Good afternoon, dear colleagues,

=C2=A0

Currently the proposed draft on elliptic curves generation methods does not explicitl= y consider curves with security more than 256 bits.

=C2=A0

In Russia we have had a similar lack of 512-bit curves (both twisted Edwards ones and curves with groups of prime order), so we at CryptoPro (Russian cryptograph= ic software company) proposed three of them to our Technical Committee for Standardization =C2=ABCryptography and Security Mechanisms=C2=BB (http://tc26.ru/en/).

=C2=A0

In 2014 after a deep discussion with colleagues these curves were standardized for usage with Russian national digital signature standard (GOST R 34.10-2012).=

=C2=A0

For example, the twisted Edwards 512-bit curve is defined over the field GF(p), where p is equal to 2^512 =E2=80=93 569, p =3D 3 (mod 4).

p =3D 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF= FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDC7

d =3D 0x9E4F5D8C017D8D9F13A5CF3CDF5BFE4DAB402D54198E31EBDE28A0621050439CA6B39E0A5= 15C06B304E2CE43E79E369E91A0CFC2BC2A22B4CA302DBB33EE7550

e =3D 0x1

m =3D 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF26336E919= 41AAC0130CEA7FD451D40B323B6A79E9DA6849A5188F3BD1FC08FB4

q =3D 0x3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC98CDBA46= 506AB004C33A9FF5147502CC8EDA9E7A769A12694623CEF47F023ED

u(P) =3D 0x12

v(P) =3D 0x469AF79D1FB1F5E16B99592B77A01E2A0FDFB0D01794368D9A56117F7B38669522DD4B650= CF789EEBF068C5D139732F0905622C04B2BAAE7600303EE73001A3D

a =3D 0xDC9203E514A721875485A529D2C722FB187BC8980EB866644DE41C68E143064546E861C0E= 2C9EDD92ADE71F46FCF50FF2AD97F951FDA9F2A2EB6546F39689BD3

b =3D 0xB4C4EE28CEBC6C2C8AC12952CF37F16AC7EFB6A9F69F4B57FFDA2E4F0DE5ADE038CBC2FFF= 719D2C18DE0284B8BFEF3B52B8CC7A5F5BF0A3C8D2319A5312557E1

x(P) =3D 0xE2E31EDFC23DE7BDEBE241CE593EF5DE2295B7A9CBAEF021D385F7074CEA043AA27272A7A= E602BF2A7B9033DB9ED3610C6FB85487EAE97AAC5BC7928C1950148

y(P) =3D 0xF5CE40D95B5EB899ABBCCFF5911CB8577939804D6527378B8C108C3D2090FF9BE18E2D33E= 3021ED2EF32D85822423B6304F726AA854BAE07D0396E9A9ADDC40F

(The following notation is used for Edwards curve coefficients: eu^2 + v^2 =3D 1= + du^2v^2, while the corresponding Weierstrass curve has form y^2 =3D x^3 + a= x +b. We denote the total number of points on the curve as m and prime subgroup o= rder as q. We denote base point as P; x(P), y(P) and u(P), v(P) are respectively base point coordinates in Weierstrass and twisted Edwards form.)

=C2=A0

p and q are prime. The curve has been examined to be secure against MOV-attacks (thus i= t can be believed to be DDH-secure) and to satisfy CM-security requirements. Twisted curve security has also been studied: twisted curve points group or= der has a prime factor of: 0x40000000000000000000000000000000000000000000000000= 000000000000003673245b9af954ffb3cc5600aeb8afd33712561858965ed96b9dc310b80fd= af7, while the other factor is equal to 4.

=C2=A0

The curve can be used both for digital signatures and for Diffie-Hellman key agreemen= t.

=C2=A0

The curve parameters have been generated using random nonce W in such way that e =3D = 1, d =3D hash(W), where hash() is Russian national standard GOST R 34.11-2012 hash function (also known as =E2=80=9CStreebog=E2=80=9D, https://www.streebog.net/en/). The seed value W is equal to:

W =3D 1F BB 79 69 B9 1B 3E A0 81 17 FB 10 74 BF BF 55 49 DD 66 07 63 F6 A5 AF 09 57 77 = 5B 66 4C B1 13 CF CB 91 C4 A7 7D 27 98 06 BC F2 4A 56 77 F2 5E AF FE C6 67 76 = 70 2E E2 C7 AA 84 16 07 50 DA 1D D1 50 AE D2 8C 30 26 AC 7E D6 D1 9B 97 AC 2C = B5 82 7C 00 03 18 47 13 53 5B FA 65 24 B3 E4 60 83,

=C2=A0

GOST R 34.11-2012 (Streebog) implementation can be found at https://github.com/okazymyrov/stribog, for example.

=C2=A0

The base point has been selected as a point with the smallest u-coordinate, satisfyi= ng curve equation and having order equal to q.

=C2=A0

Also we have an agreed (with Russian cryptographic community, including experts fro= m other Russian companies, scientific community and governmental authorities) version of curve generation methods; if you consider it interesting, we cou= ld prepare an English translation in a couple of days.

=C2=A0

= Best regards,

= Stanislav V. Smyshlyaev, Ph.D.,

= Head of Information Security Department,

= CryptoPro LLC