Add to collection(s) Add to saved
  1. Math
  2. Algebra

P1363-3-A_D1_v0.2 - IEEE-SA

1
2
3
4
5
6
7
8
9
IEEE P1363.3™/D2
Draft Standard for Identity-based
Public-key Cryptography Using
Pairings
Annex A (informative)
Number-Theoretic Background
Prepared by the P1363 Working Group of the
10
Microprocessor Standards Committee
11
12
13
14
Copyright © <year> by the Institute of Electrical and Electronics Engineers, Inc.
Three Park Avenue
New York, New York 10016-5997, USA
15
16
17
18
19
20
21
22
23
24
25
26
This document is an unapproved draft of a proposed IEEE Standard. As such, this document is subject to
change. USE AT YOUR OWN RISK! Because this is an unapproved draft, this document must not be
utilized for any conformance/compliance purposes. Permission is hereby granted for IEEE Standards
Committee participants to reproduce this document for purposes of international standardization
consideration. Prior to adoption of this document, in whole or in part, by another standards development
organization, permission must first be obtained from the IEEE Standards Activities Department
(stds.ipr@ieee.org). Other entities seeking permission to reproduce this document, in whole or in part, must
also obtain permission from the IEEE Standards Activities Department.
All rights reserved.
IEEE Standards Activities Department
445 Hoes Lane
Piscataway, NJ 08854, USA
1
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
2
3
4
5
6
7
8
Abstract: This standard specifies common identity-based public-key cryptographic techniques that use
pairings, including mathematical primitives for secret value (key) derivation, public-key encryption, and
digital signatures, and cryptographic schemes based on those primitives. It also specifies related
cryptographic parameters, public keys and private keys. The purpose of this standard is to provide a
reference for specifications of a variety of techniques from which applications may select.
Keywords: Public-key cryptography, encryption, identity-based encryption, pairing-based encryption,
pairing-based cryptography.
9

10
The Institute of Electrical and Electronics Engineers, Inc.
3 Park Avenue, New York, NY 10016-5997, USA
Copyright © 200X by the Institute of Electrical and Electronics Engineers, Inc.
All rights reserved. Published XX Month XXXX. Printed in the United States of America.
IEEE is a registered trademark in the U.S. Patent & Trademark Office, owned by the Institute of Electrical and Electronics
Engineers, Incorporated.
PDF: ISBN 978-0-XXXX-XXXX-X STDXXXX
Print: ISBN 978-0-XXXX-XXXX-X STDPDXXXX
No part of this publication may be reproduced in any form, in an electronic retrieval system or otherwise, without the prior written permission
of the publisher.
2
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
CONTENTS
2
No table of contents entries found.
3
A.1.
4
A.1.1.
5
Modular reduction
6
7
8
Modular arithmetic is based on a fixed integer m > 1 called the modulus. The fundamental operation is
reduction modulo m. To reduce an integer a modulo m, one divides a by m and takes the remainder r. This
operation is written
9
r := a mod m.
Integer and Modular Arithmetic: Overview
Modular arithmetic
10
The remainder must satisfy 0  r < m.
11
Examples:
11 mod 8 = 3
7 mod 9 = 7
–2 mod 11 = 9
12 mod 12 = 0
12
13
14
15
16
Congruences
17
18
Two integers a and b are said to be congruent modulo m if they have the same result upon reduction
modulo m. This relationship is written
19
a  b (mod m).
20
Two integers are congruent modulo m if and only if their difference is divisible by m.
21
Example:
11  19 (mod 8).
22
23
If r = a mod m, then r  a (mod m).
24
If a0  b0 (mod m) and a1  b1 (mod m), then
a0 + a1  b0 + b1 (mod m)
a0 – a1  b0 – b1 (mod m)
a0a1  b0b1 (mod m).
25
26
27
28
Integers modulo m
29
30
The integers modulo m are the possible results of reduction modulo m. Thus the set of integers modulo m
is
31
Zm = {0, 1, …, m – 1}.
3
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
2
One performs addition, subtraction, and multiplication on the set Zm by performing the corresponding
integer operation and reducing the result modulo m. For example, in Z7
3
4
5
3=6+4
5=1–3
6 = 4  5.
6
Modular exponentiation
7
8
9
If v is a positive integer and g is an integer modulo m, then modular exponentiation is the operation of
computing gv mod m (also written exp (g, v) mod m). Section A.2.1 contains an efficient method for
modular exponentiation.
10
G.C.D.'s and L.C.M.'s
11
12
13
If m and h are integers, the greatest common divisor (or G.C.D.) is the largest positive integer d dividing
both m and h. If d = 1, then m and h are said to be relatively prime (or coprime). Section A.2.2 contains an
efficient method for computing the G.C.D.
14
15
The least common multiple (or L.C.M.) is the smallest positive integer l divisible by both m and h. The
G.C.D. and L.C.M. are related by
16
GCD (h, m)  LCM (h, m) = hm
17
(for h and m positive), so that the L.C.M. is easily computed if the G.C.D. is known.
18
Modular division
19
20
21
The multiplicative inverse of h modulo m is the integer k modulo m such that hk  1 (mod m). The
multiplicative inverse of h is commonly written h–1 (mod m). It exists if h is relatively prime to m and not
otherwise.
22
23
If g and h are integers modulo m, and h is relatively prime to m, then the modular quotient g/h modulo m is
the integer gh–1 mod m. If c is the modular quotient, then c satisfies g  hc (mod m).
24
25
The process of finding the modular quotient is called modular division. Section A.2.2 contains an efficient
method for modular division.
26
A.1.2.
27
The field GF (p)
28
In the case in which m equals a prime p, the set Zp forms a prime finite field and is denoted GF (p).
29
30
In the finite field GF (p), modular division is possible for any denominator other than 0. The set of nonzero
elements of GF (p) is denoted GF (p)*.
31
Orders
32
33
The order of an element c of GF (p)* is the smallest positive integer v such that cv  1 (mod p). The order
always exists and divides p – 1. If k and l are integers, then ck  cl (mod p) if and only if k  l (mod v).
Prime finite fields
4
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
Generators
2
3
4
5
If v divides p – 1, then there exists an element of GF (p)* having order v. In particular, there always exists
an element g of order p – 1 in GF (p)*. Such an element is called a generator for GF (p)* because every
element of GF (p)* is some power of g. In number-theoretic language, g is also called a primitive root for
p.
6
Exponentiation and discrete logarithms
7
Suppose that the element g of GF (p)* has order v. Then an element h of GF (p)* satisfies
h  g l (mod p)
8
9
10
for some l if and only if h v  1 (mod p). The exponent l is called the discrete logarithm of h (with respect
to the base g). The discrete logarithm is an integer modulo v.
11
A.1.3.
12
The Legendre symbol
13
If p > 2 is prime, and a is any integer, then the Legendre symbol 
14
then 
15
16
(Despite the similarity in notation, a Legendre symbol should not be confused with a rational fraction; the
distinction must be made from the context.)
17
Algorithms for computing Legendre symbol are given in A.2.3.
18
Square roots modulo a prime
19
20
Let p be an odd prime, and let g be an integer with 0  g < p. A square root modulo p of g is an integer z
with 0  z < p and
21
z 2  g (mod p).
Modular Square Roots
 a
 is defined as follows. If p divides a,
 p
 a
 a
 = 0. If p does not divide a, then   equals 1 if a is a square modulo p and –1 otherwise.
 p
 p
 g
.
 p
22
The number of square roots modulo p of g is 1+J, where J is the Jacobi symbol 
23
24
If g = 0, then there is one square root modulo p, namely z = 0. If g  0, then g has either 0 or 2 square roots
modulo p. If z is one square root, then the other is p – z.
25
A procedure for computing square roots modulo a prime is given in A.2.5.
26
A.2.
27
A.2.1.
28
Modular exponentiation can be performed efficiently by the binary method outlined below.
Integer and Modular Arithmetic: Algorithms
Modular Exponentiation
5
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
Input: a positive integer v, a modulus m, and an integer g modulo m.
2
3
4
5
6
7
8
9
Output: gv mod m.
1.
2.
3.
4.
Let v = vrvr–1...v1v0 be the binary representation of v, where the most significant bit vr of v is 1.
Set x  g.
For i from r – 1 downto 0 do
3.1 Set x  x2 mod m.
3.2 If vi = 1 then set x  gx mod m.
Output x.
10
11
There are several modifications that improve the performance of this algorithm. These methods are
summarized in [Gor98].
12
A.2.2.
13
14
The following algorithm computes efficiently the G.C.D. d of m and h. If m and h are relatively prime, the
algorithm also finds the quotient g/h modulo m.
15
16
Input: an integer m > 1 and integers g and h > 0. (If only the G.C.D. of m and h is desired, no input g is
required.)
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
Output: the G.C.D. d of m and h and, if d = 1, the integer c with 0 < c < m and c  g/h (mod m).
34
35
If m is prime, the quotient exists provided that h  0 (mod m), and can be found efficiently using
exponentiation via
36
c := g hm–2 mod m.
1.
2.
3.
4.
5.
6.
7.
8.
The Extended Euclidean Algorithm
If h = 1 then output d := 1 and c := g and stop.
Set r0  m.
Set r1  h mod m.
Set s0  0.
Set s1  g mod m.
While r1 > 0
6.1 Set q   r0 / r1.
6.2 Set r2  r0 – qr1 mod m
6.3 Set s2  s0 – qs1 mod m
6.4 Set r0  r1
Set r1  r2
Set s0  s1
Set s1  s2
Output d : = r0.
If r0 = 1 then output c := s0
37
A.2.3.
Evaluating Legendre Symbols
38
The following algorithm efficiently computes the Legendre symbol.
39
Input: an integer a and a prime p.
40
Output: the Legendre symbol
a
  .
 p
6
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
1.
2.
3.
Set x  a, y  p, L  1
While y > 1
2.1 Set x  (x mod y)
2.2 If x > y/2 then
2.2.1 Set x  y – x.
2.2.2 If y  3(mod 4) then set L  –L
2.3 If x = 0 then set x  1, y  0, L  0
2.4 While 4 divides x
2.4.1 Set x  x/4
2.5 If 2 divides x then
2.5.1 Set x  x/2.
2.5.2 If y   3 (mod 8) then set L –L
2.6 If x  3 (mod 4) and y  3 (mod 4) then set L  –L
2.7 Switch x and y
Output L
The Legendre symbol can also be found efficiently using exponentiation via
 a
  := a (p – 1)/2 mod p.
 p
18
19
20
A.2.4.
Generating Lucas Sequences
21
Let P and Q be nonzero integers. The Lucas sequence Vk for P, Q is defined by
[I think we can probably remove this section]
22
V0 = 2, V1 = P, and Vk = PVk–1 – QVk–2 for k  2.
23
24
25
This recursion is adequate for computing Vk for small values of k. For large k, one can compute Vk modulo
an odd integer n > 2 using the following algorithm (see [JQ96]). The algorithm also computes the quantity
Q k/2 mod n; this quantity will be useful in the application given in A.2.5.
26
Input: an odd integer n > 2, integers P and Q, and a positive integer k.
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
Output: Vk mod n and Q k/2 mod n.
1.
2.
3.
4.
Set v0  2, v1  P, q0  1, q1  1
Let k = kr kr–1...k1 k0 be the binary representation of k, where the leftmost bit kr of k is 1.
For i from r downto 0 do
3.1 Set q0  q0 q1 mod n
3.2 If ki = 1 then set
q1  q0 Q mod n
v0  v0 v1 – P q0 mod n
v1  v12 – 2 q1 mod n
else set
q1  q 0
v1  v0 v1 – P q0 mod n
v0  v02 – 2 q0 mod n
Output v0 and q0.
7
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
A.2.5.
2
The following algorithm computes a square root z modulo p of g  0.
3
Input: an odd prime p, and an integer g with 0 < g < p.
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
Finding Square Roots Modulo a Prime
Output: a square root modulo p of g if one exists. (In Case III, the message “no square roots exist” is
returned if none exists.)
I.
II.
III
p  3 (mod 4), that is p = 4k + 3 for some positive integer k. (See [Leh69].)
1.
Compute (via A.2.1) and output z := g k + 1 mod p.
p  5 (mod 8), that is p = 8k + 5 for some positive integer k. (See [Atk92].)
1.
Compute  := (2g)k mod p via A.2.1
2.
Compute i := 2g 2 mod p
3.
Compute and output z := g (i – 1) mod p
p  1 (mod 8). (See [Leh69].)
1.
Set Q  g.
2.
Generate a value P with 0 < P < p not already chosen.
3.
Compute via A.2.4 the quantities
V := V(p+1)/2 mod p
4.
5.
6.
7.
and
Q0 := Q (p–1)/4 mod p.
Set z  V / 2 mod p.
If (z 2 mod p) = g then output z and stop.
If 1 < Q0 < p – 1 then output the message “no square roots exist” and stop.
Go to Step 2.
23
NOTES
24
25
26
1—To perform the modular division of an integer V by 2 (needed in Step 4 of case III), one can simply divide by 2 the
integer V or V + p (whichever is even). (The integer division by 2 can be accomplished by shifting the binary
expansion of the dividend by one bit.)
27
28
2—As written, the algorithm for Case III works for all p  1 (mod 4), although it is less efficient than the algorithm for
Case II when p  5 (mod 8).
29
30
31
32
3—In Case III, a given choice of P will produce a solution if and only if P 2 – 4Q is not a quadratic residue modulo p.
If P is chosen at random, the probability of this is at least 1/2. Thus only a few values of P will be required. It may
therefore be possible to speed up the process by restricting to very small values of P and implementing the
multiplications by P in A.2.4 by repeated addition.
33
34
35
4—In cases I and II, the algorithm produces a solution z provided that one exists. If it is unknown whether a solution
exists, then the output z should be checked by comparing w := z 2 mod p with g. If w = g, then z is a solution; otherwise
no solutions exist. In case III, the algorithm performs the determination of whether or not a solution exists.
36
37
A.2.6.
38
39
40
If r > 2 and a < 2r is a positive integer congruent to 1 modulo 8, then there is a unique positive integer b
less than 2r–2 such that b2  a (mod 2r). The number b can be computed efficiently using the following
algorithm. The binary representations of the integers a, b, h are denoted as
Finding Square Roots Modulo a Power of 2
[Can we remove this section?]
8
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
a = ar–1...a1a0,
b = br–1...b1b0,
h = hr–1...h1h0.
1
2
3
4
Input: an integer r > 2, and a positive integer a  1 (mod 8) less than 2r.
5
6
7
8
9
10
11
12
13
14
15
16
Output: the positive integer b less than 2r–2 such that b2  a (mod 2r).
17
A.2.7.
18
19
Let p be a prime and let g satisfy 1 < g < p. The following algorithm determines the order of g modulo p
when the factorization of p-1 is known.
20
Input: a prime p and an integer g with 1 < g < p.
21
22
23
Output: the order d of g modulo p.
1.
Factor
24
25
26
27
2.
For all divisors d of p-1
For all primes pi | d
28
A.2.8.
29
30
Let p be a prime and let T divide p – 1. The following algorithm generates an element of GF (p) of order T
when the factorization of p-1 is known.
31
Input: a prime p and an integer T dividing p – 1.
32
33
34
35
36
37
Output: an integer u having order T modulo p.
1.
2.
3.
4.
5.
Set h  1.
Set b  1.
For j from 2 to r – 2 do
If hj+1  aj+1 then
Set bj  1.
If 2j < r
then h  (h + 2j+1b – 22j) mod 2 r.
else h  (h + 2j+1b) mod 2 r.
If br–2 = 1 then set b  2r–1 – b.
Output b.
Computing the Order of a Given Integer Modulo a Prime
p  1   piei
i
If gd ≡ 1 (mod p) and
Output d.
1.
2.
3.
4.
g d / pi ≠ 1 (mod p)
Constructing an Integer of a Given Order Modulo a Prime
Generate a random integer g between 1 and p.
Compute via A.2.7 the order d of g modulo p.
If T does not divide d then go to Step 1.
Output u := gd/T mod p.
9
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
A.3.
Extension Fields: Overview
2
A.3.1.
3
4
5
6
7
A finite field (or Galois field) is a set with finitely many elements in which the usual algebraic operations
(addition, subtraction, multiplication, division by nonzero elements) are possible, and in which the usual
algebraic laws (commutative, associative, distributive) hold. The order of a finite field is the number of
elements it contains. If q > 1 is an integer, then a finite field of order q exists if q is a prime power and not
otherwise.
8
9
10
11
12
The finite field of a given order is unique, in the sense that any two fields of order q display identical
algebraic structure. Nevertheless, there are often many ways to represent a field. It is traditional to denote
the finite field of order q by Fq or GF (q); this Standard uses the latter notation for typographical reasons.
It should be borne in mind that the expressions “the field GF (q)” and “the field of order q” usually imply a
choice of field representation.
13
In pairing based cryptography one makes use of GF(pn) for various n and p.
14
A.3.2.
15
16
17
A polynomial over GF (q) is a polynomial with coefficients in GF (q). Addition and multiplication of
polynomials over GF (q) are defined as usual in polynomial arithmetic, except that the operations on the
coefficients are performed in GF (q).
18
19
20
A polynomial over the prime field GF (p) is commonly called a polynomial modulo p. Addition and
multiplication are the same as for polynomials with integer coefficients, except that the coefficients of the
results are reduced modulo p.
21
Example: Over the prime field GF (7),
Finite Fields
Polynomials over Finite Fields
(t 2 + 4t + 5) + (t 3 + t + 3) = t 3 + t 2 + 5t + 1
(t 2 + 3t + 4) (t + 4) = t 3 + 2t + 2.
22
23
24
A binary polynomial is a polynomial modulo 2.
25
Example: Over the field GF (2),
26
27
(t 3 + 1) + (t 3 + t) = t + 1
(t 2 + t + 1) (t +1) = t 3 + 1.
28
29
30
A polynomial over GF (q) is reducible if it is the product of two smaller degree polynomials over GF (q);
otherwise it is irreducible. For instance, the above examples show that t 3 + 2t + 2 is reducible over GF (7)
and that the binary polynomial t 3 + 1 is reducible.
31
32
33
Every nonzero polynomial over GF (q) has a unique representation as the product of powers of irreducible
polynomials. (This result is analogous to the fact that every positive integer has a unique representation as
the product of powers of prime numbers.) The degree-1 factors correspond to the roots of the polynomial.
34
Polynomial congruences
35
36
37
38
Modular reduction and congruences can be defined among polynomials over GF (q), in analogy to the
definitions for integers given in A.1.1. To reduce a polynomial a (t) modulo a nonconstant polynomial
m (t), one divides a (t) by m (t) by long division of polynomials and takes the remainder r (t). This
operation is written
10
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
r (t) := a (t) mod m (t).
1
2
The remainder r (t) must either equal 0 or have degree smaller than that of m (t).
3
If m (t) = t – c for some element c of GF (q), then a (t) mod m (t) is just the constant a (c).
4
5
Two polynomials a (t) and b (t) are said to be congruent modulo m (t) if they have the same result upon
reduction modulo m (t). This relationship is written
6
a (t)  b (t) (mod m(t)).
7
8
9
10
One can define addition, multiplication, and exponentiation of polynomials (to integral powers) modulo
m (t), analogously to how they are defined for integer congruences in A.1.1. In the case of a prime field
GF (p), each of these operations involves both reduction of the polynomials modulo m (t) and reduction of
the coefficients modulo p.
11
A.3.3.
12
13
If m is a positive integer, the extension field GF (pm) consists of the pm possible m-tuples of integers modulo
p. Thus, for example,
14
GF (23) = {000, 001, 010, 011, 100, 101, 110, 111}.
15
GF (32) = {00, 01, 02, 10, 11, 12, 20, 21, 22}.
Extension Fields
16
17
The integer m is called the degree of the field.
18
Addition
19
20
For m > 1, addition of two elements is implemented by component-wise addition modulo p. Thus, for
example in GF(25) we have,
21
(11001) + (10100) = (01101)
22
and in GF(32) we have,
(01) + (22) = (20)
23
24
Multiplication
25
26
27
There is more than one way to implement multiplication in GF (pm). To specify a multiplication rule, one
chooses a basis representation for the field. The basis representation is a rule for interpreting each m-tuple;
the multiplication rule follows from this interpretation.
28
For the purposes of this standard we focus on polynomial basis representations.
29
A.3.4.
30
31
32
In a polynomial basis representation, each element of GF (pm) is represented by a different polynomial
modulo p of degree less than m. More explicitly, the tuple (am-1 … a2 a1 a0) is taken to represent the binary
polynomial
Polynomial Basis Representations
11
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
am–1 tm–1 + … + a2t 2 + a1t + a0.
1
2
The polynomial basis is the set
B = {t m–1, …, t2, t, 1}.
3
4
The addition of m-tuples, as defined in A.3.3, corresponds to addition of polynomials modulo p.
5
6
7
Multiplication is defined in terms of an irreducible binary polynomial f(t) of degree m, called the field
polynomial for the representation. The product of two elements is simply the product of the corresponding
polynomials, reduced modulo f(t).
8
9
10
There is a polynomial basis representation for GF (pm) corresponding to each irreducible polynomial f(t)
modulo p of degree m. Irreducible polynomials modulo p exist of every degree. Roughly speaking, every
one out of m polynomials modulo p of degree m is irreducible.
11
A.3.5.
12
Exponentiation
13
14
If k is a positive integer and  is an element of GF (pm), then exponentiation is the operation of computing
 k. Section A.4.3 contains an efficient method for exponentiation.
15
Division
16
If  and   0 are elements of the field GF (pm), then the quotient  / is the element  such that  = .
17
18
In the finite field GF (pm), modular division is possible for any denominator other than 0. The set of
nonzero elements of GF (pm) is denoted GF (pm)*.
19
Section A.4.4 contains an efficient method for division.
20
Orders
21
22
The order of an element  of GF (pm)* is the smallest positive integer v such that  v = 1. The order always
exists and divides pm – 1. If k and l are integers, then  k =  l in GF (pm) if and only if k  l (mod v).
23
Generators
24
25
26
If v divides pm – 1, then there exists an element of GF (pm)* having order v. In particular, there always
exists an element  of order pm – 1 in GF (pm)*. Such an element is called a generator for GF (pm)* because
every element of GF (pm)* is some power of .
27
Exponentiation and discrete logarithms
28
29
30
Suppose that the element  of GF (pm)* has order v. Then an element  of GF (pm)* satisfies  =  l for
some l if and only if  v = 1. The exponent l is called the discrete logarithm of  (with respect to the base
). The discrete logarithm is an integer modulo v.
31
Field extensions
32
33
Given two extensions K = GF (pn) and L = GF (pm), L is an extension of K if and only if n | m. For pairing
based cryptography we often require that K be embedded in the extension L. This is defined in A.5.6.
