]>
Elliptic Curves for SecurityGoogle345 Spear StSan FranciscoCA94105USagl@google.comRambus Cryptography Research425 Market Street, 11th FloorSan FranciscoCA94105USmike@shiftleft.orgIECA, Inc.3057 Nutley StreetSuite 106FairfaxVA22031USturners@ieca.com
General
CFRGelliptic curvecryptographyeccThis memo specifies two elliptic curves over prime fields that offer high practical security in cryptographic applications, including Transport Layer Security (TLS). These curves are intended to operate at the ~128-bit and ~224-bit security level, respectively, and are generated deterministically based on a list of required properties.Since the initial standardization of elliptic curve cryptography (ECC ) in there has been significant progress related to both efficiency and security of curves and implementations. Notable examples are algorithms protected against certain side-channel attacks, various 'special' prime shapes that allow faster modular arithmetic, and a larger set of curve models from which to choose. There is also concern in the community regarding the generation and potential weaknesses of the curves defined by NIST .This memo specifies two elliptic curves (curve25519 and curve448) that lend themselves to constant-time implementation and an exception-free scalar multiplication that is resistant to a wide range of side-channel attacks, including timing and cache attacks. They are Montgomery curves (where y^2 = x^3 + Ax^2 + x) and thus have birationally equivalent Edwards versions. Edwards curves support the fastest (currently known) complete formulas for the elliptic-curve group operations, specifically the Edwards curve x^2 + y^2 = 1 + dx^2y^2 for primes p when p = 3 mod 4, and the twisted Edwards curve -x^2 + y^2 = 1 + dx^2y^2 when p = 1 mod 4. The maps to/from the Montgomery curves to their (twisted) Edwards equivalents are also given.This memo also specifies how these curves can be used with the Diffie-Hellman protocol for key agreement.The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119.Throughout this document, the following notation is used:Denotes the prime number defining the underlying field.The finite field with p elements.An element in the finite field GF(p), not equal to -2 or 2.A non-zero element in the finite field GF(p), not equal to 1, in the case of an Edwards curve, or not equal to -1, in the case of a twisted Edwards curve.A generator point defined over GF(p) of prime order.The x-coordinate of the elliptic curve point P on a (twisted) Edwards curve.The y-coordinate of the elliptic curve point P on a (twisted) Edwards curve.Coordinates on a Montgomery curve.Coordinates on a (twisted) Edwards curve.For the ~128-bit security level, the prime 2^255-19 is recommended for performance on a wide-range of architectures. Few primes of the form 2^c-s with s small exist between 2^250 and 2^521, and other choices of coefficient are not as competitive in performance. This prime is congruent to 1 mod 4 and the derivation procedure in results in the following Montgomery curve v^2 = u^3 + A*u^2 + u, called curve25519:2^255-194866622^252 + 0x14def9dea2f79cd65812631a5cf5d3ed8The base point is u = 9, v = 14781619447589544791020593568409986887264606134616475288964881837755586237401.This curve is birationally equivalent to a twisted Edwards curve -x^2 + y^2 = 1 + d*x^2*y^2, called edwards25519, where:2^255-19370957059346694393431380835087545651895421138798432190163887855330859402835552^252 + 0x14def9dea2f79cd65812631a5cf5d3ed81511222134953540077250115140958853151145401269304185720604611328394984776220246316835694926478169428394003475163141307993866256225615783033603165251855960The birational maps are:The Montgomery curve defined here is equal to the one defined in and the equivalent twisted Edwards curve is equal to the one defined in .For the ~224-bit security level, the prime 2^448-2^224-1 is recommended for performance on a wide-range of architectures. This prime is congruent to 3 mod 4 and the derivation procedure in results in the following Montgomery curve, called curve448:2^448-2^224-11563262^446 - 0x8335dc163bb124b65129c96fde933d8d723a70aadc873d6d54a7bb0d4The base point is u = 5, v =
355293926785568175264127502063783334808976399387714271831880898435169088786967410002932673765864550910142774147268105838985595290606362.This curve is birationally equivalent to the Edwards curve x^2 + y^2 = 1 + d*x^2*y^2 where:2^448-2^224-16119758507445291761604232209655533175432196968710166263289689364150878600426364748917855992836660204147686789799893781470654628155450172^446 - 0x8335dc163bb124b65129c96fde933d8d723a70aadc873d6d54a7bb0d4345397493039729516374008604150537410266655260075183290216406970281645695073672344430481787759340633221708391583424041788924124567700732363419362147803445274661903944002267176820680343659030140745099590306164083365386343198191849338272965044442230921818680526749009182718The birational maps are:Both of those curves are also 4-isogenous to the following Edwards curve x^2 + y^2 = 1 + d*x^2*y^2, called edwards448, where:2^448-2^224-1-390812^446 - 0x8335dc163bb124b65129c96fde933d8d723a70aadc873d6d54a7bb0d4224580040295924300187604334099896036246789641632564134246125461686950415467406032909029192869357953282578032075146446173674602635247710298819210078481492676017930443930673437544040154080242095928241372331506189835876003536878655418784733982303233503462500531545062832660The 4-isogeny maps between the Montgomery curve and this Edwards curve are:The curve edwards448 defined here is also called "Goldilocks" and is equal to the one defined in .The X25519 