Errata Exist

Internet Research Task Force (IRTF)                           A. Langley
Request for Comments: 7748                                        Google
Category: Informational                                       M. Hamburg
ISSN: 2070-1721                             Rambus Cryptography Research
                                                               S. Turner
                                                                   sn3rd
                                                            January 2016

                      Elliptic Curves for Security

Abstract

   This memo specifies two elliptic curves over prime fields that offer
   a high level of practical security in cryptographic applications,
   including Transport Layer Security (TLS).  These curves are intended
   to operate at the ~128-bit and ~224-bit security level, respectively,
   and are generated deterministically based on a list of required
   properties.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Research Task Force
   (IRTF).  The IRTF publishes the results of Internet-related research
   and development activities.  These results might not be suitable for
   deployment.  This RFC represents the consensus of the Crypto Forum
   Research Group of the Internet Research Task Force (IRTF).  Documents
   approved for publication by the IRSG are not a candidate for any
   level of Internet Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7748.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Langley, et al.               Informational                     [Page 1]

RFC 7748                 Elliptic Curves for Security           January 2016

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Requirements Language . . . . . . . . . . . . . . . . . . . .   3
   3.  Notation  . . . . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  Recommended Curves  . . . . . . . . . . . . . . . . . . . . .   4
     4.1.  Curve25519  . . . . . . . . . . . . . . . . . . . . . . .   4
     4.2.  Curve448  . . . . . . . . . . . . . . . . . . . . . . . .   5
   5.  The X25519 and X448 Functions . . . . . . . . . . . . . . . .   7
     5.1.  Side-Channel Considerations . . . . . . . . . . . . . . .  10
     5.2.  Test Vectors  . . . . . . . . . . . . . . . . . . . . . .  11
   6.  Diffie-Hellman  . . . . . . . . . . . . . . . . . . . . . . .  14
     6.1.  Curve25519  . . . . . . . . . . . . . . . . . . . . . . .  14
     6.2.  Curve448  . . . . . . . . . . . . . . . . . . . . . . . .  15
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .  15
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  16
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .  16
     8.2.  Informative References  . . . . . . . . . . . . . . . . .  17
   Appendix A.  Deterministic Generation . . . . . . . . . . . . . .  19
     A.1.  p = 1 mod 4 . . . . . . . . . . . . . . . . . . . . . . .  20
     A.2.  p = 3 mod 4 . . . . . . . . . . . . . . . . . . . . . . .  21
     A.3.  Base Points . . . . . . . . . . . . . . . . . . . . . . .  21
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  22
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  22

1.  Introduction

   [RFC6090]) in [SEC1], there has been significant progress related to
   both efficiency and security of curves and implementations.  Notable
   examples are algorithms protected against certain side-channel
   attacks, various "special" prime shapes that allow faster modular
   arithmetic, and a larger set of curve models from which to choose.
   There is also concern in the community regarding the generation and
   potential weaknesses of the curves defined by NIST [NIST].
   This memo specifies two elliptic curves ("curve25519" and "curve448")
   that lend themselves to constant-time implementation and an
   exception-free scalar multiplication that is resistant to a wide
   range of side-channel attacks, including timing and cache attacks.
   They are Montgomery curves (where v^2 = u^3 + A*u^2 + u) and thus
   have birationally equivalent Edwards versions.  Edwards curves
   support the fastest (currently known) complete formulas for the
   elliptic-curve group operations, specifically the Edwards curve
   x^2 + y^2 = 1 + d*x^2*y^2 for primes p when p = 3 mod 4, and the
   twisted Edwards curve -x^2 + y^2 = 1 + d*x^2*y^2 when p = 1 mod 4.
   The maps to/from the Montgomery curves to their (twisted) Edwards
   equivalents are also given.

4.  Recommended Curves

4.1.  Curve25519

   Appendix A results in the following Montgomery curve
   v^2 = u^3 + A*u^2 + u, called "curve25519":

   p  2^255 - 19

   A  486662

   order  2^252 + 0x14def9dea2f79cd65812631a5cf5d3ed

   cofactor  8

   U(P)  9

   V(P)  14781619447589544791020593568409986887264606134616475288964881837755586237401

   The base point is u = 9,
   v = 14781619447589544791020593568409986887264606134616475288964881837755586237401.

   This curve is birationally equivalent to a twisted Edwards curve
   -x^2 + y^2 = 1 + d*x^2*y^2, called "edwards25519", where:

   p  2^255 - 19

   d  37095705934669439343138083508754565189542113879843219016388785533085940283555

   order  2^252 + 0x14def9dea2f79cd65812631a5cf5d3ed

   cofactor  8

   X(P)  15112221349535400772501151409588531511454012693041857206046113283949847762202

   Y(P)  46316835694926478169428394003475163141307993866256225615783033603165251855960

   [curve25519], and the equivalent twisted Edwards curve is equal to
   the one defined in [ed25519].

4.2.  Curve448

   Appendix A results in the following Montgomery curve, called
   "curve448":

   p  2^448 - 2^224 - 1

   A  156326

   order  2^446 - 0x8335dc163bb124b65129c96fde933d8d723a70aadc873d6d54a7bb0d

   cofactor  4

   U(P)  5

   V(P)  355293926785568175264127502063783334808976399387714271831880898435169088786967410002932673765864550910142774147268105838985595290606362

   This curve is birationally equivalent to the Edwards curve
   x^2 + y^2 = 1 + d*x^2*y^2 where:

   p  2^448 - 2^224 - 1

   d  611975850744529176160423220965553317543219696871016626328968936415087860042636474891785599283666020414768678979989378147065462815545017

   order  2^446 - 0x8335dc163bb124b65129c96fde933d8d723a70aadc873d6d54a7bb0d

   cofactor  4
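   The parameter tables above are easy to mis-transcribe, and the
   published digits are only useful if they actually describe the curves.
   The following Python is an added example, not code from the RFC or its
   authors: it checks that each base point lies on its curve, that the
   edwards25519 base point maps to u = 9, that the group orders are
   probable primes within the Hasse bound, and that neither curve is
   anomalous (the order-equals-p condition that [smart], [satoh] and
   [semaev] in Appendix A refer to).  The map u = (1 + y) / (1 - y) is
   the standard edwards25519-to-curve25519 map; the page does not
   reproduce the RFC's maps, so it is stated here as an assumption.

```python
# Added example (not the RFC's own code): sanity checks on the Section 4
# parameters and on the group orders, using Python big integers.

P25519 = 2**255 - 19
A25519 = 486662
N25519 = 2**252 + 0x14def9dea2f79cd65812631a5cf5d3ed
H25519 = 8
U25519 = 9
V25519 = 14781619447589544791020593568409986887264606134616475288964881837755586237401
D_ED25519 = 37095705934669439343138083508754565189542113879843219016388785533085940283555
X_ED25519 = 15112221349535400772501151409588531511454012693041857206046113283949847762202
Y_ED25519 = 46316835694926478169428394003475163141307993866256225615783033603165251855960

P448 = 2**448 - 2**224 - 1
A448 = 156326
N448 = 2**446 - 0x8335dc163bb124b65129c96fde933d8d723a70aadc873d6d54a7bb0d
H448 = 4
U448 = 5
V448 = 355293926785568175264127502063783334808976399387714271831880898435169088786967410002932673765864550910142774147268105838985595290606362


def on_montgomery(u, v, A, p):
    """(u, v) satisfies v^2 = u^3 + A*u^2 + u in GF(p)."""
    return (v * v - (u**3 + A * u * u + u)) % p == 0


def on_twisted_edwards(x, y, a, d, p):
    """(x, y) satisfies a*x^2 + y^2 = 1 + d*x^2*y^2 in GF(p); a = -1 for edwards25519."""
    return (a * x * x + y * y - (1 + d * x * x * y * y)) % p == 0


def montgomery_u_from_edwards_y(y, p):
    """u = (1 + y) / (1 - y): the standard edwards25519 -> curve25519 map.
    Assumed here; the RFC's own statement of the map is not on this page."""
    return (1 + y) * pow(1 - y, p - 2, p) % p


def within_hasse_bound(n, h, p):
    """Hasse: |p + 1 - #E| <= 2*sqrt(p), with #E = cofactor * order."""
    t = p + 1 - h * n
    return t * t <= 4 * p


def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases: a sanity check, not a proof, at these sizes."""
    if n < 2:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        if a % n == 0:
            continue
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def check_curve25519():
    """Base point on both models, the map links them, and the order is a
    probable prime within the Hasse bound and not equal to p (not anomalous)."""
    return (on_montgomery(U25519, V25519, A25519, P25519)
            and on_twisted_edwards(X_ED25519, Y_ED25519, -1, D_ED25519, P25519)
            and montgomery_u_from_edwards_y(Y_ED25519, P25519) == U25519
            and within_hasse_bound(N25519, H25519, P25519)
            and is_probable_prime(N25519)
            and H25519 * N25519 != P25519)


def check_curve448():
    """Same checks for curve448; the edwards448 base point is not on this page."""
    return (on_montgomery(U448, V448, A448, P448)
            and within_hasse_bound(N448, H448, P448)
            and is_probable_prime(N448)
            and H448 * N448 != P448)
```

   A failing `on_montgomery` or `on_twisted_edwards` check is the usual
   symptom of a digit dropped while copying a wrapped constant; the
   Hasse and primality checks catch a mangled order.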

   [goldilocks].

5.  The X25519 and X448 Functions

   [curve25519] and based on formulas from [montgomery].  All
   calculations are performed in GF(p), i.e., they are performed modulo
   p.  The constant a24 is (486662 - 2) / 4 = 121665 for curve25519/
   X25519 and (156326 - 2) / 4 = 39081 for curve448/X448.


5.1.  Side-Channel Considerations

5.2.  Test Vectors



6.  Diffie-Hellman

6.1.  Curve25519

   Section 7).  The check may be performed by ORing all the bytes
   together and checking whether the result is zero, as this eliminates
   standard side-channels in software implementations.

   Test vector:

   Alice's private key, a:
     77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a
   Alice's public key, X25519(a, 9):
     8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a
   Bob's private key, b:
     5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb
   Bob's public key, X25519(b, 9):
     de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f
   Their shared secret, K:
     4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742
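   The following Python is an added example, not code from the RFC or its
   authors.  It implements the Section 5 Montgomery ladder for both
   X25519 and X448 with the a24 constants given in Section 5 (121665 and
   39081), applies the all-zero check above by ORing the output bytes, and
   reproduces the Section 6.1 test vector.  It also includes a constructed
   key-derivation function that hashes the public keys as transmitted
   together with K, illustrating the Section 7 advice that equivalent
   encodings of a public key (here, the same u with the unused top bit
   set) yield the same K but should not yield the same session key.  The
   KDF label and the X448 keys used in the checks are constructed values.

```python
import hashlib

# Added example (not the RFC's own code): Section 5 ladder for X25519/X448,
# the Section 6.1 all-zero check, and a constructed KDF for the Section 7 advice.

P25519 = 2**255 - 19
P448 = 2**448 - 2**224 - 1
# name -> (p, bit length, a24 = (A - 2) / 4)
PARAMS = {"X25519": (P25519, 255, 121665), "X448": (P448, 448, 39081)}

def decode_little_endian(b, bits):
    return sum(b[i] << (8 * i) for i in range((bits + 7) // 8))

def decode_u_coordinate(u, bits):
    u_list = list(u)
    if bits % 8:
        u_list[-1] &= (1 << (bits % 8)) - 1  # X25519: mask the unused top bit
    return decode_little_endian(u_list, bits)

def encode_u_coordinate(u, p, bits):
    u %= p
    return bytes((u >> (8 * i)) & 0xFF for i in range((bits + 7) // 8))

def decode_scalar(k, name):
    k_list = list(k)  # clamp: clear cofactor bits, fix the top bit
    if name == "X25519":
        k_list[0] &= 248
        k_list[31] &= 127
        k_list[31] |= 64
        return decode_little_endian(k_list, 255)
    k_list[0] &= 252
    k_list[55] |= 128
    return decode_little_endian(k_list, 448)

def cswap(swap, a, b):
    # Branch-free swap as in the RFC; Python ints are not constant-time, so this
    # mirrors the structure a real implementation needs, not its timing guarantee.
    dummy = (-swap) & (a ^ b)
    return a ^ dummy, b ^ dummy

def ladder(k, u, p, bits, a24):
    """Montgomery ladder of Section 5: u-coordinate of k*P for P with u-coordinate u."""
    x_1, x_2, z_2, x_3, z_3, swap = u, 1, 0, u, 1, 0
    for t in range(bits - 1, -1, -1):
        k_t = (k >> t) & 1
        swap ^= k_t
        x_2, x_3 = cswap(swap, x_2, x_3)
        z_2, z_3 = cswap(swap, z_2, z_3)
        swap = k_t
        A = (x_2 + z_2) % p
        AA = A * A % p
        B = (x_2 - z_2) % p
        BB = B * B % p
        E = (AA - BB) % p
        C = (x_3 + z_3) % p
        D = (x_3 - z_3) % p
        DA = D * A % p
        CB = C * B % p
        x_3 = (DA + CB) ** 2 % p
        z_3 = x_1 * (DA - CB) ** 2 % p
        x_2 = AA * BB % p
        z_2 = E * (AA + a24 * E) % p
    x_2, x_3 = cswap(swap, x_2, x_3)
    z_2, z_3 = cswap(swap, z_2, z_3)
    return x_2 * pow(z_2, p - 2, p) % p  # z_2 == 0 yields 0: the all-zero output

def x_function(name, k, u):
    """X25519 or X448 on 32- or 56-byte little-endian inputs, per Section 5."""
    p, bits, a24 = PARAMS[name]
    result = ladder(decode_scalar(k, name), decode_u_coordinate(u, bits), p, bits, a24)
    return encode_u_coordinate(result, p, bits)

BASE25519 = encode_u_coordinate(9, P25519, 255)
BASE448 = encode_u_coordinate(5, P448, 448)

def shared_secret(name, private, peer_public):
    """DH output with the Section 6.1 all-zero check, done by ORing all bytes."""
    k = x_function(name, private, peer_public)
    acc = 0
    for byte in k:
        acc |= byte
    if acc == 0:
        raise ValueError("all-zero shared secret (low-order peer point)")
    return k

def session_key(shared, own_public, peer_public):
    """Constructed KDF that binds the public keys as transmitted (Section 7)."""
    return hashlib.sha256(b"example-kdf" + shared + own_public + peer_public).digest()

# Test vector from Section 6.1.
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BOB_PUB = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
SHARED_K = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")
```

   `x_function("X25519", ALICE_PRIV, BASE25519)` yields Alice's public
   key above, and `shared_secret("X25519", ALICE_PRIV, BOB_PUB)` yields
   K.  Passing an all-zero u (a low-order point) makes `shared_secret`
   raise instead of returning a zero key; passing Bob's key with the top
   bit of the last byte set returns the same K, which is why
   `session_key` hashes the key bytes that were actually received.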

   Section 6.  However, a large number of existing implementations do
   not do this.

   Designers using these curves should be aware that for each public
   key, there are several publicly computable public keys that are
   equivalent to it, i.e., they produce the same shared secrets.  Thus
   using a public key as an identifier and knowledge of a shared secret
   as proof of ownership (without including the public keys in the key
   derivation) might lead to subtle vulnerabilities.

   Designers should also be aware that implementations of these curves
   might not use the Montgomery ladder as specified in this document,
   but could use generic, elliptic-curve libraries instead.  These
   implementations could reject points on the twist and could reject
   non-minimal field elements.  While not recommended, such
   implementations will interoperate with the Montgomery ladder
   specified here but may be trivially distinguishable from it.  For
   example, sending a non-canonical value or a point on the twist may
   cause such implementations to produce an observable error while an
   implementation that follows the design in this text would
   successfully produce a shared key.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

   [safecurves]  Bernstein, D. and T. Lange, "SafeCurves: choosing safe
                 curves for elliptic-curve cryptography", Oct 2013,
                 <http://safecurves.cr.yp.to/>.

   [satoh]       Satoh, T. and K. Araki, "Fermat quotients and the
                 polynomial time discrete log algorithm for anomalous
                 elliptic curves", 1998.

   [SEC1]        Certicom Research, "SEC 1: Elliptic Curve
                 Cryptography", September 2000,
                 <http://www.secg.org/sec1-v2.pdf>.

   [semaev]      Semaev, I., "Evaluation of discrete logarithms on some
                 elliptic curves", 1998,
                 <http://www.ams.org/journals/mcom/1998-67-221/S0025-5718-98-00887-4/S0025-5718-98-00887-4.pdf>.

   [smart]       Smart, N., "The Discrete Logarithm Problem on Elliptic
                 Curves of Trace One", 1999,
                 <http://www.hpl.hp.com/techreports/97/HPL-97-128.pdf>.

Appendix A.  Deterministic Generation

   [smart], [satoh], and [semaev], as in [brainpool] and [safecurves].

   2.  MOV Degree [reducing]: the embedding degree MUST be greater than
       (order - 1) / 100, as in [brainpool] and [safecurves].

   3.  CM Discriminant: discriminant D MUST be greater than 2^100, as in
       [safecurves].

A.1.  p = 1 mod 4

A.2.  p = 3 mod 4

A.3.  Base Points

   draft-black-rpgecc-01 and draft-turner-thecurve25519function-01.  The
   following authors of those documents wrote much of the text and
   figures but are not listed as authors on this document: Benjamin
   Black, Joppe W. Bos, Craig Costello, Patrick Longa, Michael Naehrig,
   Watson Ladd, and Rich Salz.

   The authors would also like to thank Tanja Lange, Rene Struik, Rich
   Salz, Ilari Liusvaara, Deirdre Connolly, Simon Josefsson, Stephen
   Farrell, Georg Nestmann, Trevor Perrin, and John Mattsson for their
   reviews and contributions.

   The X25519 function was developed by Daniel J. Bernstein in
   [curve25519].

Authors' Addresses

   Adam Langley
   Google
   345 Spear Street
   San Francisco, CA 94105
   United States

   Email: agl@google.com


   Mike Hamburg
   Rambus Cryptography Research
   425 Market Street, 11th Floor
   San Francisco, CA 94105
   United States

   Email: mike@shiftleft.org


   Sean Turner
   sn3rd

   Email: sean@sn3rd.com