Transcription of SEC 2: Recommended Elliptic Curve Domain Parameters
1 Standards for Efficient CryptographySEC 2: Recommended Elliptic Curve Domain ParametersCerticom ResearchContact: Daniel R. L. Brown 27, 2010 Version 2010 Certicom to copy this document is granted provided it is identified as Standards for EfficientCryptography 2 (SEC 2) , in all material mentioning or referencing 2 (Draft) Ver. Overview .. Compliance .. Document Evolution .. Intellectual Property .. Organization ..12 Recommended Elliptic Curve Domain Parameters Properties of Elliptic Curve Domain Parameters overFp.. Recommended 192-bit Elliptic Curve Domain Parameters overFp.. Recommended Parameters secp192k1 .. Recommended Parameters secp192r1 .. Recommended 224-bit Elliptic Curve Domain Parameters overFp.. Recommended Parameters secp224k1 .. Recommended Parameters secp224r1 .. Recommended 256-bit Elliptic Curve Domain Parameters overFp.
2 Recommended Parameters secp256k1 .. Recommended Parameters secp256r1 .. Recommended 384-bit Elliptic Curve Domain Parameters overFp.. Recommended Parameters secp384r1 .. Recommended 521-bit Elliptic Curve Domain Parameters overFp.. Recommended Parameters secp521r1 ..113 Recommended Elliptic Curve Domain Parameters Properties of Elliptic Curve Domain Parameters overF2m.. Recommended 163-bit Elliptic Curve Domain Parameters overF2m.. Recommended Parameters sect163k1 .. Recommended Parameters sect163r1 .. Recommended Parameters sect163r2 .. Recommended 233-bit Elliptic Curve Domain Parameters overF2m.. Recommended Parameters sect233k1 .. Recommended Parameters sect233r1 ..19 ContentsPage i ofiiiSEC 2 (Draft) Ver. Recommended 239-bit Elliptic Curve Domain Parameters overF2m.. Recommended Parameters sect239k1 .. Recommended 283-bit Elliptic Curve Domain Parameters overF2m.
3 Recommended Parameters sect283k1 .. Recommended Parameters sect283r1 .. Recommended 409-bit Elliptic Curve Domain Parameters overF2m.. Recommended Parameters sect409k1 .. Recommended Parameters sect409r1 .. Recommended 571-bit Elliptic Curve Domain Parameters overF2m.. Recommended Parameters sect571k1 .. Recommended Parameters sect571r1 ..26A Syntax for Elliptic Curve Domain Parameters .. Object Identifiers for Recommended Parameters .. OIDs for Recommended Parameters overFp.. OIDs for Recommended Parameters overF2m.. The Information Object SetSECGC urveNames..30B References33 Page ii ofiiiContentsSEC 2 (Draft) Ver. of Tables1 Properties of Recommended Elliptic Curve Domain Parameters overFp..42 Status of Recommended Elliptic Curve Domain Parameters overFp..53 Representations ofF2m..144 Properties of Recommended Elliptic Curve Domain Parameters overF2m.
4 155 Status of Recommended Elliptic Curve Domain Parameters overF2m..16 List of TablesPage iii ofiiiSEC 2 (Draft) Ver. OverviewThis document lists example Elliptic Curve Domain Parameters at commonly required security levelsfor use by implementers of SEC 1 [SEC 1] and other ECC standards like ANSI [ ], [ ], and IEEE 1363 [1363] and IEEE 1363a [1363A].It is strongly Recommended that implementers select Parameters from among the Parameters listedin this document when they deploy ECC-based products in order to encourage the deployment ofinteroperable ECC-based ComplianceImplementations may claim compliance with the Recommended Parameters specified in this docu-ment provided some subset of the Recommended Parameters is used by the cryptographic schemesbased on Elliptic Curve cryptography included in the is envisioned that implementations choosing to comply with this document will typically choosealso to comply with its companion document, SEC 1 [SEC 1].
5 It is intended to make a validation system available so that implementors can check compliancewith this document see the SECG website, , for further Document EvolutionThis document will be reviewed every five years to ensure it remains up to date with cryptographicadvances. The next scheduled review will therefore take place in February intermittent reviews may also be performed from time-to-time as deemed necessary bythe Standards for Efficient Cryptography Intellectual PropertyThe reader s attention is called to the possibility that compliance with this document may requireuse of an invention covered by patent rights. By publication of this document, no position is takenwith respect to the validity of this claim or of any patent rights in connection therewith. Thepatent holder(s) may have filed with the SECG a statement of willingness to grant a license underthese rights on fair, reasonable and nondiscriminatory terms and conditions to applicants desiringto obtain such a license.
6 Additional details may be obtained from the patent holder and from theSECG website, OrganizationThis document is organized as follows. 1 IntroductionPage 1 OrganizationSEC 2 (Draft) Ver. main body of the document focuses on the specification of Recommended Elliptic Curve domainparameters. Section2describes Recommended Elliptic Curve Domain Parameters overFp, andSection3describes Recommended Elliptic Curve Domain Parameters appendices to the document provide additional relevant material. AppendixAprovides ref-erence syntax for implementations to use to identify the Parameters . AppendixBlists thereferences cited in the 2 of33 1 IntroductionSEC 2 (Draft) Ver. Recommended Elliptic Curve Domain Parameters overFpThis section specifies the Elliptic Curve Domain Parameters overFprecommended in this section is organized as follows. First relevant properties of the rec-ommended Parameters overFp.
7 Then Recommended 192-bit Elliptic curvedomain Parameters overFp, Recommended 224-bit Elliptic Curve Domain pa-rameters overFp, Recommended 256-bit Elliptic Curve Domain Parameters overFp, Recommended 384-bit Elliptic Curve Domain Parameters overFp, Recommended 521-bit Elliptic Curve Domain Parameters overFp, Properties of Elliptic Curve Domain Parameters overFpFollowing SEC 1 [SEC 1], Elliptic Curve Domain Parameters overFpare a sextuple:T= (p,a,b,G,n,h)consisting of an integerpspecifying the finite fieldFp, two elementsa,b Fpspecifying an ellipticcurveE(Fp) defined by the equation:E:y2 x3+ +b(modp),a base pointG= (xG,yG) onE(Fp), a primenwhich is the order ofG, and an integerhwhich isthe cofactorh= #E(Fp) Elliptic Curve Domain Parameters are specified in this document, each component of this sex-tuple is represented as an octet string converted using the conventions specified in SEC 1 [SEC 1].
8 Again following SEC 1 [SEC 1], Elliptic Curve Domain Parameters overFpmust have:dlog2pe {192,224,256,384,521}.This restriction is designed to encourage interoperability while allowing implementers to sup-ply commonly required security levels recall that Elliptic Curve Domain Parameters overFpwithdlog2pe= 2tsupply approximatelytbits of security meaning that solving the logarithm problemon the associated Elliptic Curve is believed to take approximately Recommended Elliptic Curve Domain Parameters are supplied at each of the sizes allowed inSEC the Recommended Elliptic Curve Domain Parameters overFpuse special form primes for their fieldorderp. These special form primes facilitate especially efficient implementations like those describedin [Nat99]. Recommended Elliptic Curve Domain Parameters overFpwhich use random primes fortheir field orderpmay be added later if commercial demand for such Parameters Elliptic Curve Domain Parameters overFpsupplied at each security level typically consist ofexamples of two different types of Parameters one type being Parameters associated with a Koblitzcurve and the other type being Parameters chosen verifiably at random although only verifiablyrandom Parameters are supplied at export strength and at extremely high strength.
9 2 Recommended Elliptic Curve Domain Parameters overFpPage 3 Properties of Elliptic Curve Domain Parameters overFpSEC 2 (Draft) Ver. associated with a Koblitz Curve admit especially efficient implementation. The nameKoblitz Curve is best-known when used to describe binary anomalous curves overF2mwhich havea,b {0,1}[Kob92]. Here it is generalized to refer also to curves overFpwhich possess anefficiently computable endomorphism [GLV01]. The Recommended Parameters associated with aKoblitz Curve were chosen by repeatedly selecting Parameters admitting an efficiently computableendomorphism until a prime order Curve was random Parameters offer some additional conservative features. These Parameters arechosen from a seed using SHA-1 as specified in ANSI [ ]. This process ensures thatthe Parameters cannot be predetermined. The Parameters are therefore extremely unlikely tobe susceptible to future special-purpose attacks, and no trapdoors can have been placed in theparameters during their generation.
10 When Elliptic Curve Domain Parameters are chosen verifiablyat random, the seedSused to generate the Parameters may optionally be stored along with theparameters so that users can verify the Parameters were chosen verifiably at verifiably random Parameters have been chosen either so that the associated Elliptic curvehas prime order, or so that scalar multiplication of points on the associated Elliptic Curve can beaccelerated using Montgomery s method [Mon87]. The Recommended verifiably random parameterswere chosen by repeatedly selecting a random seed and counting the number of points on thecorresponding Curve until appropriate Parameters were found. Typically the Parameters werechosen so thata=p 3 because such Parameters admit efficient implementation. For a givenp,approximately half the isomorphism classes of Elliptic curves overFpcontain a Curve witha=p SEC 1 [SEC 1] for further guidance on the selection of Elliptic Curve Domain Parameters 1: Properties of Recommended Elliptic Curve Domain Parameters overFpThe Recommended Elliptic Curve Domain Parameters overFphave been given nicknames to enablethem to be easily identified.
