<?xmlversion="1.0" encoding="US-ASCII"?> <!-- XML2RFC offers an include feature described in the XML2RFC README file. That syntax, however, contradicts the DTD requirements to have <reference> elements within the <references> element, so an XML parser is likely to find your XML file invalid. It may be possible that XML2RFC will change their DTD so that the XML file remains valid when their style of include is used. In the meantime therefore, we use an alternative valid-XML approach to includes, which unfortunately require that define your includes at the beginning of the file. Since the biggest benefit of includes is for references, this requires that your references be defined in ENTITY clauses here before being "included" and cited elsewhere in the file. -->version='1.0' encoding='utf-8'?> <!DOCTYPE rfc SYSTEM"rfc2629.dtd" [ <!ENTITY rfc2629 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2629.xml"> <!ENTITY rfc4181 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4181.xml"> <!ENTITY rfc2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml"> <!ENTITY rfc2578 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2578.xml"> <!ENTITY rfc2579 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2579.xml"> <!ENTITY rfc2580 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2580.xml"> <!ENTITY rfc8422 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8422.xml"> <!ENTITY rfc7027 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7027.xml"> <!ENTITY rfc7027 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8446.xml"> ]> <?rfc toc="yes"?> <?rfc symrefs="yes"?> <?rfc compact="no"?> <?rfc subcompact="no"?> <?rfc strict="no"?> <?rfc rfcedstyle="yes"?> <!-- This template is for authors of IETF specifications containing MIB modules. This template can be used as a starting point to produce specifications that comply with the Operations & Management Area guidelines for MIB module documents. --> <!-- Throughout this template, the marker "<xref target='TODO' />" is used to indicate an element or text that requires replacement or removal. --> <!-- Intellectual Property section --> <!-- The Intellectual Property section will be generated automatically by XML2RFC, based on the ipr attribute in the rfc element. --> <!-- <xref target='TODO' />For Internet-drafts, indicate which intellectual property notice to use per the rules of RFC3978. Specify this in the ipr attribute. The value can be: full3978 - noModification3978 - noDerivatives3978 - <xref target='TODO' /> Specify the category attribute per RFC2026 options are info, std, bcp, or exp. <xref target='TODO' /> if this document updates an RFC, specify the RFC in the "updates" attribute -->"rfc2629-xhtml.ent"> <rfc number="8734" xmlns:xi="http://www.w3.org/2001/XInclude" category="info" ipr="trust200902" docName="draft-bruckert-brainpool-for-tls13-07">obsoletes="" updates="" submissionType="independent" xml:lang="en" tocInclude="true" sortRefs="true" symRefs="true" version="3"> <!-- xml2rfc v2v3 conversion 2.34.0 --> <front> <title abbrev="ECC Brainpool Curves for TLS1.3">ECC1.3">Elliptic Curve Cryptography (ECC) Brainpool Curves for Transport Layer Security (TLS) Version 1.3</title><!-- see RFC2223 for guidelines regarding author names --><seriesInfo name="RFC" value="8734" /> <author fullname="Leonie Bruckert"initials="L.B."initials="L." surname="Bruckert"> <organization>secunet Security Networks</organization> <address> <postal> <street>Ammonstr. 74</street><city>01067 Dresden</city><city>Dresden</city> <code>01067</code> <country>Germany</country> </postal> <phone>+49 201 5454 3819</phone> <email>leonie.bruckert@secunet.com</email> </address> </author> <author fullname="Johannes Merkle"initials="J.M."initials="J." surname="Merkle"> <organization>secunet Security Networks</organization> <address> <postal> <street>Mergenthaler Allee 77</street><city>65760 Eschborn</city><city>Eschborn</city> <code>65760</code> <country>Germany</country> </postal> <phone>+49 201 5454 3091</phone> <email>johannes.merkle@secunet.com</email> </address> </author> <author fullname="Manfred Lochter"initials="M.L."initials="M." surname="Lochter"> <organization>BSI</organization> <address> <postal> <street>Postfach 200363</street><city>53133 Bonn</city><city>Bonn</city> <code>53133</code> <country>Germany</country> </postal> <phone>+49 228 9582 5643</phone> <email>manfred.lochter@bsi.bund.de</email> </address> </author><!-- <xref target='TODO' />: month and day will be generated automatically by XML2RFC; be sure the year is current. --><dateyear="2019" /> <workgroup></workgroup> <keyword>TLS, Ellipticmonth="February" year="2020"/> <workgroup/> <keyword>TLS</keyword> <keyword>Elliptic Curve Cryptography</keyword> <abstract><t>ECC<t>Elliptic Curve Cryptography (ECC) Brainpool curves were an option for authentication and key exchange in the Transport Layer Security (TLS) protocol version1.2,1.2 but were deprecated by the IETF for use with TLS version 1.3 because they had little usage. However, these curves have not been shown to have significant cryptographical weaknesses, and there is some interest in using several of these curves in TLS 1.3.</t> <t>This document provides the necessary protocol mechanisms for using ECC Brainpool curves in TLS 1.3. This approach is not endorsed by the IETF.</t> </abstract> </front> <middle> <sectiontitle="Introduction">numbered="true" toc="default"> <name>Introduction</name> <t><xreftarget='RFC5639' />target="RFC5639" format="default"/> specifies a new set of elliptic curve groups over finite prime fields for use in cryptographic applications. These groups, denoted as ECC Brainpool curves, were generated in a verifiablypseudo-randompseudorandom way and comply with the security requirements of relevant standards from ISO <xreftarget='ISO1' /> <xref target='ISO2' />,target="ISO1" format="default"/><xref target="ISO2" format="default"/>, ANSI <xreftarget='ANSI1' />,target="ANSI1" format="default"/>, NIST <xreftarget='FIPS' />,target="FIPS" format="default"/>, andSecGSECG <xreftarget='SEC2' />.target="SEC2" format="default"/>. </t> <t><xreftarget='RFC8422' />target="RFC8422" format="default"/> defines the usage of elliptic curves for authentication and key agreement in TLS 1.2 and earlier versions, and <xreftarget='RFC7027' />target="RFC7027" format="default"/> defines the usage of the ECC Brainpool curves for authentication and key exchange in TLS. The latter is applicable to TLS 1.2 and earlierversions,versions but not to TLS1.3 that1.3, which deprecates the ECC BrainpoolCurvecurve IDs defined in <xreftarget='RFC7027' />target="RFC7027" format="default"/> due to the lack of widespreaddeploymentdeployment. However, there is some interest in using these curves in TLS 1.3.</t> <t>The negotiation of ECC BrainpoolCurvescurves for key exchange in TLS1.31.3, according to <xreftarget='RFC8446' />target="RFC8446" format="default"/>, requires the definition and assignment of additional NamedGroup IDs. This document provides the necessary definition and assignment of additional SignatureScheme IDs for using three ECC BrainpoolCurvescurves from <xreftarget='RFC5639' />.</t>target="RFC5639" format="default"/>.</t> <t>This approach is not endorsed by the IETF. Implementers and deployers need to be aware of the strengths and weaknesses of all security mechanisms that they use.</t> </section> <sectiontitle="Requirements Terminology"> <t>Thenumbered="true" toc="default"> <name>Requirements Terminology</name> <t> The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY","<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and"OPTIONAL""<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described inRFC 2119BCP 14 <xreftarget='RFC2119' />.target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here. </t> </section> <section anchor="Main"title="Brainpoolnumbered="true" toc="default"> <name>Brainpool NamedGroupTypes">Types</name> <t>According to <xreftarget='RFC8446' />,target="RFC8446" format="default"/>, the"supported_groups""supported_groups" extension is used for the negotiation of Diffie-Hellman groups and elliptic curve groups for key exchange during a handshake starting a new TLS session. This document adds new named groups for three elliptic curves defined in <xreftarget='RFC5639' />target="RFC5639" format="default"/> to the"supported_groups" extension"supported_groups" extension, as follows.</t><figure> <artwork><![CDATA[<sourcecode type="tls-presentation"><![CDATA[ enum { brainpoolP256r1tls13(31), brainpoolP384r1tls13(32), brainpoolP512r1tls13(33) } NamedGroup;]]></artwork> </figure>]]></sourcecode> <t>The encoding ofECDHEEphemeral Elliptic Curve Diffie-Hellman (ECDHE) parameters for sec256r1, secp384r1, andsecp521r1secp521r1, as defined insection 4.2.8.2 of<xreftarget='RFC8446' />target="RFC8446" sectionFormat="of" section="4.2.8.2"/>, also applies to this document. </t> <t>Test vectors for a Diffie-Hellman key exchange using these elliptic curves are provided in <xreftarget='test_vectors' />.</t>target="test_vectors" format="default"/>.</t> </section> <section anchor="Main2"title="Brainpoolnumbered="true" toc="default"> <name>Brainpool SignatureSchemeTypes">Types</name> <t>According to <xreftarget='RFC8446' />,target="RFC8446" format="default"/>, the name space SignatureScheme is used for the negotiation of elliptic curve groups for authentication via the "signature_algorithms" extension. Besides, it is required to specify the hash function that is used to hash the message before signing. This document adds new SignatureScheme types for three elliptic curves defined in <xreftarget='RFC5639' />target="RFC5639" format="default"/>, as follows.</t><figure> <artwork><![CDATA[<sourcecode type="tls-presentation"><![CDATA[ enum { ecdsa_brainpoolP256r1tls13_sha256(0x081A), ecdsa_brainpoolP384r1tls13_sha384(0x081B), ecdsa_brainpoolP512r1tls13_sha512(0x081C) } SignatureScheme;]]></artwork> </figure>]]></sourcecode> </section> <sectiontitle="IANA Considerations"> <t> IANA is requested to updatenumbered="true" toc="default"> <name>IANA Considerations</name> <t>IANA has updated the references for the ECC Brainpool curves listed in theTransport Layer Security (TLS) Parameters registry"TLS Supported Groups" <xreftarget='IANA-TLS' />target="IANA-TLS" format="default"/> subregistry of the "Transport Layer Security (TLS) Parameters" registry to refer to this document. </t><texttable anchor='namedGroups'> <preamble></preamble> <ttcol align='center'>Value</ttcol> <ttcol align='center'>Description</ttcol> <ttcol align='center'>DTLS-OK</ttcol> <ttcol align='center'>Recommended</ttcol> <ttcol align='center'>Reference</ttcol> <c>31</c> <c>brainpoolP256r1tls13</c> <c>Y</c> <c>N</c> <c>This doc</c> <c>32</c> <c>brainpoolP384r1tls13</c> <c>Y</c> <c>N</c> <c>This doc</c> <c>33</c> <c>brainpoolP512r1tls13</c> <c>Y</c> <c>N</c> <c>This doc</c> <postamble></postamble> </texttable> <t> IANA is requested to update<table anchor="namedGroups" align="left"> <thead> <tr> <th align="center">Value</th> <th align="center">Description</th> <th align="center">DTLS-OK</th> <th align="center">Recommended</th> <th align="center">Reference</th> </tr> </thead> <tbody> <tr> <td align="center">31</td> <td align="center">brainpoolP256r1tls13</td> <td align="center">Y</td> <td align="center">N</td> <td align="center">RFC 8734</td> </tr> <tr> <td align="center">32</td> <td align="center">brainpoolP384r1tls13</td> <td align="center">Y</td> <td align="center">N</td> <td align="center">RFC 8734</td> </tr> <tr> <td align="center">33</td> <td align="center">brainpoolP512r1tls13</td> <td align="center">Y</td> <td align="center">N</td> <td align="center">RFC 8734</td> </tr> </tbody> </table> <t>IANA has updated the references for the ECC Brainpool curves in theTransport"TLS SignatureScheme" subregistry <xref target="IANA-TLS" format="default"/> of the "Transport Layer Security (TLS)ParametersParameters" registry"TLS SignatureScheme" <xref target='IANA-TLS' />to refer to thisdocument. </t> <texttable anchor='SignatureSchemes'> <preamble></preamble> <ttcol align='center'>Value</ttcol> <ttcol align='center' width='30%'>Description</ttcol> <ttcol align='center'>DTLS-OK</ttcol> <ttcol align='center'>Recommended</ttcol> <ttcol align='center'>Reference</ttcol> <c>0x081A</c> <c>ecdsa_brainpoolP256r1tls13_sha256</c> <c>Y</c> <c>N</c> <c>This doc </c> <c>0x081B</c> <c>ecdsa_brainpoolP384r1tls13_sha384</c> <c>Y</c> <c>N</c> <c>This doc </c> <c>0x081C</c> <c>ecdsa_brainpoolP512r1tls13_sha512</c> <c>Y</c> <c>N</c> <c>This doc </c> <postamble></postamble> </texttable>document.</t> <table anchor="SignatureSchemes" align="left"> <thead> <tr> <th align="center">Value</th> <th align="center">Description</th> <th align="center">Recommended</th> <th align="center">Reference</th> </tr> </thead> <tbody> <tr> <td align="center">0x081A</td> <td align="center">ecdsa_brainpoolP256r1tls13_sha256</td> <td align="center">N</td> <td align="center">RFC 8734</td> </tr> <tr> <td align="center">0x081B</td> <td align="center">ecdsa_brainpoolP384r1tls13_sha384</td> <td align="center">N</td> <td align="center">RFC 8734</td> </tr> <tr> <td align="center">0x081C</td> <td align="center">ecdsa_brainpoolP512r1tls13_sha512</td> <td align="center">N</td> <td align="center">RFC 8734</td> </tr> </tbody> </table> </section> <section anchor="Security"title="Security Considerations">numbered="true" toc="default"> <name>Security Considerations</name> <t>The security considerations of <xreftarget='RFC8446' />target="RFC8446" format="default"/> apply accordingly. </t> <t>The confidentiality,authenticityauthenticity, and integrity of the TLS communication is limited by the weakest cryptographic primitive applied. In order to achieve a maximum security level when using one of the elliptic curves from <xreftarget='namedGroups' />target="namedGroups" format="default"/> for key exchangeand / orand/or one of the signature algorithms from <xreftarget='SignatureSchemes' />target="SignatureSchemes" format="default"/> for authentication in TLS,the key derivation function, theparameters of other deployed cryptographic schemes should be chosen at commensurate strengths, for example, according to the recommendations of <xref target="NIST800-57" format="default"/> and <xref target="RFC5639" format="default"/>. In particular, this applies to (a) the key derivation function, (b) the algorithms and keylengthslength of symmetric encryption and messageauthentication as well asauthentication, and (c) the algorithm, bit length and hash functionusedfor signaturegeneration should be chosen at commensurate strengths, for example according to the recommendations of <xref target="NIST800-57"/> and <xref target="RFC5639"/>.generation. Furthermore, the private Diffie-Hellman keys should be generated from a random keystream with a length equal to the length of the order of the group E(GF(p)) defined in <xreftarget='RFC5639'/>.target="RFC5639" format="default"/>. The value of the private Diffie-Hellman keys should be less than the order of the group E(GF(p)).</t> <t>When using ECDHE key agreement with the curves brainpoolP256r1tls13,brainpoolP384r1tls13brainpoolP384r1tls13, or brainpoolP512r1tls13, the peersMUST<bcp14>MUST</bcp14> validate each other's public value Q by ensuring that the point is a valid point on the elliptic curve. If this check is not conducted, an attacker can force the key exchange into a small subgroup, and the resulting shared secret can be guessed with significantly less effort. </t> <t>Implementations of elliptic curve cryptography for TLS may be susceptible to side-channel attacks. Particular care should be taken for implementations that internally transform curve points to points on the corresponding "twisted curve", using the map (x',y') = (x*Z^2, y*Z^3) with the coefficient Z specified for that curve in <xreftarget='RFC5639' />,target="RFC5639" format="default"/>, in order to take advantage of ananefficient arithmetic based on the twisted curve's special parameters (A =-3): although the twisted curve itself offers the same level of security as the corresponding random curve (through mathematical equivalence), arithmetic based on small curve parameters may be harder to protect against side-channel attacks. General guidance on resistence of elliptic curve cryptography implementations against side-channel-attacks is given in <xref target='BSI1' /> and <xref target="HMV"/>.</t> </section> <!-- The Author's Addresses section will be generated automatically by XML2RFC from the front information --> </middle> <back> <!-- References Section --> <!-- Section 4.7f of <xref target='RFC2223bis' /> specifies the requirements for the references sections. In particular, there MUST be separate lists of normative and informative references, each in a separate section. The style SHOULD follow that of recently published RFCs. The standard MIB boilerplate available at http://www.ops.ietf.org/mib-boilerplate.html includes lists of normative and informative references that MUST appear in all IETF specifications that contain MIB modules. If items from other MIB modules appear in an IMPORTS statement in the Definitions section, then the specifications containing those MIB modules MUST be included in the list of normative references. When items are imported from an IANA-maintained MIB module the corresponding normative reference SHALL point to the on-line version of that MIB module. It is the policy of the RFC Editor that all references must be cited in the text; such citations MUST appear in the overview section where documents containing imported definitions (other those already mentioned in the MIB boilerplate) are required to be mentioned (cf. Section 3.2). In general, each normative reference SHOULD point to the most recent version of the specification in question. --> <references title="Normative References"> <reference anchor="IANA-TLS" target="http://www.iana.org/assignments/tls-parameters/tls-parameters.xml"> <front> <title>Transport Layer Security (TLS) Parameters</title> <author> <organization>Internet Assigned Numbers Authority</organization> </author> <date month="" year=""/> </front> </reference> <reference anchor='RFC2119'> <front> <title abbrev='RFC Key Words'>Key words for use in RFCs to Indicate Requirement Levels</title> <author initials='S.' surname='Bradner' fullname='Scott Bradner'> <organization>Harvard University</organization> <address> <postal> <street>1350 Mass. Ave.</street> <street>Cambridge</street> <street>MA 02138</street></postal> <phone>- +1 617 495 3864</phone> <email>sob@harvard.edu</email></address></author> <date year='1997' month='March' /> <area>General</area> <keyword>keyword</keyword> </front> <seriesInfo name='BCP' value='14' /> <seriesInfo name='RFC' value='2119' /> <format type='TXT' octets='4723' target='http://www.rfc-editor.org/rfc/rfc2119.txt' /> <format type='HTML' octets='17491' target='http://xml.resource.org/public/rfc/html/rfc2119.html' /> <format type='XML' octets='5777' target='http://xml.resource.org/public/rfc/xml/rfc2119.xml' /> </reference> <reference anchor='RFC5639'> <front> <title>Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation</title> <author initials='M.' surname='Lochter' fullname='M. Lochter'> <organization /></author> <author initials='J.' surname='Merkle' fullname='J. Merkle'> <organization /></author> <date year='2010' month='March' /> <abstract> <t>This memo proposes several elliptic curve domain parameters over finite prime fields for use in cryptographic applications. The domain parameters are consistent with the relevant international standards, and can be used in X.509 certificates and certificate revocation lists (CRLs), for Internet Key Exchange (IKE), Transport Layer Security (TLS), XML signatures, and all applications or protocols based on the cryptographic message syntax (CMS). This document is not an Internet Standards Track specification; it is published for informational purposes.</t></abstract></front> <seriesInfo name='RFC' value='5639' /> <format type='TXT' octets='50566' target='http://www.rfc-editor.org/rfc/rfc5639.txt' /> </reference> <reference anchor="RFC8422" target="https://www.rfc-editor.org/info/rfc8422"> <front> <title>Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) Versions 1.2 and Earlier</title> <author initials="Y." surname="Nir" fullname="Y. Nir"> <organization/></author> <author initials="S." surname="Josefsson" fullname="S. Josefsson"> <organization/></author> <author initials="M." surname="Pegourie-Gonnard" fullname="M. Pegourie-Gonnard"> <organization/></author> <date year="2018" month="August"/> <abstract> <t>This document describes key exchange algorithms based on Elliptic Curve Cryptography (ECC) for the Transport Layer Security (TLS) protocol. In particular, it specifies the use of Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) key agreement in a TLS handshake and the use of the Elliptic Curve Digital Signature Algorithm (ECDSA) and Edwards-curve Digital Signature Algorithm (EdDSA) as authentication mechanisms.</t><t>This document obsoletes RFC 4492.</t></abstract></front> <seriesInfo name="RFC" value="8422"/> <seriesInfo name="DOI" value="10.17487/RFC8422"/> </reference> <reference anchor="RFC7027" target="https://www.rfc-editor.org/info/rfc7027"> <front> <title>Elliptic Curve Cryptography (ECC) Brainpool Curves for Transport Layer Security (TLS)</title> <author initials="J." surname="Merkle" fullname="J. Merkle"><organization/></author> <author initials="M." surname="Lochter" fullname="M. Lochter"><organization/></author> <date year="2013" month="October"/> <abstract> <t>This document specifies-3). Although theusetwisted curve itself offers the same level ofseveral Elliptic Curve Cryptography (ECC) Brainpool curves for authentication and key exchange insecurity as theTransport Layer Security (TLS) protocol.</t></abstract></front> <seriesInfo name="RFC" value="7027"/> <seriesInfo name="DOI" value="10.17487/RFC7027"/></reference>corresponding random curve (through mathematical equivalence), arithmetic based on small curve parameters may be harder to protect against side-channel attacks. General guidance on resistance of elliptic curve cryptography implementations against side-channel attacks is given in <xref target="BSI1" format="default"/> and <xref target="HMV" format="default"/>.</t> </section> </middle> <back> <references> <name>References</name> <references> <name>Normative References</name> <referenceanchor="RFC8446" target="https://www.rfc-editor.org/info/rfc8446">anchor="IANA-TLS" target="https://www.iana.org/assignments/tls-parameters"> <front><title>The Transport Layer Security (TLS) Protocol Version 1.3</title> <author initials="E." surname="Rescorla" fullname="E. Rescorla"><organization/></author> <date year="2018" month="August"/> <abstract><t>This document specifies version 1.3 of the Transport<title>Transport Layer Security (TLS)protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t><t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t></abstract></front> <seriesInfo name="RFC" value="8446"/> <seriesInfo name="DOI" value="10.17487/RFC8446"/></reference>Parameters</title> <author> <organization>IANA</organization> </author> </front> </reference> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5639.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8422.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7027.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml"/> </references><references title="Informative References"><references> <name>Informative References</name> <reference anchor="ANSI1"> <front> <title> Public Key Cryptography For The Financial Services Industry:Thethe Elliptic Curve Digital Signature Algorithm (ECDSA) </title> <seriesInfo name="ANSI" value="X9.62"/> <author> <organization>American National Standards Institute</organization> </author> <datemonth=""month="November" year="2005"/> </front><seriesInfo name="ANSI" value="X9.62"/></reference> <reference anchor="BSI1"> <front> <title>Minimum Requirements for Evaluating Side-Channel Attack Resistance of Elliptic Curve Implementations </title> <author> <organization>Bundesamt fuer Sicherheit in der Informationstechnik</organization> </author> <date month="July" year="2011"/> </front> </reference> <reference anchor="FIPS"> <front> <title>Digital Signature Standard (DSS)</title> <author> <organization>National Institute of Standards and Technology</organization> </author> <datemonth="December" year="1998" />month="July" year="2013"/> </front> <seriesInfo name="FIPS" value="PUB186-2" />186-4"/> <seriesInfo name="DOI" value="10.6028/NIST.FIPS.186-4"/> </reference> <reference anchor="HMV"> <front> <title> Guide to Elliptic Curve Cryptography </title> <seriesInfo name="Springer" value="Verlag"/> <author initials="D" surname="Hankerson"> <organization> </organization> </author> <author initials="A" surname="Menezes"> <organization> </organization> </author> <author initials="S" surname="Vanstone"> <organization> </organization> </author> <date month="" year="2004"/> </front><seriesInfo name="Springer" value="Verlag"/></reference> <reference anchor="ISO1"> <front> <title> Information Technology - Security Techniques - Digital Signatures with Appendix - Part 3: Discrete Logarithm Based Mechanisms </title> <seriesInfo name="ISO/IEC" value="14888-3"/> <author> <organization>International Organization for Standardization </organization> </author> <datemonth="" year="2006"/>month="November" year="2018"/> </front><seriesInfo name="ISO/IEC" value="14888-3"/></reference> <reference anchor="ISO2"> <front> <title> Information Technology - SecurityTechniquestechniques - CryptographicTechniques Basedtechniques based onElliptic Curveselliptic curves - Part 2: Digital signatures </title> <author> <organization>International Organization for Standardization </organization> </author> <datemonth=""month="December" year="2002"/> </front> <seriesInfo name="ISO/IEC"value="15946-2"/>value="15946-2:2002"/> </reference> <reference anchor="NIST800-57"> <front> <title> Recommendation for Key Management - Part 1: General (Revised) </title> <author> <organization>National Institute of Standards and Technology</organization> </author> <date month="January" year="2016"/> </front> <seriesInfo name="NIST Special Publication" value="800-57"/> <seriesInfo name="DOI" value="10.6028/NIST.SP.800-57ptlr4"/> </reference> <reference anchor="SEC1"> <front> <title> SEC1: Elliptic Curve Cryptography </title> <author><organization>Certicom Research<organization>Standards for Efficient Cryptography Group </organization> </author> <datemonth="September" year="2000"/>month="May" year="2019"/> </front><seriesInfo name="Standards for Efficient Cryptography (SEC)" value="1"/></reference> <reference anchor="SEC2"> <front> <title> SEC 2: Recommended Elliptic Curve Domain Parameters </title> <author><organization>Certicom Research<organization>Standards for Efficient Cryptography Group </organization> </author> <datemonth="September" year="2000"/>month="January" year="2010"/> </front><seriesInfo name="Standards for Efficient Cryptography (SEC)" value="2"/></reference> </references> </references> <section anchor="test_vectors"title="Test Vectors">numbered="true" toc="default"> <name>Test Vectors</name> <t>This non-normative Appendix provides some test vectorsfor example(for example, Diffie-Hellman key exchanges using each of the curves defined in <xref target="namedGroups"/> . In all of the following sections theformat="default"/>). The following notation isused: <list> <t> d_A:used in all of the subsequent sections: </t> <dl newline="false" indent="7" spacing="normal"> <dt>d_A:</dt><dd>the secret key of party A</t> <t> x_qA: the</dd> <dt>x_qA:</dt><dd>the x-coordinate of the public key of party A</t> <t> y_qA: the</dd> <dt>y_qA:</dt><dd>the y-coordinate of the public key of party A</t> <t> d_B: the</dd> <dt>d_B:</dt><dd>the secret key of party B</t> <t> x_qB: the</dd> <dt>x_qB:</dt><dd>the x-coordinate of the public key of party B</t> <t> y_qB: the</dd> <dt>y_qB:</dt><dd>the y-coordinate of the public key of party B</t> <t> x_Z: the</dd> <dt>x_Z:</dt><dd>the x-coordinate of the shared secret that results from completion of the Diffie-Hellman computation,i.e.i.e., the hex representation of thepre-master secret</t> <t> y_Z: thepremaster secret</dd> <dt>y_Z:</dt><dd>the y-coordinate of the shared secret that results from completion of the Diffie-Hellman computation</t> </list></dd> </dl> <t> The field elements x_qA, y_qA, x_qB, y_qB, x_Z, and y_Z are represented as hexadecimal values using the FieldElement-to-OctetString conversion method specified in <xreftarget='SEC1' />.target="SEC1" format="default"/>. </t> <sectiontitle="256 Bit Curve">numbered="true" toc="default"> <name>256-Bit Curve</name> <t>Curve brainpoolP256r1<list> <t>dA</t> <sourcecode type="test-vectors"><![CDATA[ dA = 81DB1EE100150FF2EA338D708271BE38300CB54241D79950F77B063039804F1D</t> <t>x_qAx_qA = 44106E913F92BC02A1705D9953A8414DB95E1AAA49E81D9E85F929A8E3100BE5</t> <t>y_qAy_qA = 8AB4846F11CACCB73CE49CBDD120F5A900A69FD32C272223F789EF10EB089BDC</t> <t>dBdB = 55E40BC41E37E3E2AD25C3C6654511FFA8474A91A0032087593852D3E7D76BD3</t> <t>x_qBx_qB = 8D2D688C6CF93E1160AD04CC4429117DC2C41825E1E9FCA0ADDD34E6F1B39F7B</t> <t>y_qBy_qB = 990C57520812BE512641E47034832106BC7D3E8DD0E4C7F1136D7006547CEC6A</t> <t>x_Zx_Z = 89AFC39D41D3B327814B80940B042590F96556EC91E6AE7939BCE31F3A18BF2B</t> <t>y_Zy_Z = 49C27868F4ECA2179BFD7D59B1E3BF34C1DBDE61AE12931648F43E59632504DE</t> </list></t>]]></sourcecode> </section> <sectiontitle="384 Bit Curve">numbered="true" toc="default"> <name>384-Bit Curve</name> <t>Curve brainpoolP384r1<list> <t>dA = 1E20F5E048A5886F1F157C74E91BDE2B98C8B52D58E5003D57053FC4B0BD65D6F15EB5D1EE1610DF870795143627D042 </t> <t>x_qA = 68B665DD91C195800650CDD363C625F4E742E8134667B767B1B476793588F885AB698C852D4A6E77A252D6380FCAF068 </t> <t>y_qA = 55BC91A39C9EC01DEE36017B7D673A931236D2F1F5C83942D049E3FA20607493E0D038FF2FD30C2AB67D15C85F7FAA59</t><t>dB<sourcecode type="test-vectors"><![CDATA[ dA = 1E20F5E048A5886F1F157C74E91BDE2B98C8B52D58E5003D57053FC4B0BD6 5D6F15EB5D1EE1610DF870795143627D042 x_qA = 68B665DD91C195800650CDD363C625F4E742E8134667B767B1B47679358 8F885AB698C852D4A6E77A252D6380FCAF068 y_qA = 55BC91A39C9EC01DEE36017B7D673A931236D2F1F5C83942D049E3FA206 07493E0D038FF2FD30C2AB67D15C85F7FAA59 dB = 032640BC6003C59260F7250C3DB58CE647F98E1260ACCE4ACDA3DD869F74E 01F8BA5E0324309DB6A9831497ABAC96670 x_qB = 4D44326F269A597A5B58BBA565DA5556ED7FD9A8A9EB76C25F46DB69D19 DC8CE6AD18E404B15738B2086DF37E71D1EB4 y_qB = 62D692136DE56CBE93BF5FA3188EF58BC8A3A0EC6C1E151A21038A42E91 85329B5B275903D192F8D4E1F32FE9CC78C48 x_Z =032640BC6003C59260F7250C3DB58CE647F98E1260ACCE4ACDA3DD869F74E01F8BA5E0324309DB6A9831497ABAC96670 </t> <t>x_qB = 4D44326F269A597A5B58BBA565DA5556ED7FD9A8A9EB76C25F46DB69D19DC8CE6AD18E404B15738B2086DF37E71D1EB4 </t> <t>y_qB = 62D692136DE56CBE93BF5FA3188EF58BC8A3A0EC6C1E151A21038A42E9185329B5B275903D192F8D4E1F32FE9CC78C48 </t> <t>x_Z = 0BD9D3A7EA0B3D519D09D8E48D0785FB744A6B355E6304BC51C229FBBCE239BBADF6403715C35D4FB2A5444F575D4F42 </t> <t>y_Z0BD9D3A7EA0B3D519D09D8E48D0785FB744A6B355E6304BC51C229FBBCE2 39BBADF6403715C35D4FB2A5444F575D4F42 y_Z =0DF213417EBE4D8E40A5F76F66C56470C489A3478D146DECF6DF0D94BAE9E598157290F8756066975F1DB34B2324B7BD </t> </list></t>0DF213417EBE4D8E40A5F76F66C56470C489A3478D146DECF6DF0D94BAE9 E598157290F8756066975F1DB34B2324B7BD ]]></sourcecode> </section> <sectiontitle="512 Bit Curve">numbered="true" toc="default"> <name>512-Bit Curve</name> <t>Curve brainpoolP512r1<list> <t>dA = 16302FF0DBBB5A8D733DAB7141C1B45ACBC8715939677F6A56850A38BD87BD59B09E80279609FF333EB9D4C061231FB26F92EEB04982A5F1D1764CAD57665422 </t> <t>x_qA = 0A420517E406AAC0ACDCE90FCD71487718D3B953EFD7FBEC5F7F27E28C6149999397E91E029E06457DB2D3E640668B392C2A7E737A7F0BF04436D11640FD09FD </t> <t>y_qA = 72E6882E8DB28AAD36237CD25D580DB23783961C8DC52DFA2EC138AD472A0FCEF3887CF62B623B2A87DE5C588301EA3E5FC269B373B60724F5E82A6AD147FDE7 </t> <t>dB = 230E18E1BCC88A362FA54E4EA3902009292F7F8033624FD471B5D8ACE49D12CFABBC19963DAB8E2F1EBA00BFFB29E4D72D13F2224562F405CB80503666B25429</t><t>x_qB = 9D45F66DE5D67E2E6DB6E93A59CE0BB48106097FF78A081DE781CDB31FCE8CCBAAEA8DD4320C4119F1E9CD437A2EAB3731FA9668AB268D871DEDA55A5473199F </t> <t>y_qB = 2FDC313095BCDD5FB3A91636F07A959C8E86B5636A1E930E8396049CB481961D365CC11453A06C719835475B12CB52FC3C383BCE35E27EF194512B71876285FA </t> <t>x_Z = A7927098655F1F9976FA50A9D566865DC530331846381C87256BAF3226244B76D36403C024D7BBF0AA0803EAFF405D3D24F11A9B5C0BEF679FE1454B21C4CD1F </t> <t>y_Z<sourcecode type="test-vectors"><![CDATA[ dA = 16302FF0DBBB5A8D733DAB7141C1B45ACBC8715939677F6A56850A38BD87B D59B09E80279609FF333EB9D4C061231FB26F92EEB04982A5F1D1764CAD5766542 2 x_qA = 0A420517E406AAC0ACDCE90FCD71487718D3B953EFD7FBEC5F7F27E28C6 149999397E91E029E06457DB2D3E640668B392C2A7E737A7F0BF04436D11640FD0 9FD y_qA = 72E6882E8DB28AAD36237CD25D580DB23783961C8DC52DFA2EC138AD472 A0FCEF3887CF62B623B2A87DE5C588301EA3E5FC269B373B60724F5E82A6AD147F DE7 dB = 230E18E1BCC88A362FA54E4EA3902009292F7F8033624FD471B5D8ACE49D1 2CFABBC19963DAB8E2F1EBA00BFFB29E4D72D13F2224562F405CB80503666B2542 9 x_qB = 9D45F66DE5D67E2E6DB6E93A59CE0BB48106097FF78A081DE781CDB31FC E8CCBAAEA8DD4320C4119F1E9CD437A2EAB3731FA9668AB268D871DEDA55A54731 99F y_qB = 2FDC313095BCDD5FB3A91636F07A959C8E86B5636A1E930E8396049CB48 1961D365CC11453A06C719835475B12CB52FC3C383BCE35E27EF194512B7187628 5FA x_Z = A7927098655F1F9976FA50A9D566865DC530331846381C87256BAF322624 4B76D36403C024D7BBF0AA0803EAFF405D3D24F11A9B5C0BEF679FE1454B21C4CD 1F y_Z =7DB71C3DEF63212841C463E881BDCF055523BD368240E6C3143BD8DEF8B3B3223B95E0F53082FF5E412F4222537A43DF1C6D25729DDB51620A832BE6A26680A2 </t> </list></t>7DB71C3DEF63212841C463E881BDCF055523BD368240E6C3143BD8DEF8B3 B3223B95E0F53082FF5E412F4222537A43DF1C6D25729DDB51620A832BE6A26680 A2 ]]></sourcecode> </section> </section> </back> </rfc>