Cryptography Reference
In-Depth Information
An EC scheme makes use of a set of
domain parameters
which specify, at least,
an elliptic curve
E
defined over a finite field
F
q
, a base point
G
∈
(
F
q
)
E
and its
order. We are going to consider the case in which
q
=
p
is prime and to describe the
domain parameters over the prime field
F
p
according to the specification in the SEC
1 standard by the Standards for Efficient Cryptography Group (SECG) [173].
11.4.1.1 Domain Parameters
EC domain parameters over
F
p
are a sextuple:
T
=
(
p
,
a
,
b
,
G
,
n
,
h
)
consisting of the following items:
•
Aprime
p
that specifies the prime field
F
p
.
with equation
y
2
•
Two elements
a
,
b
∈ F
p
that define the elliptic curve
E
(
F
p
)
=
x
3
+
ax
+
b
.
•
=
(
x
G
,
y
G
)
∈
(
F
p
)
A base point
G
E
, given by its affine coordinates
x
G
,
y
G
.
•
(
F
p
)
Aprime
n
which is the order of
G
in the group
E
.
•
The cofactor
h
=|
E
(
F
p
)
|
/
n
.
These parameters are chosen so that they satisfy the constraints we havementioned
in order to make the ECDLP hard in the subgroup
. Thus the curve
should not be anomalous and it is recommended that the embedding degree should
be
G
of
E
(
F
p
)
100 to resist the MOV and FR attacks. In [173] the prime
p
is selected such that,
for a given security level in bits
t
≥
(which approximately
corresponds to the key length of a symmetric scheme of comparable strength as in
Table
11.1
):
∈{
80
,
112
,
128
,
192
,
256
}
⎧
⎨
⎩
192 if
t
=
80
,
log
2
p
=
2
t
if 80
<
t
<
256
,
521 if
t
=
256
.
2
t
/
8
and, in practice,
In the same reference the cofactor
h
is required to be
≤
it is often
h
=
1 which means that
E
(
F
p
)
has prime order
n
. In [173] there is the
additional requirement that
n
1 should have a large prime factor in
order to prevent some recent exponential attacks that, anyway, are very unlikely to
be feasible in practice.
−
1 and
n
+
11.4.1.2 Domain Parameter Generation
There are several methods to generate elliptic curve domain parameters of a given
strength. The first step is to generate the finite field over which the curve is going to
be defined and then the curve itself must be generated. There are methods (based on
'complex multiplication') that allow one to specify the order first and then to generate
