| draft-ietf-lwig-curve-representations-05.txt | draft-ietf-lwig-curve-representations-06.txt |
|---|---|
| lwig R. Struik | lwig R. Struik |
| Internet-Draft Struik Security Consultancy | Internet-Draft Struik Security Consultancy |
| Intended status: Informational May 15, 2019 | Intended status: Informational May 16, 2019 |
| Expires: November 16, 2019 | Expires: November 17, 2019 |
| Alternative Elliptic Curve Representations | Alternative Elliptic Curve Representations |
| draft-ietf-lwig-curve-representations-05 | draft-ietf-lwig-curve-representations-06 |
| Abstract | Abstract |
| This document specifies how to represent Montgomery curves and | This document specifies how to represent Montgomery curves and |
| (twisted) Edwards curves as curves in short-Weierstrass form and | (twisted) Edwards curves as curves in short-Weierstrass form and |
| illustrates how this can be used to carry out elliptic curve | illustrates how this can be used to carry out elliptic curve |
| computations using existing implementations of, e.g., ECDSA and ECDH | computations using existing implementations of, e.g., ECDSA and ECDH |
| using NIST prime curves. | using NIST prime curves. |
| Requirements Language | Requirements Language |
| skipping to change at page 1, line 41 | skipping to change at page 1, line 41 |
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering |
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute |
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- |
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. |
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months |
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any |
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference |
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." |
| This Internet-Draft will expire on November 16, 2019. | This Internet-Draft will expire on November 17, 2019. |
| Copyright Notice | Copyright Notice |
| Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the |
| document authors. All rights reserved. | document authors. All rights reserved. |
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal |
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents |
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of |
| publication of this document. Please review these documents | publication of this document. Please review these documents |
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect |
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must |
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of |
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as |
| described in the Simplified BSD License. | described in the Simplified BSD License. |

| Table of Contents | Table of Contents |
| 1. Fostering Code Reuse with New Elliptic Curves ... 4 | 1. Fostering Code Reuse with New Elliptic Curves ... 4 |
| 2. Specification of Wei25519 ... 4 | 2. Specification of Wei25519 ... 4 |
| 3. Use of Representation Switches ... 4 | 3. Use of Representation Switches ... 5 |
| 4. Examples ... 5 | 4. Examples ... 5 |
| 4.1. Implementation of X25519 ... 5 | 4.1. Implementation of X25519 ... 6 |
| 4.2. Implementation of Ed25519 ... 6 | 4.2. Implementation of Ed25519 ... 6 |
| 4.3. Specification of ECDSA25519 ... 6 | 4.3. Specification of ECDSA25519 ... 7 |
| 4.4. Other Uses ... 7 | 4.4. Other Uses ... 7 |
| 5. Caveats ... 7 | 5. Caveats ... 7 |
| 6. Implementation Considerations ... 9 | 6. Implementation Considerations ... 9 |
| 7. Security Considerations ... 10 | 7. Implementation Status ... 10 |
| 8. Privacy Considerations ... 10 | 8. Security Considerations ... 11 |
| 9. IANA Considerations ... 11 | 9. Privacy Considerations ... 12 |
| 9.1. COSE Elliptic Curves Registration ... 11 | 10. IANA Considerations ... 12 |
| 9.2. COSE Algorithms Registration (1/2) ... 11 | 10.1. COSE Elliptic Curves Registration ... 12 |
| 9.3. COSE Algorithms Registration (2/2) ... 12 | 10.2. COSE Algorithms Registration (1/2) ... 12 |
| 9.4. JOSE Elliptic Curves Registration ... 12 | 10.3. COSE Algorithms Registration (2/2) ... 13 |
| 9.5. JOSE Algorithms Registration (1/2) ... 12 | 10.4. JOSE Elliptic Curves Registration ... 13 |
| 9.6. JOSE Algorithms Registration (2/2) ... 13 | 10.5. JOSE Algorithms Registration (1/2) ... 13 |
| 10. Acknowledgements ... 13 | 10.6. JOSE Algorithms Registration (2/2) ... 14 |
| 11. References ... 13 | 11. Acknowledgements ... 14 |
| 11.1. Normative References ... 13 | 12. References ... 14 |
| 11.2. Informative References ... 14 | 12.1. Normative References ... 14 |
| Appendix A. Some (non-Binary) Elliptic Curves ... 16 | 12.2. Informative References ... 16 |
| A.1. Curves in short-Weierstrass Form ... 16 | Appendix A. Some (non-Binary) Elliptic Curves ... 17 |
| A.2. Montgomery Curves ... 16 | A.1. Curves in short-Weierstrass Form ... 17 |
| A.3. Twisted Edwards Curves ... 16 | A.2. Montgomery Curves ... 17 |
| Appendix B. Elliptic Curve Nomenclature and Finite Fields ... 17 | A.3. Twisted Edwards Curves ... 18 |
| B.1. Elliptic Curve Nomenclature ... 17 | Appendix B. Elliptic Curve Nomenclature and Finite Fields ... 18 |
| B.2. Finite Fields ... 18 | B.1. Elliptic Curve Nomenclature ... 18 |
| Appendix C. Elliptic Curve Group Operations ... 19 | B.2. Finite Fields ... 20 |
| C.1. Group Law for Weierstrass Curves ... 19 | Appendix C. Elliptic Curve Group Operations ... 21 |
| C.2. Group Law for Montgomery Curves ... 20 | C.1. Group Law for Weierstrass Curves ... 21 |
| C.3. Group Law for Twisted Edwards Curves ... 21 | C.2. Group Law for Montgomery Curves ... 21 |
| Appendix D. Relationship Between Curve Models ... 22 | C.3. Group Law for Twisted Edwards Curves ... 22 |
| | Appendix D. Relationship Between Curve Models ... 23 |
| D.1. Mapping between Twisted Edwards Curves and Montgomery | D.1. Mapping between Twisted Edwards Curves and Montgomery |
| Curves ... 22 | Curves ... 23 |
| D.2. Mapping between Montgomery Curves and Weierstrass Curves ... 23 | D.2. Mapping between Montgomery Curves and Weierstrass Curves ... 24 |
| D.3. Mapping between Twisted Edwards Curves and Weierstrass | D.3. Mapping between Twisted Edwards Curves and Weierstrass |
| Curves ... 24 | Curves ... 25 |
| Appendix E. Curve25519 and Cousins ... 24 | Appendix E. Curve25519 and Cousins ... 25 |
| E.1. Curve Definition and Alternative Representations ... 24 | E.1. Curve Definition and Alternative Representations ... 25 |
| E.2. Switching between Alternative Representations ... 24 | E.2. Switching between Alternative Representations ... 26 |
| E.3. Domain Parameters ... 26 | E.3. Domain Parameters ... 27 |
| Appendix F. Further Mappings ... 28 | Appendix F. Further Mappings ... 29 |
| F.1. Isomorphic Mapping between Twisted Edwards Curves ... 28 | F.1. Isomorphic Mapping between Twisted Edwards Curves ... 29 |
| F.2. Isomorphic Mapping between Montgomery Curves ... 29 | F.2. Isomorphic Mapping between Montgomery Curves ... 30 |
| F.3. Isomorphic Mapping between Weierstrass Curves ... 29 | F.3. Isomorphic Mapping between Weierstrass Curves ... 31 |
| F.4. Isogenous Mapping between Weierstrass Curves ... 30 | F.4. Isogenous Mapping between Weierstrass Curves ... 32 |
| Appendix G. Further Cousins of Curve25519 ... 32 | Appendix G. Further Cousins of Curve25519 ... 33 |
| G.1. Further Alternative Representations ... 32 | G.1. Further Alternative Representations ... 33 |
| G.2. Further Switching ... 32 | G.2. Further Switching ... 33 |
| G.3. Further Domain Parameters ... 33 | G.3. Further Domain Parameters ... 34 |
| Appendix H. Isogeny Details ... 34 | Appendix H. Isogeny Details ... 36 |
| H.1. Isogeny Parameters ... 34 | H.1. Isogeny Parameters ... 36 |
| H.1.1. Coefficients of u(x) ... 34 | H.1.1. Coefficients of u(x) ... 36 |
| H.1.2. Coefficients of v(x) ... 37 | H.1.2. Coefficients of v(x) ... 38 |
| H.1.3. Coefficients of w(x) ... 40 | H.1.3. Coefficients of w(x) ... 41 |
| H.2. Dual Isogeny Parameters ... 41 | H.2. Dual Isogeny Parameters ... 42 |
| H.2.1. Coefficients of u'(x) ... 41 | H.2.1. Coefficients of u'(x) ... 42 |
| H.2.2. Coefficients of v'(x) ... 43 | H.2.2. Coefficients of v'(x) ... 44 |
| H.2.3. Coefficients of w'(x) ... 46 | H.2.3. Coefficients of w'(x) ... 47 |
| Appendix I. Point Compression ... 47 | Appendix I. Point Compression ... 48 |
| I.1. Point Compression for Weierstrass Curves ... 47 | I.1. Point Compression for Weierstrass Curves ... 49 |
| I.2. Point Compression for Montgomery Curves ... 48 | I.2. Point Compression for Montgomery Curves ... 49 |
| I.3. Point Compression for Twisted Edwards Curves ... 49 | I.3. Point Compression for Twisted Edwards Curves ... 50 |
| Appendix J. Data Conversions ... 49 | Appendix J. Data Conversions ... 51 |
| J.1. Conversion between Bit Strings and Integers ... 50 | J.1. Conversion between Bit Strings and Integers ... 51 |
| J.2. Conversion between Octet Strings and Integers (OS2I, | J.2. Conversion between Octet Strings and Integers (OS2I, |
| I2OS) ... 50 | I2OS) ... 51 |
| J.3. Conversion between Octet Strings and Bit Strings (BS2OS, | J.3. Conversion between Octet Strings and Bit Strings (BS2OS, |
| OS2BS) ... 51 | OS2BS) ... 52 |
| J.4. Conversion between Field Elements and Octet Strings | J.4. Conversion between Field Elements and Octet Strings |
| (FE2OS, OS2FE) ... 51 | (FE2OS, OS2FE) ... 52 |
| J.5. Conversion between Elements of Z mod n and Octet Strings | J.5. Conversion between Elements of Z mod n and Octet Strings |
| (ZnE2OS, OS2ZnE) ... 51 | (ZnE2OS, OS2ZnE) ... 53 |
| J.6. Ordering Conventions ... 52 | J.6. Ordering Conventions ... 53 |
| Appendix K. Representation Examples Curve25519 Family Members ... 53 | Appendix K. Representation Examples Curve25519 Family Members ... 54 |
| K.1. Example with Curve25519 ... 53 | K.1. Example with Curve25519 ... 55 |
| K.2. Example with Edwards25519 ... 55 | K.2. Example with Edwards25519 ... 56 |
| K.3. Example with Wei25519 ... 56 | K.3. Example with Wei25519 ... 58 |
| K.4. Example with Wei25519.2 ... 58 | K.4. Example with Wei25519.2 ... 59 |
| K.5. Example with Wei25519.-3 ... 59 | K.5. Example with Wei25519.-3 ... 61 |
| Appendix L. Auxiliary Functions ... 61 | Appendix L. Auxiliary Functions ... 62 |
| L.1. Square Roots in GF(q) ... 61 | L.1. Square Roots in GF(q) ... 62 |
| L.1.1. Square Roots in GF(q), where q = 3 (mod 4) ... 61 | L.1.1. Square Roots in GF(q), where q = 3 (mod 4) ... 62 |
| L.1.2. Square Roots in GF(q), where q = 5 (mod 8) ... 61 | L.1.2. Square Roots in GF(q), where q = 5 (mod 8) ... 62 |
| L.2. Inversion ... 61 | L.2. Inversion ... 62 |
| Author's Address ... 62 | Author's Address ... 63 |

| 1. Fostering Code Reuse with New Elliptic Curves | 1. Fostering Code Reuse with New Elliptic Curves |
| It is well-known that elliptic curves can be represented using | It is well-known that elliptic curves can be represented using |
| different curve models. Recently, IETF standardized elliptic curves | different curve models. Recently, IETF standardized elliptic curves |
| that are claimed to have better performance and improved robustness | that are claimed to have better performance and improved robustness |
| against "real world" attacks than curves represented in the | against "real world" attacks than curves represented in the |
| traditional "short" Weierstrass model. This document specifies an | traditional "short" Weierstrass model. This document specifies an |
| alternative representation of points of Curve25519, a so-called | alternative representation of points of Curve25519, a so-called |
| Montgomery curve, and of points of Edwards25519, a so-called twisted | Montgomery curve, and of points of Edwards25519, a so-called twisted |

| skipping to change at page 9, line 41 | skipping to change at page 9, line 51 |
| Brainpool curves - by design - use a generic prime number. None of | Brainpool curves - by design - use a generic prime number. None of |
| the NIST curves, nor the Brainpool curves, can be expressed as | the NIST curves, nor the Brainpool curves, can be expressed as |
| Montgomery or twisted Edwards curves, whereas - conversely - | Montgomery or twisted Edwards curves, whereas - conversely - |
| Montgomery curves and twisted Edwards curves can be expressed as Weierstrass | Montgomery curves and twisted Edwards curves can be expressed as Weierstrass |
| curves. | curves. |
| While use of Wei25519 allows reuse of existing generic code that | While use of Wei25519 allows reuse of existing generic code that |
| implements short Weierstrass curves, such as the NIST curve P-256, to | implements short Weierstrass curves, such as the NIST curve P-256, to |
| also implement the CFRG curves Curve25519 or Edwards25519, this | also implement the CFRG curves Curve25519 or Edwards25519, this |
| obviously does not result in an implementation of these CFRG curves | obviously does not result in an implementation of these CFRG curves |
| that exploits the special structure of the underlying field or other | that exploits the specific structure of the underlying field or other |
| specific domain parameters (since generic). Reuse of code, | specific domain parameters (since generic). Reuse of generic code, |
| therefore, may result in a less computationally efficient curve | therefore, may result in a less computationally efficient curve |
| implementation than would have been possible if the implementation | implementation than would have been possible if the implementation |
| had specially targeted Curve25519 or Edwards25519 alone. Overall, | had specifically targeted Curve25519 or Edwards25519 alone (with the |
| one should consider not just code reuse and computational efficiency, | overall cost differential estimated to be somewhere in the interval |
| but also development and maintenance cost, and, e.g., the cost of | [1.00-1.25]). If existing generic code offers hardware support, |
| providing effective implementation attack countermeasures (see also | however, the overall speed may still be higher, since less efficient |
| Section 7). | formulae for curve arithmetic using Wei25519 curves compared to a |
| | direct implementation of Curve25519 or Edwards25519 arithmetic may be |
| | more than compensated for by faster implementations of the finite |
| | field arithmetic itself. |

| | Overall, one should consider not just code reuse and computational |
| | efficiency, but also development and maintenance cost, and, e.g., the |
| | cost of providing effective implementation attack countermeasures |
| | (see also Section 8). |
| | 7. Implementation Status |
| | [Note to the RFC Editor] Please remove this entire section before |
| | publication, as well as the reference to [RFC7942]. |
| | This section records the status of known implementations of the |
| | protocol defined by this specification at the time of posting of this |
| | Internet-Draft, and is based on a proposal described in [RFC7942]. |
| | The description of implementations in this section is intended to |
| | assist the IETF in its decision processes in progressing drafts to |
| | RFCs. Please note that the listing of any individual implementation |
| | here does not imply endorsement by the IETF. Furthermore, no effort |
| | has been spent to verify the information presented here that was |
| | supplied by IETF contributors. This is not intended as, and must not |
| | be construed to be, a catalog of available implementations or their |
| | features. Readers are advised to note that other implementations may |
| | exist. |
| | According to [RFC7942], "this will allow reviewers and working groups |
| | to assign due consideration to documents that have the benefit of |
| | running code, which may serve as evidence of valuable experimentation |
| | and feedback that have made the implemented protocols more mature. |
| | It is up to the individual working groups to use this information as |
| | they see fit." |
| | Nikolas Rosener evaluated the performance of switching between |
| | different curve models in his Master's thesis [Rosener]. For an |
| | implementation of Wei25519, see <https://github.com/ncme/c25519>. |
| | For support of this curve in tinydtls, see <https://github.com/ncme/ |
| | tinydtls>. |
| | According to <https://community.nxp.com/docs/DOC-330199>, an |
| | implementation of Wei25519 on the Kinetis LTC ECC HW platform improves |
| | the performance by over a factor ten compared to a stand-alone |
| | implementation of Curve25519 without hardware support. |
| | The signature scheme ECDSA25519 (see Section 4.3) is supported in |
| | <https://datatracker.ietf.org/doc/draft-ietf-6lo-ap-nd/>. |
| 7. Security Considerations | 8. Security Considerations |
| The different representations of elliptic curve points discussed in | The different representations of elliptic curve points discussed in |
| this document are all obtained using a publicly known transformation, | this document are all obtained using a publicly known transformation, |
| which is either an isomorphism or a low-degree isogeny. It is well- | which is either an isomorphism or a low-degree isogeny. It is well- |
| known that an isomorphism maps elliptic curve points to equivalent | known that an isomorphism maps elliptic curve points to equivalent |
| mathematical objects and that the complexity of cryptographic | mathematical objects and that the complexity of cryptographic |
| problems (such as the discrete logarithm problem) of curves related | problems (such as the discrete logarithm problem) of curves related |
| via a low-degree isogeny are tightly related. Thus, the use of these | via a low-degree isogeny are tightly related. Thus, the use of these |
| techniques does not negatively impact cryptographic security of | techniques does not negatively impact cryptographic security of |
| elliptic curve operations. | elliptic curve operations. |
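As an added example (it is not part of the draft or of the rfcdiff above), the script below derives the short-Weierstrass curve Wei25519 from Curve25519's Montgomery constant, maps the base point across, and checks with plain, parameter-generic Weierstrass arithmetic that the mapped point still has prime order n, which is the structure-preserving property the Security Considerations rely on and the reason the Caveats section can speak of reusing P-256 code. The change of variables and the square-root method are the standard ones (the draft's Appendices D and L.1.2, not reproduced on this page); the constants are Curve25519's as given in RFC 7748.

```python
# Added example, not from the draft: Curve25519 (Montgomery) -> Wei25519
# (short Weierstrass), checked with generic affine Weierstrass arithmetic.
P = 2**255 - 19          # field prime of Curve25519 (RFC 7748)
A_MONT = 486662          # Curve25519: v^2 = u^3 + A*u^2 + u, with B = 1
N = 2**252 + 27742317777372353535851937790883648493   # order of the base point
U_BASE = 9               # u-coordinate of the Curve25519 base point

def inv(x):
    """Inverse in GF(P) via Fermat (P is prime)."""
    return pow(x % P, P - 2, P)

def sqrt_mod_p(a):
    """Square root in GF(P) for P = 5 (mod 8) (Atkin); None if a is a non-residue."""
    a %= P
    v = pow(2 * a, (P - 5) // 8, P)
    i = (2 * a * v * v) % P            # i^2 == -1 when a is a residue
    r = (a * v * (i - 1)) % P
    return r if (r * r) % P == a else None

# Substituting u = x - A/3 (y unchanged since B = 1) turns the Montgomery
# equation into y^2 = x^3 + a*x + b with a = (3 - A^2)/3 and b = (2A^3 - 9A)/27.
SHIFT = (A_MONT * inv(3)) % P
WEI_A = ((3 - A_MONT * A_MONT) * inv(3)) % P
WEI_B = ((2 * A_MONT**3 - 9 * A_MONT) * inv(27)) % P

def on_montgomery(pt):
    u, v = pt
    return (v * v - (u**3 + A_MONT * u * u + u)) % P == 0

def on_weierstrass(pt):
    if pt is None:                     # point at infinity
        return True
    x, y = pt
    return (y * y - (x**3 + WEI_A * x + WEI_B)) % P == 0

def mont_to_wei(pt):
    u, v = pt
    return ((u + SHIFT) % P, v)

def wei_to_mont(pt):
    x, y = pt
    return ((x - SHIFT) % P, y)

def wei_add(p1, p2):
    """Affine short-Weierstrass group law; None is the point at infinity.
    Only the coefficient a enters, so this is the 'generic' code the draft
    says an existing P-256 implementation already contains."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:         # p2 == -p1 (also doubling a 2-torsion point)
            return None
        lam = (3 * x1 * x1 + WEI_A) * inv(2 * y1) % P   # tangent slope
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P               # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)

def wei_mul(k, pt):
    """Left-to-right double-and-add; illustrative only, not constant-time."""
    acc = None
    for bit in bin(k)[2:]:
        acc = wei_add(acc, acc)
        if bit == "1":
            acc = wei_add(acc, pt)
    return acc

def curve25519_base_point():
    """Recover v for u = 9 as a square root of the right-hand side."""
    rhs = (U_BASE**3 + A_MONT * U_BASE**2 + U_BASE) % P
    return (U_BASE, sqrt_mod_p(rhs))

def check_representation_switch():
    """The checks a reviewer wants: the map is invertible, lands on Wei25519,
    and [n]G is the identity there, so the group order survives the switch."""
    g = curve25519_base_point()
    gw = mont_to_wei(g)
    return {
        "base_on_curve25519": on_montgomery(g),
        "base_on_wei25519": on_weierstrass(gw),
        "round_trip": wei_to_mont(gw) == g,
        "order_n_preserved": wei_mul(N, gw) is None,
        "2G_maps_back_onto_curve25519": on_montgomery(wei_to_mont(wei_add(gw, gw))),
    }

if __name__ == "__main__":
    for name, ok in check_representation_switch().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Running the script prints one line per check; the same functions, fed the Wei25519.2 or Wei25519.-3 coefficients instead, would exercise the isogenous representations the draft's later appendices describe.

| draft-ietf-lwig-curve-representations-05.txt | draft-ietf-lwig-curve-representations-06.txt |
|---|---|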

| skipping to change at page 10, line 43 | skipping to change at page 12, line 5 |
| short-Weierstrass form and in uncompressed tight MSB/msb format). | short-Weierstrass form and in uncompressed tight MSB/msb format). |
| To prevent cross-protocol attacks, private keys SHOULD only be used | To prevent cross-protocol attacks, private keys SHOULD only be used |
| with one cryptographic scheme. Private keys MUST NOT be reused | with one cryptographic scheme. Private keys MUST NOT be reused |
| between Ed25519 (as specified in [RFC8032]) and ECDSA25519 (as | between Ed25519 (as specified in [RFC8032]) and ECDSA25519 (as |
| specified in Section 4.3). | specified in Section 4.3). |
| To prevent intra-protocol cross-instantiation attacks, ephemeral | To prevent intra-protocol cross-instantiation attacks, ephemeral |
| private keys MUST NOT be reused between instantiations of ECDSA25519. | private keys MUST NOT be reused between instantiations of ECDSA25519. |
| 8. Privacy Considerations | 9. Privacy Considerations |
| The transformations between different curve models described in this | The transformations between different curve models described in this |
| document are publicly known and, therefore, do not affect privacy | document are publicly known and, therefore, do not affect privacy |
| provisions. | provisions. |
| 9. IANA Considerations | 10. IANA Considerations |
| An object identifier is requested for curve Wei25519 and its use with | An object identifier is requested for curve Wei25519 and its use with |
| ECDSA and co-factor ECDH, using the representation conventions of | ECDSA and co-factor ECDH, using the representation conventions of |
| this document. | this document. |
| There is *currently* no further IANA action required for this | There is *currently* no further IANA action required for this |
| document. New object identifiers would be required in case one | document. New object identifiers would be required in case one |
| wishes to specify one or more of the "offspring" protocols | wishes to specify one or more of the "offspring" protocols |
| exemplified in Section 4.4. | exemplified in Section 4.4. |

| 9.1. COSE Elliptic Curves Registration | 10.1. COSE Elliptic Curves Registration |
| This section registers the following value in the IANA "COSE Elliptic | This section registers the following value in the IANA "COSE Elliptic |
| Curves" registry [IANA.COSE.Curves]. | Curves" registry [IANA.COSE.Curves]. |
| Name: Wei25519; | Name: Wei25519; |
| Value: TBD (Requested value: -1); | Value: TBD (Requested value: -1); |
| Key Type: EC2 or OKP (where OKP uses the squeezed MSB/msb | Key Type: EC2 or OKP (where OKP uses the squeezed MSB/msb |
| representation of this specification); | representation of this specification); |
| Description: short-Weierstrass curve Wei25519; | Description: short-Weierstrass curve Wei25519; |
| Reference: Appendix E.3 of this specification; | Reference: Appendix E.3 of this specification; |
| Recommended: Yes. | Recommended: Yes. |
| (Note that the "kty" value for Wei25519 may be "OKP" or "EC2".) | (Note that the "kty" value for Wei25519 may be "OKP" or "EC2".) |
| 9.2. COSE Algorithms Registration (1/2) | 10.2. COSE Algorithms Registration (1/2) |
| This section registers the following value in the IANA "COSE | This section registers the following value in the IANA "COSE |
| Algorithms" registry [IANA.COSE.Algorithms]. | Algorithms" registry [IANA.COSE.Algorithms]. |
| Name: ECDSA25519; | Name: ECDSA25519; |
| Value: TBD (Requested value: -1); | Value: TBD (Requested value: -1); |
| Description: ECDSA w/ SHA-256 and curve Wei25519; | Description: ECDSA w/ SHA-256 and curve Wei25519; |
| Reference: Section 4.3 of this specification; | Reference: Section 4.3 of this specification; |
| Recommended: Yes. | Recommended: Yes. |
| 9.3. COSE Algorithms Registration (2/2) | 10.3. COSE Algorithms Registration (2/2) |
| This section registers the following value in the IANA "COSE | This section registers the following value in the IANA "COSE |
| Algorithms" registry [IANA.COSE.Algorithms]. | Algorithms" registry [IANA.COSE.Algorithms]. |
| Name: ECDH25519; | Name: ECDH25519; |
| Value: TBD (Requested value: -2); | Value: TBD (Requested value: -2); |
| Description: NIST-compliant co-factor Diffie-Hellman w/ curve | Description: NIST-compliant co-factor Diffie-Hellman w/ curve |
| Wei25519 and key derivation function HKDF SHA256; | Wei25519 and key derivation function HKDF SHA256; |
| Reference: Section 4.1 of this specification (for key derivation, | Reference: Section 4.1 of this specification (for key derivation, |
| see Section 11.1 of [RFC8152]); | see Section 11.1 of [RFC8152]); |
| Recommended: Yes. | Recommended: Yes. |
| 9.4. JOSE Elliptic Curves Registration | 10.4. JOSE Elliptic Curves Registration |
| This section registers the following value in the IANA "JSON Web Key | This section registers the following value in the IANA "JSON Web Key |
| Elliptic Curve" registry [IANA.JOSE.Curves]. | Elliptic Curve" registry [IANA.JOSE.Curves]. |
| Curve Name: Wei25519; | Curve Name: Wei25519; |
| Curve Description: short-Weierstrass curve Wei25519; | Curve Description: short-Weierstrass curve Wei25519; |
| JOSE Implementation Requirements: optional; | JOSE Implementation Requirements: optional; |
| Change Controller: IANA; | Change Controller: IANA; |
| Reference: Appendix E.3 of this specification. | Reference: Appendix E.3 of this specification. |
| 9.5. JOSE Algorithms Registration (1/2) | 10.5. JOSE Algorithms Registration (1/2) |
| This section registers the following value in the IANA "JSON Web | This section registers the following value in the IANA "JSON Web |
| Signature and Encryption Algorithms" registry [IANA.JOSE.Algorithms]. | Signature and Encryption Algorithms" registry [IANA.JOSE.Algorithms]. |
| Algorithm Name: ECDSA25519; | Algorithm Name: ECDSA25519; |
| Algorithm Description: ECDSA w/ SHA-256 and curve Wei25519; | Algorithm Description: ECDSA w/ SHA-256 and curve Wei25519; |
| Algorithm Usage Locations: alg; | Algorithm Usage Locations: alg; |
| skipping to change at page 12, line 49 | skipping to change at page 14, line 4 |


JOSE Implementation Requirements: optional; | JOSE Implementation Requirements: optional; | |||

Change Controller: IANA; | Change Controller: IANA; | |||

Reference: Section 4.3 of this specification; | Reference: Section 4.3 of this specification; | |||

Algorithm Analysis Documents: Section 4.3 of this specification. | Algorithm Analysis Documents: Section 4.3 of this specification. | |||

9.6. JOSE Algorithms Registration (2/2) | 10.6. JOSE Algorithms Registration (2/2) | |||

This section registers the following value in the IANA "JSON Web | This section registers the following value in the IANA "JSON Web | |||

Signature and Encryption Algorithms" registry [IANA.JOSE.Algorithms]. | Signature and Encryption Algorithms" registry [IANA.JOSE.Algorithms]. | |||

Algorithm Name: ECDH25519; | Algorithm Name: ECDH25519; | |||

Algorithm Description: NIST-compliant co-factor Diffie-Hellman w/ | Algorithm Description: NIST-compliant co-factor Diffie-Hellman w/ | |||

curve Wei25519 and key derivation function HKDF SHA256; | curve Wei25519 and key derivation function HKDF SHA256; | |||

Algorithm Usage Locations: alg; | Algorithm Usage Locations: alg; | |||

Change Controller: IANA; | Change Controller: IANA; | |||

Reference: Section 4.1 of this specification (for key derivation, | Reference: Section 4.1 of this specification (for key derivation, | |||

see Section 5 of [SP-800-56c]); | see Section 5 of [SP-800-56c]); | |||

Algorithm Analysis Documents: Section 4.1 of this specification (for | Algorithm Analysis Documents: Section 4.1 of this specification (for | |||

key derivation, see Section 5 of [SP-800-56c]). | key derivation, see Section 5 of [SP-800-56c]). | |||
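Review bot: the ECDH25519 entry is missing the "JOSE Implementation Requirements" field that the ECDSA25519 entry above carries ("JOSE Implementation Requirements: optional;"); the JOSE algorithms registry template (RFC 7518, Section 7.1.1) requires it, so add a line such as "JOSE Implementation Requirements: optional;" between "Algorithm Usage Locations: alg;" and "Change Controller: IANA;". While touching both entries, note that the template's field names are "Specification Document(s)" and "Algorithm Analysis Document(s)", not "Reference" and "Algorithm Analysis Documents"; IANA will ask for the template wording.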

10. Acknowledgements | 11. Acknowledgements | |||

Thanks to Nikolas Rosener for discussions surrounding implementation | Thanks to Nikolas Rosener for discussions surrounding implementation | |||

details of the techniques described in this document and to Phillip | details of the techniques described in this document and to Phillip | |||

Hallam-Baker for triggering inclusion of verbiage on the use of | Hallam-Baker for triggering inclusion of verbiage on the use of | |||

Montgomery ladders with recovery of the y-coordinate. Thanks to | Montgomery ladders with recovery of the y-coordinate. Thanks to | |||

Stanislav Smyshlyaev and Vasily Nikolaev for their careful reviews. | Stanislav Smyshlyaev and Vasily Nikolaev for their careful reviews. | |||

11. References | 12. References | |||

11.1. Normative References | 12.1. Normative References | |||

[ANSI-X9.62] | [ANSI-X9.62] | |||

ANSI X9.62-2005, "Public Key Cryptography for the | ANSI X9.62-2005, "Public Key Cryptography for the | |||

Financial Services Industry: The Elliptic Curve Digital | Financial Services Industry: The Elliptic Curve Digital | |||

Signature Algorithm (ECDSA)", American National Standard | Signature Algorithm (ECDSA)", American National Standard | |||

for Financial Services, Accredited Standards Committee X9, | for Financial Services, Accredited Standards Committee X9, | |||

Inc, Anapolis, MD, 2005. | Inc, Anapolis, MD, 2005. | |||

[FIPS-186-4] | [FIPS-186-4] | |||

FIPS 186-4, "Digital Signature Standard (DSS), Federal | FIPS 186-4, "Digital Signature Standard (DSS), Federal | |||
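Review bot: "Anapolis, MD" in the [ANSI-X9.62] entry is misspelled; Accredited Standards Committee X9 is in Annapolis, MD. The typo is present in both versions, so it should be fixed in the next revision.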

skipping to change at page 14, line 24 ¶ | skipping to change at page 15, line 30 ¶ | |||

[RFC7696] Housley, R., "Guidelines for Cryptographic Algorithm | [RFC7696] Housley, R., "Guidelines for Cryptographic Algorithm | |||

Agility and Selecting Mandatory-to-Implement Algorithms", | Agility and Selecting Mandatory-to-Implement Algorithms", | |||

BCP 201, RFC 7696, DOI 10.17487/RFC7696, November 2015, | BCP 201, RFC 7696, DOI 10.17487/RFC7696, November 2015, | |||

<https://www.rfc-editor.org/info/rfc7696>. | <https://www.rfc-editor.org/info/rfc7696>. | |||

[RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves | [RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves | |||

for Security", RFC 7748, DOI 10.17487/RFC7748, January | for Security", RFC 7748, DOI 10.17487/RFC7748, January | |||

2016, <https://www.rfc-editor.org/info/rfc7748>. | 2016, <https://www.rfc-editor.org/info/rfc7748>. | |||

[RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running | ||||

Code: The Implementation Status Section", BCP 205, | ||||

RFC 7942, DOI 10.17487/RFC7942, July 2016, | ||||

<https://www.rfc-editor.org/info/rfc7942>. | ||||
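Review bot: [RFC7942] is listed under "Normative References", but it is cited only for the Implementation Status section, which RFC 7942 itself says is to be removed before publication as an RFC; a reference that no surviving text depends on should be informative, so move this entry to the Informative References subsection.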

[RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital | [RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital | |||

Signature Algorithm (EdDSA)", RFC 8032, | Signature Algorithm (EdDSA)", RFC 8032, | |||

DOI 10.17487/RFC8032, January 2017, | DOI 10.17487/RFC8032, January 2017, | |||

<https://www.rfc-editor.org/info/rfc8032>. | <https://www.rfc-editor.org/info/rfc8032>. | |||

[RFC8152] Schaad, J., "CBOR Object Signing and Encryption (COSE)", | [RFC8152] Schaad, J., "CBOR Object Signing and Encryption (COSE)", | |||

RFC 8152, DOI 10.17487/RFC8152, July 2017, | RFC 8152, DOI 10.17487/RFC8152, July 2017, | |||

<https://www.rfc-editor.org/info/rfc8152>. | <https://www.rfc-editor.org/info/rfc8152>. | |||

[SEC1] SEC1, "SEC 1: Elliptic Curve Cryptography, Version 2.0", | [SEC1] SEC1, "SEC 1: Elliptic Curve Cryptography, Version 2.0", | |||

skipping to change at page 14, line 48 ¶ | skipping to change at page 16, line 11 ¶ | |||

Establishment Schemes Using Discrete Log Cryptography, | Establishment Schemes Using Discrete Log Cryptography, | |||

Revision 3", US Department of Commerce/National Institute | Revision 3", US Department of Commerce/National Institute | |||

of Standards and Technology, Gaithersburg, MD, April 2018. | of Standards and Technology, Gaithersburg, MD, April 2018. | |||

[SP-800-56c] | [SP-800-56c] | |||

NIST SP 800-56c, "Recommendation for Key-Derivation | NIST SP 800-56c, "Recommendation for Key-Derivation | |||

Methods in Key-Establishment Schemes, Revision 1", US | Methods in Key-Establishment Schemes, Revision 1", US | |||

Department of Commerce/National Institute of Standards and | Department of Commerce/National Institute of Standards and | |||

Technology, Gaithersburg, MD, April 2018. | Technology, Gaithersburg, MD, April 2018. | |||

11.2. Informative References | 12.2. Informative References | |||

[ECC] I.F. Blake, G. Seroussi, N.P. Smart, "Elliptic Curves in | [ECC] I.F. Blake, G. Seroussi, N.P. Smart, "Elliptic Curves in | |||

Cryptography", Cambridge University Press, Lecture Notes | Cryptography", Cambridge University Press, Lecture Notes | |||

Series 265, July 1999. | Series 265, July 1999. | |||

[ECC-Isogeny] | [ECC-Isogeny] | |||

E. Brier, M. Joye, "Fast Point Multiplication on Elliptic | E. Brier, M. Joye, "Fast Point Multiplication on Elliptic | |||

Curves through Isogenies", AAECC, Lecture Notes in | Curves through Isogenies", AAECC, Lecture Notes in | |||

Computer Science, Vol. 2643, New York: Springer-Verlag, | Computer Science, Vol. 2643, New York: Springer-Verlag, | |||

2003. | 2003. | |||

[GECC] D. Hankerson, A.J. Menezes, S.A. Vanstone, "Guide to | [GECC] D. Hankerson, A.J. Menezes, S.A. Vanstone, "Guide to | |||

Elliptic Curve Cryptography", New York: Springer-Verlag, | Elliptic Curve Cryptography", New York: Springer-Verlag, | |||

2004. | 2004. | |||

[HW-ECC] W.P. Liu, "How to Use the Kinets LTC ECC HW to Accelerate | ||||

Curve25519 (version 7)", NXP, | ||||

https://community.nxp.com/docs/DOC-330199, April 2017. | ||||
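Review bot: the [HW-ECC] title reads "Kinets LTC ECC HW"; NXP's MCU family is "Kinetis", so the title should be checked against the cited NXP document and corrected to "Kinetis LTC ECC HW".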

[IANA.COSE.Algorithms] | [IANA.COSE.Algorithms] | |||

IANA, "COSE Algorithms", IANA, | IANA, "COSE Algorithms", IANA, | |||

https://www.iana.org/assignments/cose/ | https://www.iana.org/assignments/cose/ | |||

cose.xhtml#algorithms. | cose.xhtml#algorithms. | |||

[IANA.COSE.Curves] | [IANA.COSE.Curves] | |||

IANA, "COSE Elliptic Curves", IANA, | IANA, "COSE Elliptic Curves", IANA, | |||

https://www.iana.org/assignments/cose/cose.xhtml#elliptic- | https://www.iana.org/assignments/cose/cose.xhtml#elliptic- | |||

curves. | curves. | |||

skipping to change at page 15, line 45 ¶ | skipping to change at page 17, line 5 ¶ | |||

[IANA.JOSE.Curves] | [IANA.JOSE.Curves] | |||

IANA, "JSON Web Key Elliptic Curve", IANA, | IANA, "JSON Web Key Elliptic Curve", IANA, | |||

https://www.iana.org/assignments/jose/jose.xhtml#web-key- | https://www.iana.org/assignments/jose/jose.xhtml#web-key- | |||

elliptic-curve. | elliptic-curve. | |||

[Mont-Ladder] | [Mont-Ladder] | |||

P.L. Montgomery, "Speeding the Pollard and Elliptic Curve | P.L. Montgomery, "Speeding the Pollard and Elliptic Curve | |||

Methods of Factorization", Mathematics of | Methods of Factorization", Mathematics of | |||

Computation, Vol. 48, 1987. | Computation, Vol. 48, 1987. | |||

[Rosener] N. Rosener, "Evaluating the Performance of Transformations | ||||

Between Curve Representations in Elliptic Curve | ||||

Cryptography for Constrained Device Security", | ||||

M.Sc. Universitat Bremen, August 2018. | ||||
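Review bot: the [Rosener] entry does not say what kind of work is cited; "M.Sc. Universitat Bremen, August 2018" should read along the lines of "M.Sc. thesis, University of Bremen, August 2018" so a reader can locate it.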

[tEd] D.J. Bernstein, P. Birkner, M. Joye, T. Lange, C. Peters, | [tEd] D.J. Bernstein, P. Birkner, M. Joye, T. Lange, C. Peters, | |||

"Twisted Edwards Curves", Africacrypt 2008, Lecture Notes | "Twisted Edwards Curves", Africacrypt 2008, Lecture Notes | |||

in Computer Science, Vol. 5023, New York: Springer-Verlag, | in Computer Science, Vol. 5023, New York: Springer-Verlag, | |||

2008. | 2008. | |||

[tEd-Formulas] | [tEd-Formulas] | |||

H. Hisil, K.K.H. Wong, G. Carter, E. Dawson, "Twisted | H. Hisil, K.K.H. Wong, G. Carter, E. Dawson, "Twisted | |||

Edwards Curves Revisited", ASIACRYPT 2008, Lecture Notes | Edwards Curves Revisited", ASIACRYPT 2008, Lecture Notes | |||

in Computer Science, Vol. 5350, New York: Springer-Verlag, | in Computer Science, Vol. 5350, New York: Springer-Verlag, | |||

2008. | 2008. | |||

End of changes. 34 change blocks. | ||||

106 lines changed or deleted | | 160 lines changed or added | ||

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |