Cryptography Reference
may be in either decimal or hexadecimal format and that may contain, in addition,
the cofactor h at the end (but h will not be used by the function). The function checks
that the following conditions are satisfied: (i) p is a (probable) prime greater than
3, (ii) a, b and p define an elliptic curve $E(\mathbb{F}_p)$, (iii) $[x_G, y_G] \in E(\mathbb{F}_p)$,
(iv) n is (probably) prime, (v) n is the order of $G = [x_G, y_G]$ in the group
$E(\mathbb{F}_p)$, and (vi) the embedding degree is $\geq 100$. The output is either an error
message in case any of these conditions does not hold or a message informing that
the parameters are valid.
> ECDomainTest := proc(domain::list)
local dom, p, a, b, G, n, E;
dom := stringposint~(domain);
p := dom[1];
a := dom[2];
b := dom[3];
G := dom[4];
n := dom[5];
if p < 5 or not isprime(p) then
error "%1 must be a prime >3",p
end if;
E := EllipticCurve(a, b, p);
if not IsEllipticPoint(G, E) then
error "%1 is not a point on the curve",G
end if;
if not isprime(n) then
error "%1 is not prime",n
end if;
if EllipticMult(n, G, E) <> 0 then
error "%1 does not have order %2",G,n
end if;
if member(0, Power (p, [$1 .. 99]) mod n - 1) then
error "embedding degree less than 100"
end if;
printf("Valid parameters")
end proc:
Example 11.25 Let us consider the EC domain parameters contained in [75, D.1.2.3],
where an elliptic curve, called P-256, is defined over a prime field, as well as a base
point whose order is a 256-bit prime. This curve was already used in several of our
Examples, including 11.10 and 11.24. The parameters are the following (note that
some of them are in decimal and others in hexadecimal format but our functions will
accept both):
> p256 := 2^256-2^224+2^192+2^96-1:
a := -3:
b := "5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b":
G := ["6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296",
"4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5"]:
oP256 := 11579208921035624876269744694940757352999695522413576034242225906106851\
2044369:
The notation used differs slightly from the generic notation for EC domain
parameters but we use it because it was already used in previous examples. Specifically,
p256 is the parameter generically denoted p, and oP256 is the parameter generically
denoted n. The full set of EC domain parameters corresponding to these values is
then:
> dp256 := [p256, a, b, G, oP256, 1]:
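The same six checks, written as an added example in Python rather than the page's Maple (it is not the book's code). The function names and the `P256` tuple layout are this example's own assumptions, the primality test is Miller-Rabin with random bases, and the curve values are those given in Example 11.25.

```python
import random

def is_probable_prime(m, rounds=32):  # Miller-Rabin with random bases
    if m < 5 or m % 2 == 0:
        return m in (2, 3)
    s = ((m - 1) & -(m - 1)).bit_length() - 1  # m - 1 = d * 2**s with d odd
    d = (m - 1) >> s
    for _ in range(rounds):
        x = pow(random.randrange(2, m - 1), d, m)
        if x not in (1, m - 1) and all(pow(x, 2**r, m) != m - 1 for r in range(1, s)):
            return False  # this base proves m composite
    return True

def ec_add(P, Q, a, p):  # affine addition on E(F_p); None is the point at infinity
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    num, den = (3 * x1 * x1 + a, 2 * y1) if P == Q else (y2 - y1, x2 - x1)
    lam = num * pow(den % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def ec_mul(k, P, a, p):  # double-and-add; inputs are public, so no constant-time need
    R = None
    while k:
        R, P, k = (ec_add(R, P, a, p) if k & 1 else R), ec_add(P, P, a, p), k >> 1
    return R

def ec_domain_test(p, a, b, G, n, min_k=100):  # first failed condition (i)-(vi), or success
    if p < 5 or not is_probable_prime(p):
        return "p must be a prime > 3"
    if (4 * a**3 + 27 * b * b) % p == 0:
        return "a, b do not define an elliptic curve"
    if not all(0 <= c < p for c in G) or (G[1]**2 - G[0]**3 - a * G[0] - b) % p:
        return "G is not a point on the curve"
    if not is_probable_prime(n):
        return "n is not prime"
    if ec_mul(n, G, a, p) is not None:
        return "G does not have order n"
    if any(pow(p, k, n) == 1 for k in range(1, min_k)):
        return "embedding degree less than %d" % min_k
    return "Valid parameters"

P256 = (2**256 - 2**224 + 2**192 + 2**96 - 1, -3,  # values from Example 11.25
        0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b,
        (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
         0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5),
        115792089210356248762697446949407573529996955224135760342422259061068512044369)
```

`ec_domain_test(*P256)` returns "Valid parameters"; the base point is passed as a tuple, and the checks run in the order of the text so that the modular inverses in `ec_add` are only computed once p has passed the primality test.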