Rigid Parameter Generation for Elliptic Curve Cryptography

Since the initial standardization of elliptic curve cryptography (ECC) in there has been significant progress related to both efficiency and security of curves and implementations. Notable examples are algorithms protected against certain side-channel attacks, different 'special' prime shapes which allow faster modular arithmetic, and a larger set of curve models from which to choose. There is also concern in the community regarding the generation and potential weaknesses of the curves defined in . This memo describes a deterministic algorithm for generation of elliptic curves for cryptography. The constraints in the generation process produce curves that support constant-time, exception-free scalar multiplications that are resistant to a wide range of side-channel attacks including timing and cache attacks, thereby offering high practical security in cryptographic applications. The deterministic algorithm operates without any hidden parameters, reliance on randomness or any other processes offering opportunities for manipulation of the resulting curves. The selection between curve models is determined by choosing the curve form that supports the fastest (currently known) complete formulas for each modularity option of the underlying field prime. Specifically, the twisted Edwards curve -x^2 + y^2 = 1 + dx^2y^2 is used for primes p with p = 1 mod 4, and the Edwards curve x^2 + y^2 = 1 + dx^2y^2 is used with primes p with p = 3 mod 4.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

This document specifies a deterministic algorithm for generating elliptic curve domain parameters over prime fields GF(p), with p having a length of twice the desired security level in bits, in (twisted) Edwards form. Furthermore, this document identifies the security and implementation requirements for the generated domain parameters.

For each curve at a specific security level: The domain parameters SHALL be generated in a simple, deterministic manner, without any secret or random inputs. The derivation of the curve parameters is defined in . The trace of Frobenius MUST NOT be in {0, 1} in order to rule out the attacks described in , , and , as in . MOV Degree: the embedding degree k MUST be greater than (r - 1) / 100, as in . CM Discriminant: discriminant D MUST be greater than 2^100, as in .

Throughout this document, the following notation is used:

This section describes the generation of the curve parameters, namely the curve parameter d, and a generator point P of the prime order subgroup of the elliptic curve.

For a prime p = 1 mod 4, the elliptic curve tEd in twisted Edwards form is determined by the non-square element d from GF(p), different from -1,0 with smallest absolute value such that #tEd(GF(p)) = hd * rd, #tEd'(GF(p)) = hd' * rd', {hd, hd'} = {4, 8} and both subgroup orders rd and rd' are prime. In addition, care must be taken to ensure the MOV degree and CM discriminant requirements from are met.

0) then d = -d else d = -d + 1 end if until d is not a square in GF(p) Compute rd, rd', hd, hd' where #tEd(GF(p)) = hd * rd, #tEd'(GF(p)) = hd' * rd', hd and hd' are powers of 2 and rd, rd' are odd until ((hd + hd' = 12) and rd is prime and rd' is prime) 3. Output d ]]>

For a prime p = 3 mod 4, the elliptic curve Ed in Edwards form is determined by the non-square element d from GF(p), different from -1,0 with smallest absolute value such that #Ed(GF(p)) = hd * rd, #Ed'(GF(p)) = hd' * rd', hd = hd' = 4, and both subgroup orders rd and rd' are prime. In addition, care must be taken to ensure the MOV degree and CM discriminant requirements from are met.

0) then d = -d else d = -d + 1 end if until d is not a square in GF(p) Compute rd, rd', hd, hd' where #Ed(GF(p)) = hd * rd, #Ed'(GF(p)) = hd' * rd', hd and hd' are powers of 2 and rd, rd' are odd until ((hd = hd' = 4) and rd is prime and rd' is prime) 3. Output d ]]>

The generator points P = (X(P),Y(P)) for all curves are selected by taking the smallest positive value x in GF(p) (when represented as an integer) such that (x, y) is on the curve and such that (X(P),Y(P)) = 8 * (x, y) has large prime order rd.

The following figures give parameters for twisted Edwards and Edwards curves generated using the algorithms defined in previous sections. All integer values are unsigned.

The authors would like to thank Tolga Acar, Karen Easterbrook and Brian LaMacchia for their contributions to the development of this draft.

TBD

The authors have no knowledge about any intellectual property rights that cover the usage of the domain parameters defined herein.

There are no IANA considerations for this document.