## Elliptic curve 2y^2=x^3+x over field size 8^91+5

draft-brown-ec-2y2-x3-x-mod-8-to-91-plus-5-06

| Field | Value |
|---|---|
| Document type | Active Internet-Draft (individual) |
| Author | Daniel Brown |
| Last updated | 2020-10-02 |
| Stream | (None) |
| Intended RFC status | (None) |
| Stream state | (No stream defined) |
| Consensus Boilerplate | Unknown |
| RFC Editor Note | (None) |
| IESG state | I-D Exists |
| Telechat date | |
| Responsible AD | (None) |
| Send notices to | (None) |

- Internet-Draft
- Author: D. Brown (BlackBerry)
- Intended status: Experimental
- Expires: 2021-04-05
- Date: 2020-10-02

Elliptic curve 2y^2=x^3+x over field size 8^91+5

<draft-brown-ec-2y2-x3-x-mod-8-to-91-plus-5-06.txt>

### Abstract

Multi-curve elliptic curve cryptography with curve 2y^2=x^3+x/GF(8^91+5) hedges a risk of new curve-specific attacks. This curve features: isomorphism to Miller's curve from 1985; low Kolmogorov complexity (little room for embedded weaknesses of Gordon, Young--Yung, or Teske); similarity to a Bitcoin curve; Montgomery form; complex multiplication by i (Gallant--Lambert--Vanstone); prime field; easy reduction, inversion, Legendre symbol, and square root; five 64-bit-word field arithmetic; string-as-point encoding; and 34-byte keys.

### Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

### Copyright Notice

Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

This document may not be modified, and derivative works of it may not be created, except to format it for publication as an RFC or to translate it into languages other than English.

Brown ECC with 2y^2=x^3+x/GF(8^91+5) [Page 1]

### Contents

- 1. Introduction
- 2. Requirements Language (RFC 2119)
- 3. Use ONLY in multi-curve ECC
- 4. Encoding points
  - 4.1. Point encoding process
    - 4.1.1. Summary
    - 4.1.2. Details
  - 4.2. Point decoding process
    - 4.2.1. Summary
    - 4.2.2. Detail
- 5. Point validation
  - 5.1. When to validate
    - 5.1.1. Mandatory validation
    - 5.1.2. Simplified validation
    - 5.1.3. Minimal validation
  - 5.2. Point validation process
- 6. OPTIONAL encodings
  - 6.1. Encoding scalars
  - 6.2. Encoding strings as points
- 7. IANA considerations
- 8. Security considerations
  - 8.1. Field choice
  - 8.2. Curve choice
  - 8.3. Encoding choices
  - 8.4. General subversion concerns
  - 8.5. Concerns about 'aegis'
- 9. References
  - 9.1. Normative References
  - 9.2. Informative References
- Appendix A. Why 2y^2=x^3+x/GF(8^91+5)?
  - A.1. Not for single-curve ECC
  - A.2. Risks of new curve-specific attacks
    - A.2.1. What would be considered a "new curve-specific" attack?
      - A.2.2.1. What would be considered a "new" attack?
      - A.2.2.2. What is, would be, considered a "curve-specific attack"?
      - A.2.2.3. Rarity of published curve-specific attacks
      - A.2.2.4. Correlation of curve-specific efficiency and attacks
  - A.3. Mitigations against new curve-specific attacks
    - A.3.1. Fixed curve mitigations
      - A.3.1.2. Existing fixed-curve mitigations
      - A.3.1.2. Mitigations used by 2y^2=x^3+x/GF(8^91+5)
    - A.3.2. Multi-curve ECC
      - A.3.2.1. Multi-curve ECC is a redundancy strategy
      - A.3.2.2. Whether to use multi-ECC
        - A.3.2.2.1. Benefits of multi-curve ECC
        - A.3.2.2.2. Costs of multi-curve ECC
      - A.3.2.3. Applying multi-curve ECC
  - A.4. General features of curve 2y^2=x^3+x/GF(8^91+5)
    - A.4.1. Field features
    - A.4.3. Equation features
    - A.4.4. Finite curve features
      - A.4.4.1. Curve size and cofactor
      - A.4.4.2. Pollard rho security
      - A.4.4.3. Pohlig--Hellman security
      - A.4.4.2. Menezes--Okamoto--Vanstone security
      - A.4.4.3. Semaev--Araki--Satoh--Smart security
      - A.4.4.4. Edwards and Hessian form
      - A.4.4.5. Bleichenbacher security
      - A.4.4.6. Bernstein's "twist" security
      - A.4.4.7. Cheon security
      - A.4.4.8. Reductionist security assurance for Diffie--Hellman
- Appendix B. Test vectors
- Appendix C. Sample code (pseudocode)
  - C.1. Scalar multiplication of 34-byte strings
    - C.1.1. Field arithmetic for GF(8^91+5)
    - C.1.2. Montgomery ladder scalar multiplication
    - C.1.3. Bernstein's 2-dimensional Montgomery ladder
    - C.1.4. GLV in Edwards coordinates (Hisil--Carter--Dawson--Wong)
  - C.2. Sample code for test vectors
  - C.3. Sample code for a command-line demo of Diffie--Hellman
  - C.4. Sample code for public-key validation and curve basics