $K = \alpha B$.

Bob does similarly using his private key $\beta$ and Alice's public key $A$ to get the shared Diffie-Hellman key $K = \beta A$.

It is easily verified that the shared key computed by Alice is the same as the one computed by Bob: $\alpha B = \beta A = (\alpha\beta)G$.

user94293