Elliptic curve 2y^2=x^3+x over field size 8^91+5

Document Type Active Internet-Draft (individual)
Author Daniel Brown 
Last updated 2020-10-02
Stream (None)
Intended RFC status (None)
Formats plain text pdf htmlized (tools) htmlized bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date
Responsible AD (None)
Send notices to (None)
Internet-Draft                                                D. Brown
Intended status: Experimental                               BlackBerry
Expires: 2021-04-05                                         2020-10-02
          Elliptic curve 2y^2=x^3+x over field size 8^91+5


  Multi-curve elliptic curve cryptography with curve
  2y^2=x^3+x/GF(8^91+5) hedges a risk of new curve-specific attacks.
  This curve features: isomorphism to Miller's curve from 1985; low
  Kolmogorov complexity (little room for embedded weaknesses of
  Gordon, Young--Yung, or Teske); similarity to a Bitcoin curve;
  Montgomery form; complex multiplication by i
  (Gallant--Lambert--Vanstone); prime field; easy reduction,
  inversion, Legendre symbol, and square root; five 64-bit-word field
  arithmetic; string-as-point encoding; and 34-byte keys.

Status of This Memo
  This Internet-Draft is submitted in full conformance with the
  provisions of BCP 78 and BCP 79.  Internet-Drafts are working
  documents of the Internet Engineering Task Force (IETF).  Note that
  other groups may also distribute working documents as
  Internet-Drafts.  The list of current Internet-Drafts is at

  Internet-Drafts are draft documents valid for a maximum of six
  months and may be updated, replaced, or obsoleted by other documents
  at any time.  It is inappropriate to use Internet-Drafts as
  reference material or to cite them other than as "work in progress."

Copyright Notice
  Copyright (c) 2020 IETF Trust and the persons identified as the
  document authors.  All rights reserved.

  This document is subject to BCP 78 and the IETF Trust's Legal
  Provisions Relating to IETF Documents
  (http://trustee.ietf.org/license-info) in effect on the date of
  publication of this document.  Please review these documents
  carefully, as they describe your rights and restrictions with
  respect to this document.

  This document may not be modified, and derivative works of it may
  not be created, except to format it for publication as an RFC or to
  translate it into languages other than English.

Brown             ECC with 2y^2=x^3+x/GF(8^91+5)             [Page 1]
Internet-Draft                                             2020-10-02


1.  Introduction
2.  Requirements Language (RFC 2119)
3.  Use ONLY in multi-curve ECC
4.  Encoding points
4.1.  Point encoding process
4.1.1.  Summary
4.1.2.  Details
4.2.  Point decoding process
4.2.1.  Summary
4.2.2.  Detail
5.  Point validation
5.1.  When to validate
5.1.1.  Mandatory validation
5.1.2.  Simplified validation
5.1.3.  Minimal validation
5.2.  Point validation process
6.  OPTIONAL encodings
6.1.  Encoding scalars
6.2.  Encoding strings as points
7.  IANA considerations
8.  Security considerations
8.1.  Field choice
8.2.  Curve choice
8.3.  Encoding choices
8.4.  General subversion concerns
8.5.  Concerns about 'aegis'
9.  References
9.1.  Normative References
9.2.  Informative References

Brown             ECC with 2y^2=x^3+x/GF(8^91+5)             [Page 2]
Internet-Draft                                             2020-10-02

Appendix A.  Why 2y^2=x^3+x/GF(8^91+5)?
A.1. Not for single-curve ECC
A.2.  Risks of new curve-specific attacks
A.2.1.  What would be considered a "new curve-specific" attack?
A.2.2.1.  What would be considered a "new" attack?
A.2.2.2.  What is, would be, considered a "curve-specific attack"?
A.2.2.3.  Rarity of published curve-specific attacks
A.2.2.4.  Correlation of curve-specific efficiency and attacks
A.3.  Mitigations against new curve-specific attacks
A.3.1.  Fixed curve mitigations
A.3.1.2.  Existing fixed-curve mitigations
A.3.1.2.  Migitations used by 2y^2=x^3+x/GF(8^91+5)
A.3.2.  Multi-curve ECC
A.3.2.1.  Multi-curve ECC is a redundancy strategy
A.3.2.2.  Whether to use multi-ECC
A.  Benefits of multi-curve ECC
A.  Costs of multi-curve ECC
A.3.2.3.  Applying multi-curve ECC
A.4.  General features of curve 2y^2=x^3+x/GF(8^91+5)
A.4.1.  Field features
A.4.3.  Equation features
A.4.4.  Finite curve features
A.4.4.1.  Curve size and cofactor
A.4.4.2.  Pollard rho security
A.4.4.3.  Pohlig--Hellman security
A.4.4.2.  Menezes--Okamoto--Vanstone security
A.4.4.3.  Semaev--Araki--Satoh--Smart security
A.4.4.4.  Edwards and Hessian form
A.4.4.5.  Bleichenbacher security
A.4.4.6.  Bernstein's "twist" security
A.4.4.7.  Cheon security
A.4.4.8  Reductionist security assurance for Diffie--Hellman
Appendix B.  Test vectors
Appendix C.  Sample code (pseudocode)
C.1.  Scalar multiplication of 34-byte strings
C.1.1.  Field arithmetic for GF(8^91+5)
C.1.2.  Montgomery ladder scalar multiplication
C.1.3.  Bernstein's 2-dimensional Montgomery ladder
C.1.4.  GLV in Edwards coordinates (Hisil--Carter--Dawson--Wong)
C.2.  Sample code for test vectors
C.3.  Sample code for a command-line demo of Diffie--Hellman
C.4.  Sample code for public-key validation and curve basics
Show full document text