[Docs] [txt|pdf] [Tracker] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04

Internet Draft                                                   W. Ladd
<draft-ladd-safecurves-01.txt>                              Grad Student
Category: Informational                                      UC Berkeley
Expires 9 July 2014                                       8 January 2014

             Additional Elliptic Curves for IETF protocols
                     <draft-ladd-safecurves-01.txt>

Status of this Memo

   Distribution of this memo is unlimited.

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on 9 July 2014.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Abstract

   This internet draft contains curves whose Jacobians are groups over



Ladd, Watson              Expires 9 July 2014                   [Page 1]


Internet Draft              ladd-safecurves               8 January 2014


   which the Decisional Diffie-Hellman problem is hard, and which have
   implementation advantages.

















































Ladd, Watson              Expires 9 July 2014                   [Page 2]


Internet Draft              ladd-safecurves               8 January 2014


Table of Contents

   1. Introduction ....................................................3
   2. The curves ......................................................3
   3. Explicit Formulas ...............................................4
   4. Security Considerations .........................................4
   5. IANA Actions ....................................................5

1. Introduction

   This document contains a set of elliptic curves over prime fields
   with many security and performance advantages. They are twist-secure,
   have large prime order subgroups, high embedding degree, endomorphism
   rings of large discriminant, and primes of fast shapes.

   These curves have been generated in a rigid manner by computer
   search. As such there is very little risk that these curves were
   selected to exhibit weaknesses to attacks not in the open literature.
   The field is the only free choice, and in all circumstances has been
   picked to enable highly efficent arithemetic. Proofs of all
   properties claimed exist in [SAFECURVES].

2. The Curves

   Each curve is given by an equation and a basepoint, together with an
   order. All curves are elliptic. Validation information is given at
   [SAFECURVES]. The names given in this document indicate the family.
   The basepoint is given as an (x,y) ordered pair.

   Curve25519 is a curve over GF(2^255-19), formula y^2=x^3+486662x^2+x,
   basepoint (9, 147816194475895447910205935684099868872646
   06134616475288964881837755586237401), order 2^252 +
   27742317777372353535851937790883648493.

   E382 is a curve over GF(2^382-105), formula x^2+y^2=1-67254x^2y^2,
   basepoint (3914921414754292646847594472454013487047
   137431784830634731377862923477302047857640522480241
   298429278603678181725699, 17), order 2^380 -
   1030303207694556153926491950732314247062623204330168346855

   M383 is a curve over GF(2^383-187), formula y^2=x^3+2065150x^2+x,
   basepoint (12,
   473762340189175399766054630037590257683961716725770372563038
   9791524463565757299203154901655432096558642117242906494), order 2^380
   + 166236275931373516105219794935542153308039234455761613271

   Curve3617 is a curve over GF(2^414-17), formula x^2+y^2=1+3617x^2y^2,
   basepoint



Ladd, Watson              Expires 9 July 2014                   [Page 3]


Internet Draft              ladd-safecurves               8 January 2014


   (17319886477121189177719202498822615443556957307604340815256226
   171904769976866975908866528699294134494857887698432266169206165, 34),
   order 2^411 -
   33364140863755142520810177694098385178984727200411208589594759

   M511 is a curve over GF(2^511-187), formula y^2 = x^3+530438x^2+x,
   basepoint (5,
   25004106455650724233689811491392132522115686851736085900709792642
   48275228603899706950518127817176591878667784247582124505430745177
   116625808811349787373477), order 2^508 +
   107247547596357476240445315140681218420707566274348330289655408
   08827675062043

   E521 is a curve over GF(2^521-1), formula x^2+y^2=1-376014x^2y^2,
   basepoint
   (1571054894184995387535939749894317568645297350402905821437625
   18115230499438118852963259119606760410077267392791511426719338990
   5003276673749012051148356041324, 12), order 2^519 -
   3375547632585017057891076304187826360719049612140512266186351500
   85779108655765

3. Explicit Formulas

   On Montgomery curves, curves of the form y^2=x^3+Ax^2+x, the typical
   technique is to work over the Kummer curve instead, i.e. drop y
   coordinates for use in Diffie-Hellman. Let (X_1,Z_1), (X_2,Z_2),
   (X_3,Z_3) be coordinates such that X_i/Z_i is the x-coordinate of
   P_i, with P_i=[i]P_1 on the curve. Then
         X5 = Z1*((X3-Z3)*(X2+Z2)+(X3+Z3)*(X2-Z2))2
         Z5 = X1*((X3-Z3)*(X2+Z2)-(X3+Z3)*(X2-Z2))2
         X4 = (X2+Z2)2*(X2-Z2)2
         Z4 = (4*X2*Z2)*((X2-Z2)2+a24*(4*X2*Z2))

   gives X_i/Z_i as the x coordinate of P_i for i in {4,5} where
   a24*4=A+2

   On Edwards curves, curves of the form, x^2+y^2=1+dx^2y^2 a complete
   addition formula, which works for doubling as well, is given by
   representing points as x=Z/X, y=Z/Y. The formula for adding (X_1,
   Y_1, Z_1) to (X_2, Y_2, Z_2) yielding (X_3, Y_3, Z_3) is then
         A = Z1*Z2
         B = d*A2
         C = X1*X2
         D = Y1*Y2
         E = C*D
         H = C-D
         I = (X1+Y1)*(X2+Y2)-C-D
         X3 = c*(E+B)*H



Ladd, Watson              Expires 9 July 2014                   [Page 4]


Internet Draft              ladd-safecurves               8 January 2014


         Y3 = c*(E-B)*I
         Z3 = A*H*I

   These formulas are from the [EFD].

   Using these formulas the standard double-and-add or Montgomery ladder
   recurrence can be used to compute multiples of points.

   The Montgomery curve fromulas require only the x coordinate.
   Protocols based on ECDH should give strong consideration to
   transmitting only the x coordinate, in which case no validation is
   required. The above addition formulas cannot be used to add points on
   Montgomery curves, as they ignore the y coordinate entirely.

   It is highly recommended that Edwards curve points are transmitted in
   compressed form to avoid implementations with missing curve
   membership checks from working. The canonical compression is the y
   coordinate, followed by an indicator of the low bit of the x
   coordinate. Formulas for decompression are left as an exercise to the
   reader.

4. Security Considerations

   This entire document discusses methods of implementing cryptography
   securely. The time for an attacker to break the DLP on these curves
   is the square root of the group order with the best known attacks.
   These curves are twist-secure, avoiding the need for some checks in
   some protocols.

   It is recommended that implementors use the Montgomery ladder on
   Montgomery curves with x coordinate only to avoid side-channel
   attacks when Diffie-Hellman is being used. In this mode, curve checks
   are not required. Otherwise standard curve (but not group) membership
   checks are required for ECDH to be secure.

   These curves are complete, avoiding certain attacks against naive
   implementations of ECC protocols. They have cofactor greater than
   one, occasionally requiring slight adjustments to protocols.

   This is not an exhaustive discussion of security considerations
   relating to the implementation of these curves. Implementors must be
   familiar with cryptography to safely implement any cryptographic
   standard, and this standard is no exception.

4. IANA Considerations

   IANA should maintain a registry of these curves, calling them
   chicagocurve-XXXX where XXXX is the curve identifier.



Ladd, Watson              Expires 9 July 2014                   [Page 5]


Internet Draft              ladd-safecurves               8 January 2014


5. References

   [SAFECURVES] safecurves.cr.yp.to

   [EFD] http://www.hyperelliptic.org/EFD/g1p/index.html

Author's Address
   Watson Ladd
   watsonbladd@gmail.com
   Berkeley, CA









































Ladd, Watson              Expires 9 July 2014                   [Page 6]


Html markup produced by rfcmarkup 1.129d, available from https://tools.ietf.org/tools/rfcmarkup/