Elliptic curve 2y^2=x^3+x over field size 8^91+5

Document Type Active Internet-Draft (individual)
Last updated 2020-04-03
Stream (None)
Intended RFC status (None)
Formats plain text pdf htmlized (tools) htmlized bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date
Responsible AD (None)
Send notices to (None)
Internet-Draft                                                D. Brown
Intended status: Experimental                               BlackBerry
Expires: 2020-10-05                                         2020-04-03
          Elliptic curve 2y^2=x^3+x over field size 8^91+5


  Multi-curve elliptic curve cryptography with 2y^2=x^3+x/GF(8^91+5)
  hedges a risk of new curve-specific attacks.  The curve features:
  isomorphism to Miller's curve from 1985; low Kolmogorov complexity
  (little room for embedded weaknesses of Gordon, Young--Yung, or
  Teske); prime field; Montgomery ladder or Edwards unified arithmetic
  (Hisil--Carter--Dawson--Wong); complex multiplication by i
  (Gallant--Lambert--Vanstone); 34-byte keys; five 64-bit-word field
  arithmetic; easy reduction, inversion, Legendre symbol, and square
  root; similarity to a Bitcoin curve; and string-as-point encoding.

Status of This Memo
  This Internet-Draft is submitted in full conformance with the
  provisions of BCP 78 and BCP 79.  Internet-Drafts are working
  documents of the Internet Engineering Task Force (IETF).  Note that
  other groups may also distribute working documents as
  Internet-Drafts.  The list of current Internet-Drafts is at

  Internet-Drafts are draft documents valid for a maximum of six
  months and may be updated, replaced, or obsoleted by other documents
  at any time.  It is inappropriate to use Internet-Drafts as
  reference material or to cite them other than as "work in progress."

Copyright Notice
  Copyright (c) 2019 IETF Trust and the persons identified as the
  document authors.  All rights reserved.

  This document is subject to BCP 78 and the IETF Trust's Legal
  Provisions Relating to IETF Documents
  (http://trustee.ietf.org/license-info) in effect on the date of
  publication of this document.  Please review these documents
  carefully, as they describe your rights and restrictions with
  respect to this document.

  This document may not be modified, and derivative works of it may
  not be created, except to format it for publication as an RFC or to
  translate it into languages other than English.

Brown                2y^2=x^3+x over 8^91+5                 [Page 1]
Internet-Draft                                             2020-04-03

Table of contents
  1.  Introduction
  2.  Requirements Language (RFC 2119)
  3.  Overview
  3.1. Not for single-curve ECC
  3.2.  Risks of new curve-specific attacks
  3.3.  Multi-curve ECC
  3.3.1.  Multi-curve ECC is a redundancy strategy
  3.3.2.  Whether to use multi-ECC  Benefits of multi-curve ECC  Costs of multi-curve ECC
  3.3.3.  Applying multi-curve ECC
  3.4.  Curve features
  3.4.1.  Field features
  3.4.3.  Equation features
  3.4.4.  Finite curve feature  Curve size and cofactor  Pollard rho security  Pohlig--Hellman security  Menezes--Okamoto--Vanstone security  Semaev--Araki--Satoh--Smart security  Edwards and Hessian form  Bleichenbacher security  Bernstein's "twist" security  Cheon security
  4.  Encoding points
  4.1.  Point encoding process
  4.1.1.  Summary
  4.1.2.  Details
  4.2.  Point decoding process
  4.2.1.  Summary
  4.2.2.  Detail
  5.  Point validation
  5.1.  When to validate
  5.1.1.  Mandatory validation
  5.1.2.  Simplified validation
  5.1.4.  Minimal validation
  5.2.  Point validation process
  6.  OPTIONAL encodings
  6.1.  Encoding scalars
  6.2.  Encoding strings as points
  7.  IANA Considerations
  8.  Security considerations
  8.1.  Field choice
  8.2.  Curve choice
  8.3.  Encoding choices
  8.4.  General subversion concerns
  8.5.  Concerns about 'aegis'
  9.  References

Brown                2y^2=x^3+x over 8^91+5                 [Page 2]
Internet-Draft                                             2020-04-03

  9.1.  Normative References
  9.2.  Informative References
  Appendix A.  Test vectors
  Appendix B.  Minimizing trapdoors and backdoors
  Appendix C.  Pseudocode
  C.1.  Scalar multiplication of 34-byte strings
  C.1.1.  Field arithmetic for GF(8^91+5)
  C.1.2.  Montgomery ladder scalar multiplication
  C.1.3.  Bernstein's 2-dimensional Montgomery ladder
  C.1.4.  GLV in Edwards coordinates (Hisil--Carter--Dawson--Wong)
  C.2  Pseudocode for test vectors
  C.3.  Pseudocode for a command-line demo of Diffie--Hellman
  C.4  Pseudocode for public-key validation and twist insecurity
  C.5.  Elligator i
  D. Primality proofs and certificates
  D.1.  Pratt certificate for the field size 8^91+5
  D.2.  Pratt certificate for subgroup order

1.  Introduction
  Elliptic curve cryptography (ECC) is now part of several IETF

  Multi-curve ECC mitigates the risk of new curve-specific attacks on
  ECC.  This document aims to contribute to multi-curve ECC by
  describing how to use the curve
Show full document text