< draft-ietf-lwig-curve-representations-04.txt | draft-ietf-lwig-curve-representations-05.txt > | |||
---|---|---|---|---|

lwig R. Struik | lwig R. Struik | |||

Internet-Draft Struik Security Consultancy | Internet-Draft Struik Security Consultancy | |||

Intended status: Informational April 19, 2019 | Intended status: Informational May 15, 2019 | |||

Expires: October 21, 2019 | Expires: November 16, 2019 | |||

Alternative Elliptic Curve Representations | Alternative Elliptic Curve Representations | |||

draft-ietf-lwig-curve-representations-04 | draft-ietf-lwig-curve-representations-05 | |||

Abstract | Abstract | |||

This document specifies how to represent Montgomery curves and | This document specifies how to represent Montgomery curves and | |||

(twisted) Edwards curves as curves in short-Weierstrass form and | (twisted) Edwards curves as curves in short-Weierstrass form and | |||

illustrates how this can be used to carry out elliptic curve | illustrates how this can be used to carry out elliptic curve | |||

computations using existing implementations of, e.g., ECDSA and ECDH | computations using existing implementations of, e.g., ECDSA and ECDH | |||

using NIST prime curves. | using NIST prime curves. | |||

Requirements Language | Requirements Language | |||

skipping to change at page 1, line 41 ¶ | skipping to change at page 1, line 41 ¶ | |||

Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||

Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||

working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||

Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||

Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||

and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||

time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||

material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||

This Internet-Draft will expire on October 21, 2019. | This Internet-Draft will expire on November 16, 2019. | |||

Copyright Notice | Copyright Notice | |||

Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||

document authors. All rights reserved. | document authors. All rights reserved. | |||

This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||

Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||

(https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||

publication of this document. Please review these documents | publication of this document. Please review these documents | |||

skipping to change at page 2, line 23 ¶ | skipping to change at page 2, line 23 ¶ | |||

1. Fostering Code Reuse with New Elliptic Curves . . . . . . . . 4 | 1. Fostering Code Reuse with New Elliptic Curves . . . . . . . . 4 | |||

2. Specification of Wei25519 . . . . . . . . . . . . . . . . . . 4 | 2. Specification of Wei25519 . . . . . . . . . . . . . . . . . . 4 | |||

3. Use of Representation Switches . . . . . . . . . . . . . . . 4 | 3. Use of Representation Switches . . . . . . . . . . . . . . . 4 | |||

4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||

4.1. Implementation of X25519 . . . . . . . . . . . . . . . . 5 | 4.1. Implementation of X25519 . . . . . . . . . . . . . . . . 5 | |||

4.2. Implementation of Ed25519 . . . . . . . . . . . . . . . . 6 | 4.2. Implementation of Ed25519 . . . . . . . . . . . . . . . . 6 | |||

4.3. Specification of ECDSA25519 . . . . . . . . . . . . . . . 6 | 4.3. Specification of ECDSA25519 . . . . . . . . . . . . . . . 6 | |||

4.4. Other Uses . . . . . . . . . . . . . . . . . . . . . . . 7 | 4.4. Other Uses . . . . . . . . . . . . . . . . . . . . . . . 7 | |||

5. Caveats . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 | 5. Caveats . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||

6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | 6. Implementation Considerations . . . . . . . . . . . . . . . . 9 | |||

7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 9 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | |||

8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | 8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 10 | |||

8.1. COSE Elliptic Curves Registration . . . . . . . . . . . . 10 | 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 | |||

8.2. COSE Algorithms Registration (1/2) . . . . . . . . . . . 10 | 9.1. COSE Elliptic Curves Registration . . . . . . . . . . . . 11 | |||

8.3. COSE Algorithms Registration (2/2) . . . . . . . . . . . 11 | 9.2. COSE Algorithms Registration (1/2) . . . . . . . . . . . 11 | |||

8.4. JOSE Elliptic Curves Registration . . . . . . . . . . . . 11 | 9.3. COSE Algorithms Registration (2/2) . . . . . . . . . . . 12 | |||

8.5. JOSE Algorithms Registration (1/2) . . . . . . . . . . . 11 | 9.4. JOSE Elliptic Curves Registration . . . . . . . . . . . . 12 | |||

8.6. JOSE Algorithms Registration (2/2) . . . . . . . . . . . 12 | 9.5. JOSE Algorithms Registration (1/2) . . . . . . . . . . . 12 | |||

9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 12 | 9.6. JOSE Algorithms Registration (2/2) . . . . . . . . . . . 13 | |||

10. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 | 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 13 | |||

10.1. Normative References . . . . . . . . . . . . . . . . . . 12 | 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 | |||

10.2. Informative References . . . . . . . . . . . . . . . . . 13 | 11.1. Normative References . . . . . . . . . . . . . . . . . . 13 | |||

Appendix A. Some (non-Binary) Elliptic Curves . . . . . . . . . 15 | 11.2. Informative References . . . . . . . . . . . . . . . . . 14 | |||

