Elliptic Curves for Security
draft-irtf-cfrg-curves-07
Note: the datatracker information below is for an old version of the document.

Document type:         Active Internet-Draft (cfrg RG)
Last updated:          2015-08-29
Replaces:              draft-agl-cfrgcurve
Stream:                IRTF
Intended RFC status:   Informational
IETF conflict review:  conflict-review-irtf-cfrg-curves
IRTF state:            (None)
Consensus boilerplate: Unknown
Document shepherd:     No shepherd assigned
IESG state:            I-D Exists
Responsible AD:        (None)
Send notices to:       cfrg-chairs@ietf.org
CFRG                                                          A. Langley
Internet-Draft                                                    Google
Intended status: Informational                                M. Hamburg
Expires: March 1, 2016                      Rambus Cryptography Research
                                                               S. Turner
                                                              IECA, Inc.
                                                         August 29, 2015
Elliptic Curves for Security
draft-irtf-cfrg-curves-07
Abstract
This memo specifies two elliptic curves over prime fields that offer
high practical security in cryptographic applications, including
Transport Layer Security (TLS). These curves are intended to operate
at the ~128-bit and ~224-bit security level, respectively, and are
generated deterministically based on a list of required properties.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 1, 2016.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
Langley, et al. Expires March 1, 2016 [Page 1]
Internet-Draft cfrgcurve August 2015
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3
3. Notation . . . . . . . . . . . . . . . . . . . . . . . . . . 3
4. Recommended Curves . . . . . . . . . . . . . . . . . . . . . 3
4.1. Curve25519 . . . . . . . . . . . . . . . . . . . . . . . 3
4.2. Curve448 . . . . . . . . . . . . . . . . . . . . . . . . 4
5. The X25519 and X448 functions . . . . . . . . . . . . . . . . 6
5.1. Side-channel considerations . . . . . . . . . . . . . . . 9
5.2. Test vectors . . . . . . . . . . . . . . . . . . . . . . 9
6. Diffie-Hellman . . . . . . . . . . . . . . . . . . . . . . . 12
6.1. Curve25519 . . . . . . . . . . . . . . . . . . . . . . . 12
6.2. Curve448 . . . . . . . . . . . . . . . . . . . . . . . . 13
7. Security Considerations . . . . . . . . . . . . . . . . . . . 14
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 15
9.1. Normative References . . . . . . . . . . . . . . . . . . 15
9.2. Informative References . . . . . . . . . . . . . . . . . 15
Appendix A. Deterministic Generation . . . . . . . . . . . . . . 16
A.1. p = 1 mod 4 . . . . . . . . . . . . . . . . . . . . . . . 17
A.2. p = 3 mod 4 . . . . . . . . . . . . . . . . . . . . . . . 18
A.3. Base points . . . . . . . . . . . . . . . . . . . . . . . 18
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19
1. Introduction
Since the initial standardization of elliptic curve cryptography (ECC
[RFC6090]) in [SEC1] there has been significant progress related to
both efficiency and security of curves and implementations. Notable
examples are algorithms protected against certain side-channel
attacks, various 'special' prime shapes that allow faster modular
arithmetic, and a larger set of curve models from which to choose.
There is also concern in the community regarding the generation and
potential weaknesses of the curves defined by NIST [NIST].
This memo specifies two elliptic curves ("curve25519" and "curve448")
that lend themselves to constant-time implementation and an
exception-free scalar multiplication that is resistant to a wide
range of side-channel attacks, including timing and cache attacks.
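As an added illustration of the constant-time, exception-free scalar multiplication the introduction refers to (example code written for this page, not part of the draft), the X25519 function below follows the Montgomery ladder that section 5 of this draft specifies for curve25519: a fixed number of steps, a masked swap instead of a secret-dependent branch, and no special-case path for low-order inputs. It assumes the draft's parameters p = 2^255 - 19, a24 = 121665 and base point u = 9; Python big integers are not themselves constant time, so this is a reference model rather than a side-channel-hardened implementation.

```python
P = 2**255 - 19   # field prime for curve25519
A24 = 121665      # (A - 2) / 4 for the Montgomery coefficient A = 486662

def cswap(swap, x, y):
    # Swap x and y when swap == 1 using a mask, not a data-dependent branch.
    dummy = (-swap) & (x ^ y)
    return x ^ dummy, y ^ dummy

def decode_scalar(k_bytes):
    # 32-byte little-endian scalar with curve25519 clamping applied.
    k = bytearray(k_bytes)
    k[0] &= 248    # clear the low 3 bits: kill the cofactor-8 component
    k[31] &= 127   # clear bit 255
    k[31] |= 64    # set bit 254 so every scalar drives the same ladder length
    return int.from_bytes(k, "little")

def decode_u(u_bytes):
    # 32-byte little-endian u-coordinate; the top bit is ignored.
    u = bytearray(u_bytes)
    u[31] &= 127
    return int.from_bytes(u, "little")

def x25519(k_bytes, u_bytes):
    k, x1 = decode_scalar(k_bytes), decode_u(u_bytes)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):          # always 255 ladder steps
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    # Exception-free: a low-order input gives z2 == 0 and output 0, no error path.
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

BASEPOINT_U = (9).to_bytes(32, "little")   # u = 9, the draft's base point

def dh_shared(private_a, private_b):
    # Each side derives its public key, then the shared secret from the other's.
    pub_a, pub_b = x25519(private_a, BASEPOINT_U), x25519(private_b, BASEPOINT_U)
    return x25519(private_a, pub_b), x25519(private_b, pub_a)
```

A practical check that both parties agree is the constructed key pair in the test below; an all-zero output signals a low-order peer value and should be rejected by the caller.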