scd: ECDH Support

NIIBE Yutaka gniibe at
Wed Dec 17 03:39:39 CET 2014

On 12/09/2014 04:27 PM, NIIBE Yutaka wrote:
> Here are changes to support ECDH by scdaemon.
> I tested this code with experimental version of Gnuk.  It takes about
> 0.6 second to decrypt for NIST P-256 (measured on host PC by gpg
> --decrypt).

And it works with Gnuk 1.1.4.

> I don't know if this protocol is good (or compatible) with existing
> smartcard/token/hsm.  In this implementation, scdaemon only computes
> [d]P (d: private key, P: point) to get shared point and does not
> compute AESWrap, following the protocol of gpg-agent.

It was around March 2013, when I wrote some code for scdaemon's
partial support of ECDH.  At that time, I thought it were card/token
which also computes AESWrap.  In the current implementation of GnuPG,
it's not even gpg-agent, but gpg frontend itself which does AESWrap.
So, the changes in the patch make sense.

Since March 2013, I haven't got any information about existing
card/hsm which supports C(1, 1, ECC CDH).  (While I know those which
support ECDSA.)  Speaking about situation in Japan, "Specifications of
ciphers in the e-Government Recommended Ciphers List" was published
(after I wrote code in 2013):
It only addresses C(2, 0, ECC CDH) (as the former version of 2003).

Given this situation, I think that this patch is relevant and it can
be a reference for those who want to implement ECC on their

More information about the Gnupg-devel mailing list