Elliptic Curves for Security
RFC 7748
Document Type RFC - Informational (January 2016; Errata)
Last updated 2016-07-06
Replaces draft-agl-cfrgcurve
Stream IRTF
Formats plain text pdf htmlized with errata bibtex
IETF conflict review conflict-review-irtf-cfrg-curves
Stream IRTF state Published RFC
Consensus Boilerplate Yes
Document shepherd Alexey Melnikov
IESG IESG state RFC 7748 (Informational)
Telechat date
Responsible AD (None)
Send notices to (None)
IANA IANA review state Version Changed - Review Needed
IANA action state No IANA Actions
Email authors Email RG IPR References Referenced by Nits 
Internet Research Task Force (IRTF)                           A. Langley
Request for Comments: 7748                                        Google
Category: Informational                                       M. Hamburg
ISSN: 2070-1721                             Rambus Cryptography Research
                                                               S. Turner
                                                                   sn3rd
                                                            January 2016

                      Elliptic Curves for Security

Abstract

   This memo specifies two elliptic curves over prime fields that offer
   a high level of practical security in cryptographic applications,
   including Transport Layer Security (TLS).  These curves are intended
   to operate at the ~128-bit and ~224-bit security level, respectively,
   and are generated deterministically based on a list of required
   properties.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Research Task Force
   (IRTF).  The IRTF publishes the results of Internet-related research
   and development activities.  These results might not be suitable for
   deployment.  This RFC represents the consensus of the Crypto Forum
   Research Group of the Internet Research Task Force (IRTF).  Documents
   approved for publication by the IRSG are not a candidate for any
   level of Internet Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7748.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Langley, et al.               Informational                     [Page 1]
RFC 7748              Elliptic Curves for Security          January 2016

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Requirements Language . . . . . . . . . . . . . . . . . . . .   3
   3.  Notation  . . . . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  Recommended Curves  . . . . . . . . . . . . . . . . . . . . .   4
     4.1.  Curve25519  . . . . . . . . . . . . . . . . . . . . . . .   4
     4.2.  Curve448  . . . . . . . . . . . . . . . . . . . . . . . .   5
   5.  The X25519 and X448 Functions . . . . . . . . . . . . . . . .   7
     5.1.  Side-Channel Considerations . . . . . . . . . . . . . . .  10
     5.2.  Test Vectors  . . . . . . . . . . . . . . . . . . . . . .  11
   6.  Diffie-Hellman  . . . . . . . . . . . . . . . . . . . . . . .  14
     6.1.  Curve25519  . . . . . . . . . . . . . . . . . . . . . . .  14
     6.2.  Curve448  . . . . . . . . . . . . . . . . . . . . . . . .  15
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .  15
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  16
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .  16
     8.2.  Informative References  . . . . . . . . . . . . . . . . .  17
   Appendix A.  Deterministic Generation . . . . . . . . . . . . . .  19
     A.1.  p = 1 mod 4 . . . . . . . . . . . . . . . . . . . . . . .  20
     A.2.  p = 3 mod 4 . . . . . . . . . . . . . . . . . . . . . . .  21
     A.3.  Base Points . . . . . . . . . . . . . . . . . . . . . . .  21
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  22
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  22

1.  Introduction

   Since the initial standardization of Elliptic Curve Cryptography (ECC
   [RFC6090]) in [SEC1], there has been significant progress related to
   both efficiency and security of curves and implementations.  Notable
   examples are algorithms protected against certain side-channel
   attacks, various "special" prime shapes that allow faster modular
   arithmetic, and a larger set of curve models from which to choose.
   There is also concern in the community regarding the generation and
   potential weaknesses of the curves defined by NIST [NIST].

   This memo specifies two elliptic curves ("curve25519" and "curve448")
   that lend themselves to constant-time implementation and an
   exception-free scalar multiplication that is resistant to a wide
   range of side-channel attacks, including timing and cache attacks.
   They are Montgomery curves (where v^2 = u^3 + A*u^2 + u) and thus
   have birationally equivalent Edwards versions.  Edwards curves
   support the fastest (currently known) complete formulas for the
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools