SEC2(Draft)Ver.2.0 - PDF document

SEC2(Draft)Ver.2.0 Contents1Introduction 1 1.1Overview.......................................... 1 1.2Compliance........................................ 1 1.3DocumentEvolution................................... 1 1.4IntellectualProperty................................... 1 1.5Organization....................................... 1 2RecommendedEllipticCurveDomainParametersoverFp 3 2.1PropertiesofEllipticCurveDomainParametersoverFp............... 3 2.2Recommended192-bitEllipticCurveDomainParametersoverFp.......... 6 2.2.1RecommendedParameterssecp192k1...................... 6 2.2.2RecommendedParameterssecp192r1...................... 6 2.3Recommended224-bitEllipticCurveDomainParametersoverFp.......... 7 2.3.1RecommendedParameterssecp224k1...................... 7 2.3.2RecommendedParameterssecp224r1...................... 8 2.4Recommended256-bitEllipticCurveDomainParametersoverFp.......... 9 2.4.1RecommendedParameterssecp256k1...................... 9 2.4.2RecommendedParameterssecp256r1...................... 9 2.5Recommended384-bitEllipticCurveDomainParametersoverFp.......... 10 2.5.1RecommendedParameterssecp384r1...................... 10 2.6Recommended521-bitEllipticCurveDomainParametersoverFp.......... 11 2.6.1RecommendedParameterssecp521r1...................... 11 3RecommendedEllipticCurveDomainParametersoverF2m 13 3.1PropertiesofEllipticCurveDomainParametersoverF2m............... 13 3.2Recommended163-bitEllipticCurveDomainParametersoverF2m......... 17 3.2.1RecommendedParameterssect163k1...................... 17 3.2.2RecommendedParameterssect163r1...................... 17 3.2.3RecommendedParameterssect163r2...................... 18 3.3Recommended233-bitEllipticCurveDomainParametersoverF2m......... 19 3.3.1RecommendedParameterssect233k1...................... 19 3.3.2RecommendedParameterssect233r1...................... 19 ContentsPageiof iii SEC2(Draft)Ver.2.0 ListofTables1PropertiesofRecommendedEllipticCurveDomainParametersoverFp....... 4 2StatusofRecommendedEllipticCurveDomainParametersoverFp......... 5 3RepresentationsofF2m.................................. 14 4PropertiesofRecommendedEllipticCurveDomainParametersoverF2m...... 15 5StatusofRecommendedEllipticCurveDomainParametersoverF2m........ 16 ListofTablesPageiiiof iii 1.5OrganizationSEC2(Draft)Ver.2.0 Themainbodyofthedocumentfocusesonthespecicationofrecommendedellipticcurvedomainparameters.Section 2 describesrecommendedellipticcurvedomainparametersoverFp,andSection 3 describesrecommendedellipticcurvedomainparametersoverF2m.Theappendicestothedocumentprovideadditionalrelevantmaterial.Appendix A providesref-erenceASN.1syntaxforimplementationstousetoidentifytheparameters.Appendix B liststhereferencescitedinthedocument. Page2of 33 x1Introduction SEC2(Draft)Ver.2.0 2RecommendedEllipticCurveDomainParametersoverFpThissectionspeciestheellipticcurvedomainparametersoverFprecommendedinthisdocument.Thesectionisorganizedasfollows.FirstSection 2.1 describesrelevantpropertiesoftherec-ommendedparametersoverFp.ThenSection 2.2 speciesrecommended192-bitellipticcurvedomainparametersoverFp,Section 2.3 speciesrecommended224-bitellipticcurvedomainpa-rametersoverFp,Section 2.4 speciesrecommended256-bitellipticcurvedomainparametersoverFp,Section 2.5 speciesrecommended384-bitellipticcurvedomainparametersoverFp,Section 2.6 speciesrecommended521-bitellipticcurvedomainparametersoverFp,2.1PropertiesofEllipticCurveDomainParametersoverFpFollowingSEC1[ SEC1 ],ellipticcurvedomainparametersoverFpareasextuple:T=(p;a;b;G;n;h)consistingofanintegerpspecifyingtheniteeldFp,twoelementsa;b2FpspecifyinganellipticcurveE(Fp)denedbytheequation:E:y2x3+a:x+b(modp);abasepointG=(xG;yG)onE(Fp),aprimenwhichistheorderofG,andanintegerhwhichisthecofactorh=#E(Fp)=n.Whenellipticcurvedomainparametersarespeciedinthisdocument,eachcomponentofthissex-tupleisrepresentedasanoctetstringconvertedusingtheconventionsspeciedinSEC1[ SEC1 ].AgainfollowingSEC1[ SEC1 ],ellipticcurvedomainparametersoverFpmusthave:dlog2pe2f192;224;256;384;521g:Thisrestrictionisdesignedtoencourageinteroperabilitywhileallowingimplementerstosup-plycommonlyrequiredsecuritylevels|recallthatellipticcurvedomainparametersoverFpwithdlog2pe=2tsupplyapproximatelytbitsofsecurity|meaningthatsolvingthelogarithmproblemontheassociatedellipticcurveisbelievedtotakeapproximately2toperations.HererecommendedellipticcurvedomainparametersaresuppliedateachofthesizesallowedinSEC1.AlltherecommendedellipticcurvedomainparametersoverFpusespecialformprimesfortheireldorderp.Thesespecialformprimesfacilitateespeciallyecientimplementationslikethosedescribedin[ Nat99 ].RecommendedellipticcurvedomainparametersoverFpwhichuserandomprimesfortheireldorderpmaybeaddedlaterifcommercialdemandforsuchparametersincreases.TheellipticcurvedomainparametersoverFpsuppliedateachsecurityleveltypicallyconsistofexamplesoftwodierenttypesofparameters|onetypebeingparametersassociatedwithaKoblitzcurveandtheothertypebeingparameterschosenveriablyatrandom|althoughonlyveriablyrandomparametersaresuppliedatexportstrengthandatextremelyhighstrength. x2RecommendedEllipticCurveDomainParametersoverFpPage3of 33 2.1PropertiesofEllipticCurveDomainParametersoverFpSEC2(Draft)Ver.2.0 ParametersassociatedwithaKoblitzcurveadmitespeciallyecientimplementation.ThenameKoblitzcurveisbest-knownwhenusedtodescribebinaryanomalouscurvesoverF2mwhichhavea;b2f0;1g[ Kob92 ].HereitisgeneralizedtoreferalsotocurvesoverFpwhichpossessanecientlycomputableendomorphism[ GLV01 ].TherecommendedparametersassociatedwithaKoblitzcurvewerechosenbyrepeatedlyselectingparametersadmittinganecientlycomputableendomorphismuntilaprimeordercurvewasfound.Veriablyrandomparametersoersomeadditionalconservativefeatures.TheseparametersarechosenfromaseedusingSHA-1asspeciedinANSIX9.62[ X9.62 ].Thisprocessensuresthattheparameterscannotbepredetermined.Theparametersarethereforeextremelyunlikelytobesusceptibletofuturespecial-purposeattacks,andnotrapdoorscanhavebeenplacedintheparametersduringtheirgeneration.Whenellipticcurvedomainparametersarechosenveriablyatrandom,theseedSusedtogeneratetheparametersmayoptionallybestoredalongwiththeparameterssothatuserscanverifytheparameterswerechosenveriablyatrandom.Hereveriablyrandomparametershavebeenchoseneithersothattheassociatedellipticcurvehasprimeorder,orsothatscalarmultiplicationofpointsontheassociatedellipticcurvecanbeacceleratedusingMontgomery'smethod[ Mon87 ].Therecommendedveriablyrandomparameterswerechosenbyrepeatedlyselectingarandomseedandcountingthenumberofpointsonthecorrespondingcurveuntilappropriateparameterswerefound.Typicallytheparameterswerechosensothata=p�3becausesuchparametersadmitecientimplementation.Foragivenp,approximatelyhalftheisomorphismclassesofellipticcurvesoverFpcontainacurvewitha=p�3.SeeSEC1[ SEC1 ]forfurtherguidanceontheselectionofellipticcurvedomainparametersoverFp. Parameters Section Strength Size RSA/DSA Koblitzorran-dom secp192k1 2.2.1 96 192 1536 k secp192r1 2.2.2 96 192 1536 r secp224k1 2.3.1 112 224 2048 k secp224r1 2.3.2 112 224 2048 r secp256k1 2.4.1 128 256 3072 k secp256r1 2.4.2 128 256 3072 r secp384r1 2.5.1 192 384 7680 r secp521r1 2.6.1 256 521 15360 r Table1:PropertiesofRecommendedEllipticCurveDomainParametersoverFp TherecommendedellipticcurvedomainparametersoverFphavebeengivennicknamestoenablethemtobeeasilyidentied.Thenicknameswerechosenasfollows.Eachnamebeginswithsectodenote`StandardsforEcientCryptography',followedbyaptodenoteparametersover Page4of 33 x2RecommendedEllipticCurveDomainParametersoverFp SEC2(Draft)Ver.2.02.3Recommended224-bitEllipticCurveDomainParametersoverFp p=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF=2192�264�1ThecurveE:y2=x3+ax+boverFpisdenedby:a=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFCb=64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1EwaschosenveriablyatrandomasspeciedinANSIX9.62[ X9.62 ]fromtheseed:S=3045AE6FC8422F64ED579528D38120EAE12196D5ThebasepointGincompressedformis:G=03188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012andinuncompressedformis:G=04188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF101207192B95FFC8DA78631011ED6B24CDD573F977A11E794811FinallytheordernofGandthecofactorare:n=FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831h=012.3Recommended224-bitEllipticCurveDomainParametersoverFpThissectionspeciesthetworecommended224-bitellipticcurvedomainparametersoverFpinthisdocument:parameterssecp224k1associatedwithaKoblitzcurve,andveriablyrandomparameterssecp224r1.Section 2.3.1 speciestheellipticcurvedomainparameterssecp224k1,andSection 2.3.2 speciestheellipticcurvedomainparameterssecp224r1.2.3.1RecommendedParameterssecp224k1TheellipticcurvedomainparametersoverFpassociatedwithaKoblitzcurvesecp224k1arespeciedbythesextupleT=(p;a;b;G;n;h)wheretheniteeldFpisdenedby:p=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFE56D=2224�232�212�211�29�27�24�2�1ThecurveE:y2=x3+ax+boverFpisdenedby:a=00000000000000000000000000000000000000000000000000000000b=00000000000000000000000000000000000000000000000000000005ThebasepointGincompressedformis: x2RecommendedEllipticCurveDomainParametersoverFpPage7of 33 2.3Recommended224-bitEllipticCurveDomainParametersoverFpSEC2(Draft)Ver.2.0 G=03A1455B334DF099DF30FC28A169A467E9E47075A90F7E650EB6B7A45Candinuncompressedformis:G=04A1455B334DF099DF30FC28A169A467E9E47075A90F7E650EB6B7A45C7E089FED7FBA344282CAFBD6F7E319F7C0B0BD59E2CA4BDB556D61A5FinallytheordernofGandthecofactorare:n=010000000000000000000000000001DCE8D2EC6184CAF0A971769FB1F7h=012.3.2RecommendedParameterssecp224r1TheveriablyrandomellipticcurvedomainparametersoverFpsecp224r1arespeciedbythesextupleT=(p;a;b;G;n;h)wheretheniteeldFpisdenedby:p=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001=2224�296+1ThecurveE:y2=x3+ax+boverFpisdenedby:a=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFEb=B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4EwaschosenveriablyatrandomasspeciedinANSIX9.62[ X9.62 ]fromtheseed:S=BD71344799D5C7FCDC45B59FA3B9AB8F6A948BC5ThebasepointGincompressedformis:G=02B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21andinuncompressedformis:G=04B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34FinallytheordernofGandthecofactorare:n=FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3Dh=01 Page8of 33 x2RecommendedEllipticCurveDomainParametersoverFp SEC2(Draft)Ver.2.02.6Recommended521-bitEllipticCurveDomainParametersoverFp p=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF=2384�2128�296+232�1ThecurveE:y2=x3+ax+boverFpisdenedby:a=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFCb=B3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEFEwaschosenveriablyatrandomasspeciedinANSIX9.62[ X9.62 ]fromtheseed:S=A335926AA319A27A1D00896A6773A4827ACDAC73ThebasepointGincompressedformis:G=03AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F25DBF55296C3A545E3872760AB7andinuncompressedformis:G=04AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F25DBF55296C3A545E3872760AB73617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A147CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5FFinallytheordernofGandthecofactorare:n=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973h=012.6Recommended521-bitEllipticCurveDomainParametersoverFpThissectionspeciestherecommended521-bitellipticcurvedomainparametersoverFpinthisdocument:veriablyrandomparameterssecp521r1.Section 2.6.1 speciestheellipticcurvedomainparameterssecp521r1.2.6.1RecommendedParameterssecp521r1TheveriablyrandomellipticcurvedomainparametersoverFpsecp521r1arespeciedbythesextupleT=(p;a;b;G;n;h)wheretheniteeldFpisdenedby: x2RecommendedEllipticCurveDomainParametersoverFpPage11of 33 3.2Recommended163-bitEllipticCurveDomainParametersoverF2mSEC2(Draft)Ver.2.0 S=24B7B137C8A14D696E6768756151756FD0DA2E5CHoweverforhistoricalreasonsthemethodusedtogenerateEfromSdiersslightlyfromthemethoddescribedinANSIX9.62[ X9.62 ].SpecicallythecoecientbproducedfromSisthereverseofthecoecientthatwouldhavebeenproducedbythemethoddescribedinANSIX9.62.ThebasepointGincompressedformis:G=030369979697AB43897789566789567F787A7876A654andinuncompressedformis:G=040369979697AB43897789566789567F787A7876A65400435EDB42EFAFB2989D51FEFCE3C80988F41FF883FinallytheordernofGandthecofactorare:n=03FFFFFFFFFFFFFFFFFFFF48AAB689C29CA710279Bh=023.2.3RecommendedParameterssect163r2TheveriablyrandomellipticcurvedomainparametersoverF2msect163r2arespeciedbytheseptupleT=(m;f(x);a;b;G;n;h)wherem=163andtherepresentationofF2163isdenedby:f(x)=x163+x7+x6+x3+1ThecurveE:y2+xy=x3+ax2+boverF2misdenedby:a=000000000000000000000000000000000000000001b=020A601907B8C953CA1481EB10512F78744A3205FDEwaschosenveriablyatrandomfromtheseed:S=85E25BFE5C86226CDB12016F7553F9D0E693A268EwasselectedfromSasspeciedinANSIX9.62[ X9.62 ]innormalbasisrepresentationandconvertedintopolynomialbasisrepresentation.ThebasepointGincompressedformis:G=0303F0EBA16286A2D57EA0991168D4994637E8343E36andinuncompressedformis:G=0403F0EBA16286A2D57EA0991168D4994637E8343E3600D51FBC6C71A0094FA2CDD545B11C5C0C797324F1FinallytheordernofGandthecofactorare:n=040000000000000000000292FE77E70C12A4234C33h=02 Page18of 33 x3RecommendedEllipticCurveDomainParametersoverF2m SEC2(Draft)Ver.2.03.3Recommended233-bitEllipticCurveDomainParametersoverF2m 3.3Recommended233-bitEllipticCurveDomainParametersoverF2mThissectionspeciesthetworecommended233-bitellipticcurvedomainparametersoverF2minthisdocument:parameterssect233k1associatedwithaKoblitzcurve,andveriablyrandomparameterssect233r1.Section 3.3.1 speciestheellipticcurvedomainparameterssect233k1,andSection 3.3.2 speciestheellipticcurvedomainparameterssect233r1.3.3.1RecommendedParameterssect233k1TheellipticcurvedomainparametersoverF2massociatedwithaKoblitzcurvesect233k1arespeciedbytheseptupleT=(m;f(x);a;b;G;n;h)wherem=233andtherepresentationofF2233isdenedby:f(x)=x233+x74+1ThecurveE:y2+xy=x3+ax2+boverF2misdenedby:a=000000000000000000000000000000000000000000000000000000000000b=000000000000000000000000000000000000000000000000000000000001ThebasepointGincompressedformis:G=02017232BA853A7E731AF129F22FF4149563A419C26BF50A4C9D6EEFAD6126andinuncompressedformis:G=04017232BA853A7E731AF129F22FF4149563A419C26BF50A4C9D6EEFAD612601DB537DECE819B7F70F555A67C427A8CD9BF18AEB9B56E0C11056FAE6A3FinallytheordernofGandthecofactorare:n=8000000000000000000000000000069D5BB915BCD46EFB1AD5F173ABDFh=043.3.2RecommendedParameterssect233r1TheveriablyrandomellipticcurvedomainparametersoverF2msect233r1arespeciedbytheseptupleT=(m;f(x);a;b;G;n;h)wherem=233andtherepresentationofF2233isdenedby:f(x)=x233+x74+1 x3RecommendedEllipticCurveDomainParametersoverF2mPage19of 33 3.4Recommended239-bitEllipticCurveDomainParametersoverF2mSEC2(Draft)Ver.2.0 ThecurveE:y2+xy=x3+ax2+boverF2misdenedby:a=000000000000000000000000000000000000000000000000000000000001b=0066647EDE6C332C7F8C0923BB58213B333B20E9CE4281FE115F7D8F90ADEwaschosenveriablyatrandomfromtheseed:S=74D59FF07F6B413D0EA14B344B20A2DB049B50C3EwasselectedfromSasspeciedinANSIX9.62[ X9.62 ]innormalbasisrepresentationandconvertedintopolynomialbasisrepresentation.ThebasepointGincompressedformis:G=0300FAC9DFCBAC8313BB2139F1BB755FEF65BC391F8B36F8F8EB7371FD558Bandinuncompressedformis:G=0400FAC9DFCBAC8313BB2139F1BB755FEF65BC391F8B36F8F8EB7371FD558B01006A08A41903350678E58528BEBF8A0BEFF867A7CA36716F7E01F81052FinallytheordernofGandthecofactorare:n=01000000000000000000000000000013E974E72F8A6922031D2603CFE0D7h=023.4Recommended239-bitEllipticCurveDomainParametersoverF2mThissectionspeciestherecommended239-bitellipticcurvedomainparametersoverF2minthisdocument:parameterssect239k1associatedwithaKoblitzcurve.Section 3.4.1 speciestheellipticcurvedomainparameterssect239k1.3.4.1RecommendedParameterssect239k1TheellipticcurvedomainparametersoverF2massociatedwithaKoblitzcurvesect239k1arespeciedbytheseptupleT=(m;f(x);a;b;G;n;h)wherem=239andtherepresentationofF2239isdenedby:f(x)=x239+x158+1ThecurveE:y2+xy=x3+ax2+boverF2misdenedby: Page20of 33 x3RecommendedEllipticCurveDomainParametersoverF2m 3.5Recommended283-bitEllipticCurveDomainParametersoverF2mSEC2(Draft)Ver.2.0 ThebasepointGincompressedformis:G=020503213F78CA44883F1A3B8162F188E553CD265F23C1567A16876913B0C2AC2458492836andinuncompressedformis:G=040503213F78CA44883F1A3B8162F188E553CD265F23C1567A16876913B0C2AC245849283601CCDA380F1C9E318D90F95D07E5426FE87E45C0E8184698E45962364E34116177DD2259FinallytheordernofGandthecofactorare:n=01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE9AE2ED07577265DFF7F94451E061E163C61h=043.5.2RecommendedParameterssect283r1TheveriablyrandomellipticcurvedomainparametersoverF2msect283r1arespeciedbytheseptupleT=(m;f(x);a;b;G;n;h)wherem=283andtherepresentationofF2283isdenedby:f(x)=x283+x12+x7+x5+1ThecurveE:y2+xy=x3+ax2+boverF2misdenedby:a=000000000000000000000000000000000000000000000000000000000000000000000001b=027B680AC8B8596DA5A4AF8A19A0303FCA97FD7645309FA2A581485AF6263E313B79A2F5Ewaschosenveriablyatrandomfromtheseed:S=77E2B07370EB0F832A6DD5B62DFC88CD06BB84BEEwasselectedfromSasspeciedinANSIX9.62[ X9.62 ]innormalbasisrepresentationandconvertedintopolynomialbasisrepresentation.ThebasepointGincompressedformis:G=0305F939258DB7DD90E1934F8C70B0DFEC2EED25B8557EAC9C80E2E198F8CDBECD86B12053andinuncompressedformis:G=0405F939258DB7DD90E1934F8C70B0DFEC2EED25B8557EAC9C80E2E198F8CDBECD86B1205303676854FE24141CB98FE6D4B20D02B4516FF702350EDDB0826779C813F0DF45BE8112F4 Page22of 33 x3RecommendedEllipticCurveDomainParametersoverF2m 3.6Recommended409-bitEllipticCurveDomainParametersoverF2mSEC2(Draft)Ver.2.0 n=7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE5F83B2D4EA20400EC4557D5ED3E3E7CA5B4B5C83B8E01E5FCFh=043.6.2RecommendedParameterssect409r1TheveriablyrandomellipticcurvedomainparametersoverF2msect409r1arespeciedbytheseptupleT=(m;f(x);a;b;G;n;h)wherem=409andtherepresentationofF2409isdenedby:f(x)=x409+x87+1ThecurveE:y2+xy=x3+ax2+boverF2misdenedby:a=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001b=0021A5C2C8EE9FEB5C4B9A753B7B476B7FD6422EF1F3DD674761FA99D6AC27C8A9A197B272822F6CD57A55AA4F50AE317B13545FEwaschosenveriablyatrandomfromtheseed:S=4099B5A457F9D69F79213D094C4BCD4D4262210BEwasselectedfromSasspeciedinANSIX9.62[ X9.62 ]innormalbasisrepresentationandconvertedintopolynomialbasisrepresentation.ThebasepointGincompressedformis:G=03015D4860D088DDB3496B0C6064756260441CDE4AF1771D4DB01FFE5B34E59703DC255A868A1180515603AEAB60794E54BB7996A7andinuncompressedformis:G=04015D4860D088DDB3496B0C6064756260441CDE4AF1771D4DB01FFE5B34E59703DC255A868A1180515603AEAB60794E54BB7996A70061B1CFAB6BE5F32BBFA78324ED106A7636B9C5A7BD198D0158AA4F5488D08F38514F1FDF4B4F40D2181B3681C364BA0273C706FinallytheordernofGandthecofactorare:n=010000000000000000000000000000000000000000000000000001E2AAD6A612F33307BE5FA47C3C9E052F838164CD37D9A21173h=02 Page24of 33 x3RecommendedEllipticCurveDomainParametersoverF2m 3.7Recommended571-bitEllipticCurveDomainParametersoverF2mSEC2(Draft)Ver.2.0 n=020000000000000000000000000000000000000000000000000000000000000000000000131850E1F19A63E4B391A8DB917F4138B630D84BE5D639381E91DEB45CFE778F637C1001h=043.7.2RecommendedParameterssect571r1TheveriablyrandomellipticcurvedomainparametersoverF2msect571r1arespeciedbytheseptupleT=(m;f(x);a;b;G;n;h)wherem=571andtherepresentationofF2571isdenedby:f(x)=x571+x10+x5+x2+1ThecurveE:y2+xy=x3+ax2+boverF2misdenedby:a=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001b=02F40E7E2221F295DE297117B7F3D62F5C6A97FFCB8CEFF1CD6BA8CE4A9A18AD84FFABBD8EFA59332BE7AD6756A66E294AFD185A78FF12AA520E4DE739BACA0C7FFEFF7F2955727AEwaschosenveriablyatrandomfromtheseed:S=2AA058F73A0E33AB486B0F610410C53A7F132310EwasselectedfromSasspeciedinANSIX9.62[ X9.62 ]innormalbasisrepresentationandconvertedintopolynomialbasisrepresentation.ThebasepointGincompressedformis:G=030303001D34B856296C16C0D40D3CD7750A93D1D2955FA80AA5F40FC8DB7B2ABDBDE53950F4C0D293CDD711A35B67FB1499AE60038614F1394ABFA3B4C850D927E1E7769C8EEC2D19andinuncompressedformis:G=040303001D34B856296C16C0D40D3CD7750A93D1D2955FA80AA5F40FC8DB7B2ABDBDE53950F4C0D293CDD711A35B67FB1499AE60038614F1394ABFA3B4C850D927E1E7769C8EEC2D19037BF27342DA639B6DCCFFFEB73D69D78C6C27A6009CBBCA1980F8533921E8A684423E43BAB08A576291AF8F461BB2A8B3531D2F0485C19B16E2F1516E23DD3C1A4827AF1B8AC15BFinallytheordernofGandthecofactorare: Page26of 33 x3RecommendedEllipticCurveDomainParametersoverF2m SEC2(Draft)Ver.2.0 AASN.1SyntaxThissectiondiscussestherepresentationofellipticcurvedomainparametersusingASN.1syntaxandspeciesASN.1objectidentiersfortheellipticcurvedomainparametersrecommendedinthisdocument.A.1SyntaxforEllipticCurveDomainParametersThereareanumberofwaysofrepresentingellipticcurvedomainparametersusingASN.1syntax.ThefollowingsyntaxisrecommendedinSEC1[ SEC1 ]foruseinX.509certicatesandelsewhere(following[ RFC3279 ]).Parameters { CURVES:IOSet } ::=CHOICE { ecParametersECParameters,namedCurveCURVES.&id( { IOSet } ),implicitCANULL } where  ecParametersoftypeECParametersindicatesthatthefullellipticcurvedomainparametersaregiven,  namedCurveoftypeCURVESindicatesthatanamedcurvefromthesetdelimitedbyCurveNamesistobeused,and  implicitCAoftypeNULLindicatesthatthecurveisknownimplicitly,thatis,theactualcurveisknowntobothpartiesbyothermeans.Thefollowingsyntaxisthenusedtodescribeexplicitrepresentationsofellipticcurvedomainparameters,ifneedbe.ECParameters::=SEQUENCE { versionINTEGER { ecpVer1(1) } (ecpVer1),fieldIDFieldID { { FieldTypes } } ,curveCurve,baseECPoint,orderINTEGER,cofactorINTEGEROPTIONAL,... } SeeSEC1[ SEC1 ]formoredetailsontheexplicitrepresentationofellipticcurvedomainparam-eters. Page28of 33 xAASN.1Syntax SEC2(Draft)Ver.2.0A.2ObjectIdentiersforRecommendedParameters A.2ObjectIdentiersforRecommendedParametersThissectionspeciesobjectidentiersfortheellipticcurvedomainparametersrecommendedinthisdocument.Theseobjectidentiersmaybeused,forexample,torepresentparametersusingthenamedCurvesyntaxdescribedintheprevioussection.Parametersthathavenotpreviouslybeenassignedobjectidentiersappearinthetreewhoserootisdesignatedbytheobjectidentiercerticom-arc.Ithasthefollowingvalue.certicom-arcOBJECTIDENTIFIER::= { iso(1)identified-organization(3)certicom(132) } ParametersthataregivenasexamplesinANSIX9.62[ X9.62 ]appearinthetreewhoserootisdesignatedbytheobjectidentieransi-X9-62.Ithasthefollowingvalue.ansi-X9-62OBJECTIDENTIFIER::= { iso(1)member-body(2)us(840)10045 } ThevaluesoftheobjectidentiersofparametersgiveninANSIX9.62areduplicatedhereforconvenience.Toreducetheencodedlengths,theparametersundercerticom-arcappearjustbelowthemainnode.TheobjectidentierellipticCurverepresentstherootofthetreecontainingallsuchparametersinthisdocumentandhasthefollowingvalue.ellipticCurveOBJECTIDENTIFIER::= { certicom-arccurve(0) } Theactualparametersappearimmediatelybelowthis;theirobjectidentiersmaybefoundinthefollowingsections.Section A.2.1 speciesobjectidentiersfortheparametersoverFp,andSection A.2.2 speciesobjectidentiersfortheparametersoverF2m.A.2.1OIDsforRecommendedParametersoverFpTheobjectidentiersfortherecommendedparametersoverFphavethefollowingvalues.Thenamesoftheidentiersagreewiththenicknamesgiventotheparametersinthisdocument.InANSIX9.62[ X9.62 ],thecurvesecp192r1isdesignatedprime192v1,andthecurvesecp256r1isdesignatedprime256v1.----Curvesoverprime-orderfields:--secp192k1OBJECTIDENTIFIER::= { ellipticCurve31 } secp192r1OBJECTIDENTIFIER::= { ansi-X9-62curves(3)prime(1)1 } secp224k1OBJECTIDENTIFIER::= { ellipticCurve32 } secp224r1OBJECTIDENTIFIER::= { ellipticCurve33 } xAASN.1SyntaxPage29of 33 ReferencesSEC2(Draft)Ver.2.0 BReferences [1363] InstituteofElectricalandElectronicsEngineers.SpecicationsforPublic-KeyCryp-tography,IEEEStandard1363-2000,Aug.2000. http://standards.ieee.org/catalog/olis/busarch.html . [1363A] |||.SpecicationsforPublic-KeyCryptography|Amendment1:AdditionalTechniques,IEEEStandard1363A-2004,Oct.2004. http://standards.ieee.org/catalog/olis/busarch.html . [Fin99] FinancialServicesTechnologyConsortium.FinancialServicesMarkupLanguage,Aug.1999.WorkingDraft. [Int06] D.R.L.Brown.AdditionalECCGroupsForIKEandIKEv2.Inter-netEngineeringTaskForce,Oct.2006.Expired. http://tools.ietf.org/html/draft-ietf-ipsec-ike-ecc-groups-10 . [Nat99] NationalInstituteofStandardsandTechnology.RecommendedEllipticCurvesforFederalGovernmentUse,Jul.1999. csrc.nist.gov/encryption . [RFC3279] L.Bassham,R.HousleyandW.Polk.RFC3279:AlgorithmsandIdentiersfortheInternetX.509PublicKeyInfrastructureCerticateandCerticateRevocationList(CRL)Prole.InternetEngineeringTaskForce,Apr.2002. www.ietf/rfc/rfc3279.txt . [SEC1] StandardsforEcientCryptographyGroup.SEC1:EllipticCurveCryptography,Mar.2009.Version2.0. http://www.secg.org/download/aid-780/sec1-v2.pdf . [WTLS] WirelessApplicationForum.WAPWTLS:WirelessApplicationProtocolWirelessTransportLayerSecuritySpecication,Feb.1999. [X9.62] AmericanNationalStandardsInstitute.PublicKeyCryptographyfortheFinan-cialServicesIndustry:TheEllipticCurveDigitalSignatureAlgorithm(ECDSA),AmericanNationalStandardX9.62-2005,2005. http://webstore.ansi.org/ansidocstore . [X9.63] |||.Public-KeyCryptographyfortheFinancialServicesIndustry:KeyAgreementandKeyTransportUsingEllipticCurveCryptography,AmericanNationalStandardX9.63-2001,2001. http://webstore.ansi.org/ansidocstore . [GLV01] R.P.Gallant,R.J.LambertandS.A.Vanstone.Fasterpointmultiplicationonellipticcurveswithecientendomorphisms.InJ.Kilian(ed.),AdvancesinCryptology|CRYPTO2001,LectureNotesinComputerScience2139,pp.190{200.InternationalAssociationforCryptologicResearch,Springer,2001. [Kob92] N.Koblitz.CM-curveswithgoodcryptographicproperties.InJ.Feigenbaum(ed.),AdvancesinCryptology|CRYPTO'91,LectureNotesinComputerScience576,pp.279{287.InternationalAssociationforCryptologicResearch,Springer,1992. Page32of 33 xReferences SEC2(Draft)Ver.2.0References [Mon87] P.Montgomery.Speedingthepollardandellipticcurvemethodsoffactorization.MathematicsofComputation,48:243{264,1987. xReferencesPage33of 33