Addition Elliptic Curves for IETF protocols

The information below is for an old version of the document
Document Type Active Internet-Draft (individual)
Author Watson Ladd 
Last updated 2014-01-08
Stream (None)
Formats plain text pdf htmlized bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date
Responsible AD (None)
Send notices to (None)
Internet Draft                                                   W. Ladd
<draft-ladd-safecurves-00.txt>                              Grad Student
Category: Informational                                      UC Berkeley
Expires 9 July 2014                                        5 January 2014

              Addition Elliptic Curves for IETF protocols

Status of this Memo

   Distribution of this memo is unlimited.

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at

   The list of Internet-Draft Shadow Directories can be accessed at

   This Internet-Draft will expire on date.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.   

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   ( in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.


   This internet draft contains curves whose Jacobians are groups over

Ladd, Watson              Expires 9 July 2014                   [Page 1]
Internet Draft              ladd-safecurves               8 January 2014

   which the Decisional Diffie-Hellman problem is hard, and which have
   implementation advantages.


Ladd, Watson              Expires 9 July 2014                   [Page 2]
Internet Draft              ladd-safecurves               8 January 2014

Table of Contents

   1. Introduction ....................................................3
   2. The curves .......................................................

1. Introduction

   This document contains a set of elliptic curves over prime fields
   with many security advantages.

2. The Curves

   Each curve is given by an equation and a basepoint, together with an
   order. All curves are elliptic. Validation information is given at
   [SAFECURVES]. The names given in this document indicate the family.

   Curve25519 is a curve over GF(2^255-19), formula y^2=x^3+486662x^2+x,
   basepoint (9, 147816194475895447910205935684099868872646
   06134616475288964881837755586237401), order 2^252 +

   E-382 is a curve over GF(2^382-15), formula x^2+y^2=1-6725254x^2y^2,
   basepoint (3914921414754292646847594472454013487047
   298429278603678181725699, 17), order 2^380 -

   M-383 is a curve over GF(2^383-187), forumla y^2=x^3+2065150x^2+x,
   basepoint (12,
   9791524463565757299203154901655432096558642117242906494), order 2^380
   + 166236275931373516105219794935542153308039234455761613271

   Curve383187 is a curve over GF(2^383-187), formula
   y^2=x^3+229969x^2+x, basepoint (5,
   662038422584867624507245060283757321006861735839455), order 2^380 +

   Curve3617 is a curve over GF(2^414-17), formula x^2+y^2=1+3617x^2y^2,
   171904769976866975908866528699294134494857887698432266169206165, 34),
   order 2^411 -

   M-511 is a curve over GF(2^511-187), formula y^2 = x^3+530438x^2+x,
   basepoint (5,

Ladd, Watson              Expires 9 July 2014                   [Page 3]
Internet Draft              ladd-safecurves               8 January 2014

   116625808811349787373477), order 2^508 +

3. Security Considerations

   This entire document discusses methods of implementing cryptography
   securely. The time for an attacker to break the DLP on these curves
   is the square root of the group order with the best known attacks.

   Curves of Edwards form are best when addition is required, those of
   Montgomery form make excellent candidates for Diffie-Hellman key
   agrement on the Kummer surface. Explicit formulas are in the
   Explicit-Formula Database [EFD].

4. IANA Considerations

   IANA should maintain a registry of these curves, calling them
   safecurve-XXXX where XXX is the curve identifier.

5. References



Author Addresses
   Watson Ladd
   Berkeley, CA

Ladd, Watson              Expires 9 July 2014                   [Page 4]