Addition Elliptic Curves for IETF protocols
draft-ladd-safecurves-00
The information below is for an old version of the document.
| Document | Type |
This is an older version of an Internet-Draft whose latest revision state is "Expired".
|
|
|---|---|---|---|
| Author | Watson Ladd | ||
| Last updated | 2014-01-08 | ||
| RFC stream | (None) | ||
| Formats | |||
| Additional resources | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-ladd-safecurves-00
Internet Draft W. Ladd
<draft-ladd-safecurves-00.txt> Grad Student
Category: Informational UC Berkeley
Expires 9 July 2014 5 January 2014
Addition Elliptic Curves for IETF protocols
<draft-ladd-safecurves-00.txt>
Status of this Memo
Distribution of this memo is unlimited.
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on date.
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Abstract
This internet draft contains curves whose Jacobians are groups over
Ladd, Watson Expires 9 July 2014 [Page 1]
Internet Draft ladd-safecurves 8 January 2014
which the Decisional Diffie-Hellman problem is hard, and which have
implementation advantages.
Ladd, Watson Expires 9 July 2014 [Page 2]
Internet Draft ladd-safecurves 8 January 2014
Table of Contents
1. Introduction ....................................................3
2. The curves .......................................................
1. Introduction
This document contains a set of elliptic curves over prime fields
with many security advantages.
2. The Curves
Each curve is given by an equation and a basepoint, together with an
order. All curves are elliptic. Validation information is given at
[SAFECURVES]. The names given in this document indicate the family.
Curve25519 is a curve over GF(2^255-19), formula y^2=x^3+486662x^2+x,
basepoint (9, 147816194475895447910205935684099868872646
06134616475288964881837755586237401), order 2^252 +
27742317777372353535851937790883648493.
E-382 is a curve over GF(2^382-15), formula x^2+y^2=1-6725254x^2y^2,
basepoint (3914921414754292646847594472454013487047
137431784830634731377862923477302047857640522480241
298429278603678181725699, 17), order 2^380 -
1030303207694556153926491950732314247062623204330168346855
M-383 is a curve over GF(2^383-187), forumla y^2=x^3+2065150x^2+x,
basepoint (12,
473762340189175399766054630037590257683961716725770372563038
9791524463565757299203154901655432096558642117242906494), order 2^380
+ 166236275931373516105219794935542153308039234455761613271
Curve383187 is a curve over GF(2^383-187), formula
y^2=x^3+229969x^2+x, basepoint (5,
4759238150142744228328102229734187233490253962521130945928672202
662038422584867624507245060283757321006861735839455), order 2^380 +
356080847217269887368687156533236720299699248977882517025
Curve3617 is a curve over GF(2^414-17), formula x^2+y^2=1+3617x^2y^2,
basepoint
(17319886477121189177719202498822615443556957307604340815256226
171904769976866975908866528699294134494857887698432266169206165, 34),
order 2^411 -
33364140863755142520810177694098385178984727200411208589594759
M-511 is a curve over GF(2^511-187), formula y^2 = x^3+530438x^2+x,
basepoint (5,
Ladd, Watson Expires 9 July 2014 [Page 3]
Internet Draft ladd-safecurves 8 January 2014
25004106455650724233689811491392132522115686851736085900709792642
48275228603899706950518127817176591878667784247582124505430745177
116625808811349787373477), order 2^508 +
107247547596357476240445315140681218420707566274348330289655408
08827675062043
3. Security Considerations
This entire document discusses methods of implementing cryptography
securely. The time for an attacker to break the DLP on these curves
is the square root of the group order with the best known attacks.
Curves of Edwards form are best when addition is required, those of
Montgomery form make excellent candidates for Diffie-Hellman key
agrement on the Kummer surface. Explicit formulas are in the
Explicit-Formula Database [EFD].
4. IANA Considerations
IANA should maintain a registry of these curves, calling them
safecurve-XXXX where XXX is the curve identifier.
5. References
[SAFECURVES] safecurves.cr.yp.to
[EFD] http://www.hyperelliptic.org/EFD/g1p/index.html
Author Addresses
Watson Ladd
watsonbladd@gmail.com
Berkeley, CA
Ladd, Watson Expires 9 July 2014 [Page 4]