and X448 functions perform scalar multiplication on the Montgomery form of the above curves. (This is used when implementing Diffie-Hellman.) The functions take a scalar and a u-coordinate as inputs and produce a u-coordinate as output. Although the functions work internally with integers, the inputs and outputs are 32-byte strings (for X25519) or 56-byte strings (for X448) and this specification defines their encoding.The u-coordinates are elements of the underlying field GF(2^255-19) or GF(2^448-2^224-1) and are encoded as an array of bytes, u, in little-endian order such that u[0] + 256*u[1] + 256^2*u[2] + ... + 256^(n-1)*u[n-1] is congruent to the value modulo p and u[n-1] is minimal. When receiving such an array, implementations of X25519 (but not X448) MUST mask the most-significant bit in the final byte. This is done to preserve compatibility with point formats which reserve the sign bit for use in other protocols and to increase resistance to implementation fingerprinting.Implementations MUST accept non-canonical values and process them as if they had been reduced modulo the field prime. The non-canonical values are 2^255-19 through 2^255-1 for X25519 and 2^448-2^224-1 through 2^448-1 for X448.The following functions implement this in Python, although the Python code is not intended to be performant nor side-channel free. Here the "bits" parameter should be set to 255 for X25519 and 448 for X448:Scalars are assumed to be randomly generated bytes. For X25519, in order to decode 32 random bytes as an integer scalar, set the three least significant bits of the first byte and the most significant bit of the last to zero, set the second most significant bit of the last byte to 1 and, finally, decode as little-endian. This means that resulting integer is of the form 2^254 + 8 * {0, 1, ..., 2^(251) - 1}. Likewise, for X448, set the two least significant bits of the first byte to 0, and the most significant bit of the last byte to 1. This means that the resulting integer is of the form 2^447 + 4 * {0, 1, ..., 2^(445) - 1}.To implement the X25519(k, u) and X448(k, u) functions (where k is the scalar and u is the u-coordinate) first decode k and u and then perform the following procedure, which is taken from and based on formulas from . All calculations are performed in GF(p), i.e., they are performed modulo p. The constant a24 is (486662 - 2) / 4 = 121665 for curve25519/X25519 and (156326 - 2) / 4 = 39081 for curve448/X448.(Note that these formulas are slightly different from Montgomery's original paper. Implementations are free to use any correct formulas.)Finally, encode the resulting value as 32 or 56 bytes in little-endian order. For X25519, the unused, most-significant bit MUST be zero.The cswap function SHOULD be implemented in constant time (i.e. independent of the swap argument). For example, this can be done as follows:Where mask(swap) is the all-1 or all-0 word of the same length as x_2 and x_3, computed, e.g., as mask(swap) = 0 - swap.X25519 and X448 are designed so that fast, constant-time implementations are easier to produce. The procedure above ensures that the same sequence of field operations is performed for all values of the secret key, thus eliminating a common source of side-channel leakage. However, this alone does not prevent all side-channels by itself. It is important that the pattern of memory accesses and jumps not depend on the values of any of the bits of k. It is also important that the arithmetic used not leak information about the integers modulo p, for example by having b*c be distinguishable from c*c. On some architectures, even primitive machine instructions, such as single-word division, can have variable timing based on their inputs.Side-channel attacks are an active research area that still sees significant, new results. Implementors are advised to follow this research closely.Two types of tests are provided. The first is a pair of test vectors for each function that consist of expected outputs for the given inputs. The inputs are generally given as 64 or 112 hexadecimal digits that need to be decoded as 32 or 56 binary bytes before processing.The second type of test vector consists of the result of calling the function in question a specified number of times. Initially, set k and u to be the following values:For each iteration, set k to be the result of calling the function and u to be the old value of k. The final result is the value left in k.The X25519 function can be used in an elliptic-curve Diffie-Hellman (ECDH) protocol as follows:Alice generates 32 random bytes in f[0] to f[31] and transmits K_A = X25519(f, 9) to Bob, where 9 is the u-coordinate of the base point and is encoded as a byte with value 9, followed by 31 zero bytes.Bob similarly generates 32 random bytes in g[0] to g[31] and computes K_B = X25519(g, 9) and transmits it to Alice.Using their generated values and the received input, Alice computes X25519(f, K_B) and Bob computes X25519(g, K_A).Both now share K = X25519(f, X25519(g, 9)) = X25519(g, X25519(f, 9)) as a shared secret. Both MUST check, without leaking extra information about the value of K, whether K is the all-zero value and abort if so (see below). Alice and Bob can then use a key-derivation function that includes K, K_A and K_B to derive a key.The check for the all-zero value results from the fact that the X25519 function produces that value if it operates on an input corresponding to a point with order dividing the co-factor, h, of the curve. This check is cheap and so MUST always be carried out. The