A.1. Curves in short-Weierstrass Form . . . . . . . . . . . . 15 | Appendix A. Some (non-Binary) Elliptic Curves . . . . . . . . . 16 | |||

A.2. Montgomery Curves . . . . . . . . . . . . . . . . . . . . 15 | A.1. Curves in short-Weierstrass Form . . . . . . . . . . . . 16 | |||

A.3. Twisted Edwards Curves . . . . . . . . . . . . . . . . . 15 | A.2. Montgomery Curves . . . . . . . . . . . . . . . . . . . . 16 | |||

Appendix B. Elliptic Curve Nomenclature and Finite Fields . . . 16 | A.3. Twisted Edwards Curves . . . . . . . . . . . . . . . . . 16 | |||

B.1. Elliptic Curve Nomenclature . . . . . . . . . . . . . . . 16 | Appendix B. Elliptic Curve Nomenclature and Finite Fields . . . 17 | |||

B.2. Finite Fields . . . . . . . . . . . . . . . . . . . . . . 17 | B.1. Elliptic Curve Nomenclature . . . . . . . . . . . . . . . 17 | |||

Appendix C. Elliptic Curve Group Operations . . . . . . . . . . 18 | B.2. Finite Fields . . . . . . . . . . . . . . . . . . . . . . 18 | |||

C.1. Group Law for Weierstrass Curves . . . . . . . . . . . . 18 | Appendix C. Elliptic Curve Group Operations . . . . . . . . . . 19 | |||

C.2. Group Law for Montgomery Curves . . . . . . . . . . . . . 19 | C.1. Group Law for Weierstrass Curves . . . . . . . . . . . . 19 | |||

C.3. Group Law for Twisted Edwards Curves . . . . . . . . . . 20 | C.2. Group Law for Montgomery Curves . . . . . . . . . . . . . 20 | |||

Appendix D. Relationship Between Curve Models . . . . . . . . . 21 | C.3. Group Law for Twisted Edwards Curves . . . . . . . . . . 21 | |||

Appendix D. Relationship Between Curve Models . . . . . . . . . 22 | ||||

D.1. Mapping between Twisted Edwards Curves and Montgomery | D.1. Mapping between Twisted Edwards Curves and Montgomery | |||

Curves . . . . . . . . . . . . . . . . . . . . . . . . . 21 | Curves . . . . . . . . . . . . . . . . . . . . . . . . . 22 | |||

D.2. Mapping between Montgomery Curves and Weierstrass Curves 22 | D.2. Mapping between Montgomery Curves and Weierstrass Curves 23 | |||

D.3. Mapping between Twisted Edwards Curves and Weierstrass | D.3. Mapping between Twisted Edwards Curves and Weierstrass | |||

Curves . . . . . . . . . . . . . . . . . . . . . . . . . 23 | Curves . . . . . . . . . . . . . . . . . . . . . . . . . 24 | |||

Appendix E. Curve25519 and Cousins . . . . . . . . . . . . . . . 23 | Appendix E. Curve25519 and Cousins . . . . . . . . . . . . . . . 24 | |||

E.1. Curve Definition and Alternative Representations . . . . 23 | E.1. Curve Definition and Alternative Representations . . . . 24 | |||

E.2. Switching between Alternative Representations . . . . . . 23 | E.2. Switching between Alternative Representations . . . . . . 24 | |||

E.3. Domain Parameters . . . . . . . . . . . . . . . . . . . . 25 | E.3. Domain Parameters . . . . . . . . . . . . . . . . . . . . 26 | |||

Appendix F. Further Mappings . . . . . . . . . . . . . . . . . . 27 | Appendix F. Further Mappings . . . . . . . . . . . . . . . . . . 28 | |||

F.1. Isomorphic Mapping between Twisted Edwards Curves . . . . 27 | F.1. Isomorphic Mapping between Twisted Edwards Curves . . . . 28 | |||

F.2. Isomorphic Mapping between Montgomery Curves . . . . . . 28 | F.2. Isomorphic Mapping between Montgomery Curves . . . . . . 29 | |||

F.3. Isomorphic Mapping between Weierstrass Curves . . . . . . 28 | F.3. Isomorphic Mapping between Weierstrass Curves . . . . . . 29 | |||

F.4. Isogenous Mapping between Weierstrass Curves . . . . . . 29 | F.4. Isogenous Mapping between Weierstrass Curves . . . . . . 30 | |||

Appendix G. Further Cousins of Curve25519 . . . . . . . . . . . 31 | Appendix G. Further Cousins of Curve25519 . . . . . . . . . . . 32 | |||

G.1. Further Alternative Representations . . . . . . . . . . . 31 | G.1. Further Alternative Representations . . . . . . . . . . . 32 | |||

G.2. Further Switching . . . . . . . . . . . . . . . . . . . . 31 | G.2. Further Switching . . . . . . . . . . . . . . . . . . . . 32 | |||

G.3. Further Domain Parameters . . . . . . . . . . . . . . . . 32 | G.3. Further Domain Parameters . . . . . . . . . . . . . . . . 33 | |||

Appendix H. Isogeny Details . . . . . . . . . . . . . . . . . . 33 | Appendix H. Isogeny Details . . . . . . . . . . . . . . . . . . 34 | |||

H.1. Isogeny Parameters . . . . . . . . . . . . . . . . . . . 33 | H.1. Isogeny Parameters . . . . . . . . . . . . . . . . . . . 34 | |||

H.1.1. Coefficients of u(x) . . . . . . . . . . . . . . . . 33 | H.1.1. Coefficients of u(x) . . . . . . . . . . . . . . . . 34 | |||

H.1.2. Coefficients of v(x) . . . . . . . . . . . . . . . . 36 | H.1.2. Coefficients of v(x) . . . . . . . . . . . . . . . . 37 | |||

H.1.3. Coefficients of w(x) . . . . . . . . . . . . . . . . 39 | H.1.3. Coefficients of w(x) . . . . . . . . . . . . . . . . 40 | |||

H.2. Dual Isogeny Parameters . . . . . . . . . . . . . . . . . 40 | H.2. Dual Isogeny Parameters . . . . . . . . . . . . . . . . . 41 | |||

H.2.1. Coefficients of u'(x) . . . . . . . . . . . . . . . . 40 | H.2.1. Coefficients of u'(x) . . . . . . . . . . . . . . . . 41 | |||

H.2.2. Coefficients of v'(x) . . . . . . . . . . . . . . . . 42 | H.2.2. Coefficients of v'(x) . . . . . . . . . . . . . . . . 43 | |||

H.2.3. Coefficients of w'(x) . . . . . . . . . . . . . . . . 45 | H.2.3. Coefficients of w'(x) . . . . . . . . . . . . . . . . 46 | |||

Appendix I. Point Compression . . . . . . . . . . . . . . . . . 46 | Appendix I. Point Compression . . . . . . . . . . . . . . . . . 47 | |||

I.1. Point Compression for Weierstrass Curves . . . . . . . . 46 | I.1. Point Compression for Weierstrass Curves . . . . . . . . 47 | |||

I.2. Point Compression for Montgomery Curves . . . . . . . . . 47 | I.2. Point Compression for Montgomery Curves . . . . . . . . . 48 | |||

I.3. Point Compression for Twisted Edwards Curves . . . . . . 48 | I.3. Point Compression for Twisted Edwards Curves . . . . . . 49 | |||

Appendix J. Data Conversions . . . . . . . . . . . . . . . . . . 48 | Appendix J. Data Conversions . . . . . . . . . . . . . . . . . . 49 | |||

J.1. Conversion between Bit Strings and Integers . . . . . . . 49 | J.1. Conversion between Bit Strings and Integers . . . . . . . 50 | |||

J.2. Conversion between Octet Strings and Integers (OS2I, | J.2. Conversion between Octet Strings and Integers (OS2I, | |||

I2OS) . . . . . . . . . . . . . . . . . . . . . . . . . . 49 | I2OS) . . . . . . . . . . . . . . . . . . . . . . . . . . 50 | |||

J.3. Conversion between Octet Strings and Bit Strings (BS2OS, | J.3. Conversion between Octet Strings and Bit Strings (BS2OS, | |||

OS2BS) . . . . . . . . . . . . . . . . . . . . . . . . . 50 | OS2BS) . . . . . . . . . . . . . . . . . . . . . . . . . 51 | |||

J.4. Conversion between Field Elements and Octet Strings | J.4. Conversion between Field Elements and Octet Strings | |||

(FE2OS, OS2FE) . . . . . . . . . . . . . . . . . . . . . 50 | (FE2OS, OS2FE) . . . . . . . . . . . . . . . . . . . . . 51 | |||

J.5. Conversion between Elements of Z mod n and Octet Strings | J.5. Conversion between Elements of Z mod n and Octet Strings | |||

(ZnE2OS, OS2ZnE) . . . . . . . . . . . . . . . . . . . . 50 | (ZnE2OS, OS2ZnE) . . . . . . . . . . . . . . . . . . . . 51 | |||

J.6. Ordering Conventions . . . . . . . . . . . . . . . . . . 51 | J.6. Ordering Conventions . . . . . . . . . . . . . . . . . . 52 | |||

Appendix K. Representation Examples Curve25519 Family Members . 52 | Appendix K. Representation Examples Curve25519 Family Members . 53 | |||

K.1. Example with Curve25519 . . . . . . . . . . . . . . . . . 52 | K.1. Example with Curve25519 . . . . . . . . . . . . . . . . . 53 | |||

K.2. Example with Edwards25519 . . . . . . . . . . . . . . . . 54 | K.2. Example with Edwards25519 . . . . . . . . . . . . . . . . 55 | |||

K.3. Example with Wei25519 . . . . . . . . . . . . . . . . . . 55 | K.3. Example with Wei25519 . . . . . . . . . . . . . . . . . . 56 | |||

K.4. Example with Wei25519.2 . . . . . . . . . . . . . . . . . 57 | K.4. Example with Wei25519.2 . . . . . . . . . . . . . . . . . 58 | |||

K.5. Example with Wei25519.-3 . . . . . . . . . . . . . . . . 58 | K.5. Example with Wei25519.-3 . . . . . . . . . . . . . . . . 59 | |||

Appendix L. Auxiliary Functions . . . . . . . . . . . . . . . . 60 | Appendix L. Auxiliary Functions . . . . . . . . . . . . . . . . 61 | |||

L.1. Square Roots in GF(q) . . . . . . . . . . . . . . . . . . 60 | L.1. Square Roots in GF(q) . . . . . . . . . . . . . . . . . . 61 | |||

L.1.1. Square Roots in GF(q), where q = 3 (mod 4) . . . . . 60 | L.1.1. Square Roots in GF(q), where q = 3 (mod 4) . . . . . 61 | |||

L.1.2. Square Roots in GF(q), where q = 5 (mod 8) . . . . . 60 | L.1.2. Square Roots in GF(q), where q = 5 (mod 8) . . . . . 61 | |||

L.2. Inversion . . . . . . . . . . . . . . . . . . . . . . . . 61 | ||||

L.2. Inversion . . . . . . . . . . . . . . . . . . . . . . . . 60 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 62 | |||

Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 61 | ||||

1. Fostering Code Reuse with New Elliptic Curves | 1. Fostering Code Reuse with New Elliptic Curves | |||

It is well-known that elliptic curves can be represented using | It is well-known that elliptic curves can be represented using | |||

different curve models. Recently, IETF standardized elliptic curves | different curve models. Recently, IETF standardized elliptic curves | |||

that are claimed to have better performance and improved robustness | that are claimed to have better performance and improved robustness | |||

against "real world" attacks than curves represented in the | against "real world" attacks than curves represented in the | |||

traditional "short" Weierstrass model. This document specifies an | traditional "short" Weierstrass model. This document specifies an | |||

alternative representation of points of Curve25519, a so-called | alternative representation of points of Curve25519, a so-called | |||

Montgomery curve, and of points of Edwards25519, a so-called twisted | Montgomery curve, and of points of Edwards25519, a so-called twisted | |||

skipping to change at page 9, line 5 ¶ | skipping to change at page 9, line 7 ¶ | |||

NOTE 2: While an implementation of Curve25519 via an isogenous | NOTE 2: While an implementation of Curve25519 via an isogenous | |||

Weierstrass curve with domain parameter a=-3 requires a | Weierstrass curve with domain parameter a=-3 requires a | |||

relatively large table (of size roughly 9kB), for the quadratic | relatively large table (of size roughly 9kB), for the quadratic | |||

twist of Curve25519 (i.e., the Montgomery curve M_{A,B'} with | twist of Curve25519 (i.e., the Montgomery curve M_{A,B'} with | |||

A=486662 and B'=2) this implementation approach only requires a | A=486662 and B'=2) this implementation approach only requires a | |||

table of size less than 0.5kB (over 20x smaller), solely due to | table of size less than 0.5kB (over 20x smaller), solely due to | |||

the fact that it is l-isogenous to a Weierstrass curve with a=-3 | the fact that it is l-isogenous to a Weierstrass curve with a=-3 | |||

parameter with relatively small parameter l=2 (compared to l=47, | parameter with relatively small parameter l=2 (compared to l=47, | |||

as is the case with Curve25519 itself). | as is the case with Curve25519 itself). | |||

6. Security Considerations | 6. Implementation Considerations | |||

The efficiency of elliptic curve arithmetic is primarily determined | ||||

by the efficiency of its group operations (see Appendix C). Numerous | ||||

optimized formulae exist, such as the use of so-called Montgomery | ||||

ladders with Montgomery curves [Mont-Ladder] or with Weierstrass | ||||

curves [Wei-Ladder], the use of hardcoded a=-3 domain parameter for | ||||

Weierstrass curves [ECC-Isogeny], and the use of hardcoded a=-1 | ||||

domain parameters for twisted Edwards curves [tEd-Formulas]. These | ||||

all target reduction of the number of finite field operations | ||||

(primarily, finite field multiplications and squarings). Other | ||||

optimizations target more efficient modular reductions underlying | ||||

these finite field operations, by specifying curves defined over a | ||||

field GF(q), where the field size q has a special form or a specific | ||||

bit-size (typically, close to a multiple of a machine word). | ||||

Depending on the implementation strategy, the bit-size of q may also | ||||

facilitate reduced so-called "carry-effects" of integer arithmetic. | ||||

Most curves use a combination of these design philosophies. All NIST | ||||

curves [FIPS-186-4] and Brainpool curves [RFC5639] are Weierstrass | ||||

curves with a=-3 domain parameter, thus facilitating more efficient | ||||

elliptic curve group operations (via so-called Jacobian coordinates). | ||||

The NIST curves and the Montgomery curve Curve25519 are defined over | ||||

prime fields, where the prime number has a special form, whereas the | ||||

Brainpool curves - by design - use a generic prime number. None of | ||||

the NIST curves, nor the Brainpool curves, can be expressed as | ||||

Montgomery or twisted Edwards curves, whereas - conversely - | ||||

Montgomery curves and twisted curves can be expressed as Weierstrass | ||||

curves. | ||||

While use of Wei25519 allows reuse of existing generic code that | ||||

implements short Weierstrass curves, such as the NIST curve P-256, to | ||||

also implement the CFRG curves Curve25519 or Edwards25519, this | ||||

obviously does not result in an implementation of these CFRG curves | ||||

that exploits the special structure of the underlying field or other | ||||

specific domain parameters (since generic). Reuse of code, | ||||

therefore, may result in a less computationally efficient curve | ||||

implementation than would have been possible if the implementation | ||||

had specially targeted Curve25519 or Edwards25519 alone. Overall, | ||||

one should consider not just code reuse and computational efficiency, | ||||

but also development and maintenance cost, and, e.g, the cost of | ||||

providing effective implementation attack countermeasures (see also | ||||

Section 7). | ||||

7. Security Considerations | ||||

The different representations of elliptic curve points discussed in | The different representations of elliptic curve points discussed in | |||

this document are all obtained using a publicly known transformation, | this document are all obtained using a publicly known transformation, | |||

which is either an isomorphism or a low-degree isogeny. It is well- | which is either an isomorphism or a low-degree isogeny. It is well- | |||

known that an isomorphism maps elliptic curve points to equivalent | known that an isomorphism maps elliptic curve points to equivalent | |||

mathematical objects and that the complexity of cryptographic | mathematical objects and that the complexity of cryptographic | |||

problems (such as the discrete logarithm problem) of curves related | problems (such as the discrete logarithm problem) of curves related | |||

via a low-degree isogeny are tightly related. Thus, the use of these | via a low-degree isogeny are tightly related. Thus, the use of these | |||

techniques does not negatively impact cryptographic security of | techniques does not negatively impact cryptographic security of | |||

elliptic curve operations. | elliptic curve operations. | |||

skipping to change at page 9, line 43 ¶ | skipping to change at page 10, line 43 ¶ | |||

short-Weierstrass form and in uncompressed tight MSB/msb format). | short-Weierstrass form and in uncompressed tight MSB/msb format). | |||

To prevent cross-protocol attacks, private keys SHOULD only be used | To prevent cross-protocol attacks, private keys SHOULD only be used | |||

with one cryptographic scheme. Private keys MUST NOT be reused | with one cryptographic scheme. Private keys MUST NOT be reused | |||

between Ed25519 (as specified in [RFC8032]) and ECDSA25519 (as | between Ed25519 (as specified in [RFC8032]) and ECDSA25519 (as | |||

specified in Section 4.3). | specified in Section 4.3). | |||

To prevent intra-protocol cross-instantiation attacks, ephemeral | To prevent intra-protocol cross-instantiation attacks, ephemeral | |||

private keys MUST NOT be reused between instantiations of ECDSA25519. | private keys MUST NOT be reused between instantiations of ECDSA25519. | |||

7. Privacy Considerations | 8. Privacy Considerations | |||

The transformations between different curve models described in this | The transformations between different curve models described in this | |||

document are publicly known and, therefore, do not affect privacy | document are publicly known and, therefore, do not affect privacy | |||

provisions. | provisions. | |||

8. IANA Considerations | 9. IANA Considerations | |||

An object identifier is requested for curve Wei25519 and its use with | An object identifier is requested for curve Wei25519 and its use with | |||

ECDSA and co-factor ECDH, using the representation conventions of | ECDSA and co-factor ECDH, using the representation conventions of | |||

this document. | this document. | |||

There is *currently* no further IANA action required for this | There is *currently* no further IANA action required for this | |||

document. New object identifiers would be required in case one | document. New object identifiers would be required in case one | |||

wishes to specify one or more of the "offspring" protocols | wishes to specify one or more of the "offspring" protocols | |||

exemplified in Section 4.4. | exemplified in Section 4.4. | |||

8.1. COSE Elliptic Curves Registration | 9.1. COSE Elliptic Curves Registration | |||

This section registers the following value in the IANA "COSE Elliptic | This section registers the following value in the IANA "COSE Elliptic | |||

Curves" registry [IANA.COSE.Curves]. | Curves" registry [IANA.COSE.Curves]. | |||

Name: Wei25519; | Name: Wei25519; | |||

Value: TBD (Requested value: -1); | Value: TBD (Requested value: -1); | |||

Key Type: EC2 or OKP (where OKP uses the squeezed MSB/msb | Key Type: EC2 or OKP (where OKP uses the squeezed MSB/msb | |||

representation of this specification); | representation of this specification); | |||

Description: short-Weierstrass curve Wei25519; | Description: short-Weierstrass curve Wei25519; | |||

