Diff: draft-ietf-lwig-curve-representations-05.txt vs. draft-ietf-lwig-curve-representations-06.txt

lwig                                                          R. Struik
Internet-Draft                              Struik Security Consultancy
Intended status: Informational      May 15, 2019 (-05) / May 16, 2019 (-06)
Expires: November 16, 2019 (-05) / November 17, 2019 (-06)

                  Alternative Elliptic Curve Representations
   draft-ietf-lwig-curve-representations-05 -> draft-ietf-lwig-curve-representations-06
Abstract

This document specifies how to represent Montgomery curves and (twisted) Edwards curves as curves in short-Weierstrass form and illustrates how this can be used to carry out elliptic curve computations using existing implementations of, e.g., ECDSA and ECDH using NIST prime curves.

Requirements Language

skipping to change at page 1, line 41

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on November 16, 2019 (-05) / November 17, 2019 (-06).

Copyright Notice

Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Table of Contents

(Section and page numbers are those of -06. -06 inserts a new Section 7, "Implementation Status", so the former Sections 7 through 11 of -05 are numbered 8 through 12 in -06; where a -05 page number differs from the -06 one it is given in parentheses.)

   1.  Fostering Code Reuse with New Elliptic Curves . . . . . . . .   4
   2.  Specification of Wei25519 . . . . . . . . . . . . . . . . . .   4
   3.  Use of Representation Switches  . . . . . . . . . . . . . . .   5 (4)
   4.  Examples  . . . . . . . . . . . . . . . . . . . . . . . . . .   5
     4.1.  Implementation of X25519  . . . . . . . . . . . . . . . .   6 (5)
     4.2.  Implementation of Ed25519 . . . . . . . . . . . . . . . .   6
     4.3.  Specification of ECDSA25519 . . . . . . . . . . . . . . .   7 (6)
     4.4.  Other Uses  . . . . . . . . . . . . . . . . . . . . . . .   7
   5.  Caveats . . . . . . . . . . . . . . . . . . . . . . . . . . .   7
   6.  Implementation Considerations . . . . . . . . . . . . . . . .   9
   7.  Implementation Status (new in -06)  . . . . . . . . . . . . .  10
   8.  Security Considerations (7 in -05)  . . . . . . . . . . . . .  11 (10)
   9.  Privacy Considerations (8 in -05) . . . . . . . . . . . . . .  12 (10)
   10. IANA Considerations (9 in -05)  . . . . . . . . . . . . . . .  12 (11)
     10.1.  COSE Elliptic Curves Registration  . . . . . . . . . . .  12 (11)
     10.2.  COSE Algorithms Registration (1/2) . . . . . . . . . . .  12 (11)
     10.3.  COSE Algorithms Registration (2/2) . . . . . . . . . . .  13 (12)
     10.4.  JOSE Elliptic Curves Registration  . . . . . . . . . . .  13 (12)
     10.5.  JOSE Algorithms Registration (1/2) . . . . . . . . . . .  13 (12)
     10.6.  JOSE Algorithms Registration (2/2) . . . . . . . . . . .  14 (13)
   11. Acknowledgements (10 in -05)  . . . . . . . . . . . . . . . .  14 (13)
   12. References (11 in -05)  . . . . . . . . . . . . . . . . . . .  14 (13)
     12.1.  Normative References . . . . . . . . . . . . . . . . . .  14 (13)
     12.2.  Informative References . . . . . . . . . . . . . . . . .  16 (14)
   Appendix A.  Some (non-Binary) Elliptic Curves  . . . . . . . . .  17 (16)
     A.1.  Curves in short-Weierstrass Form  . . . . . . . . . . . .  17 (16)
     A.2.  Montgomery Curves . . . . . . . . . . . . . . . . . . . .  17 (16)
     A.3.  Twisted Edwards Curves  . . . . . . . . . . . . . . . . .  18 (16)
   Appendix B.  Elliptic Curve Nomenclature and Finite Fields  . . .  18 (17)
     B.1.  Elliptic Curve Nomenclature . . . . . . . . . . . . . . .  18 (17)
     B.2.  Finite Fields . . . . . . . . . . . . . . . . . . . . . .  20 (18)
   Appendix C.  Elliptic Curve Group Operations  . . . . . . . . . .  21 (19)
     C.1.  Group Law for Weierstrass Curves  . . . . . . . . . . . .  21 (19)
     C.2.  Group Law for Montgomery Curves . . . . . . . . . . . . .  21 (20)
     C.3.  Group Law for Twisted Edwards Curves  . . . . . . . . . .  22 (21)
   Appendix D.  Relationship Between Curve Models  . . . . . . . . .  23 (22)
     D.1.  Mapping between Twisted Edwards Curves and Montgomery
           Curves  . . . . . . . . . . . . . . . . . . . . . . . . .  23 (22)
     D.2.  Mapping between Montgomery Curves and Weierstrass Curves   24 (23)
     D.3.  Mapping between Twisted Edwards Curves and Weierstrass
           Curves  . . . . . . . . . . . . . . . . . . . . . . . . .  25 (24)
   Appendix E.  Curve25519 and Cousins . . . . . . . . . . . . . . .  25 (24)
     E.1.  Curve Definition and Alternative Representations  . . . .  25 (24)
     E.2.  Switching between Alternative Representations . . . . . .  26 (24)
     E.3.  Domain Parameters . . . . . . . . . . . . . . . . . . . .  27 (26)
   Appendix F.  Further Mappings . . . . . . . . . . . . . . . . . .  29 (28)
     F.1.  Isomorphic Mapping between Twisted Edwards Curves . . . .  29 (28)
     F.2.  Isomorphic Mapping between Montgomery Curves  . . . . . .  30 (29)
     F.3.  Isomorphic Mapping between Weierstrass Curves . . . . . .  31 (29)
     F.4.  Isogenous Mapping between Weierstrass Curves  . . . . . .  32 (30)
   Appendix G.  Further Cousins of Curve25519  . . . . . . . . . . .  33 (32)
     G.1.  Further Alternative Representations . . . . . . . . . . .  33 (32)
     G.2.  Further Switching . . . . . . . . . . . . . . . . . . . .  33 (32)
     G.3.  Further Domain Parameters . . . . . . . . . . . . . . . .  34 (33)
   Appendix H.  Isogeny Details  . . . . . . . . . . . . . . . . . .  36 (34)
     H.1.  Isogeny Parameters  . . . . . . . . . . . . . . . . . . .  36 (34)
       H.1.1.  Coefficients of u(x)  . . . . . . . . . . . . . . . .  36 (34)
       H.1.2.  Coefficients of v(x)  . . . . . . . . . . . . . . . .  38 (37)
       H.1.3.  Coefficients of w(x)  . . . . . . . . . . . . . . . .  41 (40)
     H.2.  Dual Isogeny Parameters . . . . . . . . . . . . . . . . .  42 (41)
       H.2.1.  Coefficients of u'(x) . . . . . . . . . . . . . . . .  42 (41)
       H.2.2.  Coefficients of v'(x) . . . . . . . . . . . . . . . .  44 (43)
       H.2.3.  Coefficients of w'(x) . . . . . . . . . . . . . . . .  47 (46)
   Appendix I.  Point Compression  . . . . . . . . . . . . . . . . .  48 (47)
     I.1.  Point Compression for Weierstrass Curves  . . . . . . . .  49 (47)
     I.2.  Point Compression for Montgomery Curves . . . . . . . . .  49 (48)
     I.3.  Point Compression for Twisted Edwards Curves  . . . . . .  50 (49)
   Appendix J.  Data Conversions . . . . . . . . . . . . . . . . . .  51 (49)
     J.1.  Conversion between Bit Strings and Integers . . . . . . .  51 (50)
     J.2.  Conversion between Octet Strings and Integers (OS2I,
           I2OS) . . . . . . . . . . . . . . . . . . . . . . . . . .  51 (50)
     J.3.  Conversion between Octet Strings and Bit Strings (BS2OS,
           OS2BS)  . . . . . . . . . . . . . . . . . . . . . . . . .  52 (51)
     J.4.  Conversion between Field Elements and Octet Strings
           (FE2OS, OS2FE)  . . . . . . . . . . . . . . . . . . . . .  52 (51)
     J.5.  Conversion between Elements of Z mod n and Octet Strings
           (ZnE2OS, OS2ZnE)  . . . . . . . . . . . . . . . . . . . .  53 (51)
     J.6.  Ordering Conventions  . . . . . . . . . . . . . . . . . .  53 (52)
   Appendix K.  Representation Examples Curve25519 Family Members  .  54 (53)
     K.1.  Example with Curve25519 . . . . . . . . . . . . . . . . .  55 (53)
     K.2.  Example with Edwards25519 . . . . . . . . . . . . . . . .  56 (55)
     K.3.  Example with Wei25519 . . . . . . . . . . . . . . . . . .  58 (56)
     K.4.  Example with Wei25519.2 . . . . . . . . . . . . . . . . .  59 (58)
     K.5.  Example with Wei25519.-3  . . . . . . . . . . . . . . . .  61 (59)
   Appendix L.  Auxiliary Functions  . . . . . . . . . . . . . . . .  62 (61)
     L.1.  Square Roots in GF(q) . . . . . . . . . . . . . . . . . .  62 (61)
       L.1.1.  Square Roots in GF(q), where q = 3 (mod 4)  . . . . .  62 (61)
       L.1.2.  Square Roots in GF(q), where q = 5 (mod 8)  . . . . .  62 (61)
     L.2.  Inversion . . . . . . . . . . . . . . . . . . . . . . . .  62 (61)
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  63 (62)
1. Fostering Code Reuse with New Elliptic Curves

It is well-known that elliptic curves can be represented using different curve models. Recently, IETF standardized elliptic curves that are claimed to have better performance and improved robustness against "real world" attacks than curves represented in the traditional "short" Weierstrass model. This document specifies an alternative representation of points of Curve25519, a so-called Montgomery curve, and of points of Edwards25519, a so-called twisted
skipping to change at page 9, line 41 (-05) / page 9, line 51 (-06)
Brainpool curves - by design - use a generic prime number. None of the NIST curves, nor the Brainpool curves, can be expressed as Montgomery or twisted Edwards curves, whereas - conversely - Montgomery curves and twisted Edwards curves can be expressed as Weierstrass curves.
While use of Wei25519 allows reuse of existing generic code that implements short Weierstrass curves, such as the NIST curve P-256, to also implement the CFRG curves Curve25519 or Edwards25519, this obviously does not result in an implementation of these CFRG curves that exploits the specific structure of the underlying field or other specific domain parameters (since generic). Reuse of generic code, therefore, may result in a less computationally efficient curve implementation than would have been possible if the implementation had specifically targeted Curve25519 or Edwards25519 alone (with the overall cost differential estimated to be somewhere in the interval [1.00-1.25]). If existing generic code offers hardware support, however, the overall speed may still be larger, since less efficient formulae for curve arithmetic using Wei25519 curves compared to a direct implementation of Curve25519 or Edwards25519 arithmetic may be more than compensated for by faster implementations of the finite field arithmetic itself.

Overall, one should consider not just code reuse and computational efficiency, but also development and maintenance cost, and, e.g., the cost of providing effective implementation attack countermeasures (see also Section 8).

[Differences from -05 in the two paragraphs above: "special structure" became "specific structure", "Reuse of code" became "Reuse of generic code", and "specially targeted" became "specifically targeted"; the parenthetical cost-differential estimate and the sentence on hardware support are new in -06; the closing sentence, which in -05 was part of the same paragraph, now stands alone, and its cross-reference moved from Section 7 to Section 8 because -06 inserts a new Section 7 ahead of the Security Considerations, which -05 numbered as Section 7.]
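The code-reuse argument of this section can be exercised directly: a generic short-Weierstrass scalar multiplication, of the kind a P-256 library provides, computes X25519 on Curve25519 once the base point has been mapped to Wei25519. The following Python is an example added by the editor of this page; it is neither text from the draft nor code from the implementations the draft references. It takes the Curve25519 constants (p, A, base point u = 9, the prime order n) from RFC 7748, uses the map x = u + A/3, y = v between the Montgomery and short-Weierstrass models, from which the Wei25519 coefficients a = 1 - A^2/3 and b = A(2A^2 - 9)/27 follow (the draft's Appendix D.2 and E.3, outside this excerpt), and the 32-byte scalar is a constructed sample rather than a real key. It computes k*G with the RFC 7748 Montgomery ladder and with textbook affine Weierstrass double-and-add on Wei25519, checks that the two u-coordinates agree, and checks that n times the mapped base point is the point at infinity.

```python
# Added example (editor's code, not from the draft or the cited implementations):
# X25519 on Curve25519 computed two ways, with the RFC 7748 Montgomery ladder and
# with generic short-Weierstrass arithmetic on Wei25519, to show that generic
# Weierstrass code can serve Curve25519 after a representation switch.

P = 2**255 - 19                                       # field prime (RFC 7748)
A = 486662                                            # Curve25519: v^2 = u^3 + A*u^2 + u
N = 2**252 + 27742317777372353535851937790883648493   # prime order of the base point
U_BASE = 9                                            # base point u-coordinate
A24 = 121665                                          # (A - 2) / 4, ladder constant

def inv(x):
    return pow(x, P - 2, P)                           # Fermat inversion, p prime

def sqrt_mod_p(a):
    """Square root in GF(p) for p = 5 (mod 8); raises if a is a non-residue."""
    a %= P
    r = pow(a, (P + 3) // 8, P)
    if (r * r - a) % P:
        r = r * pow(2, (P - 1) // 4, P) % P           # multiply by sqrt(-1)
    if (r * r - a) % P:
        raise ValueError("not a square")
    return r

# Wei25519 coefficients obtained from A by substituting u = x - A/3:
# y^2 = x^3 + a*x + b with a = 1 - A^2/3 and b = A(2A^2 - 9)/27 (mod p).
WEI_A = (1 - A * A * inv(3)) % P
WEI_B = A * (2 * A * A - 9) * inv(27) % P

def mont_to_wei(u, v):
    return ((u + A * inv(3)) % P, v % P)

def wei_to_mont(x, y):
    return ((x - A * inv(3)) % P, y % P)

def on_wei25519(pt):
    if pt is None:                                    # point at infinity
        return True
    x, y = pt
    return (y * y - (x**3 + WEI_A * x + WEI_B)) % P == 0

def base_wei25519():
    """Curve25519 base point lifted to (u, v) and mapped to Wei25519."""
    v = sqrt_mod_p(U_BASE**3 + A * U_BASE**2 + U_BASE)
    return mont_to_wei(U_BASE, v)

# Generic affine short-Weierstrass group law, the same formulae a P-256
# implementation uses; None represents the point at infinity.
def wei_add(p1, p2):
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # Q + (-Q) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + WEI_A) * inv(2 * y1) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def wei_mul(k, pt):
    """Left-to-right double-and-add (illustrative, not constant-time)."""
    acc = None
    for bit in bin(k)[2:]:
        acc = wei_add(acc, acc)
        if bit == "1":
            acc = wei_add(acc, pt)
    return acc

def x25519_ladder(k, u):
    """u-coordinate-only Montgomery ladder, RFC 7748 Section 5."""
    x1 = u % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return x2 * inv(z2) % P

def x25519_via_wei25519(k, u):
    """Same k*P via the generic Weierstrass code: lift, map, multiply, map back."""
    v = sqrt_mod_p(u**3 + A * u**2 + u)
    return wei_to_mont(*wei_mul(k, mont_to_wei(u, v)))[0]

def clamp(k):
    """RFC 7748 scalar clamping: clear bits 0-2 and 255, set bit 254."""
    return (k & ((1 << 255) - 1) & ~7) | (1 << 254)

# Constructed sample scalar (32 bytes, little-endian, clamped); not a real key.
SAMPLE_SCALAR = clamp(int.from_bytes(b"constructed-sample-scalar-32byte", "little"))

if __name__ == "__main__":
    ladder = x25519_ladder(SAMPLE_SCALAR, U_BASE)
    generic = x25519_via_wei25519(SAMPLE_SCALAR, U_BASE)
    print("ladder :", hex(ladder))
    print("generic:", hex(generic))
    print("agree  :", ladder == generic, "| n*G = O:", wei_mul(N, base_wei25519()) is None)
```

The affine double-and-add is there only to make the representation switch visible; a real deployment of this idea would call the library's existing constant-time Weierstrass routines, and, as the section says, that generic path is normally slower than a dedicated Curve25519 implementation unless hardware field arithmetic makes up the difference.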
7. Implementation Status (new in -06)

[Note to the RFC Editor] Please remove this entire section before publication, as well as the reference to [RFC7942].

This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in [RFC7942]. The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist.

According to [RFC7942], "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit."

Nikolas Rosener evaluated the performance of switching between different curve models in his Master's thesis [Rosener]. For an implementation of Wei25519, see <https://github.com/ncme/c25519>. For support of this curve in tinydtls, see <https://github.com/ncme/tinydtls>.

According to <https://community.nxp.com/docs/DOC-330199>, an implementation of Wei25519 on the Kinetis LTC ECC HW platform improves the performance by over a factor of ten compared to a stand-alone implementation of Curve25519 without hardware support.

The signature scheme ECDSA25519 (see Section 4.3) is supported in <https://datatracker.ietf.org/doc/draft-ietf-6lo-ap-nd/>.

8. Security Considerations (7 in -05)
The different representations of elliptic curve points discussed in this document are all obtained using a publicly known transformation, which is either an isomorphism or a low-degree isogeny. It is well-known that an isomorphism maps elliptic curve points to equivalent mathematical objects and that the complexity of cryptographic problems (such as the discrete logarithm problem) of curves related via a low-degree isogeny are tightly related. Thus, the use of these techniques does not negatively impact cryptographic security of elliptic curve operations.
skipping to change at page 10, line 43 (-05) / page 12, line 5 (-06)
short-Weierstrass form and in uncompressed tight MSB/msb format).

To prevent cross-protocol attacks, private keys SHOULD only be used with one cryptographic scheme. Private keys MUST NOT be reused between Ed25519 (as specified in [RFC8032]) and ECDSA25519 (as specified in Section 4.3).

To prevent intra-protocol cross-instantiation attacks, ephemeral private keys MUST NOT be reused between instantiations of ECDSA25519.
9. Privacy Considerations (8 in -05)

The transformations between different curve models described in this document are publicly known and, therefore, do not affect privacy provisions.

10. IANA Considerations (9 in -05)

An object identifier is requested for curve Wei25519 and its use with ECDSA and co-factor ECDH, using the representation conventions of this document.

There is *currently* no further IANA action required for this document. New object identifiers would be required in case one wishes to specify one or more of the "offspring" protocols exemplified in Section 4.4.

10.1. COSE Elliptic Curves Registration (9.1 in -05)

This section registers the following value in the IANA "COSE Elliptic Curves" registry [IANA.COSE.Curves].

Name: Wei25519;
Value: TBD (Requested value: -1);
Key Type: EC2 or OKP (where OKP uses the squeezed MSB/msb representation of this specification);
Description: short-Weierstrass curve Wei25519;
Reference: Appendix E.3 of this specification;
Recommended: Yes.

(Note that the "kty" value for Wei25519 may be "OKP" or "EC2".)
10.2. COSE Algorithms Registration (1/2) (9.2 in -05)

This section registers the following value in the IANA "COSE Algorithms" registry [IANA.COSE.Algorithms].

Name: ECDSA25519;
Value: TBD (Requested value: -1);
Description: ECDSA w/ SHA-256 and curve Wei25519;
Reference: Section 4.3 of this specification;
Recommended: Yes.

10.3. COSE Algorithms Registration (2/2) (9.3 in -05)

This section registers the following value in the IANA "COSE Algorithms" registry [IANA.COSE.Algorithms].

Name: ECDH25519;
Value: TBD (Requested value: -2);
Description: NIST-compliant co-factor Diffie-Hellman w/ curve Wei25519 and key derivation function HKDF SHA256;
Reference: Section 4.1 of this specification (for key derivation, see Section 11.1 of [RFC8152]);
Recommended: Yes.

10.4. JOSE Elliptic Curves Registration (9.4 in -05)

This section registers the following value in the IANA "JSON Web Key Elliptic Curve" registry [IANA.JOSE.Curves].

Curve Name: Wei25519;
Curve Description: short-Weierstrass curve Wei25519;
JOSE Implementation Requirements: optional;
Change Controller: IANA;
Reference: Appendix E.3 of this specification.
10.5. JOSE Algorithms Registration (1/2) (9.5 in -05)

This section registers the following value in the IANA "JSON Web Signature and Encryption Algorithms" registry [IANA.JOSE.Algorithms].

Algorithm Name: ECDSA25519;
Algorithm Description: ECDSA w/ SHA-256 and curve Wei25519;
Algorithm Usage Locations: alg;
JOSE Implementation Requirements: optional;
Change Controller: IANA;
Reference: Section 4.3 of this specification;
Algorithm Analysis Documents: Section 4.3 of this specification.
10.6. JOSE Algorithms Registration (2/2) (9.6 in -05)

This section registers the following value in the IANA "JSON Web Signature and Encryption Algorithms" registry [IANA.JOSE.Algorithms].

Algorithm Name: ECDH25519;
Algorithm Description: NIST-compliant co-factor Diffie-Hellman w/ curve Wei25519 and key derivation function HKDF SHA256;
Algorithm Usage Locations: alg;
Change Controller: IANA;
Reference: Section 4.1 of this specification (for key derivation, see Section 5 of [SP-800-56c]);
Algorithm Analysis Documents: Section 4.1 of this specification (for key derivation, see Section 5 of [SP-800-56c]).

11. Acknowledgements (10 in -05)

Thanks to Nikolas Rosener for discussions surrounding implementation details of the techniques described in this document and to Phillip Hallam-Baker for triggering inclusion of verbiage on the use of Montgomery ladders with recovery of the y-coordinate. Thanks to Stanislav Smyshlyaev and Vasily Nikolaev for their careful reviews.

12. References (11 in -05)

12.1. Normative References (11.1 in -05)
[ANSI-X9.62]
ANSI X9.62-2005, "Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)", American National Standard for Financial Services, Accredited Standards Committee X9, Inc, Annapolis, MD, 2005.

[FIPS-186-4]
FIPS 186-4, "Digital Signature Standard (DSS), Federal
skipping to change at page 14, line 24 skipping to change at page 15, line 30
[RFC7696] Housley, R., "Guidelines for Cryptographic Algorithm
Agility and Selecting Mandatory-to-Implement Algorithms",
BCP 201, RFC 7696, DOI 10.17487/RFC7696, November 2015,
<https://www.rfc-editor.org/info/rfc7696>.
[RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
for Security", RFC 7748, DOI 10.17487/RFC7748, January
2016, <https://www.rfc-editor.org/info/rfc7748>.
[RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running
Code: The Implementation Status Section", BCP 205,
RFC 7942, DOI 10.17487/RFC7942, July 2016,
<https://www.rfc-editor.org/info/rfc7942>.
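Review bot: [RFC7942] is placed under 12.1 Normative References, but RFC 7942 (BCP 205) only describes how to write an Implementation Status section; nothing an implementer of this document has to do depends on it, so it belongs under 12.2 Informative References. Keeping it out of the normative list leaves that list limited to the specifications an implementation actually has to conform to (ANSI X9.62, FIPS 186-4, RFC 7748, RFC 8032, SEC1, SP 800-56).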
[RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital
Signature Algorithm (EdDSA)", RFC 8032,
DOI 10.17487/RFC8032, January 2017,
<https://www.rfc-editor.org/info/rfc8032>.
[RFC8152] Schaad, J., "CBOR Object Signing and Encryption (COSE)",
RFC 8152, DOI 10.17487/RFC8152, July 2017,
<https://www.rfc-editor.org/info/rfc8152>.
[SEC1] SEC1, "SEC 1: Elliptic Curve Cryptography, Version 2.0",
skipping to change at page 14, line 48 skipping to change at page 16, line 11
Establishment Schemes Using Discrete Log Cryptography,
Revision 3", US Department of Commerce/National Institute
of Standards and Technology, Gaithersburg, MD, April 2018.
[SP-800-56c]
NIST SP 800-56c, "Recommendation for Key-Derivation
Methods in Key-Establishment Schemes, Revision 1", US
Department of Commerce/National Institute of Standards and
Technology, Gaithersburg, MD, April 2018.
11.2. Informative References 12.2. Informative References
[ECC] I.F. Blake, G. Seroussi, N.P. Smart, "Elliptic Curves in
Cryptography", Cambridge University Press, Lecture Notes
Series 265, July 1999.
[ECC-Isogeny]
E. Brier, M. Joye, "Fast Point Multiplication on Elliptic
Curves through Isogenies", AAECC, Lecture Notes in
Computer Science, Vol. 2643, New York: Springer-Verlag,
2003.
[GECC] D. Hankerson, A.J. Menezes, S.A. Vanstone, "Guide to
Elliptic Curve Cryptography", New York: Springer-Verlag,
2004.
[HW-ECC] W.P. Liu, "How to Use the Kinets LTC ECC HW to Accelerate
Curve25519 (version 7)", NXP,
https://community.nxp.com/docs/DOC-330199, April 2017.
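Review bot: in the new [HW-ECC] entry, "Kinets" in the title looks like a typo for NXP's "Kinetis" MCU family; please check the title against the cited NXP community page. The URL is also written without the angle brackets the RFC entries in this list use (e.g. <https://www.rfc-editor.org/info/rfc7748>), so <https://community.nxp.com/docs/DOC-330199> would be consistent. Since this is a vendor community document rather than an archival publication, consider recording the date it was accessed as well as "April 2017".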
[IANA.COSE.Algorithms]
IANA, "COSE Algorithms", IANA,
https://www.iana.org/assignments/cose/
cose.xhtml#algorithms.
[IANA.COSE.Curves]
IANA, "COSE Elliptic Curves", IANA,
https://www.iana.org/assignments/cose/cose.xhtml#elliptic-
curves.
skipping to change at page 15, line 45 skipping to change at page 17, line 5
[IANA.JOSE.Curves]
IANA, "JSON Web Key Elliptic Curve", IANA,
https://www.iana.org/assignments/jose/jose.xhtml#web-key-
elliptic-curve.
[Mont-Ladder]
P.L. Montgomery, "Speeding the Pollard and Elliptic Curve
Methods of Factorization", Mathematics of
Computation, Vol. 48, 1987.
[Rosener] N. Rosener, "Evaluating the Performance of Transformations
Between Curve Representations in Elliptic Curve
Cryptography for Constrained Device Security",
M.Sc. Universitat Bremen, August 2018.
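Review bot: the new [Rosener] entry drops the umlaut in "Universität Bremen" (or use "University of Bremen") and does not say what kind of work is cited; "M.Sc. thesis, Universität Bremen, August 2018" would be clearer. Given that the Acknowledgements credit Nikolas Rosener for discussions of implementation details, readers will want to find this thesis, so add a URL or library handle if one exists.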
[tEd] D.J. Bernstein, P. Birkner, M. Joye, T. Lange, C. Peters,
"Twisted Edwards Curves", Africacrypt 2008, Lecture Notes
in Computer Science, Vol. 5023, New York: Springer-Verlag,
2008.
[tEd-Formulas]
H. Hisil, K.K.H. Wong, G. Carter, E. Dawson, "Twisted
Edwards Curves Revisited", ASIACRYPT 2008, Lecture Notes
in Computer Science, Vol. 5350, New York: Springer-Verlag,
2008.
 End of changes. 34 change blocks. 
106 lines changed or deleted, 160 lines changed or added.

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/