<?xml version="1.0" encoding="US-ASCII"?>

<!--
    XML2RFC offers an include feature described in the XML2RFC README
    file.  That syntax, however, contradicts the DTD requirements to
    have <reference> elements within the <references> element, so an 
    XML parser is likely to find your XML file invalid.  It may be
    possible that XML2RFC will change their DTD so that the XML file
    remains valid when their style of include is used.

    In the meantime therefore, we use an alternative valid-XML approach
    to includes, which unfortunately require that define your includes
    at the beginning of the file. Since the biggest benefit of includes
    is for references, this requires that your references be defined in
    ENTITY clauses here before being "included" and cited elsewhere in
    the file.
  -->
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
	  <!ENTITY rfc2629 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2629.xml">
	  <!ENTITY rfc2863 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2863.xml">
	  <!ENTITY rfc3418 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3418.xml">
	  <!ENTITY rfc4181 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4181.xml">
	  <!ENTITY rfc2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
	  <!ENTITY rfc2578 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2578.xml">
	  <!ENTITY rfc2579 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2579.xml">
	  <!ENTITY rfc2580 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2580.xml">
	  <!ENTITY rfc3410 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3410.xml">
	  <!ENTITY rfc2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
	  ]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc toc="yes"?>
<?rfc symrefs="no"?>
<?rfc compact="no"?>
<?rfc subcompact="no"?>
<?rfc strict="no"?>
<?rfc rfcedstyle="yes"?>
<?rfc compact="yes"?>
<!--
    This template is for authors of IETF specifications containing MIB
    modules.  This template can be used as a starting point to produce
    specifications that comply with the Operations &amp; Management Area
    guidelines for MIB module documents.
  -->
<!--
    Throughout this template, the marker "<xref target='TODO' />" is used to indicate an
    element or text that requires replacement or removal.
  -->
<!-- Intellectual Property section -->
<!--
    The Intellectual Property section will be generated automatically by
    XML2RFC, based on the ipr attribute in the rfc element.
  -->
<!-- 

     <xref target='TODO' />For Internet-drafts, indicate which intellectual property notice 
     to use per the rules of RFC3978.
     Specify this in the ipr attribute.  The value can be:
     full3978 -
     noModification3978 -
     noDerivatives3978 -
     <xref target='TODO' /> Specify the category attribute per RFC2026 
     options are info, std, bcp, or exp.
     <xref target='TODO' /> if this memo updates an RFC, specify the RFC in the 
     "updates" attribute
     -->

<rfc category="info" submissionType="IETF" consensus="no" ipr="trust200902" docName="draft-kasamatsu-bncurves-01" >
  
  <front>
    
    <title abbrev="BN-Curves">Barreto-Naehrig Curves</title>

    
    <!-- see RFC2223 for guidelines regarding author names -->

    <author fullname="Kohei Kasamatsu" initials="K." 
            surname="Kasamatsu">
      <organization>NTT Software Corporation</organization>

      <address>
	<!--
            <postal>
              <street>Teisan Kannai Bldg. 209 Yamashita-cho, Naka-ku</street>

              <city>Yokohama-shi, Kanagawa 231-8551</city>

              <country>Japan</country>
            </postal>

            <phone>+81 45 212 7908</phone>
	    -->
        <email>kasamatsu.kohei-at-po.ntts.co.jp</email>
      </address>
    </author>
    
    <author fullname="Satoru Kanno" initials="S." 
            surname="Kanno">

      <organization>NTT Software Corporation</organization>

      <address>
	<!--
            <postal>
              <street>Teisan Kannai Bldg. 209 Yamashita-cho, Naka-ku</street>

              <city>Yokohama-shi, Kanagawa 231-8551</city>

              <country>Japan</country>
            </postal>

            <phone>+81 45 212 7908</phone>
	    -->
        <email>kanno.satoru-at-po.ntts.co.jp</email>
      </address>
    </author>
    <author fullname="Tetsutaro Kobayashi" initials="T." 
            surname="Kobayashi">

      <organization>NTT</organization>

      <address>
	<!--
            <postal>
              <street>Teisan Kannai Bldg. 209 Yamashita-cho, Naka-ku</street>

              <city>Yokohama-shi, Kanagawa 231-8551</city>

              <country>Japan</country>
            </postal>

            <phone>+81 45 212 7908</phone>
	    -->
        <email>kobayashi.tetsutaro-at-lab.ntt.co.jp</email>
      </address>
    </author>
    <author fullname="Yuto Kawahara" initials="Y." 
            surname="Kawahara">

      <organization>NTT</organization>

      <address>
	<!--
            <postal>
              <street>Teisan Kannai Bldg. 209 Yamashita-cho, Naka-ku</street>

              <city>Yokohama-shi, Kanagawa 231-8551</city>

              <country>Japan</country>
            </postal>

            <phone>+81 45 212 7908</phone>
	    -->
        <email>kawahara.yuto-at-lab.ntt.co.jp</email>
      </address>
    </author>
    
    <!-- <xref target='TODO' />: month and day will be generated automatically by XML2RFC; 
	 be sure the year is current.
      -->

    <date year="2014" />


    <workgroup></workgroup>

    <keyword>Elliptic Curve Cryptography, Barreto-Naehrig Curve</keyword>

    

    <abstract>
      <t>Elliptic curves with pairings are useful tools for constructing cryptographic primitives.
	In this memo, we specify domain parameters of Barreto-Naehrig curves (BN-curves) 
	<xref target="BN2006" />. The BN-curve is an elliptic curve suitable for pairings and allows us to achieve high security and 
	efficiency of cryptographic schemes. 
	This memo specifies domain parameters of two 254-bit BN-curves <xref target="BGMORT2010"/> <xref target="AKLGL2011"/>, chosen because they allow
	efficient implementations, and domain parameters of 224-, 256-, 384-, and 512-bit BN-curves
	which are compliant with ISO/IEC 15946-5 <xref target="ISO15946-5"/>.
	Furthermore, this memo describes the differences between the two types of sextic twist used with these curves: the M-type, used by the ISO document,
	and the D-type, often used in open source software <xref target="Aranha13"/>.
      </t>
    </abstract>

  </front>

  
  <middle>
    <section title="Introduction" anchor="introduction">
      <t>Elliptic curves with a special map called a pairing or bilinear map allow cryptographic primitives 
	to achieve functions or efficiency which cannot be realized by conventional mathematical tools. 
	There are identity-based encryption (IBE), attribute-based encryption (ABE), ZSS signature, broadcast encryption (BE)
	as examples of such primitives. IBE realizes powerful management of public keys by allowing us to use a trusted identifier as a public key.
	ABE provides a rich decryption condition based on boolean functions and attributes corresponding to a secret key or a ciphertext. 
	The ZSS signature produces shorter signatures than ECDSA. BE provides an efficient encryption procedure in a broadcast setting.</t>
      <t>Some of these cryptographic schemes based on elliptic curves with pairings were proposed in the IETF (e.g. <xref target="RFC5091"/>, 
	<xref target="RFC6508" />, and <xref target="I-D.draft-irtf-cfrg-zss"/>) and used in some protocols (e.g. <xref target="RFC5409"/>, 
	<xref target="RFC6267" />, <xref target="RFC6507"/>, <xref target="RFC6509"/>, and <xref target="RFC6539"/>).
	These cryptographic primitives will be used actively more in the IETF due to their functions or efficiency.</t>
      <t>We need to choose an appropriate type of elliptic curve and parameters for the pairing-based cryptographic schemes, 
	because the choice has great impact on security and efficiency of these schemes.
	However, an RFC on elliptic curves with pairings has not yet been provided in the IETF.</t>
      <t>In this memo, we specify domain parameters of Barreto-Naehrig curve (BN-curve) 
	<xref target="BN2006" />. The BN-curve allows us to achieve high security and efficiency with pairings due to an optimum
	embedding degree.
	This memo specifies domain parameters of two 254-bit BN-curves (<xref target="BGMORT2010"/> and <xref target="AKLGL2011"/>)
	because of these efficiencies.
	These BN-curves are known in the literature as efficient curves; in particular they allow
	efficient computation of the pairing, which is generally the slowest operation in pairing-based cryptography.
	There are optimized source codes of (<xref target="BGMORT2010"/> and <xref target="AKLGL2011"/>) 
	as open source software (<xref target="TEPLA"/> and <xref target="relic"/>), respectively. 
	Furthermore, this memo specifies domain parameters of 224-, 256-, 384-, and 512-bit curves
	which are compliant with the ISO document <xref target="ISO15946-5"/>, and describes the differences between the type of sextic twist
	used in the ISO document and the type commonly used in open source software, called M-type and D-type respectively <xref target="Aranha13"/>.
      </t>
    </section>

    <section title="Requirements Terminology">
      <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", 
	and "OPTIONAL" in this memo are to be interpreted as described in <xref target="RFC2119"/>. </t>
    </section>

    <section title="Preliminaries" anchor="preliminaries">
      <t>In this section, we introduce the definitions of elliptic curve and bilinear map, and the notation used in this memo.</t>
      <section title="Elliptic Curve" anchor="curve">
	<t>Throughout this memo, let p > 3 be a prime and F_p be the finite field with p elements.
	  A curve defined by an equation E of the following form is called an elliptic curve over F_p.</t>
	<figure>
	  <artwork>E : y^2 = x^3 + A*x + B such that A, B are in F_p, 
	    4 * A^3 + 27 * B^2 != 0 mod p</artwork>
	</figure>
	<t>Solutions (x,y) in F_p x F_p of the equation of E, together with the point at infinity, are called the F_p-rational points of E and are denoted E(F_p).
	  The set E(F_p) forms an additive group under the usual point addition.
	  Typically, a cyclic subgroup of prime order q with base point G in E(F_p) is used for cryptographic applications.
	  Furthermore, we define the terminology used in this memo as follows.</t>
	<t>
	  <list style="empty">
	    <t>O_E: the point at infinity over elliptic curve E.</t>
	    <t>#E(F_p): number of points on an elliptic curve E over F_p.</t>
	    <t>cofactor h: h =  #E(F_p)/q.</t>
	    <t>embedding degree k: the minimum positive integer k such that q is a divisor of p^k - 1, i.e. the order of p modulo q; for BN-curves k = 12.</t>
	  </list>
	</t>
      </section>
      <section title="Bilinear Map" anchor="pairing">
	<t>Let G_1 be an additive group of prime order q and let G_2 and G_T be additive and multiplicative groups, respectively, of the same order q.
	  Let P, Q be generators of G_1, G_2 respectively.
	  We say that (G_1, G_2, G_T) are asymmetric bilinear map groups if there exists a bilinear map e: G_1 x G_2 -> G_T
	  satisfying the following properties:
	</t>
	<t>
	  <list style="numbers">
	    <t>Bilinearity: for any S in G_1, for any T in G_2, for any a, b in Z_q, we have the relation e(aS, bT) = e(S,T)^{ab}.</t>
	    <t>Non-degeneracy: for any S in G_1, e(S,T) = 1 for any T in G_2 only if S = O_E.</t>
	    <t>Computability: for any S in G_1, for any T in G_2, the bilinear map is efficiently computable.</t>
	    <t>There exists an efficient, publicly computable isomorphism I: G_2 -> G_1 such that I(Q) = P.</t>
	  </list>
	</t>
	<t>For BN-curves, G_1 is the q-order cyclic subgroup of E(F_p) and G_2 is a q-order subgroup of E(F_{p^k}), where k is
	  the embedding degree of the curve; in this memo G_2 is represented via the sextic twist E'(F_{p^2}) (see <xref target="notations"/>).
	  The group G_T is the set of q-th roots of unity in the finite field F_{p^k}.
	  Note that for G_2 chosen in this way, no efficiently computable isomorphism I: G_2 -> G_1 as in property 4 is known in general;
	  a scheme whose security argument relies on that map should be re-examined before being instantiated with these curves.</t>
      </section>
    </section>

<!--
    <section title="Generation of Barreto-Naehrig Curves" anchor="generation-parameter">
      <t>In this section, we describe an algorithm for producing a BN-curve. The algorithm takes 
	as input the approximate desired size m of the order of the BN-curve in bits and upper bound (odd integer) p_max 
	for the definition field. The outputs the parameters (p,n,b,G) such that the elliptic curve y^2 = x^3 + b has 
	order n over F_p and the point G is a generator of the curve, where ceiling(t) means the smallest integer not less than t.
	For the details of algorithm, refer to <xref target="ISO15946-5"/>. Note that there are some methods for generating
	generator and this memo specfies a method which is compliant with the ISO document.
      </t>
      <t>
	<list style="numbers">
	  <t>Let P(j) = 36 * j^4 + 36 * j^3 + 24 * j^2 + 6 * j + 1.</t>

	  <t>Compute the smallest u which is approximately equal to  2^{m/4} such that ceiling(log_2 P(-j)) = m.</t>

	  <t>Compute t = 6 * j^2 + 1, p = P(-j), and n = p + 1 - t.</t>

	  <t>If p and n are prime, go to Step 10.</t>

	  <t>Compute p = P(j) and n = p + 1 - t.</t>

	  <t>If p and n are prime, go to Step 10.</t>

	  <t>Compute j = j + 1.</t>

	  <t>If p &lt;= p_max, go to Step 3.</t>

	  <t>Abort and output fail.</t>

	  <t>If there is no divisor d of n - 1 s.t. (log n)^2 &lt; d &lt; n^{1/2} and 
	    there is no divisor e of n + 1 s.t. (log n)^2 &lt; e &lt; n^{1/2}, go to Step1.</t>

	  <t>Set b = 0.</t>

	  <t>If b + 1 is not represented by b + 1 = y_0^2 mod p for an integer y_0, compute b = b + 1 and go to Step 12.</t>

	  <t>Compute y_0 = (b + 1)^{1/2} mod p.</t>

	  <t>Set G = (1,y_0).</t>

	  <t>If n * G is not O_E, compute b = b + 1 and go to Step 12.</t>

	  <t>Output p, n, b, and G.</t>
	</list> 
      </t>
    </section>
-->

    <section title="Domain Parameter Specification" anchor="domain-parameter">
      <t>In this section, this memo specifies the domain parameters for two 254-bit elliptic curves which allow us to efficiently compute the operation of a pairing 
	at high levels of security and domain parameters for 224, 256, 384, and 512-bit elliptic curves which are compliant with the ISO document 
	<xref target="ISO15946-5"/>. </t>

      <section title="Notation for Domain Parameters and Types of Sextic Twists" anchor="notations">
	<t>Here, we define notations for specifying domain parameters and explain types of pairing friendly curves.</t>
	<t>Domain parameters of the elliptic curve E(F_p) and of E(F_{p^12}) are needed for computation of the pairing.
	  Barreto and Naehrig proposed a method of point and pairing compression that represents points of G_2 on a sextic twist E'(F_{p^2})
	  and maps them into E(F_{p^12}) by a map I, instead of working in E(F_{p^12}) directly. This method is generally used with BN-curves,
	  and this memo follows it. For the details of the method, refer to <xref target="BN2006"/>.</t>
	<t>Pairing-friendly curves are classified into two types, called D-type and M-type <xref target="Aranha13"/>.
	  The D-type sextic twist curve is defined by the equation y'^2 = x'^3 + b/s when the elliptic curve E(F_p) is y^2 = x^3 + b and
	  the representation of F_{p^12} is F_{p^2}[u]/(u^6 - s), where s is in F_{p^2}^*.
	  Let z be a root of u^6 - s, where z is in F_{p^12}. The corresponding map I: E'(F_{p^2}) -> E(F_{p^12}) is
	  (x', y') -> (z^2 * x', z^3 * y').
	  <!--Notice that x = z^2 * x' is in F_{p^6} and y = z^3 * y' is in F_{p^4}.--> </t>
	<t>The M-type sextic twist curve is defined by the equation y'^2 = x'^3 + b * s when the elliptic curve E(F_p) is y^2 = x^3 + b and
	  the representation of F_{p^12} is F_{p^2}[u]/(u^6 - s), where s is in F_{p^2}^*.
	  The corresponding map I: E'(F_{p^2}) -> E(F_{p^12}) is (x', y') -> (x' * s^{-1} * z^4, y' * s^{-1} * z^3), with z^6 = s. </t>
	<!--Also, since any element of F_{p^12} has the form a_5 * z^5 + a_4 * z^4 + a_3 * z^3 + a_2 * z^2 + a 1 * z + a_0.-->
	<t>These domain parameters are described in the following way.</t>
	<t>
	  <list style="empty">
	    <t>Curve-ID is an identifier with which the curve can be referenced.</t>

	    <t>p_b is a prime specifying base field.</t>

	    <t>p_e is the irreducible polynomial over F_{p_b} defining the extension field F_{p^2} over which the twist E' is defined.</t>
	  </list>
	</t>
	<t>For elliptic curve E</t>
	<t>
	  <list style="empty">
	    <t>A and B are the coefficients of the equation y^2 = x^3 + A * x + B
	      mod p defining E.</t>

	    <t>G = (x,y) is the base point, i.e., a point with x and y being its x- and y-coordinates in E, respectively.</t>

	    <t>q is the prime order of the group generated by G.</t>

	    <t>h is the cofactor of G in E</t>
	  </list>
	</t>
	<t>For twisted curve E'</t>
	<t>
	  <list style="empty">
	    <t>A' and B' are the coefficients of the equation y'^2 = x'^3 + A' * x' + B'
	      over F_{p^2} defining E'.</t>

	    <t>G' = (x',y') is the base point, i.e., a point with x' and y' being its x'- and y'-coordinates in E', respectively.</t>

	    <t>q' is the prime order of the group generated by G'.</t>

	    <t>h' is the cofactor of G' in E'</t>
	  </list>
	</t>
      </section>

      <section title="Efficient Domain Parameters for 254-Bit-Curves " anchor="curve254">
	<t>
	  In this section, this memo specifies the domain parameters for two 254-bit elliptic curves with D-type twists,
	  which allow more efficient implementations than the parameters of the ISO document.
	</t>
	<section title="Domain Parameters by Beuchat et al." anchor="curve254a">
	  <t>Here, we describe the domain parameters for the 254-bit elliptic curve of <xref target="BGMORT2010"/> with a D-type twist.</t>
	  <!--
	      The selections of j and s improve arithmetic associated with base and extension field and save cost of bilinear map.
	    -->
	  <t>
	    The domain parameters described in this subsection are defined by the elliptic curve E(F_p) : y^2 = x^3 + 5 and the sextic twist
	    E'(F_{p^2}) : y'^2 = x'^3 + 5/s = x'^3 - u, where F_{p^2} = F_{p}[u]/(u^2 + 5), F_{p^6} = F_{p^2}[v]/(v^3 - u), F_{p^12} = F_{p^6}[w]/(w^2 - v),
	    and s = -5/u, so that 5/s = -u. We describe the domain parameters of the elliptic curves E and E'.
	    For the details of these parameters, refer to <xref target="BGMORT2010"/>.
	  </t>
	  <t>
	    <list style="empty">
	      <t>Curve-ID: Fp254BNa</t>

	      <t>p_b = 0x2370fb049d410fbe4e761a9886e502417d023f40180000017e80600000
		000001</t>	

	      <t>A = 0</t>	

	      <t>B = 5</t>	

	      <t>x = 1</t>	

	      <t>y = 0xd45589b158faaf6ab0e4ad38d998e9982e7ff63964ee1460342a592677cc
		cb0</t>	

	      <t>q = 0x2370fb049d410fbe4e761a9886e502411dc1af70120000017e8060000000
		0001</t>

	      <t>h = 1</t>	
	    </list>
	  </t>
	  <t>
	    <list style="empty">
	      <t>Curve-ID: Fp254n2BNa</t>

	      <t>p_b = 0x2370fb049d410fbe4e761a9886e502417d023f40180000017e80600000
		000001</t>

	      <t>p_e = u^2 + 5 over p_b</t>	

	      <t>A' = 0</t>	

	      <t>B' = - u</t>	

	      <t>x' = 0x19b0bea4afe4c330da93cc3533da38a9f430b471c6f8a536e81962ed967
		909b5 + (0xa1cf585585a61c6e9880b1f2a5c539f7d906fff238fa6341e1de1a2
		e45c3f72) u</t>	

	      <t>y' = 0x17abd366ebbd65333e49c711a80a0cf6d24adf1b9b3990eedcc91731384
		d2627 + (0x0ee97d6de9902a27d00e952232a78700863bc9aa9be960c32f5bf9fd
		0a32d345) u</t>	

	      <t>q' = 0x2370fb049d410fbe4e761a9886e502411dc1af70120000017e806000000
		00001</t>	

	      <t>h' = 0x2370fb049d410fbe4e761a9886e50241dc42cf101e0000017e806000000
		00001</t>

	    </list>
	  </t>
	  <!--	<t>
		<list style="empty">
		  <t>Curve-ID: Fp254n2BN</t>

		  <t>p_b = 2370fb049d410fbe4e761a9886e502417d023f40180000017e8060000000
		    0001</t>

		  <t>p_e = u^2 + 5 over p_b</t>	

		  <t>A = 0</t>	

		  <t>B = -u</t>	

		  <t>x = 0x19B0BEA4AFE4C330DA93CC3533DA38A9F430B471C6F8A536E81962ED9679
		    09B5 + 0xA1CF585585A61C6E9880B1F2A5C539F7D906FFF238FA6341E1DE1A2E4
		    5C3F72u</t>	

		  <t>y = 0x17ABD366EBBD65333E49C711A80A0CF6D24ADF1B9B3990EEDCC91731384D
		    2627 + 0xEE97D6DE9902A27D00E952232A78700863BC9AA9BE960C32F5BF9FD0A
		    32D345u</t>	

		  <t>q = 2370fb049d410fbe4e761a9886e502411dc1af70120000017e806000000000
		    01</t>	

		  <t>h = 2370fb049d410fbe4e761a9886e50241dc42cf101e0000017e806000000000
		    01</t>
		</list>
		</t>
	    -->
	</section>
	<section title="Domain Parameters by Aranha et al." anchor="curve254b">
	  <t>Here, we describe the domain parameters for the 254-bit elliptic curve of <xref target="AKLGL2011"/> with a D-type twist.</t>
	  <t>
	    The domain parameters described in this subsection are defined by the elliptic curve E(F_p) : y^2 = x^3 + 2 and the sextic twist
	    E'(F_{p^2}) : y'^2 = x'^3 + 2/s = x'^3 + 1 - u, where F_{p^2} = F_p[u]/(u^2 + 1), F_{p^6} = F_{p^2}[v]/(v^3 - (1+u)), F_{p^12} = F_{p^6}[w]/(w^2 - v),
	    and s = 1 + u, so that 2/s = 2 * (1 - u)/((1 + u) * (1 - u)) = 1 - u since u^2 = -1. We describe the domain parameters of the elliptic curves E and E'.
	    For the details of these parameters, refer to <xref target="AKLGL2011"/>.
	  </t>
	  <t>
	    <list style="empty">
	      <t>Curve-ID: Fp254BNb</t>

	      <t>p_b = 0x2523648240000001ba344d80000000086121000000000013a700000000
		000013</t>

	      <t>A = 0</t>	

	      <t>B = 2</t>	

	      <t>x = 0x2523648240000001ba344d80000000086121000000000013a70000000000
		0012</t>	

	      <t>y = 1</t>

	      <t>q = 0x2523648240000001ba344d8000000007ff9f800000000010a10000000000
		000d</t>

	      <t>h = 1</t>	
	    </list>
	  </t>
	  <t>
	    <list style="empty">
	      <t>Curve-ID: Fp254n2BNb</t>

	      <t>p_b = 0x2523648240000001ba344d80000000086121000000000013a700000000
		000013</t>

	      <t>p_e = u^2 + 1 over p_b</t>	

	      <t>A' = 0</t>	

	      <t>B' = 1 + (0x2523648240000001ba344d80000000086121000000000013a70000
		0000000012) u</t>	

	      <t>x' = 0x061a10bb519eb62feb8d8c7e8c61edb6a4648bbb4898bf0d91ee4224c80
		3fb2b +(0x0516aaf9ba737833310aa78c5982aa5b1f4d746bae3784b70d8c34c1
		e7d54cf3)u </t>

	      <t>y' = 0x021897a06baf93439a90e096698c822329bd0ae6bdbe09bd19f0e07891c
		d2b9a + (0x0ebb2b0e7c8b15268f6d4456f5f38d37b09006ffd739c9578a2d1ae
		c6b3ace9b) u</t>

	      <t>q' = 0x2523648240000001ba344d8000000007ff9f800000000010a1000000000
		0000d</t>

	      <t>h' = 0x2523648240000001ba344d8000000008c2a2800000000016ad000000000
		00019</t>
	    </list>
	  </t>
	</section>
      </section>
      <section title="Domain Parameters Based on ISO Document"  anchor="various-level">
	<t>Here, we describe the domain parameters for 224-, 256-, 384-, and 512-bit elliptic curves which are compliant with the ISO document
  	  and are based on the M-type twist.
	  The domain parameters described in the subsections below are defined by the elliptic curve E(F_p): y^2 = x^3 + 3
	  and the sextic twist E'(F_{p^2}): y'^2 = x'^3 + 3 * s, where F_{p^2} = F_p[X]/(X^2 + 1), F_{p^12} = F_{p^2}[X]/(X^6 - s),
	  and s = 1 + X with X denoting the root of X^2 + 1 in F_{p^2}. Only the parameters of the elliptic curves E are given here; no base point on E' is specified.
	  Detailed information on these domain parameters is given in <xref target="ISO15946-5"/>.</t>
	<section title="Domain Parameters for 224-Bit Curves" anchor="curve224">
	  <t>
	    <list style="empty">
	      <t>Curve-ID: Fp224BN</t>

	      <t>p_b = 0xfffffffffff107288ec29e602c4520db42180823bb907d1287127833</t>

	      <t>A = 0</t>	

	      <t>B = 3</t>	

	      <t>x = 1</t>	

	      <t>y = 2</t>	

	      <t>q = 0xfffffffffff107288ec29e602c4420db4218082b36c2accff76c58ed</t>

	      <t>h = 1</t>	
	    </list>
	  </t>
	</section>
	<section title="Domain Parameters for 256-Bit Curves" anchor="curve256">
	  <t>
	    <list style="empty">

	      <t>Curve-ID: Fp256BN</t>

	      <t>p_b = 0xfffffffffffcf0cd46e5f25eee71a49f0cdc65fb12980a82d3292ddbae
		d33013</t>

	      <t>A = 0</t>	

	      <t>B = 3</t>	

	      <t>x = 1</t>	

	      <t>y = 2</t>	

	      <t>q = 0xfffffffffffcf0cd46e5f25eee71a49e0cdc65fb1299921af62d536cd10b
		500d</t>

	      <t>h = 1</t>	
	    </list>
	  </t>
	</section>
	<section title="Domain Parameters for 384-Bit Curves" anchor="curve384">
	  <t>
	    <list style="empty">
	      <t>Curve-ID: Fp384BN</t>

	      <t>p_b = 0xfffffffffffffffffff2a96823d5920d2a127e3f6fbca024c8fbe29531
		892c79534f9d306328261550a7cabd7cccd10b</t>

	      <t>A = 0</t>	

	      <t>B = 3</t>	

	      <t>x = 1</t>	

	      <t>y = 2</t>	

	      <t>q = 0xfffffffffffffffffff2a96823d5920d2a127e3f6fbca023c8fbe2953189
		2c795356487d8ac63e4f4db17384341a5775</t>

	      <t>h = 1</t>	
	    </list>
	  </t>
	</section>

	<section title="Domain Parameters for 512-Bit Curves" anchor="curve512">
	  <t>
	    <list style="empty">
	      <t>Curve-ID: Fp512BN</t>

	      <t>p_b = 0xfffffffffffffffffffffffffff9ec7f01c60ba1d8cb5307c0bbe3c111
		b0ef455146cf1eacbe98b8e48c65deab236fe1916a55ce5f4c6467b4eb280922ad
		ef33</t>
	      <!-- NOTE(review): the previous text contained a non-hexadecimal character
		   ("l") at the position "236fe?916a", read here as the digit 1. Confirm this
		   value against ISO/IEC 15946-5 and check that it is prime before use. -->

	      <t>A = 0</t>	

	      <t>B = 3</t>	

	      <t>x = 1</t>	

	      <t>y = 2</t>	

	      <t>q = 0xfffffffffffffffffffffffffff9ec7f01c60ba1d8cb5307c0bbe3c111b0
		ef445146cf1eacbe98b8e48c65deab2679a34a10313e04f9a2b406a64a5f519a09
		ed</t>

	      <t>h = 1</t>	
	    </list>
	  </t>
	</section>
	<section title="Differences between D-Type and M-Type on ISO parameters" anchor="differences_between_types">
	  <t>Although the ISO document is based on the M-type twist, open source software is often based on the D-type twist, and implementers need to be aware of the differences.
	    Hence we also describe the D-type form of the elliptic curves of the ISO document <xref target="ISO15946-5"/>.
	    The elliptic curve E(F_p) is defined by the equation y^2 = x^3 + 3 and the sextic twist E'(F_{p^2}) is defined by y'^2 = x'^3 + 3/s,
	    where F_{p^2} = F_p[X]/(X^2 + 1), F_{p^12} = F_{p^2}[X]/(X^6 - s), 1/s = -8 + 8 * i, and i denotes the root of X^2 + 1 in F_{p^2} (so i^2 = -1).
	    Detailed information on these domain parameters is given in <xref target="BN2006"/>.</t>
	</section>
      </section>
    </section>
    <section title="Object Identifiers" anchor="oid">
      <t>We need to define the following object identifiers.
	Which organization is suitable for the allotment of these object identifiers?
	</t>
      <!--
      <t>The root of the tree for the object identifiers defined in this
	specification is given by:</t>
      <t>
	<list style="empty">
	  <t>
	    OBJECT IDENTIFIER::= {TBD}
	  </t>
	</list>
      </t>
      <t> The object identifier ellipticCurve represents the tree for domain
	parameter sets.  It has the following value:</t>
      <t>
	<list style="empty">
	  <t>
	    OBJECT IDENTIFIER ::= {TBD}
	  </t>
	</list>
      </t>
      <t>
	The tree containing the object identifiers for each set of domain
	parameters defined in this RFC is:</t>
    <t>
      <list style="empty">
	<t>
	  OBJECT IDENTIFIER ::= {TBD}
	</t>
      </list>
    </t>
    <t>
      The following object identifiers represent the domain parameter sets
      defined in this RFC:
    </t>
    -->
      <t>
	<list style="empty">
	  <t>Fp254BNa OBJECT IDENTIFIER ::= {TBD}</t>

	    <t>Fp254n2BNa OBJECT IDENTIFIER ::= {TBD}</t>

	    <t>Fp254BNb OBJECT IDENTIFIER ::= {TBD}</t>

	    <t>Fp254n2BNb OBJECT IDENTIFIER ::= {TBD}</t>

	    <t>Fp224BN OBJECT IDENTIFIER ::= {TBD}</t>

	    <t>Fp256BN OBJECT IDENTIFIER ::= {TBD}</t>

	    <t>Fp384BN OBJECT IDENTIFIER ::= {TBD}</t>

	    <t>Fp512BN OBJECT IDENTIFIER ::= {TBD}</t>
	  </list>
	</t>
    </section>      
    <section anchor="Security" title="Security Considerations">
      <t>The elliptic curves specified in this memo are intended to provide the hardness of the problems listed below with a
	security margin against the attacks listed below. These properties hold only for the exact parameter values; implementations
	SHOULD validate transcribed domain parameters before use, at least by checking that p_b and q (q') are prime, that G (G') lies on E (E'),
	and that q * G = O_E (q' * G' = O_E'), since a single transcription error in the hexadecimal values of <xref target="domain-parameter"/> silently voids every claim in this section.
	Furthermore, because the cofactor h' of E'(F_{p^2}) is large (see <xref target="curve254"/>), a point received on E' is not necessarily in the
	q'-order subgroup G_2; implementations SHOULD check subgroup membership of received points (e.g. q' * P' = O_E') before using them in a pairing.</t>
      <t>Pairing-based cryptographic primitives are often based on the hardness of the following problems, so when the elliptic curves from
	this memo are used in such schemes, these problems apply.
	(For details of the problems, refer to Section 2 of <xref target="Cheon06"/>.) </t>
      <t>
	<list style="empty">
	  <t>The elliptic curve discrete logarithm problem (ECDLP)</t>
	  <t>The elliptic curve computational Diffie-Hellman problem (ECDHP)</t>
	  <t>The bilinear Diffie-Hellman problem (BDHP)</t>
	  <t>The elliptic curve discrete logarithm problem with auxiliary inputs (ECDLP with auxiliary inputs)</t>
	</list>
      </t>
      <t>Algorithms to efficiently solve the problems above, aside from special cases, are unknown.
	The main generic attacks against elliptic curves with pairings are the Pollard-rho algorithm <xref target="Pollard78"/> against points of the elliptic curve and
	the Number Field Sieve method <xref target="JLSV06"/> against the output of the pairing in F_{p^k}.</t>
      <t>The Smart, Semaev, and Satoh-Araki algorithms <xref target="SA98"/> and the Cheon algorithm <xref target="Cheon06"/>
	are the main algorithms that improve efficiency in specific cases.
	The Smart, Semaev, and Satoh-Araki algorithms, proposed independently, solve the ECDLP in polynomial time in the anomalous case #E(F_p) = p;
	the curves in this memo avoid this case since q != p for every curve listed. The Cheon algorithm <xref target="Cheon06"/> is against the ECDLP with auxiliary inputs.
	It is prevented by satisfying the following condition, where n = q is the prime order of the group generated by G (h = 1 for the curves E in this memo).</t>
      <t>
	<list style="empty">
	  <t>there is no divisor d of n - 1 s.t. (log n)^2 &lt; d &lt; n^{1/2} and 
	    there is no divisor e of n + 1 s.t. (log n)^2 &lt; e &lt; n^{1/2}</t>
	</list>
      </t>
      <t>Table 1 lists the security level of the elliptic curves described in this memo, following the estimates of <xref target="BGMORT2010"/> and <xref target="AKLGL2011"/>.
	These figures rest on the best known attacks named above, namely Pollard-rho on the curve groups and the Number Field Sieve on F_{p^12};
	any improvement to the latter directly lowers the level claimed for a curve, so implementers should consult current estimates before relying on these numbers.
	Table 1 also lists 128 bits for Fp384BN and Fp512BN; as these entries are not derived from the two cited papers, they should be confirmed against <xref target="ISO15946-5"/> before use.
	Schemes based on these elliptic curves must be combined with cryptographic primitives whose security level is similar to or greater than that of the scheme.</t>
	<figure  align="center">
	  <artwork>
	    |  Curve-ID  | Security Level (bits) |
	    --------------------------------------
        |  Fp224BN   |          112          |
        |  Fp254BNa  |          128          |   
        |  Fp254BNb  |          128          |   
        |  Fp256BN   |          128          |   
        |  Fp384BN   |          128          |   
        |  Fp512BN   |          128          |   
	   </artwork>
	</figure>
	<t>Table 1: security level of elliptic curve specified in this memo</t>
      </section>
      <section title="Acknowledgements">
	<t>This memo was inspired by the content and structure of <xref target="RFC5639" />.</t>
      </section>
      <section title="Change log">
	<t>NOTE TO RFC EDITOR: Please remove this section before final RFC publication.</t>
      </section>

<!--
      <section title="Intellectual Property Rights">
	<t>The authors have no knowledge about any intellectual property rights
	  that cover the usage of the domain parameters defined herein.
	  However, readers should be aware that implementations based on these
	  domain parameters may require use of inventions covered by patent
	  rights.</t>
      </section>
-->      
      <!-- The Author's Addresses section will be generated automatically by XML2RFC from the front information -->

    </middle>
    
    
    

    <back>
      <!-- References Section -->

      <!-- Section 4.7f of <xref target='RFC2223bis' /> specifies the requirements for the
	   references sections.  In particular, there MUST be separate lists of
	   normative and informative references, each in a separate section.
	   The style SHOULD follow that of recently published RFCs.

	   The standard MIB boilerplate available at
	   http://www.ops.ietf.org/mib-boilerplate.html includes lists of
	   normative and informative references that MUST appear in all IETF
	   specifications that contain MIB modules.  If items from other MIB
	   modules appear in an IMPORTS statement in the Definitions section,
	   then the specifications containing those MIB modules MUST be included
	   in the list of normative references.  When items are imported from an
	   IANA-maintained MIB module the corresponding normative reference
	   SHALL point to the on-line version of that MIB module.  It is the
	   policy of the RFC Editor that all references must be cited in the
	   text;  such citations MUST appear in the overview section where
	   documents containing imported definitions (other those already
	   mentioned in the MIB boilerplate) are required to be mentioned (cf.
	   Section 3.2).

