lwig                                                          R. Struik
Internet-Draft                              Struik Security Consultancy
Intended status: Informational                             Jan 21, 2022
Expires: July 25, 2022

                Alternative Elliptic Curve Representations
                draft-ietf-lwig-curve-representations-23

Abstract

This document specifies how to represent Montgomery curves and (twisted) Edwards curves as curves in short-Weierstrass form and illustrates how this can be used to carry out elliptic curve computations leveraging existing implementations and specifications of, e.g., ECDSA and ECDH using NIST prime curves. We also provide extensive background material that may be useful for implementers of elliptic curve cryptography.

Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on July 25, 2022.

Copyright Notice

Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Fostering Code Reuse with New Elliptic Curves
   2.  Specification of Wei25519
   3.  Use of Representation Switches
   4.  Examples
     4.1.  Implementation of X25519, Specification of ECDH25519
     4.2.  Implementation of Ed25519
     4.3.  Specification of ECDSA25519
     4.4.  Other Uses (Wei448, ECDH448, ECDSA448, and Others)
   5.  Caveats
     5.1.  Wire Format
     5.2.  Representation Conventions
     5.3.  Domain Parameters
   6.  Implementation Considerations
   7.  Implementation Status
   8.  Security Considerations
   9.  Privacy Considerations
   10. Using Wei25519 and Wei448 with COSE and JOSE
     10.1.  Using Wei25519 and Wei448 Keys with COSE and JOSE
       10.1.1.  Encoding of Short-Weierstrass Curves with COSE
       10.1.2.  Encoding of Short-Weierstrass Curves with JOSE
     10.2.  Using ECDSA25519 and ECDSA448 with COSE and JOSE
       10.2.1.  Encoding of ECDSA Instantiations with COSE
       10.2.2.  Encoding of ECDSA Instantiations with JOSE
     10.3.  Using ECDH25519 and ECDH448 with COSE and JOSE
       10.3.1.  Encoding of co-factor ECDH with COSE
       10.3.2.  Encoding of co-factor ECDH with JOSE
   11. Using Wei25519 and Wei448 with PKIX and CMS
     11.1.  Encoding of Short-Weierstrass Curves with PKIX
     11.2.  Encoding of ECDSA Instantiations with PKIX
     11.3.  Encoding of co-factor ECDH and Other Algorithms with PKIX
     11.4.  Encoding of Elliptic-Curve-Based Algorithms with CMS
   12. IANA Considerations
     12.1.  OIDs for Use with PKIX and CMS
     12.2.  COSE/JOSE IANA Considerations for Wei25519
       12.2.1.  COSE Elliptic Curves Registration
       12.2.2.  COSE Algorithms Registration
       12.2.3.  JOSE Elliptic Curves Registration
       12.2.4.  JOSE Algorithms Registration (1/2)
       12.2.5.  JOSE Algorithms Registration (2/2)
     12.3.  COSE/JOSE IANA Considerations for Wei448
       12.3.1.  COSE Elliptic Curves Registration
       12.3.2.  COSE Algorithms Registration (1/2)
       12.3.3.  COSE Algorithms Registration (2/2)
       12.3.4.  JOSE Elliptic Curves Registration
       12.3.5.  JOSE Algorithms Registration (1/2)
       12.3.6.  JOSE Algorithms Registration (2/2)
   13. Acknowledgements
   14. References
     14.1.  Normative References
     14.2.  Informative References
   Appendix A.  Some (Non-Binary) Elliptic Curves
     A.1.  Curves in Short-Weierstrass Form
     A.2.  Montgomery Curves
     A.3.  Twisted Edwards Curves
   Appendix B.  Elliptic Curve Nomenclature and Finite Fields
     B.1.  Elliptic Curve Nomenclature
     B.2.  Finite Fields
   Appendix C.  Elliptic Curve Group Operations
     C.1.  Group Laws for Weierstrass Curves
     C.2.  Group Laws for Montgomery Curves
     C.3.  Group Laws for Twisted Edwards Curves
   Appendix D.  Relationships Between Curve Models
     D.1.  Mapping between Twisted Edwards Curves and Montgomery Curves
     D.2.  Mapping between Montgomery Curves and Weierstrass Curves
     D.3.  Mapping between Twisted Edwards Curves and Weierstrass Curves
   Appendix E.  Curve25519 and Cousins
     E.1.  Curve Definition and Alternative Representations
     E.2.  Switching between Alternative Representations
     E.3.  Domain Parameters
   Appendix F.  Further Mappings
     F.1.  Isomorphic Mapping between Twisted Edwards Curves
     F.2.  Isomorphic Mapping between Montgomery Curves
     F.3.  Isomorphic Mapping between Weierstrass Curves
     F.4.  Isogenous Mapping between Weierstrass Curves
   Appendix G.  Further Cousins of Curve25519
     G.1.  Further Alternative Representations
     G.2.  Further Switching
     G.3.  Further Domain Parameters
     G.4.  Isogeny Details
       G.4.1.  Isogeny Parameters
       G.4.2.  Dual Isogeny Parameters
   Appendix H.  Point Compression
     H.1.  Point Compression for Weierstrass Curves
     H.2.  Point Compression for Montgomery Curves
     H.3.  Point Compression for Twisted Edwards Curves
   Appendix I.  Data Conversions
     I.1.  Strings and String Operations
     I.2.  Conversion between Bit Strings and Integers (BS2I, I2BS)
     I.3.  Conversion between Octet Strings and Integers (OS2I, I2OS)
     I.4.  Conversion between Octet Strings and Bit Strings (OS2BS, BS2OS)
     I.5.  Conversion between Field Elements and Octet Strings (FE2OS, OS2FE)
     I.6.  Conversion between Elements of Z_n and Octet Strings (ZnE2OS, OS2ZnE)
     I.7.  Ordering Conventions
     I.8.  Conversion Between Curve Points and Octet Strings
   Appendix J.  Representation Examples Curve25519 Family Members
     J.1.  Example with Curve25519
     J.2.  Example with Edwards25519
     J.3.  Example with Wei25519
     J.4.  Example with Wei25519.2
     J.5.  Example with Wei25519.-3
   Appendix K.  Auxiliary Functions
     K.1.  Square Roots in GF(q)
       K.1.1.  Square Roots in GF(q), where q = 3 (mod 4)
       K.1.2.  Square Roots in GF(q), where q = 5 (mod 8)
     K.2.  Inversion
     K.3.  Mappings to Curve Points
       K.3.1.  Mapping to Points of Weierstrass Curve
       K.3.2.  Mapping to Points of Montgomery Curve
       K.3.3.  Mapping to Points of Twisted Edwards Curve
     K.4.  Mappings to High-Order Curve Points
       K.4.1.  Mapping to High-Order Points of Weierstrass Curve
       K.4.2.  Mapping to High-Order Points of Montgomery Curve
       K.4.3.  Mapping to High-Order Points of Twisted Edwards Curve
     K.5.  Randomized Representation of Curve Points
     K.6.  Completing the Mappings to Curve Points
   Appendix L.  Curve secp256k1 and Friend
     L.1.  Curve Definition and Alternative Representation
     L.2.  Switching Between Representations
     L.3.  Domain Parameters
     L.4.  Isogeny Details
       L.4.1.  Isogeny Parameters
       L.4.2.  Dual Isogeny Parameters
   Appendix M.  Curve448 and Cousins
     M.1.  Curve Definition and Alternative Representations
     M.2.  Switching between Alternative Representations
     M.3.  Domain Parameters
   Appendix N.  Further Cousins of Curve448
     N.1.  Further Alternative Representations
     N.2.  Further Switching
     N.3.  Further Domain Parameters
     N.4.  Isogeny Details
       N.4.1.  Isogeny Parameters
       N.4.2.  Dual Isogeny Parameters
   Appendix O.  Representation Examples Curve448 Family Members
     O.1.  Example with Curve448
     O.2.  Example with Ed448
     O.3.  Example with Wei448
     O.4.  Example with Wei448.1
     O.5.  Example with Wei448.-3
     O.6.  Example with Edwards448
   Appendix P.  Random Integers in Z_n
     P.1.  Conversion to Integers in Z_n via Modular Reduction
     P.2.  Conversion to Integers in Z_n via Scaling
     P.3.  Conversion to Integers in Z_n via the Discard Method
   Appendix Q.  ECDSA signatures
     Q.1.  ECDSA Signing Operation
     Q.2.  ECDSA Verification Operation
     Q.3.  Representation Examples ECDSA
       Q.3.1.  Example of ECDSA with Wei25519 and SHA-256
       Q.3.2.  Example of ECDSA with Wei25519 and SHAKE128
       Q.3.3.  Example of ECDSA with Wei448 and SHAKE256
       Q.3.4.  Example of ECDSA with P-256 and SHA-256
   Author's Address

1.  Fostering Code Reuse with New Elliptic Curves

Elliptic curves can be represented using different curve models.
Recently, IETF standardized elliptic curves that are claimed to have better performance and improved robustness against "real world" attacks than curves represented in the traditional short-Weierstrass curve model. These so-called CFRG curves [RFC7748] use the Montgomery curve model and the model of twisted Edwards curves.

In this document, we specify these curves using the traditional short-Weierstrass model and also define how to efficiently switch between representations in these different curve models. In particular, we specify Wei25519, which allows an alternative representation of points of Curve25519 (a Montgomery curve) and of points of Edwards25519 (a twisted Edwards curve), as points of a corresponding short-Weierstrass curve. Similarly, we specify Wei448, which allows an alternative representation of points of Curve448 (a Montgomery curve) and of points of Ed448 (an Edwards curve), as points of a corresponding short-Weierstrass curve.

Use of Wei25519 and Wei448 allows easy definition of new instantiations of signature schemes and key agreement schemes already specified for traditional NIST prime curves, thereby allowing easy integration with existing specifications, such as NIST SP 800-56a [SP-800-56a], FIPS Pub 186-4 [FIPS-186-4], and ANSI X9.62-2005 [ANSI-X9.62], and fostering code reuse on platforms that already implement some of these schemes using elliptic curve arithmetic for curves in short-Weierstrass form (see Appendix C.1). To illustrate this, we specify how to use Wei25519 and Wei448 with co-factor ECDH and with ECDSA, thereby giving rise to the key agreement schemes ECDH25519 and ECDH448 and the signature schemes ECDSA25519 and ECDSA448. In all these cases, implementors may use the curve arithmetic for the curve model of their choosing (where they can efficiently switch between representations in different curve models, if required).

For ease of exposition, we consider Wei25519 first and introduce Wei448 simply as an illustration of how to create other "offspring" objects and protocols (see Section 4.4). We also provide extensive background material that we hope may be useful for implementors of elliptic curve cryptography or for cross-referencing with future specification work.

2.  Specification of Wei25519

For the specification of Wei25519 and its relationship to Curve25519 and Edwards25519, see Appendix E. For further details and background information on elliptic curves, we refer to the other appendices.

The use of Wei25519 allows reuse of existing generic code that implements short-Weierstrass curves, such as the NIST curve P-256, to also implement the CFRG curves Curve25519 and Edwards25519. (Here, generic code refers to an implementation that does not depend on hardcoded domain parameters (see also Section 6).) We also cater to reuse of existing code where some domain parameters may have been hardcoded, thereby widening the scope of applicability. To this end, we specify the short-Weierstrass curves Wei25519.2 and Wei25519.-3, with hardcoded domain parameter a=2 and a=-3 (mod p), respectively; see Appendix G. (Here, p is the characteristic of the field over which these curves are defined.)

3.  Use of Representation Switches

The curves Curve25519, Edwards25519, and Wei25519, as specified in Appendix E.3, are all isomorphic, with the transformations of Appendix E.2. These transformations map the specified base point of each of these curves to the specified base point of each of the other curves. Consequently, a public-private key pair (k,R:=k*G) for any one of these curves corresponds, via these isomorphic mappings, to the public-private key pair (k, R':=k*G') for each of these other curves (where G and G' are the corresponding base points of these curves). This observation extends to the case where one also considers curve Wei25519.2 (which has hardcoded domain parameter a=2), as specified in Appendix G.3, since it is isomorphic to Wei25519, with the transformation of Appendix G.2, and, thereby, also isomorphic to Curve25519 and Edwards25519.

The curve Wei25519.-3 (which has hardcoded domain parameter a=-3 (mod p)) is not isomorphic to the curve Wei25519, but is related in a slightly weaker sense: the curve Wei25519 is isogenous to the curve Wei25519.-3, where the mapping of Appendix G.2 is an isogeny of degree l=47 that maps the specified base point G of Wei25519 to the specified base point G' of Wei25519.-3, and where the so-called dual isogeny (which maps Wei25519.-3 to Wei25519) has the same degree l=47 but maps G' not to G but to the fixed multiple l*G of G, with l=47. Consequently, a public-private key pair (k,R:=k*G) for Wei25519 corresponds to the public-private key pair (k, R':=k*G') for Wei25519.-3 (via the l-isogeny), whereas the public-private key pair (k, R':=k*G') corresponds to the public-private key pair (l*k, l*R=l*k*G) of Wei25519 (via the dual isogeny). (Note the extra scalar l=47 here.)

Alternative curve representations can, therefore, be used in any cryptographic scheme that involves computations on public-private key pairs, where implementations may carry out computations on the corresponding object for the isomorphic or isogenous curve and convert the results back to the original curve (where, in case this involves an l-isogeny, one has to take into account the factor l). This includes use with elliptic-curve-based signature schemes and key agreement and key transport schemes.

For some examples of curve computations on each of the curves specified in Appendix E.3 and Appendix G.3, see Appendix J.

4.  Examples

4.1.  Implementation of X25519, Specification of ECDH25519

RFC 7748 [RFC7748] specifies the use of X25519, a co-factor Diffie-Hellman key agreement scheme, with instantiation by the Montgomery curve Curve25519. This key agreement scheme was already specified in Section 6.1.2.2 of NIST SP 800-56a [SP-800-56a] for elliptic curves in short-Weierstrass form. Hence, one can implement X25519 using existing NIST routines by (1) representing a point of the Montgomery curve Curve25519 as a point of the Weierstrass curve Wei25519; (2) instantiating the co-factor Diffie-Hellman key agreement scheme of the NIST specification with the resulting point and Wei25519 domain parameters; (3) representing the key resulting from this scheme (which is a point of the curve Wei25519 in Weierstrass form) as a point of the Montgomery curve Curve25519. The representation change can be implemented via a simple wrapper and involves a single modular addition (see Appendix E.2). Using this method has the additional advantage that one can reuse the public-private key pair routines, domain parameter validation, and other checks that are already part of the NIST specifications.
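The three-step construction above, as an added Python illustration that is not code from this draft: it derives the Wei25519 parameters from Curve25519's A (the Montgomery-to-Weierstrass map with B=1), performs the single-addition representation switch of Steps (1) and (3), runs the scalar multiplication of Step (2) on generic affine short-Weierstrass routines, cross-checks the result against the RFC 7748 u-only ladder, and encodes the ECDH25519 pre-output as FE2OS of the x-coordinate with an error indicator for O. The function names, the textbook double-and-add, and the lifting of u to a full point via a square root are this example's own choices.

```python
# Added illustration (not code from the draft): the Curve25519 <-> Wei25519
# representation switch, and X25519 run on generic short-Weierstrass routines.
p = 2**255 - 19                   # field GF(p); p = 5 (mod 8)
A = 486662                        # Curve25519: v^2 = u^3 + A*u^2 + u (B = 1)
n = 2**252 + 27742317777372353535851937790883648493  # order of base point G (h = 8)
G_U = 9                           # u-coordinate of the Curve25519 base point

def inv(x):
    """Fermat inversion in GF(p); inv(0) = 0, as in the RFC 7748 ladder."""
    return pow(x % p, p - 2, p)

def sqrt_5mod8(a):
    """Square root in GF(p), p = 5 (mod 8) (draft Appendix K.1.2); non-square => twist."""
    a %= p
    x = pow(a, (p + 3) // 8, p)
    if (x * x - a) % p:
        x = x * pow(2, (p - 1) // 4, p) % p   # multiply by a square root of -1
    if (x * x - a) % p:
        raise ValueError("u-coordinate lies on the quadratic twist of Curve25519")
    return x

# Wei25519 domain parameters derived from A via the Montgomery-to-Weierstrass
# map with B = 1:  a = (3 - A^2)/3,  b = (2A^3 - 9A)/27,  (u, v) -> (u + A/3, v).
A3 = A * inv(3) % p               # the one constant the representation switch adds
a_w = (3 - A * A) * inv(3) % p
b_w = (2 * A**3 - 9 * A) * inv(27) % p

def mont_to_wei(P):
    """Curve25519 (u, v) -> Wei25519 (X, Y): a single modular addition; None is O."""
    return None if P is None else ((P[0] + A3) % p, P[1])

def wei_to_mont(P):
    """Inverse switch (X, Y) -> (X - A/3, Y)."""
    return None if P is None else ((P[0] - A3) % p, P[1])

def on_wei25519(P):
    X, Y = P
    return (Y * Y - (X**3 + a_w * X + b_w)) % p == 0

# Generic affine short-Weierstrass group law of the kind an existing P-256
# code base already provides; None stands for the point at infinity O.
def wei_add(P, Q):
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if (y1 + y2) % p == 0:    # Q = -P (also a doubling with y = 0)
            return None
        lam = (3 * x1 * x1 + a_w) * inv(2 * y1) % p
    else:
        lam = (y2 - y1) * inv(x2 - x1) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def wei_mul(k, P):
    """Textbook double-and-add; deployed code needs a constant-time ladder."""
    R = None
    for bit in bin(k)[2:]:
        R = wei_add(R, R)
        if bit == "1":
            R = wei_add(R, P)
    return R

def x25519_via_wei25519(k, u):
    """Steps (1)-(3) of Section 4.1: lift u to a Curve25519 point, switch to
    Wei25519, multiply there, switch back; u-only output with 0 encoding O."""
    v = sqrt_5mod8(u**3 + A * u * u + u)    # either root yields the same u(k*P)
    K = wei_to_mont(wei_mul(k, mont_to_wei((u % p, v))))
    return 0 if K is None else K[0]

def ecdh25519_shared_secret(k, Q):
    """ECDH25519: K = k*Q stays in Weierstrass form; Z = FE2OS(x(K)), 32 octets
    MSB-first; None is the error indicator for K = O."""
    K = wei_mul(k, Q)
    return None if K is None else K[0].to_bytes(32, "big")

def x25519_ladder(k, u):
    """RFC 7748 Section 5 u-only ladder (unclamped k < 2^255), used as a cross-check."""
    a24 = (A - 2) // 4            # 121665
    x_1, x_2, z_2, x_3, z_3, swap = u % p, 1, 0, u % p, 1, 0
    for t in range(254, -1, -1):
        k_t = (k >> t) & 1
        swap ^= k_t
        if swap:                  # RFC 7748 uses a constant-time cswap here
            x_2, x_3, z_2, z_3 = x_3, x_2, z_3, z_2
        swap = k_t
        s2, d2 = (x_2 + z_2) % p, (x_2 - z_2) % p
        AA, BB = s2 * s2 % p, d2 * d2 % p
        E = (AA - BB) % p
        s3, d3 = (x_3 + z_3) % p, (x_3 - z_3) % p
        DA, CB = d3 * s2 % p, s3 * d2 % p
        x_3, z_3 = (DA + CB) ** 2 % p, x_1 * (DA - CB) ** 2 % p
        x_2, z_2 = AA * BB % p, E * (AA + a24 * E) % p
    if swap:
        x_2, x_3, z_2, z_3 = x_3, x_2, z_3, z_2
    return x_2 * inv(z_2) % p
```

The derived a and the mapped base point x-coordinate equal the Wei25519 values listed in the draft's Appendix E.3, and the square-root failure for a twist u-coordinate together with the None result for K = O are exactly the strict checks that the scheme X25519+ keeps and X25519 relaxes.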
A NIST-compliant version of the co-factor Diffie-Hellman key agreement scheme (denoted by ECDH25519) results if one keeps inputs (key contributions) and pre-output (shared key K) in the short-Weierstrass format (and, hence, does not perform Steps (1) and (3) above), where the actual output (shared secret Z) is the x-coordinate of K (if this is an affine point of the curve), represented as a fixed-size octet string in tight MSB/msb-order using the FE2OS mapping of Appendix I.5, and where the output is an error indicator otherwise (i.e., if K is the point at infinity O of the curve).

NOTE 1: A Montgomery version of the co-factor Diffie-Hellman key agreement scheme (denoted by X25519+) results by incorporating Steps (1), (2), and (3) above, i.e., where one keeps inputs (key contributions) and pre-output (shared key K) in the Montgomery curve format, as points of Curve25519, where one represents each affine point by only its x-coordinate, represented as a fixed-size octet string in tight LSB/msb-order using the FE2OS mapping and its reverse, the strict OS2FE mapping, of Appendix I.5, and where the actual output (shared secret Z) is the representation of the shared key K as defined above (if this is an affine point of the curve), and where the output is an error indicator otherwise (i.e., if K is the point at infinity O of the curve). The scheme X25519, as specified in [RFC7748], is a more lenient version of this X25519+ scheme, whereby one does not mandate rejection of shared keys in the small subgroup (which are instead represented as if these were the point (0,0) of order two), where one does not check whether a received key contribution is a point of Curve25519 rather than a point of a quadratic twist of this curve (for definitions of these terms, see Appendix B.1), and where one uses the non-strict (rather than strict) OS2FE mapping (which, in this case, is always applied after setting the leftmost bit of the rightmost octet to zero). Moreover, with X25519, private keys are generated in the interval [2^251,2^252-1] rather than in the interval [1,n-1] (the so-called "clamping") and one uses as base point G':=h*G, where G, n, and h are, respectively, the fixed base point, the order of the base point, and the co-factor of the curve in question.

NOTE 2: At this point, it is unclear whether a FIPS-accredited module implementing the co-factor Diffie-Hellman scheme with, e.g., P-256 would also extend this accreditation to the Montgomery versions X25519+ or X25519. (For cryptographic module validation program guidance, see, e.g., [FIPS-140-2].)

4.2.  Implementation of Ed25519

RFC 8032 [RFC8032] specifies Ed25519, a "full" Schnorr signature scheme, with instantiation by the twisted Edwards curve Edwards25519. One can implement the computation of the ephemeral key pair for Ed25519 using an existing Montgomery curve implementation by (1) generating a random public-private key pair (k, R':=k*G') for Curve25519; (2) representing this public-private key as the pair (k, R:=k*G) for Ed25519. As before, the representation change can be implemented via a simple wrapper.
Note that the Montgomery ladder specified in Section 5 of RFC7748 [RFC7748] does not provide sufficient information to reconstruct R':=(u, v) (since it does not compute the v-coordinate of R'). However, this deficiency can be remedied by using a slightly modified version of the Montgomery ladder that includes reconstruction of the v-coordinate of R':=k*G' at the end of the Montgomery ladder (which uses the v-coordinate of the base point G' of Curve25519 as well). For details, see Appendix C.2.

4.3.  Specification of ECDSA25519

FIPS Pub 186-4 [FIPS-186-4] specifies the signature scheme ECDSA and can be instantiated not just with the NIST prime curves, but also with other Weierstrass curves (that satisfy additional cryptographic criteria). In particular, one can instantiate this scheme with the Weierstrass curve Wei25519 and the hash function SHA-256 [FIPS-180-4], where an implementation may generate an ephemeral public-private key pair for Wei25519 by (1) internally carrying out these computations on the Montgomery curve Curve25519, the twisted Edwards curve Edwards25519, or even the Weierstrass curve Wei25519.-3 (with hardcoded a=-3 domain parameter); (2) representing the result as a key pair for the curve Wei25519. Note that, in either case, one can implement these schemes with the same representation conventions as used with existing NIST specifications, including bit/byte-ordering, compression functions, and the like. This allows generic implementations of ECDSA with the hash function SHA-256 and with the NIST curve P-256 or with the curve Wei25519 specified in this specification to reuse the same implementation (instantiated with, respectively, the NIST P-256 elliptic curve domain parameters or with the domain parameters of curve Wei25519 specified in Appendix E). We denote by ECDSA25519 the instantiation of ECDSA with SHA-256 and with curve Wei25519, where the signature (r,s) is represented as the right-concatenation of the integers r and s in the interval [1,n-1], where n is the order of the base point of the curve in question, each represented as fixed-size octet strings in tight MSB/msb-order using the ZnE2OS mapping of Appendix I.6.

4.4.  Other Uses (Wei448, ECDH448, ECDSA448, and Others)

Any existing specification of cryptographic schemes using elliptic curves in Weierstrass form and that allows introduction of a new elliptic curve (here: Wei25519) is amenable to similar constructs, thus spawning "offspring" protocols, simply by instantiating these using the new curve in short-Weierstrass form, thereby allowing code and/or specifications reuse and, for implementations that so desire, carrying out curve computations "under the hood" on Montgomery curve and twisted Edwards curve cousins hereof (where these exist). This would simply require definition of a new object identifier for any such envisioned "offspring" protocol. This could significantly simplify standardization of schemes and help keep at bay the resource and maintenance cost of implementations supporting algorithm agility [RFC7696].

We illustrate the construction of such offspring protocols for Curve448, another Montgomery curve recently standardized by IETF (see [RFC7748]). Similar to the case with Curve25519, one can represent points of this curve via different curve models, viz. as points of an Edwards curve (Ed448) or as points of a short-Weierstrass curve (Wei448). For the specification of Wei448 and its relationship to Curve448 and Ed448, see Appendix M. As with ECDH25519, one can now easily define a NIST-compliant version of co-factor Diffie-Hellman key agreement (denoted by ECDH448), by simply reusing the example of Section 4.1, but now using the short-Weierstrass curve Wei448, rather than Wei25519 (with the same representation and bit/byte-ordering conventions). Similarly, one can easily specify ECDSA with Wei448 and a suitable hash function, by simply reusing the example of Section 4.3, but now using the short-Weierstrass curve Wei448, rather than Wei25519, and picking as hash function SHAKE256 (see Section 6.3 of [FIPS-202]) with output size of d0=512 bits. We denote by ECDSA448 the resulting signature scheme (with the same representation and bit/byte-ordering conventions).

NOTE: A Montgomery version of the co-factor Diffie-Hellman key agreement scheme (denoted by X448+) results by reusing the description of X25519+ in Section 4.1, but now using the Montgomery curve Curve448, rather than Curve25519 (with the same checks and representation and bit/byte-ordering conventions). The scheme X448, as specified in [RFC7748], is a more lenient version of this X448+ scheme, whereby one does not mandate rejection of shared keys in the small subgroup (which are instead represented as if these were the point (0,0) of order two), nor checks whether a received key contribution is a point of Curve448 rather than a point of a quadratic twist of this curve, and where one uses the non-strict (rather than the strict) OS2FE mapping for converting octet strings to field elements. Moreover, with X448, private keys are generated in the interval [2^445,2^446-1] rather than in the interval [1,n-1] (the so-called "clamping") and one uses as base point G':=h*G, where G, n, and h are, respectively, the fixed base point, the order of the base point, and the co-factor of the curve in question.

5.  Caveats

The examples above illustrate how specifying the Weierstrass curve Wei25519 (or any curve in short-Weierstrass format, for that matter) may facilitate reuse of existing code and may simplify standards development. However, the following caveats apply:

5.1.  Wire Format

The transformations between alternative curve representations can be implemented at negligible relative incremental cost if the curve points are represented as affine points. If a point is represented in compressed format, conversion usually requires a costly point decompression step. This is the case in [RFC7748], where the inputs to the co-factor Diffie-Hellman scheme X25519, as well as its output, are represented in u-coordinate-only format. This is also the case in [RFC8032], where the EdDSA signature includes the ephemeral signing key represented in compressed format (see Appendix H for details). Note that in the latter case compression is lossless, whereas it is lossy in the former case.

5.2.  Representation Conventions

While elliptic curve computations are carried out in a field GF(q) and, thereby, involve large integer arithmetic, these integers are represented as bit- and byte-strings. Here, [RFC8032] uses least-significant-byte (LSB)/least-significant-bit (lsb) conventions, whereas [RFC7748] uses LSB/most-significant-bit (msb) conventions, and where most other cryptographic specifications, including NIST SP800-56a [SP-800-56a], FIPS Pub 186-4 [FIPS-186-4], and ANSI X9.62-2005 [ANSI-X9.62] use most-significant-byte (MSB)/msb conventions. Since each pair of conventions is different (see Appendix I for details and Appendix J for examples), this does necessitate bit/byte representation conversions.

5.3.  Domain Parameters

All traditional NIST curves are Weierstrass curves with domain parameter a=-3, while all Brainpool curves [RFC5639] are isomorphic to a Weierstrass curve of this form. Thus, one can expect there to be existing Weierstrass implementations with a hardcoded a=-3 domain parameter ("Jacobian-friendly"). For those implementations, including the curve Wei25519 as a potential vehicle for offering support for the CFRG curves Curve25519 and Edwards25519 is not possible, since it is not of the required form. Instead, one has to implement Wei25519.-3 and include code that implements the isogeny and dual isogeny from and to Wei25519. The lowest odd-degree isogeny has degree l=47 and requires roughly 9kB of storage for isogeny and dual-isogeny computations (see the tables in Appendix G.4). Note that storage would have been reduced to a single 64-byte table had Curve25519 been generated so as to be isomorphic to a Weierstrass curve with hardcoded a=-3 parameter (this corresponds to l=1).

NOTE 1: An example of a Montgomery curve defined over the same field as Curve25519 that is isomorphic to a Weierstrass curve with hardcoded a=-3 parameter is the Montgomery curve M_{A,B} with B=1 and A=-1410290 (or, if one wants the base point to still have u-coordinate u=9, with B=1 and A=-3960846). In either case, the resulting curve has the same cryptographic properties as Curve25519 and the same performance (which relies on A being a 3-byte integer, as is the case with the domain parameter A=486662 of Curve25519, and using the same special prime p=2^255-19), while at the same time being "Jacobian-friendly" by design.
NOTE 2: While an implementation of Curve25519 via an isogenous Weierstrass curve with domain parameter a=-3 requires a relatively large table (of size roughly 9kB), for a quadratic twist of Curve25519 (e.g., the Montgomery curve M_{A,B'} with A=486662 and B'=2) this implementation approach only requires a table of size less than 0.5kB (over 20x smaller), solely due to the fact that it is l-isogenous to a Weierstrass curve with a=-3 parameter with relatively small parameter l=2 (compared to l=47, as is the case with Curve25519 itself).

6. Implementation Considerations

The efficiency of elliptic curve arithmetic is primarily determined by the efficiency of its group operations (see Appendix C). Numerous optimized formulae exist, such as the use of so-called Montgomery ladders with Montgomery curves [Mont-Ladder] or with Weierstrass curves [Wei-Ladder], the use of a hardcoded a=-3 domain parameter for Weierstrass curves [ECC-Isogeny], and the use of a hardcoded a=-1 domain parameter for twisted Edwards curves [tEd-Formulas]. These all target reduction of the number of finite field operations (primarily, finite field multiplications and squarings). Other optimizations target more efficient modular reductions underlying these finite field operations, by specifying curves defined over a field GF(q), where the field size q has a special form or a specific bit-length (typically, close to a multiple of a machine word). Depending on the implementation strategy, the bit-length of q may also facilitate reduced so-called "carry-effects" of integer arithmetic.

Most curves use a combination of these design philosophies. All NIST curves [FIPS-186-4] and Brainpool curves [RFC5639] are Weierstrass curves with a=-3 domain parameter, thus facilitating more efficient elliptic curve group operations than with a<>-3 (via so-called Jacobian coordinates). The NIST curves and the Montgomery curve Curve25519 are defined over prime fields, where the prime number has a special form, whereas the Brainpool curves - by design - use a generic prime number. None of the NIST prime curves, nor the Brainpool curves, can be expressed as Montgomery or twisted Edwards curves (their group order is prime, whereas a Montgomery or twisted Edwards curve always has a point of order two and hence an even group order), whereas - conversely - Montgomery curves and twisted Edwards curves can be expressed as Weierstrass curves.

While use of Wei25519 allows reuse of existing generic code that implements short-Weierstrass curves, such as the NIST curve P-256, to also implement the CFRG curves Curve25519 or Edwards25519, this obviously does not result in an implementation of these CFRG curves that exploits the specific structure of the underlying field or other specific domain parameters (since generic). Reuse of generic code, therefore, may result in a less computationally efficient curve implementation than would have been possible if the implementation had specifically targeted Curve25519 or Edwards25519 alone (with the overall cost differential estimated to be somewhere in the interval [1.00-1.25]). If existing generic code offers hardware support, however, the overall speed may still be higher, since less efficient formulae for curve arithmetic using Wei25519, compared to a direct implementation of Curve25519 or Edwards25519 arithmetic, may be more than compensated for by faster implementations of the finite field arithmetic itself.

Overall, one should consider not just code reuse and computational efficiency, but also development and maintenance cost, and, e.g., the cost of providing effective implementation attack countermeasures (see also Section 8).

7. Implementation Status

[Note to the RFC Editor] Please remove this entire section before publication, as well as the reference to [RFC7942].
This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in [RFC7942]. The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist.

According to [RFC7942], "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit."

Nikolas Rosener evaluated the performance of switching between different curve models in his Master's thesis [Rosener]. For an implementation of Wei25519, see . For support of this curve in tinydtls, see .

ANSSI (the national cybersecurity agency of France) implemented the Ed25519 signature scheme using a generic ECC library for short-Weierstrass curves instantiated with the Wei25519 domain parameters, where this was motivated by the desire to both keep the library core mathematical foundations simple and keep the defense-in-depth (regarding software security and side-channels) focused on a rather limited part. For further details, see .
According to , an implementation of Wei25519 on the Kinets LTC ECC HW platform improves the performance by more than a factor of ten compared to a stand-alone implementation of Curve25519 without hardware support.

The signature scheme ECDSA25519 (see Section 4.3) is supported in [RFC8928].

8. Security Considerations

The different representations of elliptic curve points discussed in this document are all obtained using a publicly known transformation, which is either an isomorphism or a low-degree isogeny. It is well known that an isomorphism maps elliptic curve points to equivalent mathematical objects and that the complexities of cryptographic problems (such as the discrete logarithm problem) on curves related via a low-degree isogeny are tightly related (an isogeny maps discrete logarithm instances from one curve to the other at the cost of evaluating it). Thus, the use of these techniques does not negatively impact the cryptographic security of elliptic curve operations.

As to implementation security, reusing existing high-quality code or generic implementations that have been carefully designed to withstand implementation attacks for one curve model may allow a more economical way of development and maintenance than providing this same functionality for each curve model separately (if multiple curve models need to be supported) and, otherwise, may allow a more gradual migration path, where one may initially use existing and accredited chipsets that cater to the predominant curve model used in practice for over 15 years.

Elliptic curves are generally used as objects in a broader cryptographic scheme that may include processing steps that depend on the representation conventions used (such as with, e.g., key derivation following key establishment). These schemes should unambiguously specify fixed representations of each input and output (e.g., representing each elliptic curve point always in short-Weierstrass form and in uncompressed tight MSB/msb format).

To prevent cross-protocol attacks, private keys SHOULD only be used with one cryptographic scheme.

Private keys MUST NOT be reused between Ed25519 (as specified in [RFC8032]) and ECDSA25519 (as specified in Section 4.3). Similarly, private keys MUST NOT be reused between Ed448 (as specified in [RFC8032]) and ECDSA448 (as specified in Section 4.4).

To prevent intra-protocol cross-instantiation attacks, ephemeral private keys MUST NOT be reused between instantiations of ECDSA25519 or of ECDSA448. (Reuse of the per-signature ephemeral key with two distinct messages allows recovery of the long-term private key from the two signatures.)

With ECDSA25519 and ECDSA448, the same private signature key MUST NOT be reused between application scenarios where message encoding and decoding rules vary, since this may jeopardize message unforgeability properties; see also the Note in Section 10.2.1. (In fact, this holds for any signature scheme, not just ECDSA.)

9. Privacy Considerations

The transformations between different curve models described in this document are publicly known and, therefore, do not affect privacy provisions.

Use of a public key in any protocol for which successful execution evidences knowledge of the corresponding private key implicitly indicates the entity holding this private key. Reuse of this public key with more than one protocol or more than one protocol instantiation may, therefore, allow traceability of this entity. It may also allow correlation of meta-data communicated with this common data element (e.g., different addressing information), even if an observer cannot technically verify the binding of this meta-data.
The randomized representation described in Appendix K.5 allows random curve points to be represented as random pairs of field elements, thereby assisting in obfuscating the presence of these curve points in some applications. For representations as random binary strings, see Appendix K.6.

10. Using Wei25519 and Wei448 with COSE and JOSE

This section defines algorithm encodings and representations enabling the use of the curves Wei25519 and Wei448, with ECDH and ECDSA, in JOSE [RFC7518] and COSE [RFC8152] messages.

All octet string encodings below use the MSB/msb-ordering conventions as defined in Appendix I.7. For CBOR representation details, we refer to [RFC8949]; for base64url encodings, we refer to [RFC4648].

10.1. Using Wei25519 and Wei448 Keys with COSE and JOSE

For Weierstrass curves, the representation of the point at infinity O is curve-specific (see Appendix H.1). For the short-Weierstrass curve Wei25519, we define O:=(-1,0), whereas for Wei448, we define O:=(1,0).

The encodings below specify the use of short-Weierstrass curves with COSE (see Section 10.1.1) and JOSE (see Section 10.1.2), where the encoding for a specific curve results by setting the "crv" parameter to the unique name of the curve in question (i.e., "Wei25519" for the curve Wei25519 and "Wei448" for the curve Wei448).

10.1.1. Encoding of Short-Weierstrass Curves with COSE

With COSE, points of short-Weierstrass curves are encoded using the "EC2" key type (Section 13.1.1 of [RFC8152]) or the "OKP" key type (Section 7.2 of [I-D.ietf-cose-rfc8152bis-algs]), which are instantiated by setting the "crv" parameter to the (unique) name of the curve in question and the "kty" parameter to "EC2" or "OKP", respectively, where key type-specific settings are as follows:

a. With the "EC2" type, each affine point (X, Y) is encoded by setting the parameters "x" and "y" to the octet string representations of the elements X and Y, respectively, in tight MSB/msb-order, and converting each to a CBOR byte string. Each compressed point (X, t) is encoded by setting the parameter "x" to the octet representation of the element X, in tight MSB/msb-order, converted to a CBOR byte string, and by setting the parameter "y" to the CBOR false or CBOR true value, depending on whether, respectively, t=0 or t=1. For representation details and for details on the reverse mappings, see Appendix I.8. (Note that for affine points of a curve defined over a prime field this representation is consistent with the "EC2" representation in Section 13.1.1 of [RFC8152].)

b. With the "OKP" type, each point is encoded by setting the parameter "x" to the "squeezed" point representation of this point, in MSB/msb-order, and converting this to a CBOR byte string. For representation details and for details on the reverse mappings, see Appendix I.8. (Note that for affine points of a curve defined over a prime field this representation is consistent with the "OKP" representation in Section 7.2 of [I-D.ietf-cose-rfc8152bis-algs], which affords a curve-specific octet string encoding.)

In either case, if the point is a public key and its private key is to be included, the parameter "d" encodes the corresponding private key, using the octet string representation, in tight MSB/msb-order, and converting this to a CBOR byte string (see Appendix I.6).
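As an added illustration (not part of this draft, and not code from any COSE library), the following Python code shows what the "EC2" encoding above produces on the wire and how the strict OS2FE mapping it relies on differs from the non-strict mapping of [RFC7748] that Section 4.4 contrasts with it. It contains a minimal deterministic CBOR encoder sufficient for a COSE_Key (the key-sorting rule of Section 4.2.1 of [RFC8949] is what makes the encoding unique), and assumes the COSE_Key labels of [RFC8152] and the requested, not yet assigned, "crv" value -1 for Wei25519 from Section 12.2.1.

```python
# Added example (not code from the draft): a minimal deterministic CBOR encoder,
# a COSE_Key builder for Wei25519 with kty "EC2", and the strict vs. non-strict
# octet-string-to-field-element mappings the draft contrasts.
# Assumptions: COSE_Key labels (kty=1, crv=-1, x=-2, y=-3, d=-4) and kty EC2=2
# are from RFC 8152; crv=-1 is the value *requested* for Wei25519 in
# Section 12.2.1 and is not yet assigned.

P25519 = 2**255 - 19        # field size of Curve25519 / Wei25519
L25519 = 32                 # tight octet length of a field element

COSE_KTY, COSE_CRV, COSE_X, COSE_Y, COSE_D = 1, -1, -2, -3, -4
KTY_EC2 = 2
CRV_WEI25519 = -1           # requested value, TBD


def _head(major, n):
    """Initial byte(s) for CBOR major type `major` with argument n (shortest form)."""
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([(major << 5) | ai]) + n.to_bytes(size, "big")
    raise ValueError("argument too large")


def cbor(v):
    """Deterministic CBOR (RFC 8949 Section 4.2.1) for the subset a COSE_Key needs:
    ints, byte strings, booleans and maps whose keys are sorted bytewise by encoding."""
    if v is True:
        return b"\xf5"
    if v is False:
        return b"\xf4"          # distinct from int 0 (b"\x00"); see the NOTE in 10.2.1
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, dict):
        items = sorted((cbor(k), cbor(val)) for k, val in v.items())
        return _head(5, len(items)) + b"".join(k + val for k, val in items)
    raise TypeError("unsupported type %r" % type(v))


def fe2os(x):
    """FE2OS: tight MSB/msb octet string of a field element of GF(p)."""
    if not 0 <= x < P25519:
        raise ValueError("not a field element")
    return x.to_bytes(L25519, "big")


def os2fe_strict(s):
    """Strict OS2FE (the mapping used with COSE/JOSE here): exactly l octets and a
    canonical value below p; anything else is rejected."""
    if len(s) != L25519:
        raise ValueError("wrong length")
    x = int.from_bytes(s, "big")
    if x >= P25519:
        raise ValueError("non-canonical field element")
    return x


def x25519_decode_u(s):
    """Non-strict mapping of RFC 7748 (decodeUCoordinate): LSB order, bit 255
    masked off, non-canonical values silently reduced mod p."""
    if len(s) != L25519:
        raise ValueError("wrong length")
    return (int.from_bytes(s, "little") & ((1 << 255) - 1)) % P25519


def cose_key_wei25519(x, y=None, t=None, d=None):
    """COSE_Key for Wei25519 with kty EC2: affine point (x, y), or compressed
    point (x, t) with t carried as CBOR true/false; d (private scalar) optional."""
    key = {COSE_KTY: KTY_EC2, COSE_CRV: CRV_WEI25519, COSE_X: fe2os(x)}
    key[COSE_Y] = fe2os(y) if y is not None else bool(t)
    if d is not None:
        key[COSE_D] = d.to_bytes(L25519, "big")   # ZnE2OS of d in [1, n-1]
    return cbor(key)
```

The two decoders make the point of the caveat concrete: a 32-octet string whose integer value is p+1 is rejected by the strict mapping but silently accepted as the field element 1 by the X25519 mapping, so the same public key has more than one valid encoding on the X25519 side and exactly one here.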
For curve points, the "crv" parameter and the parameters referenced with the applicable key type-specific settings above MUST be present in the structure, whereas the parameter "d" MUST NOT be present, while for private keys, the parameters "crv" and "d" MUST be present and the applicable key type-specific parameters of the corresponding public key are RECOMMENDED to be present.

10.1.2. Encoding of Short-Weierstrass Curves with JOSE

With JOSE, points of short-Weierstrass curves are encoded using the "EC" key type (Section 6.2 of [RFC7518]) or the "OKP" key type (Section 2 of [RFC8037]), which are instantiated by setting the "crv" parameter to the (unique) name of the curve in question and the "kty" parameter to "EC" or "OKP", respectively, where key type-specific settings are as follows:

a. With the "EC" type, each affine curve point (X, Y) is encoded by setting the parameters "x" and "y" to the octet string representations of the elements X and Y, respectively, in tight MSB/msb-order, and converting each using the base64url encoding. The point at infinity O is encoded as if this were an affine point (i.e., using the curve-specific pair of Section 10.1, which a decoder has to recognize before attempting an on-curve check). For representation details and details on the reverse mappings, see Appendix I.8. (Note that for affine points of a curve defined over a prime field this representation is consistent with the "EC" representation in Section 6.2 of [RFC7518].)

b. With the "OKP" type, each curve point is encoded by setting the parameter "x" to the "squeezed" point representation of this point, in MSB/msb-order, and converting this using the base64url encoding. For representation details and for details on the reverse mappings, see Appendix I.8. (Note that for affine points of a curve defined over a prime field this representation is consistent with the "OKP" representation in Section 2 of [RFC8037], which affords a curve-specific octet string encoding.)
In either case, if the point is a public key and its private key is to be included, the parameter "d" encodes the corresponding private key, using the octet string representation, in tight MSB/msb-order, and converting this using the base64url encoding (see Appendix I.6).

For curve points, the "crv" parameter and the parameters referenced with the applicable key type-specific settings above MUST be present in the structure, whereas the parameter "d" MUST NOT be present, while for private keys, the parameters "crv" and "d" MUST be present and the applicable key type-specific parameters of the corresponding public key are RECOMMENDED to be present.

10.2. Using ECDSA25519 and ECDSA448 with COSE and JOSE

FIPS Pub 186-4 [FIPS-186-4] specifies the signature scheme ECDSA and can be instantiated with suitable combinations of elliptic curves in short-Weierstrass form and hash functions (that satisfy particular cryptographic criteria). While this completely specifies the internal workings of the signing and signature verification operations, this does not uniquely specify the input/output formats:

a. The signing operation takes as inputs a message m (represented as a bit string) and a private key d in the interval [1,n-1] and produces as output a signature, which is an ordered pair (r, s) of integers in the interval [1,n-1], where n is the order of the base point of the curve in question;

b. The signature verification operation takes as inputs a message m, a public key Q, and a signature (r,s) and produces as output the value "valid" or "invalid", depending upon whether the message was purportedly signed by a holder of the private key of the public-private key pair (d, Q) for the curve used with the signature scheme in question.
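The encodings in Sections 10.2.1 and 10.2.2 below represent the signature as the tight concatenation r||s and specify a strict inverse mapping. As an added example, not taken from this draft or from any library, the following Python code implements that encoding for Wei25519 and Wei448, its strict decoding (length exactly 2*l, each half in [1,n-1]), and the conversion to and from the DER SEQUENCE form that X9.62/SEC1-style libraries and PKIX (Section 11.2) use. The group orders n are those of the base points of Curve25519 and Curve448 as given in [RFC7748]; the DER parser deliberately rejects non-minimal integers and trailing data, since a lenient parser would accept several encodings of the same (r, s).

```python
# Added example (not code from the draft): the fixed-size r||s signature encoding
# used with COSE and JOSE (Sections 10.2.1 and 10.2.2), its strict inverse, and
# conversion to and from the DER SEQUENCE { INTEGER r, INTEGER s } form that
# X9.62/SEC1-style libraries and PKIX (Section 11.2) use. Assumptions: n is the
# prime order of the base point of Wei25519 resp. Wei448 (the group orders of
# RFC 7748); l is the tight octet length of Z_n (32 resp. 56).

N25519 = 2**252 + 27742317777372353535851937790883648493
N448 = 2**446 - 13818066809895115352007386748515426880336692474882178609894547503885
CURVES = {"Wei25519": (N25519, 32), "Wei448": (N448, 56)}


def zne2os(v, n, l):
    """ZnE2OS: tight MSB/msb octet string of v, which must lie in [1, n-1]."""
    if not 1 <= v <= n - 1:
        raise ValueError("value not in [1, n-1]")
    return v.to_bytes(l, "big")


def os2zne_strict(s, n, l):
    """Strict OS2ZnE: exactly l octets and a value in [1, n-1], else reject."""
    if len(s) != l:
        raise ValueError("wrong length")
    v = int.from_bytes(s, "big")
    if not 1 <= v <= n - 1:
        raise ValueError("value not in [1, n-1]")
    return v


def encode_raw(r, s, crv):
    """Signature (r, s) -> r||s of exactly 2*l octets."""
    n, l = CURVES[crv]
    return zne2os(r, n, l) + zne2os(s, n, l)


def decode_raw(sig, crv):
    """Inverse mapping: length check first, then strict conversion of each half."""
    n, l = CURVES[crv]
    if len(sig) != 2 * l:
        raise ValueError("signature must be exactly 2*l octets")
    return os2zne_strict(sig[:l], n, l), os2zne_strict(sig[l:], n, l)


def _der_uint(v):
    """DER INTEGER of a non-negative value: minimal length, 0x00 prefix iff the top bit is set."""
    body = v.to_bytes(v.bit_length() // 8 + 1, "big")
    return b"\x02" + bytes([len(body)]) + body


def _read_tlv(buf, pos, tag):
    """One short-form DER TLV (lengths below 128 suffice for both curves here)."""
    if pos + 2 > len(buf) or buf[pos] != tag or buf[pos + 1] & 0x80:
        raise ValueError("bad tag or unsupported length form")
    length, pos = buf[pos + 1], pos + 2
    if pos + length > len(buf):
        raise ValueError("truncated")
    return buf[pos:pos + length], pos + length


def raw_to_der(sig, crv):
    """r||s -> DER SEQUENCE { INTEGER r, INTEGER s } (for PKIX/CMS or DER-only libraries)."""
    r, s = decode_raw(sig, crv)
    body = _der_uint(r) + _der_uint(s)
    return b"\x30" + bytes([len(body)]) + body


def der_to_raw(der, crv):
    """Strict DER parse -> r||s; rejects non-minimal INTEGERs, trailing data and
    values outside [1, n-1], all of which a lenient parser would let through."""
    n, l = CURVES[crv]
    seq, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing data after SEQUENCE")
    r_b, pos = _read_tlv(seq, 0, 0x02)
    s_b, pos = _read_tlv(seq, pos, 0x02)
    if pos != len(seq):
        raise ValueError("trailing data inside SEQUENCE")
    halves = []
    for b in (r_b, s_b):
        if not b or b[0] & 0x80 or (len(b) > 1 and b[0] == 0 and not b[1] & 0x80):
            raise ValueError("INTEGER is negative or not minimally encoded")
        halves.append(zne2os(int.from_bytes(b, "big"), n, l))
    return b"".join(halves)
```

Note that the raw form has exactly one encoding per (r, s), which is why the inverse mapping can be a plain length check plus range checks; the DER form only has that property if the parser insists on minimal encodings, as above.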
All inputs and outputs are uniquely determined by specifying the encodings of the message m, the private key d, the public key Q, the signature, and the values "valid" and "invalid".

The encodings below specify the use of instantiations of ECDSA with COSE (see Section 10.2.1) and JOSE (see Section 10.2.2), where the encoding for a specific ECDSA instantiation (i.e., with a specific short-Weierstrass curve and specific hash function) results by setting the "crv" parameter to the unique name of the underlying curve in question and the "alg" parameter to the unique name of the specific signature scheme instantiation. For JOSE, this is realized by setting the "alg" parameter to "ECDSA25519" for the ECDSA scheme defined in Section 4.3 and to "ECDSA448" for the scheme defined in Section 4.4. For COSE, this is realized by setting the "alg" parameter to "ES256" (short-hand for "ECDSA with SHA-256") for the ECDSA scheme defined in Section 4.3 and to "ECDSA with SHAKE256" for the scheme defined in Section 4.4. Note that, in the case of JOSE, the "alg" name uniquely defines the curve (and, thereby, implicitly the underlying "crv" parameter) and the underlying hash function, while in the case of COSE, the "alg" name uniquely defines the underlying hash function, but not the underlying curve. A COSE verifier therefore has to take the curve from the key's "crv" parameter and check that it is the one the application expects; "ES256" on its own does not distinguish Wei25519 from P-256.

10.2.1. Encoding of ECDSA Instantiations with COSE

Instantiations of ECDSA used with COSE use the following encodings of inputs and outputs:

a. The message m is the COSE Sig_structure as specified in Section 4.4 of [RFC8152], converted to the CBOR byte string ToBeSigned in accordance with the Core Deterministic Encoding Requirements of Section 4.2.1 of [RFC8949], converted to a bit string using the OS2BS mapping of Appendix I.4;

b. The public key Q and the private key d are encoded as specified in Section 10.1.1, where the "crv" parameter is set to the unique name of the curve used with this particular instantiation of ECDSA;

c. The COSE signature is encoded as the right-concatenation of the octet string representations of the coordinates of the signature pair (r, s), in left-to-right order, where r and s are each represented as octet strings in tight MSB/msb-order using the ZnE2OS mapping of Appendix I.6, converted to a CBOR byte string. Note that, since we use a tight representation, this right-concatenated octet string has fixed size 2*l, where the parameter l is uniquely defined by the set Z_n in question (where n is the (prime) order of the base point of the curve in question). The inverse mapping results by checking that the purported encoded signature (after CBOR decoding) has indeed size 2*l, and by converting the left-side and right-side halves of this octet string (each of length l) to, respectively, the integers r and s in Z_n, via the strict OS2ZnE mapping of Appendix I.6.

When using a COSE key for this algorithm, if the "alg" field is present, it MUST be set to the (unique) name of this particular instantiation of ECDSA and the "crv" parameter MUST be set to the (unique) name of the corresponding curve; if the "key_ops" field is present, it MUST include "sign" when creating an ECDSA signature and it MUST include "verify" when verifying an ECDSA signature.

NOTE: Care should be taken that signers and verifiers do have a common understanding of message encoding rules, since otherwise signature verification may fail for messages with the same semantics. As an example, if there is ambiguity as to whether to represent the binary digit 0 as the integer 0 or as the CBOR false value (represented as the CBOR bit string b000_00000 or b111_10100, respectively), signing and signature verification may depend on different ToBeSigned strings and, thereby, may fail unexpectedly. This explains the (strong) requirement for deterministic encoding rules above and, thereby, the requirement for strong typing of any CBOR encodings used with signed messages. Further care should be taken that message decoding rules are always unambiguous, since otherwise the semantics of signed messages may not be clear or the unforgeability property of signatures may be jeopardized.

10.2.2. Encoding of ECDSA Instantiations with JOSE

Instantiations of ECDSA used with JOSE use the following encodings of inputs and outputs:

a. The message m is the JWS Signing Input as specified in [RFC7515], converted to a bit string, using the OS2BS mapping of Appendix I.4;

b. The public key and the private key are encoded as specified in Section 10.1.2, where the "crv" parameter is set to the unique name of the curve used with this particular instantiation of ECDSA;

c. The JWS signature is encoded as the right-concatenation of the octet string representations of the coordinates of the signature pair (r, s), in left-to-right order, where r and s are each represented as octet strings in tight MSB/msb-order using the ZnE2OS mapping of Appendix I.6, converted using the base64url encoding. Note that, since we use a tight representation, this right-concatenated octet string has fixed size 2*l, where the parameter l is uniquely defined by the set Z_n in question (where n is the (prime) order of the base point of the curve in question). The inverse mapping results by checking that the purported encoded signature (after base64url decoding) has indeed size 2*l, and by converting the left-side and right-side halves of this octet string (each of length l) to, respectively, the integers r and s in Z_n, via the strict OS2ZnE mapping of Appendix I.6.

When using a JOSE key for this algorithm, if the "alg" field is present, it MUST be set to the (unique) name of this particular instantiation of ECDSA and the "crv" parameter MUST be set to the (unique) name of the corresponding curve; if the "key_ops" field is present, it MUST include "sign" when creating an ECDSA signature and it MUST include "verify" when verifying an ECDSA signature; if the JWK "use" field is present, its value MUST be "sig".

10.3. Using ECDH25519 and ECDH448 with COSE and JOSE

Section 6.1.2.2 of NIST SP 800-56A [SP-800-56a] specifies the co-factor elliptic-curve Diffie-Hellman key agreement scheme (co-factor ECDH) and can be instantiated with a suitable elliptic curve in short-Weierstrass form (that satisfies particular cryptographic criteria). While this completely specifies the internal workings of the key agreement scheme in question, this does not uniquely specify the input/output formats:

a. The co-factor Diffie-Hellman primitive (Section 5.7.1.2 of [SP-800-56a]) takes as inputs a private key d in the interval [1,n-1] from one of the parties and a point Q' obtained from the other party and produces the shared key K:=h*(d*Q'), where h and n are, respectively, the co-factor and the order of the base point of the curve in question and where Q' is a point of this curve. If this shared key K is the point at infinity O of the curve, the output is an error indicator;

b. If the shared key K is an affine point of the curve, the output is the (raw) shared secret Z, which is the fixed-size octet representation of the x-coordinate of K, using the FE2OS mapping of Appendix I.5, represented in tight MSB/msb-order (see Appendix I.7).

(NOTE: A subsequent key derivation function (kdf) takes as inputs the shared secret Z and side information OtherInfo and produces as output an octet string of DerivedKeyingMaterial, where details depend on the kdf in question. This step is out of scope.)

The inputs and outputs are uniquely determined by specifying the encodings of private keys, curve points, and the error indicator for this key agreement scheme.

The encodings below specify the use of instantiations of ECDH with COSE (see Section 10.3.1) and JOSE (see Section 10.3.2), where the encoding for a specific co-factor ECDH instantiation (i.e., with a specific short-Weierstrass curve) results by setting the "crv" parameter to the unique name of the underlying curve in question and the "alg" parameter to the unique name of the specific key agreement scheme instantiation (i.e., "ECDH25519" for the co-factor ECDH scheme defined in Section 4.1 and "ECDH448" for the scheme defined in Section 4.4). Note that, in this case, the "alg" name uniquely defines the curve (and, thereby, implicitly the underlying "crv" parameter).

10.3.1. Encoding of co-factor ECDH with COSE

Instantiations of co-factor ECDH used with COSE use the following encodings of inputs and outputs:

a. Curve points and private keys are encoded as specified in Section 10.1.1, where the "crv" parameter is set to the unique name of the curve used with this particular instantiation of ECDH.
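As an added, self-contained example (not the draft's own code and not a production implementation), the following Python code derives Wei25519 from the Curve25519 domain parameters via the isomorphism (u,v) -> (u + A/3, v) with B=1, and implements the co-factor Diffie-Hellman primitive above together with the three checks a Weierstrass-side implementation has to perform: the private key lies in [1,n-1], the received point is an affine point of the curve (which, unlike X25519, excludes points on the quadratic twist by construction, since a twist point has no y-coordinate in GF(p) for the Wei25519 equation), and h*(d*Q') is not the point at infinity, which is exactly what a small-subgroup input produces. The derived a, b and base point are assumed to coincide with the Wei25519 parameters of Appendix E.3 (they are computed here, not copied); the arithmetic is variable-time affine double-and-add, chosen for clarity.

```python
# Added example (not code from the draft): Wei25519 arithmetic derived from the
# Curve25519 parameters via the Montgomery-to-Weierstrass isomorphism
# (u, v) -> (u + A/3, v), and the co-factor Diffie-Hellman primitive
# K := h*(d*Q') of SP 800-56A with the checks of Section 10.3 (and of X25519+/X448+
# in Section 4). Assumptions: the derived a, b, G coincide with Appendix E.3
# (computed, not copied); arithmetic is plain affine double-and-add and NOT
# constant time, so this illustrates the checks, not a production implementation.

P = 2**255 - 19
A_MONT = 486662                                      # Curve25519: v^2 = u^3 + A*u^2 + u (B = 1)
N = 2**252 + 27742317777372353535851937790883648493  # prime order of the base point
H = 8                                                # co-factor

INV3 = pow(3, -1, P)
A_WEI = (1 - A_MONT * A_MONT * INV3) % P                               # a = 1 - A^2/3
B_WEI = A_MONT * (2 * A_MONT * A_MONT - 9) * pow(INV3, 3, P) % P       # b = A(2A^2 - 9)/27
O = None                                             # point at infinity


def mont_to_wei(u, v):
    """Isomorphism from Curve25519 (B = 1) to Wei25519: x = u + A/3, y = v."""
    return ((u + A_MONT * INV3) % P, v % P)


def is_on_curve(pt):
    """Affine point of y^2 = x^3 + a*x + b over GF(p)? (O counts as on the curve.)"""
    if pt is O:
        return True
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A_WEI * x + B_WEI)) % P == 0


def add(p1, p2):
    """Affine addition, covering doubling and the inverse/order-2 cases."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:          # p2 = -p1, including y = 0 (order-2 point)
            return O
        lam = (3 * x1 * x1 + A_WEI) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Left-to-right double-and-add (variable time; fine for a demonstration)."""
    acc = O
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc


def sqrt_mod_p(a):
    """Square root in GF(p) for p = 5 mod 8; raises if a is a non-residue."""
    r = pow(a, (P + 3) // 8, P)
    if (r * r - a) % P:
        r = r * pow(2, (P - 1) // 4, P) % P      # multiply by sqrt(-1)
    if (r * r - a) % P:
        raise ValueError("not a square")
    return r


def u_on_curve25519(u):
    """True if u is the u-coordinate of a point of Curve25519 rather than of its twist."""
    try:
        sqrt_mod_p((u * u * u + A_MONT * u * u + u) % P)
        return True
    except ValueError:
        return False


G = mont_to_wei(9, sqrt_mod_p((9**3 + A_MONT * 9**2 + 9) % P))   # base point, u = 9
T2 = mont_to_wei(0, 0)                                          # Montgomery (0,0): order 2


def cofactor_ecdh(d, q_peer):
    """SP 800-56A co-factor DH primitive on Wei25519: returns Z, the tight MSB/msb
    x-coordinate of K = h*(d*Q'), or raises (the 'error indicator')."""
    if not 1 <= d <= N - 1:
        raise ValueError("private key not in [1, n-1]")
    if q_peer is O or not is_on_curve(q_peer):
        raise ValueError("peer key is not an affine point of Wei25519")   # twist or garbage
    k = mul(H, mul(d, q_peer))
    if k is O:
        raise ValueError("shared key is the point at infinity")          # small-subgroup input
    return k[0].to_bytes(32, "big")
```

Feeding the order-2 point T2 (the image of Montgomery (0,0)) to `cofactor_ecdh` raises, which is the behaviour X25519+ mandates and X25519 merely allows; a point with the base point's x-coordinate and y=0 is rejected by the on-curve check before any scalar multiplication takes place.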
When using a COSE key for this algorithm, if the "alg" field is present, it MUST be set to the (unique) name of this particular instantiation of co-factor ECDH and the "crv" parameter MUST be set to the (unique) name of the corresponding curve; if the "key_ops" field is present, it MUST include "derive key" or "derive bits" for the private key (these are the key operation values registered by [RFC8152]; "derive shared secret" is not among them).

10.3.2. Encoding of co-factor ECDH with JOSE

Instantiations of co-factor ECDH used with JOSE use the following encodings of inputs and outputs:

a. Curve points and private keys are encoded as specified in Section 10.1.2, where the "crv" parameter is set to the unique name of the curve used with this particular instantiation of ECDH.

When using a JOSE key for this algorithm, if the "alg" field is present, it MUST be set to the (unique) name of this particular instantiation of co-factor ECDH and the "crv" parameter MUST be set to the (unique) name of the corresponding curve; if the "key_ops" field is present, it MUST include "deriveKey" or "deriveBits" for the private key (the key operation values defined for JSON Web Keys in RFC 7517).

11. Using Wei25519 and Wei448 with PKIX and CMS

This section illustrates how to use the curves Wei25519 and Wei448 with ECDH and ECDSA with PKIX certificates (see [RFC5280] and [RFC5480]) and with CMS (see [RFC5652] and [RFC5753]).

11.1. Encoding of Short-Weierstrass Curves with PKIX

The namedCurve field in the ECParameters field in the SubjectPublicKeyInfo structure [RFC5280] indicates the elliptic curve domain parameters for a specific curve, via a unique name of the curve in question (where these are the unique object identifiers id-Wei25519 for the curve Wei25519 and id-Wei448 for the curve Wei448).

Affine and compressed curve points are encoded using the "SEC1" representation (see Note 2 of Appendix I.8), using the tight MSB/msb-ordering conventions. This is consistent with the representation in Section 2.2 of [RFC5480], after correcting for the error in [SEC1] (for the correction, see the Note in Appendix H.1).

11.2. Encoding of ECDSA Instantiations with PKIX

ECDSA25519, as defined in Section 4.3, is the instantiation of ECDSA with SHA-256 and with curve Wei25519. With [RFC5480], ECDSA can be instantiated with suitable elliptic curves and hash functions. This allows support for ECDSA25519 by instantiating ECDSA with the curve Wei25519 and the hash function SHA-256, where curve Wei25519 is identified by its object identifier id-Wei25519 (see Section 11.1), where ECDSA with SHA-256 is identified by the object identifier id-ecdsa-with-SHA256 (see [RFC5480]), and where all other aspects are specified in [RFC5480].

ECDSA448, as defined in Section 4.4, is the instantiation of ECDSA with SHAKE256 with output size d=512 bits and with curve Wei448. With [RFC5480], ECDSA can be instantiated with suitable elliptic curves and hash functions. This allows support for ECDSA448 by instantiating ECDSA with the curve Wei448 and the hash function SHAKE256 with output size of d=512 bits, where curve Wei448 is identified by its object identifier id-Wei448 (see Section 11.1), where ECDSA with SHAKE256 with output size of d=512 bits is identified by the object identifier id-ecdsa-with-shake256 (see [RFC8692]), and where all other aspects are specified in [RFC5480].

11.3. Encoding of co-factor ECDH and Other Algorithms with PKIX

With [RFC5480], the algorithm field in the SubjectPublicKeyInfo structure indicates the algorithm and the elliptic curve domain parameters for a specific curve, where that specification defines three algorithm identifiers (viz. id-ecPublicKey, id-ecDH, and id-ecMQV). Each of these algorithms can be instantiated with suitable elliptic curves, thereby allowing support for their use with the curves Wei25519 and Wei448, where these curves are identified by their unique object identifiers id-Wei25519 and id-Wei448, respectively (see Section 11.1), and where all other aspects are specified in [RFC5480].

11.4. Encoding of Elliptic-Curve-Based Algorithms with CMS

With [RFC5753], elliptic-curve based algorithms should use one of the elliptic curve domain parameters specified in [RFC5480], where the unique name of each such curve is identified by the object identifier of this curve defined in that document. Each of these algorithms can be instantiated with suitable elliptic curves, thereby allowing support for their use with the curves Wei25519 and Wei448, where these curves are identified by their unique object identifiers id-Wei25519 and id-Wei448, respectively (see Section 11.1), and where all other aspects are specified in [RFC5753].

12. IANA Considerations

Code points are requested for curves Wei25519 and Wei448 and their use with ECDSA and co-factor ECDH, using the representation conventions of this document.

New code points would be required in case one wishes to specify one or more other "offspring" protocols beyond those exemplified in Section 4.4. Specification hereof is, however, outside the scope of the current document.

12.1. OIDs for Use with PKIX and CMS

This section registers the following object identifiers for the curves introduced in this document:

a. id-Wei25519 OBJECT IDENTIFIER ::= TBD (Requested value: {iso(1) identified-organization(3) thawte (101) 108 });

b. id-Wei448 OBJECT IDENTIFIER ::= TBD (Requested value: {iso(1) identified-organization(3) thawte (101) 109 }).

For a description of how these are used with PKIX certificates and CMS, see Section 11.
12.2. COSE/JOSE IANA Considerations for Wei25519

12.2.1. COSE Elliptic Curves Registration

This section registers the following value in the IANA "COSE Elliptic Curves" registry [IANA.COSE.Curves].

   Name: Wei25519;
   Value: TBD (Requested value: -1);
   Key Type: EC2 or OKP;
   Description: short-Weierstrass curve Wei25519;
   Change Controller: IESG;
   Reference: specified in Appendix E.3 of this specification; for encodings, see Section 10.1;
   Recommended: Yes.

(Note that the "kty" value for Wei25519 may be "EC2" or "OKP".)

12.2.2. COSE Algorithms Registration

This section registers the following value in the IANA "COSE Algorithms" registry [IANA.COSE.Algorithms].

   Name: ECDH25519;
   Value: TBD (Requested value: -24);
   Description: NIST-compliant co-factor Diffie-Hellman w/ curve Wei25519 and key derivation function HKDF SHA256;
   Change Controller: IESG;
   Reference: specified in Section 4.1 of this specification; for encodings, see Section 10.3;
   Recommended: Yes.

12.2.3. JOSE Elliptic Curves Registration

This section registers the following value in the IANA "JSON Web Key Elliptic Curve" registry [IANA.JOSE.Curves].

   Curve Name: Wei25519;
   Curve Description: short-Weierstrass curve Wei25519;
   JOSE Implementation Requirements: Optional;
   Change Controller: IESG;
   Reference: specified in Appendix E.3 of this specification; for encodings, see Section 10.1.

(Note that the "kty" value for Wei25519 may be "EC" or "OKP".)

12.2.4. JOSE Algorithms Registration (1/2)

This section registers the following value in the IANA "JSON Web Signature and Encryption Algorithms" registry [IANA.JOSE.Algorithms].

   Algorithm Name: ECDSA25519;
   Algorithm Description: ECDSA using SHA-256 and curve Wei25519;
   Algorithm Usage Locations: alg;
   JOSE Implementation Requirements: Optional;
   Change Controller: IESG;
   Reference: specified in Section 4.3 of this specification; for encodings, see Section 10.2;
   Algorithm Analysis Document(s): Section 4.3 of this specification.

12.2.5. JOSE Algorithms Registration (2/2)

This section registers the following value in the IANA "JSON Web Signature and Encryption Algorithms" registry [IANA.JOSE.Algorithms].

   Algorithm Name: ECDH25519;
   Algorithm Description: NIST-compliant co-factor Diffie-Hellman w/ curve Wei25519 and key derivation function HKDF SHA256;
   Algorithm Usage Locations: alg;
   JOSE Implementation Requirements: Optional;
   Change Controller: IESG;
   Reference: specified in Section 4.1 of this specification; for encodings, see Section 10.3;
   Algorithm Analysis Document(s): Section 4.1 of this specification.

12.3. COSE/JOSE IANA Considerations for Wei448

12.3.1. COSE Elliptic Curves Registration

This section registers the following value in the IANA "COSE Elliptic Curves" registry [IANA.COSE.Curves].

   Name: Wei448;
   Value: TBD (Requested value: -2);
   Key Type: EC2 or OKP;
   Description: short-Weierstrass curve Wei448;
   Change Controller: IESG;
   Reference: specified in Appendix M.3 of this specification; for encodings, see Section 10.1;
   Recommended: Yes.

(Note that the "kty" value for Wei448 may be "EC2" or "OKP".)

12.3.2. COSE Algorithms Registration (1/2)

This section registers the following value in the IANA "COSE Algorithms" registry [IANA.COSE.Algorithms].
   Name: ECDSA with SHAKE256;
   Value: TBD (Requested value: -48);
   Description: ECDSA with SHAKE256;
   Change Controller: IESG;
   Reference: specified in Section 4.4 of this specification; for encodings, see Section 10.2;
   Recommended: Yes.

12.3.3. COSE Algorithms Registration (2/2)

This section registers the following value in the IANA "COSE Algorithms" registry [IANA.COSE.Algorithms].

   Name: ECDH448;
   Value: TBD (Requested value: -49);
   Description: NIST-compliant co-factor Diffie-Hellman w/ curve Wei448 and key derivation function HKDF SHA512;
   Change Controller: IESG;
   Reference: specified in Section 4.4 of this specification; for encodings, see Section 10.1; for key derivation, see Section 11.1 of [RFC8152];
   Recommended: Yes.

12.3.4. JOSE Elliptic Curves Registration

This section registers the following value in the IANA "JSON Web Key Elliptic Curve" registry [IANA.JOSE.Curves].

   Curve Name: Wei448;
   Curve Description: short-Weierstrass curve Wei448;
   JOSE Implementation Requirements: Optional;
   Change Controller: IESG;
   Reference: specified in Appendix M.3 of this specification; for encodings, see Section 10.1.

(Note that the "kty" value for Wei448 may be "EC" or "OKP".)

12.3.5. JOSE Algorithms Registration (1/2)

This section registers the following value in the IANA "JSON Web Signature and Encryption Algorithms" registry [IANA.JOSE.Algorithms].

   Algorithm Name: ECDSA448;
   Algorithm Description: ECDSA using SHAKE256 and curve Wei448;
   Algorithm Usage Locations: alg;
   JOSE Implementation Requirements: Optional;
   Change Controller: IESG;
   Reference: specified in Section 4.4 of this specification; for encodings, see Section 10.2;
   Algorithm Analysis Document(s): Section 4.4 of this specification.

12.3.6. JOSE Algorithms Registration (2/2)

This section registers the following value in the IANA "JSON Web Signature and Encryption Algorithms" registry [IANA.JOSE.Algorithms].

   Algorithm Name: ECDH448;
   Algorithm Description: NIST-compliant co-factor Diffie-Hellman w/ curve Wei448;
   Algorithm Usage Locations: alg;
   JOSE Implementation Requirements: Optional;
   Change Controller: IESG;
   Reference: specified in Section 4.4 of this specification; for encodings, see Section 10.3;
   Algorithm Analysis Document(s): Section 4.4 of this specification.

13. Acknowledgements

Thanks to Nikolas Rosener for discussions surrounding implementation details of the techniques described in this document and to Phillip Hallam-Baker for triggering inclusion of verbiage on the use of Montgomery ladders with recovery of the y-coordinate. Thanks to Stanislav Smyshlyaev, Vasily Nikolaev, and Benjamin Smith for their careful reviews.

14. References

14.1. Normative References

[ANSI-X9.62] ANSI X9.62-2005, "Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)", American National Standard for Financial Services, Accredited Standards Committee X9, Inc, Annapolis, MD, 2005.

[FIPS-180-4] FIPS 180-4, "Secure Hash Standard (SHS), Federal Information Processing Standards Publication 180-4", US Department of Commerce/National Institute of Standards and Technology, Gaithersburg, MD, August 2015.

[FIPS-186-4] FIPS 186-4, "Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-4", US Department of Commerce/National Institute of Standards and Technology, Gaithersburg, MD, July 2013.
[FIPS-202] FIPS 202, "SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions, Federal Information Processing Standards Publication 202", US Department of Commerce/National Institute of Standards and Technology, Gaithersburg, MD, August 2015.

[I-D.ietf-cose-rfc8152bis-algs] Schaad, J., "CBOR Object Signing and Encryption (COSE): Initial Algorithms", draft-ietf-cose-rfc8152bis-algs-12 (work in progress), September 2020.

[RFC0020] Cerf, V., "ASCII format for network interchange", STD 80, RFC 20, DOI 10.17487/RFC0020, October 1969.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.

[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006.

[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008.

[RFC5480] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk, "Elliptic Curve Cryptography Subject Public Key Information", RFC 5480, DOI 10.17487/RFC5480, March 2009.

[RFC5639] Lochter, M. and J. Merkle, "Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation", RFC 5639, DOI 10.17487/RFC5639, March 2010.

[RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, RFC 5652, DOI 10.17487/RFC5652, September 2009.

[RFC5753] Turner, S. and D. Brown, "Use of Elliptic Curve Cryptography (ECC) Algorithms in Cryptographic Message Syntax (CMS)", RFC 5753, DOI 10.17487/RFC5753, January 2010.

[RFC7515] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May 2015.

[RFC7518] Jones, M., "JSON Web Algorithms (JWA)", RFC 7518, DOI 10.17487/RFC7518, May 2015.

[RFC7696] Housley, R., "Guidelines for Cryptographic Algorithm Agility and Selecting Mandatory-to-Implement Algorithms", BCP 201, RFC 7696, DOI 10.17487/RFC7696, November 2015.

[RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves for Security", RFC 7748, DOI 10.17487/RFC7748, January 2016.

[RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running Code: The Implementation Status Section", BCP 205, RFC 7942, DOI 10.17487/RFC7942, July 2016.

[RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital Signature Algorithm (EdDSA)", RFC 8032, DOI 10.17487/RFC8032, January 2017.

[RFC8037] Liusvaara, I., "CFRG Elliptic Curve Diffie-Hellman (ECDH) and Signatures in JSON Object Signing and Encryption (JOSE)", RFC 8037, DOI 10.17487/RFC8037, January 2017.

[RFC8152] Schaad, J., "CBOR Object Signing and Encryption (COSE)", RFC 8152, DOI 10.17487/RFC8152, July 2017.

[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017.

[RFC8692] Kampanakis, P. and Q. Dang, "Internet X.509 Public Key Infrastructure: Additional Algorithm Identifiers for RSASSA-PSS and ECDSA Using SHAKEs", RFC 8692, DOI 10.17487/RFC8692, December 2019.

[RFC8949] Bormann, C. and P. Hoffman, "Concise Binary Object Representation (CBOR)", STD 94, RFC 8949, DOI 10.17487/RFC8949, December 2020.

[SEC1] SEC1, "SEC 1: Elliptic Curve Cryptography, Version 2.0", Standards for Efficient Cryptography, June 2009.
[SEC2] SEC2, "SEC 2: Elliptic Curve Cryptography, Version 2.0", Standards for Efficient Cryptography, January 2010.

[SP-800-56a] NIST SP 800-56a, "Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Log Cryptography, Revision 3", US Department of Commerce/National Institute of Standards and Technology, Gaithersburg, MD, April 2018.

[SP-800-56c] NIST SP 800-56c, "Recommendation for Key-Derivation Methods in Key-Establishment Schemes, Revision 1", US Department of Commerce/National Institute of Standards and Technology, Gaithersburg, MD, April 2018.

14.2. Informative References

[comm-FIPS-186-5] FIPS 186-5, "Public Comments Received on Draft FIPS Pub 186-5", US Department of Commerce/National Institute of Standards and Technology, Gaithersburg, MD, April 6, 2020.

[draft-FIPS-186-5] FIPS 186-5, "Digital Signature Standard (DSS) (Draft)", US Department of Commerce/National Institute of Standards and Technology, Gaithersburg, MD, October 31, 2019.

[draft-NIST-800-186] NIST SP 800-186, "Recommendations for Discrete Logarithm-Based Cryptography, Elliptic Curve Domain Parameters (Draft)", US Department of Commerce/National Institute of Standards and Technology, Gaithersburg, MD, October 31, 2019.

[ECC] I.F. Blake, G. Seroussi, N.P. Smart, "Elliptic Curves in Cryptography", Cambridge University Press, Lecture Notes Series 265, July 1999.

[ECC-Isogeny] E. Brier, M. Joye, "Fast Point Multiplication on Elliptic Curves through Isogenies", AAECC, Lecture Notes in Computer Science, Vol. 2643, New York: Springer-Verlag, 2003.

[FIPS-140-2] FIPS 140-2, "Implementation Guidance for FIPS 140-2 and the Cryptographic Module Validation Program", US Department of Commerce/National Institute of Standards and Technology, Gaithersburg, MD, August 28, 2020.

[GECC] D. Hankerson, A.J. Menezes, S.A. Vanstone, "Guide to Elliptic Curve Cryptography", New York: Springer-Verlag, 2004.

[Handbook] A.J. Menezes, P. van Oorschot, S.A. Vanstone, "Handbook of Applied Cryptography", Boca Raton: CRC Press, 1995.

[IANA.COSE.Algorithms] IANA, "COSE Algorithms", IANA, https://www.iana.org/assignments/cose/cose.xhtml#algorithms.

[IANA.COSE.Curves] IANA, "COSE Elliptic Curves", IANA, https://www.iana.org/assignments/cose/cose.xhtml#elliptic-curves.

[IANA.JOSE.Algorithms] IANA, "JSON Web Signature and Encryption Algorithms", IANA, https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms.

[IANA.JOSE.Curves] IANA, "JSON Web Key Elliptic Curve", IANA, https://www.iana.org/assignments/jose/jose.xhtml#web-key-elliptic-curve.

[Mont-Ladder] P.L. Montgomery, "Speeding the Pollard and Elliptic Curve Methods of Factorization", Mathematics of Computation, Vol. 48, 1987.

[RFC8928] Thubert, P., Ed., Sarikaya, B., Sethi, M., and R. Struik, "Address-Protected Neighbor Discovery for Low-Power and Lossy Networks", RFC 8928, DOI 10.17487/RFC8928, November 2020.

[Rosener] N. Rosener, "Evaluating the Performance of Transformations Between Curve Representations in Elliptic Curve Cryptography for Constrained Device Security", M.Sc. Universitat Bremen, August 2018.

[SWUmap] E. Brier, J-S. Coron, Th. Icart, D. Madore, H. Randriam, M. Tibouchi, "Efficient Indifferentiable Hashing into Ordinary Elliptic Curves", CRYPTO 2010, Lecture Notes in Computer Science, Vol. 6223, New York: Springer-Verlag, 2010.

[tEd] D.J. Bernstein, P. Birkner, M. Joye, T. Lange, C. Peters, "Twisted Edwards Curves", Africacrypt 2008, Lecture Notes in Computer Science, Vol. 5023, New York: Springer-Verlag, 2008.

[tEd-Formulas] H. Hisil, K.K.H. Wong, G. Carter, E. Dawson, "Twisted Edwards Curves Revisited", ASIACRYPT 2008, Lecture Notes in Computer Science, Vol. 5350, New York: Springer-Verlag, 2008.

[Tibouchi] M. Tibouchi, "Elligator Squared -- Uniform Points on Elliptic Curves of Prime Order as Uniform Random Strings", Financial Cryptography 2014, Lecture Notes in Computer Science, Vol. 8437, New York: Springer-Verlag, 2014.

[Tibouchi-cleancut] T. Kim, M. Tibouchi, "Improved Elliptic Curve Hashing and Point Representation", DCC 2017, Des. Codes Cryptogr., Vol. 82, pp. 161-177, New York: Springer-Verlag, 2017.

[Wei-Ladder] T. Izu, Ts. Takagi, "A Fast Parallel Elliptic Curve Multiplication Resistant Against Side Channel Attacks", Centre for Applied Cryptographic Research, Corr 2002-03, 2002.

Appendix A. Some (Non-Binary) Elliptic Curves

This section defines the three different curve models we consider, viz. short-Weierstrass curves, Montgomery curves, and twisted Edwards curves. For nomenclature, see Appendix B.

A.1. Curves in Short-Weierstrass Form

Let GF(q) denote the finite field with q elements, where q is an odd prime power and where q is not divisible by three. Let W_{a,b} be the Weierstrass curve with defining equation Y^2 = X^3 + a*X + b, where a and b are elements of GF(q) and where 4*a^3 + 27*b^2 is nonzero. The points of W_{a,b} are the ordered pairs (X, Y) whose coordinates are elements of GF(q) and that satisfy the defining equation (the so-called affine points), together with the special point O (the so-called "point at infinity"). This set forms a group under addition, via the so-called "chord-and-tangent" rule, where the point at infinity serves as the identity element. See Appendix C.1 for details of the group operation.
A quadratic twist of W_{a,b} is a curve W_{a',b'} defined over the same field for which a':=a*gamma^2 and b':=b*gamma^3, where gamma is an element of GF(q) that is not a square in GF(q).

A.2. Montgomery Curves

Let GF(q) denote the finite field with q elements, where q is an odd prime power. Let M_{A,B} be the Montgomery curve with defining equation B*v^2 = u^3 + A*u^2 + u, where A and B are elements of GF(q) and where A is unequal to (+/-)2 and where B is nonzero. The points of M_{A,B} are the ordered pairs (u, v) whose coordinates are elements of GF(q) and that satisfy the defining equation (the so-called affine points), together with the special point O (the so-called "point at infinity"). This set forms a group under addition, via the so-called "chord-and-tangent" rule, where the point at infinity serves as the identity element. See Appendix C.2 for details of the group operation.

A quadratic twist of M_{A,B} is a curve M_{A',B'} defined over the same field for which A':=A and B':=B*gamma, where gamma is an element of GF(q) that is not a square in GF(q).

A.3. Twisted Edwards Curves

Let GF(q) denote the finite field with q elements, where q is an odd prime power. Let E_{a,d} be the twisted Edwards curve with defining equation a*x^2 + y^2 = 1 + d*x^2*y^2, where a and d are distinct nonzero elements of GF(q). The points of E_{a,d} are the ordered pairs (x, y) whose coordinates are elements of GF(q) and that satisfy the defining equation (the so-called affine points). It can be shown that this set forms a group under addition if a is a square in GF(q), whereas d is not, where the point O:=(0, 1) serves as the identity element. (Note that the identity element satisfies the defining equation.) See Appendix C.3 for details of the group operation.
(All curves E_{a,d} in this document are assumed to satisfy the condition on domain parameters a and d above and, thereby, satisfy the Note in that appendix.)

An Edwards curve is a twisted Edwards curve with a=1.

A quadratic twist of E_{a,d} is a curve E_{a',d'} defined over the same field for which a':=a*gamma and d':=d*gamma, where gamma is an element of GF(q) that is not a square in GF(q).

Appendix B. Elliptic Curve Nomenclature and Finite Fields

This section provides brief background information on elliptic curves and finite fields that should be sufficient to understand constructions and examples in this document.

B.1. Elliptic Curve Nomenclature

The set of points of each curve defined in Appendix A forms a commutative group under addition (denoted by '+'). In Appendix C we specify the group laws, which depend on the curve model in question. For completeness, we here include some common elliptic curve nomenclature and basic properties (primarily so as to keep this document self-contained). These notions are mainly used in Appendix E and Appendix G and not essential for our exposition. This section can be skipped at first reading.

Any point P of a curve E is a generator of the cyclic subgroup <P>:={k*P | k = 0, 1, 2,...} of the curve. (Here, k*P denotes the sum of k copies of P, where 0*P is the identity element O of the curve; k*P is commonly referred to as scalar multiplication of P by k.) If <P> has cardinality l, then l is called the order of P and l is the smallest positive integer so that l*P=O. The order of curve E is the cardinality of the set of its points, commonly denoted by |E|. A curve is cyclic if it is generated by some point of this curve. All curves of prime order are cyclic, while all curves of order h*n, where n is a large prime number and where h is a small number (the so-called co-factor), have a large cyclic subgroup of prime order n. In this case, a generator of order n is called a base point, commonly denoted by G, while a point of order dividing h is said to be in the small subgroup (or said to be a low-order point). For curves of prime order, this small subgroup is the singleton set, consisting of only the identity element O. A point that is not in the small subgroup is said to be a high-order point (since it has order at least n). A point P of the curve is in the small subgroup if h*P=O (and is a high-order point otherwise); this point P has order n if n*P=O and if it is not the identity element O. (The latter order check is commonly called full public key validation.) The above definitions extend to curves with a relatively large co-factor, by defining n to be the size of its largest prime-order subgroup.

If R is a point of the curve that is also contained in <P>, there is a unique integer k in the interval [0, l-1] so that R=k*P, where l is the order of P. This number is called the discrete logarithm of R to the base P. The discrete logarithm problem is the problem of finding the discrete logarithm of R to the base P for any two points P and R of the curve, if such a number exists.

Random points R of <P>, where P has order l, can be computed by generating a random integer k in the interval [0, l-1] and by subsequently computing R:=k*P, where R then has order l/gcd(k,l). In particular, if P is a high-order point (of curve E of order h*n), then so is R, unless k is a multiple of n (in which case R is a low-order point). For methods for generating k, see Appendix P.

If P is a fixed base point G of the curve, the pair (k, R:=k*G) is commonly called a public-private key pair, the integer k the private key, and the point R the corresponding public key. The private key k can be represented as an integer in the interval [0,n-1], where G has order n. If this representation is nonzero, R has order n; otherwise, it has order one and is the identity element O of the curve.

A curve E defined over the field GF(q) has order |E| relatively close to q. More precisely, |E|=q+1-t for some integer t (the so-called trace) with absolute value at most 2*|sqrt(q)|. This is commonly referred to as the Hasse bound.

In this document, a quadratic twist of a curve E defined over a field GF(q) is a specific curve E' related to E defined over the same field, with cardinality |E'|, where |E|+|E'|=2*(q+1). If E is a curve in one of the curve models specified in this document, a quadratic twist E' of this curve can be expressed using the same curve model, although (naturally) with its own curve parameters (see Appendix A). Points that are points of both E and E' have order one or two. Two curves E1 and E2 defined over the field GF(q) are said to be isogenous if these have the same order and are said to be isomorphic if the defining equation of E1 can be transformed into the defining equation of E2 via a so-called admissible change of variables. Note that isomorphic curves have necessarily the same order and are, thus, a special case of isogenous curves. Isomorphic curves have the same group structure, whereas this is not necessarily the case for isogenous curves. Further details are out of scope.

Curves in short-Weierstrass form can have prime order, whereas Montgomery curves and twisted Edwards curves always have an order that is a multiple of four (and, thereby, a small subgroup of cardinality four).

An ordered pair (x, y) whose coordinates are elements of GF(q) can be associated with any ordered triple of the form [x*z: y*z: z], where z is a nonzero element of GF(q), and can be uniquely recovered from such a representation. The latter representation is commonly called a representation in projective coordinates. Sometimes, yet other representations are useful (e.g., representation in Jacobian coordinates). Further details are out of scope.

The group laws in Appendix C are mostly expressed in terms of affine points, but can also be expressed in terms of the representation of these points in projective coordinates, thereby allowing clearing of denominators. The group laws may also involve non-affine points (such as the point at infinity O of a Weierstrass curve or of a Montgomery curve). Those can also be represented in projective coordinates. Further details are out of scope.

B.2. Finite Fields

The field GF(q), where q is a prime power, is defined as follows.

If q:=p is a prime number, the field GF(p) consists of the integers in the interval [0,p-1] and two binary operations on this set: addition and multiplication modulo p. This field is commonly called a prime field. The additive and multiplicative identity elements are 0 and 1, respectively.
If q:=p^m, where p is a prime number and where m>0, the field GF(q) is defined in terms of an irreducible polynomial f(z) in z of degree m with coefficients in GF(p) (i.e., f(z) cannot be written as the product of two polynomials in z of lower degree with coefficients in GF(p)): in this case, GF(q) consists of the polynomials in z of degree smaller than m with coefficients in GF(p) and two binary operations on this set: polynomial addition and polynomial multiplication modulo the irreducible polynomial f(z). By definition, each element x of GF(q) is a polynomial in z of degree smaller than m and can, therefore, be uniquely represented as a vector (x_{m-1}, x_{m-2}, ..., x_1, x_0) of length m with coefficients in GF(p), where x_i is the coefficient of z^i of polynomial x. Note that this representation depends on the irreducible polynomial f(z) of the field GF(p^m) in question (which is often fixed in practice). Note that GF(q) contains the prime field GF(p) as a subset. If m=1, the definitions of GF(p) and GF(p^1) above coincide, since each nonzero element of GF(p) can be viewed as a polynomial in z of degree zero. If m>1 (i.e., if q is a strict prime power), then GF(q) is called a (nontrivial) extension field of GF(p). The number p is called the characteristic of GF(q).

Any nonzero element g of GF(q) is a generator of the cyclic multiplicative subgroup <g>:={g^k | k = 0, 1, 2,...} of GF(q)\{0}. (Here, g^k denotes the product of k copies of g, where g^0 is the multiplicative identity element 1 of GF(q)\{0}.) If <g> has cardinality l, then l is called the order of g and l is the smallest positive integer so that g^l=1. For each finite field GF(q), the set GF(q)\{0} forms a cyclic group, i.e., it is generated by some nonzero element hereof. Each such generator is called a primitive element of GF(q) and has order q-1. Each nonzero element of GF(q) has order dividing q-1 (a property commonly referred to as Fermat's Little Theorem).

A field element y is called a square in GF(q) if it can be expressed as y:=x^2 for some x in GF(q); it is called a non-square in GF(q) otherwise. If y is a square in GF(q), we denote by sqrt(y) one of its square roots (the other one being -sqrt(y)). For methods for computing square roots in GF(q) (if these exist) and for computing inverses in GF(q)\{0}, see Appendix K.1 and Appendix K.2, respectively. For methods for mapping a nonzero field element that is not a square in GF(q) to a point of a curve, see Appendix K.3 (or see Appendix K.4, if one wishes to always obtain a high-order point of the curve in question).

NOTE: The curves in Appendix E and Appendix G are all defined over a prime field GF(p), thereby reducing all operations to simple modular integer arithmetic. Strictly speaking we could, therefore, have refrained from introducing extension fields. Nevertheless, we included the more general exposition, so as to accommodate potential introduction of new curves that are defined over a (nontrivial) extension field at some point in the future. This includes curves proposed for post-quantum isogeny-based schemes, which are defined over a quadratic extension field (i.e., where q:=p^2), and elliptic curves used with pairing-based cryptography. The exposition in either case is almost the same and now automatically yields, e.g., data conversion routines for any finite field object (see Appendix I). Readers not interested in this could simply view all fields as prime fields.

Appendix C. Elliptic Curve Group Operations

This section specifies group operations for elliptic curves in short-Weierstrass form, for Montgomery curves, and for twisted Edwards curves.

C.1. Group Laws for Weierstrass Curves

For each point P of the Weierstrass curve W_{a,b}, the point at infinity O serves as identity element, i.e., P + O = O + P = P.

For each affine point P:=(X, Y) of the Weierstrass curve W_{a,b}, the point -P is the point (X, -Y) and one has P + (-P) = O (i.e., -P is the inverse of P). For the point at infinity O, one has -O:=O.

Let P1:=(X1, Y1) and P2:=(X2, Y2) be distinct affine points of the Weierstrass curve W_{a,b} and let Q:=P1 + P2, where Q is not the identity element. Then Q=(X, Y), where

   X + X1 + X2 = lambda^2 and Y + Y1 = lambda*(X1 - X), where

   lambda:=(Y2 - Y1)/(X2 - X1).

Let P:=(X1, Y1) be an affine point of the Weierstrass curve W_{a,b} and let Q:=2*P, where Q is not the identity element. Then Q=(X, Y), where

   X + 2*X1 = lambda^2 and Y + Y1 = lambda*(X1 - X), where

   lambda:=(3*X1^2 + a)/(2*Y1).

From the group laws above it follows that if P=(X, Y), P1=(X1, Y1), and P2=(X2, Y2) are distinct affine points of the Weierstrass curve W_{a,b} with P2:=P+P1 and if Y is nonzero, then the Y-coordinate of P1 can be expressed in terms of the X-coordinates of P, P1, and P2, and the Y-coordinate of P, since

   2*Y*Y1=(X*X1+a)*(X+X1)+2*b-X2*(X-X1)^2.

This property allows recovery of the Y-coordinate of a point P1=k*P that is computed via the so-called Montgomery ladder, where P is an affine point with nonzero Y-coordinate (i.e., it does not have order two). For future reference, note that the expression above uniquely determines the X-coordinate of P2 in terms of the X-coordinates of P and P1 and the product of their Y-coordinates. Further details are out of scope.

C.2. Group Laws for Montgomery Curves

For each point P of the Montgomery curve M_{A,B}, the point at infinity O serves as identity element, i.e., P + O = O + P = P.
For each affine point P:=(u, v) of the Montgomery curve M_{A,B}, the point -P is the point (u, -v) and one has P + (-P) = O (i.e., -P is the inverse of P). For the point at infinity O, one has -O:=O.

Let P1:=(u1, v1) and P2:=(u2, v2) be distinct affine points of the Montgomery curve M_{A,B} and let Q:=P1 + P2, where Q is not the identity element. Then Q=(u, v), where

   u + u1 + u2 = B*lambda^2 - A and v + v1 = lambda*(u1 - u), where

   lambda:=(v2 - v1)/(u2 - u1).

Let P:=(u1, v1) be an affine point of the Montgomery curve M_{A,B} and let Q:=2*P, where Q is not the identity element. Then Q=(u, v), where

   u + 2*u1 = B*lambda^2 - A and v + v1 = lambda*(u1 - u), where

   lambda:=(3*u1^2 + 2*A*u1 + 1)/(2*B*v1).

From the group laws above it follows that if P=(u, v), P1=(u1, v1), and P2=(u2, v2) are distinct affine points of the Montgomery curve M_{A,B} with P2:=P+P1 and if v is nonzero, then the v-coordinate of P1 can be expressed in terms of the u-coordinates of P, P1, and P2, and the v-coordinate of P, since

   2*B*v*v1=(u*u1+1)*(u+u1+2*A)-2*A-u2*(u-u1)^2.

This property allows recovery of the v-coordinate of a point P1=k*P that is computed via the so-called Montgomery ladder, where P is an affine point with nonzero v-coordinate (i.e., it does not have order two). For future reference, note that the expression above uniquely determines the u-coordinate of P2 in terms of the u-coordinates of P and P1 and the product of their v-coordinates. Further details are out of scope.

C.3. Group Laws for Twisted Edwards Curves

Note: The group laws below hold for twisted Edwards curves E_{a,d} where a is a square in GF(q), whereas d is not. In this case, the addition formulae below are defined for each pair of points, without exceptions. Generalizations of this group law to other twisted Edwards curves are out of scope.
1973 For each point P of the twisted Edwards curve E_{a,d}, the point 1974 O:=(0,1) serves as identity element, i.e., P + O = O + P = P. 1976 For each point P:=(x, y) of the twisted Edwards curve E_{a,d}, the 1977 point -P is the point (-x, y) and one has P + (-P) = O (i.e., -P is 1978 the inverse of P). 1980 Let P1:=(x1, y1) and P2:=(x2, y2) be points of the twisted Edwards 1981 curve E_{a,d} and let Q:=P1 + P2. Then Q=(x, y), where 1983 x = (x1*y2 + x2*y1)/(1 + d*x1*x2*y1*y2) and 1985 y = (y1*y2 - a*x1*x2)/(1 - d*x1*x2*y1*y2). 1987 Let P:=(x1, y1) be a point of the twisted Edwards curve E_{a,d} and 1988 let Q:=2*P. Then Q=(x, y), where 1989 x = (2*x1*y1)/(1 + d*x1^2*y1^2) and 1991 y = (y1^2 - a*x1^2)/(1 - d*x1^2*y1^2). 1993 Note that one can use the formulae for point addition for point 1994 doubling, taking inverses, and adding the identity element as well 1995 (i.e., the point addition formulae are uniform and complete (subject 1996 to our Note above)). 1998 From the group laws above (subject to our Note above) it follows that 1999 if P=(x, y), P1=(x1, y1), and P2=P=(x2, y2) are points of the twisted 2000 Edwards curve E_{a,d} with P2:=P+P1 and if x is nonzero, then the 2001 x-coordinate of P1 can be expressed in terms of the y-coordinates of 2002 P, P1, and P2, and the x-coordinate of P, since 2004 x*x1*(a-d*y*y1*y2)=y*y1-y2. 2006 (Here, observe that a-d*y*y1*y2 is nonzero per our Note above.) This 2007 property allows recovery of the x-coordinate of a point P1=k*P that 2008 is computed via the so-called Montgomery ladder, where P is an affine 2009 point with nonzero x-coordinate (i.e., it does not have order one or 2010 two). For future reference, note that the group law (subject to our 2011 Note above) uniquely determines the y-coordinate of P2 in terms of 2012 the y-coordinates of P and P1 and the product of their x-coordinates. 2013 Further details are out of scope. 2015 Appendix D. 
Relationships Between Curve Models 2017 The non-binary curves specified in Appendix A are expressed in 2018 different curve models, viz. as curves in short-Weierstrass form, as 2019 Montgomery curves, or as twisted Edwards curves. These curve models 2020 are related, as follows. 2022 D.1. Mapping between Twisted Edwards Curves and Montgomery Curves 2024 One can map points of the Montgomery curve M_{A,B} to points of the 2025 twisted Edwards curve E_{a,d}, where a:=(A+2)/B and d:=(A-2)/B and, 2026 conversely, map points of the twisted Edwards curve E_{a,d} to points 2027 of the Montgomery curve M_{A,B}, where A:=2*(a+d)/(a-d) and where 2028 B:=4/(a-d). For twisted Edwards curves we consider (i.e., those 2029 where a is a square in GF(q), whereas d is not), this defines a one- 2030 to-one correspondence, which - in fact - is an isomorphism between 2031 M_{A,B} and E_{a,d}, thereby showing that, e.g., the discrete 2032 logarithm problem in either curve model is equally hard. 2034 For the Montgomery curves and twisted Edwards curves we consider, the 2035 mapping from M_{A,B} to E_{a,d} is defined by mapping the point at 2036 infinity O and the point (0, 0) of order two of M_{A,B} to, 2037 respectively, the point (0, 1) and the point (0, -1) of order two of 2038 E_{a,d}, while mapping each other point (u, v) of M_{A,B} to the 2039 point (x,y):=(u/v,(u-1)/(u+1)) of E_{a,d}. (Note that this is well- 2040 defined, since neither (A-2)/B nor A^2-4 are squares in GF(q), so 2041 M_{A,B} has a single point of order two and no affine points (u,v) 2042 with u=-1.) The inverse mapping from E_{a,d} to M_{A,B} is defined 2043 by mapping the point (0, 1) and the point (0, -1) of order two of 2044 E_{a,d} to, respectively, the point at infinity O and the point (0, 2045 0) of order two of M_{A,B}, while each other point (x, y) of E_{a,d} 2046 is mapped to the point (u,v):=((1+y)/(1-y),(1+y)/((1-y)*x)) of 2047 M_{A,B}. 
(Note that this is well-defined, since for points (x,y) of 2048 E_{a,d}, x=0 only if y=(+/-)1.) 2050 Implementations may take advantage of this mapping to carry out 2051 elliptic curve group operations originally defined for a twisted 2052 Edwards curve on the corresponding Montgomery curve, or vice-versa, 2053 and translating the result back to the original curve, thereby 2054 potentially allowing code reuse. 2056 D.2. Mapping between Montgomery Curves and Weierstrass Curves 2058 One can map points of the Montgomery curve M_{A,B} to points of the 2059 Weierstrass curve W_{a,b}, where a:=(3-A^2)/(3*B^2) and 2060 b:=(2*A^3-9*A)/(27*B^3). This defines a one-to-one correspondence, 2061 which - in fact - is an isomorphism between M_{A,B} and W_{a,b}, 2062 thereby showing that, e.g., the discrete logarithm problem in either 2063 curve model is equally hard. 2065 The mapping from M_{A,B} to W_{a,b} is defined by mapping the point 2066 at infinity O of M_{A,B} to the point at infinity O of W_{a,b}, while 2067 mapping each other point (u,v) of M_{A,B} to the point 2068 (X,Y):=((u+A/3)/B,v/B) of W_{a,b}. 2070 Note that not all Weierstrass curves can be mapped to Montgomery 2071 curves, since the latter have a point of order two and the former may 2072 not. In particular, if a Weierstrass curve has prime order, such as 2073 is the case with the so-called NIST prime curves, this inverse 2074 mapping is not defined. 2076 If the Weierstrass curve W_{a,b} has a point (alpha,0) of order two 2077 and c:=a+3*(alpha)^2 is a square in GF(q), one can map points of this 2078 curve to points of the Montgomery curve M_{A,B}, where A:=3*alpha/ 2079 gamma and B:=1/gamma and where gamma is any square root of c. In 2080 this case, the mapping from W_{a,b} to M_{A,B} is defined by mapping 2081 the point at infinity O of W_{a,b} to the point at infinity O of 2082 M_{A,B}, while mapping each other point (X,Y) of W_{a,b} to the point 2083 (u,v):=((X-alpha)/gamma,Y/gamma) of M_{A,B}. 
As before, this defines 2084 a one-to-one correspondence, which - in fact - is an isomorphism 2085 between W_{a,b} and M_{A,B}. It is easy to see that the mapping from 2086 W_{a,b} to M_{A,B} and that from M_{A,B} to W_{a,b} (if defined) are 2087 each other's inverse. 2089 This mapping can be used to implement elliptic curve group operations 2090 originally defined for a twisted Edwards curve or for a Montgomery 2091 curve using group operations for the corresponding elliptic curve in 2092 short-Weierstrass form and translating the result back to the 2093 original curve, thereby potentially allowing code reuse. 2095 Note that implementations for elliptic curves with short-Weierstrass 2096 form that hard-code the domain parameter a to a= -3 (which value is 2097 known to allow more efficient implementations) cannot always be used 2098 this way, since the curve W_{a,b} resulting from an isomorphic 2099 mapping cannot always be expressed as a Weierstrass curve with a=-3 2100 via a coordinate transformation. For more details, see Appendix F. 2102 D.3. Mapping between Twisted Edwards Curves and Weierstrass Curves 2104 One can map points of the twisted Edwards curve E_{a,d} to points of 2105 the Weierstrass curve W_{a,b}, via function composition, where one 2106 uses the isomorphic mapping between twisted Edwards curves and 2107 Montgomery curves of Appendix D.1 and the one between Montgomery and 2108 Weierstrass curves of Appendix D.2. Obviously, one can use function 2109 composition (now using the respective inverses - if these exist) to 2110 realize the inverse of this mapping. 2112 Appendix E. Curve25519 and Cousins 2114 This section introduces curves related to Curve25519 and explains 2115 their relationships. 2117 E.1. Curve Definition and Alternative Representations 2119 The elliptic curve Curve25519 is the Montgomery curve M_{A,B} defined 2120 over the prime field GF(p), with p:=2^{255}-19, where A:=486662 and 2121 B:=1. 
This curve has order h*n, where h=8 and where n is a prime number. For this curve, A^2-4 is not a square in GF(p), whereas A+2 is. The quadratic twist of this curve has order h1*n1, where h1=4 and where n1 is a prime number. For this curve, the base point is the point (Gu, Gv), where Gu=9 and where Gv is an odd integer in the interval [0, p-1].

This curve has the same group structure as (is "isomorphic" to) the twisted Edwards curve E_{a,d} defined over GF(p), with as base point the point (Gx, Gy), where parameters are as specified in Appendix E.3. This curve is denoted as Edwards25519. For this curve, the parameter a is a square in GF(p), whereas d is not, so the group laws of Appendix C.3 apply.

The curve is also isomorphic to the elliptic curve W_{a,b} in short-Weierstrass form defined over GF(p), with as base point the point (GX, GY), where parameters are as specified in Appendix E.3. This curve is denoted as Wei25519. For this curve, the parameter b is a square in GF(p). (For future reference, we note that this curve has no affine points with x-coordinate -1.)

E.2. Switching between Alternative Representations

Each affine point (u, v) of Curve25519 corresponds to the point (X, Y):=(u + A/3, v) of Wei25519, while the point at infinity of Curve25519 corresponds to the point at infinity of Wei25519. (Here, we used the mappings of Appendix D.2 and that B=1.) Under this mapping, the base point (Gu, Gv) of Curve25519 corresponds to the base point (GX, GY) of Wei25519. The inverse mapping maps the affine point (X, Y) of Wei25519 to (u, v):=(X - A/3, Y) of Curve25519, while mapping the point at infinity of Wei25519 to the point at infinity of Curve25519. Note that this mapping involves a simple shift of the first coordinate and can be implemented via integer-only arithmetic as a shift of delta for the isomorphic mapping and a shift of -delta for its inverse, where delta:=(p+A)/3 is the integer defined by

   delta  19298681539552699237261830834781317975544997444273427339909597334652188435537
          (=0x2aaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaad2451).

(Note that, depending on the implementation details of the field arithmetic, one may have to shift the result by +p or -p if this integer is not in the interval [0,p-1].)

The curve Edwards25519 is isomorphic to the curve Curve25519, where the base point (Gu, Gv) of Curve25519 corresponds to the base point (Gx,Gy) of Edwards25519 and where the point at infinity and the point (0,0) of order two of Curve25519 correspond to, respectively, the point (0, 1) and the point (0, -1) of order two of Edwards25519 and where each other point (u, v) of Curve25519 corresponds to the point (c*u/v, (u-1)/(u+1)) of Edwards25519, where c is the element of GF(p) defined by

   c  sqrt(-(A+2)/B)
      (=51042569399160536130206135233146329284152202253034631822681833788666877215207)
      (=0x70d9120b 9f5ff944 2d84f723 fc03b081 3a5e2c2e b482e57d 3391fb55 00ba81e7).

(Here, we used the mapping of Appendix D.1 and normalized this using the mapping of Appendix F.1 (where the element s of that appendix is set to c above).) The inverse mapping from Edwards25519 to Curve25519 is defined by mapping the point (0, 1) and the point (0, -1) of order two of Edwards25519 to, respectively, the point at infinity and the point (0,0) of order two of Curve25519 and having each other point (x, y) of Edwards25519 correspond to the point ((1 + y)/(1 - y), c*(1 + y)/((1-y)*x)) of Curve25519.
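The following Python code is an added illustration and is not part of this draft. It implements the two mappings just described (Curve25519 to Wei25519 via the shift by delta, per Appendix D.2, and Curve25519 to Edwards25519 via the constant c, per Appendix D.1) together with the affine group laws of Appendices C.1 and C.2, and checks them against the domain parameters listed in Appendix E.3: the computed a and b of Wei25519, the image of (Gu, Gv) under both mappings, and the integer-shift identity GX = Gu + delta. It also performs one Curve25519 point addition on Wei25519 and translates the sum back, the code-reuse pattern of Appendix D.2, and compares it with the direct Montgomery law. Encoding the point at infinity as None and the helper names (hx, inv, on_mont, add_via_wei, and so on) are this example's own choices.

```python
# Added example, not part of the draft: the Appendix E.2 mappings between
# Curve25519, Wei25519 and Edwards25519, checked against the Appendix E.3
# parameters, plus a Curve25519 addition done on Wei25519 (Appendix C.1 law)
# and translated back, next to the direct Appendix C.2 law for comparison.
p = 2**255 - 19
inv = lambda x: pow(x % p, p - 2, p)           # field inverse (x != 0 mod p)
hx = lambda s: int(s.replace(" ", ""), 16)    # parse the draft's spaced hex

# Curve25519 = M_{A,B} with base point (Gu, Gv), from Appendix E.3.
A, B, Gu = 486662, 1, 9
Gv = hx("20ae19a1 b8a086b4 e01edd2c 7748d14c 923d4d7e 6d7c61b2 29e9c5a2 7eced3d9")
DELTA = (p + A) // 3    # the integer shift (p+A)/3 of Appendix E.2 (= A/3 mod p)

# Wei25519 values listed in Appendix E.3; weierstrass_params() must reproduce them.
WEI_A = hx("2aaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaa98 4914a144")
WEI_B = hx("7b425ed0 97b425ed 097b425e d097b425 ed097b42 5ed097b4 260b5e9c 7710c864")
GX = hx("2aaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaad245a")

# Edwards25519 = E_{-1,d} with base point (Gx, Gy), and the constant c of E.2.
ED_D = -121665 * inv(121666) % p
EGx = hx("216936d3 cd6e53fe c0a4e231 fdd6dc5c 692cc760 9525a7b2 c9562d60 8f25d51a")
EGy = 4 * inv(5) % p
C = hx("70d9120b 9f5ff944 2d84f723 fc03b081 3a5e2c2e b482e57d 3391fb55 00ba81e7")

def weierstrass_params():
    """Appendix D.2: a:=(3-A^2)/(3*B^2), b:=(2*A^3-9*A)/(27*B^3)."""
    return (3 - A * A) * inv(3 * B * B) % p, (2 * A**3 - 9 * A) * inv(27 * B**3) % p

def mont_to_wei(pt):
    """(u,v) -> ((u+A/3)/B, v/B); None encodes the point at infinity O."""
    if pt is None: return None
    return (pt[0] + A * inv(3)) * inv(B) % p, pt[1] * inv(B) % p

def wei_to_mont(pt):
    """Inverse of mont_to_wei: (X,Y) -> (X*B - A/3, Y*B)."""
    if pt is None: return None
    return (pt[0] * B - A * inv(3)) % p, pt[1] * B % p

def mont_to_edwards(pt):
    """E.2: O -> (0,1); (0,0) -> (0,-1); other (u,v) -> (c*u/v, (u-1)/(u+1))."""
    if pt is None: return 0, 1
    u, v = pt
    if (u, v) == (0, 0): return 0, p - 1
    return C * u * inv(v) % p, (u - 1) * inv(u + 1) % p

def edwards_to_mont(pt):
    """E.2 inverse: (x,y) -> ((1+y)/(1-y), c*(1+y)/((1-y)*x)), special points apart."""
    x, y = pt
    if (x, y) == (0, 1): return None
    if (x, y) == (0, p - 1): return 0, 0
    u = (1 + y) * inv(1 - y) % p
    return u, C * u * inv(x) % p

def on_mont(pt):             # B*v^2 = u^3 + A*u^2 + u
    return pt is None or (B * pt[1]**2 - pt[0]**3 - A * pt[0]**2 - pt[0]) % p == 0

def on_wei(pt, a, b):        # Y^2 = X^3 + a*X + b
    return pt is None or (pt[1]**2 - pt[0]**3 - a * pt[0] - b) % p == 0

def on_edwards(pt):          # -x^2 + y^2 = 1 + d*x^2*y^2
    x, y = pt
    return (-x * x + y * y - 1 - ED_D * x * x * y * y) % p == 0

def wei_add(P1, P2, a):
    """Chord-and-tangent law of Appendix C.1 on affine points (O is None)."""
    if P1 is None or P2 is None: return P2 if P1 is None else P1
    (X1, Y1), (X2, Y2) = P1, P2
    if X1 == X2:
        if (Y1 + Y2) % p == 0: return None         # P2 = -P1, so Q = O
        lam = (3 * X1 * X1 + a) * inv(2 * Y1) % p  # tangent slope (doubling)
    else:
        lam = (Y2 - Y1) * inv(X2 - X1) % p         # chord slope
    X = (lam * lam - X1 - X2) % p                  # X + X1 + X2 = lambda^2
    return X, (lam * (X1 - X) - Y1) % p            # Y + Y1 = lambda*(X1 - X)

def mont_add(P1, P2):
    """Group law of Appendix C.2 on affine points of M_{A,B} (O is None)."""
    if P1 is None or P2 is None: return P2 if P1 is None else P1
    (u1, v1), (u2, v2) = P1, P2
    if u1 == u2:
        if (v1 + v2) % p == 0: return None
        lam = (3 * u1 * u1 + 2 * A * u1 + 1) * inv(2 * B * v1) % p
    else:
        lam = (v2 - v1) * inv(u2 - u1) % p
    u = (B * lam * lam - A - u1 - u2) % p          # u + u1 + u2 = B*lambda^2 - A
    return u, (lam * (u1 - u) - v1) % p

def add_via_wei(P1, P2):
    """Appendix D.2 reuse pattern: add on Wei25519, translate the sum back."""
    a, _ = weierstrass_params()
    return wei_to_mont(wei_add(mont_to_wei(P1), mont_to_wei(P2), a))
```

Running weierstrass_params() reproduces the a and b of Wei25519 given in Appendix E.3, mont_to_wei((Gu, Gv)) returns (GX, GY) with GX equal to Gu + delta as integers, and mont_to_edwards((Gu, Gv)) returns (Gx, Gy) of Edwards25519; add_via_wei(G, 2G) agrees with mont_add(G, 2G), which is the isomorphism property the text relies on. Note that the affine formulas above need a field inversion per operation; the draft's remark that switching representations costs only a few multiplications refers to projective coordinates, which this example does not use.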
The curve Edwards25519 is isomorphic to the Weierstrass curve Wei25519, where the base point (Gx, Gy) of Edwards25519 corresponds to the base point (GX,GY) of Wei25519 and where the identity element (0,1) and the point (0,-1) of order two of Edwards25519 correspond to, respectively, the point at infinity O and the point (A/3, 0) of order two of Wei25519 and where each other point (x, y) of Edwards25519 corresponds to the point (X, Y):=((1+y)/(1-y)+A/3, c*(1+y)/((1-y)*x)) of Wei25519, where c was defined before. (Here, we used the mapping of Appendix D.3.) The inverse mapping from Wei25519 to Edwards25519 is defined by mapping the point at infinity O and the point (A/3, 0) of order two of Wei25519 to, respectively, the identity element (0,1) and the point (0,-1) of order two of Edwards25519 and having each other point (X, Y) of Wei25519 correspond to the point (c*(X-A/3)/Y, (X-A/3-1)/(X-A/3+1)) of Edwards25519.

Note that these mappings can be easily realized if points are represented in projective coordinates, using a few field multiplications only, thus allowing switching between alternative curve representations with negligible relative incremental cost.

E.3. Domain Parameters

The parameters of the Montgomery curve and the corresponding isomorphic curves in twisted Edwards curve and short-Weierstrass form are as indicated below. Here, the domain parameters of the Montgomery curve Curve25519 and of the twisted Edwards curve Edwards25519 are as specified in [RFC7748]; the domain parameters of Wei25519 are "new".
General parameters (for all curve models):

   p    2^{255}-19
        (=0x7fffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffed)

   h    8

   n    7237005577332262213973186563042994240857116359379907606001950938285454250989
        (=2^{252} + 0x14def9de a2f79cd6 5812631a 5cf5d3ed)

   h1   4

   n1   14474011154664524427946373126085988481603263447650325797860494125407373907997
        (=2^{253} - 0x29bdf3bd 45ef39ac b024c634 b9eba7e3)

Montgomery curve-specific parameters (for Curve25519):

   A    486662 (=0x076d06)

   B    1 (=0x01)

   Gu   9 (=0x09)

   Gv   14781619447589544791020593568409986887264606134616475288964881837755586237401
        (=0x20ae19a1 b8a086b4 e01edd2c 7748d14c 923d4d7e 6d7c61b2 29e9c5a2 7eced3d9)

Twisted Edwards curve-specific parameters (for Edwards25519):

   a    -1 (-0x01)

   d    -121665/121666 = - (A-2)/(A+2)
        (=37095705934669439343138083508754565189542113879843219016388785533085940283555)
        (=0x52036cee 2b6ffe73 8cc74079 7779e898 00700a4d 4141d8ab 75eb4dca 135978a3)

   Gx   15112221349535400772501151409588531511454012693041857206046113283949847762202
        (=0x216936d3 cd6e53fe c0a4e231 fdd6dc5c 692cc760 9525a7b2 c9562d60 8f25d51a)

   Gy   4/5
        (=46316835694926478169428394003475163141307993866256225615783033603165251855960)
        (=0x66666666 66666666 66666666 66666666 66666666 66666666 66666666 66666658)

Weierstrass curve-specific parameters (for Wei25519):

   a    19298681539552699237261830834781317975544997444273427339909597334573241639236
        (=0x2aaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaa98 4914a144)

   b    55751746669818908907645289078257140818241103727901012315294400837956729358436
        (=0x7b425ed0 97b425ed 097b425e d097b425 ed097b42 5ed097b4 260b5e9c 7710c864)

   GX   19298681539552699237261830834781317975544997444273427339909597334652188435546
        (=0x2aaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaad245a)

   GY   14781619447589544791020593568409986887264606134616475288964881837755586237401
        (=0x20ae19a1 b8a086b4 e01edd2c 7748d14c 923d4d7e 6d7c61b2 29e9c5a2 7eced3d9)

Appendix F. Further Mappings

The non-binary curves specified in Appendix A are expressed in different curve models, viz. as curves in short-Weierstrass form, as Montgomery curves, or as twisted Edwards curves. In Appendix D we already described relationships between these various curve models. Further mappings exist between elliptic curves within the same curve model. These can be exploited to force some of the domain parameters to specific values that allow for a more efficient implementation of the addition formulae.

F.1. Isomorphic Mapping between Twisted Edwards Curves

One can map points of the twisted Edwards curve E_{a,d} to points of the twisted Edwards curve E_{a',d'}, where a:=a'*s^2 and d:=d'*s^2 for some nonzero element s of GF(q). This defines a one-to-one correspondence, which - in fact - is an isomorphism between E_{a,d} and E_{a',d'}.

The mapping from E_{a,d} to E_{a',d'} is defined by mapping the point (x,y) of E_{a,d} to the point (x', y'):=(s*x, y) of E_{a',d'}. The inverse mapping from E_{a',d'} to E_{a,d} is defined by mapping the point (x', y') of E_{a',d'} to the point (x, y):=(x'/s, y') of E_{a,d}.

Implementations may take advantage of this mapping to carry out elliptic curve group operations originally defined for a twisted Edwards curve with generic domain parameters a and d on a corresponding isomorphic twisted Edwards curve with domain parameters a' and d' that have a more special form and that are known to allow for more efficient implementations of addition laws and translating the result back to the original curve.
In particular, it is known that such efficiency improvements exist if a':=(+/-)1 (see [tEd-Formulas]).

F.2. Isomorphic Mapping between Montgomery Curves

One can map points of the Montgomery curve M_{A,B} to points of the Montgomery curve M_{A',B'}, where A:=A' and B:=B'*s^2 for some nonzero element s of GF(q). This defines a one-to-one correspondence, which - in fact - is an isomorphism between M_{A,B} and M_{A',B'}.

The mapping from M_{A,B} to M_{A',B'} is defined by mapping the point at infinity O of M_{A,B} to the point at infinity O of M_{A',B'}, while mapping each other point (u,v) of M_{A,B} to the point (u', v'):=(u, s*v) of M_{A',B'}. The inverse mapping from M_{A',B'} to M_{A,B} is defined by mapping the point at infinity O of M_{A',B'} to the point at infinity O of M_{A,B}, while mapping each other point (u',v') of M_{A',B'} to the point (u,v):=(u',v'/s) of M_{A,B}.

One can also map points of the Montgomery curve M_{A,B} to points of the Montgomery curve M_{A',B'}, where A':=-A and B':=-B. This defines a one-to-one correspondence, which - in fact - is an isomorphism between M_{A,B} and M_{A',B'}.

In this case, the mapping from M_{A,B} to M_{A',B'} is defined by mapping the point at infinity O of M_{A,B} to the point at infinity O of M_{A',B'}, while mapping each other point (u,v) of M_{A,B} to the point (u',v'):=(-u,v) of M_{A',B'}. The inverse mapping from M_{A',B'} to M_{A,B} is defined by mapping the point at infinity O of M_{A',B'} to the point at infinity O of M_{A,B}, while mapping each other point (u',v') of M_{A',B'} to the point (u,v):=(-u',v') of M_{A,B}.

Implementations may take advantage of these mappings to carry out elliptic curve group operations originally defined for a Montgomery curve with generic domain parameters A and B on a corresponding isomorphic Montgomery curve with domain parameters A' and B' that have a more special form and that are known to allow for more efficient implementations of addition laws and translating the result back to the original curve. In particular, it is known that such efficiency improvements exist if B' assumes a small absolute value, such as B':=(+/-)1 (see [Mont-Ladder]).

F.3. Isomorphic Mapping between Weierstrass Curves

One can map points of the Weierstrass curve W_{a,b} to points of the Weierstrass curve W_{a',b'}, where a':=a*s^4 and b':=b*s^6 for some nonzero element s of GF(q). This defines a one-to-one correspondence, which - in fact - is an isomorphism between W_{a,b} and W_{a',b'}.

The mapping from W_{a,b} to W_{a',b'} is defined by mapping the point at infinity O of W_{a,b} to the point at infinity O of W_{a',b'}, while mapping each other point (X,Y) of W_{a,b} to the point (X',Y'):=(X*s^2, Y*s^3) of W_{a',b'}. The inverse mapping from W_{a',b'} to W_{a,b} is defined by mapping the point at infinity O of W_{a',b'} to the point at infinity O of W_{a,b}, while mapping each other point (X', Y') of W_{a',b'} to the point (X,Y):=(X'/s^2,Y'/s^3) of W_{a,b}.

Implementations may take advantage of this mapping to carry out elliptic curve group operations originally defined for a Weierstrass curve with generic domain parameters a and b on a corresponding isomorphic Weierstrass curve with domain parameters a' and b' that have a more special form and that are known to allow for more efficient implementations of addition laws and translating the result back to the original curve. In particular, it is known that such efficiency improvements exist if a'=-3 (mod p), where p is the characteristic of GF(q), and one uses so-called Jacobian coordinates with a particular projective version of the addition laws of Appendix C.1. While not all Weierstrass curves can be put into this form, all traditional NIST curves have domain parameter a=-3, while all Brainpool curves [RFC5639] are isomorphic to a Weierstrass curve of this form via the above mapping.

Note that implementations for elliptic curves with short-Weierstrass form that hard-code the domain parameter a to a=-3 cannot always be used this way, since the curve W_{a,b} cannot always be expressed in terms of a Weierstrass curve with a'=-3 via a coordinate transformation: this only holds if a'/a is a fourth power in GF(q) (see Section 3.1.5 of [GECC]). However, even in this case, one can still express the curve W_{a,b} as a Weierstrass curve with a small domain parameter value a', thereby still allowing a more efficient implementation than with a general domain parameter value a.

F.4. Isogenous Mapping between Weierstrass Curves

One can still map points of the Weierstrass curve W_{a,b} to points of the Weierstrass curve W_{a',b'}, where a':=-3 (mod p) and where p is the characteristic of GF(q), even if a'/a is not a fourth power in GF(q). In that case, this mapping cannot be an isomorphism (see Appendix F.3). Instead, the mapping is a so-called isogeny (or homomorphism). Since most elliptic curve operations process points of prime order or use so-called "co-factor multiplication", in practice the resulting mapping has similar properties as an isomorphism. In particular, one can still take advantage of this mapping to carry out elliptic curve group operations originally defined for a Weierstrass curve with domain parameter a unequal to -3 (mod p) on a corresponding isogenous Weierstrass curve with domain parameter a'=-3 (mod p) and translating the result back to the original curve.

In this case, the mapping from W_{a,b} to W_{a',b'} is defined by mapping the point at infinity O of W_{a,b} to the point at infinity O of W_{a',b'}, while mapping each other point (X,Y) of W_{a,b} to the point (X',Y'):=(u(X)/w(X)^2,Y*v(X)/w(X)^3) of W_{a',b'}. Here, u(X), v(X), and w(X) are polynomials in X that depend on the isogeny in question, as do domain parameters a' and b'. The inverse mapping from W_{a',b'} to W_{a,b} is again an isogeny (called the dual isogeny) and defined by mapping the point at infinity O of W_{a',b'} to the point at infinity O of W_{a,b}, while mapping each other point (X', Y') of W_{a',b'} to the point (X,Y):=(u'(X')/w'(X')^2,Y'*v'(X')/w'(X')^3) of W_{a,b}, where -- again -- u'(X'), v'(X'), and w'(X') are polynomials in X' that depend on the isogeny in question. These mappings have the property that their composition is not the identity mapping (as was the case with the isomorphic mappings discussed in Appendix F.3), but rather a fixed multiple hereof: if this multiple is l then the isogeny is called an isogeny of degree l (or l-isogeny) and u, v, and w (and, similarly, u', v', and w') are polynomials of degrees l, 3*(l-1)/2, and (l-1)/2, respectively. Note that an isomorphism is simply an isogeny of degree l=1. Details of how to determine isogenies are out of the scope of this document. The above formulas assume that the isogeny has odd degree (i.e., l is odd); detailed formulas for even-degree isogenies are similar, but out of scope.

Implementations may take advantage of this mapping to carry out elliptic curve group operations originally defined for a Weierstrass curve with a generic domain parameter a on a corresponding isogenous Weierstrass curve with domain parameter a'=-3 (mod p), where one can use so-called Jacobian coordinates with a particular projective version of the addition laws of Appendix C.1. Since all traditional NIST curves have domain parameter a=-3, while all Brainpool curves [RFC5639] are isomorphic to a Weierstrass curve of this form, this allows taking advantage of existing implementations for these curves that may have a hardcoded a=-3 (mod p) domain parameter, provided one switches back and forth to this curve form using the isogenous mapping in question.

Note that isogenous mappings can be easily realized using representations in projective coordinates and involve roughly 3*l finite field multiplications, thus allowing switching between alternative representations at relatively low incremental cost compared to that of elliptic curve scalar multiplications (provided the isogeny has low degree l). Note, however, that this does require storage of the polynomial coefficients of the isogeny and dual isogeny involved. This illustrates that low-degree isogenies are to be preferred, since an l-isogeny (usually) requires storing roughly 6*l elements of GF(q). While there are many isogenies, we therefore only consider those with the desired property with lowest possible degree.

Appendix G. Further Cousins of Curve25519

This section introduces some further curves related to Curve25519 and explains their relationships.

G.1. Further Alternative Representations

The Weierstrass curve Wei25519 is isomorphic to the Weierstrass curve Wei25519.2 defined over GF(p), with as base point the pair (G2X,G2Y), and isogenous to the Weierstrass curve Wei25519.-3 defined over GF(p), with as base point the pair (G3X, G3Y), where parameters are as specified in Appendix G.3 and where the related mappings are as specified in Appendix G.2.

G.2. Further Switching

Each affine point (X, Y) of Wei25519 corresponds to the point (X', Y'):=(X*s^2,Y*s^3) of Wei25519.2, where s is the element of GF(p) defined by

   s  2034359303893561859179424737413714359839405834119394332647383197739407761440
      (=0x047f6814 6d568b44 7e4552ea a5ed633d 02d62964 a2b0a120 5e7941e9 375de020),

while the point at infinity of Wei25519 corresponds to the point at infinity of Wei25519.2. (Here, we used the mapping of Appendix F.3.) Under this mapping, the base point (GX, GY) of Wei25519 corresponds to the base point (G2X,G2Y) of Wei25519.2. The inverse mapping maps the affine point (X', Y') of Wei25519.2 to (X,Y):=(X'/s^2,Y'/s^3) of Wei25519, while mapping the point at infinity O of Wei25519.2 to the point at infinity O of Wei25519. Note that this mapping (and its inverse) involves a modular multiplication of both coordinates with fixed constants s^2 and s^3 (respectively, 1/s^2 and 1/s^3), which can be precomputed.
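The following Python code is an added illustration and is not part of this draft. It applies the Appendix F.3 isomorphism with the constant s above to Wei25519 and checks that it yields a'=2, the b' and the base point (G2X, G2Y) of Wei25519.2 listed in Appendix G.3, with the four fixed constants s^2, s^3, 1/s^2 and 1/s^3 precomputed as the text suggests. It also implements the fourth-power criterion of Appendix F.3, which decides whether a given target value of a (such as -3) is reachable by an isomorphism at all; for Wei25519 and a'=-3 it is not, which is why the next paragraph and Appendix G.3 use an isogeny for Wei25519.-3 instead. The Wei25519 constants are taken from Appendix E.3; the helper names (hx, inv, scaled_params, reachable_a, and so on) are this example's own.

```python
# Added example, not part of the draft: the Appendix F.3 isomorphism
# W_{a,b} -> W_{a*s^4, b*s^6}, applied as in Appendix G.2 to take Wei25519 to
# Wei25519.2 (a'=2), and the fourth-power test of Appendix F.3 that decides
# whether a given target value of a can be reached by such an isomorphism.
p = 2**255 - 19
inv = lambda x: pow(x % p, p - 2, p)           # field inverse (x != 0 mod p)
hx = lambda s: int(s.replace(" ", ""), 16)    # parse the draft's spaced hex

# Wei25519 domain parameters and base point (Appendix E.3).
WEI_A = hx("2aaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaa98 4914a144")
WEI_B = hx("7b425ed0 97b425ed 097b425e d097b425 ed097b42 5ed097b4 260b5e9c 7710c864")
GX = hx("2aaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaad245a")
GY = hx("20ae19a1 b8a086b4 e01edd2c 7748d14c 923d4d7e 6d7c61b2 29e9c5a2 7eced3d9")

# The constant s of Appendix G.2 and the Wei25519.2 values of Appendix G.3.
S = hx("047f6814 6d568b44 7e4552ea a5ed633d 02d62964 a2b0a120 5e7941e9 375de020")
B2 = hx("1ac1da05 b55bc146 33bd39e4 7f94302e f19843dc f669916f 6a5dfd01 65538cd1")
G2X = hx("17cfeac3 78aed661 318e8634 582275b6 d9ad4def 072ea193 5ee3c4e8 7a940ffa")
G2Y = hx("0c08a952 c55dfad6 2c4f13f1 a8f68dca dc5c331d 297a37b6 f0d7fdcc 51e16b4d")

def scaled_params(a, b, s):
    """Parameters of the isomorphic curve W_{a',b'}: a':=a*s^4, b':=b*s^6."""
    return a * pow(s, 4, p) % p, b * pow(s, 6, p) % p

def precompute(s):
    """The fixed constants an implementation stores once: s^2, s^3, 1/s^2, 1/s^3."""
    s2, s3 = pow(s, 2, p), pow(s, 3, p)
    return s2, s3, inv(s2), inv(s3)

def to_scaled(pt, s):
    """(X,Y) -> (X*s^2, Y*s^3); None encodes the point at infinity O."""
    if pt is None: return None
    s2, s3, _, _ = precompute(s)
    return pt[0] * s2 % p, pt[1] * s3 % p

def from_scaled(pt, s):
    """Inverse mapping (X',Y') -> (X'/s^2, Y'/s^3)."""
    if pt is None: return None
    _, _, is2, is3 = precompute(s)
    return pt[0] * is2 % p, pt[1] * is3 % p

def on_wei(pt, a, b):        # Y^2 = X^3 + a*X + b
    return pt is None or (pt[1]**2 - pt[0]**3 - a * pt[0] - b) % p == 0

def is_fourth_power(x):
    """For p = 2^255-19 we have 4 | p-1, so a nonzero x is a fourth power in
    GF(p) iff x^((p-1)/4) = 1 (the fourth powers form the subgroup of index 4)."""
    return pow(x % p, (p - 1) // 4, p) == 1

def reachable_a(a, a_target):
    """Appendix F.3 criterion: W_{a,b} is isomorphic via this mapping to some
    curve with parameter a_target iff a_target/a is a fourth power in GF(q)."""
    return is_fourth_power(a_target * inv(a))

def switch_and_back(pt, s):
    """Round trip Wei25519 -> Wei25519.2 -> Wei25519; each direction costs two
    multiplications per affine point once the constants are precomputed."""
    return from_scaled(to_scaled(pt, s), s)
```

scaled_params(WEI_A, WEI_B, S) returns (2, b') with b' equal to the Wei25519.2 value in Appendix G.3, and to_scaled((GX, GY), S) returns (G2X, G2Y). reachable_a(WEI_A, 2) is true, while reachable_a(WEI_A, p - 3) is false: no choice of s turns Wei25519 into a curve with a=-3, so an implementation that hard-codes a=-3 can only be reused through the degree-47 isogeny to Wei25519.-3 described next.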
Each affine point (X,Y) of Wei25519 corresponds to the point (X',Y'):=(X1*t^2,Y1*t^3) of Wei25519.-3, where (X1,Y1)=(u(X)/w(X)^2,Y*v(X)/w(X)^3), where u, v, and w are the polynomials with coefficients in GF(p) as defined in Appendix G.4.1 and where t is the element of GF(p) defined by

   t  35728133398289175649586938605660542688691615699169662967154525084644181596229
      (=0x4efd6829 88ff8526 e189f712 5999550c e9ef729b ed1a7015 73b1bab8 8bfcd845),

while the point at infinity of Wei25519 corresponds to the point at infinity of Wei25519.-3. (Here, we used the isogenous mapping of Appendix F.4.) Under this isogenous mapping, the base point (GX,GY) of Wei25519 corresponds to the base point (G3X,G3Y) of Wei25519.-3. The dual isogeny maps the affine point (X',Y') of Wei25519.-3 to the affine point (X,Y):=(u'(X1)/w'(X1)^2,Y1*v'(X1)/w'(X1)^3) of Wei25519, where (X1,Y1)=(X'/t^2,Y'/t^3) and where u', v', and w' are the polynomials with coefficients in GF(p) as defined in Appendix G.4.2, while mapping the point at infinity O of Wei25519.-3 to the point at infinity O of Wei25519. Under this dual isogenous mapping, the base point (G3X, G3Y) of Wei25519.-3 corresponds to a multiple of the base point (GX, GY) of Wei25519, where this multiple is l=47 (the degree of the isogeny; see the description in Appendix F.4). Note that this isogenous map (and its dual) primarily involves the evaluation of three fixed polynomials involving the x-coordinate, which takes roughly 140 modular multiplications (or less than 5-10% relative incremental cost compared to the cost of an elliptic curve scalar multiplication).

G.3. Further Domain Parameters

The parameters of the Weierstrass curve with a=2 that is isomorphic with Wei25519 and the parameters of the Weierstrass curve with a=-3 that is isogenous with Wei25519 are as indicated below. Both domain parameter sets can be exploited directly to derive more efficient point addition formulae, should an implementation facilitate this.

General parameters: same as for Wei25519 (see Appendix E.3)

Weierstrass curve-specific parameters (for Wei25519.2, i.e., with a=2):

   a    2 (=0x02)

   b    12102640281269758552371076649779977768474709596484288167752775713178787220689
        (=0x1ac1da05 b55bc146 33bd39e4 7f94302e f19843dc f669916f 6a5dfd01 65538cd1)

   G2X  10770553138368400518417020196796161136792368198326337823149502681097436401658
        (=0x17cfeac3 78aed661 318e8634 582275b6 d9ad4def 072ea193 5ee3c4e8 7a940ffa)

   G2Y  5443057586150840565309866898445752861680710333250257752116143977388639873869
        (=0x0c08a952 c55dfad6 2c4f13f1 a8f68dca dc5c331d 297a37b6 f0d7fdcc 51e16b4d)

Weierstrass curve-specific parameters (for Wei25519.-3, i.e., with a=-3):

   a    -3
        (=0x7fffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffea)

   b    29689592517550930188872794512874050362622433571298029721775200646451501277098
        (=0x41a3b6bf c668778e be2954a4 b1df36d1 485ecef1 ea614295 796e1022 40891faa)

   G3X  53837179229940872434942723257480777370451127212339198133697207846219400243292
        (=0x7706c37b 5a84128a 3884a5d7 1811f1b5 5da3230f fb17a8ab 0b32e48d 31a6685c)

   G3Y  6954807309110018441440205552927997039251486742285514177307080418460388229929
        (=0x0f60480c 7a5c0e11 40340adc 79d6a2bf 0cb57ad0 49d025dc 38d80c77 985f0329)

G.4. Isogeny Details

The isogeny and dual isogeny are both isogenies with degree l=47. Both are specified by a triple of polynomials u, v, and w (resp. u', v', and w') of degree 47, 69, and 23, respectively, with coefficients in GF(p). The coefficients of each of these polynomials are specified in Appendix G.4.1 (for the isogeny) and in Appendix G.4.2 (for the dual isogeny).
For each polynomial in variable x, the coefficients are tabulated as the sequence of coefficients of x^0, x^1, x^2, ..., in hexadecimal format.

G.4.1. Isogeny Parameters

G.4.1.1. Coefficients of u(x)

   0   0x670ed14828b6f1791ceb3a9cc0edfe127dee8729c5a72ddf77bb1abaebbba1e8
   1   0x1135ca8bd5383cb3545402c8bce2ced14b45c29b241e4751b035f27524a9f932
   2   0x3223806ff5f669c430efd74df8389f058d180e2fcffa5cdef3eacecdd2c34771
   3   0x31b8fecf3f17a819c228517f6cd9814466c8c8bea2efccc47a29bfc14c364266
   4   0x2541305c958c5a326f44efad2bec284e7abee840fadb08f2d994cd382fd8ce42
   5   0x6e6f9c5792f3ff497f860f44a9c469cec42bd711526b733e10915be5b2dbd8c6
   6   0x3e9ad2e5f594b9ce6b06d4565891d28a1be8790000b396ef0bf59215d6cabfde
   7   0x278448895d236403bbc161347d19c913e7df5f372732a823ed807ee1d30206be
   8   0x42f9d171ea8dc2f4a14ea46cc0ee54967175ecfe83a975137b753cb127c35060
   9   0x128e40efa2d3ccb51567e73bae91e7c31eac45700fa13ce5781cbe5ddc985648
   10  0x450e5086c065430b496d88952dd2d5f2c5102bc27074d4d1e98bfa47413e0645
   11  0x487ef93da70dfd44a4db8cb41542e33d1aa32237bdca3a59b3ce1c59585f253d
   12  0x33d209270026b1d2db96efb36cc2fa0a49be1307f49689022eab1892b010b785
   13  0x4732b5996a20ebc4d5c5e2375d3b6c4b700c681bd9904343a14a0555ef0ecd48
   14  0x64dc9e8272b9f5c6ad3470db543238386f42b18cb1c592cc6caf7893141b2107
   15  0x52bbacd1f85c61ef7eafd8da27260fa2821f7a961867ed449b283036508ac5c5
   16  0x320447ed91210985e2c401cfe1a93db1379424cf748f92fd61ab5cc356bc89a2
   17  0x23d23a49bbcdf8cf4c4ce8a4ff7dd87d1ad1970317686254d5b4d2ec050d019f
   18  0x1601fca063f0bbbf15f198b3c20e474c2170294fa981f73365732d2372b40cd4
   19  0x7bf3f93840035e9688cfff402cee204a17c0de9779fc33503537dd78021bf4c4
   20  0x311998ce59fb7e1cd6af591ece3e84dfcb1c330cbcf28c0349e37b9581452853
   21  0x7ae5e41acfd28a9add2216dfed34756575a19b16984c1f3847b694326dad7f99
   22  0x704957e279244a5b107a6c57bd0ab9afe5227b7c0be2052cd3513772a40efee7
   23  0x56b918b5a0c583cb763550f8f71481e57c13bdcef2e5cfc8091d0821266f233b
   24  0x677073fed43ab291e496f798fbcf217bac3f014e35d0c2fa07f041ae746a04d7
   25  0x22225388e76f9688c7d4053b50ba41d0d8b71a2f21da8353d98472243ef50170
   26  0x66930b3dffdd3995a2502cef790d78b091c875192d8074bb5d5639f736400555
   27  0x79eb677c5e36971e8d64d56ebc0dedb4e9b7dd2d7b01343ebbd4d358d376e490
   28  0x48a204c2ca6d8636e9994842605bd648b91b637844e38d6c7dd707edce8256e2
   29  0x0fb3529b0d4b9ce2d70760f33e8ce997a58999718e9277caf48623d27ae6a788
   30  0x4352604bffd0c7d7a9ed898a2c6e7cf2512ffb89407271ba1f2c2d0ead8cc5aa
   31  0x6667697b29785fb6f0bd5e04d828991a5fe525370216f347ec767a26e7aac936
   32  0x09fc950b083c56dbd989badf9887255e203c879f123a7cb28901e50aea6d64dc
   33  0x41e51b51b5caadd1c15436bbf37596a1d7288a5f495d6b5b1ae66f8b2942b31d
   34  0x073b59fec709aa1cabd429e981c6284822a8b7b07620c831ab41fd31d5cf7430
   35  0x67e9b88e9a1bfbc2554107d67d814986f1b09c3107a060cba21c019a2d5dc848
   36  0x6881494a1066ca176c5e174713786040affb4268b19d2abf28ef4293429f89c1
   37  0x5f4d30502ff1e1ccd624e6f506569454ab771869d7483e26afc09dea0c5ccd3d
   38  0x02a814cfc5859bca51e539c159955cbe729a58978b52329575d09bc6c3bf97ad
   39  0x1313c8aaae20d6f4397f0d8b19e52cfcdf8d8e10fba144aec1778fd10ddf4e9c
   40  0x7008d38f434b98953a996d4cc79fcbef9502411dcdf92005f725cea7ce82ad47
   41  0x5a74d1296aaaa245ffb848f434531fa3ba9e5cb9098a7091d36c2777d4cf5a13
   42  0x4bd3b700606397083f8038177bdaa1ac6edbba0447537582723cae0fd29341a9
   43  0x573453fb2b093016f3368356c786519d54ed05f5372c01723b4da520597ec217
   44  0x77f5c605bdb3a30d7d9c8840fce38650910d4418eed707a212c8927f41c2c812
   45  0x16d6b9f7ff57ca32350057de1204cc6d69d4ef1b255dfef8080118e2fef6ace3
   46  0x34e8595832a4021f8b5744014c6b4f7da7df0d0329e8b6b4d44c8fadad6513b7
   47  0x01

G.4.1.2. Coefficients of v(x)

   0   0x0f9f5eb7134e6f8dafa30c45afa58d7bfc6d4e3ccbb5de87b562fd77403972b2
   1   0x36c2dcd9e88f0d2d517a15fc453a098bbbb5a05eb6e8da906fae418a4e1a13f7
   2   0x0b40078302c24fa394a834880d5bf46732ca1b4894172fb7f775821276f558b3
   3   0x53dd8e2234573f7f3f7df11e90a7bdd7b75d807f9712f521d4fb18af59aa5f26
   4   0x6d4d7bb08de9061988a8cf6ff3beb10e933d4d2fbb8872d256a38c74c8c2ceda
   5   0x71bfe5831b30e28cd0fbe1e9916ab2291c6beacc5af08e2c9165c632e61dd2f5
   6   0x7c524f4d17ff2ee88463da012fc12a5b67d7fb5bd0ab59f4bbf162d76be1c89c
   7   0x758183d5e07878d3364e3fd4c863a5dc1fe723f48c4ab4273fc034f5454d59a4
   8   0x1eb41ef2479444ecdccbc200f64bde53f434a02b6c3f485d32f14da6aa7700e1
   9   0x1490f3851f016cc3cf8a1e3c16a53317253d232ed425297531b560d70770315c
   10  0x09bc43131964e46d905c3489c9d465c3abbd26eab9371c10e429b36d4b86469c
   11  0x5f27c173d94c7a413a288348d3fc88daa0bcf5af8f436a47262050f240e9be3b
   12  0x1d20010ec741aaa393cd19f0133b35f067adab0d105babe75fe45c8ba2732ceb
   13  0x01b3c669ae49b86be2f0c946a9ff6c48e44740d7d9804146915747c3c025996a
   14  0x24c6090f79ec13e3ae454d8f0f98e0c30a8938180595f79602f2ba013b3c10db
   15  0x4650c5b5648c6c43ac75a2042048c699e44437929268661726e7182a31b1532f
   16  0x0957a835fb8bac3360b5008790e4c1f3389589ba74c8e8bf648b856ba7f22ba5
   17  0x1cd1300bc534880f95c7885d8df04a82bd54ed3e904b0749e0e3f8cb3240c7c7
   18  0x760b486e0d3c6ee0833b34b64b7ebc846055d4d1e0beeb6aedd5132399ada0ea
   19  0x1c666846c63965ef7edf519d6ada738f2b676ae38ff1f4621533373931b3220e
   20  0x365055118b38d4bc0df86648044affea2ef33e9a392ad336444e7d15e45585d1
   21  0x736487bde4b555abfccd3ea7ddcda98eda0d7c879664117dee906a88bc551194
   22  0x70de05ab9520222a37c7a84c61eedff71cb50c5f6647fc2a5d6e0ff2305cea37
   23  0x59053f6cdf6517ab3fe4bd9c9271d1892f8cf353d8041b98409e1e341a01f8b5
   24  0x375db54ed12fe8df9a198ea40200e812c2660b7022681d7932d89fafe7c6e88d
   25  0x2a070c31d1c1a064daf56c79a044bd1cd6d13f1ddb0ff039b03a6469aaa9ed77
   26
0x41482351e7f69a756a5a2c0b3fa0681c03c550341d0ca0f76c5b394db9d2de8d 2783 27 0x747ac1109c9e9368d94a302cb5a1d23fcc7f0fd8a574efb7ddcaa738297c407a 2785 28 0x45682f1f2aab6358247e364834e2181ad0448bb815c587675fb2fee5a2119064 2787 29 0x148c5bf44870dfd307317f0a0e4a8c163940bee1d2f01455a2e658aa92c13620 2789 30 0x6add1361e56ffa2d2fbbddba284b35be5845aec8069fc28af009d53290a705ce 2791 31 0x6631614c617400dc00f2c55357f67a94268e7b5369b02e55d5db46c935be3af5 2793 32 0x17cffb496c64bb89d91c8c082f4c288c3c87feabd6b08591fe5a92216c094637 2795 33 0x648ff88155969f54c955a1834ad227b93062bb191170dd8c4d759f79ad5da250 2797 34 0x73e50900b89e5f295052b97f9d0c9edb0fc7d97b7fa5e3cfeefe33dd6a9cb223 2799 35 0x6afcb2f2ffe6c08508477aa4956cbd3dc864257f5059685adf2c68d4f2338f00 2801 36 0x372fd49701954c1b8f00926a8cb4b157d4165b75d53fa0476716554bf101b74c 2802 37 0x0334ed41325f3724ff8becbf2b3443fea6d30fa543d1ca13188aceb2bdaf5f4e 2804 38 0x70e629c95a94e8e1b3974acb25e18ba42f8d5991786f0931f650c283adfe82fd 2806 39 0x738a625f4c62d3d645f1274e09ab344e72d441f3c0e82989d3e21e19212f23f3 2808 40 0x7093737294b29f21522f5664a9941c9b476f75d443b647bd2c777040bcd12a6a 2810 41 0x0a996bad5863d821ccb8b89fa329ddbe5317a46bcb32552db396bea933765436 2812 42 0x2da237e3741b75dd0264836e7ef634fc0bc36ab187ebc790591a77c257b06f53 2814 43 0x1902f3daa86fa4f430b57212924fdc9e40f09e809f3991a0b3a10ab186c50ee5 2816 44 0x12baffec1bf20c921afd3cdf67a7f1d87c00d5326a3e5c83841593c214dadcb1 2818 45 0x6460f5a68123cb9e7bc1289cd5023c0c9ccd2d98eea24484fb3825b59dcd09aa 2820 46 0x2c7d63a868ffc9f0fd034f821d84736c5bc33325ce98aba5f0d95fef6f230ec8 2822 47 0x756e0063349a702db7406984c285a9b6bfba48177950d4361d8efa77408dc860 2824 48 0x037f3e30032b21e0279738e0a2b689625447831a2ccf15c638672da9aa7255ae 2826 49 0x1107c0dbe15d6ca9e790768317a40bcf23c80f1841f03ca79dd3e3ef4ea1ae30 2828 50 0x61ff7f25721d6206041c59a788316b09e05135a2aad94d539c65daa68b302cc2 2830 51 0x5dbfe346cbd0d61b9a3b5c42ec0518d3ae81cabcc32245060d7b0cd982b8d071 2832 52 
0x4b6595e8501e9ec3e75f46107d2fd76511764efca179f69196eb45c0aa6fade3 2834 53 0x72d17a5aa7bd8a2540aa9b02d9605f2a714f44abfb4c35d518b7abc39b477870 2836 54 0x658d8c134bac37729ec40d27d50b637201abbf1ab4157316358953548c49cf22 2838 55 0x36ac53b9118581ace574d5a08f9647e6a916f92dda684a4dbc405e2646b0243f 2840 56 0x1917a98f387d1e323e84a0f02d53307b1dd949e1a27b0de14514f89d9c0ef4b6 2842 57 0x21573434fde7ce56e8777c79539479441942dba535ade8ecb77763f7eb05d797 2844 58 0x0e0bf482dc40884719bea5503422b603f3a8edb582f52838caa6eaab6eeac7ef 2846 59 0x3b0471eb53bd83e14fbc13928fe1691820349a963be8f7e9815848a53d03f5eb 2848 60 0x1e92cb067b24a729c42d3abb7a1179c577970f0ab3e6b0ce8d66c5b8f7001262 2849 61 0x74ea885c1ebed6f74964262402432ef184c42884fceb2f8dba3a9d67a1344dd7 2851 62 0x433ebce2ce9b0dc314425cfc2b234614d3c34f2c9da9fff4fdddd1ce242d035b 2853 63 0x33ac69e6be858dde7b83a9ff6f11de443128b39cec6e410e8d3b570e405ff896 2855 64 0x0dab71e2ae94e6530a501ed8cf3df26731dd1d41cd81578341e12dca3cb71aa3 2857 65 0x537f58d52d18ce5b1d5a6bd3a420e796e64173491ad43dd4d1083a7dcc7dd201 2859 66 0x49c2f6afa93fdcc4e0f8128a8b06da4c75049be14edf3e103821ab604c60f8ae 2861 67 0x10a333eabd6135aeaa3f5f5f7e73d102e4fd7e4bf0902fc55b00da235fa1ad08 2863 68 0x0f5c86044bf6032f5102e601f2a0f73c7bce9384bedd120f3e72d78484179d9c 2865 69 0x01 2867 G.4.1.3. 
Coefficients of w(x) 2869 0 0x3da24d42421264f30939ff00203880f2b017eb3fecf8933ae61e18df8c8ba116 2871 1 0x0457f20bc393cdc9a66848ce174e2fa41d77e6dbae05a317a1fb6e3ae78760f8 2873 2 0x7f608a2285c480d5c9592c435431fae94695beef79d770bb6d029c1d10a53295 2875 3 0x3832accc520a485100a0a1695792465142a5572bed1b2e50e1f8f662ac7289bb 2877 4 0x2df1b0559e31b328eb34beedd5e537c3f4d7b9befb0749f75d6d0d866d26fbaa 2879 5 0x25396820381d04015a9f655ddd41c74303ded05d54a7750e2f58006659adda28 2881 6 0x6fa070a70ca2bc6d4d0795fb28d4990b2cc80cd72d48b603a8ac8c8268bef6a6 2883 7 0x27f488578357388b20fbc7503328e1d10de602b082b3c7b8ceb33c29fea7a0d2 2885 8 0x15776851a7cabcfe84c632118306915c0c15c75068a47021968c7438d46076e6 2887 9 0x101565b08a9af015c172fb194b940a4df25c4fb1d85f72d153efc79131d45e8f 2889 10 0x196b0ffbf92f3229fea1dac0d74591b905ccaab6b83f905ee813ee8449f8a62c 2891 11 0x01f55784691719f765f04ee9051ec95d5deb42ae45405a9d87833855a6d95a94 2893 12 0x628858f79cca86305739d084d365d5a9e56e51a4485d253ae3f2e4a379fa8aff 2895 13 0x4a842dcd943a80d1e6e1dab3622a8c4d390da1592d1e56d1c14c4d3f72dd01a5 2896 14 0x0f3bfc9cb17a1125f94766a4097d0f1018963bc11cb7bc0c7a1d94d65e282477 2898 15 0x1c4bd70488c4882846500691fa7543b7ef694446d9c3e3b4707ea2c99383e53c 2900 16 0x2d7017e47b24b89b0528932c4ade43f09091b91db0072e6ebdc5e777cb215e35 2902 17 0x781d69243b6c86f59416f91f7decaca93eab9cdc36a184191810c56ed85e0fdc 2904 18 0x5f20526f4177357da40a18da054731d442ad2a5a4727322ba8ed10d32eca24fb 2906 19 0x33e4cab64ed8a00d8012104fe8f928e6173c428eff95bbbe569ea46126a4f3cd 2908 20 0x050555b6f07e308d33776922b6566829d122e19b25b7bbacbb0a4b1a7dc40192 2910 21 0x533fa4bf1e2a2aae2f979065fdbb5b667ede2f85543fddbba146aa3a4ef2d281 2912 22 0x5a742cac1952010fc5aba200a635a7bed3ef868194f45b5a6a2647d6d6b289d2 2914 23 0x01 2916 G.4.2. Dual Isogeny Parameters 2918 G.4.2.1. 
Coefficients of u'(x) 2920 0 0x0f0eddb584a20aaac8f1419efdd02a5cca77b21e4cfae78c49b5127d98bc5882 2922 1 0x7115e60d44a58630417df33dd45b8a546fa00b79fea3b2bdc449694bade87c0a 2924 2 0x0b3f3a6f3c445c7dc1f91121275414e88c32ff3f367ba0edad4d75b7e7b94b65 2926 3 0x1eb31bb333d7048b87f2b3d4ec76d69035927b41c30274368649c87c52e1ab30 2928 4 0x552c886c2044153e280832264066cce2a7da1127dc9720e2a380e9d37049ac64 2930 5 0x4504f27908db2e1f5840b74ae42445298755d9493141f5417c02f04d47797dda 2932 6 0x082c242cce1eb19698a4fa30b5affe64e5051c04ae8b52cb68d89ee85222e628 2934 7 0x480473406add76cf1d77661b3ff506c038d9cdd5ad6e1ea41969430bb876d223 2936 8 0x25f47bb506fba80c79d1763365fa9076d4c4cb6644f73ed37918074397e88588 2938 9 0x10f13ed36eab593fa20817f6bb70cac292e18d300498f6642e35cbdf772f0855 2940 10 0x7d28329d695fb3305620f83a58df1531e89a43c7b3151d16f3b60a8246c36ade 2942 11 0x02c5ec8c42b16dc6409bdd2c7b4ffe9d65d7209e886badbd5f865dec35e4ab4a 2943 12 0x7f4f33cd50255537e6cde15a4a327a5790c37e081802654b56c956434354e133 2945 13 0x7d30431a121d9240c761998cf83d228237e80c3ef5c7191ec9617208e0ab8cec 2947 14 0x4d2a7d6609610c1deed56425a4615b92f70a507e1079b2681d96a2b874cf0630 2949 15 0x74676df60a9906901d1dc316c639ff6ae0fcdb02b5571d4b83fc2eedcd2936a8 2951 16 0x22f8212219aca01410f06eb234ed53bd5b8fbe7c08652b8002bcd1ea3cdae387 2953 17 0x7edb04449565d7c566b934a87fadade5515f23bda1ce25daa19fff0c6a5ccc2f 2955 18 0x106ef71aa3aa34e8ecf4c07a67d03f0949d7d015ef2c1e32eb698dd3bec5a18c 2957 19 0x0017913eb705db126ac3172447bcd811a62744d505ad0eea94cfcfdde5ca7428 2959 20 0x2cc793e6d3b592dcf5472057a991ff1a5ab43b4680bb34c0f5faffc5307827c1 2961 21 0x6dafcc0b16f98300cddb5e0a7d7ff04a0e73ca558c54461781d5a5ccb1ea0122 2963 22 0x7e418891cf222c021b0ae5f5232b9c0dc8270d4925a13174a0f0ac5e7a4c8045 2965 23 0x76553bd26fecb019ead31142684789fea7754c2dc9ab9197c623f45d60749058 2967 24 0x693efb3f81086043656d81840902b6f3a9a4b0e8f2a5a5edf5ce1c7f50a3898e 2969 25 0x46c630eac2b86d36f18a061882b756917718a359f44752a5caf41be506788921 2971 26 
0x01dcfa01773628753bc6f448ac11be8a3bffa0011b9284967629b827e064f614 2973 27 0x08430b5b97d49b0938d1f66ecb9d2043025c6eec624f8f02042b9621b2b5cb19 2975 28 0x66f66a6669272d47d3ec1efea36ee01d4a54ed50e9ec84475f668a5a9850f9be 2977 29 0x539128823b5ef3e87e901ab22f06d518a9bad15f5d375b49fe1e893ab38b1345 2979 30 0x2bd01c49d6fff22c213a8688924c10bf29269388a69a08d7f326695b3c213931 2981 31 0x3f7bea1baeccea3980201dc40d67c26db0e3b15b5a19b6cdac6de477aa717ac1 2983 32 0x6e0a72d94867807f7150fcb1233062f911b46e2ad11a3eac3c6c4c91e0f4a3fa 2985 33 0x5963f3cc262253f56fc103e50217e7e5b823ae8e1617f9e11f4c9c595fbb5bf6 2987 34 0x41440b6fe787777bc7b63afac9f4a38ddadcebc3d72f8fc73835247ba05f3a1d 2989 35 0x66d185401c1d2d0b84fcf6758a6a985bf9695651271c08f4b69ce89175fb7b34 2990 36 0x2673fb8c65bc4fe41905381093429a2601c46a309c03077ca229bac7d6ccf239 2992 37 0x1ce4d895ee601918a080de353633c82b75a3f61e8247763767d146554dd2f862 2994 38 0x18efa6c72fa908347547a89028a44f79f22542baa588601f2b3ed25a5e56d27c 2996 39 0x53de362e2f8ff220f8921620a71e8faa1aa57f8886fcbb6808fa3a5560570543 2998 40 0x0dc29a73b97f08aa8774911474e651130ed364e8d8cffd4a80dee633aacecc47 3000 41 0x4e7eb8584ae4de525389d1e9300fc4480b3d9c8a5a45ecfbe33311029d8f6b99 3002 42 0x6c3cba4aa9229550fa82e1cfaee4b02f2c0cb86f79e0d412b8e32b00b7959d80 3004 43 0x5a9d104ae585b94af68eeb16b1349776b601f97b7ce716701645b1a75b68dcf3 3006 44 0x754e014b5e87af035b3d5fe6fb49f4631e32549f6341c6693c5172a6388e273e 3008 45 0x6710d8265118e22eaceba09566c86f642ab42da58c435083a353eaa12d866c39 3010 46 0x6e88ac659ce146c369f8b24c3a49f8dca547827250cf7963a455851cfc4f8d22 3012 47 0x0971eb5f253356cd1fde9fb21f4a4902aa5b8d804a2b57ba775dc130181ae2e8 3014 G.4.2.2. 
Coefficients of v'(x) 3016 0 0x043c9b67cc5b16e167b55f190db61e44d48d813a7112910f10e3fd8da85d61d3 3018 1 0x72046db07e0e7882ff3f0f38b54b45ca84153be47a7fd1dd8f6402e17c47966f 3020 2 0x1593d97b65a070b6b3f879fe3dc4d1ef03c0e781c997111d5c1748f956f1ffc0 3022 3 0x54e5fec076b8779338432bdc5a449e36823a0a7c905fd37f232330b026a143a0 3024 4 0x46328dd9bc336e0873abd453db472468393333fbf2010c6ac283933216e98038 3026 5 0x25d0c64de1dfe1c6d5f5f2d98ab637d8b39bcf0d886a23dabac18c80d7eb03ce 3028 6 0x3a175c46b2cd8e2b313dde2d5f3097b78114a6295f283cf58a33844b0c8d8b34 3030 7 0x5cf4e6f745bdd61181a7d1b4db31dc4c30c84957f63cdf163bee5e466a7a8d38 3032 8 0x639071c39b723eea51cfd870478331d60396b31f39a593ebdd9b1eb543875283 3034 9 0x7ea8f895dcd85fc6cb2b58793789bd9246e62fa7a8c7116936876f4d8dff869b 3036 10 0x503818acb535bcaacf8ad44a83c213a9ce83af7c937dc9b3e5b6efedc0a7428c 3037 11 0x0e815373920ec3cbf3f8cae20d4389d367dc4398e01691244af90edc3e6d42b8 3039 12 0x7e4b23e1e0b739087f77910cc635a92a3dc184a791400cbceae056c19c853815 3041 13 0x145322201db4b5ec0a643229e07c0ab7c36e4274745689be2c19cfa8a702129d 3043 14 0x0fde79514935d9b40f52e33429621a200acc092f6e5dec14b49e73f2f59c780d 3045 15 0x37517ac5c04dc48145a9d6e14803b8ce9cb6a5d01c6f0ad1b04ff3353d02d815 3047 16 0x58ae96b8eefe9e80f24d3b886932fe3c27aaea810fa189c702f93987c8c97854 3049 17 0x6f6402c90fa379096d5f436035bebc9d29302126e9b117887abfa7d4b3c5709a 3051 18 0x01dbdf2b9ec09a8defeb485cc16ea98d0d45c5b9877ff16bd04c0110d2f64961 3053 19 0x53c51706af523ab5b32291de6c6b1ee7c5cbd0a5b317218f917b12ff38421452 3055 20 0x1b1051c7aec7d37a349208e3950b679d14e39f979db4fcd7b50d7d27dc918650 3057 21 0x1547e8d36262d5434cfb029cdd29385353124c3c35b1423c6cca1f87910b305b 3059 22 0x198efe984efc817835e28f704d41e4583a1e2398f7ce14045c4575d0445c6ce7 3061 23 0x492276dfe9588ee5cd9f553d990f377935d721822ecd0333ce2eb1d4324d539c 3063 24 0x77bad5319bacd5ed99e1905ce2ae89294efa7ee1f74314e4095c618a4e580c9b 3065 25 0x2cb3d532b8eac41c61b683f7b02feb9c2761f8b4286a54c3c4b60dd8081a312e 3067 26 
0x37d189ea60443e2fee9b7ba8a34ed79ff3883dcefc06592836d2a9dd2ee3656e 3069 27 0x79a80f9a0e6b8ded17a3d6ccf71eb565e3704c3543b77d70bca854345e880aba 3071 28 0x47718530ef8e8c75f069acb2d9925c5537908e220b28c8a2859b856f46d5f8db 3073 29 0x7dc518f82b55a36b4fa084b05bf21e3efce481d278a9f5c6a49701e56dac01ec 3075 30 0x340a318dad4b8d348a0838659672792a0f00b7105881e6080a340f708a9c7f94 3077 31 0x55f04d9d8891636d4e9c808a1fa95ad0dae7a8492257b20448023aad3203278e 3079 32 0x39dc465d58259f9f70bb430d27e2f0ab384a550e1259655443e14bdecba85530 3081 33 0x757385464cff265379a1adfadfd6f6a03fa8a2278761d4889ab097eff4d1ac28 3083 34 0x4d575654dbe39778857f4e688cc657416ce524d54864ebe8995ba766efa7ca2b 3084 35 0x47adb6aecc1949f2dc9f01206cc23eb4a0c29585d475dd24dc463c5087809298 3086 36 0x30d39e8b0c451a8fcf3d2abab4b86ffa374265abbe77c5903db4c1be8cec7672 3088 37 0x28cf47b39112297f0daeaa621f8e777875adc26f35dec0ba475c2ee148562b41 3090 38 0x36199723cc59867e2e309fe9941cd33722c807bb2d0a06eeb41de93f1b93f2f5 3092 39 0x5cdeb1f2ee1c7d694bdd884cb1c5c22de206684e1cafb8d3adb9a33cb85e19a2 3094 40 0x0f6e6b3fc54c2d25871011b1499bb0ef015c6d0da802ae7eccf1d8c3fb73856c 3096 41 0x0c1422c98b672414344a9c05492b926f473f05033b9f85b8788b4bb9a080053c 3098 42 0x19a8527de35d4faacb00184e0423962247319703a815eecf355f143c2c18f17f 3100 43 0x7812dc3313e6cf093da4617f06062e8e8969d648dfe6b5c331bccd58eb428383 3102 44 0x61e537180c84c79e1fd2d4f9d386e1c4f0442247605b8d8904d122ee7ef9f7be 3104 45 0x544d8621d05540576cfc9b58a3dab19145332b88eb0b86f4c15567c37205adf9 3106 46 0x11be3ef96e6e07556356b51e2479436d9966b7b083892b390caec22a117aa48e 3108 47 0x205cda31289cf75ab0759c14c43cb30f7287969ea3dc0d5286a3853a4d403187 3110 48 0x048d8fc6934f4f0a99f0f2cc59010389e2a0b20d6909bfcf8d7d0249f360acdc 3112 49 0x42cecc6d9bdca6d382e97fcea46a79c3eda2853091a8f399a2252115bf9a1454 3114 50 0x0117d41b24f2f69cb3270b359c181607931f62c56d070bbd14dc9e3f9ab1432e 3116 51 0x7c51564c66f68e2ad4ce6ea0d68f920fafa375376709c606c88a0ed44207aa1e 3118 52 
0x48f25191fc8ac7d9f21adf6df23b76ccbca9cb02b815acdbebfa3f4eddc71b34 3120 53 0x4fc21a62c4688de70e28ad3d5956633fc9833bc7be09dc7bc500b7fae1e1c9a8 3122 54 0x1f23f25be0912173c3ef98e1c9990205a69d0bf2303d201d27a5499247f06789 3124 55 0x3131495618a0ac4cb11a702f3f8bab66c4fa1066d0a741af3c92d5c246edd579 3126 56 0x0d93fe40faa53913638e497328a1b47603cb062c7afc9e96278603f29fd11fd4 3128 57 0x6b348bc59e984c91d696d1e3c3cfae44021f06f74798c787c355437fb696093d 3130 58 0x65af00e73043edcb479620c8b48098b89809d577a4071c8e33e8678829138b8a 3131 59 0x5e62ffb032b2ddb06591f86a46a18effd5d6ecf3f129bb2bacfd51a3739a98b6 3133 60 0x62c974ef3593fc86f7d78883b8727a2f7359a282cbc0196948e7a793e60ce1a1 3135 61 0x204d708e3f500aad64283f753e7d9bab976aa42a4ca1ce5e9d2264639e8b1110 3137 62 0x0a90f0059da81a012e9d0a756809fab2ce61cb45965d4d1513a06227783ee4ea 3139 63 0x39fa55971c9e833f61139c39e243d40869fd7e8a1417ee4e7719dd2dd242766f 3141 64 0x22677c1e659caa324f0c74a013921facf62d0d78f273563145cc1ddccfcc4421 3143 65 0x3468cf6df7e93f7ff1fe1dd7e180a89dec3ed4f72843b4ea8a8d780011a245b2 3145 66 0x68f75a0e2210f52a90704ed5f511918d1f6bcfcd26b462cc4975252369db6e9d 3147 67 0x6220c0699696e9bcab0fe3a80d437519bd2bdf3caef665e106b2dd47585ddd9f 3149 68 0x553ad47b129fb347992b576479b0a89f8d71f1196f83e5eaab5f533a1dd6f6d7 3151 69 0x239aef387e116ec8730fa15af053485ca707650d9f8917a75f22acf6213197df 3153 G.4.2.3. 
Coefficients of w'(x) 3155 0 0x6bd7f1fc5dd51b7d832848c180f019bcbdb101d4b3435230a79cc4f95c35e15e 3157 1 0x17413bb3ee505184a504e14419b8d7c8517a0d268f65b0d7f5b0ba68d6166dd0 3159 2 0x47f4471beed06e5e2b6d5569c20e30346bdba2921d9676603c58e55431572f90 3161 3 0x2af7eaafd04f6910a5b01cdb0c27dca09487f1cd1116b38db34563e7b0b414eb 3163 4 0x57f0a593459732eef11d2e2f7085bf9adf534879ba56f7afd17c4a40d3d3477b 3165 5 0x4da04e912f145c8d1e5957e0a9e44cca83e74345b38583b70840bdfdbd0288ed 3167 6 0x7cc9c3a51a3767d9d37c6652c349adc09bfe477d99f249a2a7bc803c1c5f39ed 3169 7 0x425d7e58b8adf87eebf445b424ba308ee7880228921651995a7eab548180ad49 3171 8 0x48156db5c99248234c09f43fedf509005943d3d5f5d7422621617467b06d314f 3173 9 0x0d837dbbd1af32d04e2699cb026399c1928472aa1a7f0a1d3afd24bc9923456a 3175 10 0x5b8806e0f924e67c1f207464a9d025758c078b43ddc0ea9afe9993641e5650be 3177 11 0x29c91284e5d14939a6c9bc848908bd9df1f8346c259bbd40f3ed65182f3a2f39 3178 12 0x25550b0f3bceef18a6bf4a46c45bf1b92f22a76d456bfdf19d07398c80b0f946 3180 13 0x495d289b1db16229d7d4630cb65d52500256547401f121a9b09fb8e82cf01953 3182 14 0x718c8c610ea7048a370eabfd9888c633ee31dd70f8bcc58361962bb08619963e 3184 15 0x55d8a5ceef588ab52a07fa6047d6045550a5c52c91cc8b6b82eeb033c8ca557d 3186 16 0x620b5a4974cc3395f96b2a0fa9e6454202ef2c00d82b0e6c534b3b1d20f9a572 3188 17 0x4991b763929b00241a1a9a68e00e90c5df087f90b3352c0f4d8094a51429524e 3190 18 0x18b6b49c5650fb82e36e25fd4eb6decfdd40b46c37425e6597c7444a1b6afb4e 3192 19 0x6868305b4f40654460aad63af3cb9151ab67c775eaac5e5df90d3aea58dee141 3194 20 0x16bc90219a36063a22889db810730a8b719c267d538cd28fa7c0d04f124c8580 3196 21 0x3628f9cf1fbe3eb559854e3b1c06a4cd6a26906b4e2d2e70616a493bba2dc574 3198 22 0x64abcc6759f1ce1ab57d41e17c2633f717064e35a7233a6682f8cf8e9538afec 3200 23 0x01 3202 Appendix H. 
Point Compression

Point compression allows a shorter representation of affine points of an elliptic curve by exploiting algebraic relationships between the coordinate values based on the defining equation of the curve in question. Point decompression refers to the reverse process, where one tries to recover an affine point from its compressed representation and information on the domain parameters of the curve. Consequently, point compression followed by point decompression is the identity map.

The description below makes use of an auxiliary function (the parity function), which we first define for prime fields GF(p), with p odd, and then extend to all fields GF(q), where q is an odd prime power. We assume each finite field to be unambiguously defined and known from context.

Let y be a nonzero element of GF(q). If q:=p is an odd prime number, y and p-y can be uniquely represented as integers in the interval [1,p-1] and have odd sum p. Consequently, one can distinguish y from -y via the parity of this representation, i.e., via par(y):=y (mod 2). If q:=p^m, where p is an odd prime number and where m>0, both y and -y can be uniquely represented as vectors of length m, with coefficients in GF(p) (see Appendix B.2). In this case, the leftmost nonzero coordinate values of y and -y are in the same position and have representations in [1,p-1] with different parity. As a result, one can distinguish y from -y via the parity of the representation of this coordinate value. This extends the definition of the parity function to any odd-size field GF(q), where one defines par(0):=0. The value of the parity function is commonly called the parity bit.

H.1. Point Compression for Weierstrass Curves

If P:=(X, Y) is an affine point of the Weierstrass curve W_{a,b} defined over the field GF(q), then so is -P:=(X, -Y). Since the defining equation Y^2=X^3+a*X+b has at most two solutions with fixed X-value, one can represent P by its X-coordinate and one bit of information that allows one to distinguish P from -P, i.e., one can represent P as the ordered pair compr(P):=(X, par(Y)). If P is a point of order two, one can uniquely represent P by its X-coordinate alone, since Y=0 and has fixed parity. Conversely, given the ordered pair (X, t), where X is an element of GF(q) and where t=0 or t=1, and the domain parameters of the curve W_{a,b}, one can use the defining equation of the curve to try to determine candidate values for the Y-coordinate given X, by solving the quadratic equation Y^2:=alpha, where alpha:=X^3+a*X+b. If alpha is not a square in GF(q), this equation does not have a solution in GF(q) and the ordered pair (X, t) does not correspond to a point of this curve. Otherwise, there are two solutions, viz. Y=sqrt(alpha) and -Y. If alpha is a nonzero element of GF(q), one can uniquely recover the Y-coordinate for which par(Y):=t and, thereby, the point P:=(X, Y). This is also the case if alpha=0 and t=0, in which case Y=0 and the point P has order two. However, if alpha=0 and t=1, the ordered pair (X, t) does not correspond to the outcome of the point compression function.

NOTE: the procedure above corrects an error in the point decompression procedure for Weierstrass curves defined over the prime field GF(p) of [SEC1], which erroneously converts a purported compressed point for which alpha=0 and t=1 (in the notation above), to the ordered pair (0,p).
We extend the definition of the point compression function to all points of the curve W_{a,b}, by associating the (non-affine) point at infinity O with any ordered pair compr(O):=(X,0), where X is any element of GF(q) for which alpha:=X^3+a*X+b is not a square in GF(q), and recover this point accordingly. In this case, the point at infinity O can be represented by any ordered pair (X,0) of elements of GF(q) for which X^3+a*X+b is not a square in GF(q). Note that this ordered pair does not satisfy the defining equation of the curve in question. An application may fix a specific suitable value of X or choose multiple such values and use this to encode additional information. Further details are out of scope.

H.2. Point Compression for Montgomery Curves

If P:=(u, v) is an affine point of the Montgomery curve M_{A,B} defined over the field GF(q), then so is -P:=(u, -v). Since the defining equation B*v^2=u^3+A*u^2+u has at most two solutions with fixed u-value, one can represent P by its u-coordinate and one bit of information that allows one to distinguish P from -P, i.e., one can represent P as the ordered pair compr(P):=(u, par(v)). If P is a point of order two, one can uniquely represent P by its u-coordinate alone, since v=0 and has fixed parity. Conversely, given the ordered pair (u, t), where u is an element of GF(q) and where t=0 or t=1, and the domain parameters of the curve M_{A,B}, one can use the defining equation of the curve to try to determine candidate values for the v-coordinate given u, by solving the quadratic equation v^2:=alpha, where alpha:=(u^3+A*u^2+u)/B. If alpha is not a square in GF(q), this equation does not have a solution in GF(q) and the ordered pair (u, t) does not correspond to a point of this curve. Otherwise, there are two solutions, viz. v=sqrt(alpha) and -v. If alpha is a nonzero element of GF(q), one can uniquely recover the v-coordinate for which par(v):=t and, thereby, the affine point P:=(u, v). This is also the case if alpha=0 and t=0, in which case v=0 and the point P has order two. However, if alpha=0 and t=1, the ordered pair (u, t) does not correspond to the outcome of the point compression function.

We extend the definition of the point compression function to all points of the curve M_{A,B}, by associating the (non-affine) point at infinity O with the ordered pair compr(O):=(0,1) and recover this point accordingly. (Note that this corresponds to the case alpha=0 and t=1 above.) The point at infinity O can be represented by the ordered pair (0, 1) of elements of GF(q). Note that this ordered pair does not satisfy the defining equation of the curve in question.

H.3. Point Compression for Twisted Edwards Curves

If P:=(x, y) is an affine point of the twisted Edwards curve E_{a,d} defined over the field GF(q), then so is -P:=(-x, y). Since the defining equation a*x^2+y^2=1+d*x^2*y^2 has at most two solutions with fixed y-value, one can represent P by its y-coordinate and one bit of information that allows one to distinguish P from -P, i.e., one can represent P as the ordered pair compr(P):=(par(x), y). If P is a point of order one or two, one can uniquely represent P by its y-coordinate alone, since x=0 and has fixed parity. Conversely, given the ordered pair (t, y), where y is an element of GF(q) and where t=0 or t=1, and the domain parameters of the curve E_{a,d}, one can use the defining equation of the curve to try to determine candidate values for the x-coordinate given y, by solving the quadratic equation x^2:=alpha, where alpha:=(1-y^2)/(a-d*y^2). (Here, observe that the denominator is nonzero for any point of E_{a,d}.) If alpha is not a square in GF(q), this equation does not have a solution in GF(q) and the ordered pair (t, y) does not correspond to a point of this curve. Otherwise, there are two solutions, viz. x=sqrt(alpha) and -x. If alpha is a nonzero element of GF(q), one can uniquely recover the x-coordinate for which par(x):=t and, thereby, the affine point P:=(x, y). This is also the case if alpha=0 and t=0, in which case x=0 and the point P has order one or two. However, if alpha=0 and t=1, the ordered pair (t, y) does not correspond to the outcome of the point compression function.

Note that the point compression function is defined for all points of the twisted Edwards curve E_{a,d}. Here, the identity element O:=(0,1) is associated with the compressed point compr(O):=(0,1). (Note that this corresponds to the case alpha=0 and t=0 above.)

We extend the definition of the compression function further, to also include a special marker element 'btm', by associating this marker element with the ordered pair compr(btm):=(1,1) and recover this marker element accordingly. (Note that this corresponds to the case alpha=0 and t=1 above.) The marker element 'btm' can be represented by the ordered pair (1,1) of elements of GF(q). Note that this ordered pair does not satisfy the defining equation of the curve in question.

Appendix I. Data Conversions

This section introduces various data conversion routines that are useful when representing integers, finite field elements, and curve points as binary or octet strings.

I.1. Strings and String Operations

The string over some alphabet S consisting of the symbols x_{l-1}, x_{l-2}, ..., x_1, x_0 (each in S), in this order, is denoted by str(x_{l-1}, x_{l-2}, ..., x_1, x_0) (or simply as x_{l-1} x_{l-2} ... x_1 x_0, if the individual symbols can be uniquely identified).
3361 The length of this string (over S) is the number of symbols it 3362 contains (here: l). The empty string is the (unique) string of 3363 length l=0. Strings are commonly indicated by surrounding these by 3364 double quotation marks. 3366 The right-concatenation of two strings X and Y (defined over the same 3367 alphabet) is the string Z consisting of the symbols of X (in the same 3368 order) followed by the symbols of Y (in the same order). The length 3369 of the resulting string Z is the sum of the lengths of X and Y. This 3370 string operation is denoted by Z:=X||Y. The string X is called a 3371 prefix of Z; the string Y a postfix of Z. The t-prefix of a string Z 3372 of length l is its unique prefix X of length t; the t-postfix its 3373 unique postfix Y of length t (where in both cases t is an integer in 3374 the interval [0,l]). One can define these notions as well if t is 3375 outside the interval [0,l] by stipulating that a t-prefix or 3376 t-postfix is the empty string if t is negative and that it is the 3377 entire string Z if t is larger than l. Sometimes, a t-prefix of a 3378 string Z is denoted by trunc-left(Z,t); a t-postfix by trunc- 3379 right(Z,t). A string X is called a substring of Z if it is a prefix 3380 of some postfix of Z. The string resulting from prepending the 3381 string Y with X is the string X||Y. The symbols of a string Z of 3382 length l can be labelled from left to right, using consecutive 3383 integers in the interval [0,l) starting with zero, where each label 3384 identifies a symbol via its position in the string. 3386 An octet (or byte) is an integer in the interval [0,256). An octet 3387 string is a string, where the alphabet is the set of all octets. A 3388 binary string (or bit string, for short) is a string, where the 3389 alphabet is the set {0,1} of binary digits. 
A hex digit is an 3390 integer in the interval [0,16), with the convention to denote the 3391 integers 10, 11, 12, 13, 14, and 15 by the symbols 'a', 'b', 'c', 3392 'd', 'e', and 'f', respectively. A hexadecimal string (or hex 3393 string, for short) is a string, where the alphabet is the set of all 3394 hex digits. Note that the length of a string is defined in terms of 3395 the underlying alphabet, as are the operations in the previous 3396 paragraph. 3398 Note that an octet z can be uniquely represented in base 16 as the 3399 integer z:=16*z1+z0, where z1 and z0 are hex digits, and, thereby, as 3400 the hexadecimal string z1||z0 of length two. This allows a concise 3401 description of octet strings as hex strings (commonly indicated by 3402 the "0x"-prefix). 3404 An ASCII character is a symbol of the so-called ASCII alphabet: the 3405 set of symbols corresponding to the set of integers in the interval 3406 [0,128) according to the ASCII-table (see [RFC0020]). An ASCII 3407 string is a string, where the alphabet is the set of all ASCII 3408 characters. All ASCII characters corresponding to integers in the 3409 interval [33,126] are single printable characters (and can therefore 3410 be uniquely identified in a printable ASCII string). There is a 1-1 3411 correspondence between ASCII characters and integers in the interval 3412 [0,128), thereby allowing each ASCII character to be uniquely 3413 represented by an octet. 3415 I.2. Conversion between Bit Strings and Integers (BS2I, I2BS) 3417 There is a 1-1 correspondence between bit strings of length l and 3418 integers in the interval [0, 2^l), where the bit string 3419 X:=str(x_{l-1}, x_{l-2}, ..., x_1, x_0) corresponds to the integer 3420 x:=x_{l-1}*2^{l-1} + x_{l-2}*2^{l-2} + ... + x_1*2 + x_0*1. (If l=0, 3421 the empty bit string corresponds to the integer zero.) 
Note that while the mapping from bit strings to integers is uniquely defined, the inverse mapping from integers to bit strings is not, since any non-negative integer smaller than 2^t can be represented as a bit string of length at least t (due to leading zero coefficients in base 2 representation). The latter representation is called tight if the bit string representation has minimal length (the so-called bit-length of the integer in question). This defines the mapping BS2I from bit strings to integers and the mapping I2BS(x,l) from non-negative integers smaller than 2^l to bit strings of length l. Note that this also defines a 1-1 correspondence between bit strings of length four and hex digits, and the encoding of ASCII characters as bit strings of length eight (where the leftmost bit has the value zero), as stipulated in [RFC0020].

I.3.  Conversion between Octet Strings and Integers (OS2I, I2OS)

There is a 1-1 correspondence between octet strings of length l and integers in the interval [0, 256^l), where the octet string X:=str(X_{l-1}, X_{l-2}, ..., X_1, X_0) corresponds to the integer x:=X_{l-1}*256^{l-1} + X_{l-2}*256^{l-2} + ... + X_1*256 + X_0*1. (If l=0, the empty string corresponds to the integer zero.) Note that while the mapping from octet strings to integers is uniquely defined, the inverse mapping from integers to octet strings is not, since any non-negative integer smaller than 256^t can be represented as an octet string of length at least t (due to leading zero coefficients in base 256 representation). The latter representation is called tight if the octet string representation has minimal length (the so-called byte-length of the integer in question).
This defines the mapping OS2I from octet strings to integers and the mapping I2OS(x,l) from non-negative integers smaller than 256^l to octet strings of length l.

I.4.  Conversion between Octet Strings and Bit Strings (OS2BS, BS2OS)

There is a 1-1 correspondence between octet strings of length l and bit strings of length 8*l, where the octet string X:=str(X_{l-1}, X_{l-2}, ..., X_1, X_0) corresponds to the right-concatenation of the 8-bit strings x_{l-1}, x_{l-2}, ..., x_1, x_0, where each octet X_i corresponds to the 8-bit string x_i according to the mapping of Appendix I.2 above. Note that the mapping from octet strings to bit strings is uniquely defined and so is the inverse mapping from bit strings to octet strings, if one prepends each bit string with the smallest number of 0 bits so as to result in a bit string of length divisible by eight (i.e., one uses pre-padding). This defines the mapping OS2BS from octet strings to bit strings and the corresponding mapping BS2OS from bit strings to octet strings. When we refer to a specific bit position in an octet string, this indicates the corresponding position, when this octet string is viewed as a bit string using the OS2BS mapping above.

I.5.  Conversion between Field Elements and Octet Strings (FE2OS, OS2FE)

There is a 1-1 correspondence between elements of the fixed finite field GF(q), where q:=p^m, where p is a prime number and where m>0, and vectors of length m, with coefficients in GF(p), where each element x of GF(q) is a vector (x_{m-1}, x_{m-2}, ..., x_1, x_0) according to the conventions of Appendix B.2.
In this case, this field element can be uniquely represented by the right-concatenation of the octet strings X_{m-1}, X_{m-2}, ..., X_1, X_0, where each octet string X_i corresponds to the integer x_i in the interval [0,p-1] according to the mapping of Appendix I.3 above. Note that both the mapping from field elements to octet strings and the inverse mapping from octet strings to field elements are only uniquely defined if each octet string X_i has the same fixed size (e.g., the smallest integer l so that 256^l >= p) and if all integers are reduced modulo p. If so, the latter representation is called tight if l is minimal so that 256^l >= p. This defines the mapping FE2OS(x,l) from field elements to octet strings and the mapping OS2FE(X,l) from octet strings to field elements, where the underlying field is implicit and assumed to be known from context. In this case, the octet string has length l*m. (Observe that with tight representations, the parameter l is uniquely defined by the characteristic p of the field GF(q) in question.) The OS2FE(X,l) mapping is called strict if it operates as the OS2FE(X,l) function, except that it fails whenever it would require at least one modular reduction. Notice that the tight FE2OS mapping followed by the strict OS2FE mapping is the identity map (and, hence, OS2FE never fails in this case).

I.6.  Conversion between Elements of Z_n and Octet Strings (ZnE2OS, OS2ZnE)

There is a 1-1 correspondence between elements of the set Z_n of integers modulo n and integers in the interval [0,n), where each element x of Z_n is uniquely represented by the integer x mod n. In this case, x mod n can be uniquely represented by the octet string X according to the mapping of Appendix I.3 above.
Note that both the mapping from elements of Z_n to octet strings and the inverse mapping from octet strings to elements of Z_n are only uniquely defined if the octet string has a fixed size (e.g., the smallest integer l so that 256^l >= n) and if all integers are first reduced modulo n. If so, the latter representation is called tight if l is minimal so that 256^l >= n. This defines the mapping ZnE2OS(x,l) from elements of Z_n to octet strings and the mapping OS2ZnE(X,l) from octet strings to elements of Z_n, where the underlying modulus n is implicit and assumed to be known from context. In this case, the octet string has length l. (Observe that with tight representations, the parameter l is uniquely defined by the parameter n in question.) The OS2ZnE(X,l) mapping is called strict if it operates as the OS2ZnE(X,l) function, except that it fails whenever it would require at least one modular reduction. Notice that the tight ZnE2OS mapping followed by the strict OS2ZnE mapping is the identity map (and, hence, OS2ZnE never fails in this case).

Note that if n is a prime number p, the conversions ZnE2OS and FE2OS are consistent, as are OS2ZnE and OS2FE. This is, however, no longer the case if n is a strict prime power.

The conversion rules for composite (i.e., non-prime) n values may be useful, e.g., when encoding RSA parameters (or elements of any other non-prime size set Z_n, for that matter).

I.7.  Ordering Conventions

One can consider various representation functions, depending on bit-ordering and octet-ordering conventions.

The description below makes use of an auxiliary function (the reversion function), where the reverse of the string X:=str(x_{l-1}, x_{l-2}, ..., x_1, x_0) is defined to be the string X':=rev(X):=str(x_0, x_1, ..., x_{l-2}, x_{l-1}).
Below, we use this reversion function with binary and octet strings.

We now describe representations in most-significant-bit first (msb) or least-significant-bit first (lsb) order and those in most-significant-byte first (MSB) or least-significant-byte first (LSB) order.

One distinguishes the following octet-string representations of integers and field elements:

1.  MSB, msb: represent field elements and integers as above, yielding the octet string str(X_{l-1}, X_{l-2}, ..., X_1, X_0).

2.  MSB, lsb: reverse the bit-order of each octet, viewed as 8-bit string, yielding the octet string str(rev(X_{l-1}), rev(X_{l-2}), ..., rev(X_1), rev(X_0)).

3.  LSB, lsb: reverse the octet string and bit-order of each octet, yielding the octet string str(rev(X_{0}), rev(X_{1}), ..., rev(X_{l-2}), rev(X_{l-1})).

4.  LSB, msb: reverse the octet string, yielding the octet string str(X_{0}, X_{1}, ..., X_{l-2}, X_{l-1}).

Thus, the 2-octet string "07e3" represents the integer 2019 (=0x07e3) in MSB/msb order, the integer 57,543 (=0xe0c7) in MSB/lsb order, the integer 51,168 (=0xc7e0) in LSB/lsb order, and the integer 58,119 (=0xe307) in LSB/msb order.

Note that, with the above data conversions, there is still some ambiguity as to how to represent an integer or a field element as a bit string or octet string (due to leading zeros). However, tight representations (as defined above) are non-ambiguous. (Note, in particular, that tightness implies that elements of GF(q) are always uniquely represented.)

I.8.  Conversion Between Curve Points and Octet Strings

For each of the curve models we consider, each affine point is an ordered pair (X, Y) whose coordinates are elements of a finite field GF(q) and that satisfy the defining equation for the curve in question.
Each compressed point is an ordered pair (X,t) (for Weierstrass curves and Montgomery curves) or (t, X) (for twisted Edwards curves) where X is an element of GF(q) and where t is an element of {0,1} (see Appendix H).

The affine point (X, Y) is represented by the ordered pair whose coordinates are the octet string representations of the elements X and Y of GF(q), respectively, using the tight FE2OS mapping of Appendix I.5. Note that, since we use a tight representation, this results in a pair of octet strings (each of length l*m), where the parameters l and m are uniquely defined by the field GF(q) in question. The inverse mapping results by converting the first and second coordinate of this pair (each an octet string of length l*m) to, respectively, the elements X and Y of GF(q) via the strict OS2FE mapping of Appendix I.5. Note that if it is not a priori known whether the input to this inverse mapping actually represents an affine curve point, one should check that the output (X,Y) -- if defined -- is indeed an affine point of the curve in question, where this operation fails if this is not the case. (This check involves simply checking whether the ordered pair (X,Y) satisfies the defining equation for this curve.)

The compressed point (X, t) or (t, X) is represented by the ordered pair whose coordinates are the octet string representations of the parity bit t in {0,1} and the element X of GF(q), respectively, using the tight FE2OS mapping of Appendix I.5. Note that, since we use tight representations, this results in an ordered pair of octet strings (of length 1 and l*m, respectively), where the parameters l and m are uniquely defined by the field GF(q) in question.
The inverse mapping results by converting the first and second coordinate of this pair (each an octet string, of length 1 and l*m, respectively) to, respectively, the element t of {0,1} and the element X of GF(q) via the strict OS2FE mapping of Appendix I.5, and representing this as the compressed point (X, t) or (t, X) according to the curve model in question. Note that if it is not a priori known whether the input to this inverse mapping actually represents a compressed curve point, one should check that the output (X, t) or (t, X) -- if defined -- is indeed a compressed point of the curve in question, using the point decompression process for this curve (see Appendix H), where this operation fails if this is not the case. (This check does include checking whether an element is a square in GF(q), but does not require actually computing square roots (see also the Note in Appendix K.1).)

NOTE 1: The representations of affine and compressed points above are as ordered pairs of octet strings. In practice, one often represents these as octet strings instead, via right-concatenation of its coordinates (in left-to-right order). Since each coordinate has known length, this operation is reversible. When appropriate, we refer to the latter as the octet (rather than the pair) representation of a point.

NOTE 2: The octet representation of compressed points above identifies the parity bit t of the curve point in question via the 1-octet representations of the integers 0 and 1. Obviously, other 1-1 mappings are also possible. As an example, with [SEC1], the parity bit t is represented by 0x02 or 0x03 depending on whether t=0 or t=1, respectively.
The same [SEC1] specification represents affine points as above (as octet string), but prepends this with the 1-octet prefix 0x04, and represents the identity element of the curve as the 1-octet string 0x00. This variable-size point representation has the property that its 1-octet prefix identifies whether it encodes an affine curve point, a compressed point (including parity bit), or the identity element, while the remainder of this representation uniquely determines the curve point's value. While the description in [SEC1] only applies to Weierstrass curves, the description above applies to each of the curve models we consider (i.e., these apply to Montgomery curves and twisted Edwards curves as well) and also applies to curves defined over extension fields. Collectively, we simply refer to this as the "SEC1" point representation.

Note that elements of a prime field GF(p), where p is a 255-bit prime number, have a tight representation as a 32-octet string, where a fixed bit position is always set to zero. (This is the leftmost bit position of this octet string if one follows the MSB/msb representation conventions.) This allows the parity bit of a compressed point (see Appendix H) to be encoded in this bit position and, thereby, allows a compressed point and an element of GF(p) to be represented by an octet string of the same length. This is called the "squeezed" point representation. (We will use this squeezed representation in Appendix J.) Obviously, other representations (e.g., those of elements of Z_n) may also have fixed bit values in certain positions, which can be used to squeeze-in additional information. Further details are out of scope.
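The conversions of Appendix I.2 through I.7 above, as an added example in Python that is not part of this draft: the BS2I/I2BS, OS2I/I2OS, OS2BS/BS2OS and ZnE2OS/OS2ZnE mappings (including the tight and strict variants) and the four ordering conventions, checked against the draft's own "07e3" example. The names tight_I2OS, tight_len, rev_bits, represent, interpret and ordering_table are this example's own, not the draft's.

```python
# Added example (not part of the draft): the string/integer conversions of
# Appendix I.2-I.7 in plain Python.  Function names follow the draft's
# mapping names (BS2I, I2BS, OS2I, I2OS, OS2BS, BS2OS, ZnE2OS, OS2ZnE);
# the helper names tight_I2OS, tight_len, rev_bits, represent, interpret
# and ordering_table are this example's own.


def BS2I(bits: str) -> int:
    """Bit string (most significant bit first) -> integer; "" maps to 0."""
    return int(bits, 2) if bits else 0


def I2BS(x: int, l: int) -> str:
    """Integer in [0, 2^l) -> bit string of length l (leading zeros kept)."""
    if not 0 <= x < 2 ** l:
        raise ValueError("integer does not fit in %d bits" % l)
    return format(x, "0%db" % l) if l else ""


def OS2I(octets: bytes) -> int:
    """Octet string (most significant octet first) -> integer; b"" -> 0."""
    return int.from_bytes(octets, "big")


def I2OS(x: int, l: int) -> bytes:
    """Integer in [0, 256^l) -> octet string of length l."""
    if not 0 <= x < 256 ** l:
        raise ValueError("integer does not fit in %d octets" % l)
    return x.to_bytes(l, "big")


def tight_I2OS(x: int) -> bytes:
    """Tight representation: minimal length, i.e. the byte-length of x."""
    return I2OS(x, (x.bit_length() + 7) // 8)


def OS2BS(octets: bytes) -> str:
    """Each octet becomes its 8-bit string; the results are concatenated."""
    return "".join(I2BS(b, 8) for b in octets)


def BS2OS(bits: str) -> bytes:
    """Pre-pad with the fewest 0 bits to a multiple of eight, then group."""
    bits = "0" * (-len(bits) % 8) + bits
    return bytes(BS2I(bits[i:i + 8]) for i in range(0, len(bits), 8))


def tight_len(n: int) -> int:
    """Smallest l with 256^l >= n: the tight length for Z_n (or GF(p))."""
    l = 0
    while 256 ** l < n:
        l += 1
    return l


def ZnE2OS(x: int, n: int, l: int) -> bytes:
    """Element of Z_n -> octet string of fixed length l (reduce first)."""
    return I2OS(x % n, l)


def OS2ZnE(octets: bytes, n: int, l: int, strict: bool = False) -> int:
    """Octet string of length l -> element of Z_n.  In strict mode the
    conversion fails instead of silently reducing a value >= n."""
    if len(octets) != l:
        raise ValueError("expected %d octets, got %d" % (l, len(octets)))
    x = OS2I(octets)
    if strict and x >= n:
        raise ValueError("strict OS2ZnE: input would need a modular reduction")
    return x % n


def rev_bits(b: int) -> int:
    """Reverse the bit order of one octet (the rev() function of I.7)."""
    return BS2I(I2BS(b, 8)[::-1])


def represent(x: int, l: int, byte_order: str, bit_order: str) -> bytes:
    """Integer -> l-octet string under one of the four orderings of I.7:
    byte_order in {"MSB", "LSB"}, bit_order in {"msb", "lsb"}."""
    octets = I2OS(x, l)
    if bit_order == "lsb":
        octets = bytes(rev_bits(b) for b in octets)
    if byte_order == "LSB":
        octets = octets[::-1]
    return octets


def interpret(octets: bytes, byte_order: str, bit_order: str) -> int:
    """Inverse of represent(): read an octet string under a given ordering."""
    if byte_order == "LSB":
        octets = octets[::-1]
    if bit_order == "lsb":
        octets = bytes(rev_bits(b) for b in octets)
    return OS2I(octets)


def ordering_table(hex_string: str) -> dict:
    """The draft's "07e3" example generalised: the integer an octet string
    denotes under each of the four ordering conventions."""
    octets = bytes.fromhex(hex_string)
    return {"%s/%s" % (B, b): interpret(octets, B, b)
            for B in ("MSB", "LSB") for b in ("msb", "lsb")}
```

The strict OS2ZnE rejects an input that would need a reduction, which is the check a verifier of a received scalar or field element wants: a non-tight encoding of the same value is a second, distinct encoding and should not be accepted silently.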
Notice that elements of a prime field GF(p), where p is a prime number with bit-length m divisible by eight, have a tight representation as an (m/8)-octet string, but do not have a bit position that is always set to zero. Thus, in this case, one cannot represent a compressed point as an octet string of the same length as an element of GF(p). However, one can still encode this as an octet string of length (m/8)+1 (see Note 1 above). If one uses right-concatenation as in Note 1, but (for historical reasons) represents the parity bit t of the compressed point in question by 0x00 or 0x80 depending on whether t=0 or t=1, respectively, this is again called the "squeezed" representation (despite this being somewhat a misnomer, since each point is now represented as an octet string that is one octet longer than the tight representation of elements of GF(p)). Notice that this representation corresponds to the compressed point representation of Appendix I.8 as octet string, but with the bit-ordering in the 1-octet representation of t reversed. (Note that this puts the parity bit t in the leftmost bit position of the octet string if one follows the MSB/msb representation conventions.) We will use this squeezed representation in Appendix O.

Appendix J.  Representation Examples Curve25519 Family Members

We present some examples of computations using the curves introduced in Appendix E and Appendix G of this document. In each case, we indicate the values of P, k*P, and (k+1)*P, where P is a fixed multiple (here: 2019) of the base point of the curve in question and where the private key k is the integer

   k   45467544759954639344191351164156560595299236761702065033670739677691372543056
       (=0x6485b7e6 cd83e5c2 0d5dbfe4 f915494d 9cf5c65d 778c32c3 c08d5abd 15e29c50).
In the examples below, each curve point is represented using the "squeezed" point representation (see Appendix I.8), whereby each point is represented as a 32-octet string, where the ordering convention (see Appendix I.7) depends on the underlying curve model in question. Here, points of a Weierstrass curve are represented in tight MSB/msb-order, points of a Montgomery curve in tight LSB/msb-order, and points of a twisted Edwards curve in tight LSB/lsb-order. For points that are a public key, the corresponding private keys are represented as 32-octet strings, using the same (tight) ordering conventions as with the public keys. For affine points, we also give the tight representation of each of its coordinates, using the same ordering conventions as used with the squeezed point representation. For further details, see the examples themselves.

J.1.  Example with Curve25519

Pm=(u, v), k*Pm=(u1, v1), and (k+1)*Pm=(u2, v2) with Curve25519:

   u   53025657538808013645618620393754461319535915376830819974982289332088255623750
       (=0x753b7566 df35d574 4734142c 9abf931c ea290160 aa75853c 7f972467 b7f13246).

   v   53327798092436462013048370302019946300826511459161905709144645521233690313086
       (=0x75e676ce deee3b3c 12942357 22f1d884 ac06de07 330fb07b ae35ca26 df75417e).

   u1  42039618818474335439333192910143029294450651736166602435248528442691717668056
       (=0x5cf194be f0bdd6d6 be58e18a 8f16740a ec25f4b0 67f7980a 23bb6468 88bb9cd8).

   v1  7698166198291735163093751722241272913088236885813432215648576219567913357634
       (=0x110501f6 1dff511e d6c4e9b9 bfd5acbe 8bf043b8 c3e381dd f5771306 479ad142).

   u2  3417511648237788235544013775257365183827376081862455752464312610182464621878
       (=0x078e3e38 41c3e0d0 373e5454 ecffae33 2798b10a 55c72117 62629f97 f1394d36).
   v2  43046985853631671610553834968785204191967171967937842531656254539962663994648
       (=0x5f2bbb06 f7ec5953 2c2a1a62 21124585 1d2682e0 cc37307e fbc17f7f 7fda8518).

As suggested in Appendix C.2, the v-coordinate of k*Pm can be indirectly computed from the u-coordinates of Pm, k*Pm, and (k+1)*Pm, and the v-coordinate of Pm, which allows computation of the entire point k*Pm (and not just its u-coordinate) if k*Pm is computed using the Montgomery ladder (as, e.g., [RFC7748] recommends), since that algorithm computes both u1 and u2 and the v-coordinate of the point Pm may be available from context.

The representation of k and the compressed representations of Pm and k*Pm in tight LSB/msb-order are given by

   repr(k)     0x509ce215 bd5a8dc0 c3328c77 5dc6f59c 4d4915f9 e4bf5d0d c2e583cd e6b78564

   repr(Pm)    0x4632f1b7 6724977f 3c8575aa 600129ea 1c93bf9a 2c143447 74d535df 66753b75;

   repr(k*Pm)  0xd89cbb88 6864bb23 0a98f767 b0f425ec 0a74168f 8ae158be d6d6bdf0 be94f15c,

where the leftmost bit of the rightmost octet indicates the parity of the v-coordinate of the point of Curve25519 in question (which, in this case, are both zero, since v and v1 are even). See Appendix H.2 and Appendix I for further detail on (squeezed) point compression.

The scalar representation and (squeezed) point representation illustrated above are consistent with the representations specified in [RFC7748], except that in [RFC7748] only an affine point's u-coordinate is represented (i.e., the v-coordinate of any point is always implicitly assumed to have an even value) and that the representation of the point at infinity is not specified. Another difference is that [RFC7748] allows non-unique representations of some elements of GF(p), whereas our representation conventions do not (since tight).
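The indirect computation of v1 mentioned above, as an added example (not part of the draft): it applies the well-known Okeya-Sakurai v-coordinate recovery formula for a Montgomery curve v^2 = u^3 + A*u^2 + u to the Curve25519 values of this appendix, and first confirms that the three points satisfy the curve equation. The formula itself is an assumption of this example (the draft's Appendix C.2 is not reproduced here), as is the map X = u + A/3, Y = v to Wei25519 used in the final check against the X-coordinate of Appendix J.3; the helper h() is the example's own.

```python
# Added example (not part of the draft): recovering the v-coordinate of
# k*Pm on Curve25519 from the u-coordinates of Pm, k*Pm and (k+1)*Pm plus
# the v-coordinate of Pm.  The recovery formula is the standard
# Okeya-Sakurai formula for a Montgomery curve v^2 = u^3 + A*u^2 + u (an
# assumption of this example; the draft's Appendix C.2 is not reproduced
# here).  Coordinate values are copied from Appendix J.1 and J.3.

P = 2 ** 255 - 19          # field order of Curve25519
A = 486662                 # Montgomery coefficient of Curve25519 (B = 1)


def h(s: str) -> int:
    """Parse the draft's spaced MSB/msb hex notation into an integer."""
    return int(s.replace(" ", ""), 16)


# Pm = (U, V), k*Pm = (U1, V1), (k+1)*Pm = (U2, V2) from Appendix J.1.
U = h("753b7566 df35d574 4734142c 9abf931c ea290160 aa75853c 7f972467 b7f13246")
V = h("75e676ce deee3b3c 12942357 22f1d884 ac06de07 330fb07b ae35ca26 df75417e")
U1 = h("5cf194be f0bdd6d6 be58e18a 8f16740a ec25f4b0 67f7980a 23bb6468 88bb9cd8")
V1 = h("110501f6 1dff511e d6c4e9b9 bfd5acbe 8bf043b8 c3e381dd f5771306 479ad142")
U2 = h("078e3e38 41c3e0d0 373e5454 ecffae33 2798b10a 55c72117 62629f97 f1394d36")
V2 = h("5f2bbb06 f7ec5953 2c2a1a62 21124585 1d2682e0 cc37307e fbc17f7f 7fda8518")


def on_curve25519(u: int, v: int) -> bool:
    """Affine point check: v^2 == u^3 + A*u^2 + u (mod p)."""
    return (v * v - (u * u * u + A * u * u + u)) % P == 0


def recover_v(u: int, v: int, u1: int, u2: int) -> int:
    """v-coordinate of Q, given P=(u,v), u(Q)=u1 and u(P+Q)=u2.

    Okeya-Sakurai: v(Q) = ((u*u1 + 1)(u + u1 + 2A) - 2A - (u - u1)^2 * u2)
                          / (2 v).  Requires v != 0 and u != u1.
    """
    if v % P == 0 or (u - u1) % P == 0:
        raise ValueError("recovery formula undefined for this input")
    num = (u * u1 + 1) * (u + u1 + 2 * A) - 2 * A - (u - u1) ** 2 * u2
    return num * pow(2 * v, P - 2, P) % P   # Fermat inversion of 2v


def curve25519_to_wei25519(u: int, v: int) -> tuple:
    """Map to the short-Weierstrass form Wei25519: X = u + A/3, Y = v
    (assumption of this example, stated by the draft in Appendix E)."""
    return ((u + A * pow(3, P - 2, P)) % P, v)
```

With a Montgomery-ladder scalar multiplication this is exactly what makes the full point k*Pm available: the ladder yields u1 and u2, and v1 follows without any square-root computation.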
A randomized representation (t1, t2) of the point k*Pm in tight LSB/msb order is given by

   t1  40953131790112268570753571592444539842650348318985471658437762538294289253464
       (=0x5844b232 8c4586dc 62f593c5 599c2a8c e61ba893 bb052de6 77510a42 b3a68a5a)

   t2  45185609833288940742127800462815081444925990202338853392908848927625430980881
       (=0x11598452 e65138dc ce948d7e d8f46a18 b640722c 8e170957 751b7729 1b26e663),

where this representation is defined in Appendix K.5 and uses the mapping of Appendix K.3.2 with the default square root function.

This representation can also be expressed in tight LSB/msb order as the pair ((u1,s1),(u2,s2)), where (s1,s2):=(0,0) and where

   u1  5451873398298469455380683640485818210184557146325959889902000416117254237099
       (=0xabab17e4 f1dbafb1 ede0c4b3 bedb7734 9c85f2a7 917c5edf ad4bd96a a7a60d0c)

   u2  2362634688480312702238540466457729800645768165789493449577618817248044779847
       (=0x47099c3e 9b5cc8fe eaac5db0 6fb413fa b3ef4516 7bfcdc4b 8368f22e 2f343905),

where this uses the default completed mapping defined in Appendix K.6 and the mapping of Appendix K.4.2 (with the default square root function).

J.2.  Example with Edwards25519

Pe=(x, y), k*Pe=(x1, y1), and (k+1)*Pe=(x2, y2) with Edwards25519:

   x   25301662348702136092602268236183361085863932475593120475382959053365387223252
       (=0x37f03bc0 1070ed12 d3218f8b ba1abb74 fd6b94eb 62033d09 83851e21 d6a460d4).

   y   54434749145175762798550436656748568411099702168121592090608501578942019473360
       (=0x7858f9e7 6774ed8e 23d614d2 36715fc7 56813b02 9aa13c18 960705c5 b3a30fd0).

   x1  42966967796585460733861724865699548279978730460766025087444502812416557284873
       (=0x5efe7124 465b5bdb b364bb3e e4f106e2 18d59b36 48f4fe83 c11afc91 785d7e09).
   y1  46006463385134057167371782068441558951541960707376246310705917936352255317084
       (=0x65b6bc49 985badaf bc5fdd96 fb189502 35d5effd 540b439d 60508827 80bc945c).

   x2  42629294840915692510487991904657367226900127896202625319538173473104931719808
       (=0x5e3f536a 3be2364a 1fa775a3 5f8f65ae 93f4a89d 81a04a2e 87783748 00120a80).

   y2  29739282897206659585364020239089516293417836047563355347155817358737209129078
       (=0x41bfd66e 64bdd801 c581a720 f48172a8 187445fa 350924a2 c92c791e 38d57876).

The representation of k and the compressed representations of Pe and k*Pe in tight LSB/lsb-order are given by

   repr(k)     =0x0a3947a8 bd5ab103 c34c31ee ba63af39 b292a89f 27fdbab0 43a7c1b3 67eda126;

   repr(Pe)    =0x0bf0c5cd a3a0e069 183c8559 40dc816a e3fa8e6c 4b286bc4 71b72ee6 e79f1a1e;

   repr(k*Pe)  =0x3a293d01 e4110a06 b9c2d02a bff7abac 40a918df 69bbfa3d f5b5da19 923d6da7,

where the rightmost bit of the rightmost octet indicates the parity of the x-coordinate of the point of Edwards25519 in question (which, in this case, are zero and one, respectively, since x is even and x1 is odd). See Appendix H.3 and Appendix I for further detail on (squeezed) point compression.

The scalar representation and (squeezed) point representation illustrated above are fully consistent with the representations specified in [RFC8032]. Note that, contrary to [RFC7748], [RFC8032] requires unique representations of all elements of GF(p).
A randomized representation (t1, t2) of the point k*Pe in tight LSB/lsb order is given by

   t1  57791301708316364194963421901719018217028877664872539593597750427519399254040
       (=0x181a32c5 10e06dbc ea321882 f3519055 535e289e 8faac654 82e26f61 aded23fe)

   t2  45488140794091971842660857312537740168625506821062424588405479716220480287974
       (=0x672e36c5 ae353073 cdfac343 e8297b05 1b010d0f 5b1016db dd4baf54 28068926),

where this representation is defined in Appendix K.5 and uses the mapping of Appendix K.3.3 with the default square root function and underlying isomorphic mapping between Edwards25519 and Curve25519 of Appendix E.2.

This representation can also be expressed in tight LSB/lsb order as the pair ((u1,s1),(u2,s2)), where (s1,s2):=(0,1) and where

   u1  22446265221391401316586138662652372428541807277474133359046191305234585192644
       (=0x2311ee45 c788a81b 7fcd7ae1 c6982d7b 537011fd d49e2eb4 62b9c08c 5344058c)

   u2  1039512154902269015527669019928086231946046501815308223629026508474142603215
       (=0xf3ed475b fd95335c 3a0ceb7e 319f8d3c cc651d5b 17eb4439 e3b25693 0bea3240),

where this uses the default completed mapping defined in Appendix K.6 and the mapping of Appendix K.4.3 (with the default square root function).

J.3.  Example with Wei25519

Pw=(X, Y), k*Pw=(X1, Y1), and (k+1)*Pw=(X2, Y2) with Wei25519:

   X   14428294459702615171094958724191825368445920488283965295163094662783879239338
       (=0x1fe62011 89e0801e f1debed7 456a3dc7 94d3ac0b 55202fe7 2a41cf12 629e56aa).

   Y   53327798092436462013048370302019946300826511459161905709144645521233690313086
       (=0x75e676ce deee3b3c 12942357 22f1d884 ac06de07 330fb07b ae35ca26 df75417e).

   X1  3442255739368936964809531240580393343360656847619747755429333773387341283644
       (=0x079c3f69 9b688181 69038c35 39c11eb5 96d09f5b 12a242b4 ce660f13 3368c13c).
   Y1  7698166198291735163093751722241272913088236885813432215648576219567913357634
       (=0x110501f6 1dff511e d6c4e9b9 bfd5acbe 8bf043b8 c3e381dd f5771306 479ad142).

   X2  22716193187790487472805844610038683159372373526135883092373909944834653057415
       (=0x3238e8e2 ec6e8b7a e1e8feff 97aa58dd d2435bb5 0071cbc2 0d0d4a42 9be67187).

   Y2  43046985853631671610553834968785204191967171967937842531656254539962663994648
       (=0x5f2bbb06 f7ec5953 2c2a1a62 21124585 1d2682e0 cc37307e fbc17f7f 7fda8518).

The representation of k and the compressed representations of Pw and k*Pw in tight MSB/msb-order are given by

   repr(k)     =0x6485b7e6 cd83e5c2 0d5dbfe4 f915494d 9cf5c65d 778c32c3 c08d5abd 15e29c50;

   repr(Pw)    =0x1fe62011 89e0801e f1debed7 456a3dc7 94d3ac0b 55202fe7 2a41cf12 629e56aa;

   repr(k*Pw)  =0x079c3f69 9b688181 69038c35 39c11eb5 96d09f5b 12a242b4 ce660f13 3368c13c,

where the leftmost bit of the leftmost octet indicates the parity of the Y-coordinate of the point of Wei25519 in question (which, in this case, are both zero, since Y and Y1 are even). See Appendix H.1 and Appendix I for further detail on (squeezed) point compression.

The scalar representation is consistent with the representations specified in [SEC1]; the (squeezed) point representation illustrated above is "new". For completeness, we include a SEC1-consistent representation of the point Pw in affine format and in compressed format below.
The SEC1-compliant affine representation of the point Pw in tight MSB/msb-order is given by

   aff(Pw)    =0x04 1fe62011 89e0801e f1debed7 456a3dc7 94d3ac0b 55202fe7 2a41cf12 629e56aa
                    75e676ce deee3b3c 12942357 22f1d884 ac06de07 330fb07b ae35ca26 df75417e,

whereas the SEC1-compliant compressed representation of the point Pw in tight MSB/msb-order is given by

   compr(Pw)  =0x02 1fe62011 89e0801e f1debed7 456a3dc7 94d3ac0b 55202fe7 2a41cf12 629e56aa;

The SEC1-compliant uncompressed format aff(Pw) of an affine point Pw corresponds to the right-concatenation of its X- and Y-coordinates, each in tight MSB/msb-order, prepended by the string 0x04, where the reverse procedure is uniquely defined, since elements of GF(p) have a unique fixed-size representation. The (squeezed) compressed format repr(Pw) corresponds to the SEC1-compliant compressed format by extracting the parity bit t from the leftmost bit of the leftmost octet of repr(Pw), replacing the bit position by the value zero, and prepending the octet string with 0x02 or 0x03, depending on whether t=0 or t=1, respectively, where the reverse procedure is uniquely defined, since GF(p) is a 255-bit prime field. For further details, see [SEC1]. Note that, due to the bit-length of the prime p, the squeezed compressed format repr(Pw) is one octet shorter than the SEC1-compliant compressed format compr(Pw).
A randomized representation (t1, t2) of the point k*Pw in tight MSB/msb order is given by

   t1  44636344598888973409344628048412210728305920624330795538884223152228795899590
       (=0x62af4697 4dd469ac 96c64809 c16c8517 b6a0cee5 40ba0e2e 6dd2b36a fcc75ec6)

   t2  21389016661022861310579271070838596171221128174475621606111930888059603107561
       (=0x2f49c121 8fed7912 031157ee ae066507 a972320b 6180e267 4025b006 2e67bee9),

where this representation is defined in Appendix K.5 and uses the mapping of Appendix K.3.1 with the default square root function.

This representation can also be expressed in tight MSB/msb order as the pair ((u1,s1),(u2,s2)), where (s1,s2):=(1,0) and where

   u1  52009283397096628981011768915795130293644642426523008816265117106436465991934
       (=0x72fc3612 b18d2644 c2a85b3b dd66cd58 07ebf07b 2131b77d 6d7579da 5efba0fe)

   u2  13400594985642565311540583887811555126397683953565069725078991786686428785368
       (=0x1da077cd 6fa87515 731029a8 bd88da6a 34e38b83 51191edf 8a3b92d7 ba24aad8),

where this uses the default completed mapping defined in Appendix K.6 and the mapping of Appendix K.4.1 (with the default square root function).

J.4.  Example with Wei25519.2

Pw2=(X, Y), k*Pw2=(X1, Y1), and (k+1)*Pw2=(X2, Y2) with Wei25519.2:

   X   17830493209951148331008014701079988862634531394137235438571836389227198459763
       (=0x276bb396 d766b695 bfe60ab1 3c0260dd c09f5bcf 7b3ca47c f21c8672 d1ecaf73).

   Y   21064492012933896105338241940477778461866060481408222122979836206137075789640
       (=0x2e921479 5ad47af7 784831de 572ed8e9 7e20e137 cc67378c 184ca19f f9136f48).

   X1  6547098895168646197978963236237775946468834215401735383493920379139281908968
       (=0x0e7986d2 e94354ab 8abd8806 3154536a 4dcf8e6e 65557183 e242192d 3b87f4e8).
   Y1  5148959049429218356253579057948003322904327153929727588881712522735262330110
       (=0x0b623521 c1ff84bc 1522ff26 3376796d be77fcad 1fcabc28 98f1be85 d7576cfe).

   X2  837417885015172009428261536776821209988540865517516630613749353883494226693
       (=0x01d9f633 b2ac2606 9e6e93f7 6917446c 2b27c16f 729121d7 709c0a58 00ef9b05).

   Y2  42567334190622848157611574766896093933050043101247319937794684825168161540336
       (=0x5e1c41e1 fb74e41b 3a19ce50 e1b2caf7 7cabcbb3 0c1c1474 a4fd13e6 6c4c08f0).

The representation of k and the compressed representations of Pw2 and k*Pw2 in tight MSB/msb-order are given by

   repr(k)      =0x6485b7e6 cd83e5c2 0d5dbfe4 f915494d 9cf5c65d 778c32c3 c08d5abd 15e29c50;

   repr(Pw2)    =0x276bb396 d766b695 bfe60ab1 3c0260dd c09f5bcf 7b3ca47c f21c8672 d1ecaf73;

   repr(k*Pw2)  =0x0e7986d2 e94354ab 8abd8806 3154536a 4dcf8e6e 65557183 e242192d 3b87f4e8,

where the leftmost bit of the leftmost octet indicates the parity of the Y-coordinate of the point of Wei25519.2 in question (which, in this case, are both zero, since Y and Y1 are even). See Appendix H.1 and Appendix I for further detail on (squeezed) point compression.

A randomized representation (t1, t2) of the point k*Pw2 in tight MSB/msb order is given by

   t1  41666967235492814867975859880366011240543115979327816187936189858804289581274
       (=0x5c1eaaef 80f9d4af 33c119fc c99acd58 f81e7d69 999c7048 e4043a77 87a930da)

   t2  36111527116239160808309656017933739105961565127912319992118531180247832114098
       (=0x4fd66668 e7174775 de44c852 92df8cfe b9832ef8 2570b3b8 fe5ec21a b2d4b3b2),

where this representation is defined in Appendix K.5 and uses the mapping of Appendix K.3.1 with the default square root function.
4133 This representation can also be expressed in tight MSB/msb order as 4134 the pair ((u1,s1),(u2,s2)), where (s1,s2):=(1,0) and where 4136 u1 138215499313862453472915174740765454800858627563772726738 4137 62176256261157017834 4139 (=0x1e8eb854 2ce139f7 fdbf2059 ac257c89 d7e2e5fe 9c4b97e6 4140 7656d42c 590bd8ea) 4142 u2 528750192685398685104289021251049791405104665681275304080 4143 7706116783659458600 4145 (=0x0bb09eba b0470a84 0ce1ba90 0aeab208 7e8d4760 1309d7af 4146 e3712e1f 2232a028), 4148 where this uses the default completed mapping defined in Appendix K.6 4149 and the mapping of Appendix K.4.1 (with the default square root 4150 function). 4152 J.5. Example with Wei25519.-3 4154 Pw3=(X, Y), k*Pw3=(X1, Y1), and (k+1)*Pw3=(X2, Y2) with Wei25519.-3: 4156 X 14780197759513083469009623947734627174363231692126610860256057394 4157 455099634096 4159 (=0x20ad4ba4 612f0586 221787b0 d01ba46c d1d8cd5a 0348ef00 4160 eb4c9272 03ca71b0). 4162 Y 45596733430378470319805536538617129933663237960146030424392249401 4163 952949482817 4165 (=0x64ced628 e982648e 4bfcf30c 71c4d267 ba48b0ce fee20062 4166 b43ef4c9 73f7b541). 4168 X1 47362979975244556396292400751828272600887612546997532158738958926 4169 60745725532 4171 (=0x0a78a650 a39995ef dcf4de88 940d4ce9 5b2ca35c c5d70e06 4172 63b8455e 2e04e65c). 4174 Y1 30318112837157047703426636957515037640997356617656007157255559136 4175 153389790354 4176 (=0x4307719a 20d08741 58d5889e 8c8ec27e 246b0342 55f8fd62 4177 dbc9ca09 e79c7492). 4179 X2 23778942085873786433506063022059853212880296499622328201295446580 4180 293591664363 4182 (=0x3492677e 6ae9d1c3 e08f908b 61033f3d 4e8322c9 fba6da81 4183 2c95b067 9b1486eb). 4185 Y2 44846366394651736248316749170687053272682847823018287439056537991 4186 969511150494 4188 (=0x632624d4 ab94c83a 796511c0 5f5412a3 876e56d2 ed18eca3 4189 21b95bef 7bf9939e). 
4191 The representation of k and the compressed representations of Pw3 and 4192 k*Pw3 in tight MSB/msb-order are given by 4194 repr(k) =0x6485b7e6 cd83e5c2 0d5dbfe4 f915494d 9cf5c65d 778c32c3 4195 c08d5abd 15e29c50; 4197 repr(Pw3) =0xa0ad4ba4 612f0586 221787b0 d01ba46c d1d8cd5a 0348ef00 4198 eb4c9272 03ca71b0; 4200 repr(k*Pw3) =0x0a78a650 a39995ef dcf4de88 940d4ce9 5b2ca35c c5d70e06 4201 63b8455e 2e04e65c, 4203 where the leftmost bit of the leftmost octet indicates the parity of 4204 the Y-coordinate of the point of Wei25519.-3 in question (which, in 4205 this case, are one and zero, respectively, since Y is odd and Y1 is 4206 even). See Appendix H.1 and Appendix I for further detail on 4207 (squeezed) point compression. 4209 A randomized representation (t1, t2) of the point k*Pw3 in tight MSB/ 4210 msb order is given by 4212 t1 573714937613596601525680684642155667097217474964816246889 4213 88981227297409008259 4215 (=0x7ed71d5f 566d2259 99bdb404 bfb9d6cf d2e86ccb 1894d4a6 4216 c75e3c69 e5eb0283) 4218 t2 269945781324580189815142015663892935722419453863927287235 4219 57891665397640090729 4221 (=0x3bae63c8 70f60de0 c2e35f94 d24220f1 bb6efd00 37625869 4222 f84923de ff4c5469), 4224 where this representation is defined in Appendix K.5 and uses the 4225 mapping of Appendix K.3.1 with the default square root function. 4227 This representation can also be expressed in tight MSB/msb order as 4228 the pair ((u1,s1),(u2,s2)), where (s1,s2):=(1,1) and where 4230 u1 273592510979600674027837477146355037032732195078153389134 4231 81162438438522584713 4233 (=0x3c7cc990 81eed784 9ca746d7 c479a902 ce9de65f 1150e7b9 4234 c87d08d2 9785fe89) 4236 u2 271488765024747755704729103260177059745349171282146823458 4237 00069381584030663589 4239 (=0x3c05b835 1283fca7 705eba74 1e6b853e db3ed5dc d1891daa 4240 c1643d8d d63a03a5), 4242 where this uses the default completed mapping defined in Appendix K.6 4243 and the mapping of Appendix K.4.1 (with the default square root 4244 function). 
Appendix K. Auxiliary Functions

This section illustrates how one could implement common routines, such as taking square roots and inverses in finite fields, and how to map field elements to curve points and to curve points that avoid outlier points in the small subgroup.

K.1. Square Roots in GF(q)

Square roots are easy to compute in GF(q) if q = 3 (mod 4) (see Appendix K.1.1) or if q = 5 (mod 8) (see Appendix K.1.2). Details on how to compute square roots for other values of q are out of scope. If square roots are easy to compute in GF(q), then so are they in GF(q^2).

NOTE: If one wishes to check whether an element is a square in GF(q), rather than actually compute square roots, more efficient methods can be used. As an example, if GF(q) is a prime field (i.e., q:=p), one can efficiently check whether an element y is a square in GF(p) by computing its Legendre symbol (y/p) (see Section 2.4.5 of [Handbook]). Details on how to efficiently check whether an element is a square in GF(q) for other values of q are out of scope. If checking whether an element is a square is easy in GF(q), then so is it in GF(q^2).

K.1.1. Square Roots in GF(q), where q = 3 (mod 4)

If y is a nonzero element of GF(q) and z:=y^{(q-3)/4}, then y is a square in GF(q) only if y*z^2=1.

   a. If y*z^2=+1, z is a square root of 1/y and y*z is a square root of y in GF(q);

   b. If y*z^2=-1, z is a square root of -1/y and y*z is a square root of -y in GF(q).

(Note that the field element -1 is a non-square in GF(q).)

K.1.2. Square Roots in GF(q), where q = 5 (mod 8)

If y is a nonzero element of GF(q) and z:=y^{(q-5)/8}, then y is a square in GF(q) only if y^2*z^4=1.

   a. If y*z^2=+1, z is a square root of 1/y and y*z is a square root of y in GF(q);

   b. If y*z^2=-1, i*z is a square root of 1/y and i*y*z is a square root of y in GF(q);

   c. If y*z^2=+i, z is a square root of i/y and y*z is a square root of i*y in GF(q);

   d. If y*z^2=-i, z is a square root of -i/y and i*y*z is a square root of i*y in GF(q).

Here, i is an element of GF(q) for which i^2=-1 (e.g., i:=2^{(q-1)/4}). This field element is a non-square in GF(q) and can be precomputed.

K.2. Inversion

If y is an integer and gcd(y,n)=1, one can efficiently compute 1/y (mod n) via the extended Euclidean Algorithm (see Section 2.2.5 of [GECC]). One can use this algorithm as well to compute the inverse of a nonzero element y of a prime field GF(p), since gcd(y,p)=1.

The inverse of a nonzero element y of GF(q) can be computed as

   1/y:=y^{q-2} (since y^{q-1}=1 by Fermat's Little Theorem).

If inverses are easy to compute in GF(q), then so are they in GF(q^2). Further details are out of scope.

The inverses of two nonzero elements y1 and y2 of GF(q) can be computed by first computing the inverse z of y1*y2 and by subsequently computing y2*z=:1/y1 and y1*z=:1/y2.

NOTE 1: This method can be used to compute the inverse of a nonzero element y of GF(q) indirectly, as lambda*(lambda*y)^{-1}, where lambda is a random nonzero element of GF(q). This yields an inversion routine (commonly called "blinded inversion") where the inversion operation itself does not leak information on y.

NOTE 2: This method can also be used to compute the inverse and a square root, respectively, of two nonzero elements x and y of GF(q) (where y is a square in GF(q)) by first computing a square root z of 1/(y*x^2) (see Appendix K.1) and by subsequently computing a square root of y as x*y*z and the inverse of x as x*y*z^2.

K.3. Mappings to Curve Points

One can map elements of GF(q) that are not a square in GF(q) to points of a Weierstrass curve (see Appendix K.3.1), to points of a Montgomery curve (see Appendix K.3.2), or to points of a twisted Edwards curve (see Appendix K.3.3), under some mild conditions on the domain parameters. Full details on mappings that apply if these conditions are not satisfied are out of scope.

K.3.1. Mapping to Points of Weierstrass Curve

The description below assumes that the domain parameters a and b of the Weierstrass curve W_{a,b} are nonzero. For ease of exposition, we define f(z):=z^3+a*z+b. (Note that for an affine point (X,Y) of W_{a,b} one has Y^2=f(X).)

If t is an element of GF(q) that is not a square in GF(q) and that is unequal to -1, then the element X:=(-b/a)*(1+1/(t+t^2)) is the unique solution of the equation f(t*X)=t^3*f(X) and is nonzero. Consequently, either X or X':=t*X is the x-coordinate of an affine point of W_{a,b}, depending on whether f(X) is a square in GF(q).

   a. If f(X) is a square in GF(q) and Y:=sqrt(f(X)), then t is mapped to the point P(t):=(X, Y);

   b. If f(X) is not a square in GF(q) and Y':=sqrt(f(X')), then t is mapped to the point P(t):=(X', -Y').

Formally, this mapping is not properly defined, since a nonzero square y:=x^2 in GF(q) has two solutions, viz. x and -x; it is properly defined, however, if one designates for each element of GF(q) that is a square in GF(q) precisely one square root as "the" square root of this element. Note that always picking the square root with zero parity (see Appendix H) satisfies this condition (henceforth called the default square root function).

If -1 is not a square in GF(q), this element is mapped to the point at infinity O of W_{a,b}.
The set of points of W_{a,b} that arises this way has size roughly 3/8 of the order of the curve and each such point arises as image of one or two t values. Further details are out of scope.

NOTE 1: If -1 is not a square in GF(q), the mapping above yields the point at infinity for t=-1. One can modify this mapping, by mapping the element -1 to any suitable point P0 of W_{a,b} (e.g., its base point G or any other affine point) and leaving the remainder of the mapping the same. Suitability of such a modification is application-specific. Details are out of scope.

NOTE 2: The description above assumes that the domain parameters a and b of the Weierstrass curve W_{a,b} are nonzero. If this is not the case, one can often find an isogenous curve W_{a',b'} for which the domain parameters a' and b' are nonzero. If so, one can map elements of GF(q) that are not a square in GF(q) to points of W_{a,b} via function composition, where one uses the mapping above to arrive at a point of W_{a',b'} and where one subsequently uses the dual isogeny from W_{a',b'} to W_{a,b} to arrive at a point of W_{a,b}. As an example, one can show that if a is zero and if -4*b is a cube in GF(q) (such as is the case with, e.g., the "BitCoin" curve secp256k1 [SEC2]), this curve is 3-isogenous to a curve with this property and the strategy above applies (for an example with secp256k1, see Appendix L). Further details are out of scope.

K.3.2. Mapping to Points of Montgomery Curve

The description below assumes that the domain parameter A of the Montgomery curve M_{A,B} is nonzero. For ease of exposition, we define f(z):=z^3+A*z^2+z. (Note that for an affine point (u,v) of M_{A,B} one has B*v^2=f(u).)

If t is an element of GF(q) that is not a square in GF(q) and that is unequal to -1, then the element u:=-(1+1/t)/A is the unique nonzero solution of the equation f(t*u)=t^3*f(u). Consequently, either u or u':=t*u is the u-coordinate of an affine point of M_{A,B}, depending on whether f(u)/B is a square in GF(q).

   a. If f(u)/B is a square in GF(q) and v:=sqrt(f(u)/B), then t is mapped to the point P(t):=(u, v);

   b. If f(u)/B is not a square in GF(q) and v':=sqrt(f(u')/B), then t is mapped to the point P(t):=(u', -v').

As before, formally, this mapping is not properly defined, since a nonzero square y:=x^2 in GF(q) has two solutions, viz. x and -x; it is properly defined, however, if one designates for each element of GF(q) that is a square in GF(q) precisely one square root as "the" square root of this element. Note that always picking the square root with zero parity (see Appendix H) satisfies this condition (henceforth called the default square root function).

If -1 is not a square in GF(q), this element is mapped to the point at infinity O of M_{A,B}.

The set of points of M_{A,B} that arises this way has size roughly 1/2 of the order of the curve and each such point arises as image of precisely one t value. Further details are out of scope.

NOTE 1: If -1 is not a square in GF(q), the mapping above yields the point at infinity for t=-1. One can modify this mapping, by mapping the element -1 to any suitable point P0 of M_{A,B} (e.g., its base point G or any other affine point) and leaving the remainder of the mapping the same. Suitability of such a modification is application-specific. Details are out of scope.

NOTE 2: The description above assumes that the domain parameter A of the Montgomery curve M_{A,B} is nonzero. If this is not the case, the curve is a Weierstrass curve for which the domain parameter b is zero and Note 2 of Appendix K.3.1 applies. If q = 3 (mod 4), an even simpler approach is possible, where one modifies the construction above and simply takes u:=t and u':=-t (which works, since -1 is not a square in GF(q) and f(-t)=-f(t)). In this case, this construction can be extended to all elements t of GF(q) and, if so, yields a 1-1 mapping between GF(q) and all affine curve points.

K.3.3. Mapping to Points of Twisted Edwards Curve

One can map elements of GF(q) that are not a square in GF(q) to points of the twisted Edwards curve E_{a,d} via function composition, where one uses the mapping of Appendix K.3.1 to arrive at a point of the Weierstrass curve W_{a,b} and where one subsequently uses the isomorphic mapping between twisted Edwards curves and Weierstrass curves of Appendix D.3 to arrive at a point of E_{a,d}. Another mapping is obtained by function composition, where one instead uses the mapping of Appendix K.3.2 to arrive at a point of the Montgomery curve M_{A,B} and where one subsequently uses the isomorphic mapping between twisted Edwards curves and Montgomery curves of Appendix D.1 to arrive at a point of E_{a,d}. Obviously, one can use function composition (now using the respective pre-images - if these exist) to realize the pre-images of either mapping.

K.4. Mappings to High-Order Curve Points

Appendix K.3 described how one can map elements of GF(q) that are not a square in GF(q) to points of a Weierstrass curve, to points of a Montgomery curve, or to points of a twisted Edwards curve, under some mild conditions on the domain parameters. Below, we use the mappings of that appendix and the parity function par(.) specified in Appendix H to construct mappings to high-order curve points only (i.e., mappings that avoid points in the small subgroup, see Appendix B.1). We consider mappings to high-order points of a Weierstrass curve (see Appendix K.4.1), to high-order points of a Montgomery curve (see Appendix K.4.2), and to high-order points of a twisted Edwards curve (see Appendix K.4.3). As before, full details on mappings that apply if the mild conditions on the domain parameters are not satisfied are out of scope.

K.4.1. Mapping to High-Order Points of Weierstrass Curve

The description below assumes that the domain parameters a and b of the Weierstrass curve W_{a,b} are nonzero. For ease of exposition, we define f(z):=z^3+a*z+b. (Note that for an affine point (X,Y) of W_{a,b} one has Y^2=f(X).)

If t is an element of GF(q) that is not a square in GF(q) and that is unequal to -1, the mapping of Appendix K.3.1 yields an affine point P(t):=(X, Y) of W_{a,b}. Let P0:=(X0, Y0) be a fixed affine point of W_{a,b} for which neither P0, P0 + P(t), nor P0 - P(t) is in the small subgroup of W_{a,b} (for any non-square element t<>-1 of GF(q)). (Note that this implies that P0 and P(t) are distinct affine points of the curve and that these are not each other's inverse.) For binary digit s, the point Q(t,s) is now defined as follows:

   a. If par(Y0*Y)=s, then the pair (t,s) is mapped to the point Q(t,s):=P0 + P(t);

   b. If par(Y0*Y)<>s, then the pair (t,s) is mapped to the point Q(t,s):=P0 - P(t).

Note that this mapping is properly defined as long as the fixed point P0 (the so-called "curve offset") alluded to above indeed exists. In cases of practical interest that we are aware of, this is indeed the case (see, e.g., Table 1).
If -1 is not a square in GF(q), the p air (-1,s) is mapped to the affine point P0 of W_{a,b} (irrespective of the value of s).

The set of points of W_{a,b} that arises this way has size roughly 3/8 of the order of the curve and each such point arises as image of up to four values of the pair (t,s). Further details are out of scope.

From the group law for Weierstrass curves (see Appendix C.1) it follows that one can express the coordinates of Q(t,s), with t<>-1, in terms of the X-coordinates of P0 and P(t) and the product of their Y-coordinates. (Here, observe that Y0*Y is a square root of f(X0)*f(X).) Thus, Q(t,s) can be computed without the need to fully compute P(t).

K.4.2. Mapping to High-Order Points of Montgomery Curve

The description below assumes that the domain parameters A and B of the Montgomery curve M_{A,B} are nonzero. For ease of exposition, we define f(z):=z^3+A*z^2+z. (Note that for an affine point (u,v) of M_{A,B} one has B*v^2=f(u).)

If t is an element of GF(q) that is not a square in GF(q) and that is unequal to -1, the mapping of Appendix K.3.2 yields an affine point P(t):=(u, v) of M_{A,B}. Let P0:=(u0, v0) be a fixed affine point of M_{A,B} for which neither P0, P0 + P(t), nor P0 - P(t) is in the small subgroup of M_{A,B} (for any non-square element t<>-1 of GF(q)). (Note that this implies that P0 and P(t) are distinct affine points of the curve and that these are not each other's inverse.) For binary digit s, the point Q(t,s) is now defined as follows:

   a. If par(B*v0*v)=s, then the pair (t,s) is mapped to the point Q(t,s):=P0 + P(t);

   b. If par(B*v0*v)<>s, then the pair (t,s) is mapped to the point Q(t,s):=P0 - P(t).

Note that this mapping is properly defined as long as the fixed point P0 (the so-called "curve offset") alluded to above indeed exists. In cases of practical interest that we are aware of, this is indeed the case (see, e.g., Table 1).

If -1 is not a square in GF(q), the pair (-1,s) is mapped to the affine point P0 of M_{A,B} (irrespective of the value of s).

The set of points of M_{A,B} that arises this way has size roughly 1/2 of the order of the curve and each such point arises as image of up to two values of the pair (t,s). Further details are out of scope.

From the group law for Montgomery curves (see Appendix C.2) it follows that one can express the coordinates of Q(t,s), with t<>-1, in terms of the u-coordinates of P0 and P(t) and the product of their v-coordinates. (Here, observe that B*v0*v is a square root of f(u0)*f(u).) Thus, Q(t,s) can be computed without the need to fully compute P(t).

   +----------------------------+------------------------+-------------+
   | Curve                      | Fixed curve offset P0  | Non-Square  |
   +----------------------------+------------------------+-------------+
   | NIST P-224 [FIPS-186-4]    | Base point (Gx,Gy)     | 11          |
   | NIST P-256 [FIPS-186-4]    | P0:=(0,y), y even      | -1          |
   | NIST P-384 [FIPS-186-4]    | P0:=(0,y), y even      | -1          |
   | NIST P-521 [FIPS-186-4]    | P0:=(0,y), y even      | -1          |
   | brainpoolP224r1 [RFC5639]  | Base point (Gx, Gy)    | -1          |
   | brainpoolP256r1 [RFC5639]  | Base point (Gx, Gy)    | -1          |
   | brainpoolP320r1 [RFC5639]  | Base point (Gx, Gy)    | -1          |
   | brainpoolP384r1 [RFC5639]  | Base point (Gx, Gy)    | -1          |
   | brainpoolP512r1 [RFC5639]  | P0:=(3,y), y even      | -1          |
   | Curve25519 [RFC7748]       | P0:=(90,v), v even     | 2           |
   | Wei25519 [Appendix E.3]    | P0:=(3,y), y even      | 2           |
   | Wei25519.2 [Appendix G.3]  | P0:=(244,y), y even    | 2           |
   | Wei25519.-3 [Appendix G.3] | P0:=(41,y), y even     | 2           |
   | Curve448 [RFC7748]         | P0:=(50,v), v even     | -1          |
   | Wei448 [Appendix M.3]      | P0:=(18,y), y even     | -1          |
   | Wei448.1 [Appendix N.3]    | P0:=(10,y), y even     | -1          |
   | Wei448.-3 [Appendix N.3]   | P0:=(8,y), y even      | -1          |
   | secp256k1.m [Appendix L.3] | P0:=(0,y), y even      | -1          |
   +----------------------------+------------------------+-------------+

Table 1: Fixed curve offsets for mappings that avoid low-order points, for some curves of practical interest, including listing of fixed non-square elements of their underlying finite fields.

K.4.3. Mapping to High-Order Points of Twisted Edwards Curve

One can map elements of GF(q) that are not a square in GF(q) to points of the twisted Edwards curve E_{a,d} via function composition, where one uses the mapping of Appendix K.4.1 to arrive at a point of the Weierstrass curve W_{a,b} that is not in the small subgroup and where one subsequently uses the isomorphic mapping between twisted Edwards curves and Weierstrass curves of Appendix D.3 to arrive at a point of E_{a,d} with this property. Another mapping is obtained by function composition, where one instead uses the mapping of Appendix K.4.2 to arrive at a point of the Montgomery curve M_{A,B} that does not have low order and where one subsequently uses the isomorphic mapping between twisted Edwards curves and Montgomery curves of Appendix D.1 to arrive at a point of E_{a,d} with this property. Obviously, one can use function composition (now using the respective pre-images - if these exist) to realize the pre-images of either mapping.

K.5. Randomized Representation of Curve Points

The mappings of Appendix K.3 allow one to represent a curve point Q as a specific element t of GF(q), provided this point arises as a point in the range of the mapping at hand. For Montgomery curves and twisted Edwards curves, this covers roughly half of the curve points; for Weierstrass curves, roughly 3/8 of the curve points.
One can extend the mappings above, by mapping a pair (t1, t2) of inputs to the point Q:=P2(t1, t2):=P(t1) + P(t2). In this case, each curve point has roughly q/4 representations as an ordered pair (t1, t2) on average. In fact, one can show that if the input pairs are generated uniformly at random, then the corresponding curve points follow a distribution that is also (statistically indistinguishable from) a uniform distribution, and vice-versa. Here, each pair (t1, t2) deterministically yields a curve point, whereas for each curve point Q, a randomized algorithm yields an ordered pair (t1, t2) of pre-images of Q, where the expected number of randomized pre-images one has to try is small (four if one uses the mapping of Appendix K.3.1; two if one uses the mapping of Appendix K.3.2). For further details, see Algorithm 1 of [Tibouchi].

Similar properties hold if one uses the mappings of Appendix K.4 (rather than those of Appendix K.3): in this case, the mapping allows one to represent a curve point Q as a specific element (t,s) of GF(q)x{0,1}, provided this point arises as a point in the range of the mapping at hand. For Montgomery curves and twisted Edwards curves, this covers roughly half of the curve points; for Weierstrass curves, roughly 3/8 of the curve points. One can extend the mappings above, by mapping a pair ((t1,s1), (t2,s2)) of inputs to the point Q:=Q2((t1,s1), (t2,s2)):=Q(t1,s1) - Q(t2,s2). In this case, each curve point has roughly q representations as an ordered pair ((t1,s1), (t2,s2)) on average. In fact, one can show that if the input pairs are generated uniformly at random, then the corresponding curve points follow a distribution that is also (statistically indistinguishable from) a uniform distribution, and vice-versa. Here, each pair ((t1,s1), (t2,s2)) deterministically yields a curve point, whereas for each curve point Q, a randomized algorithm yields an ordered pair ((t1,s1), (t2,s2)) of pre-images of Q, where the expected number of randomized pre-images one has to try is small (four if one uses the mapping of Appendix K.4.1; two if one uses the mapping of Appendix K.4.2). Further details are out of scope.

NOTE 1: The main difference between the two constructions above is that the first construction uses the mappings to curve points described in Appendix K.3, while the second construction uses the mappings to high-order curve points described in Appendix K.4. Note that Q2((t1,s1), (t2,s2)) assumes all values (+/-) P(t1) (+/-) P(t2) if one considers all possible values for the binary digits s1 and s2. (This, thereby, includes the value P2(t1, t2).)

NOTE 2: The results on the statistical distributions mentioned above still hold in practice if one makes a few localized changes to the constructions. In particular, these are independent of the specific choices for the point P0 (used with input -1 with the mappings of Appendix K.3, if applicable, respectively, used with the mappings of Appendix K.4) and also still hold if one re-defines the mappings P2 or Q2 locally so as to avoid points in the small subgroup.

K.6. Completing the Mappings to Curve Points

The mappings of Appendix K.4 operate on input pairs (t, s), where t is an element of GF(q) that is not a square in GF(q) and where s is a binary digit from the set {0,1}. One can use these mappings to produce mappings that operate on input pairs (u, s), where u is any nonzero element of GF(q), via function composition, where one first maps the pair (u,s) to the pair (t,s):=(delta*u^2,s), where delta is a fixed element of GF(q) that is not a square in GF(q), and where one subsequently applies any of the aforementioned mappings to the resulting pair to yield a point of the curve in question. The resulting mapping to high-order curve points can be extended further to one that operates on all elements of GF(q)x{0,1} by mapping each input (u, s) with u=0 to any fixed high-order point P1 of the curve in question. The resulting mapping is uniquely defined after fixing the curve offset P0 (used with the mappings of Appendix K.4), the high-order point P1 (used for inputs with u=0 above), and the non-square element delta of GF(q) (used for nonzero inputs u above).

For the mappings of Appendix K.3, one can use a similar function composition, where one simply drops the binary digit s and maps 0 to the point at infinity or any other suitable curve point P1. As before, the resulting mapping is uniquely defined after fixing the point P0 (for input -1 with the mappings of Appendix K.3, if applicable), the point P1 (used for input u=0 above), and the non-square element delta of GF(q) (used for nonzero inputs u above). Further details are out of scope.
Similarly, one can use the completed mappings above to map a pair ((u1,s1), (u2,s2)) of elements of GF(q)x{0,1} to a point of a curve, via function composition, where, in the first case, one first maps the pair ((u1,s1),(u2,s2)) to the pair ((t1,s1), (t2,s2)):=((delta*u1^2, s1), (delta*u2^2, s2)) and subsequently computes Q2compl((t1,s1), (t2,s2)):=Qcompl(t1,s1) - Qcompl(t2,s2), where Qcompl(t,s):=Q(t,s) if t is nonzero and where Qcompl(0,s):=P0 otherwise (irrespective of the value of s). In the second case, one first maps the pair (u1, u2) to the pair (t1, t2):=(delta*u1^2, delta*u2^2) and subsequently computes P2compl(t1, t2):=Pcompl(t1) + Pcompl(t2), where Pcompl(t):=P(t) if t is nonzero and where Pcompl(0):=P1 otherwise. In either case, again, the resulting mapping is uniquely defined after fixing the points P0 and P1 and the non-square element delta of GF(q).

NOTE 1: Each of the above mappings is fully and unambiguously defined by the triple (P0,P1,delta). One can locally change this mapping so as to avoid points in the small subgroup, should these otherwise occur, e.g., by setting any such re-defined image to any fixed high-order point P2 of the curve in question. In this case, the corresponding mapping is uniquely defined by the quadruple (P0,P1,P2,delta) and -- in practice -- has the same statistical distribution properties as the original mapping (see NOTE 2 of Appendix K.5). For each curve in Table 1, these completed mappings are uniquely defined by the mentioned fixed curve offset P0 and non-square element delta of GF(q), if one defines P2:=P1:=P0 (henceforth called the default completed mappings).
NOTE 2: For elliptic curves defined over prime fields (i.e., q:=p) one can relax the completed mappings above and show that the statistical properties for randomized representations still hold if u1 is a random element of a sufficiently large interval in GF(p) and if u2 is a random element of a sufficiently large subset of GF(p) (see, e.g., [Tibouchi-cleancut]). This allows generating u1 and u2, e.g., each as random bit strings of length m-1, where m is the bit-length of p, thereby allowing the pair (u1, u2) -- a random (2*m-2)-bit string -- to be used unaltered in this construction, without the need to carry out a reduction modulo p first. Table 2 illustrates how this can be used to realize randomized representations and completed mappings for each curve in Table 1, where these randomized bit strings have the same byte-length as the (tight) representation of affine curve points. (Here, the field elements u1 and u2 are obtained from their bit string representations using the BS2OS mapping of Appendix I.4 and the (non-strict) OS2FE mapping of Appendix I.5.) For each curve in Table 2, we refer to this version of the default completed mapping as being the "clean-cut" default completed mapping.
   +----------------------------+-----------------+----------------------+
   | Curve                      | left-side       | right-side           |
   +----------------------------+-----------------+----------------------+
   | NIST P-224 [FIPS-186-4]    | {u1:224}        | {s1:1, s2:1, u2:222} |
   | NIST P-256 [FIPS-186-4]    | {s1:1, u1:255}  | {s2:1, u2:255}       |
   | NIST P-384 [FIPS-186-4]    | {u1:384}        | {s1:1, s2:1, u2:382} |
   | NIST P-521 [FIPS-186-4]    | {s1:1, u1:527}  | {s2:1, u2:527}       |
   | brainpoolP224r1 [RFC5639]  | {s1:1, u1:223}  | {s2:1, u2:223}       |
   | brainpoolP256r1 [RFC5639]  | {s1:1, u1:255}  | {s2:1, u2:255}       |
   | brainpoolP320r1 [RFC5639]  | {s1:1, u1:319}  | {s2:1, u2:319}       |
   | brainpoolP384r1 [RFC5639]  | {s1:1, u1:383}  | {s2:1, u2:383}       |
   | brainpoolP512r1 [RFC5639]  | {s1:1, u1:511}  | {s2:1, u2:511}       |
   | Curve25519 [RFC7748]       | {s1:1, u1:255}  | {s2:1, u2:255}       |
   | Wei25519 [Appendix E.3]    | {s1:1, u1:255}  | {s2:1, u2:255}       |
   | Wei25519.2 [Appendix G.3]  | {s1:1, u1:255}  | {s2:1, u2:255}       |
   | Wei25519.-3 [Appendix G.3] | {s1:1, u1:255}  | {s2:1, u2:255}       |
   | Curve448 [RFC7748]         | {u1:448}        | {s1:1, s2:1, u2:446} |
   | Wei448 [Appendix M.3]      | {u1:448}        | {s1:1, s2:1, u2:446} |
   | Wei448.1 [Appendix N.3]    | {u1:448}        | {s1:1, s2:1, u2:446} |
   | Wei448.-3 [Appendix N.3]   | {u1:448}        | {s1:1, s2:1, u2:446} |
   | secp256k1.m [Appendix L.3] | {u1:256}        | {s1:1, s2:1, u2:254} |
   +----------------------------+-----------------+----------------------+

Table 2: Randomized representation of curve points, for some curves of practical interest, including curve-specific relative ordering and bit-length of substrings representing the tuple ((u1,s1),(u2,s2)), resulting in the bit string left-side || right-side. (Tailored towards avoiding modular reductions in mappings to curve points.)
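As an added example (Python; not code from this document), the following implements, for NIST P-256, the mapping P(t) of Appendix K.3.1, the high-order mapping Q(t,s) of Appendix K.4.1 and the default completed mapping Qcompl of Appendix K.6, and decodes a 64-byte randomized representation laid out per the P-256 row of Table 2 into the point Q2compl((t1,s1),(t2,s2)), showing that any such string yields a curve point without reducing u1 or u2 modulo p. It assumes the P-256 parameters of [FIPS-186-4], the Table 1 offset P0:=(0,y), y even, and non-square delta:=-1, reads "{s1:1, u1:255}" as the bit s1 preceding the 255-bit u1 within each 32-byte half, and takes par(.) to be the parity of the integer representative in [0, p-1]; the 64-byte input in the test is a constructed sample, not a test vector of this document.

```python
# Added example, not part of the draft: Appendix K.3.1 mapping P(t), Appendix
# K.4.1 high-order mapping Q(t,s), Appendix K.6 default completed mapping and
# decoding of a 64-byte randomized representation in the Table 2 layout, for
# NIST P-256 (parameters from FIPS 186-4; offset P0 and delta from Table 1).
import secrets

P = 2**256 - 2**224 + 2**192 + 2**96 - 1   # p = 3 (mod 4), so -1 is a non-square
A = P - 3                                  # a = -3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
DELTA = P - 1                              # fixed non-square delta := -1 (Table 1)

def inv(y):
    return pow(y, P - 2, P)                # Appendix K.2: 1/y = y^(p-2)

def is_square(y):
    return y % P == 0 or pow(y, (P - 1) // 2, P) == 1   # Legendre symbol (y/p)

def sqrt_default(y):
    """Appendix K.1.1 root for p = 3 (mod 4), returning the root with zero parity.
    Assumption: par(y) is the parity of the integer representative of y in [0, p-1]."""
    r = pow(y % P, (P + 1) // 4, P)
    if (r * r) % P != y % P:
        return None                        # y is not a square in GF(p)
    return r if r % 2 == 0 else P - r

def f(z):
    return (z**3 + A*z + B) % P            # affine points of W_{a,b} satisfy Y^2 = f(X)

def add(P1, P2):
    """Affine group law on W_{a,b} (Appendix C.1); None is the point at infinity O."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                    # P1 = -P2
        lam = (3*x1*x1 + A) * inv(2*y1) % P            # doubling
    else:
        lam = (y2 - y1) * inv((x2 - x1) % P) % P       # chord
    x3 = (lam*lam - x1 - x2) % P
    return x3, (lam*(x1 - x3) - y1) % P

def neg(Q):
    return None if Q is None else (Q[0], (-Q[1]) % P)

# Table 1 curve offset for P-256: P0 := (0, y) with y even, i.e. y = sqrt_default(b).
P0 = (0, sqrt_default(B))

def x_candidate(t):
    """X := (-b/a)*(1 + 1/(t+t^2)), the nonzero solution of f(t*X) = t^3*f(X)."""
    return (-B * inv(A)) * (1 + inv((t + t*t) % P)) % P

def map_weierstrass(t):
    """Appendix K.3.1: a non-square t != -1 -> affine point P(t) of W_{a,b}."""
    assert not is_square(t) and t != P - 1
    X = x_candidate(t)
    if is_square(f(X)):                    # case a: P(t) := (X, sqrt(f(X)))
        return X, sqrt_default(f(X))
    X2 = (t * X) % P                       # case b: X' := t*X, f(X') = t^3*f(X) is a square
    return X2, (-sqrt_default(f(X2))) % P  #         P(t) := (X', -sqrt(f(X')))

def map_high_order(t, s):
    """Appendix K.4.1: Q(t,s) := P0 + P(t) if par(Y0*Y) = s, else P0 - P(t)."""
    if t == P - 1:
        return P0                          # (-1, s) -> P0 irrespective of s
    Pt = map_weierstrass(t)
    par = (P0[1] * Pt[1]) % P % 2
    return add(P0, Pt) if par == s else add(P0, neg(Pt))

def q_compl(u, s):
    """Appendix K.6 default completed mapping: (u,s) -> Q(delta*u^2, s); u = 0 -> P0."""
    u %= P
    return P0 if u == 0 else map_high_order(DELTA * u * u % P, s)

def decode_table2(rep):
    """Table 2, P-256 row: left-side {s1:1, u1:255} || right-side {s2:1, u2:255}.
    Assumption: within each 32-byte half the 1-bit s is the leading bit, u the rest."""
    assert len(rep) == 64
    left = int.from_bytes(rep[:32], "big")
    right = int.from_bytes(rep[32:], "big")
    mask = 2**255 - 1                      # u1, u2 < 2^255 < p: no reduction mod p needed
    return (left & mask, left >> 255), (right & mask, right >> 255)

def q2_compl(rep):
    """Q2compl((t1,s1),(t2,s2)) := Qcompl(t1,s1) - Qcompl(t2,s2), from a Table 2 string."""
    (u1, s1), (u2, s2) = decode_table2(rep)
    return add(q_compl(u1, s1), neg(q_compl(u2, s2)))

def on_curve(Q):
    return Q is None or (Q[1] * Q[1]) % P == f(Q[0])

if __name__ == "__main__":
    rep = secrets.token_bytes(64)          # any 64-byte string decodes to some point
    Q = q2_compl(rep)
    print(on_curve(Q), Q)
```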
4782 Table 3 shows an alternative arrangement, tailored towards optimizing 4783 the efficiency of computing randomized representations of curve 4784 points (see Appendix K.5), rather than towards avoiding modular 4785 reductions in the mappings to curve points. (Here, we used 4786 randomized representations of elements of GF(p), when appropriate, 4787 and the bias upper bound 2^{-64} from Table 4.) For each curve in 4788 Table 3, we refer to this version of the default completed mapping as 4789 being the "point-randomization-optimized" default completed mapping 4790 (where both versions coincide if the prime number p is relatively 4791 close to a power of two). (Here, the field elements u1 and u2 are 4792 obtained from their bit string representations using the BS2OS 4793 mapping of Appendix I.4 and the (non-strict) OS2FE mapping of 4794 Appendix I.5.) Suitability of each of these completed mappings is 4795 application-specific (and also depends on the maximum bias one can 4796 tolerate). Further details are out of scope of this document. 
4798 +--------------------------+-----------------+----------------------+
4799 | Curve                    | left-side       | right-side           |
4800 +--------------------------+-----------------+----------------------+
4801 | NIST P-224 [FIPS-186-4]  | {u1:224}        | {s1:1, s2:1, u2:222} |
4802 | NIST P-256 [FIPS-186-4]  | {u1:288}        | {s1:1, s2:1, u2:222} |
4803 | NIST P-384 [FIPS-186-4]  | {u1:384}        | {s1:1, s2:1, u2:382} |
4804 | NIST P-521 [FIPS-186-4]  | {s1:1, u1:527}  | {s2:1, u2:527}       |
4805 | brainpoolP224r1          | {s1:1, u1:287}  | {s2:1, u2:159}       |
4806 | [RFC5639]                |                 |                      |
4807 | brainpoolP256r1          | {s1:1, u1:319}  | {s2:1, u2:191}       |
4808 | [RFC5639]                |                 |                      |
4809 | brainpoolP320r1          | {s1:1, u1:383}  | {s2:1, u2:255}       |
4810 | [RFC5639]                |                 |                      |
4811 | brainpoolP384r1          | {s1:1, u1:447}  | {s2:1, u2:319}       |
4812 | [RFC5639]                |                 |                      |
4813 | brainpoolP512r1          | {s1:1, u1:575}  | {s2:1, u2:447}       |
4814 | [RFC5639]                |                 |                      |
4815 | Curve25519 [RFC7748]     | {s1:1, u1:255}  | {s2:1, u2:255}       |
4816 | Wei25519 [Appendix E.3]  | {s1:1, u1:255}  | {s2:1, u2:255}       |
4817 | Wei25519.2               | {s1:1, u1:255}  | {s2:1, u2:255}       |
4818 | [Appendix G.3]           |                 |                      |
4819 | Wei25519.-3              | {s1:1, u1:255}  | {s2:1, u2:255}       |
4820 | [Appendix G.3]           |                 |                      |
4821 | Curve448 [RFC7748]       | {u1:448}        | {s1:1, s2:1, u2:446} |
4822 | Wei448 [Appendix M.3]    | {u1:448}        | {s1:1, s2:1, u2:446} |
4823 | Wei448.1 [Appendix N.3]  | {u1:448}        | {s1:1, s2:1, u2:446} |
4824 | Wei448.-3 [Appendix N.3] | {u1:448}        | {s1:1, s2:1, u2:446} |
4825 | secp256k1.m              | {u1:256}        | {s1:1, s2:1, u2:254} |
4826 | [Appendix L.3]           |                 |                      |
4827 +--------------------------+-----------------+----------------------+

4829 Table 3: Randomized representation of curve points, for some curves
4830 of practical interest, including curve-specific relative ordering and
4831 bit-length of substrings representing the tuple ((u1,s1),(u2,s2)),
4832 resulting in the bit string left-side || right-side. (Tailored
4833 towards efficient computation of randomized representations of curve
4834 points.)

4836 Appendix L. Curve secp256k1 and Friend

4838 This section illustrates how isogenies can be used to yield curves
4839 with specific properties (here, illustrated for the "BitCoin" curve
4840 secp256k1).

4842 L.1. Curve Definition and Alternative Representation

4844 The elliptic curve secp256k1 is the Weierstrass curve W_{a,b} defined
4845 over the prime field GF(p), with p:=2^256-2^32-2^9-2^8-2^7-2^6-2^4-1,
4846 where a:=0 and b:=7. This curve has order h*n, where h=1 and where n
4847 is a prime number. For this curve, domain parameter a is zero,
4848 whereas b is not. The quadratic twist of this curve has order h1*n1,
4849 where h1 is a 37-bit integer and where n1 is a prime number. For
4850 this curve, the base point is the point (GX, GY).

4852 The curve secp256k1 is 3-isogenous to the Weierstrass curve
4853 secp256k1.m defined over GF(p), which has nonzero domain parameters a
4854 and b and has as base point the pair (GmX,GmY), where parameters are
4855 as specified in Appendix L.3 and where the related mappings are as
4856 specified in Appendix L.2.

4858 L.2. Switching Between Representations

4860 Each affine point (X,Y) of secp256k1 corresponds to the point
4861 (X',Y'):=(u(X)/w(X)^2,Y*v(X)/w(X)^3) of secp256k1.m, where u, v, and
4862 w are the polynomials with coefficients in GF(p) as defined in
4863 Appendix L.4.1, while the point at infinity of secp256k1 corresponds
4864 to the point at infinity of secp256k1.m. Under this isogenous
4865 mapping, the base point (GX,GY) of secp256k1 corresponds to the base
4866 point (GmX,GmY) of secp256k1.m. The dual isogeny maps the affine
4867 point (X',Y') of secp256k1.m to the affine point
4868 (X,Y):=(u'(X')/w'(X')^2,Y'*v'(X')/w'(X')^3) of secp256k1, where u',
4869 v', and w' are the polynomials with coefficients in GF(p) as defined
4870 in Appendix L.4.2, while mapping the point at infinity O of
4871 secp256k1.m to the point at infinity O of secp256k1.
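The following Python check is an addition by the editor and is not part of this document or of [SEC2]. It evaluates the isogeny and its dual exactly in the form given above, using the polynomial coefficients of Appendix L.4 and the domain parameters of Appendix L.3, and confirms three things a verifier would want: that (GX,GY) maps to (GmX,GmY), that the dual maps (GmX,GmY) back to 3*(GX,GY), and that the root of w(x) is the x-coordinate of a point of order three. Since secp256k1 has prime order, that kernel point cannot lie on secp256k1 itself; the check shows it lies on the quadratic twist (whose cofactor h1 is divisible by 3). The function names (isogeny, add, mul) and the affine point arithmetic are the example's own, not notation from the draft.

```python
# Added check (not part of the draft): Appendix L's 3-isogeny secp256k1 -> secp256k1.m
# evaluated with the coefficients of Appendix L.4 and the parameters of Appendix L.3.
P = 2**256 - 2**32 - 977            # p = 2^256 - 2^32 - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1

def inv(x):
    return pow(x, -1, P)

def poly(coeffs, x):
    """sum(c_i * x^i) mod p; coeffs are listed as x^0, x^1, ... exactly as in L.4."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def on_curve(pt, a, b):
    x, y = pt
    return (y * y - (x * x * x + a * x + b)) % P == 0

def isogeny(pt, u, v, w):
    """(X, Y) -> (u(X)/w(X)^2, Y*v(X)/w(X)^3), the form used in Appendix L.2."""
    x, y = pt
    wi = inv(poly(w, x))
    return (poly(u, x) * wi * wi % P, y * poly(v, x) * wi * wi * wi % P)

def add(p1, p2, a):
    """Affine short-Weierstrass addition; None denotes the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + a) * inv(2 * y1) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt, a):
    acc = None
    for bit in bin(k)[2:]:
        acc = add(acc, acc, a)
        if bit == "1":
            acc = add(acc, pt, a)
    return acc

# secp256k1 (a = 0, b = 7) and secp256k1.m with their base points, Appendix L.3.
G = (0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798,
     0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8)
AM = 0xcfcd5c2175e2ef7dccdce737770b73815a2f13c509035ca254a14ac9f08974af
BM = 1771
GM = (0x3aca5300959fa1d0baf78dcff77a616f395e586d67aced0a887981290c279145,
      0x9580fce53a170f4fb744579ff3d6208612cd6a233e2de237f976c6a78611c800)
# Isogeny polynomials u, v, w (Appendix L.4.1) and dual u', v', w' (Appendix L.4.2).
U = [0x54, 0xa4d89db3ed06c81e6143ec2eca9f761d8d17260dc229e1da1f73f714506872a9,
     0xcc58ffccbd9febb4a66222c7d1311d988d88c0624bcd68ec4c758a8e67dfd99b, 1]
V = [0x1c, 0x94c7bc69befd17f2fae2e3ebf24df1f355d181fa1a8056103ba9baad4b40f029,
     0xb2857fb31c6fe18ef993342bb9c9ac64d44d209371b41d6272b04fd61bcfc851, 1]
W = [0xe62c7fe65ecff5da53311163e8988ecc46c4603125e6b476263ac546b3efeae5, 1]
UD = [0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa8c7,
      0x44cd5cd7ce55a801725891578fbe7356bd936355fd0e2f538797cecff7a37244,
      0x668d0011162006c3c889f4680f9a4b77d0d26a89e6bb87b13bd8d1cfdd600a41,
      0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa88c]
VD = [0x4bda12f684bda12f684bda12f684bda12f684bda12f684bda12f684b8e38e23c,
      0x519ba9c1f48f68054def6a410f0fa6e8b71c6c3b4a8958324681f6508c01fada,
      0xb34680088b100361e444fa3407cd25bbe8693544f35dc3d89dec68e76eb00338,
      0x2f684bda12f684bda12f684bda12f684bda12f684bda12f684bda12f38e38d84]
WD = [0x4d7a804ce3901e71066ccbd44636539b2bb2df6c8e4be29d8d4fb028e43033de, 1]

def base_point_maps_to_base_point():
    """phi(G) == Gm, with both points on their respective curves."""
    return on_curve(G, 0, 7) and on_curve(GM, AM, BM) and isogeny(G, U, V, W) == GM

def dual_is_multiplication_by_3():
    """phi_dual(Gm) == 3*G: the composition phi_dual o phi is [l] with l = 3."""
    return isogeny(GM, UD, VD, WD) == mul(3, G, 0)

def kernel_lies_on_the_twist():
    """w(x) vanishes at the kernel's x-coordinate x0.  For a = 0, b = 7 the 3-division
    polynomial is 3*x*(x^3 + 28), so x0^3 == -28.  Because secp256k1 has prime order it
    has no point of order 3, so y0^2 = x0^3 + 7 = -21 must be a non-square in GF(p):
    the kernel points live on the quadratic twist (3 divides its cofactor h1)."""
    x0 = (-W[0]) % P
    return pow(x0, 3, P) == P - 28 and pow(P - 21, (P - 1) // 2, P) == P - 1

if __name__ == "__main__":
    print(base_point_maps_to_base_point(), dual_is_multiplication_by_3(), kernel_lies_on_the_twist())
```

The dual check is the one worth keeping in a test suite: it exercises every coefficient of both polynomial triples at once, so a single transcription error in Appendix L.4 (or in a copy of it) makes it fail.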
Under this dual
4872 isogenous mapping, the base point (GmX, GmY) of secp256k1.m
4873 corresponds to a multiple of the base point (GX, GY) of secp256k1,
4874 where this multiple is l=3 (the degree of the isogeny; see the
4875 description in Appendix F.4). Note that this isogenous map (and its
4876 dual) primarily involves the evaluation of three fixed polynomials
4877 involving the x-coordinate, which takes roughly 10 modular
4878 multiplications (or less than 1% relative incremental cost compared
4879 to the cost of an elliptic curve scalar multiplication).

4881 L.3. Domain Parameters

4883 The parameters of the curve secp256k1 and the corresponding
4884 3-isogenous curve secp256k1.m are as indicated below. Here, the
4885 domain parameters of the curve secp256k1 are as specified in [SEC2];
4886 the domain parameters of secp256k1.m are "new".

4888 General parameters (for all curves):

4890 p 2^256-2^32-2^9-2^8-2^7-2^6-2^4-1

4892 (=0xffffffff ffffffff ffffffff ffffffff ffffffff ffffffff
4893 fffffffe fffffc2f)

4895 h 1

4897 n 11579208923731619542357098500868790785283756427907490438260516314
4898 1518161494337

4900 (=0xffffffff ffffffff ffffffff fffffffe baaedce6 af48a03b
4901 bfd25e8c d0364141)

4903 h1 114286177161 (=0x1a 9bfcab89)

4905 n1 10131766773001318469008702396060356387381009972480920692566974370
4906 31

4908 (=0x099ee564 ea5d84f5 08913936 a761b0d5 d792a426 a7779817
4909 ae2f5b67)

4911 Weierstrass curve-specific parameters (for secp256k1):

4913 a 0 (=0x00)

4915 b 7 (=0x07)

4917 GX 55066263022277343669578718895168534326250603453777594175500187360
4918 389116729240

4920 (=0x79be667e f9dcbbac 55a06295 ce870b07 029bfcdb 2dce28d9
4921 59f2815b 16f81798)

4923 GY 32670510020758816978083085130507043184471273380659243275938904335
4924 757337482424

4926 (=0x483ada77 26a3c465 5da4fbfc 0e1108a8 fd17b448 a6855419
4927 9c47d08f fb10d4b8)

4929 Weierstrass curve-specific parameters (for secp256k1.m):

4931 a 93991599167772749909245591943117186381494883464374162770646538702
4932 960816911535

4934 (=0xcfcd5c21 75e2ef7d ccdce737 770b7381 5a2f13c5 09035ca2
4935 54a14ac9 f08974af)

4937 b 1771 (=0x06eb)

4938 GmX 26591621185618668069038227574782692264471832498547635565821216767
4939 730887659845

4941 (=0x3aca5300 959fa1d0 baf78dcf f77a616f 395e586d 67aced0a
4942 88798129 0c279145)

4944 GmY 67622516283223102233819216063319565850973524550533340939716651159
4945 860372686848

4947 (=0x9580fce5 3a170f4f b744579f f3d62086 12cd6a23 3e2de237
4948 f976c6a7 8611c800)

4950 L.4. Isogeny Details

4952 The isogeny and dual isogeny are both isogenies with degree l=3.
4953 Both are specified by a triple of polynomials u, v, and w (resp. u',
4954 v', and w') of degree 3, 3, and 1, respectively, with coefficients in
4955 GF(p). The coefficients of each of these polynomials are specified in
4956 Appendix L.4.1 (for the isogeny) and in Appendix L.4.2 (for the dual
4957 isogeny). For each polynomial in variable x, the coefficients are
4958 tabulated as the sequence of coefficients of x^0, x^1, x^2, ..., in
4959 hexadecimal format.

4961 L.4.1. Isogeny Parameters

4963 L.4.1.1. Coefficients of u(x)

4965 0 0x54

4967 1 0xa4d89db3ed06c81e6143ec2eca9f761d8d17260dc229e1da1f73f714506872a9

4969 2 0xcc58ffccbd9febb4a66222c7d1311d988d88c0624bcd68ec4c758a8e67dfd99b

4971 3 0x01

4973 L.4.1.2. Coefficients of v(x)

4975 0 0x1c

4977 1 0x94c7bc69befd17f2fae2e3ebf24df1f355d181fa1a8056103ba9baad4b40f029

4979 2 0xb2857fb31c6fe18ef993342bb9c9ac64d44d209371b41d6272b04fd61bcfc851

4981 3 0x01

4983 L.4.1.3. Coefficients of w(x)

4985 0 0xe62c7fe65ecff5da53311163e8988ecc46c4603125e6b476263ac546b3efeae5

4987 1 0x01

4989 L.4.2. Dual Isogeny Parameters

4991 L.4.2.1. Coefficients of u'(x)

4993 0 0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa8c7

4995 1 0x44cd5cd7ce55a801725891578fbe7356bd936355fd0e2f538797cecff7a37244

4997 2 0x668d0011162006c3c889f4680f9a4b77d0d26a89e6bb87b13bd8d1cfdd600a41

4999 3 0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa88c

5001 L.4.2.2.
Coefficients of v'(x) 5003 0 0x4bda12f684bda12f684bda12f684bda12f684bda12f684bda12f684b8e38e23c 5005 1 0x519ba9c1f48f68054def6a410f0fa6e8b71c6c3b4a8958324681f6508c01fada 5007 2 0xb34680088b100361e444fa3407cd25bbe8693544f35dc3d89dec68e76eb00338 5009 3 0x2f684bda12f684bda12f684bda12f684bda12f684bda12f684bda12f38e38d84 5011 L.4.2.3. Coefficients of w'(x) 5013 0 0x4d7a804ce3901e71066ccbd44636539b2bb2df6c8e4be29d8d4fb028e43033de 5015 1 0x01 5017 Appendix M. Curve448 and Cousins 5019 This section introduces curves related to Curve448 and explains their 5020 relationships. 5022 M.1. Curve Definition and Alternative Representations 5024 The elliptic curve Curve448 is the Montgomery curve M_{A,B} defined 5025 over the prime field GF(p), with p:=2^{448}-2^{224}-1, where 5026 A:=156326 and B:=1. This curve has order h*n, where h=4 and where n 5027 is a prime number. For this curve, A^2-4 is not a square in GF(p), 5028 whereas A-2 is. The quadratic twist of this curve has order h1*n1, 5029 where h1=4 and where n1 is a prime number. For this curve, the base 5030 point is the point (Gu, Gv), where Gu=5 and where Gv is an even 5031 integer in the interval [0, p-1]. 5033 This curve has the same group structure as (is "isomorphic" to) the 5034 twisted Edwards curve E_{a,d} defined over GF(p), with as base point 5035 the point (Gx, Gy), where parameters are as specified in 5036 Appendix M.3. This curve is denoted as Ed448. For this curve, the 5037 parameter a is a square in GF(p), whereas d is not, so the group laws 5038 of Appendix C.3 apply. 5040 The curve is also isomorphic to the elliptic curve W_{a,b} in short- 5041 Weierstrass form defined over GF(p), with as base point the point 5042 (GX, GY), where parameters are as specified in Appendix M.3. This 5043 curve is denoted as Wei448. 5045 M.2. 
Switching between Alternative Representations 5047 Each affine point (u, v) of Curve448 corresponds to the point (X, 5048 Y):=(u + A/3, v) of Wei448, while the point at infinity of Curve448 5049 corresponds to the point at infinity of Wei448. (Here, we used the 5050 mappings of Appendix D.2 and that B=1.) Under this mapping, the base 5051 point (Gu, Gv) of Curve448 corresponds to the base point (GX, GY) of 5052 Wei448. The inverse mapping maps the affine point (X, Y) of Wei448 5053 to (u, v):=(X - A/3, Y) of Curve448, while mapping the point at 5054 infinity of Wei448 to the point at infinity of Curve448. Note that 5055 this mapping involves a simple shift of the first coordinate and can 5056 be implemented via integer-only arithmetic as a shift of -delta for 5057 the isomorphic mapping and a shift of delta for its inverse, where 5058 delta:=(p-A)/3 is the integer defined by 5060 delta 24227957476520229684977460262933484478454712022910602009383006 5061 63935374427222435908954654612328921819766962948206145457870178326 5062 72736371 5064 (=0x55555555 55555555 55555555 55555555 55555555 55555555 5065 55555554 ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff 5066 ffff3473). 5068 (Note that, depending on the implementation details of the field 5069 arithmetic, one may have to shift the result by +p or -p if this 5070 integer is not in the interval [0,p-1].) 
5072 The curve Ed448 is isomorphic to the curve Curve448, where the base 5073 point (Gu, Gv) of Curve448 corresponds to the base point (Gx,Gy) of 5074 Ed448 and where the point at infinity and the point (0,0) of order 5075 two of Curve448 correspond to, respectively, the point (0, 1) and the 5076 point (0, -1) of order two of Ed448 and where each other point (u, v) 5077 of Curve448 corresponds to the point (c*u/v, (u+1)/(u-1)) of Ed448, 5078 where c is the element of GF(p) defined by 5080 c sqrt((A-2)/B) 5082 19788846729546443953835400975385803825683515259105980214819977919 5083 60874042320025157136042631277930307478554244641856917664538448351 5084 92428 5086 (=0x45b2c5f7 d649eed0 77ed1ae4 5f44d541 43e34f71 4b71aa96 5087 c945af01 2d182975 0734cde9 faddbda4 c066f7ed 54419ca5 2c85de1e 5088 8aae4e6c). 5090 (Here, we used the mapping of Appendix D.1 and normalized this using 5091 the mapping of Appendix F.1 (where the element s of that appendix is 5092 set to c above).) The inverse mapping from Ed448 to Curve448 is 5093 defined by mapping the point (0, 1) and the point (0, -1) of order 5094 two of Ed448 to, respectively, the point at infinity and the point 5095 (0,0) of order two of Curve448 and having each other point (x, y) of 5096 Ed448 correspond to the point ((y + 1)/(y - 1), c*(y + 1)/((y-1)*x)) 5097 of Curve448. 5099 The curve Ed448 is isomorphic to the Weierstrass curve Wei448, where 5100 the base point (Gx, Gy) of Ed448 corresponds to the base point 5101 (GX,GY) of Wei448 and where the identity element (0,1) and the point 5102 (0,-1) of order two of Ed448 correspond to, respectively, the point 5103 at infinity O and the point (A/3, 0) of order two of Wei448 and where 5104 each other point (x, y) of Ed448 corresponds to the point (X, 5105 Y):=((y+1)/(y-1)+A/3, c*(y+1)/((y-1)*x)) of Wei448, where c was 5106 defined before. (Here, we used the mapping of Appendix D.3.) 
The 5107 inverse mapping from Wei448 to Ed448 is defined by mapping the point 5108 at infinity O and the point (A/3, 0) of order two of Wei448 to, 5109 respectively, the identity element (0,1) and the point (0,-1) of 5110 order two of Ed448 and having each other point (X, Y) of Wei448 5111 correspond to the point (c*(X-A/3)/Y, (X-A/3+1)/(X-A/3-1)) of Ed448. 5113 Note that these mappings can be easily realized if points are 5114 represented in projective coordinates, using a few field 5115 multiplications only, thus allowing switching between alternative 5116 curve representations with negligible relative incremental cost. 5118 M.3. Domain Parameters 5120 The parameters of the Montgomery curve and the corresponding 5121 isomorphic curves in twisted Edwards curve and short-Weierstrass form 5122 are as indicated below. Here, the domain parameters of the 5123 Montgomery curve Curve448 and of the twisted Edwards curve Ed448 are 5124 as specified in [RFC7748]; the domain parameters of Wei448 are "new". 5126 IMPORTANT NOTE: the supposed base point of Ed448 specified in 5127 [RFC7748] is incorrect, since it has order 2*n, and - in the notation 5128 below - that point is the point (Gx,-Gy)=-(Gx, Gy)+(0,-1). The 5129 birational map in that document is also incorrect. 
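The Python check below is an addition by the editor, not part of this document or of [RFC7748]. It applies the three mappings of Appendix M.2 (Curve448 to Wei448 by the coordinate shift, Curve448 to Ed448 via c, and Ed448 to Wei448) to the Curve448 base point and compares the results with the Ed448 and Wei448 base points and with the Wei448 a, b and delta values tabulated in Appendix M.3 below; it also recomputes a and b from A using the Appendix D.2 relations a = 1 - A^2/3 and b = (2A^3 - 9A)/27. The last function exercises the IMPORTANT NOTE: with the complete twisted Edwards addition law it shows that n*(Gx,Gy) is the identity while n*(Gx,-Gy) is the point (0,-1) of order two, so the latter has order 2n. The function names and the regular-pattern spellings of the hex constants are the example's own; every numeric value comes from Appendices M.2 and M.3.

```python
# Added check (not part of the draft): the Curve448 / Ed448 / Wei448 conversions of
# Appendix M.2, evaluated against the domain parameters tabulated in Appendix M.3.
P = 2**448 - 2**224 - 1
A, B = 156326, 1                                    # Curve448: B*v^2 = u^3 + A*u^2 + u
N = 2**446 - 0x8335dc163bb124b65129c96fde933d8d723a70aadc873d6d54a7bb0d   # prime n
D = 39082 * pow(39081, -1, P) % P                   # Ed448: d = (A+2)/(A-2)

def inv(x):
    return pow(x, -1, P)

def hexint(hi, lo):                 # two 56-digit halves, as the draft prints 448-bit values
    return int(hi + lo, 16)

GU, GV = 5, hexint("7d235d1295f5b1f66c98ab6e58326fcecbae5d34f55545d060f75dc2",
                   "8df3f6edb8027e2346430d211312c4b150677af76fd7223d457b5b1a")
C = hexint("45b2c5f7d649eed077ed1ae45f44d54143e34f714b71aa96c945af01",      # c = sqrt((A-2)/B)
           "2d1829750734cde9faddbda4c066f7ed54419ca52c85de1e8aae4e6c")
ED_GX = hexint("79a70b2b70400553ae7c9df416c792c61128751ac92969240c25a07d",  # Ed448 Gx
               "728bdc93e21f7787ed6972249de732f38496cd11698713093e9c04fc")
ED_GY = 3 * inv(2) % P                                                      # Ed448 Gy = 3/2
# Wei448 a, b, GX and delta = (p-A)/3 as tabulated in M.3/M.2 (their hex patterns repeat).
WEI_A = int("a" * 55 + "9" + "f" * 47 + "e1a76d41f", 16)
WEI_B = int("5ed097b42" * 6 + "5e" + "71c" * 13 + "71c72c87b7cc69f70", 16)
WEI_GX = int("a" * 56 + "0" * 52 + "cb91", 16)
DELTA = int("5" * 55 + "4" + "f" * 52 + "3473", 16)

def on_mont(u, v):
    return (B * v * v - (u**3 + A * u * u + u)) % P == 0

def on_ed(x, y):                    # twisted Edwards with a = 1: x^2 + y^2 = 1 + d*x^2*y^2
    return (x * x + y * y - 1 - D * x * x * y * y) % P == 0

def on_wei(x, y):
    return (y * y - (x**3 + WEI_A * x + WEI_B)) % P == 0

def mont_to_wei(u, v):
    """(u, v) -> (u + A/3, v); on integers this is a shift by -delta (mod p)."""
    return ((u + A * inv(3)) % P, v)

def mont_to_ed(u, v):
    """(u, v) -> (c*u/v, (u+1)/(u-1)) for points other than O and (0, 0)."""
    return (C * u * inv(v) % P, (u + 1) * inv(u - 1) % P)

def ed_to_wei(x, y):
    """(x, y) -> ((y+1)/(y-1) + A/3, c*(y+1)/((y-1)*x)) for points other than (0, +-1)."""
    return (((y + 1) * inv(y - 1) + A * inv(3)) % P, C * (y + 1) * inv((y - 1) * x) % P)

def ed_add(p1, p2):
    """Complete twisted Edwards addition (a = 1, d a non-square; Appendix C.3)."""
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + y1 * x2) * inv(1 + t) % P, (y1 * y2 - x1 * x2) * inv(1 - t) % P)

def ed_mul(k, pt):
    acc = (0, 1)
    for bit in bin(k)[2:]:
        acc = ed_add(acc, acc)
        if bit == "1":
            acc = ed_add(acc, pt)
    return acc

def wei448_parameters_match():
    """Appendix D.2: a = 1 - A^2/3, b = (2A^3 - 9A)/27 reproduce the tabulated Wei448 a, b."""
    a = (1 - A * A * inv(3)) % P
    b = (2 * A**3 - 9 * A) * inv(27) % P
    return (a, b) == (WEI_A, WEI_B) and DELTA == (P - A) // 3 and (GU - DELTA) % P == WEI_GX

def base_points_correspond():
    """The three base points of Appendix M.3 are images of one another under M.2's maps."""
    x, y = mont_to_ed(GU, GV)
    X, Y = mont_to_wei(GU, GV)
    return (on_mont(GU, GV) and C * C % P == (A - 2) * inv(B) % P
            and (x, y) == (ED_GX, ED_GY) and on_ed(x, y)
            and (X, Y) == (WEI_GX, GV) and on_wei(X, Y) and ed_to_wei(x, y) == (X, Y))

def rfc7748_ed448_base_point_has_order_2n():
    """IMPORTANT NOTE of M.3: (Gx, Gy) has order n, while (Gx, -Gy) = -(Gx,Gy) + (0,-1)
    satisfies n*(Gx, -Gy) == (0, -1) and therefore has order 2n."""
    return ed_mul(N, (ED_GX, ED_GY)) == (0, 1) and ed_mul(N, (ED_GX, P - ED_GY)) == (0, P - 1)

if __name__ == "__main__":
    print(wei448_parameters_match(), base_points_correspond(), rfc7748_ed448_base_point_has_order_2n())
```

An implementation that imports an Ed448 base point from another specification should run the order check above (or an equivalent cofactor check) before signing with it: a generator of order 2n silently changes the group the protocol's security proof talks about.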
5131 General parameters (for all curve models): 5133 p 2^{448}-2^{224}-1 5135 (=0xffffffff ffffffff ffffffff ffffffff ffffffff ffffffff 5136 fffffffe ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff 5137 ffffffff) 5139 h 4 5141 n 18170968107390172263733095197200113358841034017182951507037254979 5142 51460039615395857161957552916923759633102937090916623047737558596 5143 49779 5145 (=2^{446} - 0x8335dc16 3bb124b6 5129c96f de933d8d 723a70aa 5146 dc873d6d 54a7bb0d) 5148 h1 4 5150 n1 18170968107390172263733095197200113358841034017182951507037254979 5151 51601601218258006270024365576458970017341485218301563757529931495 5152 32941 5154 (=2^{446} + 0x0335dc16 3bb124b6 5129c96f de933d8d 723a70aa 5155 dc873d6d 54a7bb0d) 5157 Montgomery curve-specific parameters (for Curve448): 5159 A 156326 (=0x0262a6) 5161 B 1 (=0x01) 5163 Gu 5 (=0x05) 5165 Gv 35529392678556817526412750206378333480897639938771427183188089843 5166 51690887869674100029326737658645509101427741472681058389855952906 5167 06362 5169 (=0x7d235d12 95f5b1f6 6c98ab6e 58326fce cbae5d34 f55545d0 5170 60f75dc2 8df3f6ed b8027e23 46430d21 1312c4b1 50677af7 6fd7223d 5171 457b5b1a) 5173 Edwards curve-specific parameters (for Ed448): 5175 a 1 (0x01) 5177 d 39082/39081 = (A+2)/(A-2) 5179 (=611975850744529176160423220965553317543219696871016626328968936 5180 41508786004263647489178559928366602041476867897998937814706546281 5181 5545017) 5183 (=0xd78b4bdc 7f0daf19 f24f38c2 9373a2cc ad461572 42a50f37 5184 809b1da3 412a12e7 9ccc9c81 264cfe9a d0809970 58fb61c4 243cc32d 5185 baa156b9) 5187 Gx 34539749303972951637400860415053741026665526007518329021640697028 5188 16456950736723444304817877593406332217083915834240417889241245677 5189 00732 5191 (=0x79a70b2b 70400553 ae7c9df4 16c792c6 1128751a c9296924 5192 0c25a07d 728bdc93 e21f7787 ed697224 9de732f3 8496cd11 69871309 5193 3e9c04fc) 5195 Gy 3/2 5197 36341936214780344527466190394400226717682068034365903014074509959 5198 
03061640833653863431981918493382729650444422309218186805267490091 5199 82721 5201 (=0x7fffffff ffffffff ffffffff ffffffff ffffffff ffffffff 5202 ffffffff 80000000 00000000 00000000 00000000 00000000 00000000 5203 00000001) 5205 Weierstrass curve-specific parameters (for Wei448): 5207 a 48455914953040459369954920525866968956909424045821204018766013278 5208 70748854444871817909309224657843639533925896412290915740356571996 5209 37535 5211 (=0xaaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa 5212 aaaaaaa9 ffffffff ffffffff ffffffff ffffffff ffffffff fffffffe 5213 1a76d41f) 5215 b 26919952751689144094419400292148316087171902247678446677092229599 5216 28193808024928787727394013698802021963292164673494953191916856645 5217 13904 5219 (=0x5ed097b4 25ed097b 425ed097 b425ed09 7b425ed0 97b425ed 5220 097b425e 71c71c71 c71c71c7 1c71c71c 71c71c71 c71c71c7 1c72c87b 5221 7cc69f70) 5223 GX 48455914953040459369954920525866968956909424045821204018766013278 5224 70748854444871817909309224657843639533925896412290915740356653456 5225 29073 5227 (=0xaaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa 5228 aaaaaaaa 00000000 00000000 00000000 00000000 00000000 00000000 5229 0000cb91) 5231 GY 35529392678556817526412750206378333480897639938771427183188089843 5232 51690887869674100029326737658645509101427741472681058389855952906 5233 06362 5235 (=0x7d235d12 95f5b1f6 6c98ab6e 58326fce cbae5d34 f55545d0 5236 60f75dc2 8df3f6ed b8027e23 46430d21 1312c4b1 50677af7 6fd7223d 5237 457b5b1a) 5239 Appendix N. Further Cousins of Curve448 5241 This section introduces some further curves related to Curve448 and 5242 explains their relationships. 5244 N.1. 
Further Alternative Representations 5246 The Weierstrass curve Wei448 is isomorphic to the Weierstrass curve 5247 Wei448.1 defined over GF(p), with as base point the pair (G1X,G1Y), 5248 and isogenous to the Weierstrass curve Wei448.-3 defined over GF(p), 5249 with as base point the pair (G3X, G3Y), where parameters are as 5250 specified in Appendix N.3 and where the related mappings are as 5251 specified in Appendix N.2. 5253 The Edwards curve Ed448 is isogenous to the Edwards curve Edwards448 5254 defined over GF(p), with as base point the pair (G1x,G1y), where 5255 parameters are as specified in Appendix N.3 and where the related 5256 mappings are as specified in Appendix N.2. For this curve, the 5257 domain parameter a is a square in GF(p), whereas d1 is not, so the 5258 group laws of Appendix C.3 apply. 5260 N.2. Further Switching 5262 Each affine point (X, Y) of Wei448 corresponds to the point (X', 5263 Y'):=(X*s^2,Y*s^3) of Wei448.1, where s is the element of GF(p) 5264 defined by 5266 s 52322274343677442779379520589771028818568404587729117919590511061 5267 93509510238347880134473888687471465216641846232724641298954890800 5268 00881 5269 (=0xb848cd01 981d2f83 f2829b42 eb86914e 88f44c9d 05dcbdff 5270 dbdd1e56 c4674bc8 d6d90d91 862a38f5 ca797ca7 f21c05cf a7ac32bf 5271 d2ca0171), 5273 while the point at infinity of Wei448 corresponds to the point at 5274 infinity of Wei448.1. (Here, we used the mapping of Appendix F.3.) 5275 Under this mapping, the base point (GX, GY) of Wei448 corresponds to 5276 the base point (G1X,G1Y) of Wei448.1. The inverse mapping maps the 5277 affine point (X', Y') of Wei448.1 to (X,Y):=(X'/s^2,Y'/s^3) of 5278 Wei448, while mapping the point at infinity O of Wei448.1 to the 5279 point at infinity O of Wei448. Note that this mapping (and its 5280 inverse) involves a modular multiplication of both coordinates with 5281 fixed constants s^2 and s^3 (respectively, 1/s^2 and 1/s^3), which 5282 can be precomputed. 
5284 The point at infinity and the point (A/3,0) of order two of Wei448 5285 both correspond to the point at infinity of Wei448.-3, while each 5286 other point (X,Y) of Wei448 corresponds to the point 5287 (X',Y'):=(X1*t^2,Y1*t^3) of Wei448.-3, where 5288 (X1,Y1)=(u(X)/w(X),Y*v(X)/w(X)^2), where u, v, and w are the 5289 polynomials with coefficients in GF(p) as defined in Appendix N.4.1 5290 and where t is the element of GF(p) defined by 5292 t 23579450751475691430882365546539966269774125426758968522698856022 5293 13378944265540874438945283200254318223329383397068961863760712339 5294 07365 5296 (=0x530c9a1d 7cf071d0 9646b83d b246626b 4e57ba5d 6a791bef 5297 76197254 3209dc5c 20d81498 d5ab8d7a 2fb22507 ca68c040 a6c82eb3 5298 b6c7aaa5). 5300 (Here, we used the isogenous mapping of Appendix F.4.) Under this 5301 isogenous mapping, the base point (GX,GY) of Wei448 corresponds to 5302 the base point (G3X,G3Y) of Wei448.-3. The dual isogeny maps the 5303 point at infinity O and the point (tau,0) of order two of Wei448.-3, 5304 where tau is the element of GF(p) defined by 5306 tau 42178595713080601145580616893463205889346047807394283240821661315 5307 01870168726890624132409486822657385666418069563147259152341712826 5308 86207 5310 (=0x948eabcf 057e0d55 9c372c98 075ddacf 6f3d19bc 514e5d23 5311 248d685b 75f97a10 36696aaf 61c02d8e 3da778c3 8d9fda05 54c9258b 5312 3c0e80ff), 5314 to the point at infinity O of Wei448, while mapping each other point 5315 (X',Y') of Wei448.-3 to the affine point 5316 (X,Y):=(u'(X1)/w'(X1),Y1*v'(X1)/w'(X1)^2) of Wei448, where 5317 (X1,Y1)=(X'/t^2,Y'/t^3) and where u', v', and w' are the polynomials 5318 with coefficients in GF(p) as defined in Appendix N.4.2. Under this 5319 dual isogenous mapping, the base point (G3X, G3Y) of Wei448.-3 5320 corresponds to a multiple of the base point (GX, GY) of Wei448, where 5321 this multiple is l=2 (the degree of the isogeny; see the description 5322 in Appendix F.4). 
Note that this isogenous map (and its dual) 5323 primarily involves the evaluation of three fixed polynomials 5324 involving the x-coordinate, which takes only a few modular 5325 multiplications (less than 0.5% relative incremental cost compared to 5326 the cost of an elliptic curve scalar multiplication). 5328 Each point (x1,y1) of Edwards448 with nonzero coordinates corresponds 5329 to the point (x,y) of Ed448, where 5331 x = c*x1*y1/(1-d1*x1^2*y1^2) = c*x1*y1/(2-x1^2-y1^2) and 5333 y =(1 + d1*x1^2*y1^2)/(y1^2-x1^2) = -(x1^2+y1^2)/(x1^2-y1^2), 5335 while each other point (i.e., a point of order 1, 2, or 4) 5336 corresponds to the identity element (0,1) of Ed448. (Here, we used 5337 the 4-isogenous mapping of Appendix F.4). Under this isogenous 5338 mapping, the base point (G1x, G1y) of Edwards448 corresponds to the 5339 base point (Gx,Gy) of Ed448. The dual isogeny maps each point (x,y) 5340 of Ed448 to the point (x1,y1) of Edwards448, where 5342 x1 = (4*x*y/c)/(y^2-x^2) and 5344 y1 = (1 - d*x^2*y^2)/(1 + d*x^2*y^2) = (2-x^2-y^2)/(x^2+y^2). 5346 Under this dual isogenous mapping, the base point (Gx, Gy) of Ed448 5347 corresponds to a multiple of the base point (G1x, G1y) of Edwards448, 5348 where this multiple is l=4 (the degree of the isogeny; see the 5349 description in Appendix F.4). Note that this isogenous map (and its 5350 dual) primarily involves the evaluation of three fixed polynomials, 5351 which takes only a few multiplications (less than 0.5% relative 5352 incremental cost compared to the cost of an elliptic curve scalar 5353 multiplication). 5355 Each point (x1,y1) of Edwards448 with nonzero coordinates corresponds 5356 to the point (u,v) of Curve448, where 5358 u = y1^2/x1^2 and v = y1*(2-x1^2-y1^2)/x1^3, 5360 while each other point (i.e., a point of order 1, 2, or 4) 5361 corresponds to the point at infinity of Curve448. 
Under this 5362 isogenous mapping, the base point (G1x, G1y) of Edwards448 5363 corresponds to the base point (Gu,Gv) of Curve448. The dual isogeny 5364 maps both the point at infinity and the point (0,0) of order two of 5365 Curve448 to the identity element (0,1) of Edwards448, while each 5366 other point (u,v) of Curve448 corresponds to the point (x1,y1) of 5367 Edwards448, where 5369 x1 = 4*(u^2-1)*v/((u^2-1)^2+4*v^2) and 5371 y1 = u*((u^2-1)^2-4*v^2)/(2*(u^2+1)*v^2-u*(u^2-1)^2). 5373 Under this dual isogenous mapping, the base point (Gu, Gv) of 5374 Curve448 corresponds to a multiple of the base point (G1x, G1y) of 5375 Edwards448, where this multiple is l=4 (the degree of the isogeny; 5376 see above). 5378 N.3. Further Domain Parameters 5380 The parameters of the Weierstrass curve with a=1 that is isomorphic 5381 with Wei448 and the parameters of the Weierstrass curve with a=-3 5382 that is isogenous with Wei448 are as indicated below. Both domain 5383 parameter sets can be exploited directly to derive more efficient 5384 point addition formulae, should an implementation facilitate this. 5385 The domain parameters of the Edwards curve Edwards448 are as 5386 specified in [RFC7748]. 
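The following Python check is an addition by the editor and is not part of this document or of [RFC7748]. It applies the Appendix N.2 mappings to the base points: the Wei448 to Wei448.1 scaling by s, the Wei448 to Wei448.-3 2-isogeny (u, v, w followed by the scaling by t) and its dual (u', v', w' after unscaling), and the 4-isogenies from Edwards448 to Ed448 and to Curve448. Results are compared with the Wei448.1, Wei448.-3 and Edwards448 parameters tabulated in Appendix N.3 below and with the Ed448/Curve448 base points of Appendix M.3, and the dual is checked to land on 2*(GX,GY). The polynomial coefficients are the ones of Appendix N.4 below, written out through the regularities they exhibit (u(x) = x^2 + delta*x + 1, v(x) = (x+delta)^2 - 1, w(x) = x + delta; in u', v', w' the values (p+1)/3 + small, (p+1)/4 and (p+1)/8). The function names are the example's own.

```python
# Added check (not part of the draft): the Appendix N.2 mappings from Wei448 to Wei448.1
# (isomorphism) and Wei448.-3 (2-isogeny), and from Edwards448 to Ed448 and Curve448
# (4-isogenies), evaluated against the values in Appendices M.3, N.3 and N.4.
P = 2**448 - 2**224 - 1
A = 156326
DELTA = (P - A) // 3                     # -A/3 mod p (Appendix M.2)
THIRD = (P + 1) // 3                     # 1/3 mod p; the 0x5555...5500...00 pattern of N.4.2

def inv(x):
    return pow(x, -1, P)

def hexint(hi, lo):                      # two 56-digit halves, as the draft prints 448-bit values
    return int(hi + lo, 16)

def poly(coeffs, x):                     # coefficients listed as x^0, x^1, ... (Appendix N.4)
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def on_wei(x, y, a, b):
    return (y * y - (x**3 + a * x + b)) % P == 0

def wei_double(x, y, a):
    lam = (3 * x * x + a) * inv(2 * y) % P
    x3 = (lam * lam - 2 * x) % P
    return (x3, (lam * (x - x3) - y) % P)

# Wei448 (M.3): a = 1 - A^2/3, GX = Gu - delta = 5 - delta, GY = Gv.
WEI_A = (1 - A * A * inv(3)) % P
GX = (5 - DELTA) % P
GY = hexint("7d235d1295f5b1f66c98ab6e58326fcecbae5d34f55545d060f75dc2",
            "8df3f6edb8027e2346430d211312c4b150677af76fd7223d457b5b1a")
# Ed448 base point (M.3) and the constant c of M.2.
ED_GX = hexint("79a70b2b70400553ae7c9df416c792c61128751ac92969240c25a07d",
               "728bdc93e21f7787ed6972249de732f38496cd11698713093e9c04fc")
ED_GY = 3 * inv(2) % P
C = hexint("45b2c5f7d649eed077ed1ae45f44d54143e34f714b71aa96c945af01",
           "2d1829750734cde9faddbda4c066f7ed54419ca52c85de1e8aae4e6c")
# Wei448.1: scaling element s (N.2) and base point (N.3).
S = hexint("b848cd01981d2f83f2829b42eb86914e88f44c9d05dcbdffdbdd1e56",
           "c4674bc8d6d90d91862a38f5ca797ca7f21c05cfa7ac32bfd2ca0171")
G1 = (hexint("06c672d5b5bae33b010fa2109de7937a95db8ffc043c507f5e0d07a1",
             "25382eaf13f5fc3b75db26146e6d002fd8364ed6c9bc8fbfbbda22ab"),
      hexint("6ac9c53c767cd3aecbf904a12923502f115355d16ae8911c5c92f612",
             "aa854455d1e6d29f4db4ddea519a174fc0dd2505ec3328ba250a07be"))
# Wei448.-3: scaling element t (N.2), b and base point (N.3).
T = hexint("530c9a1d7cf071d09646b83db246626b4e57ba5d6a791bef76197254",
           "3209dc5c20d81498d5ab8d7a2fb22507ca68c040a6c82eb3b6c7aaa5")
B3 = hexint("f686723d80e29d062d00a9f13305b69885790019cca780359dac226b",
            "efb1ae21125397dd16f255b0cc5d18e543582a1caf90dfe2c0aeaec1")
G3 = (hexint("8f452c6bdc3265dd580b263859a02b20198cc0201dd7fba18b431694",
             "4a936052fb4e4a4193d01fa55fb5c7327393208b8170f3f2be78d3db"),
      hexint("c0494f90461db11c35fb76468349399aae23035111330cceb7473244",
             "ab63c955cf6ec02f2656b43944b19f4b52eef12e73026bbc84444683"))
# Edwards448 (d1 = -39081) base point, N.3.
G1E = (hexint("4f1970c66bed0ded221d15a622bf36da9e146570470f1767ea6de324",
              "a3d3a46412ae1af72ab66511433b80e18b00938e2626a82bc70cc05e"),
       hexint("693f46716eb6bc248876203756c9c7624bea73736ca3984087789c1e",
              "05a0c2d73ad3ff1ce67c39c4fdbd132c4ed7c8ad9808795bf230fa14"))
# N.4.1 as tabulated: u = x^2 + delta*x + 1, v = (x + delta)^2 - 1, w = x + delta.
U, V, W = [1, DELTA, 1], [(DELTA * DELTA - 1) % P, 2 * DELTA % P, 1], [DELTA, 1]
# N.4.2 as tabulated: the x^2 coefficients are (p+1)/4 = 1/4 and (p+1)/8 = 1/8 mod p.
UD = [0x016c26e0e8, THIRD + 0x65c6, inv(4)]
VD = [int("8e3" * 18 + "8d" + "a" * 48 + "45836c31", 16), THIRD + 0x65c6, inv(8)]
WD = [THIRD + 0x19719, 1]

def wei448_1_isomorphism():
    """(X, Y) -> (X*s^2, Y*s^3) sends G to G1, and s^4*a == 1 turns a into 1."""
    return (GX * S * S % P, GY * pow(S, 3, P) % P) == G1 and WEI_A * pow(S, 4, P) % P == 1

def wei448_m3_isogeny():
    """phi(G) == G3 on Wei448.-3 (a = -3), and phi_dual(G3) == 2*G, so phi_dual o phi = [2]."""
    wi = inv(poly(W, GX))
    X1, Y1 = poly(U, GX) * wi % P, GY * poly(V, GX) * wi * wi % P
    image = (X1 * T * T % P, Y1 * pow(T, 3, P) % P)
    ti = inv(T)
    X1, Y1 = G3[0] * ti * ti % P, G3[1] * pow(ti, 3, P) % P
    wi = inv(poly(WD, X1))
    back = (poly(UD, X1) * wi % P, Y1 * poly(VD, X1) * wi * wi % P)
    return image == G3 and on_wei(*G3, P - 3, B3) and back == wei_double(GX, GY, WEI_A)

def edwards448_isogenies():
    """Edwards448 -> Ed448: (c*x1*y1/(2-x1^2-y1^2), -(x1^2+y1^2)/(x1^2-y1^2)) sends G1 to (Gx,Gy);
    Edwards448 -> Curve448: (y1^2/x1^2, y1*(2-x1^2-y1^2)/x1^3) sends G1 to (Gu,Gv) = (5, GY)."""
    x1, y1 = G1E
    xs, ys = x1 * x1 % P, y1 * y1 % P
    on_edwards448 = (xs + ys - 1 + 39081 * xs * ys) % P == 0
    ed = (C * x1 * y1 * inv(2 - xs - ys) % P, -(xs + ys) * inv(xs - ys) % P)
    mont = (ys * inv(xs) % P, y1 * (2 - xs - ys) * inv(pow(x1, 3, P)) % P)
    return on_edwards448 and ed == (ED_GX, ED_GY) and mont == (5, GY)

if __name__ == "__main__":
    print(wei448_1_isomorphism(), wei448_m3_isogeny(), edwards448_isogenies())
```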
5388 General parameters: same as for Wei448 (see Appendix M.3) 5390 Weierstrass curve-specific parameters (for Wei448.1, i.e., with a=1): 5392 a 1 (=0x01) 5394 b 65961281701807170531944804985907990287225248056560036392380945951 5395 38183088507635437786021044927715119224497407914895790669345268896 5396 52743 5398 (=0xe8528596 bfbcbac9 7ebdbe4e 9683e25c 73a5ff37 6c4cd400 5399 5a75c425 8e3eb05a 9f6f8c24 24cb5aa9 0dcf9fa4 cab6691d 5530347c 5400 28437207) 5402 G1X 19236211982508211644805033459306273038523230481309141518540414163 5403 72091186292458482231912460243257247478684005448999746809691007995 5404 9723 5406 (=0x06c672d5 b5bae33b 010fa210 9de7937a 95db8ffc 043c507f 5407 5e0d07a1 25382eaf 13f5fc3b 75db2614 6e6d002f d8364ed6 c9bc8fbf 5408 bbda22ab) 5410 G1Y 30319443056877169804488072384563064288675576234196773667920807567 5411 79177927858755621958756222206632465988308466319556948821775845861 5412 64158 5413 (=0x6ac9c53c 767cd3ae cbf904a1 2923502f 115355d1 6ae8911c 5414 5c92f612 aa854455 d1e6d29f 4db4ddea 519a174f c0dd2505 ec3328ba 5415 250a07be) 5417 Weierstrass curve-specific parameters (for Wei448.-3, i.e., with a=- 5418 3): 5420 a -3 5422 (=0xffffffff ffffffff ffffffff ffffffff ffffffff ffffffff 5423 fffffffe ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff 5424 fffffffc) 5426 b 69993768681000150084833669961900533067383335592494498709534693464 5427 91314250731583068774689950893229681024927315747794587331422088592 5428 54465 5430 (=0xf686723d 80e29d06 2d00a9f1 3305b698 85790019 cca78035 5431 9dac226b efb1ae21 125397dd 16f255b0 cc5d18e5 43582a1c af90dfe2 5432 c0aeaec1) 5434 G3X 40677474994869876470916133424311516856662407970799424837841348421 5435 87696274665113140719001227030116551378877280368526334985627104680 5436 88795 5438 (=0x8f452c6b dc3265dd 580b2638 59a02b20 198cc020 1dd7fba1 5439 8b431694 4a936052 fb4e4a41 93d01fa5 5fb5c732 7393208b 8170f3f2 5440 be78d3db) 5442 G3Y 54594210970205994927260789585006437115117066846498189378285031510 5443 
5443 90310290468347714929366106635470978666795512446629051235704504868
5444 06147

5446 (=0xc0494f90 461db11c 35fb7646 8349399a ae230351 11330cce
5447 b7473244 ab63c955 cf6ec02f 2656b439 44b19f4b 52eef12e 73026bbc
5448 84444683)

5450 Edwards curve-specific parameters (for Edwards448):

5452 a 1 (0x01)

5454 d1 -39081 = -(A-2)/4

5456 (=726838724295606890549323807888004534353641360687318060281490199
5457 18061232816673077268639638369867654593008888446184363736105349801
5458 8326358)
5459 (=0xffffffff ffffffff ffffffff ffffffff ffffffff ffffffff
5460 fffffffe ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff
5461 ffff6756)

5463 G1x 22458004029592430018760433409989603624678964163256413424612546168
5464 69504154674060329090291928693579532825780320751464461736746026352
5465 47710

5467 (=0x4f1970c6 6bed0ded 221d15a6 22bf36da 9e146570 470f1767
5468 ea6de324 a3d3a464 12ae1af7 2ab66511 433b80e1 8b00938e 2626a82b
5469 c70cc05e)

5471 G1y 29881921007848149267601793044393067343754404015408024209592824137
5472 23315061898358760035368786554187847339823032335034625005315450628
5473 32660

5475 (=0x693f4671 6eb6bc24 88762037 56c9c762 4bea7373 6ca39840
5476 87789c1e 05a0c2d7 3ad3ff1c e67c39c4 fdbd132c 4ed7c8ad 9808795b
5477 f230fa14)

5479 N.4. Isogeny Details

5481 The isogeny and dual isogeny are both isogenies with degree l=2.
5482 Both are specified by a triple of polynomials u, v, and w (resp. u',
5483 v', and w') of degree 2, 2, and 1, respectively, with coefficients in
5484 GF(p). The coefficients of each of these polynomials are specified in
5485 Appendix N.4.1 (for the isogeny) and in Appendix N.4.2 (for the dual
5486 isogeny). For each polynomial in variable x, the coefficients are
5487 tabulated as the sequence of coefficients of x^0, x^1, x^2, ..., in
5488 hexadecimal format.

5490 N.4.1. Isogeny Parameters

5492 N.4.1.1.
Coefficients of u(x)

      0  0x01

      1  0x55555555555555555555555555555555555555555555555555555554ffffffff
         ffffffffffffffffffffffffffffffffffffffffffff3473

      2  0x01

N.4.1.2.  Coefficients of v(x)

      0  0x1c71c71c71c71c71c71c71c71c71c71c71c71c71c71c71c71c71c71c55555555
         5555555555555555555555555555555555555555f72db94a

      1  0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa9ffffffff
         fffffffffffffffffffffffffffffffffffffffffffe68e6

      2  0x01

N.4.1.3.  Coefficients of w(x)

      0  0x55555555555555555555555555555555555555555555555555555554ffffffff
         ffffffffffffffffffffffffffffffffffffffffffff3473

      1  0x01

N.4.2.  Dual Isogeny Parameters

N.4.2.1.  Coefficients of u'(x)

      0  0x016c26e0e8

      1  0x5555555555555555555555555555555555555555555555555555555500000000
         0000000000000000000000000000000000000000000065c6

      2  0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffc0000000
         000000000000000000000000000000000000000000000000

N.4.2.2.  Coefficients of v'(x)

      0  0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaaaaa
         aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa45836c31

      1  0x5555555555555555555555555555555555555555555555555555555500000000
         0000000000000000000000000000000000000000000065c6

      2  0x1fffffffffffffffffffffffffffffffffffffffffffffffffffffffe0000000
         000000000000000000000000000000000000000000000000

N.4.2.3.  Coefficients of w'(x)

      0  0x5555555555555555555555555555555555555555555555555555555500000000
         000000000000000000000000000000000000000000019719

      1  0x01

Appendix O.  Representation Examples Curve448 Family Members

   We present some examples of computations using the curves introduced
   in Appendix M and Appendix N of this document.  In each case, we
   indicate the values of P, k*P, and (k+1)*P, where P is a fixed
   multiple (here: 2019) of the base point of the curve in question and
   where the private key k is the integer

   k   62662039304523906689788124833289384446202946474440057655160773695
       63756342505410402166230018620066482794080866641616932013327623579
       01952

       (=0xdcb3bbb9 e42d7aca fe62052d 902123c7 0872b984 4c1e199f
          7c5d37bd 1171102b c20a6352 d9c91886 29b685de 51441e84 3afe2665
          5251aa80).

   In the examples below, each curve point is represented using the
   compressed point representation (see Appendix I.8), but where (for
   historical reasons) the parity bit t of the compressed curve point in
   question is represented by 0x00 or 0x80 depending on whether t=0 or
   t=1, respectively.  Notice that this representation corresponds to
   the compressed point representation of Appendix I.8, but with the
   bit-ordering in the 1-octet representation of t reversed.  (Note that
   this puts the parity bit t in the leftmost bit position of the octet
   string if one follows the MSB/msb representation conventions.)  For
   simplicity, this representation is again called the "squeezed"
   representation, although each point is now represented as a 57-octet
   string and, thereby, one octet longer than the tight representation
   of elements of GF(p).  As before, the ordering convention (see
   Appendix I.7) depends on the underlying curve model in question.
   Here, points of a Weierstrass curve are represented in tight MSB/msb-
   order, points of a Montgomery curve in tight LSB/msb-order, and
   points of a twisted Edwards curve in tight LSB/lsb-order.  For points
   that are a public key, the corresponding private keys are represented
   as 56-octet strings, using the same ordering conventions as with the
   public keys.  For affine points, we also give the tight
   representation of each coordinate (as a 56-octet string), using the
   same ordering conventions as used with the squeezed point
   representation.  For further details, see the examples themselves.

O.1.  Example with Curve448

   Pm=(u, v), k*Pm=(u1, v1), and (k+1)*Pm=(u2, v2) with Curve448:

   u   53298594738299085772373536080133483236673782578895339676785179923
       90764298300090102709453866054695061082746243636045110750296444932
       27715

       (=0xbbb91ba3 b0ef74c3 214394b4 d8f0d32d c4a92193 5f573009
          39fd86a3 8d54be2a 4d63380b 692381bb ed7339fd dca7b0cd a80166fe
          18c086c3).

   v   30578727850066757341435137807347775064915058999485530015946871157
       86794631407274936870618580714107931661730999350222644894729285604
       97149

       (=0x6bb38e82 8d52337f 6f0395ef dc16c776 52162f5e 309112ae
          fc7401bf 0cfb0499 eb1ed555 bf507ebc c33b4753 2d6dc6c5 d68dea1c
          c1e4c1fd).

   u1  64579461799301726935877447646800238443923683299745374127971411973
       12515295161791889743228049222279188968365877164188075095074418806
       82513

       (=0xe37497bf 9f704689 54ec6537 cbbe91d0 3ffcdcdb 8b707253
          a2212cdb e020ba9a 0bf65a1d 5d9a128a f85c63a2 79a00139 7aca56db
          15335011).

   v1  55735504615964066386264989698774850924544182484936624265048483231
       35693859362627880184586282439234602798023594054611737412667543758
       11547

       (=0xc44e5e0f 2c254d23 1dc082db 77175e8c fd37793c 22ebe200
          77905a5f 750b3c9f 4a95d4d5 4e1a1e54 d2d31689 4249252d 0c8b1c45
          1c1481db).

   u2  32685564331119553171673802371596819258307818641496728161547328225
       07595618587323619256769558535630624960575212644680149034661008254
       8876

       (=0x0b831eca 9c6215b0 5d830361 4013732f 7a9dd07f ebb9441e
          49129264 eb724f44 dc53671c ffabb9ee 0c02aa74 b083cd82 a821a4cf
          6f6d8c8c).
   v2  57682103223585233918507344950062950306770296215271320612937204938
       77499282103483092990510136901415757273082719665657484294344333591
       20741

       (=0xcb2988a4 6e37f9a9 a7a1255b 2fd2eea9 82308e7c eb8e18b8
          2252175f fd416a10 5984c6b8 36470e48 31879293 8f6139c6 f96164cb
          14010965).

   As suggested in Appendix C.2, the v-coordinate of k*Pm can be
   indirectly computed from the u-coordinates of Pm, k*Pm, and (k+1)*Pm,
   and the v-coordinate of Pm, which allows computation of the entire
   point k*Pm (and not just its u-coordinate) if k*Pm is computed using
   the Montgomery ladder (as, e.g., [RFC7748] recommends), since that
   algorithm computes both u1 and u2 and the v-coordinate of the point
   Pm may be available from context.

   The representation of k and the compressed representations of Pm and
   k*Pm in tight LSB/msb-order are given by

   repr(k)     =0x80aa5152 6526fe3a 841e4451 de85b629 8618c9d9 52630ac2
                 2b107111 bd375d7c 9f191e4c 84b97208 c7232190 2d0562fe
                 ca7a2de4 b9bbb3dc;

   repr(Pm)    =0xc386c018 fe6601a8 cdb0a7dc fd3973ed bb812369 0b38634d
                 2abe548d a386fd39 0930575f 9321a9c4 2dd3f0d8 b4944321
                 c374efb0 a31bb9bb 80;

   repr(k*Pm)  =0x11503315 db56ca7a 3901a079 a2635cf8 8a129a5d 1d5af60b
                 9aba20e0 db2c21a2 5372708b dbdcfc3f d091becb 3765ec54
                 8946709f bf9774e3 80,

   where the leftmost bit of the rightmost octet indicates the parity of
   the v-coordinate of the point of Curve448 in question (which, in this
   case, is one for both points, since v and v1 are odd).  See Appendix
   H.2 and Appendix I for further detail on (squeezed) point
   compression.
   The scalar representation and (squeezed) point representation
   illustrated above are consistent with the representations specified
   in [RFC7748], except that in [RFC7748] only an affine point's
   u-coordinate is represented (i.e., the v-coordinate of any point is
   always implicitly assumed to have an even value) and that the
   representation of the point at infinity is not specified.  (Note that
   due to the bit-length of the prime p, the lossless representation
   requires an additional octet compared to the lossy representation
   without v-coordinate.)  Another difference is that [RFC7748] allows
   non-unique representations of some elements of GF(p), whereas our
   representation conventions do not (since they are tight).

   A randomized representation (t1, t2) of the point k*Pm in tight LSB/
   msb order is given by

   t1  642695971489808425948939115432957219707501931105169269237
       122551860533279049805112466411050091592893048844749561382
       909707113070546618079

       (=0xdf86cb83 ae1ca6e6 da6afbaf afbb2fc0 606a136f 80eea078
          c868a5d7 7e638d09 99518385 65250cf1 9c034f96 1fa28f54
          f3016600 68335de2)

   t2  569275737967591640709387827593956375775147481657775744720
       460881642951497067363381071471046477130052706607411985560
       522861593611384288817

       (=0x3176361c 580a7bcd d7880d84 aba10bc6 57010328 afb728cc
          2016461b 246bef46 0eb4bb04 8c1a3616 c3f74a56 3cc1790f
          6472256b ca3481c8),

   where this representation is defined in Appendix K.5 and uses the
   mapping of Appendix K.3.2 with the default square root function.
   This representation can also be expressed in tight LSB/msb order as
   the pair ((u1,s1),(u2,s2)), where (s1,s2):=(0,1) and where

   u1  136243399181827781288243566840664309780937553734476297986
       555794212826774821697384612603539068963961668560923975117
       429548012444908081181

       (=0x1d50f12f 9d4a9f5b c49d8a59 0403a454 e9ab4208 ccde0595
          11d72af1 f44cefe4 0c743579 6502c443 730c55e9 2981fce1
          f172d988 fa7efc2f)

   u2  316511454563659405723248762668968632925539726790750815582
       281632434431599609191814743278306058750675581434472930261
       478756904493088717708

       (=0x8c3b4bf7 5ff5eaf5 4df2119b a413785d 73059f0b aa677e16
          e6eb7cf6 1e066961 e54e4b52 6ae528b1 d3c8cf8e aa3a7df0
          3b7a9a0d bb827a6f),

   where this uses the default completed mapping defined in Appendix K.6
   and the mapping of Appendix K.4.2 (with the default square root
   function).

O.2.  Example with Ed448

   Pe=(x, y), k*Pe=(x1, y1), and (k+1)*Pe=(x2, y2) with Ed448:

   x   12711234107145442394649604543297947887906244696692372551963816418
       93066253979844478364753304240794498368174540810674220788120782656
       62747

       (=0x2cc52fd1 6370554f 00c0f73f 64bda240 f5950177 d9033f6d
          74acd12d 68c79a51 315f556f 240973f9 e5f71ed7 9314ee9d c87f0b1b
          bcc0fd1b).

   y   69251010954633529003803699627438795111055087299023774963200632446
       22677618700964599963790149315020469517869703738619380660774687159
       85238

       (=0xf3e8bb95 c9675fd0 0c388fc5 e96cfbc7 3c19d945 76849979
          34c4ab60 73c4a763 c2a89bac d3879838 f4de11a3 3a4710c2 396dea1d
          cc012956).

   x1  69268794439088733926883958090256942256857349796922332363888137509
       71700910417786272464007666020220956482611896297610096130434552586
       39205

       (=0xf3f8c472 ca2e730b 05cc9092 f9d40956 029113e3 e92c2d55
          76406db2 c2903721 62f43371 1c0ec80c f8d7222d 1d701467 9da18531
          0fb5bb65).
   y1  50516707418203531159001223293623288296803299598968490915066154362
       78541820739332329525138363312119838075438487384161435963107103409
       09734

       (=0xb1eccbfc 5f5f92e8 d9129d14 b721c524 96fc1b1f a4c17c5f
          e4979b0c 763f34ba 91299376 d2499220 19b05f56 c3bb6b5d ac988271
          287d7aa6).

   x2  67287262124444231243108222498849910362455590990935326363062127166
       04126947894055981270997819628982374416022607672923451356182938105
       87868

       (=0xecfe1a4f a4cd7e2f 19afcf16 1ce2198f 0a850beb 41afa209
          94741609 5b1a858a 8e9548f5 011d188e d50484d3 119103f6 8bcd5ba2
          a6e3e8dc).

   y2  13744276256057290540518554008940700979716578667786691114397525367
       92684542875757407063179870154307882588988293167000249160114881659
       30341

       (=0x3068a338 4016ebfd a229ac73 b5c30bba ff67e183 71d1185f
          19dfbbee 28478baf 9034ebad 51407f01 35162743 c2c234bc 2d484c13
          552ea565).

   The representation of k and the compressed representations of Pe and
   k*Pe in tight LSB/lsb-order are given by

   repr(k)     =0x01558a4a a6647f5c 2178228a 7ba16d94 6118939b 4ac65043
                 d4088e88 bdecba3e f9987832 219d4e10 e3c48409 b4a0467f
                 535eb427 9dddcd3b;

   repr(Pe)    =0x6a948033 b857b69c 4308e25c c5887b2f 1c19e1cb 35d91543
                 c6e523ce 06d5232c 9e99216e a29b983c e3df3697 a3f11c30
                 0bfae693 a9dd17cf 01;

   repr(k*Pe)  =0x655ebe14 8e411935 bad6ddc3 6afa0d98 0449924b 6ec99489
                 5d2cfc6e 30d9e927 fa3e8325 f8d83f69 24a384ed 28b9489b
                 1749fafa 3fd3378d 01,

   where the rightmost bit of the rightmost octet indicates the parity
   of the x-coordinate of the point of Ed448 in question (which, in this
   case, is one for both points, since x and x1 are odd).  See Appendix
   H.3 and Appendix I for further detail on (squeezed) point
   compression.

   The scalar representation and (squeezed) point representation
   illustrated above are fully consistent with the representations
   specified in [RFC8032].
   Note that, contrary to [RFC7748], [RFC8032] requires unique
   representations of all elements of GF(p).

   A randomized representation (t1, t2) of the point k*Pe in tight LSB/
   lsb order is given by

   t1  397357047759003459380102071532091085834125520561197668989
       747600577137881485970346806080038194336473483709104865191
       806326006691504231547

       (=0xde295d0e 5efceb9b f43967ca be45a54b a1f75bdd a4b1b1b3
          b24a8d1d f2056329 e506867e c968aa8b 866017e4 f0cbc343
          2cf8e7fa 0b202fd1)

   t2  711800301530600330791068062467600183663589340593884950808
       136091389056251997893995894309660827763434071897306280320
       151044063120296064809

       (=0x94ecb72a 069a5322 e62d9357 c49d5664 1c351611 d1f361a8
          cbb8a12c f410e821 4fbe8e02 8d85d404 399b4c7c 5a6a72ce
          deef7b08 96302d5f),

   where this representation is defined in Appendix K.5 and uses the
   mapping of Appendix K.3.3 with the default square root function and
   underlying isomorphic mapping between Ed448 and Curve448 of
   Appendix M.2.

   This representation can also be expressed in tight LSB/lsb order as
   the pair ((u1,s1),(u2,s2)), where (s1,s2):=(1,1) and where

   u1  799430080555285542466583392114886786202374259081179178887
       990338902005327496428208435321295787094454554911799066625
       85567756287085693163

       (=0xd713005d bece883b de9e7077 e0084c74 e3f8ccf3 dcdf9af2
          2db99b77 5a9c3de7 c8d14433 634cee63 531d3d85 0637c24d
          a28691a3 ac041438)

   u2  273728972604711260959662149917071768586371733548553856048
       628325847723030459670661529224890730701519431099205367639
       437006368499972842925

       (=0xb5a46d1d be03f21b a4070e3c 51e42a50 1de9a4e6 3155b58c
          41dbdaed d5089539 cf69bbc8 78f3809d 5630ab65 c250e49b
          3a91a31d 067f1606),

   where this uses the default completed mapping defined in Appendix K.6
   and the mapping of Appendix K.4.3 (with the default square root
   function).

O.3.  Example with Wei448

   Pw=(X, Y), k*Pw=(X1, Y1), and (k+1)*Pw=(X2, Y2) with Wei448:

   X   29070637261778856087396075817199998758219070555984737667402173284
       55389871077654193754799253725773241315783295429899652880118118204
       91344

       (=0x6663c64e 5b9a1f6d cbee3f5f 839b7dd8 6f53cc3e 0a01dab3
          e4a8314e 8d54be2a 4d63380b 692381bb ed7339fd dca7b0cd a80166fe
          18c15250).

   Y   30578727850066757341435137807347775064915058999485530015946871157
       86794631407274936870618580714107931661730999350222644894729285604
       97149

       (=0x6bb38e82 8d52337f 6f0395ef dc16c776 52162f5e 309112ae
          fc7401bf 0cfb0499 eb1ed555 bf507ebc c33b4753 2d6dc6c5 d68dea1c
          c1e4c1fd).

   X1  40351504322781497250899987383866753965468971276834772118588405333
       77140867939355980788573436893357369201402928958042617224896092079
       46142

       (=0x8e1f426a 4a1af133 ff970fe2 76693c7a eaa78786 361b1cfe
          4ccbd786 e020ba9a 0bf65a1d 5d9a128a f85c63a2 79a00139 7aca56db
          15341b9e).

   Y1  55735504615964066386264989698774850924544182484936624265048483231
       35693859362627880184586282439234602798023594054611737412667543758
       11547

       (=0xc44e5e0f 2c254d23 1dc082db 77175e8c fd37793c 22ebe200
          77905a5f 750b3c9f 4a95d4d5 4e1a1e54 d2d31689 4249252d 0c8b1c45
          1c1481db).

   X2  51724471386152414687122300763026650882740205909970876834920746101
       21508416303604179834986180511406702029983417676758930643822754281
       77944

       (=0xb62dc975 470cc05b 082dae0b eabe1dda 25487b2a 9663eec8
          f3bd3d0e eb724f44 dc53671c ffabb9ee 0c02aa74 b083cd82 a821a4cf
          6f6e5818).

   Y2  57682103223585233918507344950062950306770296215271320612937204938
       77499282103483092990510136901415757273082719665657484294344333591
       20741

       (=0xcb2988a4 6e37f9a9 a7a1255b 2fd2eea9 82308e7c eb8e18b8
          2252175f fd416a10 5984c6b8 36470e48 31879293 8f6139c6 f96164cb
          14010965).
   The representation of k and the compressed representations of Pw and
   k*Pw in tight MSB/msb-order are given by

   repr(k)     =0xdcb3bbb9 e42d7aca fe62052d 902123c7 0872b984 4c1e199f
                 7c5d37bd 1171102b c20a6352 d9c91886 29b685de 51441e84
                 3afe2665 5251aa80;

   repr(Pw)    =0x80 6663c64e 5b9a1f6d cbee3f5f 839b7dd8 6f53cc3e
                 0a01dab3 e4a8314e 8d54be2a 4d63380b 692381bb ed7339fd
                 dca7b0cd a80166fe 18c15250;

   repr(k*Pw)  =0x80 8e1f426a 4a1af133 ff970fe2 76693c7a eaa78786
                 361b1cfe 4ccbd786 e020ba9a 0bf65a1d 5d9a128a f85c63a2
                 79a00139 7aca56db 15341b9e,

   where the leftmost bit of the leftmost octet indicates the parity of
   the Y-coordinate of the point of Wei448 in question (which, in this
   case, is one for both points, since Y and Y1 are odd).  See Appendix
   H.1 and Appendix I for further detail on (squeezed) point
   compression.

   The scalar representation is consistent with the representations
   specified in [SEC1]; the (squeezed) point representation illustrated
   above is "new".  For completeness, we include a SEC1-consistent
   representation of the point Pw in affine format and in compressed
   format below.

   The SEC1-compliant affine representation of the point Pw in tight
   MSB/msb-order is given by

   aff(Pw)     =0x6663c64e 5b9a1f6d cbee3f5f 839b7dd8 6f53cc3e 0a01dab3
                 e4a8314e 8d54be2a 4d63380b 692381bb ed7339fd dca7b0cd
                 a80166fe 18c15250
                 6bb38e82 8d52337f 6f0395ef dc16c776 52162f5e 309112ae
                 fc7401bf 0cfb0499 eb1ed555 bf507ebc c33b4753 2d6dc6c5
                 d68dea1c c1e4c1fd,

   whereas the SEC1-compliant compressed representation of the point Pw
   in tight MSB/msb-order is given by

   compr(Pw)   =0x03 6663c64e 5b9a1f6d cbee3f5f 839b7dd8 6f53cc3e
                 0a01dab3 e4a8314e 8d54be2a 4d63380b 692381bb ed7339fd
                 dca7b0cd a80166fe 18c15250.
   The SEC1-compliant uncompressed format aff(Pw) of an affine point Pw
   corresponds to the right-concatenation of its X- and Y-coordinates,
   each in tight MSB/msb-order, prepended by the string 0x04, where the
   reverse procedure is uniquely defined, since elements of GF(p) have a
   unique fixed-size representation.  The (squeezed) compressed format
   repr(Pw) corresponds to the SEC1-compliant compressed format by
   extracting the parity bit t from the leftmost bit of the leftmost
   octet of repr(Pw), and replacing this leftmost octet with 0x02 or
   0x03, depending on whether t=0 or t=1, respectively, where the
   reverse procedure is uniquely defined.  For further details, see
   [SEC1].  Note that, due to the bit-length of the prime p, the
   squeezed compressed format repr(Pw) and the SEC1-compliant compressed
   format compr(Pw) have the same size.

   A randomized representation (t1, t2) of the point k*Pw in tight MSB/
   msb order is given by

   t1  655783099225353926682910498535559663266263823350679216116
       172951494291735730803127024621397533084891460609898061397
       896825551162064841608

       (=0xe6f93655 2765628b accfe61c 7dc6a594 e06fb243 70195ded
          74d88a53 fdedc2e8 077e0eff 62fa6a80 fa26b499 1f8796f5
          21f2f03b f7e92b88)

   t2  357918241879339174086992006475988394618511927120788596330
       507910466738735762660894972854331591097934354210992993787
       402433561014235472657

       (=0x7e0ffcaf 7add27bc bb723629 95fdedd0 8769f676 78d953bc
          0d38f4f6 d63a59dc 00f2d55a a4db7dab 16364503 591edcb1
          e095a577 43dea311),

   where this representation is defined in Appendix K.5 and uses the
   mapping of Appendix K.3.1 with the default square root function.
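   The following is an added example (not code from the draft) that
   implements the squeezed representation of Appendix O for all three
   ordering conventions (the parity octet 0x00/0x80 prepended in MSB/msb
   order, appended in LSB/msb order, appended and bit-reversed in LSB/lsb
   order) together with the squeezed-to-SEC1 conversion described above,
   and checks itself against the draft's own vectors for k, Pm, Pe and
   Pw from O.1 through O.3.  Since the draft prints aff(Pw) without the
   0x04 prefix that the text describes, the example compares against the
   prefixed form; nothing beyond the draft's values is assumed.

```python
FIELD_OCTETS = 56  # tight octet length of a GF(p) element, Curve448 family

def _bitrev8(b: int) -> int:
    """Reverse the bit order within one octet (msb <-> lsb bit convention)."""
    return int(f"{b:08b}"[::-1], 2)

def _reorder(msb_msb: bytes, model: str) -> bytes:
    """MSB/msb octets -> the model's order: weierstrass unchanged, montgomery
    octets reversed (LSB/msb), edwards octets and bits reversed (LSB/lsb).
    Every case is an involution, so the same function also decodes."""
    if model == "weierstrass":
        return msb_msb
    if model == "montgomery":
        return msb_msb[::-1]
    if model == "edwards":
        return bytes(_bitrev8(b) for b in msb_msb[::-1])
    raise ValueError(f"unknown curve model {model!r}")

def encode_scalar(k: int, model: str) -> bytes:
    """repr(k): the private key as a 56-octet string in the model's ordering."""
    return _reorder(k.to_bytes(FIELD_OCTETS, "big"), model)

def squeeze(kept: int, other: int, model: str) -> bytes:
    """Kept coordinate (u, y or X) plus the parity octet 0x00/0x80 of the other
    one (v, x or Y); the octet is leftmost for Weierstrass, rightmost otherwise,
    and is itself bit-reversed under LSB/lsb (0x80 -> 0x01, cf. repr(Pe))."""
    body = _reorder(kept.to_bytes(FIELD_OCTETS, "big"), model)
    parity = 0x80 if other & 1 else 0x00
    if model == "weierstrass":
        return bytes([parity]) + body
    if model == "edwards":
        parity = _bitrev8(parity)
    return body + bytes([parity])

def unsqueeze(rep: bytes, model: str) -> tuple:
    """Inverse of squeeze(): returns (kept coordinate, parity bit t)."""
    if len(rep) != FIELD_OCTETS + 1:
        raise ValueError("a squeezed point is 57 octets")
    if model == "weierstrass":
        parity, body = rep[0], rep[1:]
    else:
        body, parity = rep[:-1], rep[-1]
        if model == "edwards":
            parity = _bitrev8(parity)
    if parity not in (0x00, 0x80):
        raise ValueError("malformed parity octet")  # only bit t may be set
    return int.from_bytes(_reorder(body, model), "big"), parity >> 7

def sec1_compressed(rep_w: bytes) -> bytes:
    """Squeezed Weierstrass point -> SEC1 compressed form 0x02/0x03 || X."""
    x, t = unsqueeze(rep_w, "weierstrass")
    return bytes([0x02 | t]) + x.to_bytes(FIELD_OCTETS, "big")

def sec1_uncompressed(x: int, y: int) -> bytes:
    """SEC1 uncompressed form 0x04 || X || Y, coordinates in tight MSB/msb order."""
    return b"\x04" + x.to_bytes(FIELD_OCTETS, "big") + y.to_bytes(FIELD_OCTETS, "big")

# Inputs copied from the draft (O.1-O.3) as tight MSB/msb hex.  The Y of Pw
# equals the v of Pm, since Wei448 only translates the u-coordinate of Curve448.
K = int("dcb3bbb9e42d7acafe62052d902123c70872b9844c1e199f7c5d37bd1171102b"
        "c20a6352d9c9188629b685de51441e843afe26655251aa80", 16)
U_M = int("bbb91ba3b0ef74c3214394b4d8f0d32dc4a921935f57300939fd86a38d54be2a"
          "4d63380b692381bbed7339fddca7b0cda80166fe18c086c3", 16)
V_M = int("6bb38e828d52337f6f0395efdc16c77652162f5e309112aefc7401bf0cfb0499"
          "eb1ed555bf507ebcc33b47532d6dc6c5d68dea1cc1e4c1fd", 16)
X_E = int("2cc52fd16370554f00c0f73f64bda240f5950177d9033f6d74acd12d68c79a51"
          "315f556f240973f9e5f71ed79314ee9dc87f0b1bbcc0fd1b", 16)
Y_E = int("f3e8bb95c9675fd00c388fc5e96cfbc73c19d9457684997934c4ab6073c4a763"
          "c2a89bacd3879838f4de11a33a4710c2396dea1dcc012956", 16)
X_W = int("6663c64e5b9a1f6dcbee3f5f839b7dd86f53cc3e0a01dab3e4a8314e8d54be2a"
          "4d63380b692381bbed7339fddca7b0cda80166fe18c15250", 16)

# Encodings as printed in the draft (aff(Pw) is printed there without 0x04).
EXPECTED = {
    "repr(k) LSB/msb": "80aa51526526fe3a841e4451de85b6298618c9d952630ac22b107111bd375d7c"
                       "9f191e4c84b97208c72321902d0562feca7a2de4b9bbb3dc",
    "repr(k) LSB/lsb": "01558a4aa6647f5c2178228a7ba16d946118939b4ac65043d4088e88bdecba3e"
                       "f9987832219d4e10e3c48409b4a0467f535eb4279dddcd3b",
    "repr(Pm)": "c386c018fe6601a8cdb0a7dcfd3973edbb8123690b38634d2abe548da386fd39"
                "0930575f9321a9c42dd3f0d8b4944321c374efb0a31bb9bb80",
    "repr(Pe)": "6a948033b857b69c4308e25cc5887b2f1c19e1cb35d91543c6e523ce06d5232c"
                "9e99216ea29b983ce3df3697a3f11c300bfae693a9dd17cf01",
    "repr(Pw)": "80" + f"{X_W:0112x}",
    "compr(Pw)": "03" + f"{X_W:0112x}",
    "aff(Pw)": "04" + f"{X_W:0112x}{V_M:0112x}",
}

def check_draft_vectors() -> dict:
    """Recompute every encoding above; returns name -> True/False."""
    pw = squeeze(X_W, V_M, "weierstrass")
    got = {"repr(k) LSB/msb": encode_scalar(K, "montgomery").hex(),
           "repr(k) LSB/lsb": encode_scalar(K, "edwards").hex(),
           "repr(Pm)": squeeze(U_M, V_M, "montgomery").hex(),
           "repr(Pe)": squeeze(Y_E, X_E, "edwards").hex(),
           "repr(Pw)": pw.hex(),
           "compr(Pw)": sec1_compressed(pw).hex(),
           "aff(Pw)": sec1_uncompressed(X_W, V_M).hex()}
    return {name: got[name] == EXPECTED[name] for name in EXPECTED}
```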
   This representation can also be expressed in tight MSB/msb order as
   the pair ((u1,s1),(u2,s2)), where (s1,s2):=(0,0) and where

   u1  276116573473684049599673971142041943002546018725744504858
       999210132924481156665376801365226215725437541502686055399
       974543995300346621026

       (=0x6140460c 1860a8cb 7c8ab942 b9509a84 95b4093c 95be5c8b
          df46e24c 069fe28a a23e4bfc 5bc29543 ee9ff503 febb80c8
          eb207253 8d7c6c62)

   u2  128692595060487759871442054704123965938223087241863768179
       405512569340496286539849938457727539660932642464491037369
       291713756051590336193

       (=0x2d53abf2 370638a2 c2d38efe 718d0189 18d15d15 f132741b
          34405174 97fc0884 0c6be3a5 d9c201b9 cb0c3637 2674078e
          59ac8cd7 4f9fcec1),

   where this uses the default completed mapping defined in Appendix K.6
   and the mapping of Appendix K.4.1 (with the default square root
   function).

O.4.  Example with Wei448.1

   Pw1=(X, Y), k*Pw1=(X1, Y1), and (k+1)*Pw1=(X2, Y2) with Wei448.1:

   X   41414505267302962826496323862800346730148184600706317030200831678
       13123337737005257876668389910719145841028692415431602235556184165
       13314

       (=0x91ddb90a 3c19f561 21de39ad a8c6bb00 579a6d2d 9ff6b810
          b109bf41 6e4e6227 0fc34010 be9ec68e 5ca11111 bc99e998 cff0f6db
          f4225122).

   Y   21678703524693091005728527221124083240889481089231739678311939020
       43874709051080711177237887514058399787606848450432099149433728340
       08081

       (=0x4c5ac727 121de1f1 be917280 829a6d4c 9f615e3a 879a7dfd
          50f8bdcc 75d5856b 1d01ffaa 44e5ba0a ed0e341d 9383e15a 6cd48db8
          c1e26c11).

   X1  21211734920525001827254082557112140340208109740004519264558098189
       40985376833176210029490012696175276046779431389727351279961384020
       21113

       (=0x4ab5bb5f ca80119b 6280f5d1 aec51745 23ab57ab 4d617195
          38f453dd 2e8d9b66 a5417d1b ed0cee3d 4d6c84ca abda1d41 b7a805dc
          cbaefef9).
   Y1  14152482531219571027190110620355502977165146571026919001455348108
       06142769037926777863731011790633441497896003632149582109867558046
       16181

       (=0x31d8b337 09272016 25d2f9d6 cb0e2396 b7088c79 ffc8571f
          6dc9bfe9 9e0783d4 1f684439 c02981f1 83f6696d 9c0377c9 431b8186
          f503d5f5).

   X2  30394319241133688143587947164786865078477223372122681434460686381
       23744153597949961703624604448300529949032402198106459850911229168
       46262

       (=0x6b0d487d cba3633b 034f65a5 bbd1c8eb 1b6dcb1f 8d787db1
          a581c08d ad23cbcd 6faa39d5 36731645 fd2fd6c0 03367bff 9093d29d
          550d6ab6).

   Y2  18866191129065867707969757296934620738822864945913956797432892866
       18725386530370846638505587040510045280940919798896557156654042590
       85719

       (=0x4272da7b 7ad66918 144ae679 3811eb6b 2124b02f 42fd51f2
          34e6f3ea 6285d40e 43cf726f 585b7e74 c4448acb b0c3ab89 d5a55678
          c4622d97).

   The representation of k and the compressed representations of Pw1 and
   k*Pw1 in tight MSB/msb-order are given by

   repr(k)      =0xdcb3bbb9 e42d7aca fe62052d 902123c7 0872b984 4c1e199f
                  7c5d37bd 1171102b c20a6352 d9c91886 29b685de 51441e84
                  3afe2665 5251aa80;

   repr(Pw1)    =0x80 91ddb90a 3c19f561 21de39ad a8c6bb00 579a6d2d
                  9ff6b810 b109bf41 6e4e6227 0fc34010 be9ec68e 5ca11111
                  bc99e998 cff0f6db f4225122;

   repr(k*Pw1)  =0x80 4ab5bb5f ca80119b 6280f5d1 aec51745 23ab57ab
                  4d617195 38f453dd 2e8d9b66 a5417d1b ed0cee3d 4d6c84ca
                  abda1d41 b7a805dc cbaefef9,

   where the leftmost bit of the leftmost octet indicates the parity of
   the Y-coordinate of the point of Wei448.1 in question (which, in this
   case, is one for both points, since Y and Y1 are odd).  See Appendix
   H.1 and Appendix I for further detail on (squeezed) point
   compression.
   A randomized representation (t1, t2) of the point k*Pw1 in tight MSB/
   msb order is given by

   t1  303494474566270819668963081208440311422386279248346372989
       800906749888679443057479207554461646083343330145746687567
       323228377891922156528

       (=0x6ae4d2fc 57e63e5e bfdc44e6 5148d1bd b30b7c7b 2ca2a66a
          8a2bea6c 69113c79 7a4d6d0f 3c89b06a 3883ab2c e7d73f42
          24c82419 391e9bf0)

   t2  637873534161581517938168102871523640780662020357386089328
       144426836947858617075256828298188817117945599296940030103
       858866119361786506090

       (=0xe0aa61c1 213a19b4 a9fddbb3 4c1377d0 4cd1fb84 017a1719
          e57b243b 31b13406 d5d77138 23c5a1b8 4fe271a5 2e53c98f
          900f2900 d1e76b6a),

   where this representation is defined in Appendix K.5 and uses the
   mapping of Appendix K.3.1 with the default square root function.

   This representation can also be expressed in tight MSB/msb order as
   the pair ((u1,s1),(u2,s2)), where (s1,s2):=(1,0) and where

   u1  258036413119309433113527846878476684681744445436114935036
       372455666259396397921645423893888406553811930237985641251
       551672383206550397837

       (=0x5ae20fb6 5cafa07a 40421568 72419f49 dc31cbe9 766806f6
          8b1dbd7f 628c8ecf 10577848 e2e87ac2 fead0f09 6726ee34
          c2ed465f 5b7be38d)

   u2  193962140052429320576140519455776109491178991023347646634
       723564200925012444187815484406230413980100291233975929881
       580671116555136082409

       (=0x4450c0ba ba9ee42a 4723b3b4 dbe7613f a78a2feb ee01752f
          9f8f51d6 41476eb8 041c9d87 d1b6df7b 9c6b48ad 2cdf4c20
          02d22f0c fbf521e9),

   where this uses the default completed mapping defined in Appendix K.6
   and the mapping of Appendix K.4.1 (with the default square root
   function).

O.5.  Example with Wei448.-3

   Pw3=(X, Y), k*Pw3=(X1, Y1), and (k+1)*Pw3=(X2, Y2) with Wei448.-3:

   X   54121793865726175505902038600562190720650456678500106168173285986
       99999531708218763586616425010404811083912084906688745035466757984
       48968

       (=0xbe9f5a23 51709e13 d5ad50c2 a27be8ee 1b051970 2580d5c3
          c2de7f75 3010635e d89ef547 8b67dc54 16d63c5b 1cc1116f dd453515
          71b39b48).

   Y   14962282101304548030627835311887275833718070818965306362006934455
       59168773381983445709256615887526455657034051121085622763637035580
       12661

       (=0x34b2dcc4 92d6a940 e6249c14 122d0ba4 5dc040e9 3f060d8f
          a65fa300 eb3cc969 25188b59 2d31039c f7a8e14a 48320a32 efe9b42b
          986afef5).

   X1  18808295916646645825216065847266150404062470629833854840155953858
       63091795696773741607659794828181692381790403935750135247605982648
       6547

       (=0x069fdd7c 2ec1ecbf d3cd0e27 1e8110c6 d2e478f2 aa393928
          64a5511e da0b8dc7 3834fd57 b5ef8527 361a8176 c6da44ee 63701c0c
          f49d7d13).

   Y1  12212945244064471634326466576257313927639904273911210953487761656
       77684161144865373513143868308041748047828401098060667767703779846
       85920

       (=0x2b03e68e b61581c4 9f977443 3e1ddc63 976f8f1d cdb185ee
          9c53328d b425973d 359bbc09 468645c4 0996a2c7 fda561be acb4d0b5
          745ab760).

   X2  58672976485086436102048679093716482249296622848351051568512020319
       97872083950108489407370832733527154843728068195507632886574086695
       12670

       (=0xcea6f66e e741e7b3 ee50acd4 bd6eacbf 821fab72 bf5fe85b
          8f614af9 04aff677 15e820b9 e4bcc159 f67a97f3 2c176d2c d9b7cdeb
          f753f3de).

   Y2  63661899992109030051219177516378471383513217472497460517936503629
       79522840238080543318627428149249774773108009447466292682661818280
       41265

       (=0xe0394408 ed2b4efb b6b6ac7e bc815516 fdf31a6e d32db3f9
          54cd8ac1 c7ddf0cc e7507688 a70f219a 57eef863 49003560 66747ca3
          00105a31).
   The representation of k and the compressed representations of Pw3 and
   k*Pw3 in tight MSB/msb-order are given by

   repr(k)      =0xdcb3bbb9 e42d7aca fe62052d 902123c7 0872b984 4c1e199f
                  7c5d37bd 1171102b c20a6352 d9c91886 29b685de 51441e84
                  3afe2665 5251aa80;

   repr(Pw3)    =0x80 be9f5a23 51709e13 d5ad50c2 a27be8ee 1b051970
                  2580d5c3 c2de7f75 3010635e d89ef547 8b67dc54 16d63c5b
                  1cc1116f dd453515 71b39b48;

   repr(k*Pw3)  =0x00 069fdd7c 2ec1ecbf d3cd0e27 1e8110c6 d2e478f2
                  aa393928 64a5511e da0b8dc7 3834fd57 b5ef8527 361a8176
                  c6da44ee 63701c0c f49d7d13,

   where the leftmost bit of the leftmost octet indicates the parity of
   the Y-coordinate of the point of Wei448.-3 in question (which, in
   this case, are one and zero, respectively, since Y is odd and Y1 is
   even).  See Appendix H.1 and Appendix I for further detail on
   (squeezed) point compression.

   A randomized representation (t1, t2) of the point k*Pw3 in tight MSB/
   msb order is given by

   t1  450833060883286904091316612794941178576639837300736625958
       696097131313213727115363096930063001237631586932727905179
       306828042642854311987

       (=0x9ec9ba07 3fb2bb5e 9dbee995 067ce094 63601ecd 325f0930
          aea79cb8 745fa71d 4caa37ee f04fab67 ab2de747 4ac0a025
          830f4828 429cf833)

   t2  339205723274519707955026734148022275762579914421865223818
       363622725164496136165251928391223173879522521195772276587
       373445978123589677750

       (=0x7778c1f9 9d900633 d161d7ea a963ddad e9101d3f f4f04710
          623d2a51 6ca10133 3db9ccc3 86df9271 fbb72740 77f79dd1
          9aed0bfb e3bc72b6),

   where this representation is defined in Appendix K.5 and uses the
   mapping of Appendix K.3.1 with the default square root function.
   This representation can also be expressed in tight MSB/msb order as
   the pair ((u1,s1),(u2,s2)), where (s1,s2):=(0,1) and where

   u1  589255274721777493669102139212346422449226408440608788354
       266603544786997157375671957901717836941301424106139118763
       92799989153446639329

       (=0x14c11156 85eab1a5 f6c00d37 a3f6bd73 fe403dd1 31e337e7
          15927c25 0264a8f8 d2cd661e b5138468 92a3b91d 09284398
          17c2e361 96fa36e1)

   u2  213991023129828413030692573508989139610229330687681826719
       574082317313789459478773972345123463766002343322541837566
       496527438452046182709

       (=0x4b5eac5a 3632b273 012a1050 7762eba4 8df1ccad 16dd9e6f
          d68e57a9 89de5a0c 1eda0951 e4f3de0e 39f5c37b 2f8f04d5
          52c093d8 fb983935),

   where this uses the default completed mapping defined in Appendix K.6
   and the mapping of Appendix K.4.1 (with the default square root
   function).

O.6.  Example with Edwards448

   Pe1=(x, y), k*Pe1=(x1, y1), and (k+1)*Pe1=(x2, y2) with Edwards448:

   x   70320395893028961673046639985409870226249442701760956079298956688
       26896600999421897751877804946848997852325361659665744287620719558
       67733

       (=0xf7acf3ca b79b29c2 aa44863d 9edaeca4 8c90ad84 e460df42
          7dd9ab59 1bd8a844 07cb3419 59309b33 1e22bfa1 a2d37e10 e2e42a1f
          170f0855).

   y   70628706854857281648863291487942166052137991441320055237644304464
       58787938273165391464653528929699350754224243613996187734424074211
       98773

       (=0xf8c2f181 3bceee8e 085ecd70 d1b6aa4c ea9b95bd 8f36ab44
          c79e9124 1ea625b7 f9f5ec57 89cc5af2 a2eb255a b252b874 509dc0d9
          685841b5).

   x1  38125875041649701211705790554244713713134918749445854542272999596
       74058986304488795258334978838809456257721496105769894880185657328
       40277

       (=0x864880b9 e1900c68 ba4a545a 6fe2b161 62dcc3b9 fa218e4b
          feba9828 5cee5193 f2c989f6 c3b94eb6 2914dce7 b4818e4d 8fc8d51f
          05a13355).
   y1  11060653846610182753991162627427631707898421166839907726978369444
       53337541552746428662176632660036639406375548888849623833963458813
       1154

       (=0x03e54af3 7f4cf5e6 5f1e2acd 5c4a4554 76adc652 b198ab2a
          719e5aa9 ee749871 0193da82 ab6d000b f55836b1 0615653f 69514297
          f4459f52).

   x2  15620503788413497044804517304021524439062374489822547728508337937
       50606335270276724725939683726318058744384611584731365019896485812
       8760

       (=0x05806f71 95e85352 ef3960ac 1ff9cf6c 3c99e0ee 2e75edfc
          a133cafc 4a4b5fbf e4339859 c5fa123b 70ad2faf 7584ab9d 264540e7
          7d560978).

   y2  40019917514121727463122190125689377890703570698337158159153510836
       68442386516751945577468473801561261386285902585868517988506010293
       44096

       (=0x8cf44811 3cec6e07 d1bbe9f5 4062075c 6fec0ac5 31272dce
          1f446aeb d895373d e312c18d 6a345755 2861e014 0cc23158 a46ace4c
          9ca21b60).

   The representation of k and the compressed representations of Pe1 and
   k*Pe1 in tight LSB/lsb-order are given by

   repr(k)      =0x01558a4a a6647f5c 2178228a 7ba16d94 6118939b 4ac65043
                  d4088e88 bdecba3e f9987832 219d4e10 e3c48409 b4a0467f
                  535eb427 9dddcd3b;

   repr(Pe1)    =0xad821a16 9b03b90a 2e1d4a4d 5aa4d745 4f5a3391 ea37af9f
                  eda46578 248979e3 22d56cf1 bda9d957 32556d8b 0eb37a10
                  717773dc 818f431f 01;

   repr(k*Pe1)  =0x4af9a22f e9428a96 fca6a860 8d6c1aaf d000b6d5 415bc980
                  8e192e77 955a798e 54d5198d 4a63b56e 2aa2523a b35478fa
                  67af32fe cf52a7c0 01,

   where the rightmost bit of the rightmost octet indicates the parity
   of the x-coordinate of the point of Edwards448 in question (which, in
   this case, is one for both points, since x and x1 are odd).  See
   Appendix H.3 and Appendix I for further detail on (squeezed) point
   compression.

   The scalar representation and (squeezed) point representation
   illustrated above are fully consistent with the representations
   specified in [RFC8032].
   Note that, contrary to [RFC7748], [RFC8032] requires unique
   representations of all elements of GF(p).

   A randomized representation (t1, t2) of the point k*Pe1 in tight LSB/
   lsb order is given by

   t1  125390048858887400104074787879402833851854739339836093733
       734638776755983021034212058415891288350265701101219981698
       849086128138510420407

       (=0xed921f3d 6ea4e452 dd06e783 782cbeb3 c5847a79 d9e6b993
          bd387cf5 feeddafe af8c038d f2732362 92724d37 273eedfc
          f2ab2499 98a79434)

   t2  493324858478481242405018423865550638507715454654135514168
       842560149827360763382889199963980056979895918545280883247
       787003997982869314731

       (=0xd53a5125 193b6ab9 8db48161 20fb4865 02cf0546 3b48d8a6
          514af28f 43c026cb 0f2ff3d5 e558bb03 4b833cd1 1ca710cc
          9bf0c2a3 351083b5),

   where this representation is defined in Appendix K.5 and uses the
   mapping of Appendix K.3.3 with the default square root function and
   underlying 4-isogenous mapping between Edwards448 and Curve448 of
   Appendix N.2.
   This representation can also be expressed in tight LSB/lsb order as
   the pair ((u1,s1),(u2,s2)), where (s1,s2):=(0,0) and where

   u1  135993582308059710871118067705651831584215992415511174727
       255533641033816319052989477276487981998957706382391254504
       484510842833065141388

       (=0x31276f5f d399d1cd 5d18c46a eba5388f 93effaf7 9574b23b
          ce34ba45 5050c160 477ae803 9c3112be 596281a7 b7ae4da6
          e9dd7688 191fa7f4)

   u2  300725936379847215929002275525633229576034707671620463143
       626393832660436027759737097637786753095880885199368686863
       187789449179730426477

       (=0xb65c5ee8 597b5b55 a87e266f b9c1f5cb 5d224ec3 8fb22f32
          b0378e70 47ecc389 9585b06e 7fb4f70b 38a3b453 ab5c03d8
          37b5093b 9a4cd796),

   where this uses the default completed mapping defined in Appendix K.6
   and the mapping of Appendix K.4.3 (with the default square root
   function) and underlying 4-isogenous mapping between Edwards448 and
   Curve448 of Appendix N.2.

Appendix P.  Random Integers in Z_n

   Any probability distribution on the interval [0,N-1] can be converted
   to a probability distribution on [0,n-1], via a suitable function
   that maps inputs from the source distribution [0,N-1] to values in
   the interval [0,n-1].  We consider three such functions, each with
   the property that if the source distribution on [0,N-1] is
   statistically close to the uniform distribution, then so is the
   output distribution on [0,n-1].  (Here, we assume n and N to be
   integers of cryptographic interest, i.e., large integers.)  In
   practical applications, one can use these functions to convert the
   output of a cryptographically strong random bit generator (where N is
   a power of two and after conversion of the random bit string to an
   integer via the BS2I mapping of Appendix I.2) to a pseudo-random
   integer in the interval [0,n-1], where the bias is small if N is
   suitably picked.
We consider mappings that convert an output of the source distribution to an integer in the interval [0,n-1] via modular reduction (Appendix P.1), via scaling (Appendix P.2), or via a membership test (Appendix P.3). For suitably picked N values and not too poor source distributions, the first two mappings never fail and any bias introduced by the conversion process can be made negligible in practice, while the third mapping (if it does not fail) inflates the bias by a small factor only in practice. (For details, see the remarks following each of the mappings below.)

NOTE: Each of the mappings below may yield a zero output value. One can modify each such mapping to always yield nonzero outputs, by setting output x to 1 if the original mapping would yield x=0 for a specific input y and leaving the mapping the same otherwise (henceforth called the modified conversion function). This modification has negligible impact on the bias and does yield a conversion function to integers in the interval [1,n-1]. A similar remark applies if n=h*n1, where h is a small integer: in that case, one can locally modify each mapping to always yield outputs in the interval [0, h*n1-1] that are not divisible by n1, simply by setting output x to x+1 if the original mapping would otherwise yield x=0 (mod n1). (Notice that both modifications coincide if h=1.) These modifications may be useful if one wishes to generate integers in an interval of size n and where one wishes to avoid specific output values (e.g., if one wishes to generate high-order points of a curve of order h*n1, with co-factor h (see Appendix B.1)). For simplicity, we again refer to this as "the" modified conversion function (or h-modified conversion function, if h is not clear from context).

P.1.  Conversion to Integers in Z_n via Modular Reduction

This function maps each integer y in the interval [0,N-1] to its remainder modulo n, i.e., y is mapped to x:= y (mod n).

One can show that the bias introduced by this conversion function is at most epsilon:=2*rho*(1-rho)/(N/n), where r:=N (mod n) and where rho:=r/n. Details are out of scope.

Note that if n does not divide N, this invariably introduces some bias, no matter the quality of the source distribution. In particular, the statistical distance of the distribution on Z_n can be much larger than the statistical distance of the source distribution on Z_N, since the bias introduced by the modular reduction step may be significantly larger than the bias of the source distribution on Z_N if the value rho above is not close to zero or one and if n/N is not sufficiently small. The maximum bias is, however, easy to determine from n and N. In particular, if the bit-length of N is sufficiently larger than that of n, the bias introduced by the modular reduction operation is negligible in practice. The same holds if N is close to a multiple of n (e.g., if n is close to a power of two and the input distribution is generated by a high-quality random bit generator with outputs of fixed bit-length).

Note: In practice, one does not determine the maximum bias epsilon from n and N, but rather specifies a required upper bound (usually set to a value at most 2^{-64}) for epsilon and subsequently determines the minimal value of N (where N is a power of two) for which this upper bound indeed applies, as a function of n. Table 4 illustrates this for several curves of practical interest.
   +----------------------------+--------------+----------------+
   | Curve                      | eps0=2^{-64} | eps0=2^{-100}  |
   +----------------------------+--------------+----------------+
   | NIST P-224 [FIPS-186-4]    | 224          | 224            |
   | NIST P-256 [FIPS-186-4]    | 288          | 352            |
   | NIST P-384 [FIPS-186-4]    | 384          | 384            |
   | NIST P-521 [FIPS-186-4]    | 521          | 521            |
   | brainpoolP224r1 [RFC5639]  | 287          | 323            |
   | brainpoolP256r1 [RFC5639]  | 319          | 354            |
   | brainpoolP320r1 [RFC5639]  | 379          | 417            |
   | brainpoolP384r1 [RFC5639]  | 445          | 482            |
   | brainpoolP512r1 [RFC5639]  | 575          | 608            |
   | Curve25519 [RFC7748]       | 252          | 252            |
   | Wei25519 [Appendix E.3]    | 252          | 252            |
   | Wei25519.2 [Appendix G.3]  | 252          | 252            |
   | Wei25519.-3 [Appendix G.3] | 252          | 252            |
   | Curve448 [RFC7748]         | 446          | 446            |
   | Wei448 [Appendix M.3]      | 446          | 446            |
   | Wei448.1 [Appendix N.3]    | 446          | 446            |
   | Wei448.-3 [Appendix N.3]   | 446          | 446            |
   | secp256k1.m [Appendix L.3] | 256          | 256            |
   +----------------------------+--------------+----------------+

   Table 4: Minimum value of m for which the bias (epsilon) introduced by converting integers in Z_N, where N:=2^m, to integers in Z_n via modular reduction or via scaling is lower than the indicated eps0 value, for some curves of practical interest (where n is the order of the base point of the curve in question).

P.2.  Conversion to Integers in Z_n via Scaling

This function maps each integer y in the interval [0,N-1] to the integer x:=floor(n*y/N), where the floor function rounds real numbers downwards to an integer (i.e., floor(z) is the unique integer i for which z is an element of the interval [i,i+1) of real numbers).

One can show that the bias introduced by this conversion function is at most epsilon:=2*rho*(1-rho)/(N/n), where r:=N (mod n) and where rho:=r/n. Details are out of scope.

The same remarks as in Appendix P.1 apply.
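The bias bound and the conversion mappings of this appendix, worked in Python as an added example that is not part of the draft. It reproduces the Table 4 entries for NIST P-256, Curve25519 and Curve448 from their base-point orders (taken from FIPS 186-4 and RFC 7748), implements the modified conversion function of the NOTE above, and includes the discard method of Appendix P.3 for comparison.

```python
from fractions import Fraction
import secrets

# Base-point orders n of three curves from Table 4: NIST P-256 [FIPS-186-4]
# and Curve25519/Curve448 [RFC7748] (the Wei25519 and Wei448 curves of this
# document share these orders).
N_P256 = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
N_25519 = 2**252 + 27742317777372353535851937790883648493
N_448 = 2**446 - 0x8335dc163bb124b65129c96fde933d8d723a70aadc873d6d54a7bb0d


def bias_bound(n, N):
    """epsilon := 2*rho*(1-rho)/(N/n), with r := N (mod n) and rho := r/n,
    the bound of Appendices P.1 and P.2, evaluated exactly."""
    rho = Fraction(N % n, n)
    return 2 * rho * (1 - rho) * Fraction(n, N)


def min_bits(n, eps0_log2):
    """Smallest m for which bias_bound(n, 2**m) < 2**-eps0_log2: the Table 4
    entry for a curve of order n. The search starts below bitlen(n) because,
    as for Curve25519, m can be smaller than the bit-length of n."""
    eps0 = Fraction(1, 2**eps0_log2)
    for m in range(1, n.bit_length() + 256):
        if bias_bound(n, 2**m) < eps0:
            return m
    raise ValueError("bound not reached")


def via_reduction(y, n, N):
    """P.1: x := y (mod n)."""
    return y % n


def via_scaling(y, n, N):
    """P.2: x := floor(n*y/N), a right shift by m bits when N = 2^m."""
    return n * y // N


def via_discard(y, n, N):
    """P.3: identity on [0, n-1]; None signals failure for y >= n."""
    return y if y < n else None


def h_modified(x, n1):
    """The (h-)modified conversion function of the NOTE in Appendix P: an
    output x = 0 (mod n1) becomes x+1, so with n1 = n the result lies in
    [1, n-1] and with n = h*n1 it is never divisible by n1."""
    return x + 1 if x % n1 == 0 else x


def random_scalar(n, eps0_log2=64):
    """Nonzero scalar in [1, n-1] from an m-bit CSPRNG output (the BS2I
    integer of the bit string), with m chosen so that the reduction bias
    is below 2**-eps0_log2."""
    m = min_bits(n, eps0_log2)
    y = secrets.randbits(m)
    return h_modified(via_reduction(y, n, 2**m), n)


def table4_row(n):
    """(m for eps0 = 2^-64, m for eps0 = 2^-100), as listed in Table 4."""
    return (min_bits(n, 64), min_bits(n, 100))
```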
Note: this mapping corresponds to interpolation on the line with endpoints (0,0) and (N,n), where values are truncated to integers. The division operation in this conversion function reduces to a binary string truncation operation if N is a power of two (which is often the case in practice). See also [comm-FIPS-186-5], pp. 80-82.

P.3.  Conversion to Integers in Z_n via the Discard Method

This function (defined for N at least n) is the identity map on the interval [0,n-1] and fails for each integer y outside this interval.

One can show that the statistical distance of the distribution on Z_n is at most roughly N/n times as large as the statistical distance of the source distribution on Z_N (if the latter is relatively negligible compared to n/N). Details are out of scope.

Note that, under the above conditions, if N:=2^m and if n has bit-length m, this conversion function fails with probability 1 - n/N (which is at most 1/2) and, if it succeeds, does not inflate the statistical distance by more than (roughly) a factor two.

Appendix Q.  ECDSA signatures

The ECDSA signature scheme is specified in FIPS Pub 186-4 [FIPS-186-4], ANSI X9.62-2005 [ANSI-X9.62], SEC 1 [SEC1], and many other standards and can be instantiated with suitable combinations of short-Weierstrass curves and hash functions (that satisfy particular cryptographic criteria). Despite its widespread use, some details seem less well understood. We, therefore, provide a concise specification of ECDSA (for short-Weierstrass curves defined over a prime field GF(p)) and give some examples of ECDSA computations where the underlying short-Weierstrass curve has co-factor h>1 and where the bit-length of the domain parameter n differs from the digest size of the used hash function, illustrated with the curves Wei25519 and Wei448 introduced in this document. Our description is consistent with all aforementioned standards.

The signing operation takes as inputs a message m (represented as a bit string) and a private key d in the interval [1,n-1] and produces as output a signature, which is an ordered pair (r, s) of integers in the interval [1,n-1], where n is the order of the base point G of the curve in question. The signature verification operation takes as inputs a message m, a public key Q, and a signature (r,s) and produces as output the value "valid" or "invalid", depending upon whether the message was purportedly signed by a holder of the private key of the public-private key pair (d, Q) for the curve used with the signature scheme. Full details are provided below, where we denote the applicable hash function by H.

Q.1.  ECDSA Signing Operation

The signing operation involves the following steps:

   a. Generate a random ephemeral public-private key pair (k, R:=k*G), by generating a random integer k in the interval [1,n-1] and computing R:=k*G (see, e.g., Appendix B.1);

   b. Compute k1:=(1/k) (mod n) (see, e.g., NOTE 1 of Appendix K.2);

   c. Set xR to the x-coordinate of the (affine) point R, convert this element of the field GF(p) to the integer r0 in the interval [0,p-1], and set r:= r0 (mod n), where xR is converted to r0 by subsequently using the FE2OS and OS2I mappings of Appendix I.5 and Appendix I.3, respectively;

   d. Compute the hash value E:=H(m) according to the applicable hash function H, where E is a bit string of length hashlen (the digest size of H);

   e. Represent E as the integer e in the interval [0, 2^l-1], where e is the integer representation of the l-prefix of E, using the BS2I mapping of Appendix I.2, and where l is the bit-length of n. (For a definition of the l-prefix, see Appendix I.1);

   f. Compute s:= k1*(e+ r*d) (mod n). Securely destroy k and k1;

   g. Return to the first step (Step a) if r and s are not both integers in the interval [1,n-1];

   h. Output the ordered pair (r, s) as the signature.

Q.2.  ECDSA Verification Operation

The verification operation involves the following steps:

   a. Check that the purported signer's public key Q is a point of the curve in question of order n (and output "reject" if this is not the case);

   b. Check that the coordinates of the purported signature (r, s) are both integers in the interval [1,n-1] (and output "reject" if this is not the case);

   c. Compute the hash value E:=H(m) according to the applicable hash function H, where E is a bit string of length hashlen (the digest size of H);

   d. Represent E as the integer e in the interval [0, 2^l-1], where e is the integer representation of the l-prefix of E, using the BS2I mapping of Appendix I.2, and where l is the bit-length of n. (For a definition of the l-prefix, see Appendix I.1);

   e. Compute s1:=(1/s) (mod n) (see, e.g., Appendix K.2); compute u:= e*s1 (mod n) and v:= r*s1 (mod n);

   f. Compute the point R':= u*G+v*Q. Check whether R' is the identity element O of the curve (and output "reject" if this is the case);

   g. Set xR' to the x-coordinate of the (affine) point R', convert this element of the field GF(p) to the integer r0' in the interval [0,p-1], and set r':= r0' (mod n), where xR' is converted to r0' by subsequently using the FE2OS and OS2I mappings of Appendix I.5 and Appendix I.3, respectively;

   h. Output "accept" if r'=r; output "reject" otherwise.

NOTE 1: For prime-order curves, r generally uniquely represents the x-coordinate of R (since, by the Hasse bound, |E|=n is relatively close to p). For curves with co-factor h>1, this result holds only if one would know r0 (mod h*n), rather than r:= r0 (mod n).

NOTE 2: If an ECDSA signature (r, s) is valid for a particular message m and public key Q, then so is (r,-s) -- the so-called malleability. Note that this corresponds to changing the ephemeral signing key pair (k, R) in the first step of the signing operation to (-k, -R), where the y-coordinates of R:=(xR, yR) and -R=(xR, -yR) have different parity (see Appendix H). Since any party (not just the signer) can recompute the ephemeral signing key R' from a valid signature, since R':=(1/s)(e*G+r*Q), this implies that any party can retroactively put the ECDSA signature in a form where the y-coordinate of the ephemeral signing key R has a fixed parity. This observation can be used to put ECDSA signatures in a form that generally allows unique and efficient recovery of R from r for prime-order curves (due to NOTE 1 above) and more efficient signature verification methods. Further details are out of scope.

Q.3.  Representation Examples ECDSA

We present some examples of ECDSA computations, when used with curve Wei25519 and SHA-256 (see Appendix Q.3.1), with Wei25519 and SHAKE128 with output size d0=256 (see Appendix Q.3.2), and with Wei448 and SHAKE256 with output size d0=512 (see Appendix Q.3.3). In each case, we indicate the signer's public key Q:=d*G, the ephemeral signing key R:=k*G, the message m that is signed, and some intermediate values in the ECDSA signing operation resulting in signature (r,s). We write R:=(xR, yR) and Q:=(xQ, yQ), and include the ASCII string corresponding to message m. Note that the domain parameter n of curve Wei25519 has bit-length l:=253, whereas the corresponding domain parameter for Wei448 has bit-length l:=446 (which, in either case, differs from the digest size of the underlying hash function).
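The signing and verification steps of Appendix Q.1 and Q.2, run in Python against the Wei25519/SHA-256 and P-256/SHA-256 vectors of Appendix Q.3.1 and Q.3.4; this is an added example, not code from the draft. Wei25519's domain parameters are derived from Curve25519's (A=486662, B=1, u=9 per RFC 7748) with the Montgomery-to-Weierstrass map, the base point's y-coordinate is assumed to be the odd square root (RFC 7748's v), and the ephemeral scalar k is an input so that the draft's values are reproduced (a real signer draws it at random).

```python
import hashlib

class Curve:  # y^2 = x^3 + a*x + b over GF(p); affine (x, y) tuples, None is O
    def __init__(self, p, a, b, gx, gy, n):
        self.p, self.a, self.b, self.n, self.G = p, a, b, n, (gx, gy)

    def on_curve(self, P):
        x, y = P
        return (y * y - (x * x * x + self.a * x + self.b)) % self.p == 0

    def add(self, P, Q):
        if P is None or Q is None:
            return Q if P is None else P
        p, (x1, y1), (x2, y2) = self.p, P, Q
        if x1 == x2 and (y1 + y2) % p == 0:
            return None                                   # P + (-P) = O
        if x1 == x2:                                      # doubling
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, p) % p
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
        x3 = (lam * lam - x1 - x2) % p
        return (x3, (lam * (x1 - x3) - y1) % p)

    def mul(self, k, P):
        R = None                    # double-and-add; not constant-time
        for bit in bin(k)[2:]:
            R = self.add(R, R)
            if bit == "1":
                R = self.add(R, P)
        return R

# Wei25519, derived here from Curve25519 (v^2 = u^3 + A*u^2 + u, A = 486662,
# base point u = 9 [RFC7748]) via the Montgomery-to-Weierstrass map
# a = (3 - A^2)/3, b = (2A^3 - 9A)/27, x = u + A/3, y = v.
_P, _A = 2**255 - 19, 486662
_AW = (3 - _A * _A) * pow(3, -1, _P) % _P
_BW = (2 * _A**3 - 9 * _A) * pow(27, -1, _P) % _P
_GX = (9 + _A * pow(3, -1, _P)) % _P
_RHS = (_GX**3 + _AW * _GX + _BW) % _P
_GY = pow(_RHS, (_P + 3) // 8, _P)            # square root, p = 5 (mod 8)
if (_GY * _GY - _RHS) % _P:
    _GY = _GY * pow(2, (_P - 1) // 4, _P) % _P
_GY = _GY if _GY % 2 else _P - _GY             # RFC 7748's v is the odd root
WEI25519 = Curve(_P, _AW, _BW, _GX, _GY,
                 2**252 + 27742317777372353535851937790883648493)

# NIST P-256 [FIPS-186-4], for the l = hashlen case of Appendix Q.3.4.
_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256 = Curve(_P, _P - 3,
             0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b,
             0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
             0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5,
             0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551)

def hash_e(msg, l, H=hashlib.sha256):
    # Steps d/e: e is the integer of the l-prefix of E = H(m), i.e. a right
    # shift by hashlen - l bits (hashlen < l does not occur for these curves).
    E = H(msg).digest()
    assert 8 * len(E) >= l, "l-prefix with padding is not covered here"
    return int.from_bytes(E, "big") >> (8 * len(E) - l)

def sign(curve, d, msg, k):
    # Appendix Q.1; k is an input here only to reproduce the draft's vectors.
    n = curve.n
    r = curve.mul(k, curve.G)[0] % n                   # steps a, c
    e = hash_e(msg, n.bit_length())                    # steps d, e
    s = pow(k, -1, n) * (e + r * d) % n                # steps b, f
    if r == 0 or s == 0:                               # step g
        raise ValueError("r or s is zero: retry with a fresh k")
    return (r, s)                                      # step h

def verify(curve, Q, msg, sig):
    # Appendix Q.2; True means "accept", False means "reject".
    n, (r, s) = curve.n, sig
    if Q is None or not curve.on_curve(Q) or curve.mul(n, Q) is not None:
        return False                                   # step a: order != n
    if not (1 <= r < n and 1 <= s < n):
        return False                                   # step b
    s1 = pow(s, -1, n)                                 # step e
    u, v = hash_e(msg, n.bit_length()) * s1 % n, r * s1 % n
    R2 = curve.add(curve.mul(u, curve.G), curve.mul(v, Q))   # step f
    return R2 is not None and R2[0] % n == r           # steps f, g, h

# Vectors copied from Appendix Q.3.1 (Wei25519/SHA-256) and Q.3.4 (P-256).
VEC_WEI25519 = dict(
    d=0x0a996146d73d096f6a606ad872e11b12ce973033524591c3ebcc630db6368854,
    k=0x03da4ec18dc83b535ab8857cbbd289ae40e6d25bba52923ce6b217a0348ca9f9,
    msg=b"example ECDSA w/ Wei25519 and SHA-256",
    r=0x04891e1288cf078ef3f1444cc1919e2fff907c7ced9935a1dc5dd15d4860590e,
    s=0x04030680d490837e0b50800d5052feb38181da43f14fea65d75fff8e095d8eab)
VEC_P256 = dict(
    d=0x8e9b109e719098bf980487df1f5d77e9cb29606ebed2263b5f57c213df84f4b2,
    k=0xf15dd2ec0c1f92a10b60543c20ccc85a6bc502fcc8d1fa0fcc4e0efd7e5b8ea4,
    msg=b"eyJhbGciOiJFUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ",
    r=0x0ed1215379636c483c2f7f155807d402a3b228033af97c7e17819ac3169ea665,
    s=0xc50a07d38c3c70e5d8f12daf084a5480a66590c5f293509a8f3f7f8a83a354d5)
```

For either curve, verify also accepts (r, n - s) for the same message and key, which is the malleability of NOTE 2.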
For completeness, we also provide an example of ECDSA computations, when used with NIST curve P-256 (see [FIPS-186-4]) and hash function SHA-256 (see [FIPS-180-4]), where the domain parameter n of the curve in question has bit-length l:=256, which is equal to the digest size of the underlying hash function (see Appendix Q.3.4). For details of the encoding of ASCII strings as bit strings, see Appendix I.4.

Q.3.1.  Example of ECDSA with Wei25519 and SHA-256

   d  47941274660029138864396347947568908774951195017212284524777080461
      79444885588

      (=0x0a996146 d73d096f 6a606ad8 72e11b12 ce973033 524591c3
         ebcc630d b6368854).

   xQ 34422557393689369648095312405803933433606568476197477554293337733
      87341283644

      (=0x079c3f69 9b688181 69038c35 39c11eb5 96d09f5b 12a242b4
         ce660f13 3368c13c).

   yQ 76981661982917351630937517222412729130882368858134322156485762195
      67913357634

      (=0x110501f6 1dff511e d6c4e9b9 bfd5acbe 8bf043b8 c3e381dd
         f5771306 479ad142).

   k  17426547602876470587191777825317027698752636279275919375559360929
      53735113209

      (=0x03da4ec1 8dc83b53 5ab8857c bbd289ae 40e6d25b ba52923c
         e6b217a0 348ca9f9).

   xR 38236544880946097675798638032669186189501319930946799635186226253
      710117141679

      (=0x54891e12 88cf078e f3f1444c c1919e30 67eb5dd6 1c6f45d1
         94b9c0e1 192d7caf).

   yR 24120175139256121256267158437786975197587143475570212981221664791
      614551611968

      (=0x3553890b d265d561 032e2daa 10b9820c 4845dbf8 f6b4f432
         08f5df99 c375da40).

   r  20515169942847866059327052174542149852157381340472616051764715622
      82845886734

      (=0x04891e12 88cf078e f3f1444c c1919e2f ff907c7c ed9935a1
         dc5dd15d 4860590e).

   1/k 41122695303709273156068243481808769134600808188172269288861174824
       34446546266

      (=0x0917764a 5a76024b e9608472 bfec99be 0cffacbe 0a5a6805
         0e4e75bc 36a0d55a).
   m  "example ECDSA w/ Wei25519 and SHA-256"

      (=0x65 78616d70 6c652045 43445341 20772f20 57656932 35353139
         20616e64 20534841 2d323536).

   E  10340924651306471157182528854495725311608440786255119926874295925
      4624066081637

      (=0xe49f8f34 0ac7fd87 1ca6c035 1ac83b97 2ec4711e f4a79d37
         214b6b94 c6f41365).

   e  12926155814133088946478161068119656639510550982818899908592869906
      828008260204

      (=0x1c93f1e6 8158ffb0 e394d806 a3590772 e5d88e23 de94f3a6
         e4296d72 98de826c).

   s  18145968192643101430203980459406244543409512911444833316246990876
      74236833451

      (=0x04030680 d490837e 0b50800d 5052feb3 8181da43 f14fea65
         d75fff8e 095d8eab).

The ECDSA signature (r,s) can be represented uniquely as the 64-octet string

   0x04891e12 88cf078e f3f1444c c1919e2f ff907c7c ed9935a1 dc5dd15d
     4860590e

     04030680 d490837e 0b50800d 5052feb3 8181da43 f14fea65 d75fff8e
     095d8eab,

where this string is the right-concatenation of the integers r and s, each represented as fixed-size octet string in tight MSB/msb-order using the ZnE2OS mapping of Appendix I.6. Since an ECDSA signature (r, s) is valid only if the ECDSA signature (r,-s) is, one can alternatively use the representation

   0x04891e12 88cf078e f3f1444c c1919e2f ff907c7c ed9935a1 dc5dd15d
     4860590e

     0bfcf97f 2b6f7c81 f4af7ff2 afad014c 935d1f9a b1a7b270 80b2638c
     53984542,

with the same representation conventions.

Q.3.2.  Example of ECDSA with Wei25519 and SHAKE128

   d  50032130580855419870069268521079636534051105694026315073511374709
      23129445444

      (=0x0b0fb7de 7b857528 c16cc691 f91acb6a e6f83700 c2257210
         d9ce4a66 540f5c44).

   xQ 49674872575618115649605301860097524739691386255387989689284412105
      715250815836

      (=0x6dd2fb44 ebc47199 0558875c 338b32a0 01c04e5e 54b0239f
         931ba404 43fee35c).
   yQ 19668752079014976246249662506722644231308019872013845936101364656
      882653051514

      (=0x2b7c1e81 e0d7311a 7e73c581 ac8d7478 f5d8402e a25ecf03
         2fcf49b3 ebe3ba7a).

   k  67458228593538039868031175183537823353427877783158546151245140204
      51058711301

      (=0x0eea001c 69e39d65 a93a736f 51dab17d 3c89d712 67b95dba
         28f43e6c 6d73fb05).

   xR 22710793528316744414502819712682283876956423576126122262984645007
      656889457787

      (=0x3235da86 6c184868 db1060f4 c57414ba f9dd8bbf af94eb8e
         65a26fa8 146d9c7b).

   yR 48228386115947942380117850340406514077008333836380715701663219971
      594920954196

      (=0x6aa04c98 30a51d5a 226fc67b 6ec00aa4 66eae465 432825e3
         c8da192d 330c8954).

   r  99977679631995777258326002355330115438507449798639944497879219280
      0526704820

      (=0x0235da86 6c184868 db1060f4 c57414ba bb409e23 c6ae150b
         5d6b4658 fd8c20b4).

   1/k 16237902548817115200666748510759761693156732885271500846541777492
       82633956147

      (=0x03970860 022244d0 1cee5f2e 973372d7 2000b51d 2d75731c
         0e27428a 7e723b33).

   m  "example ECDSA w/ Wei25519 and SHAKE128"

      (=0x6578 616d706c 65204543 44534120 772f2057 65693235 35313920
         616e6420 5348414b 45313238).

   E  37558481186175098606278970911021056916472038320089875122503537502
      754552388537

      (=0x530958d6 432ba571 6a20fd9b d3592234 943da1d6 57f55f07
         2ab01860 3f9f9bb9).

   e  46948101482718873257848713638776321145590047900112343903129421878
      44319048567

      (=0x0a612b1a c86574ae 2d441fb3 7a6b2446 9287b43a cafeabe0
         e556030c 07f3f377).

   s  60979034974035506260645462098255401877898928730177415844489376261
      15704732698

      (=0x0d7b4a83 96b37670 d6ef4ac7 6ce69d43 a65859de 4ecbe649
         f56a7a1f 7fb5bc1a).
The ECDSA signature (r,s) can be represented uniquely as the 64-octet string

   0x0235da86 6c184868 db1060f4 c57414ba bb409e23 c6ae150b 5d6b4658
     fd8c20b4

     0d7b4a83 96b37670 d6ef4ac7 6ce69d43 a65859de 4ecbe649 f56a7a1f
     7fb5bc1a,

where this string is the right-concatenation of the integers r and s, each represented as fixed-size octet string in tight MSB/msb-order using the ZnE2OS mapping of Appendix I.6. Since an ECDSA signature (r, s) is valid only if the ECDSA signature (r,-s) is, one can alternatively use the representation

   0x0235da86 6c184868 db1060f4 c57414ba bb409e23 c6ae150b 5d6b4658
     fd8c20b4

     0284b57c 694c898f 2910b538 931962bc 6e86a000 542bb68c 62a7e8fa
     dd4017d3,

with the same representation conventions.

Q.3.3.  Example of ECDSA with Wei448 and SHAKE256

   d  83773921833883065724152755040779926324701042667680137762329241115
      92597160376444120699241862910141955866217224630560765595890572227
      9690

      (=0x1d818b12 92af6ef4 3f0ed657 b55d2ab7 a0cd1e64 516414d1
         d32ea610 dd6dddbe af65bc96 df648e6d fac1b907 6588b37e 984d5860
         7390970a).

   xQ 40351504322781497250899987383866753965468971276834772118588405333
      77140867939355980788573436893357369201402928958042617224896092079
      46142

      (=0x8e1f426a 4a1af133 ff970fe2 76693c7a eaa78786 361b1cfe
         4ccbd786 e020ba9a 0bf65a1d 5d9a128a f85c63a2 79a00139 7aca56db
         15341b9e).

   yQ 55735504615964066386264989698774850924544182484936624265048483231
      35693859362627880184586282439234602798023594054611737412667543758
      11547

      (=0xc44e5e0f 2c254d23 1dc082db 77175e8c fd37793c 22ebe200
         77905a5f 750b3c9f 4a95d4d5 4e1a1e54 d2d31689 4249252d 0c8b1c45
         1c1481db).
   k  56463034235306169014882307562036113095966844917631298686749571574
      22895909756933115614724351575144190884397720504249121444938140865
      3424

      (=0x13e308f8 2f7eb169 78a86240 a2087c59 38ad954c 5a725311
         00e2738b 93f87064 06846d1b 0348c213 5cd8f9db 21cbf970 6b70fa40
         29364070).

   xR 46421117529223435940590399200091023258880155395346929342228475577
      87411917154572694868891187346300643187653728654052509827159201295
      60118

      (=0xa37ff9a3 9734a3dc 9ccf72b7 cb3b8e5e 20d4e1f1 655c973a
         c72e4aa4 6f139529 84b1cd37 2524bf09 c4e38684 5c88cc79 e8e19242
         42398e36).

   yR 48450878695819342796480063527087959345962966106444727188216313803
      37436540801561730584163096514114057681225129685101546366763700225
      61560

      (=0xaaa6202c df8711b2 6e5a8802 6c5d86b3 2f320d89 8f48a809
         40818982 bb74e0cc 7b884f20 aad090fb 90c4c93f fd84ed56 c03451d8
         84fc7718).

   r  10079181314443091413124208805690796541198087360981026328153965618
      84491837923780980544976081512453123921447854472219263731684084102
      60560

      (=0x237ff9a3 9734a3dc 9ccf72b7 cb3b8e5e 20d4e1f1 655c973a
         c72e4aa5 757f4d55 fc1416a3 c77851e9 820a019f 40fdadcf a1f00d1c
         eb890450).

   1/k 13511362508598651506450197334516130806445911047753884276726477993
       82054003440714897722657048821186399503939251111689038388764827779
       24830

      (=0x2f96a107 4a355722 1f20fd90 aed12db3 83b3c32f 593079f4
         779e2942 3ad2b5e6 0ea15bdc a57e5827 04ed1f09 e42b8352 68428208
         502444de).

   m  "example ECDSA w/ Wei448 and SHAKE256"

      (=0x6578616d 706c6520 45434453 4120772f 20576569 34343820
         616e6420 5348414b 45323536).

   E  70518111636481318756745253634149479528712660170653218748970032198
      09200302878838207999610865248047293428251821985248449616335015355
      074462070358583196774165

      (=0x86a488f3 62da4be6 147ef640 34ad43ca 3fde6613 456cc034
         55555f34 c34778b9 02f05145 62e2113c f4894daf 4446bb10 636b43df
         fa5e2434 b1262bee 420fef15).
   e  95569862294810470138539721873942452276898897320233558414699702549
      60123138804500061287999759232209252819044656295606728178066107449
      5757

      (=0x21a9223c d8b692f9 851fbd90 0d2b50f2 8ff79984 d15b300d
         155557cd 30d1de2e 40bc1451 58b8844f 3d22536b d111aec4 18dad0f7
         fe97890d).

   s  15256839162738057100463520332129958798673106244466764276882516437
      65316731861037119394561858696609193031230290965981228906529672536
      92957

      (=0x35bc73be 7e3fd7a1 de9fdb4f be96cbcd 0bb9beec f8286d04
         026f3440 d6e68e25 9916ea2b c4407e9a 83ecf91a 8473c1a1 cda742d0
         dab5d21d).

The ECDSA signature (r,s) can be represented uniquely as the 112-octet string

   0x237ff9a3 9734a3dc 9ccf72b7 cb3b8e5e 20d4e1f1 655c973a c72e4aa5
     757f4d55 fc1416a3 c77851e9 820a019f 40fdadcf a1f00d1c eb890450

     35bc73be 7e3fd7a1 de9fdb4f be96cbcd 0bb9beec f8286d04 026f3440
     d6e68e25 9916ea2b c4407e9a 83ecf91a 8473c1a1 cda742d0 dab5d21d,

where this string is the right-concatenation of the integers r and s, each represented as fixed-size octet string in tight MSB/msb-order using the ZnE2OS mapping of Appendix I.6. Since an ECDSA signature (r, s) is valid only if the ECDSA signature (r,-s) is, one can alternatively use the representation

   0x237ff9a3 9734a3dc 9ccf72b7 cb3b8e5e 20d4e1f1 655c973a c72e4aa5
     757f4d55 fc1416a3 c77851e9 820a019f 40fdadcf a1f00d1c eb890450

     0a438c41 81c0285e 216024b0 41693432 f4464113 07d792fb fd90cbbe
     a5e395c4 2b37f11d ea95b7f5 9d7fc958 0951cdb3 55d17fc1 d0a272d6,

with the same representation conventions.

Q.3.4.  Example of ECDSA with P-256 and SHA-256

   d  64502400493437371358766275827725703314178640739253280897215993954
      599262549170

      (=0x8e9b109e 719098bf 980487df 1f5d77e9 cb29606e bed2263b
         5f57c213 df84f4b2).
   xQ 57807358241436249728379122087876380298924820027722995515715270765
      240753673285

      (=0x7fcdce27 70f6c45d 4183cbee 6fdb4b7b 58073335 7be9ef13
         bacf6e3c 7bd15445).

   yQ 90436541859143682268950424386863654389577770182238183823381687388
      274600502701

      (=0xc7f144cd 1bbd9b7e 872cdfed b9eeb9f4 b3695d6e a90b24ad
         8a462328 8588e5ad).

   k  10917316901614856459075743461503453401956315994436627614714069472
      2195121475236

      (=0xf15dd2ec 0c1f92a1 0b60543c 20ccc85a 6bc502fc c8d1fa0f
         cc4e0efd 7e5b8ea4).

   xR 67018809247931167566425050558236675606398890455759429072257638117
      88903589477

      (=0x0ed12153 79636c48 3c2f7f15 5807d402 a3b22803 3af97c7e
         17819ac3 169ea665).

   yR 83689992559222976435347984539787632719385922964918301228608860125
      842192869397

      (=0xb906db6f 843c3944 597cf51b b804f66b f66690df 75f9e046
         d5d4f548 870a2815).

   r  67018809247931167566425050558236675606398890455759429072257638117
      88903589477

      (=0x0ed12153 79636c48 3c2f7f15 5807d402 a3b22803 3af97c7e
         17819ac3 169ea665).

   1/k 11325557121201586890872285956108022533871237299549226886458455251
       7263129747627

      (=0xfa6461b5 646b7d69 893c8e10 96376336 078815e5 9c225d70
         f677307c 653ea0ab).

   m  "eyJhbGciOiJFUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODA
      sDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ"

      (=0x65794a 68624763 694f694a 46557a49 314e694a 392e6579 4a706333
         4d694f69 4a716232 55694c41 304b4943 4a6c6548 41694f6a 457a4d44
         41344d54 6b7a4f44 41734451 6f67496d 68306448 41364c79 396c6547
         46746347 786c4c6d 4e766253 39706331 39796232 3930496a 7030636e
         566c6651).

   E  15276956252456799293212411937089506709811039436516676830575291628
      425946659374

      (=0x21c67368 f436577f 447f8051 62ca13b8 0d046a3f e467247e
         65ea477a a750fa2e).
   e  15276956252456799293212411937089506709811039436516676830575291628
      425946659374

      (=0x21c67368 f436577f 447f8051 62ca13b8 0d046a3f e467247e
         65ea477a a750fa2e).

   s  89123353657093021477366684784932901580138243670089627582817239001
      914975409365

      (=0xc50a07d3 8c3c70e5 d8f12daf 084a5480 a66590c5 f293509a
         8f3f7f8a 83a354d5).

The ECDSA signature (r,s) can be represented uniquely as the 64-octet string

   0x0ed12153 79636c48 3c2f7f15 5807d402 a3b22803 3af97c7e 17819ac3
     169ea665

     c50a07d3 8c3c70e5 d8f12daf 084a5480 a66590c5 f293509a 8f3f7f8a
     83a354d5,

where this string is the right-concatenation of the integers r and s, each represented as fixed-size octet string in tight MSB/msb-order using the ZnE2OS mapping of Appendix I.6. Since an ECDSA signature (r, s) is valid only if the ECDSA signature (r,-s) is, one can alternatively use the representation

   0x0ed12153 79636c48 3c2f7f15 5807d402 a3b22803 3af97c7e 17819ac3
     169ea665

     3af5f82b 73c38f1b 270ed250 f7b5ab7f 168169e7 b4844dea 647a4b38
     78bfd07c,

with the same representation conventions.

NOTE: The example above corresponds to the JSON Web Signature example of Appendix A.3 of [RFC7515], where the base64url encoding of the public-private key pair (d, Q:=d*G) above is given by

   d  "jpsQnnGQmL-YBIffH1136cspYG6-0iY7X1fCE9-E9LI";

   xQ "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU";

   yQ "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",

where the base64url encoding of the ECDSA signature (r,s) is given by

   "DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-
    F4GawxaepmXFCgfTjDxw5djxLa8ISlSApmWQxfKTUJqPP3-Kg6NU1Q",

and where the base64url encoding of the alternative ECDSA signature (r,-s) is given by

   "DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-
    F4GawxaepmU69fgrc8OPGycO0lD3tat_FoFp57SETepkeks4eL_QfA".
Here, the JSON Web Signature is represented as the string m.sig, where the message field m and the signature field sig are separated by the "." symbol, where m assumes the value in our example and where the signature assumes the base64url encoding of one of the ECDSA signatures (r,s) or (r,-s), as indicated above. For precise details regarding JWS encodings, we refer to [RFC7515].

Author's Address

   Rene Struik
   Struik Security Consultancy

   Email: rstruik.ext@gmail.com