Reference: Appendix E.3 of this specification; | Reference: Appendix E.3 of this specification; | |||

Recommended: Yes. | Recommended: Yes. | |||

(Note that The "kty" value for Wei25519 may be "OKP" or "EC2".) | (Note that The "kty" value for Wei25519 may be "OKP" or "EC2".) | |||

8.2. COSE Algorithms Registration (1/2) | 9.2. COSE Algorithms Registration (1/2) | |||

This section registers the following value in the IANA "COSE | This section registers the following value in the IANA "COSE | |||

Algorithms" registry [IANA.COSE.Algorithms]. | Algorithms" registry [IANA.COSE.Algorithms]. | |||

Name: ECDSA25519; | Name: ECDSA25519; | |||

Value: TBD (Requested value: -1); | Value: TBD (Requested value: -1); | |||

Description: ECDSA w/ SHA-256 and curve Wei25519; | Description: ECDSA w/ SHA-256 and curve Wei25519; | |||

Reference: Section 4.3 of this specification; | Reference: Section 4.3 of this specification; | |||

Recommended: Yes. | Recommended: Yes. | |||

8.3. COSE Algorithms Registration (2/2) | 9.3. COSE Algorithms Registration (2/2) | |||

This section registers the following value in the IANA "COSE | This section registers the following value in the IANA "COSE | |||

Algorithms" registry [IANA.COSE.Algorithms]. | Algorithms" registry [IANA.COSE.Algorithms]. | |||

Name: ECDH25519; | Name: ECDH25519; | |||

Value: TBD (Requested value: -2); | Value: TBD (Requested value: -2); | |||

Description: NIST-compliant co-factor Diffie-Hellman w/ curve | Description: NIST-compliant co-factor Diffie-Hellman w/ curve | |||

Wei25519 and key derivation function HKDF SHA256; | Wei25519 and key derivation function HKDF SHA256; | |||

Reference: Section 4.1 of this specification (for key derivation, | Reference: Section 4.1 of this specification (for key derivation, | |||

see Section 11.1 of [RFC8152]); | see Section 11.1 of [RFC8152]); | |||

Recommended: Yes. | Recommended: Yes. | |||

8.4. JOSE Elliptic Curves Registration | 9.4. JOSE Elliptic Curves Registration | |||

This section registers the following value in the IANA "JSON Web Key | This section registers the following value in the IANA "JSON Web Key | |||

Elliptic Curve" registry [IANA.JOSE.Curves]. | Elliptic Curve" registry [IANA.JOSE.Curves]. | |||

Curve Name: Wei25519; | Curve Name: Wei25519; | |||

Curve Description: short-Weierstrass curve Wei25519; | Curve Description: short-Weierstrass curve Wei25519; | |||

JOSE Implementation Requirements: optional; | JOSE Implementation Requirements: optional; | |||

Change Controller: IANA; | Change Controller: IANA; | |||

Reference: Appendix E.3 of this specification. | Reference: Appendix E.3 of this specification. | |||

8.5. JOSE Algorithms Registration (1/2) | 9.5. JOSE Algorithms Registration (1/2) | |||

This section registers the following value in the IANA "JSON Web | This section registers the following value in the IANA "JSON Web | |||

Signature and Encryption Algorithms" registry [IANA.JOSE.Algorithms]. | Signature and Encryption Algorithms" registry [IANA.JOSE.Algorithms]. | |||

Algorithm Name: ECDSA25519; | Algorithm Name: ECDSA25519; | |||

Algorithm Description: ECDSA w/ SHA-256 and curve Wei25519; | Algorithm Description: ECDSA w/ SHA-256 and curve Wei25519; | |||

Algorithm Usage Locations: alg; | Algorithm Usage Locations: alg; | |||

JOSE Implementation Requirements: optional; | JOSE Implementation Requirements: optional; | |||

Change Controller: IANA; | Change Controller: IANA; | |||

Reference: Section 4.3 of this specification; | Reference: Section 4.3 of this specification; | |||

Algorithm Analysis Documents: Section 4.3 of this specification. | Algorithm Analysis Documents: Section 4.3 of this specification. | |||

8.6. JOSE Algorithms Registration (2/2) | 9.6. JOSE Algorithms Registration (2/2) | |||

This section registers the following value in the IANA "JSON Web | This section registers the following value in the IANA "JSON Web | |||

Signature and Encryption Algorithms" registry [IANA.JOSE.Algorithms]. | Signature and Encryption Algorithms" registry [IANA.JOSE.Algorithms]. | |||

Algorithm Name: ECDH25519; | Algorithm Name: ECDH25519; | |||

Algorithm Description: NIST-compliant co-factor Diffie-Hellman w/ | Algorithm Description: NIST-compliant co-factor Diffie-Hellman w/ | |||

curve Wei25519 and key derivation function HKDF SHA256; | curve Wei25519 and key derivation function HKDF SHA256; | |||

