Network Working Group                                           B. Black
Internet-Draft                                                 Microsoft
Intended status: Informational                                    J. Bos
Expires: June 24, 2015                                NXP Semiconductors
                                                             C. Costello
                                                      Microsoft Research
                                                              A. Langley
                                                              Google Inc
                                                                P. Longa
                                                              M. Naehrig
                                                      Microsoft Research
                                                       December 21, 2014


       Rigid Parameter Generation for Elliptic Curve Cryptography
                         draft-black-rpgecc-01

Abstract

   This memo describes algorithms for deterministically generating
   parameters for elliptic curves over prime fields offering high
   practical security in cryptographic applications, including Transport
   Layer Security (TLS) and X.509 certificates. The algorithms can
   generate domain parameters at any security level for modern (twisted)
   Edwards curves.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on June 24, 2015.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements Language
   2.  Scope and Relation to Other Specifications
   3.  Security Requirements
   4.  Notation
   5.  Parameter Generation
     5.1.  Deterministic Curve Parameter Generation
       5.1.1.  Edwards Curves
       5.1.2.  Twisted Edwards Curves
   6.  Generators
   7.  Isogenies from the (twisted) Edwards to the Montgomery model
     7.1.  Edwards to Montgomery for p = 3 (mod 4)
     7.2.  Twisted Edwards to Montgomery for p = 1 (mod 4)
   8.  Recommended Curves
   9.  TLS NamedCurve Types
   10. Use with ECDSA
     10.1.  Object Identifiers
   11. Acknowledgements
   12. Security Considerations
   13. Intellectual Property Rights
   14. IANA Considerations
   15. References
     15.1.  Normative References
     15.2.  Informative References
   Authors' Addresses

1.  Introduction

   Since the initial standardization of elliptic curve cryptography
   (ECC) in [SEC1] there has been significant progress related to both
   efficiency and security of curves and implementations.
   Notable examples are algorithms protected against certain
   side-channel attacks, different 'special' prime shapes which allow
   faster modular arithmetic, and a larger set of curve models from
   which to choose. There is also concern in the community regarding
   the generation and potential weaknesses of the curves defined in
   [NIST].

   This memo describes a deterministic algorithm for generation of
   elliptic curves for cryptography. The constraints in the generation
   process produce curves that support constant-time, exception-free
   scalar multiplications that are resistant to a wide range of
   side-channel attacks including timing and cache attacks, thereby
   offering high practical security in cryptographic applications. The
   deterministic algorithm operates without any hidden parameters,
   reliance on randomness or any other processes offering opportunities
   for manipulation of the resulting curves. The selection between
   curve models is determined by choosing the curve form that supports
   the fastest (currently known) complete formulas for each modularity
   option of the underlying field prime. Specifically, the Edwards
   curve x^2 + y^2 = 1 + dx^2y^2 is used with primes p with p = 3 mod 4,
   and the twisted Edwards curve -x^2 + y^2 = 1 + dx^2y^2 is used for
   primes p with p = 1 mod 4.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  Scope and Relation to Other Specifications

   This document specifies a deterministic algorithm for generating
   elliptic curve domain parameters over prime fields GF(p), with p
   having a length of twice the desired security level in bits, in
   (twisted) Edwards form.

3.  Security Requirements

   For each curve at a specific security level:

   1.  The domain parameters SHALL be generated in a simple,
       deterministic manner, without any secret or random inputs. The
       derivation of the curve parameters is defined in Section 5.

   2.  The trace of Frobenius MUST NOT be in {0, 1} in order to rule out
       the attacks described in [Smart], [AS], and [S], as in [EBP].

   3.  MOV Degree: the embedding degree k MUST be greater than (r - 1) /
       100, as in [EBP].

   4.  CM Discriminant: discriminant D MUST be greater than 2^100, as in
       [SC].

4.  Notation

   Throughout this document, the following notation is used:

   p:      Denotes the prime number defining the base field.
   GF(p):  The finite field with p elements.
   d:      An element in the finite field GF(p), different from -1,0.
   Ed:     The elliptic curve Ed/GF(p): x^2 + y^2 = 1 + dx^2y^2 in
           Edwards form, defined over GF(p) by the parameter d.
   tEd:    The elliptic curve tEd/GF(p): -x^2 + y^2 = 1 + dx^2y^2 in
           twisted Edwards form, defined over GF(p) by the parameter d.
   rd:     The largest odd divisor of the number of GF(p)-rational
           points on Ed or tEd.
   td:     The trace of Frobenius of Ed or tEd such that
           #Ed(GF(p)) = p + 1 - td or #tEd(GF(p)) = p + 1 - td,
           respectively.
   rd':    The largest odd divisor of the number of GF(p)-rational
           points on the non-trivial quadratic twist Ed' or tEd'.
   hd:     The index (or cofactor) of the subgroup of order rd in the
           group of GF(p)-rational points on Ed or tEd.
   hd':    The index (or cofactor) of the subgroup of order rd' in the
           group of GF(p)-rational points on the non-trivial quadratic
           twist of Ed or tEd.
   P:      A generator point defined over GF(p) of prime order rd on Ed
           or tEd.
   X(P):   The x-coordinate of the elliptic curve point P.
   Y(P):   The y-coordinate of the elliptic curve point P.

5.  Parameter Generation

   This section describes the generation of the curve parameters, namely
   the curve parameter d, and a generator point P of the prime order
   subgroup of the elliptic curve. Best practice is to use primes with
   p = 3 mod 4. For compatibility with some deployed implementations, a
   generation process for primes with p = 1 mod 4 is also provided.

5.1.  Deterministic Curve Parameter Generation

5.1.1.  Edwards Curves

   For a prime p = 3 mod 4, the elliptic curve Ed in Edwards form is
   determined by the non-square element d from GF(p), different from
   -1,0 with smallest absolute value such that #Ed(GF(p)) = hd * rd,
   #Ed'(GF(p)) = hd' * rd', hd = hd' = 4, and both subgroup orders rd
   and rd' are prime. In addition, care must be taken to ensure the MOV
   degree and CM discriminant requirements from Section 3 are met.

   Input: a prime p, with p = 3 mod 4
   Output: the parameter d defining the curve Ed
   1. Set d = 0
   2. repeat
        repeat
          if (d > 0) then
            d = -d
          else
            d = -d + 1
          end if
        until d is not a square in GF(p)
        Compute rd, rd', hd, hd' where #Ed(GF(p)) = hd * rd,
        #Ed'(GF(p)) = hd' * rd', hd and hd' are powers of 2 and rd, rd'
        are odd
      until ((hd = hd' = 4) and rd is prime and rd' is prime)
   3. Output d

                          GenerateCurveEdwards

5.1.2.  Twisted Edwards Curves

   For a prime p = 1 mod 4, the elliptic curve tEd in twisted Edwards
   form is determined by the non-square element d from GF(p), different
   from -1,0 with smallest absolute value such that #tEd(GF(p)) = hd *
   rd, #tEd'(GF(p)) = hd' * rd', hd = 8, hd' = 4 and both subgroup
   orders rd and rd' are prime. In addition, care must be taken to
   ensure the MOV degree and CM discriminant requirements from Section 3
   are met.

   Input: a prime p, with p = 1 mod 4
   Output: the parameter d defining the curve tEd
   1. Set d = 0
   2. repeat
        repeat
          if (d > 0) then
            d = -d
          else
            d = -d + 1
          end if
        until d is not a square in GF(p)
        Compute rd, rd', hd, hd' where #tEd(GF(p)) = hd * rd,
        #tEd'(GF(p)) = hd' * rd', hd and hd' are powers of 2 and rd, rd'
        are odd
      until (hd = 8 and hd' = 4 and rd is prime and rd' is prime)
   3. Output d

                          GenerateCurveTEdwards

6.  Generators

   The generator points P = (X(P),Y(P)) for all curves are selected by
   taking the smallest positive value x in GF(p) (when represented as an
   integer) such that (x, y) is on the curve and such that (X(P),Y(P)) =
   8 * (x, y) has large prime order rd.

   Input: a prime p and curve parameters non-square d and
          a = -1 for twisted Edwards (p = 1 mod 4) or
          a = 1 for Edwards (p = 3 mod 4)
   Output: a generator point P = (X(P), Y(P)) of order rd
   1. Set x = 0 and found_gen = false
   2. while (not found_gen) do
        x = x + 1
        while ((1 - a * x^2) * (1 - d * x^2) is not a quadratic
               residue mod p) do
          x = x + 1
        end while
        Compute an integer s, 0 < s < p, such that
               s^2 * (1 - d * x^2) = 1 - a * x^2 mod p
        Set y = min(s, p - s)

        (X(P), Y(P)) = 8 * (x, y)

        if ((X(P), Y(P)) has order rd on Ed or tEd, respectively) then
          found_gen = true
        end if
      end while
   3. Output (X(P),Y(P))

                               GenerateGen

7.  Isogenies from the (twisted) Edwards to the Montgomery model

   For applications requiring Montgomery curves, such as x-only point
   format for elliptic curve Diffie-Hellman (ECDH) key exchange,
   isogenies from the generated (twisted) Edwards curves can be produced
   as described in the following sections.

7.1.  Edwards to Montgomery for p = 3 (mod 4)

   For a prime p = 3 mod 4, and a given Edwards curve Ed: x^2 + y^2 = 1
   + d x^2 y^2 over GF(p) with non-square parameter d, let A = -(4d -
   2). Then the Montgomery curve

      EM: v^2 = u^3 + Au^2 + u

   is isogenous to Ed over GF(p).
   The following map is a 4-isogeny from Ed to EM over GF(p):

   phi: Ed -> EM, (x,y) -> (u,v), where
      u = y^2 / x^2,
      v = -y(x^2 + y^2 - 2) / x^3.

   The neutral element (0,1) and the point of order two (0,-1) on Ed are
   mapped to the point at infinity on EM. The dual isogeny is given by

   phi_d: EM -> Ed, (u,v) -> (x,y), where
      x = 4v(u - 1)(u + 1) / (u^4 - 2u^2 + 4v^2 + 1),
      y = (u^2 + 2v - 1)(u^2 - 2v - 1) / (-u^4 + 2uv^2 + 2Au + 4u^2 + 1).

   It holds phi_d(phi((x,y))) = [4](x,y) on Ed and phi(phi_d((u,v))) =
   [4](u,v) on EM.

7.2.  Twisted Edwards to Montgomery for p = 1 (mod 4)

   For a prime p = 1 mod 4, and a given twisted Edwards curve tEd: -x^2
   + y^2 = 1 + d x^2 y^2 over GF(p) with non-square parameter d, let A =
   4d + 2. Then the Montgomery curve

      EM: v^2 = u^3 + Au^2 + u

   is isogenous to tEd over GF(p). Let s in GF(p) be a fixed square
   root of -1, i.e. s is a solution to the equation s^2 + 1 = 0 over
   GF(p). Then, the following map is a 4-isogeny from tEd to EM over
   GF(p):

   phi: tEd -> EM, (x,y) -> (u,v), where
      u = -y^2 / x^2,
      v = -ys(x^2 - y^2 + 2) / x^3.

   The neutral element (0,1) and the point of order two (0,-1) on tEd
   are mapped to the point at infinity on EM. The dual isogeny is given
   by

   phi_d: EM -> tEd, (u,v) -> (x,y), where
      x = 4sv(u - 1)(u + 1) / (u^4 - 2u^2 + 4v^2 + 1),
      y = (u^2 + 2v - 1)(u^2 - 2v - 1) / (-u^4 + 2uv^2 + 2Au + 4u^2 + 1).

   It holds phi_d(phi((x,y))) = [4](x,y) on tEd and phi(phi_d((u,v))) =
   [4](u,v) on EM.

8.  Recommended Curves

   The following figures give parameters for recommended twisted Edwards
   and Edwards curves at the 128 and 192 bit security levels generated
   using the algorithms defined in previous sections. All integer
   values are unsigned.

      p    = 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
               FFFFFFFFFFED
      d    = 0x1DB41
      r    = 0x1000000000000000000000000000000014DEF9DEA2F79CD65812
               631A5CF5D3ED
      x(P) = 0x5C88197130371C6958E48E7C57393BDEDBA29F9231D24B3D4DA2
               242EC821CDF1
      y(P) = 0x6FEC03B956EC4A0E51A838029242F8B107C27399CC7840C34B95
               5E478A8FB7A5
      h    = 0x8

                    p = 2^255 - 19, twisted Edwards

   The isogenous Montgomery curve for p = 2^255 - 19 is given by A =
   0x76D06.

      p    = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
               FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEC3
      d    = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
               FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD19F
      r    = 0x3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE2471A1
               CB46BE1CF61E4555AAB35C87920B9DCC4E6A3897D
      x(P) = 0x61B111FB45A9266CC0B6A2129AE55DB5B30BF446E5BE4C005763FFA
               8F33163406FF292B16545941350D540E46C206BDE
      y(P) = 0x82983E67B9A6EEB08738B1A423B10DD716AD8274F1425F56830F98F
               7F645964B0072B0F946EC48DC9D8D03E1F0729392
      h    = 0x4

                       p = 2^384 - 317, Edwards

   The isogenous Montgomery curve for p = 2^384 - 317 is given by A =
   0xB492.

9.  TLS NamedCurve Types

   As defined in [RFC4492], the name space NamedCurve is used for the
   negotiation of elliptic curve groups for key exchange during TLS
   session establishment. This document adds new NamedCurve types for
   the elliptic curves defined in this document:

      enum {
           ietfp255t1(TBD1),
           ietfp255x1(TBD2),
           ietfp384e1(TBD3),
           ietfp384x1(TBD4)
      } NamedCurve;

   These curves are suitable for use with Datagram TLS [RFC6347].

10.  Use with ECDSA

   The (twisted) Edwards curves generated by the procedure defined in
   this draft are suitable for use in signature algorithms such as
   ECDSA.
   In compliance with [RFC5480], which only supports named
   curves, namedCurve OIDs must be defined for the generated curves and
   points must be represented as (x,y) in either uncompressed or
   compressed format.

10.1.  Object Identifiers

   The following object identifiers represent the (twisted) Edwards
   domain parameter sets defined in this draft:

      ietfp255t1 OBJECT IDENTIFIER ::= {[TBDOID] 1}

      ietfp384e1 OBJECT IDENTIFIER ::= {[TBDOID] 2}

11.  Acknowledgements

   The authors would like to thank Tolga Acar, Karen Easterbrook and
   Brian LaMacchia for their contributions to the development of this
   draft.

12.  Security Considerations

   TBD

13.  Intellectual Property Rights

   The authors have no knowledge about any intellectual property rights
   that cover either the generation algorithms or the usage of the
   domain parameters defined herein.

14.  IANA Considerations

   IANA is requested to assign numbers for the curves listed in
   Section 9 in the "EC Named Curve" [IANA-TLS] registry of the
   "Transport Layer Security (TLS) Parameters" registry as follows:

             +-------+-------------+---------+-----------+
             | Value | Description | DTLS-OK | Reference |
             +-------+-------------+---------+-----------+
             | TBD1  | ietfp255t1  | Y       | this doc  |
             | TBD2  | ietfp255x1  | Y       | this doc  |
             | TBD3  | ietfp384e1  | Y       | this doc  |
             | TBD4  | ietfp384x1  | Y       | this doc  |
             +-------+-------------+---------+-----------+

                                Table 1

15.  References

15.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

15.2.  Informative References

   [AS]       Satoh, T. and K. Araki, "Fermat quotients and the
              polynomial time discrete log algorithm for anomalous
              elliptic curves", 1998.

   [EBP]      ECC Brainpool, "ECC Brainpool Standard Curves and Curve
              Generation", October 2005.

   [ECCP]     Bos, J., Halderman, J., Heninger, N., Moore, J., Naehrig,
              M., and E. Wustrow, "Elliptic Curve Cryptography in
              Practice", December 2013.

   [FPPR]     Faugere, J., Perret, L., Petit, C., and G. Renault, 2012.

   [IANA-TLS]
              IANA, "EC Named Curve Registry", 2014.

   [MSR]      Bos, J., Costello, C., Longa, P., and M. Naehrig,
              "Selecting Elliptic Curves for Cryptography: An Efficiency
              and Security Analysis", February 2014.

   [NIST]     National Institute of Standards, "Recommended Elliptic
              Curves for Federal Government Use", July 1999.

   [RFC3279]  Bassham, L., Polk, W., and R. Housley, "Algorithms and
              Identifiers for the Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 3279, April 2002.

   [RFC3552]  Rescorla, E. and B. Korver, "Guidelines for Writing RFC
              Text on Security Considerations", BCP 72, RFC 3552, July
              2003.

   [RFC4050]  Blake-Wilson, S., Karlinger, G., Kobayashi, T., and Y.
              Wang, "Using the Elliptic Curve Signature Algorithm
              (ECDSA) for XML Digital Signatures", RFC 4050, April 2005.

   [RFC4492]  Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B.
              Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites
              for Transport Layer Security (TLS)", RFC 4492, May 2006.

   [RFC4754]  Fu, D. and J. Solinas, "IKE and IKEv2 Authentication Using
              the Elliptic Curve Digital Signature Algorithm (ECDSA)",
              RFC 4754, January 2007.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
              May 2008.

   [RFC5480]  Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk,
              "Elliptic Curve Cryptography Subject Public Key
              Information", RFC 5480, March 2009.

   [RFC5753]  Turner, S. and D. Brown, "Use of Elliptic Curve
              Cryptography (ECC) Algorithms in Cryptographic Message
              Syntax (CMS)", RFC 5753, January 2010.

   [RFC6090]  McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic
              Curve Cryptography Algorithms", RFC 6090, February 2011.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, January 2012.

   [S]        Semaev, I., "Evaluation of discrete logarithms on some
              elliptic curves", 1998.

   [SC]       Bernstein, D. and T. Lange, "SafeCurves: choosing safe
              curves for elliptic-curve cryptography", June 2014.

   [SEC1]     Certicom Research, "SEC 1: Elliptic Curve Cryptography",
              September 2000.

   [Smart]    Smart, N., "The discrete logarithm problem on elliptic
              curves of trace one", 1999.

   [X9.62]    ANSI, "Public Key Cryptography for the Financial Services
              Industry, The Elliptic Curve Digital Signature Algorithm
              (ECDSA)", 2005.

Authors' Addresses

   Benjamin Black
   Microsoft
   One Microsoft Way
   Redmond, WA 98115
   US

   Email: benblack@microsoft.com


   Joppe W. Bos
   NXP Semiconductors
   Interleuvenlaan 80
   3001 Leuven
   Belgium

   Email: joppe.bos@nxp.com


   Craig Costello
   Microsoft Research
   One Microsoft Way
   Redmond, WA 98115
   US

   Email: craigco@microsoft.com


   Adam Langley
   Google Inc

   Email: agl@google.com


   Patrick Longa
   Microsoft Research
   One Microsoft Way
   Redmond, WA 98115
   US

   Email: plonga@microsoft.com


   Michael Naehrig
   Microsoft Research
   One Microsoft Way
   Redmond, WA 98115
   US

   Email: mnaehrig@microsoft.com
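
Added example, not part of the draft or its authors' code: GenerateCurveEdwards (Section 5.1.1) and GenerateGen (Section 6) for the Edwards case a = 1, run on the constructed prime p = 19 with brute-force point counting in place of the point-counting algorithm a real field size would need. The function names and the enforce_trace switch are assumptions of this example; of the Section 3 requirements only the trace of Frobenius check is implemented, and the MOV degree and CM discriminant checks are left out.

```python
# Added illustration, not from the draft; brute-force counting limits it to tiny primes.
def is_square(v, p):
    """True if v is a non-zero quadratic residue mod p (Euler's criterion)."""
    v %= p
    return v != 0 and pow(v, (p - 1) // 2, p) == 1

def is_prime(n):  # trial division, adequate only for the sizes used here
    return n > 1 and all(n % i for i in range(2, int(n ** 0.5) + 1))

def count_points(d, p):
    """#Ed(GF(p)) for x^2 + y^2 = 1 + d*x^2*y^2, d non-square (all points affine)."""
    total = 0
    for x in range(p):
        t = (1 - x * x) * (1 - d * x * x) % p  # same quadratic character as y^2
        total += 1 if t == 0 else 2 if is_square(t, p) else 0
    return total

def split_order(n):
    """Return (h, r) with n = h * r, h a power of two and r odd."""
    h = n & -n
    return h, n // h

def generate_curve_edwards(p, enforce_trace=True):
    """Search d = 1, -1, 2, -2, ... as in Section 5.1.1; returns (d, rd, rd')."""
    d = 0
    while d != -(p // 2):
        d = -d if d > 0 else -d + 1
        if d == -1 or is_square(d, p):         # d must be non-square and not -1
            continue
        n = count_points(d, p)
        (h, r), (ht, rt) = split_order(n), split_order(2 * p + 2 - n)  # curve, twist
        if enforce_trace and p + 1 - n in (0, 1):  # Section 3, requirement 2
            continue
        if h == ht == 4 and is_prime(r) and is_prime(rt):
            return d, r, rt
    return None

def ed_add(P, Q, d, p):
    """Complete Edwards addition law; no exceptional cases when d is non-square."""
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    x3 = (x1 * y2 + y1 * x2) * pow((1 + t) % p, -1, p) % p
    y3 = (y1 * y2 - x1 * x2) * pow((1 - t) % p, -1, p) % p
    return x3, y3

def ed_mul(k, P, d, p):  # double-and-add, not constant time
    R = (0, 1)                                 # neutral element
    while k:
        if k & 1:
            R = ed_add(R, P, d, p)
        P, k = ed_add(P, P, d, p), k >> 1
    return R

def generate_gen(p, d, rd):
    """Section 6 for a = 1: smallest x on the curve, y = min(s, p - s), G = 8 * (x, y)."""
    for x in range(1, p):
        num, den = (1 - x * x) % p, (1 - d * x * x) % p
        if not is_square(num * den, p):
            continue
        s = pow(num * pow(den, -1, p) % p, (p + 1) // 4, p)  # sqrt, since p = 3 mod 4
        G = ed_mul(8, (x, min(s, p - s)), d, p)
        if G != (0, 1) and ed_mul(rd, G, d, p) == (0, 1):    # order exactly rd
            return G
    return None

if __name__ == "__main__":
    print(generate_curve_edwards(19, enforce_trace=False))  # 19: constructed toy prime
    d, rd, _ = generate_curve_edwards(19)
    print(d, rd, generate_gen(19, d, rd))
```

With enforce_trace=False the search stops at d = 2, a curve with trace of Frobenius 0 that satisfies the cofactor and primality conditions of the loop but violates requirement 2 of Section 3. With the check enabled it returns d = -7 with rd = 3 and rd' = 7, and the generator (3, 11).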