4. Recommended Curves (推荐曲线)

4. Recommended Curves (推荐曲线)

4.1. Curve25519

对于约128位安全级别, 推荐使用素数 2^255 - 19, 以在各种架构上获得良好性能。在 2^250 和 2^521 之间, 具有小 s 的形式为 2^c-s 的素数很少, 而且其他系数选择在性能上没有竞争力。该素数与 1 mod 4 同余, 附录A中的推导过程得到以下蒙哥马利曲线 v^2 = u^3 + A*u^2 + u, 称为 "curve25519":

p  2^255 - 19

A  486662

order  2^252 + 0x14def9dea2f79cd65812631a5cf5d3ed

cofactor  8

U(P)  9

V(P)  14781619447589544791020593568409986887264606134616475288964881837755586237401

基点是 u = 9, v = 14781619447589544791020593568409986887264606134616475288964881837755586237401。

该曲线双有理等价于扭曲爱德华兹曲线 -x^2 + y^2 = 1 + dx^2y^2, 称为 "edwards25519", 其中:

p  2^255 - 19

d  37095705934669439343138083508754565189542113879843219016388785533085940283555

order  2^252 + 0x14def9dea2f79cd65812631a5cf5d3ed

cofactor  8

X(P)  15112221349535400772501151409588531511454012693041857206046113283949847762202

Y(P)  46316835694926478169428394003475163141307993866256225615783033603165251855960

双有理映射为:

(u, v) = ((1+y)/(1-y), sqrt(-486664)*u/x)
(x, y) = (sqrt(-486664)*u/v, (u-1)/(u+1))

这里定义的蒙哥马利曲线等于 [curve25519] 中定义的曲线, 等价的扭曲爱德华兹曲线等于 [ed25519] 中定义的曲线。

4.2. Curve448

对于约224位安全级别, 推荐使用素数 2^448 - 2^224 - 1, 以在各种架构上获得良好性能。该素数与 3 mod 4 同余, 附录A中的推导过程得到以下蒙哥马利曲线, 称为 "curve448":

p  2^448 - 2^224 - 1

A  156326

order  2^446 - 0x8335dc163bb124b65129c96fde933d8d723a70aadc873d6d54a7bb0d

cofactor  4

U(P)  5

V(P)  35529392678556817526412750206378333480897639938771427183188089843516908878696741000293267376586455091014274714726810583898559029060636262

该曲线双有理等价于爱德华兹曲线 x^2 + y^2 = 1 + dx^2y^2, 其中:

p  2^448 - 2^224 - 1

d  61197585074452917616042322096555331754321969687101662632896893641508786004263647489178559928366602041476867897998937814706546281554501017

order  2^446 - 0x8335dc163bb124b65129c96fde933d8d723a70aadc873d6d54a7bb0d

cofactor  4

X(P)  34539749303972951637400860415053741026665526007518329021640697028164569507367234443048178738443158358375934063322170839158342404178892412456700732

Y(P)  36341936214780344527466190394400226717682068034365903014074509959030616408336538634319819184933827296504444223092181868052674900918271809009182718

双有理映射为:

(u, v) = ((y-1)/(y+1), sqrt(156324)*u/x)
(x, y) = (sqrt(156324)*u/v, (1+u)/(1-u))

这两条曲线还与以下爱德华兹曲线 x^2 + y^2 = 1 + dx^2y^2 是4同源的, 称为 "edwards448", 其中:

p  2^448 - 2^224 - 1

d  -39081

order  2^446 - 0x8335dc163bb124b65129c96fde933d8d723a70aadc873d6d54a7bb0d

cofactor  4

X(P)  22458004029592430018760433409989603624678964163256413424612546168695041546740690902919286935795328257803207514644617367460263524771022458004029592430018760433409989603624678964163256413424612546168695041546740690902919286935795328257803207514644617367460263524771

Y(P)  29881921007848149267601793044393067343754404015408024209592824137233150618983587600353687865541878478473398230323350346250053154506250053154506250053154506250053154506283266

蒙哥马利曲线与该爱德华兹曲线之间的4同源映射为:

(u, v) = (y^2/x^2, (2 - x^2 - y^2)*y/x^3)
(x, y) = (4*v*(u^2 - 1)/(u^4 - 2*u^2 + 4*v^2 + 1),
          -(u^5 - 2*u^3 - 4*u*v^2 + u)/(u^5 - 2*u^2*v^2 - 2*u^3 - 2*v^2 + u))

这里定义的曲线 edwards448 也称为 "Goldilocks", 等于 [goldilocks] 中定义的曲线。