Algorithm Usage Locations: alg; | Algorithm Usage Locations: alg; | |||

Change Controller: IANA; | Change Controller: IANA; | |||

Reference: Section 4.1 of this specification (for key derivation, | Reference: Section 4.1 of this specification (for key derivation, | |||

see Section 5 of [SP-800-56c]); | see Section 5 of [SP-800-56c]); | |||

Algorithm Analysis Documents: Section 4.1 of this specification (for | Algorithm Analysis Documents: Section 4.1 of this specification (for | |||

key derivation, see Section 5 of [SP-800-56c]). | key derivation, see Section 5 of [SP-800-56c]). | |||

9. Acknowledgements | 10. Acknowledgements | |||

Thanks to Nikolas Rosener for discussions surrounding implementation | Thanks to Nikolas Rosener for discussions surrounding implementation | |||

details of the techniques described in this document and to Phillip | details of the techniques described in this document and to Phillip | |||

Hallam-Baker for triggering inclusion of verbiage on the use of | Hallam-Baker for triggering inclusion of verbiage on the use of | |||

Montgomery ladders with recovery of the y-coordinate. Thanks to | Montgomery ladders with recovery of the y-coordinate. Thanks to | |||

Stanislav Smyshlyaev and Vasily Nikolaev for their careful reviews. | Stanislav Smyshlyaev and Vasily Nikolaev for their careful reviews. | |||

10. References | 11. References | |||

10.1. Normative References | 11.1. Normative References | |||

[ANSI-X9.62] | [ANSI-X9.62] | |||

ANSI X9.62-2005, "Public Key Cryptography for the | ANSI X9.62-2005, "Public Key Cryptography for the | |||

Financial Services Industry: The Elliptic Curve Digital | Financial Services Industry: The Elliptic Curve Digital | |||

Signature Algorithm (ECDSA)", American National Standard | Signature Algorithm (ECDSA)", American National Standard | |||

for Financial Services, Accredited Standards Committee X9, | for Financial Services, Accredited Standards Committee X9, | |||

Inc, Anapolis, MD, 2005. | Inc, Anapolis, MD, 2005. | |||

[FIPS-186-4] | [FIPS-186-4] | |||

FIPS 186-4, "Digital Signature Standard (DSS), Federal | FIPS 186-4, "Digital Signature Standard (DSS), Federal | |||

skipping to change at page 13, line 48 ¶ | skipping to change at page 14, line 48 ¶ | |||

Establishment Schemes Using Discrete Log Cryptography, | Establishment Schemes Using Discrete Log Cryptography, | |||

Revision 3", US Department of Commerce/National Institute | Revision 3", US Department of Commerce/National Institute | |||

of Standards and Technology, Gaithersburg, MD, April 2018. | of Standards and Technology, Gaithersburg, MD, April 2018. | |||

[SP-800-56c] | [SP-800-56c] | |||

NIST SP 800-56c, "Recommendation for Key-Derivation | NIST SP 800-56c, "Recommendation for Key-Derivation | |||

Methods in Key-Establishment Schemes, Revision 1", US | Methods in Key-Establishment Schemes, Revision 1", US | |||

Department of Commerce/National Institute of Standards and | Department of Commerce/National Institute of Standards and | |||

Technology, Gaithersburg, MD, April 2018. | Technology, Gaithersburg, MD, April 2018. | |||

10.2. Informative References | 11.2. Informative References | |||

[ECC] I.F. Blake, G. Seroussi, N.P. Smart, "Elliptic Curves in | [ECC] I.F. Blake, G. Seroussi, N.P. Smart, "Elliptic Curves in | |||

Cryptography", Cambridge University Press, Lecture Notes | Cryptography", Cambridge University Press, Lecture Notes | |||

Series 265, July 1999. | Series 265, July 1999. | |||

[ECC-Isogeny] | [ECC-Isogeny] | |||

E. Brier, M. Joye, "Fast Point Multiplication on Elliptic | E. Brier, M. Joye, "Fast Point Multiplication on Elliptic | |||

Curves through Isogenies", AAECC, Lecture Notes in | Curves through Isogenies", AAECC, Lecture Notes in | |||

Computer Science, Vol. 2643, New York: Springer-Verlag, | Computer Science, Vol. 2643, New York: Springer-Verlag, | |||

2003. | 2003. | |||

skipping to change at page 14, line 40 ¶ | skipping to change at page 15, line 40 ¶ | |||

IANA, "JSON Web Signature and Encryption Algorithms", | IANA, "JSON Web Signature and Encryption Algorithms", | |||

IANA, | IANA, | |||

https://www.iana.org/assignments/jose/jose.xhtml#web- | https://www.iana.org/assignments/jose/jose.xhtml#web- | |||

signature-encryption-algorithms. | signature-encryption-algorithms. | |||

[IANA.JOSE.Curves] | [IANA.JOSE.Curves] | |||

IANA, "JSON Web Key Elliptic Curve", IANA, | IANA, "JSON Web Key Elliptic Curve", IANA, | |||

https://www.iana.org/assignments/jose/jose.xhtml#web-key- | https://www.iana.org/assignments/jose/jose.xhtml#web-key- | |||

elliptic-curve. | elliptic-curve. | |||

[Ladder] P.L. Montgomery, "Speeding the Pollard and Elliptic Curve | [Mont-Ladder] | |||

