Elliptic Curves for Security
RFC 7748
| Field | Value |
|---|---|
| Document type | RFC - Informational (January 2016; Errata). Was draft-irtf-cfrg-curves (cfrg RG) |
| Last updated | 2016-07-06 |
| Replaces | draft-agl-cfrgcurve |
| Stream | IRTF |
| Formats | plain text, pdf, htmlized with errata, bibtex |
| IETF conflict review | conflict-review-irtf-cfrg-curves |
| IRTF state | Published RFC |
| Consensus Boilerplate | Yes |
| Document shepherd | Alexey Melnikov |
| IESG state | RFC 7748 (Informational) |
| Telechat date | (none) |
| Responsible AD | (None) |
| Send notices to | (None) |
| IANA review state | Version Changed - Review Needed |
| IANA action state | No IANA Actions |
Internet Research Task Force (IRTF)                         A. Langley
Request for Comments: 7748                                      Google
Category: Informational                                     M. Hamburg
ISSN: 2070-1721                           Rambus Cryptography Research
                                                             S. Turner
                                                                 sn3rd
                                                          January 2016

Elliptic Curves for Security

Abstract

This memo specifies two elliptic curves over prime fields that offer a high level of practical security in cryptographic applications, including Transport Layer Security (TLS). These curves are intended to operate at the ~128-bit and ~224-bit security level, respectively, and are generated deterministically based on a list of required properties.

Status of This Memo

This document is not an Internet Standards Track specification; it is published for informational purposes.

This document is a product of the Internet Research Task Force (IRTF). The IRTF publishes the results of Internet-related research and development activities. These results might not be suitable for deployment. This RFC represents the consensus of the Crypto Forum Research Group of the Internet Research Task Force (IRTF). Documents approved for publication by the IRSG are not a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7748.

Copyright Notice

Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

Langley, et al.               Informational                    [Page 1]

RFC 7748               Elliptic Curves for Security        January 2016

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Requirements Language  . . . . . . . . . . . . . . . . . . .   3
   3.  Notation . . . . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  Recommended Curves . . . . . . . . . . . . . . . . . . . . .   4
     4.1.  Curve25519 . . . . . . . . . . . . . . . . . . . . . . .   4
     4.2.  Curve448 . . . . . . . . . . . . . . . . . . . . . . . .   5
   5.  The X25519 and X448 Functions  . . . . . . . . . . . . . . .   7
     5.1.  Side-Channel Considerations  . . . . . . . . . . . . . .  10
     5.2.  Test Vectors . . . . . . . . . . . . . . . . . . . . . .  11
   6.  Diffie-Hellman . . . . . . . . . . . . . . . . . . . . . . .  14
     6.1.  Curve25519 . . . . . . . . . . . . . . . . . . . . . . .  14
     6.2.  Curve448 . . . . . . . . . . . . . . . . . . . . . . . .  15
   7.  Security Considerations  . . . . . . . . . . . . . . . . . .  15
   8.  References . . . . . . . . . . . . . . . . . . . . . . . . .  16
     8.1.  Normative References . . . . . . . . . . . . . . . . . .  16
     8.2.  Informative References . . . . . . . . . . . . . . . . .  17
   Appendix A.  Deterministic Generation  . . . . . . . . . . . . .  19
     A.1.  p = 1 mod 4  . . . . . . . . . . . . . . . . . . . . . .  20
     A.2.  p = 3 mod 4  . . . . . . . . . . . . . . . . . . . . . .  21
     A.3.  Base Points  . . . . . . . . . . . . . . . . . . . . . .  21
   Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . .  22
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . .  22

1. Introduction

Since the initial standardization of Elliptic Curve Cryptography (ECC [RFC6090]) in [SEC1], there has been significant progress related to both efficiency and security of curves and implementations. Notable examples are algorithms protected against certain side-channel attacks, various "special" prime shapes that allow faster modular arithmetic, and a larger set of curve models from which to choose. There is also concern in the community regarding the generation and potential weaknesses of the curves defined by NIST [NIST].

This memo specifies two elliptic curves ("curve25519" and "curve448") that lend themselves to constant-time implementation and an exception-free scalar multiplication that is resistant to a wide range of side-channel attacks, including timing and cache attacks. They are Montgomery curves (where v^2 = u^3 + A*u^2 + u) and thus have birationally equivalent Edwards versions. Edwards curves support the fastest (currently known) complete formulas for the
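The constant-time, exception-free scalar multiplication the Introduction refers to is the u-coordinate Montgomery ladder that Section 5 of the RFC specifies for X25519. The following is an added Python rendering of that procedure for study, not text or code from the RFC itself; it assumes the Curve25519 parameters the RFC gives (p = 2^255 - 19, A = 486662, base point u = 9), and because Python integers are not constant-time it illustrates the algorithm rather than serving as a production implementation.

```python
P = 2**255 - 19   # Curve25519 field prime
A24 = 121665      # (A - 2) / 4 for the Montgomery coefficient A = 486662
BITS = 255        # the ladder always runs 255 steps, whatever the scalar

def decode_scalar25519(k: bytes) -> int:
    # Clamping: clear the 3 low bits (removes cofactor-8 components),
    # clear bit 255 and set bit 254 so every scalar has the same length
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")

def decode_u_coordinate(u: bytes) -> int:
    # The top bit of the last byte is masked off and ignored (RFC 7748, Sec. 5)
    u = bytearray(u)
    u[31] &= 127
    return int.from_bytes(u, "little")

def cswap(swap: int, a: int, b: int) -> tuple:
    # Branch-free conditional swap: the mask is all ones exactly when swap == 1
    dummy = (-swap) & (a ^ b)
    return a ^ dummy, b ^ dummy

def x25519(k_bytes: bytes, u_bytes: bytes) -> bytes:
    k, x1 = decode_scalar25519(k_bytes), decode_u_coordinate(u_bytes)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(BITS - 1, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    # u = x2 / z2 via Fermat inversion; z2 == 0 (point at infinity) yields 0
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def x25519_public_key(private_key: bytes) -> bytes:
    # Public key = X25519(private, base point u = 9), 32 little-endian bytes
    return x25519(private_key, (9).to_bytes(32, "little"))
```

A Diffie-Hellman run is `x25519(my_private, peer_public)` on both sides; RFC 7748 Section 6.1 adds that implementations SHOULD reject an all-zero result, which this code does not do.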