A.2 Elliptic curves

In the FIPS 186-2 standard, NIST recommended 15 elliptic curves of varying security levels for U.S. federal government use. The curves are of three types:

(i)random elliptic curves over a prime field F p;

(ii)random elliptic curves over a binary field F2m ; and

(iii)Koblitz elliptic curves over a binary field F2m .

Their parameters are listed in §A.2.1, §A.2.2 and §A.2.3, respectively.

In the tables that follow, integers and polynomials are sometimes represented as hexadecimal strings. For example, “0x1BB5” is the hexadecimal representation of the integer 7093. The coefficients of the binary polynomial z13 + z11 + z5 + z2 + z + 1 form a binary string “10100000100111” which has hexadecimal representation “0x2827”.

A.2.1 Random elliptic curves over F p

Table A.3 lists domain parameters for the five NIST-recommended randomly chosen elliptic curves over prime fields F p. The primes p were specially chosen to allow for very fast reduction of integers modulo p (see §2.2.6). The selection a = −3 for the coefficient in the elliptic curve equation was made so that elliptic curve points represented in Jacobian projective coordinates could be added using one fewer field multiplication (see §3.2.2). The following parameters are given for each curve:

p The order of the prime field F p.

S The seed selected to randomly generate the coefficients of the elliptic curve using Algorithm 4.17.

r The output of SHA-1 in Algorithm 4.17.

a, b The coefficients of the elliptic curve y2 = x3 + ax + b satisfying r b2 ≡ a3 (mod p).

n The (prime) order of the base point P. h The cofactor.

x, y The x and y coordinates of P.

A.2.2 Random elliptic curves over F2m

Table A.4 lists domain parameters for the five NIST-recommended randomly chosen elliptic curves over binary fields F2m . The extension degrees m are prime and were selected so that there exists a Koblitz curve over F2m having almost-prime group order (see §A.2.3). Algorithm 4.19 was used to generate the coefficient b of an elliptic curve over F2m from the seed S. The output b of the algorithm was interpreted as an element of F2m represented with respect to the Gaussian normal basis specified in FIPS 186-2. A change-of-basis matrix was then used to transform b to a polynomial basis representation—see FIPS 186-2 for more details. The following parameters are given for each curve:

m The extension degree of the binary field F2m . f (z) The reduction polynomial of degree m.

SThe seed selected to randomly generate the coefficients of the elliptic curve.

A.2.3 Koblitz elliptic curves over F2m

Table A.5 lists domain parameters for the five NIST-recommended Koblitz curves over binary fields. The binary fields F2m are the same as for the random curves in §A.2.2. Koblitz curves were selected because point multiplication can be performed faster than for the random curves (see §3.4). The following parameters are given for each curve:

m The extension degree of the binary field F2m . f (z) The reduction polynomial of degree m.

a, b The coefficients of the elliptic curve y2 + x y = x3 + ax2 + b. n The (prime) order of the base point P.

h The cofactor.

x, y The x and y coordinates of P.

Table A.5. NIST-recommended Koblitz curves over binary fields.

This page intentionally left blank

APPENDIX B

ECC Standards

Cryptographic standards are important for two reasons: (i) to facilitate the widespread use of cryptographically sound and well-specified techniques; and (ii) to promote interoperability between different implementations. Interoperability is encouraged by completely specifying the steps of the cryptographic schemes and the formats for shared data such as domain parameters, keys and exchanged messages, and by limiting the number of options available to the implementor.

This section describes the salient features of selected standards and draft standards that describe elliptic curve mechanisms for signatures, encryption, and key establishment. A summary is provided in Table B.1. Electronic copies of the standards can be obtained online from the web sites listed in Table B.2. It should be noted that many of these standards are updated periodically. Readers should consult the web sites for the latest drafts.

American National Standards Institute (ANSI) The ANSI X9F subcommittee of the ANSI X9 committee develops information security standards for the financial services industry. Two elliptic curve standards have been completed: ANSI X9.62 which specifies the ECDSA (§4.4.1), and ANSI X9.63 which specifies numerous elliptic curve key agreement and key transport protocols including STS (§4.6.1), ECMQV (§4.6.2), and ECIES (§4.5.1). The objective of these standards is to achieve a high degree of security and interoperability. The underlying finite field is restricted to being a prime field F p or a binary field F2m . The elements of F2m may be represented using a polynomial basis or a normal basis over F2. If a polynomial basis is desired, then the reduction polynomial must be an irreducible trinomial, if one exists, and an irreducible pentanomial otherwise. To facilitate interoperability, a specific reduction polynomial is recommended for each field F2m ; these polynomials of degree m, where 2 ≤ m ≤ 600, are listed in Tables A.1 and A.2. If a normal basis is desired, a specific Gaussian normal

basis is mandated. The primary security requirement is that the order n of the base point P should be greater than 2160. The only hash function employed is SHA-1; however, it is anticipated that ANSI X9.62 and X9.63 will be updated in the coming years to allow for hash functions of varying output lengths.

National Institute of Standards and Technology (NIST) NIST is a non-regulatory federal agency within the U.S. Commerce Department’s Technology Administration. Included in its mission is the development of security-related Federal Information Processing Standards (FIPS) intended for use by U.S. federal government departments. The FIPS standards widely adopted and depolyed around the world include the Data Encryption Standard (DES: FIPS 46), the Secure Hash Algorithms (SHA-1, SHA-256, SHA-384 and SHA-512: FIPS 180-2 [138]), the Advanced Encryption Standard (AES: FIPS 197 [141]), and Hash-based Message Authentication Code (HMAC: FIPS 198 [142]). FIPS 186-2, also known as the Digital Signature Standard (DSS), specifies the RSA, DSA and ECDSA signature schemes. ECDSA is specified simply by reference to ANSI X9.62 with a recommendation to use the 15 elliptic curves listed in §A.2.1, §A.2.2 and §A.2.3. NIST is in the process of developing a recommendation [342] for elliptic curve key establishment schemes that will include a selection of protocols from ANSI X9.63.

Institute of Electrical and Electronics Engineers (IEEE) The IEEE P1363 working group is developing a suite of standards for public-key cryptography. The scope of P1363 is very broad and includes schemes based on the intractability of integer factorization, discrete logarithm in finite fields, elliptic curve discrete logarithms, and lattice-based schemes. The 1363-2000 standard includes elliptic curve signature schemes (ECDSA and an elliptic curve analogue of a signature scheme due to Nyberg and Rueppel), and elliptic curve key agreement schemes (ECMQV and variants of elliptic curve Diffie-Hellman (ECDH)). It differs fundamentally from the ANSI standards and FIPS 186-2 in that there are no mandated minimum security requirements and there is an abundance of options. Its primary purpose, therefore, is to serve as a reference for specifications of a variety of cryptographic protocols from which other standards and applications can select. The 1363-2000 standard restricts the underlying finite field to be a prime field F p or a binary field F2m . The P1363a draft standard is an addendum to 1363-2000. It contains specifications of ECIES and the Pintsov-Vanstone signature scheme providing message recovery, and allows for extension fields F pm of odd characteristic including optimal extension fields (see §2.4).

International Organization for Standardization (ISO) ISO and the International Electrotechnical Commission (IEC) jointly develop cryptographic standards within the SC 27 subcommittee. ISO/IEC 15946 is a suite of elliptic curve cryptographic standards that specifies signature schemes (including ECDSA and EC-KCDSA), key establishment schemes (including ECMQV and STS), and digital signature schemes providing message recovery. ISO/IEC 18033-2 provides detailed descriptions and se-

270 B. ECC Standards

curity analyses of various public-key encryption schemes including ECIES-KEM and PSEC-KEM.

Standards for Efficient Cryptography Group (SECG) SECG is a consortium of companies formed to address potential interoperability problems with cryptographic standards. SEC 1 specifies ECDSA, ECIES, ECDH and ECMQV, and attempts to be compatible with all ANSI, NIST, IEEE and ISO/IEC elliptic curve standards. Some specific elliptic curves, including the 15 NIST elliptic curves, are listed in SEC 2.

New European Schemes for Signatures, Integrity and Encryption (NESSIE) The NESSIE project was funded by the European Union’s Fifth Framework Programme. Its main objective was to assess and select various symmetric-key primitives (block ciphers, stream ciphers, hash functions, message authentication codes) and public-key primitives (public-key encryption, signature and identification schemes). The elliptic curve schemes selected were ECDSA and the key transport protocols PSEC-KEM and ACE-KEM.

Cryptographic Research and Evaluation Committee (CRYPTREC) The Inform- ation-technology Promotion Agency (IPA) in Japan formed the CRYPTREC committee for the purpose of evaluating cryptographic protocols for securing the Japanese government’s electronic business. Numerous symmetric-key and public-key primitives are being evaluated, including ECDSA, ECIES, PSEC-KEM and ECDH.