P.L. Montgomery, "Speeding the Pollard and Elliptic Curve | ||||

Methods of Factorization", Mathematics of | Methods of Factorization", Mathematics of | |||

Computation, Vol. 48, 1987. | Computation, Vol. 48, 1987. | |||

[tEd] D.J. Bernstein, P. Birkner, M. Joye, T. Lange, C. Peters, | [tEd] D.J. Bernstein, P. Birkner, M. Joye, T. Lange, C. Peters, | |||

"Twisted Edwards Curves", Africacrypt 2008, Lecture Notes | "Twisted Edwards Curves", Africacrypt 2008, Lecture Notes | |||

in Computer Science, Vol. 5023, New York: Springer-Verlag, | in Computer Science, Vol. 5023, New York: Springer-Verlag, | |||

2008. | 2008. | |||

[tEd-Formulas] | [tEd-Formulas] | |||

H. Hisil, K.K.H. Wong, G. Carter, E. Dawson, "Twisted | H. Hisil, K.K.H. Wong, G. Carter, E. Dawson, "Twisted | |||

Edwards Curves Revisited", ASIACRYPT 2008, Lecture Notes | Edwards Curves Revisited", ASIACRYPT 2008, Lecture Notes | |||

in Computer Science, Vol. 5350, New York: Springer-Verlag, | in Computer Science, Vol. 5350, New York: Springer-Verlag, | |||

2008. | 2008. | |||

[Wei-y-recovery] | [Wei-Ladder] | |||

T. Izu, Ts. Takagi,, "A Fast Parallel Elliptic Curve | T. Izu, Ts. Takagi,, "A Fast Parallel Elliptic Curve | |||

Multiplication Resistant Against Side Channel Attacks", | Multiplication Resistant Against Side Channel Attacks", | |||

Centre for Applied Cryptographic Research, Corr 2002-03, | Centre for Applied Cryptographic Research, Corr 2002-03, | |||

2002. | 2002. | |||

Appendix A. Some (non-Binary) Elliptic Curves | Appendix A. Some (non-Binary) Elliptic Curves | |||

A.1. Curves in short-Weierstrass Form | A.1. Curves in short-Weierstrass Form | |||

Let GF(q) denote the finite field with q elements, where q is an odd | Let GF(q) denote the finite field with q elements, where q is an odd | |||

skipping to change at page 28, line 42 ¶ | skipping to change at page 29, line 42 ¶ | |||

other point (u',v') of M_{A',B'} to the point (u,v):=(-u',v') of | other point (u',v') of M_{A',B'} to the point (u,v):=(-u',v') of | |||

M_{A,B}. | M_{A,B}. | |||

Implementations may take advantage of this mapping to carry out | Implementations may take advantage of this mapping to carry out | |||

elliptic curve groups operations originally defined for a Montgomery | elliptic curve groups operations originally defined for a Montgomery | |||

curve with generic domain parameters A and B on a corresponding | curve with generic domain parameters A and B on a corresponding | |||

isomorphic Montgomery curve with domain parameters A' and B' that | isomorphic Montgomery curve with domain parameters A' and B' that | |||

have a more special form, which is known to allow for more efficient | have a more special form, which is known to allow for more efficient | |||

implementations of addition laws. In particular, it is known that | implementations of addition laws. In particular, it is known that | |||

such efficiency improvements exist if B' assumes a small absolute | such efficiency improvements exist if B' assumes a small absolute | |||

value, such as B':=(+/-)1. (see [Ladder]). | value, such as B':=(+/-)1. (see [Mont-Ladder]). | |||

F.3. Isomorphic Mapping between Weierstrass Curves | F.3. Isomorphic Mapping between Weierstrass Curves | |||

One can map points of the Weierstrass curve W_{a,b} to points of the | One can map points of the Weierstrass curve W_{a,b} to points of the | |||

Weierstrass curve W_{a',b'}, where a':=a*s^4 and b':=b*s^6 for some | Weierstrass curve W_{a',b'}, where a':=a*s^4 and b':=b*s^6 for some | |||

nonzero element s of GF(q). This defines a one-to-one | nonzero element s of GF(q). This defines a one-to-one | |||

correspondence, which - in fact - is an isomorphism between W_{a,b} | correspondence, which - in fact - is an isomorphism between W_{a,b} | |||

and W_{a',b'}. | and W_{a',b'}. | |||

The mapping from W_{a,b} to W_{a',b'} is defined by mapping the point | The mapping from W_{a,b} to W_{a',b'} is defined by mapping the point | |||

End of changes. 26 change blocks. | ||||

94 lines changed or deleted | | 139 lines changed or added | ||

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |