Internet Draft                                                   W. Ladd
                                                            Grad Student
Category: Informational                                      UC Berkeley
Expires 9 July 2014                                       5 January 2014

             Additional Elliptic Curves for IETF protocols

Status of this Memo

   Distribution of this memo is unlimited.

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on date.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document.

Abstract

   This internet draft contains curves whose Jacobians are groups over
   which the Decisional Diffie-Hellman problem is hard, and which have
   implementation advantages.

Ladd, Watson              Expires 9 July 2014                   [Page 1]

Internet Draft             ladd-safecurves                8 January 2014

Table of Contents

   1. Introduction
   2. The curves

1. Introduction

   This document contains a set of elliptic curves over prime fields
   with many security advantages.

2. The Curves

   Each curve is given by an equation and a basepoint, together with an
   order.  All curves are elliptic.  Validation information is given at
   [SAFECURVES].  The names given in this document indicate the family.

   Curve25519 is a curve over GF(2^255-19), formula
   y^2=x^3+486662x^2+x, basepoint
   (9, 14781619447589544791020593568409986887264606134616475288964881837755586237401),
   order 2^252 + 27742317777372353535851937790883648493.

   E-382 is a curve over GF(2^382-15), formula
   x^2+y^2=1-6725254x^2y^2, basepoint
   (3914921414754292646847594472454013487047137431784830634731377862923477302047857640522480241298429278603678181725699, 17),
   order 2^380 - 1030303207694556153926491950732314247062623204330168346855.

   M-383 is a curve over GF(2^383-187), formula
   y^2=x^3+2065150x^2+x, basepoint
   (12, 4737623401891753997660546300375902576839617167257703725630389791524463565757299203154901655432096558642117242906494),
   order 2^380 + 166236275931373516105219794935542153308039234455761613271.

   Curve383187 is a curve over GF(2^383-187), formula
   y^2=x^3+229969x^2+x, basepoint
   (5, 4759238150142744228328102229734187233490253962521130945928672202662038422584867624507245060283757321006861735839455),
   order 2^380 + 356080847217269887368687156533236720299699248977882517025.

   Curve3617 is a curve over GF(2^414-17), formula
   x^2+y^2=1+3617x^2y^2, basepoint
   (17319886477121189177719202498822615443556957307604340815256226171904769976866975908866528699294134494857887698432266169206165, 34),
   order 2^411 - 33364140863755142520810177694098385178984727200411208589594759.

   M-511 is a curve over GF(2^511-187), formula
   y^2 = x^3+530438x^2+x, basepoint
   (5, 2500410645565072423368981149139213252211568685173608590070979264248275228603899706950518127817176591878667784247582124505430745177116625808811349787373477),
   order 2^508 + 10724754759635747624044531514068121842070756627434833028965540808827675062043.

3. Security Considerations

   This entire document discusses methods of implementing cryptography
   securely.  With the best known attacks, the time for an attacker to
   break the DLP on these curves is the square root of the group order.
   Curves of Edwards form are best when addition is required; those of
   Montgomery form make excellent candidates for Diffie-Hellman key
   agreement on the Kummer surface.  Explicit formulas are in the
   Explicit-Formula Database [EFD].

4. IANA Considerations

   IANA should maintain a registry of these curves, calling them
   safecurve-XXXX where XXXX is the curve identifier.

5. References

   [SAFECURVES] safecurves.cr.yp.to

   [EFD] http://www.hyperelliptic.org/EFD/g1p/index.html

Author Addresses

   Watson Ladd
   watsonbladd@gmail.com
   Berkeley, CA
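
Added example, not part of the draft: a Python check that the Curve25519 parameters quoted in Section 2 are self-consistent, i.e. the basepoint satisfies the curve equation and the stated order sends it to the point at infinity, using the x-only Montgomery ladder with the formulas from RFC 7748. The function names are hypothetical, and the same functions accept the other Montgomery-form parameters (M-383, Curve383187, M-511) listed in that section.

```python
# Curve25519 parameters exactly as quoted in Section 2 of the draft.
P = 2**255 - 19                      # field prime
A = 486662                           # coefficient in y^2 = x^3 + A*x^2 + x
BASE = (9, 14781619447589544791020593568409986887264606134616475288964881837755586237401)
ORDER = 2**252 + 27742317777372353535851937790883648493

def on_curve(p, a, x, y):
    """True if (x, y) satisfies y^2 = x^3 + a*x^2 + x over GF(p)."""
    return (y * y - (x * x * x + a * x * x + x)) % p == 0

def ladder(p, a, k, x1):
    """x-only Montgomery ladder: projective (X, Z) of [k]P, P having x-coordinate x1."""
    a24 = (a - 2) * pow(4, p - 2, p) % p          # (a - 2) / 4 mod p
    x2, z2, x3, z3 = 1, 0, x1 % p, 1              # (x2:z2) = infinity, (x3:z3) = P
    for i in reversed(range(k.bit_length())):
        bit = (k >> i) & 1
        if bit:                                   # swap so the same formulas serve both bit values
            x2, z2, x3, z3 = x3, z3, x2, z2
        s2, d2 = (x2 + z2) % p, (x2 - z2) % p
        s3, d3 = (x3 + z3) % p, (x3 - z3) % p
        da, cb = d3 * s2 % p, s3 * d2 % p
        x3, z3 = (da + cb) ** 2 % p, x1 * (da - cb) ** 2 % p   # differential addition
        aa, bb = s2 * s2 % p, d2 * d2 % p
        e = (aa - bb) % p
        x2, z2 = aa * bb % p, e * (aa + a24 * e) % p           # doubling
        if bit:
            x2, z2, x3, z3 = x3, z3, x2, z2
    return x2, z2

def affine_x(p, xz):
    """Affine x of a projective (X, Z); None for the point at infinity (Z == 0)."""
    x, z = xz
    return None if z % p == 0 else x * pow(z, p - 2, p) % p

def validate(p, a, base, order):
    """Consistency checks on one Montgomery-form parameter set."""
    return {
        "base_on_curve": on_curve(p, a, *base),
        # [order]P = infinity shows the basepoint's order divides the stated order.
        "order_kills_base": affine_x(p, ladder(p, a, order, base[0])) is None,
        "order_plus_one_is_base": affine_x(p, ladder(p, a, order + 1, base[0])) == base[0] % p,
    }

if __name__ == "__main__":
    print(validate(P, A, BASE, ORDER))
```

These checks catch transcription errors in published parameters; they do not replace the full validation referenced at [SAFECURVES].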