RFC 7748
Internet Research Task Force (IRTF) A. Langley
Request for Comments: 7748 Google
Category: Informational M. Hamburg
ISSN: 2070-1721 Rambus Cryptography Research
S. Turner
sn3rd
January 2016
Elliptic Curves for Security
Abstract
This memo specifies two elliptic curves over prime fields that offer
a high level of practical security in cryptographic applications,
including Transport Layer Security (TLS). These curves are intended
to operate at the ~128-bit and ~224-bit security level, respectively,
and are generated deterministically based on a list of required
properties.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Research Task Force
(IRTF). The IRTF publishes the results of Internet-related research
and development activities. These results might not be suitable for
deployment. This RFC represents the consensus of the Crypto Forum
Research Group of the Internet Research Task Force (IRTF). Documents
approved for publication by the IRSG are not a candidate for any
level of Internet Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7748.
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Langley, et al. Informational [Page 1]
RFC 7748 Elliptic Curves for Security January 2016
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3
3. Notation . . . . . . . . . . . . . . . . . . . . . . . . . . 3
4. Recommended Curves . . . . . . . . . . . . . . . . . . . . . 4
4.1. Curve25519 . . . . . . . . . . . . . . . . . . . . . . . 4
4.2. Curve448 . . . . . . . . . . . . . . . . . . . . . . . . 5
5. The X25519 and X448 Functions . . . . . . . . . . . . . . . . 7
5.1. Side-Channel Considerations . . . . . . . . . . . . . . . 10
5.2. Test Vectors . . . . . . . . . . . . . . . . . . . . . . 11
6. Diffie-Hellman . . . . . . . . . . . . . . . . . . . . . . . 14
6.1. Curve25519 . . . . . . . . . . . . . . . . . . . . . . . 14
6.2. Curve448 . . . . . . . . . . . . . . . . . . . . . . . . 15
7. Security Considerations . . . . . . . . . . . . . . . . . . . 15
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 16
8.1. Normative References . . . . . . . . . . . . . . . . . . 16
8.2. Informative References . . . . . . . . . . . . . . . . . 17
Appendix A. Deterministic Generation . . . . . . . . . . . . . . 19
A.1. p = 1 mod 4 . . . . . . . . . . . . . . . . . . . . . . . 20
A.2. p = 3 mod 4 . . . . . . . . . . . . . . . . . . . . . . . 21
A.3. Base Points . . . . . . . . . . . . . . . . . . . . . . . 21
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 22
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22
1. Introduction
Since the initial standardization of Elliptic Curve Cryptography (ECC
[RFC6090]) in [SEC1], there has been significant progress related to
both efficiency and security of curves and implementations. Notable
examples are algorithms protected against certain side-channel
attacks, various "special" prime shapes that allow faster modular
arithmetic, and a larger set of curve models from which to choose.
There is also concern in the community regarding the generation and
potential weaknesses of the curves defined by NIST [NIST].
This memo specifies two elliptic curves ("curve25519" and "curve448")
that lend themselves to constant-time implementation and an
exception-free scalar multiplication that is resistant to a wide
range of side-channel attacks, including timing and cache attacks.
They are Montgomery curves (where v^2 = u^3 + A*u^2 + u) and thus
have birationally equivalent Edwards versions. Edwards curves
support the fastest (currently known) complete formulas for the