check may be performed by ORing all the bytes together and checking whether the result is zero as this eliminates standard side-channels in software implementations.Test vector:The X448 function can be used in an ECDH protocol very much like the X25519 function.If X448 is to be used, the only differences are that Alice and Bob generate 56 random bytes (not 32) and calculate K_A = X448(f, 5) or K_B = X448(g, 5) where 5 is the u-coordinate of the base point and is encoded as a byte with value 5, followed by 55 zero bytes.As with X25519, both sides MUST check, without leaking extra information about the value of K, whether the resulting shared K is the all-zero value and abort if so.Test vector:The security level (i.e. the number of "operations" needed for a brute-force attack on a primitive) of curve25519 is slightly under the standard 128-bit level. This is acceptable because the standard security levels are primarily driven by much simplier, symmetric primitives where the security level naturally falls on a power of two. For asymmetric primitives, rigidly adhering to a power-of-two security level would require compromises in other parts of the design, which we reject. Additionally, comparing security levels between types of primitives can be misleading under common threat models where multiple targets can be attacked concurrently .The ~224-bit security level of curve448 is a trade-off between performance and paranoia. Large quantum computers, if ever created, will break both curve25519 and curve448, and reasonable projections of the abilities of classical computers conclude that curve25519 is perfectly safe. However, some designs have relaxed performance requirements and wish to hedge against some amount of analytical advance against elliptic curves and thus curve448 is also provided.This document merges draft-black-rpgecc-01 and draft-turner-thecurve25519function-01. The following authors of those documents wrote much of the text and figures but are not listed as authors on this document: Benjamin Black, Joppe W. Bos, Craig Costello, Patrick Longa, Michael Naehrig and Watson Ladd.The authors would also like to thank Tanja Lange, Rene Struik, Rich Salz, Ilari Liusvaara, Deirdre Connolly, Simon Josefsson, Stephan Farrell and Georg Nestmann for their reviews and contributions.The X25519 function was developed by Daniel J. Bernstein in .
&RFC2119;
&RFC6090;
Understanding brute forceThe discrete logarithm problem on elliptic curves of trace oneFermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curvesEvaluation of discrete logarithms on some elliptic curvesReducing elliptic curve logarithms to logarithms in a finite fieldECC Brainpool Standard Curves and Curve GenerationECC BrainpoolSafeCurves: choosing safe curves for elliptic-curve cryptographyRecommended Elliptic Curves for Federal Government UseNational Institute of StandardsSEC 1: Elliptic Curve CryptographyCerticom ResearchCurve25519 -- new Diffie-Hellman speed recordsSpeeding the Pollard and elliptic curve methods of factorizationHigh-speed high-security signaturesEd448-Goldilocks, a new elliptic curveThis section specifies the procedure that was used to generate the above curves; specifically it defines how to generate the parameter A of the Montgomery curve y^2 = x^3 + Ax^2 + x. This procedure is intended to be as objective as can reasonably be achieved so that it's clear that no untoward considerations influenced the choice of curve. The input to this process is p, the prime that defines the underlying field. The size of p determines the amount of work needed to compute a discrete logarithm in the elliptic curve group and choosing a precise p depends on many implementation concerns. The performance of the curve will be dominated by operations in GF(p) so carefully choosing a value that allows for easy reductions on the intended architecture is critical. This document does not attempt to articulate all these considerations.The value (A-2)/4 is used in several of the elliptic curve point arithmetic formulas. For simplicity and performance reasons, it is beneficial to make this constant small, i.e. to choose A so that (A-2) is a small integer which is divisible by four.For each curve at a specific security level:The trace of Frobenius MUST NOT be in {0, 1} in order to rule out the attacks described in , , and , as in and .MOV Degree : the embedding degree k MUST be greater than (r - 1) / 100, as in and .CM Discriminant: discriminant D MUST be greater than 2^100, as in .For primes congruent to 1 mod 4, the minimal cofactors of the curve and its twist are either {4, 8} or {8, 4}. We choose a curve with the latter cofactors so that any algorithms that take the cofactor into account don't have to worry about checking for points on the twist, because the twist cofactor will be the smaller of the two.To generate the Montgomery curve we find the minimal, positive A value, such that A > 2 and (A-2) is divisible by four and where the cofactors are as desired. The find1Mod4 function in the following Sage script returns this value given p:For a prime congruent to 3 mod 4, both the curve and twist cofactors can be 4 and this is minimal. Thus we choose the curve with these cofactors and minimal, positive A such that A > 2 and (A-2) is divisible by four. The find3Mod4 function in the following Sage script returns this value given p:The base point for a curve is the point with minimal, positive u value that is in the correct subgroup. The findBasepoint function in the following Sage script returns this value given p and A: