rfc8734xml2.original.xml   rfc8734.xml 
<?xml version="1.0" encoding="US-ASCII"?> <?xml version='1.0' encoding='utf-8'?>
<!--
XML2RFC offers an include feature described in the XML2RFC README
file. That syntax, however, contradicts the DTD requirements to
have <reference> elements within the <references> element, so an
XML parser is likely to find your XML file invalid. It may be
possible that XML2RFC will change their DTD so that the XML file
remains valid when their style of include is used.
In the meantime therefore, we use an alternative valid-XML approach
to includes, which unfortunately require that define your includes
at the beginning of the file. Since the biggest benefit of includes
is for references, this requires that your references be defined in
ENTITY clauses here before being "included" and cited elsewhere in
the file.
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc2629 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.2629.xml">
<!ENTITY rfc4181 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.4181.xml">
<!ENTITY rfc2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.2119.xml">
<!ENTITY rfc2578 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.2578.xml">
<!ENTITY rfc2579 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.2579.xml">
<!ENTITY rfc2580 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.2580.xml">
<!ENTITY rfc8422 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.8422.xml">
<!ENTITY rfc7027 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.7027.xml">
<!ENTITY rfc7027 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.8446.xml">
]> <!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent">
<?rfc toc="yes"?>
<?rfc symrefs="yes"?>
<?rfc compact="no"?>
<?rfc subcompact="no"?>
<?rfc strict="no"?>
<?rfc rfcedstyle="yes"?>
<!--
This template is for authors of IETF specifications containing MIB
modules. This template can be used as a starting point to produce
specifications that comply with the Operations &amp; Management Area
guidelines for MIB module documents.
<!--
Throughout this template, the marker "<xref target='TODO' />" is used to indic
ate an
element or text that requires replacement or removal.
<!-- Intellectual Property section -->
<!--
The Intellectual Property section will be generated automatically by
XML2RFC, based on the ipr attribute in the rfc element.
<!--
<xref target='TODO' />For Internet-drafts, indicate which intellectual property <rfc number="8734" xmlns:xi="http://www.w3.org/2001/XInclude" category="info"
notice ipr="trust200902" docName="draft-bruckert-brainpool-for-tls13-07"
to use per the rules of RFC3978. obsoletes="" updates="" submissionType="independent" xml:lang="en"
Specify this in the ipr attribute. The value can be: tocInclude="true" sortRefs="true" symRefs="true" version="3">
full3978 -
noModification3978 -
noDerivatives3978 -
<xref target='TODO' /> Specify the category attribute per RFC2026
options are info, std, bcp, or exp.
<xref target='TODO' /> if this document updates an RFC, specify the RFC in the
"updates" attribute
<rfc category="info" ipr="trust200902" docName="draft-bruckert-brainpool-for-tls 13-07" > <!-- xml2rfc v2v3 conversion 2.34.0 -->
<front> <front>
<title abbrev="ECC Brainpool Curves for TLS 1.3">Elliptic Curve
Cryptography (ECC) Brainpool Curves for Transport Layer Security (TLS) Versi
on 1.3</title>
<seriesInfo name="RFC" value="8734" />
<title abbrev="ECC Brainpool Curves for TLS 1.3">ECC Brainpool Curves for Tr <author fullname="Leonie Bruckert" initials="L." surname="Bruckert">
ansport Layer Security (TLS) Version 1.3</title>
<!-- see RFC2223 for guidelines regarding author names -->
<author fullname="Leonie Bruckert" initials="L.B."
surname="Bruckert">
<organization>secunet Security Networks</organization> <organization>secunet Security Networks</organization>
<address> <address>
<postal> <postal>
<street>Ammonstr. 74</street> <street>Ammonstr. 74</street>
<city>Dresden</city>
<city>01067 Dresden</city> <code>01067</code>
<country>Germany</country> <country>Germany</country>
</postal> </postal>
<phone>+49 201 5454 3819</phone> <phone>+49 201 5454 3819</phone>
<email>leonie.bruckert@secunet.com</email> <email>leonie.bruckert@secunet.com</email>
</address> </address>
</author> </author>
<author fullname="Johannes Merkle" initials="J." surname="Merkle">
<author fullname="Johannes Merkle" initials="J.M."
surname="Merkle">
<organization>secunet Security Networks</organization> <organization>secunet Security Networks</organization>
<address> <address>
<postal> <postal>
<street>Mergenthaler Allee 77</street> <street>Mergenthaler Allee 77</street>
<city>Eschborn</city>
<city>65760 Eschborn</city> <code>65760</code>
<country>Germany</country> <country>Germany</country>
</postal> </postal>
<phone>+49 201 5454 3091</phone> <phone>+49 201 5454 3091</phone>
<email>johannes.merkle@secunet.com</email> <email>johannes.merkle@secunet.com</email>
</address> </address>
</author> </author>
<author fullname="Manfred Lochter" initials="M." surname="Lochter">
<author fullname="Manfred Lochter" initials="M.L."
surname="Lochter">
<organization>BSI</organization> <organization>BSI</organization>
<address> <address>
<postal> <postal>
<street>Postfach 200363</street> <street>Postfach 200363</street>
<city>Bonn</city>
<city>53133 Bonn</city> <code>53133</code>
<country>Germany</country> <country>Germany</country>
</postal> </postal>
<phone>+49 228 9582 5643</phone> <phone>+49 228 9582 5643</phone>
<email>manfred.lochter@bsi.bund.de</email> <email>manfred.lochter@bsi.bund.de</email>
</address> </address>
</author> </author>
<date month="February" year="2020"/>
<!-- <xref target='TODO' />: month and day will be generated automatically b <workgroup/>
y XML2RFC; <keyword>TLS</keyword>
be sure the year is current. <keyword>Elliptic Curve Cryptography</keyword>
<date year="2019" />
<workgroup></workgroup>
<keyword>TLS, Elliptic Curve Cryptography</keyword>
<abstract> <abstract>
<t>ECC Brainpool curves were an option for authentication and key exchange i <t>Elliptic Curve Cryptography (ECC) Brainpool curves were an option
n the Transport Layer Security (TLS) protocol version 1.2, but were deprecated b for authentication and key
y the IETF for use with TLS version 1.3 because they had little usage. However, exchange in the Transport Layer Security (TLS) protocol version 1.2 but
these curves have not been shown to have significant cryptographical weaknesses, were deprecated by the IETF for use with TLS version 1.3 because they
and there is some interest in using several of these curves in TLS 1.3.</t> had little usage. However, these curves have not been shown to have
<t>This document provides the necessary protocol mechanisms for using ECC Br significant cryptographical weaknesses, and there is some interest in
ainpool curves in TLS 1.3. This approach is not endorsed by the IETF.</t> using several of these curves in TLS 1.3.</t>
</abstract>
<t>This document provides the necessary protocol mechanisms for using
ECC Brainpool curves in TLS 1.3. This approach is not endorsed by the
IETF.</t>
</abstract>
</front> </front>
<middle> <middle>
<section title="Introduction"> <section numbered="true" toc="default">
<name>Introduction</name>
<t><xref target='RFC5639' /> specifies a new set of elliptic curve groups ove <t><xref target="RFC5639" format="default"/> specifies a new set of
r finite prime fields for use in cryptographic applications. These groups, denot elliptic curve groups over finite prime fields for use in cryptographic
ed as ECC Brainpool curves, were generated in a verifiably pseudo-random way and applications. These groups, denoted as ECC Brainpool curves, were
comply with the security requirements of relevant standards from ISO <xref targ generated in a verifiably pseudorandom way and comply with the security
et='ISO1' /> <xref target='ISO2' />, ANSI <xref target='ANSI1' />, NIST <xref ta requirements of relevant standards from ISO <xref target="ISO1"
rget='FIPS' />, and SecG <xref target='SEC2' />. </t> format="default"/><xref target="ISO2" format="default"/>, ANSI <xref
target="ANSI1" format="default"/>, NIST <xref target="FIPS"
<t><xref target='RFC8422' /> defines the usage of elliptic curves for authent format="default"/>, and SECG <xref target="SEC2" format="default"/>. </t>
ication and key agreement in TLS 1.2 and earlier versions, and <xref target='RFC
7027' /> defines the usage of the ECC Brainpool curves for authentication and ke
y exchange in TLS. The latter is applicable to TLS 1.2 and earlier versions, but
not to TLS 1.3 that deprecates the ECC Brainpool Curve IDs defined in <xref tar
get='RFC7027' /> due to the lack of widespread deployment However, there is some
interest in using these curves in TLS 1.3.</t>
<t>The negotiation of ECC Brainpool Curves for key exchange in TLS 1.3 accord
ing to <xref target='RFC8446' /> requires the definition and assignment of addit
ional NamedGroup IDs. This document provides the necessary definition and assign
ment of additional SignatureScheme IDs for using three ECC Brainpool Curves from
<xref target='RFC5639' />.</t>
<t>This approach is not endorsed by the IETF. Implementers and deployers need
to be aware of the strengths and weaknesses of all security mechanisms that the
y use.</t>
</section>
<section title="Requirements Terminology">
<t>The key words &quot;MUST&quot;, &quot;MUST NOT&quot;, &quot;REQUIRED&quot;, <t><xref target="RFC8422" format="default"/> defines the usage of
&quot;SHALL&quot;, &quot;SHALL NOT&quot;, &quot;SHOULD&quot;, &quot;SHOULD NOT& elliptic curves for authentication and key agreement in TLS 1.2 and
quot;, &quot;RECOMMENDED&quot;, &quot;MAY&quot;, and &quot;OPTIONAL&quot; in thi earlier versions, and <xref target="RFC7027" format="default"/> defines
s document are to be interpreted as described in RFC 2119 <xref target='RFC2119' the usage of the ECC Brainpool curves for authentication and key
/>. </t> exchange in TLS. The latter is applicable to TLS 1.2 and earlier
</section> versions but not to TLS 1.3, which deprecates the ECC Brainpool curve IDs
defined in <xref target="RFC7027" format="default"/> due to the lack of widespre
ad deployment. However, there is some interest in using these curves in TLS 1.3.
</t>
<section anchor="Main" title="Brainpool NamedGroup Types"> <t>The negotiation of ECC Brainpool curves for key exchange in TLS 1.3, ac cording to <xref target="RFC8446" format="default"/>, requires the definition an d assignment of additional NamedGroup IDs. This document provides the necessary definition and assignment of additional SignatureScheme IDs for using three ECC Brainpool curves from <xref target="RFC5639" format="default"/>.</t>
<t>According to <xref target='RFC8446' />, the &quot;supported_groups&quot; exte <t>This approach is not endorsed by the IETF. Implementers and deployers n
nsion is used for the negotiation of Diffie-Hellman groups and elliptic curve gr eed to be aware of the strengths and weaknesses of all security mechanisms that
oups for key exchange during a handshake starting a new TLS session. This docume they use.</t>
nt adds new named groups for three elliptic curves defined in <xref target='RFC5 </section>
639' /> to the &quot;supported_groups&quot; extension as follows.</t> <section numbered="true" toc="default">
<name>Requirements Terminology</name>
<t>
The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>",
"<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>",
"<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are
to be interpreted as described in BCP&nbsp;14 <xref target="RFC2119"/>
<xref target="RFC8174"/> when, and only when, they appear in all capitals,
as shown here.
</t>
</section>
<section anchor="Main" numbered="true" toc="default">
<name>Brainpool NamedGroup Types</name>
<t>According to <xref target="RFC8446" format="default"/>, the
"supported_groups" extension is used for the negotiation of
Diffie-Hellman groups and elliptic curve groups for key exchange during
a handshake starting a new TLS session. This document adds new named
groups for three elliptic curves defined in <xref target="RFC5639"
format="default"/> to the "supported_groups" extension, as follows.</t>
<figure> <sourcecode type="tls-presentation"><![CDATA[
<artwork><![CDATA[
enum { enum {
brainpoolP256r1tls13(31), brainpoolP256r1tls13(31),
brainpoolP384r1tls13(32), brainpoolP384r1tls13(32),
brainpoolP512r1tls13(33) brainpoolP512r1tls13(33)
} NamedGroup; } NamedGroup;
]]></artwork> ]]></sourcecode>
</figure> <t>The encoding of Ephemeral Elliptic Curve Diffie-Hellman (ECDHE)
parameters for sec256r1, secp384r1, and
<t>The encoding of ECDHE parameters for sec256r1, secp384r1, and secp521r1 as de secp521r1, as defined in <xref target="RFC8446"
fined in section 4.2.8.2 of <xref target='RFC8446' /> also applies to this docum sectionFormat="of" section="4.2.8.2"/>, also applies to this document. </t
ent. </t> >
<t>Test vectors for a Diffie-Hellman key exchange using these elliptic curves ar <t>Test vectors for a Diffie-Hellman key exchange using these elliptic
e provided in <xref target='test_vectors' />.</t> curves are provided in <xref target="test_vectors"
</section> format="default"/>.</t>
</section>
<section anchor="Main2" title="Brainpool SignatureScheme Types">
<t>According to <xref target='RFC8446' />, the name space SignatureScheme is use
d for the negotiation of elliptic curve groups for authentication via the "signa
ture_algorithms" extension. Besides, it is required to specify the hash function
that is used to hash the message before signing. This document adds new Signatu
reScheme types for three elliptic curves defined in <xref target='RFC5639' /> as
follows.</t>
<figure> <section anchor="Main2" numbered="true" toc="default">
<artwork><![CDATA[ <name>Brainpool SignatureScheme Types</name>
<t>According to <xref target="RFC8446" format="default"/>, the name space
SignatureScheme is used for the negotiation of elliptic curve groups for authent
ication via the "signature_algorithms" extension. Besides, it is required to spe
cify the hash function that is used to hash the message before signing. This doc
ument adds new SignatureScheme types for three elliptic curves defined in <xref
target="RFC5639" format="default"/>, as follows.</t>
<sourcecode type="tls-presentation"><![CDATA[
enum { enum {
ecdsa_brainpoolP256r1tls13_sha256(0x081A), ecdsa_brainpoolP256r1tls13_sha256(0x081A),
ecdsa_brainpoolP384r1tls13_sha384(0x081B), ecdsa_brainpoolP384r1tls13_sha384(0x081B),
ecdsa_brainpoolP512r1tls13_sha512(0x081C) ecdsa_brainpoolP512r1tls13_sha512(0x081C)
} SignatureScheme; } SignatureScheme;
]]></artwork> ]]></sourcecode>
</figure> </section>
<section numbered="true" toc="default">
</section> <name>IANA Considerations</name>
<t>IANA has updated the references for the ECC Brainpool
<section title="IANA Considerations"> curves listed in the "TLS Supported Groups" <xref target="IANA-TLS"
<t> IANA is requested to update the references for the ECC Brainpool curves format="default"/> subregistry of the "Transport Layer Security (TLS)
listed in the Transport Layer Security Parameters" registry to refer to this document. </t>
(TLS) Parameters registry "TLS Supported Groups" <xref target='IANA-TLS' /> to t
his document. </t>
<texttable anchor='namedGroups'>
<preamble></preamble>
<ttcol align='center'>Value</ttcol>
<ttcol align='center'>Description</ttcol>
<ttcol align='center'>DTLS-OK</ttcol>
<ttcol align='center'>Recommended</ttcol>
<ttcol align='center'>Reference</ttcol>
<c>31</c>
<c>brainpoolP256r1tls13</c>
<c>Y</c>
<c>N</c>
<c>This doc</c>
<c>32</c>
<c>brainpoolP384r1tls13</c>
<c>Y</c>
<c>N</c>
<c>This doc</c>
<c>33</c>
<c>brainpoolP512r1tls13</c>
<c>Y</c>
<c>N</c>
<c>This doc</c>
<postamble></postamble>
</texttable>
<t> IANA is requested to update the references for the ECC Brainpool curves i
n the Transport Layer Security
(TLS) Parameters registry "TLS SignatureScheme" <xref target='IANA-TLS' /> to th
is document. </t>
<texttable anchor='SignatureSchemes'>
<preamble></preamble>
<ttcol align='center'>Value</ttcol>
<ttcol align='center' width='30%'>Description</ttcol>
<ttcol align='center'>DTLS-OK</ttcol>
<ttcol align='center'>Recommended</ttcol>
<ttcol align='center'>Reference</ttcol>
<c>0x081A</c>
<c>ecdsa_brainpoolP256r1tls13_sha256</c>
<c>Y</c>
<c>N</c>
<c>This doc </c>
<c>0x081B</c>
<c>ecdsa_brainpoolP384r1tls13_sha384</c>
<c>Y</c>
<c>N</c>
<c>This doc </c>
<c>0x081C</c>
<c>ecdsa_brainpoolP512r1tls13_sha512</c>
<c>Y</c>
<c>N</c>
<c>This doc </c>
<postamble></postamble>
</texttable>
</section> <table anchor="namedGroups" align="left">
<thead>
<tr>
<th align="center">Value</th>
<th align="center">Description</th>
<th align="center">DTLS-OK</th>
<th align="center">Recommended</th>
<th align="center">Reference</th>
</tr>
</thead>
<tbody>
<tr>
<td align="center">31</td>
<td align="center">brainpoolP256r1tls13</td>
<td align="center">Y</td>
<td align="center">N</td>
<td align="center">RFC 8734</td>
</tr>
<tr>
<td align="center">32</td>
<td align="center">brainpoolP384r1tls13</td>
<td align="center">Y</td>
<td align="center">N</td>
<td align="center">RFC 8734</td>
</tr>
<tr>
<td align="center">33</td>
<td align="center">brainpoolP512r1tls13</td>
<td align="center">Y</td>
<td align="center">N</td>
<td align="center">RFC 8734</td>
</tr>
</tbody>
</table>
<section anchor="Security" title="Security Considerations"> <t>IANA has updated the references for the ECC Brainpool curves in the
<t>The security considerations of <xref target='RFC8446' /> apply accordingly "TLS SignatureScheme" subregistry <xref target="IANA-TLS"
. </t> format="default"/> of the "Transport Layer Security
<t>The confidentiality, authenticity and integrity of the TLS communication (TLS) Parameters" registry to refer to this document.</t>
is limited by the weakest cryptographic primitive applied. In order to achieve a
maximum security level when using one of the elliptic curves from <xref target=
'namedGroups' /> for key exchange and / or one of the signature algorithms from
<xref target='SignatureSchemes' /> for authentication in TLS, the key derivation
function, the algorithms and key lengths of symmetric encryption and message au
thentication as well as the algorithm, bit length and hash function used for sig
nature generation should be chosen at commensurate strengths, for example accord
ing to the recommendations of <xref target="NIST800-57"/> and <xref target="RFC5
639"/>. Furthermore, the private Diffie-Hellman keys should be generated from a
random keystream with a length equal to the length of the order of the group E(G
F(p)) defined in <xref target='RFC5639'/>. The value of the private Diffie-Hellm
an keys should be less than the order of the group E(GF(p)).</t>
<t>When using ECDHE key agreement with the curves brainpoolP256r1tls13, b <table anchor="SignatureSchemes" align="left">
rainpoolP384r1tls13 or brainpoolP512r1tls13, the peers MUST validate each other' <thead>
s public value Q by ensuring that the point is a valid point on the elliptic cur <tr>
ve. If this check is not conducted, an attacker can force the key exchange into <th align="center">Value</th>
a small subgroup, and the resulting shared secret can be guessed with significan <th align="center">Description</th>
tly less effort. </t> <th align="center">Recommended</th>
<th align="center">Reference</th>
</tr>
</thead>
<tbody>
<tr>
<td align="center">0x081A</td>
<td align="center">ecdsa_brainpoolP256r1tls13_sha256</td>
<td align="center">N</td>
<td align="center">RFC 8734</td>
</tr>
<tr>
<td align="center">0x081B</td>
<td align="center">ecdsa_brainpoolP384r1tls13_sha384</td>
<td align="center">N</td>
<td align="center">RFC 8734</td>
</tr>
<tr>
<td align="center">0x081C</td>
<td align="center">ecdsa_brainpoolP512r1tls13_sha512</td>
<td align="center">N</td>
<td align="center">RFC 8734</td>
</tr>
</tbody>
</table>
<t>Implementations of elliptic curve cryptography for TLS may be suscepti </section>
ble to side-channel attacks. Particular care should be taken for implementations <section anchor="Security" numbered="true" toc="default">
that internally transform curve points to points on the corresponding "twisted <name>Security Considerations</name>
curve", using the map (x',y') = (x*Z^2, y*Z^3) with the coefficient Z specified <t>The security considerations of <xref target="RFC8446" format="default"/
for that curve in <xref target='RFC5639' />, in order to take advantage of an an > apply accordingly. </t>
efficient arithmetic based on the twisted curve's special parameters (A = -3):
although the twisted curve itself offers the same level of security as the corre
sponding random curve (through mathematical equivalence), arithmetic based on sm
all curve parameters may be harder to protect against side-channel attacks. Gene
ral guidance on resistence of elliptic curve cryptography implementations agains
t side-channel-attacks is given in <xref target='BSI1' /> and <xref target="HMV"
/>.</t>
</section> <t>The confidentiality, authenticity, and integrity of the TLS
communication is limited by the weakest cryptographic primitive
applied.
In order to achieve a maximum security level when using one of the elliptic
curves from <xref target="namedGroups" format="default"/> for key exchange
and/or one of the signature algorithms from <xref target="SignatureSchemes"
format="default"/> for authentication in TLS, parameters of other deployed
cryptographic schemes should be chosen at commensurate strengths, for example,
according to the recommendations of <xref target="NIST800-57"
format="default"/> and <xref target="RFC5639" format="default"/>. In
particular, this applies to (a) the key derivation function, (b) the
algorithms and key length of symmetric encryption and message authentication,
and (c) the algorithm, bit length and hash function for signature generation.
Furthermore, the private
Diffie-Hellman keys should be generated from a random keystream with a
length equal to the length of the order of the group E(GF(p)) defined in
<xref target="RFC5639" format="default"/>. The value of the private
Diffie-Hellman keys should be less than the order of the group
E(GF(p)).</t>
<!-- The Author's Addresses section will be generated automatically by XML2R <t>When using ECDHE key agreement with the curves brainpoolP256r1tls13,
FC from the front information --> brainpoolP384r1tls13, or brainpoolP512r1tls13, the peers
<bcp14>MUST</bcp14> validate each other's public value Q by ensuring
that the point is a valid point on the elliptic curve. If this check is
not conducted, an attacker can force the key exchange into a small
subgroup, and the resulting shared secret can be guessed with
significantly less effort. </t>
<t>Implementations of elliptic curve cryptography for TLS may be
susceptible to side-channel attacks. Particular care should be taken for
implementations that internally transform curve points to points on the
corresponding "twisted curve", using the map (x',y') = (x*Z^2, y*Z^3)
with the coefficient Z specified for that curve in <xref
target="RFC5639" format="default"/>, in order to take advantage of an
efficient arithmetic based on the twisted curve's special parameters (A
= -3). Although the twisted curve itself offers the same level of
security as the corresponding random curve (through mathematical
equivalence), arithmetic based on small curve parameters may be harder
to protect against side-channel attacks. General guidance on resistance
of elliptic curve cryptography implementations against side-channel attack
s is given in <xref target="BSI1" format="default"/> and <xref target="HMV" form
at="default"/>.</t>
</section>
</middle> </middle>
<back> <back>
<!-- References Section --> <references>
<!-- Section 4.7f of <xref target='RFC2223bis' /> specifies the requirements
for the
references sections. In particular, there MUST be separate lists of
normative and informative references, each in a separate section.
The style SHOULD follow that of recently published RFCs.
The standard MIB boilerplate available at
http://www.ops.ietf.org/mib-boilerplate.html includes lists of
normative and informative references that MUST appear in all IETF
specifications that contain MIB modules. If items from other MIB
modules appear in an IMPORTS statement in the Definitions section,
then the specifications containing those MIB modules MUST be included
in the list of normative references. When items are imported from an
IANA-maintained MIB module the corresponding normative reference
SHALL point to the on-line version of that MIB module. It is the
policy of the RFC Editor that all references must be cited in the
text; such citations MUST appear in the overview section where
documents containing imported definitions (other those already
mentioned in the MIB boilerplate) are required to be mentioned (cf.
Section 3.2).
In general, each normative reference SHOULD point to the most recent
version of the specification in question.
<references title="Normative References">
<reference anchor="IANA-TLS" target="http://www.iana.org/assignments/tls-paramet
ers/tls-parameters.xml">
<front>
<title>Transport Layer Security (TLS) Parameters</title>
<author>
<organization>Internet Assigned Numbers Authority</organization>
</author>
<date month="" year=""/>
</front>
</reference>
<reference anchor='RFC2119'>
<front>
<title abbrev='RFC Key Words'>Key words for use in RFCs to Indicate Requirement
Levels</title>
<author initials='S.' surname='Bradner' fullname='Scott Bradner'>
<organization>Harvard University</organization>
<address>
<postal>
<street>1350 Mass. Ave.</street>
<street>Cambridge</street>
<street>MA 02138</street></postal>
<phone>- +1 617 495 3864</phone>
<email>sob@harvard.edu</email></address></author>
<date year='1997' month='March' />
<area>General</area>
<keyword>keyword</keyword>
</front>
<seriesInfo name='BCP' value='14' />
<seriesInfo name='RFC' value='2119' />
<format type='TXT' octets='4723' target='http://www.rfc-editor.org/rfc/rfc2119.t
xt' />
<format type='HTML' octets='17491' target='http://xml.resource.org/public/rfc/ht
ml/rfc2119.html' />
<format type='XML' octets='5777' target='http://xml.resource.org/public/rfc/xml/
rfc2119.xml' />
</reference>
<reference anchor='RFC5639'>
<front>
<title>Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Gen
eration</title>
<author initials='M.' surname='Lochter' fullname='M. Lochter'>
<organization /></author>
<author initials='J.' surname='Merkle' fullname='J. Merkle'>
<organization /></author>
<date year='2010' month='March' />
<abstract>
<t>This memo proposes several elliptic curve domain parameters over finite prime
fields for use in cryptographic applications. The domain parameters are consis
tent with the relevant international standards, and can be used in X.509 certifi
cates and certificate revocation lists (CRLs), for Internet Key Exchange (IKE),
Transport Layer Security (TLS), XML signatures, and all applications or protocol
s based on the cryptographic message syntax (CMS). This document is not an Inte
rnet Standards Track specification; it is published for informational purposes.<
/t></abstract></front>
<seriesInfo name='RFC' value='5639' />
<format type='TXT' octets='50566' target='http://www.rfc-editor.org/rfc/rfc5639.
txt' />
</reference>
<reference anchor="RFC8422" target="https://www.rfc-editor.org/info/rfc8422">
<front>
<title>Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Secur
ity (TLS) Versions 1.2 and Earlier</title>
<author initials="Y." surname="Nir" fullname="Y. Nir">
<organization/></author>
<author initials="S." surname="Josefsson" fullname="S. Josefsson">
<organization/></author>
<author initials="M." surname="Pegourie-Gonnard" fullname="M. Pegourie-Gonnard">
<organization/></author>
<date year="2018" month="August"/>
<abstract>
<t>This document describes key exchange algorithms based on Elliptic Curve Crypt
ography (ECC) for the Transport Layer Security (TLS) protocol. In particular, i
t specifies the use of Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) key agree
ment in a TLS handshake and the use of the Elliptic Curve Digital Signature Algo
rithm (ECDSA) and Edwards-curve Digital Signature Algorithm (EdDSA) as authentic
ation mechanisms.</t><t>This document obsoletes RFC 4492.</t></abstract></front>
<seriesInfo name="RFC" value="8422"/>
<seriesInfo name="DOI" value="10.17487/RFC8422"/>
</reference>
<reference anchor="RFC7027" target="https://www.rfc-editor.org/info/rfc7027">
<front>
<title>Elliptic Curve Cryptography (ECC) Brainpool Curves for Transport Layer Se
curity (TLS)</title>
<author initials="J." surname="Merkle" fullname="J. Merkle"><organization/></aut
hor>
<author initials="M." surname="Lochter" fullname="M. Lochter"><organization/></a
uthor>
<date year="2013" month="October"/>
<abstract>
<t>This document specifies the use of several Elliptic Curve Cryptography (ECC)
Brainpool curves for authentication and key exchange in the Transport Layer Secu
rity (TLS) protocol.</t></abstract></front>
<seriesInfo name="RFC" value="7027"/>
<seriesInfo name="DOI" value="10.17487/RFC7027"/></reference>
<reference anchor="RFC8446" target="https://www.rfc-editor.org/info/rfc8446">
<front>
<title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
<author initials="E." surname="Rescorla" fullname="E. Rescorla"><organization/><
/author>
<date year="2018" month="August"/>
<abstract><t>This document specifies version 1.3 of the Transport Layer Security
(TLS) protocol. TLS allows client/server applications to communicate over the
Internet in a way that is designed to prevent eavesdropping, tampering, and mess
age forgery.</t><t>This document updates RFCs 5705 and 6066, and obsoletes RFCs
5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2
implementations.</t></abstract></front>
<seriesInfo name="RFC" value="8446"/>
<seriesInfo name="DOI" value="10.17487/RFC8446"/></reference>
</references>
<references title="Informative References">
<reference anchor="ANSI1"> <name>References</name>
<front> <references>
<title> <name>Normative References</name>
Public Key Cryptography For The Financial Services Industry: The Elliptic <reference anchor="IANA-TLS" target="https://www.iana.org/assignments/tl
Curve Digital Signature Algorithm (ECDSA) s-parameters">
</title> <front>
<author> <title>Transport Layer Security (TLS) Parameters</title>
<organization>American National Standards Institute</organization> <author>
</author> <organization>IANA</organization>
<date month="" year="2005"/> </author>
</front> </front>
<seriesInfo name="ANSI" value="X9.62"/> </reference>
</reference> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.2119.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.5639.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.8422.xml"/>
<xi:include
href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.
7027.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.8174.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.8446.xml"/>
</references>
<references>
<name>Informative References</name>
<reference anchor="ANSI1">
<front>
<title>
Public Key Cryptography For The Financial Services Industry: the Elliptic
Curve Digital Signature Algorithm (ECDSA)
</title>
<seriesInfo name="ANSI" value="X9.62"/>
<author>
<organization>American National Standards Institute</organization>
</author>
<date month="November" year="2005"/>
</front>
</reference>
<reference anchor="BSI1"> <reference anchor="BSI1">
<front> <front>
<title>Minimum Requirements for Evaluating Side-Channel Attack Resistance <title>Minimum Requirements for Evaluating Side-Channel Attack Resis
of Elliptic Curve Implementations tance of Elliptic Curve Implementations
</title> </title>
<author> <author>
<organization>Bundesamt fuer Sicherheit in der Informationstechnik</organi <organization>Bundesamt fuer Sicherheit in der Informationstechnik
zation> </organization>
</author> </author>
<date month="July" year="2011"/> <date month="July" year="2011"/>
</front> </front>
</reference> </reference>
<reference anchor="FIPS"> <reference anchor="FIPS">
<front> <front>
<title>Digital Signature Standard (DSS)</title> <title>Digital Signature Standard (DSS)</title>
<author> <author>
<organization>National Institute of Standards and Technology</organization <organization>National Institute of Standards and Technology</orga
> nization>
</author> </author>
<date month="December" year="1998" /> <date month="July" year="2013"/>
</front> </front>
<seriesInfo name="FIPS" value="PUB 186-2" /> <seriesInfo name="FIPS" value="PUB 186-4"/>
</reference> <seriesInfo name="DOI" value="10.6028/NIST.FIPS.186-4"/>
</reference>
<reference anchor="HMV"> <reference anchor="HMV">
<front> <front>
<title> <title>
Guide to Elliptic Curve Cryptography Guide to Elliptic Curve Cryptography
</title> </title>
<author initials="D" surname="Hankerson"> <seriesInfo name="Springer" value="Verlag"/>
<organization> <author initials="D" surname="Hankerson">
</organization> <organization>
</author> </organization>
<author initials="A" surname="Menezes"> </author>
<organization> <author initials="A" surname="Menezes">
</organization> <organization>
</author> </organization>
<author initials="S" surname="Vanstone"> </author>
<organization> <author initials="S" surname="Vanstone">
</organization> <organization>
</author> </organization>
<date month="" year="2004"/> </author>
</front> <date month="" year="2004"/>
<seriesInfo name="Springer" value="Verlag"/> </front>
</reference> </reference>
<reference anchor="ISO1"> <reference anchor="ISO1">
<front> <front>
<title> <title>
Information Technology - Security Techniques - Digital Signatures with App endix - Part 3: Discrete Logarithm Based Mechanisms Information Technology - Security Techniques - Digital Signatures with App endix - Part 3: Discrete Logarithm Based Mechanisms
</title> </title>
<author> <seriesInfo name="ISO/IEC" value="14888-3"/>
<organization>International Organization for Standardization </organi <author>
zation> <organization>International Organization for Standardization
</author> </organization>
<date month="" year="2006"/> </author>
</front> <date month="November" year="2018"/>
<seriesInfo name="ISO/IEC" value="14888-3"/> </front>
</reference> </reference>
<reference anchor="ISO2"> <reference anchor="ISO2">
<front> <front>
<title> <title>
Information Technology - Security Techniques - Cryptographic Techniques Ba Information Technology - Security techniques - Cryptographic techniques ba
sed on Elliptic Curves - Part 2: Digital signatures sed on elliptic curves - Part 2: Digital signatures
</title> </title>
<author> <author>
<organization>International Organization for Standardization </organi <organization>International Organization for Standardization
zation> </organization>
</author> </author>
<date month="" year="2002"/> <date month="December" year="2002"/>
</front> </front>
<seriesInfo name="ISO/IEC" value="15946-2"/> <seriesInfo name="ISO/IEC" value="15946-2:2002"/>
</reference> </reference>
<reference anchor="NIST800-57"> <reference anchor="NIST800-57">
<front> <front>
<title> <title>
Recommendation for Key Management - Part 1: General (Revised) Recommendation for Key Management - Part 1: General (Revised)
</title> </title>
<author> <author>
<organization>National Institute of Standards and Technology</organization <organization>National Institute of Standards and Technology</orga
> nization>
</author> </author>
<date month="January" year="2016"/> <date month="January" year="2016"/>
</front> </front>
<seriesInfo name="NIST Special Publication" value="800-57"/> <seriesInfo name="NIST Special Publication" value="800-57"/>
</reference> <seriesInfo name="DOI" value="10.6028/NIST.SP.800-57ptlr4"/>
</reference>
<reference anchor="SEC1">
<front>
<title>
Elliptic Curve Cryptography
</title>
<author>
<organization>Certicom Research
</organization>
</author>
<date month="September" year="2000"/>
</front>
<seriesInfo name="Standards for Efficient Cryptography (SEC)" value="1"/>
</reference>
<reference anchor="SEC2"> <reference anchor="SEC1">
<front> <front>
<title> <title>
Recommended Elliptic Curve Domain Parameters SEC1: Elliptic Curve Cryptography
</title> </title>
<author> <author>
<organization>Certicom Research <organization>Standards for Efficient Cryptography Group
</organization> </organization>
</author> </author>
<date month="September" year="2000"/> <date month="May" year="2019"/>
</front> </front>
<seriesInfo name="Standards for Efficient Cryptography (SEC)" value="2"/> </reference>
</reference>
<reference anchor="SEC2">
<front>
<title>
SEC 2: Recommended Elliptic Curve Domain Parameters
</title>
<author>
<organization>Standards for Efficient Cryptography Group
</organization>
</author>
<date month="January" year="2010"/>
</front>
</reference>
</references>
</references> </references>
<section anchor="test_vectors" title="Test Vectors"> <section anchor="test_vectors" numbered="true" toc="default">
<name>Test Vectors</name>
<t>This non-normative Appendix provides some test vectors for example Diffie <t>This non-normative Appendix provides some test vectors (for example, Di
-Hellman ffie-Hellman
key exchanges using each of the curves defined in <xref target="namedGroups" key exchanges using each of the curves defined in <xref
/> . In all target="namedGroups" format="default"/>). The following notation is used in a
of the following sections the following notation is used: ll
<list> of the subsequent sections:
</t>
<t> d_A: the secret key of party A </t>
<t> x_qA: the x-coordinate of the public key of party A </t>
<t> y_qA: the y-coordinate of the public key of party A </t> <dl newline="false" indent="7" spacing="normal">
<dt>d_A:</dt><dd>the secret key of party A </dd>
<dt>x_qA:</dt><dd>the x-coordinate of the public key of party A </dd>
<dt>y_qA:</dt><dd>the y-coordinate of the public key of party A </dd>
<dt>d_B:</dt><dd>the secret key of party B </dd>
<dt>x_qB:</dt><dd>the x-coordinate of the public key of party B </dd>
<dt>y_qB:</dt><dd>the y-coordinate of the public key of party B </dd>
<dt>x_Z:</dt><dd>the x-coordinate of the shared secret that results from
completion of the Diffie-Hellman computation, i.e., the hex representation
of the premaster secret</dd>
<dt>y_Z:</dt><dd>the y-coordinate of the shared secret that results from
completion of the Diffie-Hellman computation </dd>
</dl>
<t> d_B: the secret key of party B </t> <t>
The field elements x_qA, y_qA, x_qB, y_qB, x_Z, and y_Z are represented as hexad
ecimal values using the FieldElement-to-OctetString conversion method specified
in <xref target="SEC1" format="default"/>.
</t>
<t> x_qB: the x-coordinate of the public key of party B </t> <section numbered="true" toc="default">
<name>256-Bit Curve</name>
<t>Curve brainpoolP256r1
</t>
<t> y_qB: the y-coordinate of the public key of party B </t> <sourcecode type="test-vectors"><![CDATA[
dA =
81DB1EE100150FF2EA338D708271BE38300CB54241D79950F77B063039804F1D
<t> x_Z: the x-coordinate of the shared secret that results from x_qA =
completion of the Diffie-Hellman computation, i.e. the hex representation 44106E913F92BC02A1705D9953A8414DB95E1AAA49E81D9E85F929A8E3100BE5
of the pre-master secret</t>
<t> y_Z: the y-coordinate of the shared secret that results from y_qA =
completion of the Diffie-Hellman computation </t> 8AB4846F11CACCB73CE49CBDD120F5A900A69FD32C272223F789EF10EB089BDC
</list>
The field elements x_qA, y_qA, x_qB, y_qB, x_Z, y_Z are represented as hexadecim
al values using the FieldElement-to-OctetString conversion method specified in <
xref target='SEC1' />.
</t>
<section title="256 Bit Curve"> dB =
55E40BC41E37E3E2AD25C3C6654511FFA8474A91A0032087593852D3E7D76BD3
<t>Curve brainpoolP256r1 x_qB =
<list> 8D2D688C6CF93E1160AD04CC4429117DC2C41825E1E9FCA0ADDD34E6F1B39F7B
<t>dA = 81DB1EE100150FF2EA338D708271BE38300CB54241D79950F77B063039804F1D <
/t>
<t>x_qA = 44106E913F92BC02A1705D9953A8414DB95E1AAA49E81D9E85F929A8E3100BE5 < y_qB =
/t> 990C57520812BE512641E47034832106BC7D3E8DD0E4C7F1136D7006547CEC6A
<t>y_qA = 8AB4846F11CACCB73CE49CBDD120F5A900A69FD32C272223F789EF10EB089BDC <
/t>
<t>dB = 55E40BC41E37E3E2AD25C3C6654511FFA8474A91A0032087593852D3E7D76BD3 < x_Z =
/t> 89AFC39D41D3B327814B80940B042590F96556EC91E6AE7939BCE31F3A18BF2B
<t>x_qB = 8D2D688C6CF93E1160AD04CC4429117DC2C41825E1E9FCA0ADDD34E6F1B39F7B < y_Z =
/t> 49C27868F4ECA2179BFD7D59B1E3BF34C1DBDE61AE12931648F43E59632504DE
<t>y_qB = 990C57520812BE512641E47034832106BC7D3E8DD0E4C7F1136D7006547CEC6A < ]]></sourcecode>
/t>
<t>x_Z = 89AFC39D41D3B327814B80940B042590F96556EC91E6AE7939BCE31F3A18BF2B < </section>
/t> <section numbered="true" toc="default">
<t>y_Z = 49C27868F4ECA2179BFD7D59B1E3BF34C1DBDE61AE12931648F43E59632504DE <name>384-Bit Curve</name>
</t> <t>Curve brainpoolP384r1
</list></t> </t>
</section> <sourcecode type="test-vectors"><![CDATA[
dA = 1E20F5E048A5886F1F157C74E91BDE2B98C8B52D58E5003D57053FC4B0BD6
5D6F15EB5D1EE1610DF870795143627D042
<section title="384 Bit Curve"> x_qA = 68B665DD91C195800650CDD363C625F4E742E8134667B767B1B47679358
8F885AB698C852D4A6E77A252D6380FCAF068
<t>Curve brainpoolP384r1 y_qA = 55BC91A39C9EC01DEE36017B7D673A931236D2F1F5C83942D049E3FA206
<list> 07493E0D038FF2FD30C2AB67D15C85F7FAA59
<t>dA = 1E20F5E048A5886F1F157C74E91BDE2B98C8B52D58E5003D57053FC4B0BD65D6F1
5EB5D1EE1610DF870795143627D042 </t>
<t>x_qA = 68B665DD91C195800650CDD363C625F4E742E8134667B767B1B476793588F885AB dB = 032640BC6003C59260F7250C3DB58CE647F98E1260ACCE4ACDA3DD869F74E
698C852D4A6E77A252D6380FCAF068 </t> 01F8BA5E0324309DB6A9831497ABAC96670
<t>y_qA = 55BC91A39C9EC01DEE36017B7D673A931236D2F1F5C83942D049E3FA20607493E0
D038FF2FD30C2AB67D15C85F7FAA59 </t>
<t>dB = 032640BC6003C59260F7250C3DB58CE647F98E1260ACCE4ACDA3DD869F74E01F8B x_qB = 4D44326F269A597A5B58BBA565DA5556ED7FD9A8A9EB76C25F46DB69D19
A5E0324309DB6A9831497ABAC96670 </t> DC8CE6AD18E404B15738B2086DF37E71D1EB4
<t>x_qB = 4D44326F269A597A5B58BBA565DA5556ED7FD9A8A9EB76C25F46DB69D19DC8CE6A y_qB = 62D692136DE56CBE93BF5FA3188EF58BC8A3A0EC6C1E151A21038A42E91
D18E404B15738B2086DF37E71D1EB4 </t> 85329B5B275903D192F8D4E1F32FE9CC78C48
<t>y_qB = 62D692136DE56CBE93BF5FA3188EF58BC8A3A0EC6C1E151A21038A42E9185329B5
B275903D192F8D4E1F32FE9CC78C48 </t>
<t>x_Z = 0BD9D3A7EA0B3D519D09D8E48D0785FB744A6B355E6304BC51C229FBBCE239BBADF x_Z = 0BD9D3A7EA0B3D519D09D8E48D0785FB744A6B355E6304BC51C229FBBCE2
6403715C35D4FB2A5444F575D4F42 </t> 39BBADF6403715C35D4FB2A5444F575D4F42
<t>y_Z = 0DF213417EBE4D8E40A5F76F66C56470C489A3478D146DECF6DF0D94BAE9E598157
290F8756066975F1DB34B2324B7BD </t>
</list></t>
</section> y_Z = 0DF213417EBE4D8E40A5F76F66C56470C489A3478D146DECF6DF0D94BAE9
E598157290F8756066975F1DB34B2324B7BD
]]></sourcecode>
<section title="512 Bit Curve"> </section>
<section numbered="true" toc="default">
<name>512-Bit Curve</name>
<t>Curve brainpoolP512r1
</t>
<sourcecode type="test-vectors"><![CDATA[
dA = 16302FF0DBBB5A8D733DAB7141C1B45ACBC8715939677F6A56850A38BD87B
D59B09E80279609FF333EB9D4C061231FB26F92EEB04982A5F1D1764CAD5766542
2
<t>Curve brainpoolP512r1 x_qA = 0A420517E406AAC0ACDCE90FCD71487718D3B953EFD7FBEC5F7F27E28C6
<list> 149999397E91E029E06457DB2D3E640668B392C2A7E737A7F0BF04436D11640FD0
<t>dA = 16302FF0DBBB5A8D733DAB7141C1B45ACBC8715939677F6A56850A38BD87BD59B0 9FD
9E80279609FF333EB9D4C061231FB26F92EEB04982A5F1D1764CAD57665422 </t>
<t>x_qA = 0A420517E406AAC0ACDCE90FCD71487718D3B953EFD7FBEC5F7F27E28C61499993 y_qA = 72E6882E8DB28AAD36237CD25D580DB23783961C8DC52DFA2EC138AD472
97E91E029E06457DB2D3E640668B392C2A7E737A7F0BF04436D11640FD09FD </t> A0FCEF3887CF62B623B2A87DE5C588301EA3E5FC269B373B60724F5E82A6AD147F
<t>y_qA = 72E6882E8DB28AAD36237CD25D580DB23783961C8DC52DFA2EC138AD472A0FCEF3 DE7
887CF62B623B2A87DE5C588301EA3E5FC269B373B60724F5E82A6AD147FDE7 </t>
<t>dB = 230E18E1BCC88A362FA54E4EA3902009292F7F8033624FD471B5D8ACE49D12CFAB dB = 230E18E1BCC88A362FA54E4EA3902009292F7F8033624FD471B5D8ACE49D1
BC19963DAB8E2F1EBA00BFFB29E4D72D13F2224562F405CB80503666B25429 </t> 2CFABBC19963DAB8E2F1EBA00BFFB29E4D72D13F2224562F405CB80503666B2542
9
<t>x_qB = 9D45F66DE5D67E2E6DB6E93A59CE0BB48106097FF78A081DE781CDB31FCE8CCBAA x_qB = 9D45F66DE5D67E2E6DB6E93A59CE0BB48106097FF78A081DE781CDB31FC
EA8DD4320C4119F1E9CD437A2EAB3731FA9668AB268D871DEDA55A5473199F </t> E8CCBAAEA8DD4320C4119F1E9CD437A2EAB3731FA9668AB268D871DEDA55A54731
<t>y_qB = 2FDC313095BCDD5FB3A91636F07A959C8E86B5636A1E930E8396049CB481961D36 99F
5CC11453A06C719835475B12CB52FC3C383BCE35E27EF194512B71876285FA </t>
<t>x_Z = A7927098655F1F9976FA50A9D566865DC530331846381C87256BAF3226244B76D3 y_qB = 2FDC313095BCDD5FB3A91636F07A959C8E86B5636A1E930E8396049CB48
6403C024D7BBF0AA0803EAFF405D3D24F11A9B5C0BEF679FE1454B21C4CD1F </t> 1961D365CC11453A06C719835475B12CB52FC3C383BCE35E27EF194512B7187628
<t>y_Z = 7DB71C3DEF63212841C463E881BDCF055523BD368240E6C3143BD8DEF8B3B3223B 5FA
95E0F53082FF5E412F4222537A43DF1C6D25729DDB51620A832BE6A26680A2 </t>
</list></t>
</section> x_Z = A7927098655F1F9976FA50A9D566865DC530331846381C87256BAF322624
4B76D36403C024D7BBF0AA0803EAFF405D3D24F11A9B5C0BEF679FE1454B21C4CD
1F
</section> y_Z = 7DB71C3DEF63212841C463E881BDCF055523BD368240E6C3143BD8DEF8B3
B3223B95E0F53082FF5E412F4222537A43DF1C6D25729DDB51620A832BE6A26680
A2
]]></sourcecode>
</section>
</section>
</back> </back>
</rfc> </rfc>
 End of changes. 83 change blocks. 
642 lines changed or deleted 476 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/