SEC 1: Elliptic Curve Cryptography

ly a finite field consists of a finite set of objects called field elements together with the description of two operations addition and multiplication that can be performed on pairs of field elements. These operations must possess certain properties. It turns out that there is a finite field containing q field elements if and only if q is a power of a prime number, and furthermore that in fact for each such q t ere is precisely one finite field. The finite field containingq elements is denoted by Fq. Here only two types of finite fields Fq are used — finite fields F p with q= p, p an odd prime which are called prime finite fields, and finite fields F2m with q= 2m for somem 1 which are called characteristic 2 finite fields. It is necessary to describe these fields concretely in order to precisely specify cryptographic schemes based on ECC. Section 2.1.1 describes prime finite fields and Section 2.1.2 describes characteristic 2 finite fields. 2.1.1 The Finite FieldF p The finite fieldF p is the prime finite field containingp elements. Although there is only one prime finite field F p for each odd primep, there are many different ways to represent the elements of F p. Here the elements of F p should be represented by the set of integers: f0;1; : : : ; p 1g with addition and multiplication defined as follows: Addition: If a;b2 F p, thena+b= r in F p, wherer 2 [0; p 1] is the remainder when the integer a+b is divided byp. This is known as addition modulo p and writtena+b r (modp). Multiplication: If a;b2 F p, thena:b= s in F p, wheres2 [0; p 1] is the remainder when the integer ab is divided byp. This is known as multiplication modulo p and writtena:b s (modp). Page 4 SEC 1: Elliptic Curve Cryptography Ver. 0.5 Addition and multiplication inF p can be calculated efficiently using standard algorithms for ordinary integer arithmetic. In this representation of F p, the additive identity or zero element is the integer 0, and the multiplicative identity is the integer 1. It is convenient to define subtraction and division of field elements just as it is convenient to define subtraction and division of integers. To do so, the additive inverse (or negative) and multiplicative inverse of a field element must be described: Additive inverse: Ifa2 F p, then the additive inverse ( a) of a in F p is the unique solution to the equationa+x 0 (modp). Multiplicative inverse: Ifa2 F p, a 6= 0, then the multiplicative inverse a 1 of a in F p is the unique solution to the equation a:x 1 (modp). Additive inverses and multiplicative inverses in F p can be calculated efficiently. Multiplicative inverses are calculated using the extended Euclidean algorithm. Division and subtraction are defined in terms of additive and multiplicative inverses: a b mod p is a+( b) mod p anda=b mod p is a:(b 1) mod p. Here the prime finite fields F p used should have: dlog2 pe 2 f112;128;160;192;224;256;384;521g: This restriction is designed to facilitate interoperability, while enabling implementers to deploy implementations which are efficient in terms of computation and communication since p is aligned with word size, and which are capable of furnishing all commonly required security levels. Inclusion of dlog2 pe= 521 instead of dlog2 pe= 512 is an anomaly chosen to align this document with other standards efforts in particular with the U.S. government’s recommended elliptic curve domain parameters [67]. 2.1.2 The Finite FieldF2m The finite fieldF2m is the characteristic 2 finite field containing 2 m elements. Although there is only one characteristic 2 finite field F2m for each power 2 m of 2 with m 1, there are many different ways to represent the elements of F2m. Here the elements of F2m should be represented by the set of binary polynomials of degree m 1 or less: fam 1x +am 2x 2+ +a1x+a0 : ai 2 f0;1gg with addition and multiplication defined in terms of an irreducible binary polynomial f (x) of degreem, known as the reduction polynomial, as follows: Addition: If a= am 1x 1+ +a0, b= bm 1x 1+ +b0 2 F2m, thena+b= r in F2m, where r = rm 1x 1+ + r0 with ri ai +bi (mod 2). Multiplication: If a = am 1x 1+ +a0, b = bm 1x 1+ +b0 2 F2m, thena:b= s in F2m, wheres= sm 1x 1+ +s0 is the remainder when the polynomial ab is divided by f (x) with all coefficient arithmetic performed modulo 2. 2 Mathematical Foundations Page 5 Addition and multiplication inF2m can be calculated efficiently using standard algorithms for ordinary integer and polynomial arithmetic. In this representation of F2m, the additive identity or zero element is the polynomial 0, and the multiplicative identity is the polynomial 1. Again it is convenient to define subtraction and division of field elements. To do so the additive inverse (or negative) and multiplicative inverse of a field element must be described: Additive inverse: Ifa2 F2m, then the additive inverse ( a) of a in F2m is the unique solution to the equationa+x= 0 in F2m. Multiplicative inverse: Ifa 2 F2m, a 6= 0, then the multiplicative inverse a 1 of a in F2m is the unique solution to the equation a:x= 1 in F2m. Additive inverses and multiplicative inverses in F2m can be calculated efficiently using the extended Euclidean algorithm. Division and subtraction are defined in terms of additive and multiplicative inverses: a b in F2m is a+( b) in F2m anda=b in F2m is a:(b 1) in F2m. Here the characteristic 2 finite fields F2m used should have: m2 f113;131;163;193;233;239;283;409;571g and addition and multiplication in F2m should be performed using one of the irreducible binary polynomials of degreem in Table 1. As before this restriction is designed to facilitate interoperability while enabling implementers to deploy efficient implementations capable of meeting common security requirements. Field Reduction Polynomial(s) F2113 f (x) = x 113+x9+1 F2131 f (x) = x 131+x8+x3+x2+1 F2163 f (x) = x 163+x7+x6+x3+1 F2193 f (x) = x 193+x15+1 F2233 f (x) = x 233+x74+1 F2239 f (x) = x 239+x36+1 orx239+x158+1 F2283 f (x) = x 283+x12+x7+x5+1 F2409 f (x) = x 409+x87+1 F2571 f (x) = x 571+x10+x5+x2+1 Table 1: Representations of F2m Page 6 SEC 1: Elliptic Curve Cryptography Ver. 0.5 The rule used to pick acceptable m’s was: in each interval between integers in the set: f112;128;160;192;224;256;384;512;1024g; if such anmexists, select the smallest primein the interval with the property that there exists a Koblitz curve whose order is 2 or 4 times a prime over F2m; otherwise simply select the smallest primein the interval. (A Koblitz curve is an elliptic curve over F2m with a;b2 f0;1g.) The inclusion ofm= 239 is an anomaly chosen since it has already been widely used in practice. The inclusion of m= 283 instead of m= 277 is an anomaly chosen to align this document with other standards efforts in particular with the U.S. government’s recommended elliptic curve domain parameters [67]. Composite m was avoided to align this specification with other standards efforts and to address concerns expressed by some experts about the security of elliptic curves defined over F2m with m composite see, for example, [32]. The rule used to pick acceptable reduction polynomials was: if a degree m binary irreducible trinomial: f (x) = xm+xk+1 with m> k 1 exists, use the irreducible trinomial with k as small as possible; otherwise use the degree m binary irreducible pentanomial: f (x) = xm+xk3 +xk2 +xk1 +1 with m> k3 > k2 > k1 1 with (1) k3 as small as possible, (2) k2 as small as possible given k3, and (3)k1 as small as possible givenk3 andk2. These polynomials enable efficient calculation of field operations. The second reduction polynomial atm= 239 is an anomaly chosen since it has been widely deployed. 2.2 Elliptic Curves An elliptic curve overFq is defined in terms of the solutions to an equation in Fq. The form of the equation defining an elliptic curve over Fq differs depending on whether the field is a prime finite field or a characteristic 2 finite field. Section 2.2.1 describes elliptic curves over prime finite fields, and Section 2.2.2 describes elliptic curves over characteristic 2 finite fields. 2.2.1 Elliptic Curves overF p Let F p be a prime finite field so that p is an odd prime number, and let a;b2 F p satisfy 4:a3+27:b2 6 0 (modp). Then an elliptic curveE(F p) overF p defined by the parameters a;b2 F p consists of the set of solutions or pointsP= (x;y) for x;y2 F p to the equation: y2 x3+a:x+b (modp) together with an extra point O called the point at infinity. The equation y2 x3 +a:x+b (modp) is called the defining equation of E(F p). For a given pointP= (xP;yP), xP is called thex-coordinate ofP, andyP is called they-coordinate ofP. 2 Mathematical Foundations Page 7 The number of points on E(F p) is denoted by # E(F p). The Hasse Theorem states that: p+1 2pp #E(F p) p+1+2pp: It is possible to define an addition rule to add points on E. The addition rule is specified as follows: 1. Rule to add the point at infinity to itself:

[1]  Stephen C. Pohlig,et al.  An Improved Algorithm for Computing Logarithms over GF(p) and Its Cryptographic Significance , 2022, IEEE Trans. Inf. Theory.

[2]  Donald E. Knuth,et al.  The art of computer programming. Vol.2: Seminumerical algorithms , 1981 .

[3]  Donald Ervin Knuth,et al.  The Art of Computer Programming , 1968 .

[4]  Takakazu Satoh,et al.  Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves , 1998 .

[5]  Russ Housley,et al.  Internet X.509 Public Key Infrastructure Certificate and CRL Profile , 1999, RFC.

[6]  Nigel P. Smart,et al.  Constructive and destructive facets of Weil descent on elliptic curves , 2002, Journal of Cryptology.

[7]  Victor S. Miller,et al.  Use of Elliptic Curves in Cryptography , 1985, CRYPTO.

[8]  G. Frey,et al.  A remark concerning m -divisibility and the discrete logarithm in the divisor class group of curves , 1994 .

[9]  Ronald Cramer,et al.  A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack , 1998, CRYPTO.

[10]  Alfred Menezes,et al.  Key Agreement Protocols and Their Security Analysis , 1997, IMACC.

[11]  Ueli Maurer,et al.  Diffie-Hellman Oracles , 1996, CRYPTO.

[12]  Igor A. Semaev,et al.  Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p , 1998, Math. Comput..

[13]  R. A. Rueppel,et al.  Message recovery for signature schemes based on the discrete logarithm problem , 1994, EUROCRYPT.

[14]  R. Schoof Elliptic Curves Over Finite Fields and the Computation of Square Roots mod p , 1985 .

[15]  Taher El Gamal A public key cryptosystem and a signature scheme based on discrete logarithms , 1984, IEEE Trans. Inf. Theory.

[16]  Paul C. van Oorschot,et al.  Authentication and authenticated key exchanges , 1992, Des. Codes Cryptogr..

[17]  D. Jungnickel Finite fields : structure and arithmetics , 1993 .

[18]  Neal Koblitz,et al.  CM-Curves with Good Cryptographic Properties , 1991, CRYPTO.

[19]  Donald Byron Johnson,et al.  Formal Security Proofs for a Signature Scheme with Partial Message Recovery , 2001, CT-RSA.

[20]  Mihir Bellare,et al.  DHAES: An Encryption Scheme Based on the Diffie-Hellman Problem , 1999, IACR Cryptol. ePrint Arch..

[21]  Nigel P. Smart,et al.  The Discrete Logarithm Problem on Elliptic Curves of Trace One , 1999, Journal of Cryptology.

[22]  Chae Hoon Lim,et al.  A Key Recovery Attack on Discrete Log-based Schemes Using a Prime Order Subgroupp , 1997, CRYPTO.

[23]  J. Pollard,et al.  Monte Carlo methods for index computation () , 1978 .

[24]  Paul C. van Oorschot,et al.  On Diffie-Hellman Key Agreement with Short Exponents , 1996, EUROCRYPT.

[25]  Dan Boneh,et al.  The Decision Diffie-Hellman Problem , 1998, ANTS.

[26]  Nigel P. Smart,et al.  Lattice Attacks on Digital Signature Schemes , 2001, Des. Codes Cryptogr..

[27]  Scott A. Vanstone,et al.  Postal Revenue Collection in the Digital Age , 2000, Financial Cryptography.

[28]  Steven D. Galbraith,et al.  A Cryptographic Application of Weil Descent , 1999, IMACC.

[29]  Dan Boneh,et al.  Hardness of Computing the Most Significant Bits of Secret Keys in Diffie-Hellman and Related Schemes , 1996, CRYPTO.

[30]  Alfred Menezes,et al.  The State of Elliptic Curve Cryptography , 2000, Des. Codes Cryptogr..

[31]  Scott A. Vanstone,et al.  Improving the parallelized Pollard lambda search on anomalous binary curves , 2000, Math. Comput..

[32]  Hugo Krawczyk,et al.  HMAC: Keyed-Hashing for Message Authentication , 1997, RFC.

[33]  Bruce Schneier,et al.  Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security. A Report by an Ad Hoc Group of Cryptographers and Computer Scientists , 1996 .

[34]  Alfred Menezes,et al.  Unknown Key-Share Attacks on the Station-to-Station (STS) Protocol , 1999, Public Key Cryptography.

[35]  R. Gallant,et al.  Improving the Parallelized Pollard Lambda Search on Binary Anomalous Curves , 1998 .

[36]  R. McEliece Finite Fields for Computer Scientists and Engineers , 1986 .

[37]  Rainer A. Rueppel,et al.  Message Recovery for Signature Schemes Based on the Discrete Logarithm Problem , 1994, EUROCRYPT.

[38]  Ralph Howard,et al.  Data encryption standard , 1987 .

[39]  Ronald L. Rivest,et al.  Responses to NIST's proposal , 1992, CACM.

[40]  Martin E. Hellman,et al.  An improved algorithm for computing logarithms over GF(p) and its cryptographic significance (Corresp.) , 1978, IEEE Trans. Inf. Theory.

[41]  Thomas Beth,et al.  Arithmetic Operations in GF(2 m ). , 1993 .

[42]  Rainer A. Rueppel,et al.  A new signature scheme based on the DSA giving message recovery , 1993, CCS '93.

[43]  Tim Polk,et al.  Internet X.509 Public Key Infrastructure Representation of Elliptic Curve Digital Signature Algorithm (ECDSA) Keys and Signatures in Internet X.509 Public Key Infrastructure Certificates , 1999 .

[44]  Alfred Menezes,et al.  Elliptic curve public key cryptosystems , 1993, The Kluwer international series in engineering and computer science.

[45]  Mihir Bellare,et al.  "Pseudo-Random" Number Generation Within Cryptographic Algorithms: The DDS Case , 1997, CRYPTO.

[46]  Donald E. Knuth The Art of Computer Programming 2 / Seminumerical Algorithms , 1971 .

[47]  Alfred Menezes,et al.  Reducing elliptic curve logarithms to logarithms in a finite field , 1991, STOC '91.

[48]  N. Koblitz A Course in Number Theory and Cryptography , 1987 .

[49]  Gordon B. Agnew,et al.  An Implementation of Elliptic Curve Cryptosystems Over F2155 , 1993, IEEE J. Sel. Areas Commun..

[50]  Hugo Krawczyk,et al.  A modular approach to the design and analysis of authentication and key exchange protocols (extended abstract) , 1998, STOC '98.

[51]  Alfred Menezes,et al.  Handbook of Applied Cryptography , 2018 .

[52]  Paul C. Kocher,et al.  Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.

[53]  Ian F. Blake,et al.  Elliptic curves in cryptography , 1999 .

[54]  Rudolf Lide,et al.  Finite fields , 1983 .

[55]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[56]  Richard J. Lipton,et al.  On the Importance of Checking Cryptographic Protocols for Faults (Extended Abstract) , 1997, EUROCRYPT.

[57]  N. Koblitz Elliptic curve cryptosystems , 1987 .

[58]  Paul C. van Oorschot,et al.  Parallel collision search with application to hash functions and discrete logarithms , 1994, CCS '94.

[59]  Serge Vaudenay,et al.  Hidden Collisions on DSS , 1996, CRYPTO.

[60]  Horst G. Zimmer,et al.  Constructing elliptic curves with given group order over large finite fields , 1994, ANTS.

[61]  Mihir Bellare,et al.  Minimizing the use of random oracles in authenticated encryption schemes , 1997, ICICS.

[62]  Richard J. Lipton,et al.  Algorithms for Black-Box Fields and their Application to Cryptography (Extended Abstract) , 1996, CRYPTO.

[63]  Christopher Allen,et al.  The TLS Protocol Version 1.0 , 1999, RFC.

[64]  Eric Hughes,et al.  Protocol Failures Related to Order of Encryption and Signature , 1998, ACISP.