
In an OpenVPN connection, I would like to use an elliptic curve, but I don't know what the difference between EC and ED is. Which is better?

Also, in some documents I read that ECDH exists, which, if I am not wrong, is the combination of elliptic curves with Diffie-Hellman. But I am not sure if ECDH is the same as EC. If it is not the same, does EC not need a DH file? If they are not the same, is ECDH better than EC?

And if EC is different from ED, does ED need a DH file?

In summary, I would like to know the difference between the different algorithms and which is better.

Thanks.

  • OpenVPN documentation suggests you can have ECDH either with or without DH parameters; what is best is best left to your specific security protocols and requirements.
    – Ramhound
    Commented May 9 at 7:47

1 Answer


In an OpenVPN connection, I would like to use an elliptic curve, but I don't know what the difference between EC and ED is. Which is better?

By itself "ED" is not a separate thing – it's part of EC.

  • In general it's an abbreviation of "twisted Edwards curve", technically just another form of an elliptic curve (the 'EC'), one that apparently has fewer pitfalls than the other types. Curve25519 is the usual example.

  • In the context of signatures, "EdDSA" is a signature scheme designed for use with Edwards curves that's quite different from the traditional "ECDSA" signatures – again, more robust than ECDSA, I believe – but it still is a form of EC cryptography nevertheless.

    As far as I know, both ECDSA and EdDSA are secure when used correctly; it's more that ECDSA is very easy for the programmer to get wrong. (For example, each ECDSA signature needs random or otherwise unique data added; that has led to many mistakes in the past, including the one in PuTTY two weeks ago.)

    However, only certain curves can be used with EdDSA (e.g. it's not possible to use EdDSA with P-256; that curve has to be used with traditional ECDSA).

  • There's no "EdDH" as the same ECDH is used with both Curve25519 (usually called "X25519" in that context) as it is with other EC curves.

  • "Ed25519" officially means "EdDSA with Curve25519", although sometimes it also refers to X25519 (which is ECDH with Curve25519) as well.

So if you're looking at this in the context of signatures (e.g. certificate signatures or handshake signatures), then "EdDSA with Ed25519" is a little bit better than "ECDSA with P-256", although probably not by much.

In the context of DH key exchange, similarly, "ECDH with X25519" is probably a little better than "ECDH with P-256".

Also, in some documents I read that ECDH exists, which, if I am not wrong, is the combination of elliptic curves with Diffie-Hellman. But I am not sure if ECDH is the same as EC. If it is not the same, does EC not need a DH file? If they are not the same, is ECDH better than EC?

They are not comparable things:

  • EC is the general concept (elliptic curve cryptography);
  • ECDH is a specific usage of EC to implement DH.

(Similarly, ECDSA and EdDSA are uses of EC to implement digital signatures; ECIES is a use of EC to implement encryption; etc.)

Does EC not need a DH file?

ECDH doesn't need to pre-generate a parameter file because it is typically used with a specific curve, and the curve itself is the "parameter" that both sides already know by name.

(But traditional DH is sometimes used that way, too – there are a few sets of pre-generated DH parameters, such as the IPsec 'Oakley' set from which "group 2" and "group 14" originally came.

If you've ever looked at SSH, it also uses a parameter file for "dh-group-exchange" – but it doesn't need one for "dh-group14", because that already refers to an agreed-upon set of parameters.)

  • It seems to me (as per the manual) that the dh option serves as sort of a fallback, i.e., if the cipher suite chosen does not support ECDH, or the SSL/TLS library does not support such a cipher suite, "traditional" DH will be used with the parameter file specified with the option. (And I guess if you have dh none, OpenVPN would avoid cipher suites that do not support ECDH, and if it can't or is instructed explicitly to use such a cipher suite, it will just error out?)
    – Tom Yan
    Commented May 9 at 8:44
  • Possibly – I assume it works like with any other TLS-based service. I know recent OpenSSL now has built-in DH parameters with SSL_CTX_set_dh_auto(), but OpenVPN doesn't seem to call that, so I'd assume dh none disables traditional DH completely. Commented May 9 at 8:48
