
Specification of Curve Selection and Supported Curve Parameters in MSR ECCLib

Abstract

This document explains the details of the curve generation algorithms and provides the parameters for the NUMS (Nothing Up My Sleeve) curves. These curves are supported in the MSR Elliptic Curve Cryptography Library (MSR ECCLib).
Joppe W. Bos [1], Craig Costello [2], Patrick Longa [2], and Michael Naehrig [2]

[1] NXP Semiconductors
[2] Microsoft Research
This document explains the details of the curve generation algorithms and provides the parameters for the NUMS (Nothing Up My Sleeve) curves, which are supported in the MSR Elliptic Curve Cryptography Library (a.k.a. MSR ECCLib). For more details on curve selection and curve properties, see [1] and [2].
1 Notation

The following notation is used in this document.

$s$              Denotes the target security level in bits, here $s \in \{128, 192, 256\}$.
$p$              Denotes a prime number.
$c$              A positive integer used in the representation of the prime $p$ as $p = 2^{2s} - c$.
$\mathbb{F}_p$   The finite field with $p$ elements.
$b$              An element in the finite field $\mathbb{F}_p$, $b \neq \pm 2$.
$E_b$            The elliptic curve $E_b/\mathbb{F}_p : y^2 = x^3 - 3x + b$ in short Weierstrass form, defined over $\mathbb{F}_p$ by the parameter $b \neq \pm 2$.
$r_b$            The prime order $r_b = \#E_b(\mathbb{F}_p)$ of the group of $\mathbb{F}_p$-rational points on $E_b$.
$t_b$            The trace of Frobenius $t_b = p + 1 - r_b$ of $E_b$.
$r'_b$           The prime order $r'_b = \#E'_b(\mathbb{F}_p) = p + 1 + t_b$ of the group of $\mathbb{F}_p$-rational points on the quadratic twist $E'_b$.
$d$              An element in the finite field $\mathbb{F}_p$, $d \notin \{-1, 0\}$.
$E_d$            The elliptic curve $E_d/\mathbb{F}_p : -x^2 + y^2 = 1 + dx^2y^2$ in Edwards form, defined over $\mathbb{F}_p$ by the parameter $d \notin \{-1, 0\}$.
$r_d$            The prime subgroup order such that $4r_d = \#E_d(\mathbb{F}_p)$ is the order of the group of $\mathbb{F}_p$-rational points on $E_d$.
$t_d$            The trace of Frobenius $t_d = p + 1 - 4r_d$ of $E_d$.
$r'_d$           The prime subgroup order such that $4r'_d = \#E'_d(\mathbb{F}_p) = p + 1 + t_d$ is the order of the group of $\mathbb{F}_p$-rational points on the quadratic twist $E'_d$.
$P$              A generator point defined over $\mathbb{F}_p$, either of prime order $r_b$ on the Weierstrass curve $E_b$, or of prime order $r_d$ on the Edwards curve $E_d$.
$X(P)$           The $x$-coordinate of the elliptic curve point $P$.
$Y(P)$           The $y$-coordinate of the elliptic curve point $P$.
2 Selection of the prime p

For each given security level $s \in \{128, 192, 256\}$, a prime $p$ is selected as a pseudo-Mersenne prime of the form $p = 2^{2s} - c$ for a positive integer $c$. Each prime is determined by the smallest positive integer $c$ such that $p = 2^{2s} - c$ is prime. For the three values of $s$ above, the resulting primes satisfy $p \equiv 3 \pmod 4$.
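The search just described, written out as an added Python example (this is not code from the MSR ECCLib project): it finds the smallest positive $c$ with $2^{2s} - c$ prime for each security level, using a Miller-Rabin test, so the three constants of Sections 5 and 6 can be reproduced independently.

```python
# Added example (not code from the MSR ECCLib specification): reproduces the prime
# selection of Section 2, the smallest positive c with p = 2^(2s) - c prime.
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)

def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases; adequate for verifying fixed constants."""
    if n < 2:
        return False
    for q in SMALL_PRIMES:          # cheap trial division first
        if n % q == 0:
            return n == q
    d, r = n - 1, 0
    while d % 2 == 0:               # write n - 1 = 2^r * d with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False            # composite witness found
    return True

def select_prime(s):
    """Return (c, p) for the smallest positive c such that p = 2^(2s) - c is prime."""
    c = 1
    while not is_probable_prime(2 ** (2 * s) - c):
        c += 1
    return c, 2 ** (2 * s) - c

if __name__ == "__main__":
    for s in (128, 192, 256):
        c, p = select_prime(s)
        print(f"s = {s}: c = {c}, p = 2^{2 * s} - {c}, p mod 4 = {p % 4}")
```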
3 Selection of Weierstrass curves $E_b$

Given a security level $s \in \{128, 192, 256\}$ and a corresponding prime $p = 2^{2s} - c$ selected according to Section 2, the elliptic curve $E_b$ in short Weierstrass form is determined by the element $b \in \mathbb{F}_p$, $b \neq \pm 2$, with smallest absolute value (when represented as an integer in the interval $[-(p-1)/2, (p-1)/2]$) such that both group orders $r_b$ and $r'_b$ are prime and $r_b < r'_b$.
4 Selection of Edwards curves $E_d$

Given a security level $s \in \{128, 192, 256\}$ and a corresponding prime $p = 2^{2s} - c$ selected according to Section 2, the elliptic curve $E_d$ in Edwards form is determined by the element $d \in \mathbb{F}_p$, $d \notin \{-1, 0\}$, with smallest absolute value (when represented as an integer in the interval $[-(p-1)/2, (p-1)/2]$) such that both subgroup orders $r_d$ and $r'_d$ are prime.
5 Curve parameters for short Weierstrass curves

The following curves in short Weierstrass form $y^2 = x^3 - 3x + b$ over $\mathbb{F}_p$ were generated according to Section 3.
Curve ID: numsp256d1, prime $p = 2^{256} - 189$
p        : 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF43
b        : 0x25581
r_b      : 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE43C8275EA265C6020AB20294751A825
X(P)     : 0xBC9ED6B65AAADB61297A95A04F42CB0983579B0903D4C73ABC52EE1EB21AACB1
Y(P)     : 0xD08FC0F13399B6A673448BF77E04E035C955C3D115310FBB80B5B9CB2184DE9F
cofactor : 0x01
Curve ID: numsp384d1, prime $p = 2^{384} - 317$
p        : 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEC3
b        : 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF77BB
r_b      : 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD61EAF1EEB5D6881BEDA9D3D4C37E27A604D81F67B0E61B9
X(P)     : 0x757956F0B16F181C4880CA224105F1A60225C1CDFB81F9F4F3BD291B2A6CC742522EED100F61C47BEB9CBA042098152A
Y(P)     : 0xACDEE368E19B8E38D7E33D300584CF7EB0046977F87F739CB920837D121A837EBCD6B4DBBFF4AD265C74B8EC66180716
cofactor : 0x01
Curve ID: numsp512d1, prime $p = 2^{512} - 569$
p        : 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDC7
b        : 0x1D99B
r_b      : 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5B3CA4FB94E7831B4FC258ED97D0BDC63B568B36607CD243CE153F390433555D
X(P)     : 0x3AC03447141D0A93DA2B7002A03D3B5298CAD83BB501F6854506E0C25306D9F95021A151076B359E93794286255615831D5D60137D6F5DE2DC8287958CABAE57
Y(P)     : 0x943A54CA29AD56B3CE0EEEDC63EBB1004B97DBDEABBCBB8C8F4B260C7BD14F14A28415DA8B0EEDE9C121A840B25A5602CF2B5C1E4CFD0FE923A08760383527A6
cofactor : 0x01
6 Curve parameters for Edwards curves

The following curves in Edwards form $-x^2 + y^2 = 1 + dx^2y^2$ over $\mathbb{F}_p$ were generated according to Section 4.
Curve ID: numsp256t1, prime $p = 2^{256} - 189$
p        : 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF43
d        : 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC355
r_d      : 0x4000000000000000000000000000000041955AA52F59439B1A47B190EEDD4AF5
X(P)     : 0x8A7514FB6AEA237DCD1E3D5F69209BD60C398A0EE3083586A0DEC0902EED13DA
Y(P)     : 0x44D53E9FD9D925C7CE9665D9A64B8010715F61D810856ED32FA616E7798A89E6
cofactor : 0x04
Curve ID: numsp384t1, prime $p = 2^{384} - 317$
p        : 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEC3
d        : 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD19F
r_d      : 0x3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE2471A1CB46BE1CF61E4555AAB35C87920B9DCC4E6A3897D
X(P)     : 0x61B111FB45A9266CC0B6A2129AE55DB5B30BF446E5BE4C005763FFA8F33163406FF292B16545941350D540E46C206BDE
Y(P)     : 0x82983E67B9A6EEB08738B1A423B10DD716AD8274F1425F56830F98F7F645964B0072B0F946EC48DC9D8D03E1F0729392
cofactor : 0x04
Curve ID: numsp512t1, prime $p = 2^{512} - 569$
p        : 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDC7
d        : 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFECBEF
r_d      : 0x3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFB4F0636D2FCF91BA9E3FD8C970B686F52A4605786DEFECFF67468CF51BEED46D
X(P)     : 0xDF8E316D128DB69C7A18CB7888D3C5332FD1E79F4DC4A38227A17EBE273B81474621C14EEE46730F78BDC992568904AD0FE525427CC4F015C5B9AB2999EC57FE
Y(P)     : 0x6D09BFF39D49CA7198B0F577A82A256EE476F726D8259D22A92B6B95909E834120CA53F2E9963562601A06862AECC1FD0266D38A9BF1D01F326DDEC0C1E2F5E1
cofactor : 0x04
References

1. Joppe W. Bos, Craig Costello, Patrick Longa, and Michael Naehrig. Selecting elliptic curves for cryptography: An efficiency and security analysis. J. Cryptographic Engineering, 2015. http://dx.doi.org/10.1007/s13389-015-0097-y.
2. Craig Costello, Patrick Longa, and Michael Naehrig. A brief discussion on selecting new elliptic curves. Technical Report MSR-TR-2015-46, June 2015.