	   In general, each normative reference SHOULD point to the most recent
	   version of the specification in question.
	-->
      <references title="Normative References">
	<reference anchor="BGMORT2010">
          <front>
            <title>High-Speed Software Implementation of the Optimal Ate Pairing over Barreto-Naehrig Curves</title>
            <author initials="J. L." surname="Beuchat">
	      <organization></organization>
            </author>
            <author initials="J. E." surname="Gonzalez-Diaz">
	      <organization></organization>
            </author>
            <author initials="S." surname="Mitsunari">
	      <organization></organization>
            </author>
            <author initials="E." surname="Okamoto">
	      <organization></organization>
            </author>
            <author initials="F." surname="Rodriguez-Henriquez">
	      <organization></organization>
            </author>
            <author initials="T." surname="Teruya">
	      <organization></organization>
            </author>
            <date month="" year="2010"/>
          </front>
	  <seriesInfo name="Proceedings" value="Lecture Notes in Computer Science; Pairing-Based Cryptography -- Pairing 2010"/>
	</reference>

	<reference anchor="AKLGL2011">
          <front>
            <title>Faster Explicit Formulas for Computing Pairings over Ordinary Curves</title>
            <author initials="D. L." surname="Aranha">
	      <organization></organization>
            </author>
            <author initials="K." surname="Karabina">
	      <organization></organization>
            </author>
            <author initials="P." surname="Longa">
	      <organization></organization>
            </author>
            <author initials="C. H." surname="Gebotys">
	      <organization></organization>
            </author>
            <author initials="F." surname="Rodriguez-Henriquez">
	      <organization></organization>
            </author>
            <author initials="J." surname="Lopez">
	      <organization></organization>
            </author>
            <date month="" year="2011"/>
          </front>
	  <seriesInfo name="Proceedings" value="Lecture Notes in Computer Science; EUROCRYPT -- EUROCRYPT 2011"/>
	</reference>

	<reference anchor="ISO15946-5">
	  <front>
	    <title>
	      Information technology -- Security techniques -- Cryptographic techniques based on elliptic curves --
	      Part 5: Elliptic curve generation
	    </title>
	    <author>
	      <organization>International Organization for Standardization</organization>
	    </author>
	    <date month="" year="2009"/>
	  </front>
	  <seriesInfo name="ISO/IEC" value="15946-5"/>
	</reference>

	<reference anchor="RFC2119">
	  <front>
	    <title>Key words for use in RFCs to Indicate Requirement Levels</title>
	    <author initials='S.' surname='Bradner'>
	      <organization /></author>
	    <date year='1997' month='March' />
	  </front>
	  <seriesInfo name='RFC' value='2119' />
	  <format type='TXT' target='http://www.rfc-editor.org/rfc/rfc2119.txt' />
	</reference>
      </references>

      <references title="Informative References">
	<reference anchor="BN2006">
          <front>
            <title>Pairing-Friendly Elliptic Curves of Prime Order</title>
            <author initials="P. S. L. M." surname="Barreto">
	      <organization></organization>
            </author>
            <author initials="M." surname="Naehrig">
	      <organization></organization>
            </author>
            <date month="" year="2006"/>
          </front>
	  <seriesInfo name="Proceedings" value="Lecture Notes in Computer Science; 3897 in Selected Areas in Cryptography -- SAC 2005"/>
	</reference>

	<reference anchor="RFC5091">
	  <front>
	    <title>Identity-Based Cryptography Standard (IBCS) #1: Supersingular Curve Implementations of the BF and BB1 Cryptosystems</title>
	    <author initials='X.' surname='Boyen'>
	      <organization /></author>
	    <author initials='L.' surname='Martin'>
	      <organization /></author>
	    <date year='2007' month='December' />
	  </front>
	  <seriesInfo name='RFC' value='5091' />
	  <format type='TXT' octets='75993' target='http://www.rfc-editor.org/rfc/rfc5091.txt' />
	</reference>

	<reference anchor="RFC6508">
	  <front>
	    <title>Sakai-Kasahara Key Encryption (SAKKE)</title>
	    <author initials='M.' surname='Groves'>
	      <organization /></author>
	    <date year='2012' month='February' />
	  </front>
	  <seriesInfo name='RFC' value='6508' />
	  <format type='TXT' target='http://www.rfc-editor.org/rfc/rfc6508.txt' />
	</reference>

	<reference anchor="I-D.draft-irtf-cfrg-zss">
	  <front>
	    <title>ZSS Short Signature Scheme for Supersingular and BN Curves</title>
	    <author initials='L.' surname='Hitt'>
	      <organization /></author>
	    <date year='2013' month='' />
	  </front>
	  <seriesInfo value="draft-irtf-cfrg-zss-02" name="Internet-Draft"/>
	  <format target="http://www.ietf.org/id/draft-irtf-cfrg-zss-02.txt" type="TXT"/>
	</reference>

<!--
	<reference anchor="I-D.draft-hitt-zssbn-02">
	  <front>
	    <title>ZSS Short Signature Scheme for Supersingular and BN Curves</title>
	    <author initials='L.' surname='Hitt'>
	      <organization /></author>
	    <date year='2013' month='' />
	    <seriesInfo name="Proceedings" value="IETF Internet Draft, http://tools.ietf.org/id/draft-irtf-cfrg-zss-02.txt"/>
	  </front>
	  <format type='TXT' target='http://tools.ietf.org/id/draft-irtf-cfrg-zss-02.txt' />
	</reference>
-->
	<reference anchor="RFC5409">
	  <front>
	    <title>Using the Boneh-Franklin and Boneh-Boyen Identity-Based Encryption
              Algorithms with the Cryptographic Message Syntax (CMS)</title>
	    <author initials='L.' surname='Martin'>
	      <organization /></author>
	    <author initials='M.' surname='Schertler'>
	      <organization /></author>
	    <date year='2009' month='January' />
	  </front>
	  <seriesInfo name='RFC' value='5409' />
	  <format type='TXT' target='http://www.rfc-editor.org/rfc/rfc5409.txt' />
	</reference>

	<reference anchor="RFC6267">
	  <front>
	    <title>MIKEY-IBAKE: Identity-Based Authenticated Key Exchange (IBAKE) Mode of
              Key Distribution in Multimedia Internet KEYing (MIKEY)</title>
	    <author initials='V.' surname='Cakulev'>
	      <organization /></author>
	    <author initials='G.' surname='Sundaram'>
	      <organization /></author>
	    <date year='2011' month='June' />
	  </front>
	  <seriesInfo name='RFC' value='6267' />
	  <format type='TXT' target='http://www.rfc-editor.org/rfc/rfc6267.txt' />
	</reference>

	<reference anchor="RFC6507">
	  <front>
	    <title>Elliptic Curve-Based Certificateless Signatures
              for Identity-Based Encryption (ECCSI)</title>
	    <author initials='M.' surname='Groves'>
	      <organization /></author>
	    <date year='2012' month='February' />
	  </front>
	  <seriesInfo name='RFC' value='6507' />
	  <format type='TXT' target='http://www.rfc-editor.org/rfc/rfc6507.txt' />
	</reference>

	<reference anchor="RFC6509">
	  <front>
	    <title>MIKEY-SAKKE: Sakai-Kasahara Key Encryption in
              Multimedia Internet KEYing (MIKEY)</title>
	    <author initials='M.' surname='Groves'>
	      <organization /></author>
	    <date year='2012' month='February' />
	  </front>
	  <seriesInfo name='RFC' value='6509' />
	  <format type='TXT' target='http://www.rfc-editor.org/rfc/rfc6509.txt' />
	</reference>

	<reference anchor="RFC6539">
	  <front>
	    <title>IBAKE: Identity-Based Authenticated Key Exchange</title>
	    <author initials='V.' surname='Cakulev'>
	      <organization /></author>
	    <author initials='G.' surname='Sundaram'>
	      <organization /></author>
	    <author initials='I.' surname='Broustis'>
	      <organization /></author>
	    <date year='2012' month='March' />
	  </front>
	  <seriesInfo name='RFC' value='6539' />
	  <format type='TXT' target='http://www.rfc-editor.org/rfc/rfc6539.txt' />
	</reference>

	<reference anchor="Cheon06">
          <front>
            <title>Security Analysis of the Strong Diffie-Hellman Problem</title>
            <author initials="J." surname="Cheon">
	      <organization></organization>
            </author>
            <date month="" year="2006"/>
          </front>
	  <seriesInfo name="Proceedings" value="Lecture Notes in Computer Science; 4004 in Advances in Cryptology -- EUROCRYPT 2006"/>
	</reference>

	<reference anchor="JLSV06">
          <front>
            <title>The number field sieve in the medium prime case</title>
            <author initials="A." surname="Joux">
	      <organization></organization>
            </author>
            <author initials="R." surname="Lercier">
	      <organization></organization>
            </author>
            <author initials="P." surname="Smart">
	      <organization></organization>
            </author>
            <author initials="F." surname="Vercauteren">
	      <organization></organization>
            </author>
            <date month="" year="2006"/>
          </front>
	  <seriesInfo name="Proceedings" value="Lecture Notes in Computer Science; 4117 -- CRYPTO 2006"/>
	</reference>

	<reference anchor="Pollard78">
          <front>
            <title>Monte Carlo Methods for Index Computation (mod p)</title>
            <author initials="J." surname="Pollard">
	      <organization></organization>
            </author>
            <date month="" year="1978"/>
          </front>
	  <seriesInfo name="Proceedings" value="Mathematics of Computation, Vol.32"/>
	</reference>

	<reference anchor="SA98">
          <front>
            <title>Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves</title>
            <author initials="T." surname="Satoh">
	      <organization></organization>
            </author>
            <author initials="K." surname="Araki">
	      <organization></organization>
            </author>
            <date month="" year="1998"/>
          </front>
	  <seriesInfo name="Proceedings" value="Comm. Math. Univ. Sancti Pauli 47"/>
	</reference>

	<reference anchor="RFC5639">
	  <front>
	    <title>Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation</title>
	    <author initials='M.' surname='Lochter'>
	      <organization /></author>
	    <author initials='J.' surname='Merkle'>
	      <organization /></author>
	    <date year='2010' month='March' />
	  </front>
	  <seriesInfo name='RFC' value='5639' />
	  <format type='TXT' target='http://www.rfc-editor.org/rfc/rfc5639.txt' />
	</reference>

	<reference anchor="TEPLA" target="http://www.cipher.risk.tsukuba.ac.jp/tepla/index_e.html">
	  <front>
	    <title>University of Tsukuba Elliptic Curve and Pairing Library</title>
	    <author fullname="University of Tsukuba"></author>
            <date year="2013"/>
	  </front>
	</reference>

	<reference anchor="relic" target="https://code.google.com/p/relic-toolkit/">
	  <front>
	    <title>RELIC is an Efficient LIbrary for Cryptography</title>
	    <author initials="D. F." surname="Aranha"></author>
	    <author initials="C. P. L." surname="Gouv&#234;a"></author>
	    <date year="2013"/>
	  </front>
	</reference>

	<reference anchor="Aranha13">
          <front>
            <title>The Realm of the Pairings</title>
            <author initials="D. F." surname="Aranha">
	      <organization></organization>
            </author>
            <author initials="P. S. L. M." surname="Barreto">
	      <organization></organization>
            </author>
            <author initials="P." surname="Longa">
	      <organization></organization>
            </author>
            <author initials="J. E." surname="Ricardini">
	      <organization></organization>
            </author>
            <date month="" year="2013"/>
          </front>
	  <seriesInfo name="Proceedings" value="SAC 2013, to appear"/>
	</reference>

<!--
	<reference anchor="TEPLA">
	  <front>
	    <title>University of Tsukuba Elliptic Curve and Pairing Library</title>
	    <author initials="C." surname="University of Tsukuba">
	      <organization /></author>
	    <date year='2010' month='March' />
	  </front>
	  <format type='TXT' target='http://www.cipher.risk.tsukuba.ac.jp/tepla/index_e.html'/>
	</reference>

	<reference anchor="relic">
	  <front>
	    <title>RELIC is an Efficient LIbrary for Cryptography</title>
	    <author initials="D. F." surname="Aranha"/>
	      <organization /></author>
	    <author initials="C. P. L." surname="Gouv"/>
	      <organization /></author>
	    <date year='2010' month='March' />
	  </front>
	  <format type='TXT' target='https://code.google.com/p/relic-toolkit/' />
	</reference>
-->
      </references>
    </back>
  </rfc>