Re: [Cfrg] Consensus and a way forward

"Lochter, Manfred" <manfred.lochter@bsi.bund.de> Mon, 01 December 2014 16:28 UTC

From: "Lochter, Manfred" <manfred.lochter@bsi.bund.de>
Organization: BSI Bonn
To: cfrg@irtf.org
Date: Mon, 01 Dec 2014 17:27:29 +0100
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/G5djG4gA90tkv9JSE8-M2VBpjqY

+1



__________ original message __________

From:		Joppe Bos <joppe.bos@nxp.com>
Date:	Thursday, 27 November 2014, 07:17:32
To:		"b@b3k.us" <b@b3k.us>, "cfrg@irtf.org" <cfrg@irtf.org>
Cc:	
Subject:	Re: [Cfrg] Consensus and a way forward

> This draft presents algorithms to “generate domain parameters at any
> security level for modern (twisted) Edwards curves” given a prime as input.
> In the Test Vectors section curves defined over primes of a special shape
> are given. Please note that one can also use this draft to select curves
> which are defined over primes which do not have a special shape: something
> which has been requested by different people on this list. I hope that we
> will use this draft to (also) select curves over primes which do not have a
> special shape to accommodate all the needs in the cryptographic (and wider
> security) community.
>
> Best regards,
>
> Joppe
>
> From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Benjamin Black
> Sent: Thursday, November 27, 2014 5:25 AM
> To: cfrg@irtf.org
> Subject: [Cfrg] Consensus and a way forward
>
> All,
>
> Over the past couple of weeks we have been working with Adam Langley to see
> if we could find a compromise with which we could all live. I'm pleased to
> say we have been successful in accommodating our respective performance and
> trustworthy generation concerns, and I hope the resulting proposal will be
> attractive to others, as well. The generation procedure is documented in a
> draft I've just posted that can be found at
> http://www.ietf.org/id/draft-black-rpgecc-00.txt .
>
> The simplest summary is that we have combined the prime preferred by Adam
> and others at the 128-bit security level with the rigid parameter
> generation we view as essential for producing the most trustworthy curves.
> We have used the generation procedure to produce a new twisted Edwards
> curve based on 2^255 - 19 and a new Edwards curve based on 2^384 - 317.
> These new curves are given as test vectors in the draft, and are also given
> below.
>
> These 2 curves are sufficient for meeting the request from TLS. However, if
> there is strong interest in a 3rd curve for the 256-bit security level, the
> generation procedure gives the same curve with p = 2^521 - 1 as several
> teams produced.
>
> b
>
> --
>
> 2^255 - 19
>
>    p = 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>          FFFFFFFFFFED
>    d = 0x15E93
>    r = 0x2000000000000000000000000000000016241E6093B2CE59B6B9
>          8FD8849FAF35
> x(P) = 0x3B7C1D83A0EF56F1355A0B5471E42537C26115EDE4C948391714
>          C0F582AA22E2
> y(P) = 0x775BE0DEC362A16E78EFFE0FF4E35DA7E17B31DC1611475CB4BE
>          1DA9A3E5A819
>    h = 0x4
>
> 2^384 - 317
>
>      p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>            FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEC3
>      d = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>            FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD19F
>      r = 0x3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE2471A1
>            CB46BE1CF61E4555AAB35C87920B9DCC4E6A3897D
>   x(P) = 0x61B111FB45A9266CC0B6A2129AE55DB5B30BF446E5BE4C005763FFA
>            8F33163406FF292B16545941350D540E46C206BDE
>   y(P) = 0x82983E67B9A6EEB08738B1A423B10DD716AD8274F1425F56830F98F
>            7F645964B0072B0F946EC48DC9D8D03E1F0729392
>      h = 0x4

-- 
Lochter, Manfred
--------------------------------------------
Bundesamt für Sicherheit in der Informationstechnik (BSI)
Referat K21
Godesberger Allee 185 -189
53175 Bonn

P.O. Box 20 03 63
53133 Bonn

Telephone: +49 (0)228 99 9582 5643
Fax: +49 (0)228 99 10 9582 5643
E-Mail: manfred.lochter@bsi.bund.de
Internet:
www.bsi.bund.de
www.bsi-fuer-buerger.de
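
Added example, not part of the original message or of the draft it cites: a sanity check of the 2^255 - 19 test vector quoted above, of the kind a reviewer might run before relying on posted domain parameters. It assumes the twisted Edwards form -x^2 + y^2 = 1 + d*x^2*y^2 (a = -1), which the message names but does not spell out; the function names are illustrative.

```python
# Sanity checks for the 2^255 - 19 parameters quoted in the message.
# Assumption: curve equation is -x^2 + y^2 = 1 + d*x^2*y^2, i.e. a = -1.
P = 2**255 - 19
A = -1                      # assumed coefficient of x^2 (twisted Edwards)
D = 0x15E93
R = int("2000000000000000000000000000000016241E6093B2CE59B6B9"
        "8FD8849FAF35", 16)
GX = int("3B7C1D83A0EF56F1355A0B5471E42537C26115EDE4C948391714"
         "C0F582AA22E2", 16)
GY = int("775BE0DEC362A16E78EFFE0FF4E35DA7E17B31DC1611475CB4BE"
         "1DA9A3E5A819", 16)
H = 4
IDENTITY = (0, 1)           # neutral element of an Edwards curve

def on_curve(pt, a=A, d=D, p=P):
    x, y = pt
    return (a * x * x + y * y - 1 - d * x * x * y * y) % p == 0

def edwards_add(p1, p2, a=A, d=D, p=P):
    """Unified twisted Edwards addition; the same formula also doubles."""
    x1, y1 = p1
    x2, y2 = p2
    t = d * x1 * x2 * y1 * y2 % p
    x3 = (x1 * y2 + y1 * x2) * pow(1 + t, -1, p) % p
    y3 = (y1 * y2 - a * x1 * x2) * pow(1 - t, -1, p) % p
    return (x3, y3)

def scalar_mul(k, pt, a=A, d=D, p=P):
    acc = IDENTITY
    while k:                # right-to-left double-and-add (not constant time)
        if k & 1:
            acc = edwards_add(acc, pt, a, d, p)
        pt = edwards_add(pt, pt, a, d, p)
        k >>= 1
    return acc

def hasse_ok(p, h, r):
    t = p + 1 - h * r       # trace of Frobenius implied by the claimed order
    return t * t <= 4 * p

def check_params():
    return {
        "p_is_1_mod_4": P % 4 == 1,            # -1 is then a square mod p
        "d_nonsquare": pow(D, (P - 1) // 2, P) == P - 1,
        "generator_on_curve": on_curve((GX, GY)),
        "order_r": scalar_mul(R, (GX, GY)) == IDENTITY,
        "hasse_bound": hasse_ok(P, H, R),
    }
```

Any entry of `check_params()` that comes back `False` means either the a = -1 assumption or a transcribed value is wrong, and the parameters should not be used until that is resolved.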