idnits 2.17.00 (12 Aug 2021) /tmp/idnits36483/draft-turner-thecurve25519function-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (July 29, 2014) is 2852 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- -- Looks like a reference, but probably isn't: '0' on line 178 -- Looks like a reference, but probably isn't: '31' on line 179 -- Looks like a reference, but probably isn't: '1' on line 112 -- Looks like a reference, but probably isn't: '2' on line 112 -- Looks like a reference, but probably isn't: '32' on line 177 Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 6 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group W. Ladd 3 Internet-Draft Grad Student UC Berkley 4 Intended status: Informational R. Salz 5 Expires: January 30, 2015 Akamai 6 S. Turner 7 IECA, Inc. 8 July 29, 2014 10 The Curve25519 Function 11 draft-turner-thecurve25519function-00 13 Abstract 15 This document specifies the Curve25519 function, an ECDH (Elliptic- 16 Curve Diffie-Hellman) key-agreement scheme for use in cryptographic 17 applications. It was designed with performance and security in mind. 18 This document is based on information in the public domain. 20 Status of This Memo 22 This Internet-Draft is submitted in full conformance with the 23 provisions of BCP 78 and BCP 79. 25 Internet-Drafts are working documents of the Internet Engineering 26 Task Force (IETF). Note that other groups may also distribute 27 working documents as Internet-Drafts. The list of current Internet- 28 Drafts is at http://datatracker.ietf.org/drafts/current/. 30 Internet-Drafts are draft documents valid for a maximum of six months 31 and may be updated, replaced, or obsoleted by other documents at any 32 time. It is inappropriate to use Internet-Drafts as reference 33 material or to cite them other than as "work in progress." 35 This Internet-Draft will expire on January 30, 2015. 37 Copyright Notice 39 Copyright (c) 2014 IETF Trust and the persons identified as the 40 document authors. All rights reserved. 42 This document is subject to BCP 78 and the IETF Trust's Legal 43 Provisions Relating to IETF Documents 44 (http://trustee.ietf.org/license-info) in effect on the date of 45 publication of this document. Please review these documents 46 carefully, as they describe your rights and restrictions with respect 47 to this document. Code Components extracted from this document must 48 include Simplified BSD License text as described in Section 4.e of 49 the Trust Legal Provisions and are provided without warranty as 50 described in the Simplified BSD License. 52 1. Introduction 54 This document specifies the Curve25519 function, an ECDH (Elliptic- 55 curve Diffie-Hellman) key-agreement scheme for use in cryptographic 56 applications. It was designed with performance and security in mind. 57 This document is based on information in the public domain. 59 This document provides a stable reference for the Curve25519 function 60 [Curve25519] to which other specifications may refer when defining 61 their use of Curve25519 This document does not specify the use of 62 Curve25519 in any other specific protocol, such as TLS (Transport 63 Layer Security) or IPsec (Internet Protocol Security). This document 64 specifies how to use Curve25519 for key exchange; it does not specify 65 how to use Curve25519 for use with digital signatures. This document 66 defines the algorithm, expected "wire format," and provides some 67 implementation guidance to avoid known side-channel exposures. 69 Readers are assumed to be familiar with the concepts of elliptic 70 curves, modular arithmetic, group operations, and finite fields 71 [RFC6090] as well as rings [Curve25519]. 73 1.1. Terminology 75 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 76 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 77 document are to be interpreted as described in [RFC2119]. 79 2. Notation and Definitions 81 The following notation and definitions are used in this document 82 (notation is to the left of the ":"): 84 A: A value used in the elliptic-curve equation E. 86 E: An elliptic-curve equation. 88 p: A prime. 90 GF(p): The field with p elements. 92 mod: An abbreviation for modulo. 94 _#: Subscript notation, where # is a number or letter 96 =: Denotes equal to. 98 ^: Denotes exponentiation. 100 +, -, *, /: Denotes addition, subtraction, multiplication, and 101 division. 103 Note that all operations are performed mod p. 105 3. The Curve25519 Function 107 Let p=2^255-19. Let E be the elliptic curve with the equation 108 y^2=x^3+486662*x^2+x over GF(p). 110 Each element x of GF(p) has a unique little-endian representation as 111 32 bytes s[0] ... s[31], such that 112 s[0]+256_s[1]+256^2_s[2]+...+256^31*s[31] is congruent to x modulo p, 113 and s[31] is minimal. Implementations MUST only produce points in 114 this form, and MUST mask the high bit of byte 31 to zero on receiving 115 a point. The high bit is, following convention, 0x80. 117 Let X denote the projection map from a point (x,y) on E, to x, 118 extended so that X of the point at infinity is zero. X is surjective 119 onto GF(p) if the y coordinate takes on values in GF(p) and in a 120 quadratic extension of GF(p). 122 Then Curve25519(s, X(Q))=X(sQ) is a function defined for all elements 123 of GF(p). The remainder of this document describes how to compute 124 this function quickly and securely, and use it in a Diffie-Hellman 125 scheme. 127 4. Implementing Curve25519 129 Let s be a 255 bits long integer, where s=sum s_i2^i with s_i in 130 {0,1}. 132 Computing Curve25519(s, x) is done by the following procedure, taken 133 from [Curve25519] based on formulas from [Mont]. All calculations 134 are done over GF(p), i.e., they are performed modulo p. The 135 parameter a24 is a24 = (486662 - 2)/4 = 121665. 137 Let x_1 = 1 138 x_2 = 1 139 z_2 = 0 140 x_3 = x 141 z_3 = 1 142 For t = 254 to 0: 143 Do constant time conditional swap of: 144 (x_2, z_2) and (x_3, z_3) if s_t is set 145 A = x_2 + z_2 146 AA = A^2 147 B = x_2 - z_2 148 BB = B^2 149 E = AA - BB 150 C = x_3 + z_3 151 D = x_3 - z_3 152 DA = D * A 153 CB = C * B 154 x_3 = (DA + CB)^2 155 z_3 = x_1 * (DA - CB)^2 156 x_2 = AA * BB 157 z_2 = E * (AA + a24 * E) 158 Do constant time conditional swap of: 159 (x_2, z_2) and (x_3, z_3) if s_t is set 160 Return x_2*(z_2^(p-1)) 162 In implementing this procedure, due to the existence of side-channels 163 in commodity hardware, it is vital that the pattern of memory 164 accesses and jumps not depend on the bits of s. It is also essential 165 that the arithmetic used not leak information about words. 167 To compute the conditional swap in constant time (independent of s_t) 168 use dummy = s_t*(x_2-x_3) x_2 = x_2 - dummy x_3 = x_3 + dummy where 169 s_t is 1 or 0, or dummy = s_t & (x_2 XOR x_3) x_2 = x_2 XOR x_3 x_3 = 170 x_3 XOR x_2 where s_t is regarded as the all-1 word of 255 bits. The 171 latter version is more efficient on most architectures. 173 5. Use of the Curve25519 function 175 The Curve25519 function can be used in an ECDH protocol as follows: 177 Alice takes 32 random bytes in s[0] to s[32]. She masks the lower 178 three bits of s[0] and the top bit of s[31] to zero and sets the 179 second top most bit of s[31] to 1. This means that s is of the form 180 2^254+8*{0,1, ...., 2^(251)-1} as a little-endian integer. 182 Alice then transmits K_A = Curve25519(s, 9) to Bob, where 9 is the 183 number 9. As a sequence of 32 bytes, t, the representation of 9 is 184 t[0]=9, and the remaining bytes are all zero. The natural wire- 185 format representation of the value is in little-endian byte order. 187 Bob picks a random g, and computes K_B = Curve25519(g, 9) similarly, 188 and transmits it to Alice. 190 Alice computes Curve25519(s, Curve25519(g, 9)); Bob computes 191 Curve25519(g, Curve25519(s, 9)) using their secret values and the 192 received input. 194 Both of them now share K=Curve25519(s, Curve25519(g, 195 9))=Curve25519(g, Curve25519(s, 9)) as a shared secret. Alice and 196 Bob use a key-derivation function, such as hashing K, to compute a 197 shared secret. 199 6. Test Vectors 201 The following test vectors are taken from [NaCl]: 203 Alice's public key: 205 0x8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a 207 Alice's secret key 209 0x77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a 211 Bob's public key: 213 0xde9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f 215 Bob's secret key: 217 0x5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb 219 Shared secret: 221 0x4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742 223 7. Security Considerations 225 Curve25519 meets all standard assumptions on DH and DLP difficulty. 227 In addition, Curve25519 is twist secure: the co-factor of the curve 228 is 8, that of the twist is 4. Protocols that require contributory 229 behavior must ban outputs K_A =0, K_B = 0 or K = 0. 231 Curve25519 is designed to enable very high performance software 232 implementations, thus reducing the cost of highly secure cryptography 233 to a point where it can be used more widely. 235 8. IANA Considerations 237 None. 239 9. Acknowledgements 241 We would like to thank Tanja Lange (Technische Universiteit 242 Eindhoven) for her review and comments. 244 10. References 246 10.1. Normative References 248 [Curve25519] 249 Bernstein, D., "Curve25519 - new Diffie-Hellman speed 250 records", April 2006, 251 . 254 [Mont] Montgomery, P., "Speeding the Pollard and elliptic curve 255 methods of factorization", 1983, 256 . 259 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 260 Requirement Levels", BCP 14, RFC 2119, March 1997. 262 [RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic 263 Curve Cryptography Algorithms", RFC 6090, February 2011. 265 10.2. Informative References 267 [NaCl] Bernstein, D., "Cryptography in NaCl", 2013, 268 . 270 Authors' Addresses 272 Watson Ladd 273 Grad Student UC Berkley 275 Email: watsonbladd@gmail.com 276 Rich Salz 277 Akamai 279 Email: rsalz@akamai.com 281 Sean Turner 282 IECA, Inc. 283 Suite 106 284 Fairfax, VA 22031 285 USA 287 Phone: +1-703-628-3180 288 Email: turners@ieca.com