Rigid Parameter Generation for Elliptic Curve Cryptography

Microsoft, One Microsoft Way, Redmond, WA 98115, US, benblack@microsoft.com
NXP Semiconductors, Interleuvenlaan 80, 3001 Leuven, Belgium, joppe.bos@nxp.com
Microsoft Research, One Microsoft Way, Redmond, WA 98115, US, craigco@microsoft.com
Google Inc, agl@google.com
Microsoft Research, One Microsoft Way, Redmond, WA 98115, US, plonga@microsoft.com
Microsoft Research, One Microsoft Way, Redmond, WA 98115, US, mnaehrig@microsoft.com

General
Network Working Group
elliptic curve, cryptography, ecc, tls

This memo describes algorithms for deterministically generating parameters for elliptic curves over prime fields offering high practical security in cryptographic applications, including Transport Layer Security (TLS) and X.509 certificates. The algorithms can generate domain parameters at any security level for modern (twisted) Edwards curves.

Since the initial standardization of elliptic curve cryptography (ECC) in there has been significant progress related to both efficiency and security of curves and implementations. Notable examples are algorithms protected against certain side-channel attacks, different 'special' prime shapes which allow faster modular arithmetic, and a larger set of curve models from which to choose. There is also concern in the community regarding the generation and potential weaknesses of the curves defined in .

This memo describes a deterministic algorithm for generation of elliptic curves for cryptography. The constraints in the generation process produce curves that support constant-time, exception-free scalar multiplications that are resistant to a wide range of side-channel attacks including timing and cache attacks, thereby offering high practical security in cryptographic applications. The deterministic algorithm operates without any hidden parameters, reliance on randomness or any other processes offering opportunities for manipulation of the resulting curves. The selection between curve models is determined by choosing the curve form that supports the fastest (currently known) complete formulas for each modularity option of the underlying field prime. Specifically, the Edwards curve x^2 + y^2 = 1 + dx^2y^2 is used with primes p with p = 3 mod 4, and the twisted Edwards curve -x^2 + y^2 = 1 + dx^2y^2 is used for primes p with p = 1 mod 4.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

This document specifies a deterministic algorithm for generating elliptic curve domain parameters over prime fields GF(p), with p having a length of twice the desired security level in bits, in (twisted) Edwards form.

For each curve at a specific security level:

The domain parameters SHALL be generated in a simple, deterministic manner, without any secret or random inputs. The derivation of the curve parameters is defined in .

The trace of Frobenius MUST NOT be in {0, 1} in order to rule out the attacks described in , , and , as in .

MOV Degree: the embedding degree k MUST be greater than (r - 1) / 100, as in .

CM Discriminant: discriminant D MUST be greater than 2^100, as in .

Throughout this document, the following notation is used:

This section describes the generation of the curve parameters, namely the curve parameter d, and a generator point P of the prime order subgroup of the elliptic curve. Best practice is to use primes with p = 3 mod 4. For compatibility with some deployed implementations, a generation process for primes with p = 1 mod 4 is also provided.

For a prime p = 3 mod 4, the elliptic curve Ed in Edwards form is determined by the non-square element d from GF(p), different from -1,0 with smallest absolute value such that #Ed(GF(p)) = hd * rd, #Ed'(GF(p)) = hd' * rd', hd = hd' = 4, and both subgroup orders rd and rd' are prime. In addition, care must be taken to ensure the MOV degree and CM discriminant requirements from are met.

For a prime p = 1 mod 4, the elliptic curve tEd in twisted Edwards form is determined by the non-square element d from GF(p), different from -1,0 with smallest absolute value such that #tEd(GF(p)) = hd * rd, #tEd'(GF(p)) = hd' * rd', hd = 8, hd' = 4 and both subgroup orders rd and rd' are prime.
In addition, care must be taken to ensure the MOV degree and CM discriminant requirements from are met.

The generator points P = (X(P),Y(P)) for all curves are selected by taking the smallest positive value x in GF(p) (when represented as an integer) such that (x, y) is on the curve and such that (X(P),Y(P)) = 8 * (x, y) has large prime order rd.

For applications requiring Montgomery curves, such as x-only point format for elliptic curve Diffie-Hellman (ECDH) key exchange, isogenies from the generated (twisted) Edwards curves can be produced as described in the following sections.

For a prime p = 3 mod 4, and a given Edwards curve Ed: x^2 + y^2 = 1 + d x^2 y^2 over GF(p) with non-square parameter d, let A = -(4d - 2). Then the Montgomery curve is isogenous to Ed over GF(p). The following map is a 4-isogeny from Ed to EM over GF(p):

The neutral element (0,1) and the point of order two (0,-1) on Ed are mapped to the point at infinity on EM. The dual isogeny is given by

It holds phi_d(phi((x,y))) = [4](x,y) on Ed and phi(phi_d((u,v))) = [4](u,v) on EM.

For a prime p = 1 mod 4, and a given twisted Edwards curve tEd: -x^2 + y^2 = 1 + d x^2 y^2 over GF(p) with non-square parameter d, let A = 4d + 2. Then the Montgomery curve is isogenous to tEd over GF(p). Let s in GF(p) be a fixed square root of -1, i.e. s is a solution to the equation s^2 + 1 = 0 over GF(p). Then, the following map is a 4-isogeny from tEd to EM over GF(p):

The neutral element (0,1) and the point of order two (0,-1) on tEd are mapped to the point at infinity on EM. The dual isogeny is given by

It holds phi_d(phi((x,y))) = [4](x,y) on tEd and phi(phi_d((u,v))) = [4](u,v) on EM.

The following figures give parameters for recommended twisted Edwards and Edwards curves at the 128 and 192 bit security levels generated using the algorithms defined in previous sections.
All integer values are unsigned.

The isogenous Montgomery curve for p = 2^255 - 19 is given by A = 0x76D06.

The isogenous Montgomery curve for p = 2^384 - 317 is given by A = 0xB492.

As defined in , the name space NamedCurve is used for the negotiation of elliptic curve groups for key exchange during TLS session establishment. This document adds new NamedCurve types for the elliptic curves defined in this document:

These curves are suitable for use with Datagram TLS .

The (twisted) Edwards curves generated by the procedure defined in this draft are suitable for use in signature algorithms such as ECDSA. In compliance with , which only supports named curves, namedCurve OIDs must be defined for the generated curves and points must be represented as (x,y) in either uncompressed or compressed format.

The following object identifiers represent the (twisted) Edwards domain parameter sets defined in this draft:

The authors would like to thank Tolga Acar, Karen Easterbrook and Brian LaMacchia for their contributions to the development of this draft.

TBD

The authors have no knowledge about any intellectual property rights that cover either the generation algorithms or the usage of the domain parameters defined herein.

IANA is requested to assign numbers for the curves listed in in the "EC Named Curve" registry of the "Transport Layer Security (TLS) Parameters" registry as follows:

Value   Description   DTLS-OK   Reference
TBD1    ietfp255t1    Y         this doc
TBD2    ietfp255x1    Y         this doc
TBD3    ietfp384e1    Y         this doc
TBD4    ietfp384x1    Y         this doc
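
The search for d described earlier for primes p = 3 mod 4, run at toy size as an added example (not code from this memo or its authors). The function names and the prime 103 are assumptions chosen for illustration; points are counted by brute force, which only works for tiny fields, the MOV check is applied to the curve only, and the CM discriminant bound is not checked because it cannot be met at this size.

```python
def is_prime(n):
    return n > 1 and all(n % q for q in range(2, int(n ** 0.5) + 1))

def is_nonsquare(a, p):
    # Euler's criterion: a^((p-1)/2) = -1 mod p exactly for non-squares
    return pow(a % p, (p - 1) // 2, p) == p - 1

def count_points(p, d):
    """#Ed(GF(p)) for x^2 + y^2 = 1 + d x^2 y^2 with d a non-square.
    The curve is then complete, so its affine solutions are the whole group."""
    total = 0
    for x in range(p):
        den = (1 - d * x * x) % p          # never 0 when d is a non-square
        y2 = (1 - x * x) * pow(den, p - 2, p) % p
        if y2 == 0:
            total += 1                     # single solution y = 0
        elif not is_nonsquare(y2, p):
            total += 2                     # two square roots +y, -y
    return total

def embedding_degree(p, r):
    # Smallest k with p^k = 1 mod r (the MOV degree)
    k, acc = 1, p % r
    while acc != 1:
        acc, k = acc * p % r, k + 1
    return k

def find_d(p):
    """Return (d, rd, rd') for the smallest |d| meeting the criteria, else None."""
    assert p % 4 == 3 and is_prime(p)
    for k in range(2, (p + 1) // 2):       # d = -1 is excluded, d = 1 is a square
        # -1 is a non-square when p = 3 mod 4, so exactly one of +k, -k qualifies
        d = k if is_nonsquare(k, p) else -k
        n = count_points(p, d)
        nt = 2 * p + 2 - n                 # order of the quadratic twist Ed'
        if p + 1 - n in (0, 1) or n % 4 or nt % 4:
            continue                       # trace in {0, 1} or cofactor not 4
        r, rt = n // 4, nt // 4
        if is_prime(r) and is_prime(rt) and 100 * embedding_degree(p, r) > r - 1:
            return d, r, rt
    return None

TOY_P = 103                                # constructed toy prime, 103 = 3 mod 4
```

At cryptographic sizes the same loop is driven by a point-counting algorithm such as SEA instead of `count_points`, and every rejected candidate is as reproducible as the accepted one, which is what makes the result checkable by third parties.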
&RFC2119;
&RFC3279;
&RFC3552;
&RFC4050;
&RFC4492;
&RFC4754;
&RFC5226;
&RFC5480;
&RFC5753;
&RFC6090;
&RFC6347;
Selecting Elliptic Curves for Cryptography: An Efficiency and Security Analysis. Microsoft Research.
Elliptic Curve Cryptography in Practice.
The discrete logarithm problem on elliptic curves of trace one.
Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves.
Evaluation of discrete logarithms on some elliptic curves.
ECC Brainpool Standard Curves and Curve Generation. ECC Brainpool.
SafeCurves: choosing safe curves for elliptic-curve cryptography.
Recommended Elliptic Curves for Federal Government Use. National Institute of Standards.
SEC 1: Elliptic Curve Cryptography. Certicom Research.
Public Key Cryptography for the Financial Services Industry, The Elliptic Curve Digital Signature Algorithm (ECDSA). ANSI.
EC Named Curve Registry. IANA.