Internet DRAFT - draft-ladd-safecurves
draft-ladd-safecurves
Internet Draft W. Ladd
<draft-ladd-safecurves-04.txt> Grad Student
Category: Informational UC Berkeley
Expires 29 September 2014 28 March 2014
Additional Elliptic Curves for IETF protocols
<draft-ladd-safecurves-04.txt>
Status of this Memo
Distribution of this memo is unlimited.
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on 9 July 2014.
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Abstract
This Internet Draft explains the mathematics behind and the
Ladd, Watson Expires 29 September 2014 [Page 1]
�
Internet Draft ladd-safecurves 28 March 2014
parameters of a new family of elliptic curves with efficiency and
security advantages over existing and widely deployed mechanisms.
Ladd, Watson Expires 29 September 2014 [Page 2]
�
Internet Draft ladd-safecurves 28 March 2014
Table of Contents
1. Introduction ....................................................3
2. Explicit Formulas ...............................................3
3. The Curves ......................................................6
4. Point Encoding ..................................................9
Design Considerations ...........................................
5. Security Considerations .........................................9
6. IANA Considerations .............................................9
7. Acknowledgments ................................................9
8. References .....................................................10
1. Introduction
This document contains a set of elliptic curves over prime fields
with many security and performance advantages. They are twist-secure,
have large prime-order subgroups, high embedding degree, endomorphism
rings of large discriminant, complete formulas, and primes selected
for fast arithmetic. The reader who wishes to learn more about these
properties and their necessity is refered to [SILVERMAN] and
[SAFECURVES].
These curves have been generated in a rigid manner by computer
search. As such there is very little risk that these curves were
selected to exhibit weaknesses to attacks not in the open literature.
The field is the only free choice, and in all circumstances has been
picked to enable highly efficient arithmetic. Proofs of all
properties claimed exist in [SAFECURVES]. It is easier to avoid known
implementation issues with these curves then short Weierstrass
curves.
2. Algorithms and protocols
We assume the reader is familiar with bignum arithmetic. If not
[COHEN] is the resource to consider.
The elliptic-curve Diffie-Hellman key agreement protocol on a curve
with basepoint g of cofactor h and order q is as follows:
Alice picks a random integer a from the range [1,q-1], computes
[a*h]g, and transmits it to Bob.
Bob picks a random integer b from the range [1,q-1], computes [b*h]g,
and transmits it to Alice.
Both Alice and Bob determine [a*b*h^2]g, Alice as [a*h]([b*h]g), and
likewise for Bob. This can be hashed to give a short shared secret.
So far nothing that has been said depends on the curve shape. On
Ladd, Watson Expires 29 September 2014 [Page 3]
�
Internet Draft ladd-safecurves 28 March 2014
Montgomery curves, curves of the form y^2=x^3+Bx^2+x, one drops the y
coordinate, and so does not distinguish between P and -P. This is
called taking the Kummer variety, and enables faster arithmetic.
On Montgomery curves, curves of the form y^2=x^3+a*x^2+x, the typical
technique is to work over the Kummer variety instead, i.e. drop y
coordinates for use in Diffie-Hellman. Let (X1,Z1), (X2,Z2), (X3,Z3)
be coordinates such that X1/Z1, X2/Z2, X3/Z3 are the x coordinates of
Q-P, P, and Q respectively. Then the equations
A = X2+Z2
AA = A^2
B = X2 - Z2
BB = B^2
E = AA - BB
C = X3 + Z3
D = X3 - Z3
DA = D*A
CB = C*B
X5 = Z1*(DA+CB)^2
Z5 = X1*(DA-CB)^2
X4 = AA*BB
Z4 = E*(BB+a24*E)
gives X4/Z4 as the x coordinate of [2]P, and X5/Z5 as the x
coordinate of P+Q where a24=(a+2)/4. If in calculating [n](X, Z), Z
of the result is zero, this indicates that [n](X,Z) is the point at
infinity, and so the result has x-coordinate 0.
These equations originally appeared in [MONTGOMERY].
To use this to calculate multiplication on the Kummer variety, the
following routine will work to calculate [n]P, given the x coordinate
of P, if [n]P is not the identity of the group. For ECDH this routine
is adequate as returning 0 for the identity is acceptable and does
not lose security.
1: Intilize P_0=[1,0], and P_1=[x_P,1]
2: Iterate over the bits of n from most to least significant
2.1: If the bit is 0, let P_1=P_1+P_0, P_0=2P_0
2.2: If the bit is 1, let P_0=P_1+P_0, P_1=2P_1
3: Write [x_f, z_f]=P_0
4: If z_f is 0, return 0. Otherwise return x_f/z_f.
Note that the difference between P_1 and P_0 is always [x_P, 1], so
the differential addition formula above suffices and in fact Z1 the
constant 1. In implementing the above algorithm the conditionals
should be implemented by means of constant time conditional swaps
rather than jumps to avoid timing and control flow attacks. n should
be represented with a fixed number of bits to further minimize timing
Ladd, Watson Expires 29 September 2014 [Page 4]
�
Internet Draft ladd-safecurves 28 March 2014
information. Skipping initial zeros is a terrible idea.
The final division can be written as x_f*z_f^(p-1), which will be
correct in all cases.
When using this algorithm, no checks on the x coordinate are required
for the Montgomery curves in this standard: they are designed to
resist all attacks that involve transmitting an invalid x coordinate
in the above algorithm.
On (twisted) Edwards curves, curves of the form a*x^2+y^2=1+d*x^2y^2,
a complete addition formula, which works for doubling as well, is
given by representing points in projective coordinates. The formula
for adding (X1, Y1, Z1) to (X2, Y2, Z2) is then
A = Z1*Z2
B = A^2
C = X1*X2
D = Y1*Y2
E = d*C*D
F = B-E
G = B+E
X3 = A*F*((X1+Y1)*(X2+Y2)-C-D)
Y3 = A*G*(D-a*C)
Z3 = F * G
These formulas are from the [EFD], reporting results in [BL07]. Every
point on an Edwards curve can be represented, so Z=0 does not occur.
This formula can be used for doubling also by letting (X1,Y1,Z1)=
(X2,Y2,Z2). For most of the curves with the exception of Ed25519 a=1,
saving a multiplication.
The Montgomery ladder algorithm from above will work with this
addition and doubling, taking care to represent points as triples,
and check that points lie on the curve going into and out of the
routine. To convert from projective coordinates one takes x=X/Z,
y=Y/Z, and to convert affine to projective one takes (x,y,1).
The above algorithms are not the only algorithms possible. One can
use alternative parameterizations such as inverted Edwards
coordinates to make point operations cheaper, alternative algorithms
such as radix-k or sliding window methods to reduce the number of
additions and increase the number of doublings, and isogenies to
transform Montgomery curves into Edwards curves to take advantage of
these techniques. However, implementors should take care to avoid
timing and cache side-channels when implementing any of these
techniques. More information on some of these techniques is in
[TWIST].
Ladd, Watson Expires 29 September 2014 [Page 5]
�
Internet Draft ladd-safecurves 28 March 2014
3. The Curves
These curves were selected as follows: first a field was picked which
because of its form permits specialized, faster arithmetic. Then the
curve shape was selected, either Edwards or Montgomery. Lastly, a
computer search was made for the smallest parameter that would let
the curve satisfy security criteria.
One curve, Ed25519, is isomorphic to Curve25519 but is not of the
above form. It is included because of the desire for a curve of size
approximately 2^250 on which addition makes sense for use in
signature schemes.
Since the field GF(p) has no subfields, Weil restriction is not a
concern. The curves not only needed to have a large prime order
subgroup, but the quadratic twist of the curve needed to as well. The
curves also had to satisfy equations prohibiting the existence of
bilinear maps into small fields as well as have no efficiently
evaluatable endomorphisms beyond the negation map.
Because of the curve shapes being used, exceptional cases are less of
an issue then with short Weierstrass curves.
Each curve is given by an equation and a basepoint, together with the
order of the point and the cofactor.
Curve1174 is a curve over GF(2^251-9), formula x^2+y^2=1-1174x^2y^2,
basepoint (158261909772591154195454700645373976338109
1388846394833492296309729998839514,
30375380136041545047641157286514376465
19513534305223422754827055689195992590), order 2^249 -
11332719920821432534773113288178349711, cofactor 4.
Curve25519 is a curve over GF(2^255-19), formula y^2=x^3+486662x^2+x,
basepoint (9, 147816194475895447910205935684099868872646
06134616475288964881837755586237401), order 2^252 +
27742317777372353535851937790883648493, cofactor 8.
Ed25519 is a curve over GF(2^255-19), formula-x^2+y^2=1-
(121665/121666)x^2y^2, basepoint (x, 4/5), where x is less then p/2.
For reference, in the field 2^255-19,
121665/121666=20800338683988658368647408995589388737092878452
977063003340006470870624536394,
4/5=463168356949264781694283940034751631413079938662562256
15783033603165251855960, and the quoted x is
15112221349535400772501151409588531511454012693041857206046113283949
847762202.
Ladd, Watson Expires 29 September 2014 [Page 6]
�
Internet Draft ladd-safecurves 28 March 2014
E382 is a curve over GF(2^382-105), formula x^2+y^2=1-67254x^2y^2,
basepoint (3914921414754292646847594472454013487047
137431784830634731377862923477302047857640522480241
298429278603678181725699, 17), order 2^380 -
1030303207694556153926491950732314247062623204330168346855, cofactor
4.
M383 is a curve over GF(2^383-187), formula y^2=x^3+2065150x^2+x,
basepoint (12,
473762340189175399766054630037590257683961716725770372563038
9791524463565757299203154901655432096558642117242906494), order 2^380
+ 166236275931373516105219794935542153308039234455761613271, cofactor
8.
Curve3617 is a curve over GF(2^414-17), formula x^2+y^2=1+3617x^2y^2,
basepoint
(17319886477121189177719202498822615443556957307604340815256226
171904769976866975908866528699294134494857887698432266169206165, 34),
order 2^411 -
33364140863755142520810177694098385178984727200411208589594759,
cofactor 8.
Ed448-Goldilocks is a curve over GF(2^448-2^224-1), formula
x^2+y^2=1-39081x^2y^2, basepoint
(1178121612634369467372824843433100646651805353570163734168790821
47939404277809514858788439644911793978499419995990477371552926
308078495, 19), order 2^446 -
13818066809895115352007386748515426880336692474882178609894547503885,
cofactor 4.
M511 is a curve over GF(2^511-187), formula y^2 = x^3+530438x^2+x,
basepoint (5,
25004106455650724233689811491392132522115686851736085900709792642
48275228603899706950518127817176591878667784247582124505430745177
116625808811349787373477), order 2^508 +
107247547596357476240445315140681218420707566274348330289655408
08827675062043, cofactor 8.
E521 is a curve over GF(2^521-1), formula x^2+y^2=1-376014x^2y^2,
basepoint
(1571054894184995387535939749894317568645297350402905821437625
18115230499438118852963259119606760410077267392791511426719338990
5003276673749012051148356041324, 12), order 2^519 -
3375547632585017057891076304187826360719049612140512266186351500
85779108655765, cofactor 4.
4. Point Encoding
Ladd, Watson Expires 29 September 2014 [Page 7]
�
Internet Draft ladd-safecurves 28 March 2014
We begin by noting that if (b_0, b_1, ... b_{n}) is a sequence of
bytes, that \sum_{i=0}^n b_i*256^i is an integer, and every integer
up to 256^{n+1} can be represented this way. This is the little-
endian representation of an integer, and is unique for a given
integer.
Let (x,y) be a point on M(GF_p), where M is a Montgomery curve. Then
let l be the minimal number of bytes to represent x in little-endian.
A point is represented as l-bytes, representing in little-endian
radix 256 the minimal representative of [x] modulo p. This
representation works for the standard x-coordinate only arithmetic
for ECDH, but cannot be used for protocols requiring addition.
Let (x,y) be a point on E(GF_p), where E is an Edwards curve or
twisted Edwards curve. Let l be the minimial number of bytes to
represent a value of size up to p-1 with the top bit free.
Concretely, if the next power of two above p is 256 to some power, we
need an extra byte, otherwise we do not.
Define the sign bit of x to be one if the encoding of x in little-
endian is lexographically larger then that of -x, and zero otherwise.
Concretely the sign bit one elements of F_q are {1,3,5,... q-2}.
A point is represented as l bytes, l representing in little-endian
radix 256 the minimal representative of [y] modulo p, and the top bit
of the top byte set to equal the sign bit of x. Because we have
always ensured that there is extra room in l than is strictly
required to represent y, we have room for the top bit to be set.
Point encoding is clear in both cases. To decode a point on an
Edwards curve with parameter d, one takes the y value and computes
the valuex^2, then takes the square root. Methods for taking the
square root are sadly highly prime-dependent, but [COHEN] contains a
large number of options. If the square root does not exist, the
encoding is invalid and no further operations should be performed
with the provided data.
These point encodings were selected to be compatible with the
existing high speed software for Curve25519 and Ed25519.
5. Design Considerations
These curves were selected to satisfy a few criteria. First off each
prime is of a form enabling fast software implementations for
arithmetic modulo that prime. Secondly, the prime shapes are picked
so that the addition and doubling formulas have no exceptions. This
ensures that software doesn't have to deal with invalid points
appearing the middle of an operation, leaking information to an
Ladd, Watson Expires 29 September 2014 [Page 8]
�
Internet Draft ladd-safecurves 28 March 2014
attacker. Thirdly the curve shapes have exceptionally fast formulas.
Fourthly, the parameters of the curves are minimal, except for
Ed25519, ensuring fast arithmetic and rigidity in picking the curve.
Ed25519 is isomorphic to Curve25519, and is useful in implementations
taking advantage of radix-k algorithms or when signatures using a
group of size around 2^250 are required.
Curve25519 implementations using these techniques have set speed
records for ECDH at the 125 bit security level, and signature speed
records. Other curves have not yet been implemented in this manner,
but it is assumed that when mature optimized code is written it will
perform similarly.
For a protocol to use these curves, both parties must agree on which
curves are being used, and on an encoding. The encoding in this
document is highly recommended. Once this is decided, the protocol
need only specify the arithmetic to be done on the points exchanged,
and need not specify how that arithmetic is to be done.
6. Security Considerations
This entire document discusses methods of implementing cryptography
securely. The time for an attacker to break the DLP on these curves
is the square root of the group order with the best known attacks.
These curves are twist-secure, limiting the impact of wrong-curve
attacks on Montgomery ladders.
It is recommended that implementors use the Montgomery ladder on
Montgomery curves with x coordinate only to avoid timing attacks when
Diffie-Hellman is being used. In this mode, curve checks are not
required. On Edwards curves, standard curve (but not group)
membership checks are required for ECDH to be secure. Implementors
should pay attention to the cofactor in the discussion of ECDH in
section 2, and avoid forgetting the cofactor. While the impact is
slight, it should still be avoided.
These curves and cited formulas are complete, avoiding certain
attacks against naive implementations of ECC protocols. They have
cofactor greater than one, occasionally requiring slight adjustments
to protocols such as using multiples of the cofactor as keys for ECDH
or similar representations for signature schemes. These adjustments
are protocol-specific.
This is not an exhaustive discussion of security considerations
relating to the implementation of these curves. Implementors must be
familiar with cryptography to safely implement any cryptographic
standard, and this standard is no exception.
Ladd, Watson Expires 29 September 2014 [Page 9]
�
Internet Draft ladd-safecurves 28 March 2014
6. IANA Considerations
IANA should assign OIDs to these curves.
7. Acknowledgments
Thanks to Alyssa Rowan and Robert Ransom for catching transcription
and formula errors. Paul Lambert was the guinea pig for
implementation guidelines. Paul Hoffman noticed the cofactor was
missing. Manuel Pegourie-Gonnard noticed suboptimal formulas and
corrected them, as well as inadvertent misstatements and
underspecifications. Thanks to David McGrew for providing editorial
support. Thanks to the various members of the CFRG who provided
advice on the text, and to Michael Hamburg for discussing adaptation
of the point encoding to Ed448-Goldilocks. Jeff "=JeffH" Hodges
recommended Silverman as a reference. Ilari Liusvaara noticed
infelicities of language.
8. References
[BL07] Bernstein, Daniel J and Tanja Lange. ``Faster addition and
doubling on elliptic curves.'' Pages 29-50 in Kurosawa, Advances in
Cryptology:ASIACRYPT 2007. Lecture Notes in Computer Science 4833,
Springer-Verlag Berlin, 2007.
[COHEN] Cohen, Henri. A Course in Computational Algebraic Number
Theory, GTM 138, Springer-Verlag, 1993.
[EFD] Lange, Tanja. Explicit Formula Database.
http://www.hyperelliptic.org/EFD/g1p/index.html
[MONTGOMERY] Montgomery, Peter L. ``Speeding the Pollard and elliptic
curves methods of factorization''. Mathematics of Computation 48
(1987), 243-264. MR 88e:11130.
[SAFECURVES] Berstein, Daniel J, and Tanja Lange. Safecurves.
safecurves.cr.yp.to
[SILVERMAN] Silverman, Joseph H. The Arithmetic of Elliptic Curves,
GTM 106. Springer-Verlag Berlin, 2009.
[TWIST] Bernstein, Daniel J, Peter Birkner, Marc Joye, Tanja Lange,
and Christiane Peters. ``Twisted Edwards Curves''. In Vaudany, Serg.
Avances in Cryptology:AFRICACRYPT 2008. Lecture Notes in Computer
Science 5023. Springer-Verlag, Berlin 2008. Preprint from
http://eprint.iacr.org/2008/013.pdf
Author's Address
Ladd, Watson Expires 29 September 2014 [Page 10]
�
Internet Draft ladd-safecurves 28 March 2014
Watson Ladd
watsonbladd@gmail.com
Berkeley, CA
Ladd, Watson Expires 29 September 2014 [Page 11]
