One document matched: draft-black-rpgecc-01.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!-- This template is for creating an Internet Draft using xml2rfc,
which is available here: http://xml.resource.org. -->
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!-- One method to get references from the online citation libraries.
There has to be one entity for each item to be referenced.
An alternate method (rfc include) is described in the references. -->
<!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC2629 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2629.xml">
<!ENTITY RFC3279 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3279.xml">
<!ENTITY RFC3552 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3552.xml">
<!ENTITY RFC4050 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4050.xml">
<!ENTITY RFC4492 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4492.xml">
<!ENTITY RFC4754 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4754.xml">
<!ENTITY RFC5226 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5226.xml">
<!ENTITY RFC5480 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5480.xml">
<!ENTITY RFC5753 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5753.xml">
<!ENTITY RFC6090 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6090.xml">
<!ENTITY RFC6347 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6347.xml">
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<!-- used by XSLT processors -->
<!-- For a complete list and description of processing instructions (PIs),
please see http://xml.resource.org/authoring/README.html. -->
<!-- Below are generally applicable Processing Instructions (PIs) that most I-Ds might want to use.
(Here they are set differently than their defaults in xml2rfc v1.32) -->
<?rfc strict="yes" ?>
<!-- give errors regarding ID-nits and DTD validation -->
<!-- control the table of contents (ToC) -->
<?rfc toc="yes"?>
<!-- generate a ToC -->
<?rfc tocdepth="4"?>
<!-- the number of levels of subsections in ToC. default: 3 -->
<!-- control references -->
<?rfc symrefs="yes"?>
<!-- use symbolic references tags, i.e, [RFC2119] instead of [1] -->
<?rfc sortrefs="yes" ?>
<!-- sort the reference entries alphabetically -->
<!-- control vertical white space
(using these PIs as follows is recommended by the RFC Editor) -->
<?rfc compact="yes" ?>
<!-- do not start each main section on a new page -->
<?rfc subcompact="no" ?>
<!-- keep one blank line between list items -->
<!-- end of list of popular I-D processing instructions -->
<rfc category="info" docName="draft-black-rpgecc-01" ipr="trust200902">
<!-- category values: std, bcp, info, exp, and historic
ipr values: full3667, noModification3667, noDerivatives3667
you can add the attributes updates="NNNN" and obsoletes="NNNN"
they will automatically be output with "(if approved)" -->
<!-- ***** FRONT MATTER ***** -->
<front>
<!-- The abbreviated title is used in the page header - it is only necessary if the
full title is longer than 39 characters -->
<title abbrev="Rigid Parameter Generation for ECC">Rigid Parameter Generation for Elliptic Curve Cryptography</title>
<author fullname="Benjamin Black" initials="B.B."
surname="Black">
<organization>Microsoft</organization>
<address>
<postal>
<street>One Microsoft Way</street>
<city>Redmond</city>
<region>WA</region>
<code>98115</code>
<country>US</country>
</postal>
<email>benblack@microsoft.com</email>
</address>
</author>
<author fullname="Joppe W. Bos" initials="J.B."
surname="Bos">
<organization>NXP Semiconductors</organization>
<address>
<postal>
<street>Interleuvenlaan 80</street>
<city>3001 Leuven</city>
<country>Belgium</country>
</postal>
<email>joppe.bos@nxp.com</email>
</address>
</author>
<author fullname="Craig Costello" initials="C.C."
surname="Costello">
<organization>Microsoft Research</organization>
<address>
<postal>
<street>One Microsoft Way</street>
<city>Redmond</city>
<region>WA</region>
<code>98115</code>
<country>US</country>
</postal>
<email>craigco@microsoft.com</email>
</address>
</author>
<author fullname="Adam Langley" initials="A.L."
surname="Langley">
<organization>Google Inc</organization>
<address>
<email>agl@google.com</email>
</address>
</author>
<author fullname="Patrick Longa" initials="P.L."
surname="Longa">
<organization>Microsoft Research</organization>
<address>
<postal>
<street>One Microsoft Way</street>
<city>Redmond</city>
<region>WA</region>
<code>98115</code>
<country>US</country>
</postal>
<email>plonga@microsoft.com</email>
</address>
</author>
<author fullname="Michael Naehrig" initials="M.N."
surname="Naehrig">
<organization>Microsoft Research</organization>
<address>
<postal>
<street>One Microsoft Way</street>
<city>Redmond</city>
<region>WA</region>
<code>98115</code>
<country>US</country>
</postal>
<email>mnaehrig@microsoft.com</email>
</address>
</author>
<date month="December" year="2014" />
<!-- Meta-data Declarations -->
<area>General</area>
<workgroup>Network Working Group</workgroup>
<keyword>elliptic curve</keyword>
<keyword>cryptography</keyword>
<keyword>ecc</keyword>
<keyword>tls</keyword>
<!-- Keywords will be incorporated into HTML output
files in a meta tag but they have no effect on text or nroff
output. If you submit your draft to the RFC Editor, the
keywords will be used for the search engine. -->
<abstract>
<t>This memo describes algorithms for deterministically generating parameters for elliptic curves over prime fields offering high practical security in cryptographic applications, including Transport Layer Security (TLS) and X.509 certificates. The algorithms can generate domain parameters at any security level for modern (twisted) Edwards curves.</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>Since the initial standardization of elliptic curve cryptography (ECC) in <xref target="SEC1" /> there has been significant progress related to both efficiency and security of curves and implementations. Notable examples are algorithms protected against certain side-channel attacks, different 'special' prime shapes which allow faster modular arithmetic, and a larger set of curve models from which to choose. There is also concern in the community regarding the generation and potential weaknesses of the curves defined in <xref target="NIST"/>.</t>
<t>This memo describes a deterministic algorithm for generation of elliptic curves for cryptography. The constraints in the generation process produce curves that support constant-time, exception-free scalar multiplications that are resistant to a wide range of side-channel attacks including timing and cache attacks, thereby offering high practical security in cryptographic applications. The deterministic algorithm operates without any hidden parameters, reliance on randomness or any other processes offering opportunities for manipulation of the resulting curves. The selection between curve models is determined by choosing the curve form that supports the fastest (currently known) complete formulas for each modularity option of the underlying field prime. Specifically, the Edwards curve x^2 + y^2 = 1 + dx^2y^2 is used with primes p with p = 3 mod 4, and the twisted Edwards curve -x^2 + y^2 = 1 + dx^2y^2 is used for primes p with p = 1 mod 4.</t>
<section title="Requirements Language">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref
target="RFC2119">RFC 2119</xref>.</t>
</section>
</section>
<section title="Scope and Relation to Other Specifications">
<t>This document specifies a deterministic algorithm for generating elliptic curve domain parameters over prime fields GF(p), with p having a length of twice the desired security level in bits, in (twisted) Edwards form.</t>
</section>
<section anchor="security-requirements" title="Security Requirements">
<t>For each curve at a specific security level:</t>
<t>
<list style="numbers">
<t>The domain parameters SHALL be generated in a simple, deterministic manner, without any secret or random inputs. The derivation of the curve parameters is defined in <xref target="generation" />.</t>
<t>The trace of Frobenius MUST NOT be in {0, 1} in order to rule out the attacks described in <xref target="Smart" />, <xref target="AS" />, and <xref target="S" />, as in <xref target="EBP" />.</t>
<t>MOV Degree: the embedding degree k MUST be greater than (r - 1) / 100, as in <xref target="EBP" />.</t>
<t>CM Discriminant: discriminant D MUST be greater than 2^100, as in <xref target="SC" />.</t>
</list>
</t>
</section>
<section anchor="notation" title="Notation">
<t>Throughout this document, the following notation is used:</t>
<figure align="center" suppress-title="true">
<artwork align="left"><![CDATA[
p: Denotes the prime number defining the base field.
GF(p): The finite field with p elements.
d: An element in the finite field GF(p), different from -1,0.
Ed: The elliptic curve Ed/GF(p): x^2 + y^2 = 1 + dx^2y^2 in
Edwards form, defined over GF(p) by the parameter d.
tEd: The elliptic curve tEd/GF(p): -x^2 + y^2 = 1 + dx^2y^2 in
twisted Edwards form, defined over GF(p) by the parameter d.
rd: The largest odd divisor of the number of GF(p)-rational
points on Ed or tEd.
td: The trace of Frobenius of Ed or tEd such that
#Ed(GF(p)) = p + 1 - td or #tEd(GF(p)) = p + 1 - td,
respectively.
rd': The largest odd divisor of the number of GF(p)-rational
points on the non-trivial quadratic twist Ed' or tEd'.
hd: The index (or cofactor) of the subgroup of order rd in the
group of GF(p)-rational points on Ed or tEd.
hd': The index (or cofactor) of the subgroup of order rd' in the
group of GF(p)-rational points on the non-trivial quadratic
twist of Ed or tEd.
P: A generator point defined over GF(p) of prime order rd on Ed
or tEd.
X(P): The x-coordinate of the elliptic curve point P.
Y(P): The y-coordinate of the elliptic curve point P.
]]></artwork>
</figure>
</section>
<section anchor="generation" title="Parameter Generation">
<t>This section describes the generation of the curve parameters, namely the curve parameter d, and a generator point P of the prime order subgroup of the elliptic curve. Best practice is to use primes with p = 3 mod 4. For compatibility with some deployed implementations, a generation process for primes with p = 1 mod 4 is also provided.</t>
<section anchor="curve-generation" title="Deterministic Curve Parameter Generation">
<section anchor="edwards-generation" title="Edwards Curves">
<t>For a prime p = 3 mod 4, the elliptic curve Ed in Edwards form is determined by the non-square element d from GF(p), different from -1,0 with smallest absolute value such that #Ed(GF(p)) = hd * rd, #Ed'(GF(p)) = hd' * rd', hd = hd' = 4, and both subgroup orders rd and rd' are prime. In addition, care must be taken to ensure the MOV degree and CM discriminant requirements from <xref target="security-requirements" /> are met.</t>
<figure align="center" title="GenerateCurveEdwards">
<artwork align="left"><![CDATA[
Input: a prime p, with p = 3 mod 4
Output: the parameter d defining the curve Ed
1. Set d = 0
2. repeat
repeat
if (d > 0) then
d = -d
else
d = -d + 1
end if
until d is not a square in GF(p)
Compute rd, rd', hd, hd' where #Ed(GF(p)) = hd * rd,
#Ed'(GF(p)) = hd' * rd', hd and hd' are powers of 2 and rd, rd'
are odd
until ((hd = hd' = 4) and rd is prime and rd' is prime)
3. Output d
]]></artwork>
</figure>
</section>
<section anchor="twisted-edwards-generation" title="Twisted Edwards Curves">
<t>For a prime p = 1 mod 4, the elliptic curve tEd in twisted Edwards form is determined by the non-square element d from GF(p), different from -1,0 with smallest absolute value such that #tEd(GF(p)) = hd * rd, #tEd'(GF(p)) = hd' * rd', hd = 8, hd' = 4 and both subgroup orders rd and rd' are prime. In addition, care must be taken to ensure the MOV degree and CM discriminant requirements from <xref target="security-requirements" /> are met.</t>
<figure align="center" title="GenerateCurveTEdwards">
<artwork align="left"><![CDATA[
Input: a prime p, with p = 1 mod 4
Output: the parameter d defining the curve tEd
1. Set d = 0
2. repeat
repeat
if (d > 0) then
d = -d
else
d = -d + 1
end if
until d is not a square in GF(p)
Compute rd, rd', hd, hd' where #tEd(GF(p)) = hd * rd,
#tEd'(GF(p)) = hd' * rd', hd and hd' are powers of 2 and rd, rd'
are odd
until (hd = 8 and hd' = 4 and rd is prime and rd' is prime)
3. Output d
]]></artwork>
</figure>
</section>
</section>
</section>
<section anchor="generators" title="Generators">
<t>The generator points P = (X(P),Y(P)) for all curves are selected by taking the smallest positive value x in GF(p) (when represented as an integer) such that (x, y) is on the curve and such that (X(P),Y(P)) = 8 * (x, y) has large prime order rd.</t>
<figure align="center" title="GenerateGen">
<artwork align="left"><![CDATA[
Input: a prime p and curve parameters non-square d and
a = -1 for twisted Edwards (p = 1 mod 4) or
a = 1 for Edwards (p = 3 mod 4)
Output: a generator point P = (X(P), Y(P)) of order rd
1. Set x = 0 and found_gen = false
2. while (not found_gen) do
x = x + 1
while ((1 - a * x^2) * (1 - d * x^2) is not a quadratic
residue mod p) do
x = x + 1
end while
Compute an integer s, 0 < s < p, such that
s^2 * (1 - d * x^2) = 1 - a * x^2 mod p
Set y = min(s, p - s)
(X(P), Y(P)) = 8 * (x, y)
if ((X(P), Y(P)) has order rd on Ed or tEd, respectively) then
found_gen = true
end if
end while
3. Output (X(P),Y(P))
]]></artwork>
</figure>
</section>
<!-- This PI places the pagebreak correctly (before the section title) in the text output. -->
<?rfc needLines="8" ?>
<section anchor="isogenies" title="Isogenies from the (twisted) Edwards to the Montgomery model">
<t>For applications requiring Montgomery curves, such as x-only point format for elliptic curve Diffie-Hellmann (ECDH) key exchange, isogenies from the generated (twisted) Edwards curves can be produced as described in the following sections.</t>
<section anchor="ed_montgomery" title="Edwards to Montgomery for p = 3 (mod 4)">
<t>For a prime p = 3 mod 4, and a given Edwards curve Ed: x^2 + y^2 = 1 + d x^2 y^2 over GF(p) with non-square parameter d, let A = -(4d - 2). Then the Montgomery curve</t>
<figure align="center">
<artwork align="left"><![CDATA[
EM: v^2 = u^3 + Au^2 + u
]]></artwork>
</figure>
<t>is isogenous to Ed over GF(p). The following map is a 4-isogeny from Ed to EM over GF(p):</t>
<figure align="center">
<artwork align="left"><![CDATA[
phi: Ed -> EM, (x,y) -> (u,v), where
u = y^2 / x^2,
v = -y(x^2 + y^2 - 2) / x^3.
]]></artwork>
</figure>
<t>The neutral element (0,1) and the point of order two (0,-1) on Ed are mapped to the point at infinity on EM. The dual isogeny is given by</t>
<figure align="center">
<artwork align="left"><![CDATA[
phi_d: EM -> Ed, (u,v) -> (x,y), where
x = 4v(u - 1)(u + 1) / (u^4 - 2u^2 + 4v^2 + 1),
y = (u^2 + 2v - 1)(u^2 - 2v - 1) / (-u^4 + 2uv^2 + 2Au + 4u^2 + 1).
]]></artwork>
</figure>
<t>It holds phi_d(phi((x,y))) = [4](x,y) on Ed and phi(phi_d((u,v))) = [4](u,v) on EM.</t>
</section>
<section anchor="ted_montgomery" title="Twisted Edwards to Montogmery for p = 1 (mod 4)">
<t>For a prime p = 1 mod 4, and a given twisted Edwards curve tEd: -x^2 + y^2 = 1 + d x^2 y^2 over GF(p) with non-square parameter d, let A = 4d + 2. Then the Montgomery curve</t>
<figure align="center">
<artwork align="left"><![CDATA[
EM: v^2 = u^3 + Au^2 + u
]]></artwork>
</figure>
<t>is isogenous to tEd over GF(p). Let s in GF(p) be a fixed square root of -1, i.e. s is a solution to the equation s^2 + 1 = 0 over GF(p). Then, the following map is a 4-isogeny from tEd to EM over GF(p):</t>
<figure align="center">
<artwork align="left"><![CDATA[
phi: tEd -> EM, (x,y) -> (u,v), where
u = -y^2 / x^2,
v = -ys(x^2 - y^2 + 2) / x^3.
]]></artwork>
</figure>
<t>The neutral element (0,1) and the point of order two (0,-1) on tEd are mapped to the point at infinity on EM. The dual isogeny is given by</t>
<figure align="center">
<artwork align="left"><![CDATA[
phi_d: EM -> tEd, (u,v) -> (x,y), where
x = 4sv(u - 1)(u + 1) / (u^4 - 2u^2 + 4v^2 + 1),
y = (u^2 + 2v - 1)(u^2 - 2v - 1) / (-u^4 + 2uv^2 + 2Au + 4u^2 + 1).
]]></artwork>
</figure>
<t>It holds phi_d(phi((x,y))) = [4](x,y) on tEd and phi(phi_d((u,v))) = [4](u,v) on EM.</t>
</section>
</section>
<!-- This PI places the pagebreak correctly (before the section title) in the text output. -->
<?rfc needLines="8" ?>
<section anchor="curves" title="Recommended Curves">
<t>The following figures give parameters for recommended twisted Edwards and Edwards curves at the 128 and 192 bit security levels generated using the algorithms defined in previous sections. All integer values are unsigned.</t>
<figure align="center" title="p = 2^255 - 19, twisted Edwards">
<artwork align="left"><![CDATA[
p = 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFED
d = 0x1DB41
r = 0x1000000000000000000000000000000014DEF9DEA2F79CD65812
631A5CF5D3ED
x(P) = 0x5C88197130371C6958E48E7C57393BDEDBA29F9231D24B3D4DA2
242EC821CDF1
y(P) = 0x6FEC03B956EC4A0E51A838029242F8B107C27399CC7840C34B95
5E478A8FB7A5
h = 0x8
]]></artwork>
</figure>
<t>The isogenous Montgomery curve for p = 2^255 - 19 is given by A = 0x76D06.</t>
<figure align="center" title="p = 2^384 - 317, Edwards">
<artwork align="left"><![CDATA[
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEC3
d = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD19F
r = 0x3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE2471A1
CB46BE1CF61E4555AAB35C87920B9DCC4E6A3897D
x(P) = 0x61B111FB45A9266CC0B6A2129AE55DB5B30BF446E5BE4C005763FFA
8F33163406FF292B16545941350D540E46C206BDE
y(P) = 0x82983E67B9A6EEB08738B1A423B10DD716AD8274F1425F56830F98F
7F645964B0072B0F946EC48DC9D8D03E1F0729392
h = 0x4
]]></artwork>
</figure>
<t>The isogenous Montgomery curve for p = 2^384 - 317 is given by A = 0xB492.</t>
</section>
<section title="TLS NamedCurve Types" anchor="namedcurve_types">
<t>As defined in <xref target="RFC4492" />, the name space NamedCurve is used for the negotiation of elliptic curve groups for key exchange during TLS session establishment. This document adds new NamedCurve types for the elliptic curves defined in this document:</t>
<figure align="center" suppress-title="true">
<artwork align="left"><![CDATA[
enum {
ietfp255t1(TBD1),
ietfp255x1(TBD2),
ietfp384e1(TBD3),
ietfp384x1(TBD4)
} NamedCurve;
]]></artwork>
</figure>
<t>These curves are suitable for use with Datagram TLS <xref target="RFC6347" />.</t>
</section>
<section title="Use with ECDSA" anchor="ecdsa">
<t>The (twisted) Edwards curves generated by the procedure defined in this draft are suitable for use in signature algorithms such as ECDSA. In compliance with <xref target="RFC5480" />, which only supports named curves, namedCurve OIDs must be defined for the generated curves and points must be represented as (x,y) in either uncompressed or compressed format.</t>
<section title="Object Identifiers" anchor="ecdsa_oids">
<t>The following object identifiers represent the (twisted) Edwards domain parameter sets defined in this draft:</t>
<figure align="center" suppress-title="true">
<artwork align="left"><![CDATA[
ietfp255t1 OBJECT IDENTIFIER ::= {[TBDOID] 1}
ietfp384e1 OBJECT IDENTIFIER ::= {[TBDOID] 2}
]]></artwork>
</figure>
</section>
</section>
<section anchor="Acknowledgements" title="Acknowledgements">
<t>The authors would like to thank Tolga Acar, Karen Easterbrook and Brian LaMacchia for their contributions to the development of this draft.</t>
</section>
<section anchor="Security" title="Security Considerations">
<t>TBD</t>
</section>
<section anchor="ipr" title="Intellectual Property Rights">
<t>The authors have no knowledge about any intellectual property rights that cover either the generation algorithms or the usage of the domain parameters defined herein.</t>
</section>
<!-- Possibly a 'Contributors' section ... -->
<section anchor="IANA" title="IANA Considerations">
<t>IANA is requested to assign numbers for the curves listed in <xref target="namedcurve_types"/> in the "EC Named Curve" <xref target="IANA-TLS" /> registry of the "Transport Layer Security (TLS) Parameters" registry as follows:</t>
<texttable anchor="iana_table" align="center">
<ttcol align="center">Value</ttcol>
<ttcol align="center">Description</ttcol>
<ttcol align="center">DTLS-OK</ttcol>
<ttcol align="center">Reference</ttcol>
<c>TBD1</c><c>ietfp255t1</c><c>Y</c><c>this doc</c>
<c>TBD2</c><c>ietfp255x1</c><c>Y</c><c>this doc</c>
<c>TBD3</c><c>ietfp384e1</c><c>Y</c><c>this doc</c>
<c>TBD4</c><c>ietfp384x1</c><c>Y</c><c>this doc</c>
</texttable>
</section>
</middle>
<!-- *****BACK MATTER ***** -->
<back>
<!-- References split into informative and normative -->
<!-- There are 2 ways to insert reference entries from the citation libraries:
1. define an ENTITY at the top, and use "ampersand character"RFC2629; here (as shown)
2. simply use a PI "less than character"?rfc include="reference.RFC.2119.xml"?> here
(for I-Ds: include="reference.I-D.narten-iana-considerations-rfc2434bis.xml")
Both are cited textually in the same manner: by using xref elements.
If you use the PI option, xml2rfc will, by default, try to find included files in the same
directory as the including file. You can also define the XML_LIBRARY environment variable
with a value containing a set of directories to search. These can be either in the local
filing system or remote ones accessed by http (http://domain/dir/... ).-->
<references title="Normative References">
<!--?rfc include="http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml"?-->
&RFC2119;
</references>
<references title="Informative References">
<!-- Here we use entities that we defined at the beginning. -->
&RFC3279;
&RFC3552;
&RFC4050;
&RFC4492;
&RFC4754;
&RFC5226;
&RFC5480;
&RFC5753;
&RFC6090;
&RFC6347;
<!-- A reference written by by an organization not a person. -->
<reference anchor="MSR"
target="http://eprint.iacr.org/2014/130.pdf">
<front>
<title>Selecting Elliptic Curves for Cryptography: An Efficiency and Security Analysis</title>
<author initials="J.B." fullname="Joppe W. Bos" surname="Bos">
<organization>Microsoft Research</organization>
</author>
<author initials="C.C." fullname="Craig Costello" surname="Costello">
<organization>Microsoft Research</organization>
</author>
<author initials="P.L." fullname="Patrick Longa" surname="Longa">
<organization>Microsoft Research</organization>
</author>
<author initials="M.N." fullname="Michael Naehrig" surname="Naehrig">
<organization>Microsoft Research</organization>
</author>
<date day="19" month="February" year="2014" />
</front>
</reference>
<reference anchor="ECCP"
target="https://eprint.iacr.org/2013/734">
<front>
<title>Elliptic Curve Cryptography in Practice</title>
<author fullname="Joppe W. Bos" initials="J.B."
surname="Bos" />
<author fullname="J. Alex Halderman" initials="J.H."
surname="Halderman" />
<author fullname="Nadia Heninger" initials="N.H."
surname="Heninger" />
<author fullname="Jonathan Moore" initials="J.M."
surname="Moore" />
<author fullname="Michael Naehrig" initials="M.N."
surname="Naehrig" />
<author fullname="Eric Wustrow" initials="E.W."
surname="Wustrow" />
<date day="2" month="December" year="2013" />
</front>
</reference>
<reference anchor="FPPR"
target="http://dx.doi.org/10.1007/978-3-642-29011-4_4">
<front>
<title></title>
<author fullname="Jean-Charles Faugere" initials="J.F."
surname="Faugere" />
<author fullname="Ludovic Perret" initials="L.P."
surname="Perret" />
<author fullname="Christophe Petit" initials="C.P."
surname="Petit" />
<author fullname="Guenael Renault" initials="G.R."
surname="Renault" />
<date year="2012" />
</front>
</reference>
<reference anchor="Smart">
<front>
<title>The discrete logarithm problem on elliptic curves of trace one</title>
<author fullname="Nigel Smart" initials="N.S." surname="Smart" />
<date year="1999" />
</front>
</reference>
<reference anchor="AS">
<front>
<title>Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves</title>
<author fullname="Takakazu Satoh" initials="T.S." surname="Satoh" />
<author fullname="Kiyomichi Araki" initials="K.A." surname="Araki" />
<date year="1998" />
</front>
</reference>
<reference anchor="S">
<front>
<title>Evaluation of discrete logarithms on some elliptic curves</title>
<author fullname="Igor Semaev" initials="I.S." surname="Semaev" />
<date year="1998" />
</front>
</reference>
<reference anchor="EBP" target="http://www.ecc-brainpool.org/download/Domain-parameters.pdf">
<front>
<title>ECC Brainpool Standard Curves and Curve Generation</title>
<author>
<organization>ECC Brainpool</organization>
</author>
<date day ="19" month="October" year="2005" />
</front>
</reference>
<reference anchor="SC"
target="http://safecurves.cr.yp.to/">
<front>
<title>SafeCurves: choosing safe curves for elliptic-curve cryptography</title>
<author fullname="Daniel J. Bernstein" initials="D.J.B." surname="Bernstein" />
<author fullname="Tanja Lange" initials="T.J." surname="Lange" />
<date day="28" month="June" year="2014" />
</front>
</reference>
<reference anchor="NIST"
target="http://csrc.nist.gov/groups/ST/toolkit/documents/dss/NISTReCur.pdf">
<front>
<title>Recommended Elliptic Curves for Federal Government Use</title>
<author>
<organization>National Institute of Standards</organization>
</author>
<date month="July" year="1999" />
</front>
</reference>
<reference anchor="SEC1"
target="http://www.secg.org/collateral/sec1_final.pdf">
<front>
<title>SEC 1: Elliptic Curve Cryptography</title>
<author>
<organization>Certicom Research</organization>
</author>
<date day="20" month="September" year="2000" />
</front>
</reference>
<reference anchor="X9.62">
<front>
<title>Public Key Cryptography for the Financial Services Industry, The Elliptic Curve Digital Signature Algorithm (ECDSA)</title>
<author>
<organization>ANSI</organization>
</author>
<date year="2005" />
</front>
</reference>
<reference anchor="IANA-TLS"
target="https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8">
<front>
<title>EC Named Curve Registry</title>
<author>
<organization>IANA</organization>
</author>
<date year="2014"/>
</front>
</reference>
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-23 03:37:49 |