Extension Fields (cont'd)
12
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
A.4.
Extension Fields: Algorithms
2
3
The following algorithms perform operations in a finite field GF (pm) having pm elements. The elements of
GF (pm) are represented by a polynomial basis modulo the irreducible polynomial f (t).
4
5
A.4.1.
6
A.4.2.
7
Exponentiation can be performed efficiently by the binary method outlined below.
8
Input: a positive integer k, a field GF (pm) and a field element .
Squaring and Square Roots
[Include an analogue of A.2.5 here]
Exponentiation
9
10
11
12
13
14
15
16
Output:  k.
17
18
There are several modifications that improve the performance of this algorithm. These methods are
summarized in [Gor98].
19
A.4.3.
20
21
22
The quotient  / can be computed directly (i.e. in one step by an algorithm with inputs  and ), or
indirectly (by computing the multiplicative inverse  –1 and then multiplying it by ). The common method
of performing division in a finite field GF (pm) is the indirect method using,
23
The Extended Euclidean Algorithm.
24
Input: two polynomials f(x), g(x)  0 over GF (pm).
25
26
27
28
29
30
31
32
33
34
Output: d(x) = GCD (f(x), g(x)), s(x), t(x) satisfying s(x)f(x)+t(x)g(x) = d(x)
35
36
This algorithm produces the t(x), the multiplicative inversion of g(x) modulo f(x). By  f(x) / g(x) is meant
the quotient upon polynomial division, dropping any remainder.
1.
2.
3.
4.
1.
2.
3.
4.
Let k = kr kr–1 ... k1 k0 be the binary representation of k, where the most significant bit kr of k is 1.
Set x  .
For i from r – 1 downto 0 do
3.1 Set x  x2.
3.2 If ki = 1 then set x   x.
Output x.
Division
Set s1(x)  1, s2(x)  0, t1(x)  1, t2(x)  0
While g(x)  0
2.1 Set q(x)  f(t) / g(t), r(x)  f(x) – g(x)q(x).
2.2 Set s(x)  s2(x) – q(x)s1(x), t(x)  t2(x) – q(x)t1(x)
2.3 Set f(x)  g(x), g(x)  r(x)
2.4 Set s2(x)  s1(x), s1(x)  s(x), t2(x)  t1(x), t1(x)  t(x)
Set d(x)  f(x), s(x)  s2(x) , t(x)  t2(x).
Output d(x), s(x), t(x)
13
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
A.4.4.
Trace in Binary Field Extension
2
If  is an element of GF (2m), the trace of  is
2
m–1
Tr() =  + 2 + 2 + ... + 2 .
3
4
The value of Tr () is 0 for half the elements of GF (2m), and 1 for the other half.
5
The trace can be computed efficiently as follows.
6
7
8
9
10
11
The basic algorithm inputs GF (2m) and outputs T = Tr ().
12
If many traces are to be computed with respect to a fixed polynomial basis
1.
2.
3.
Set T .
For i from 1 to m – 1 do
2.1 T  T 2 +.
Output T.
{t m–1, …, t, 1},
13
14
then it is more efficient to compute and store the element
 = (m–1…10)
15
16
where each coordinate
j = Tr (t j)
17
18
is computed via the basic algorithm. Subsequent traces can be computed via
Tr () =   ,
19
20
where the “dot product” of the bit strings is given by bitwise AND (or bitwise multiplication).
21
A.4.5.
22
If m is odd, the half-trace of   GF (2m) is
Half-Trace in Binary Fields
2
4
m–1
HfTr () = + 2 + 2 + ... + 2 .
23
24
25
26
27
28
29
30
The following algorithm inputs GF (2m) and outputs H = HfTr ()
31
A.4.6.
32
If  is an element of GF (2m), then the equation
1.
2.
3.
Set H .
For i from 1 to (m – 1) /2 do
2.1 H  H 2.
2.2 H  H 2 +.
Output H.
Solving Quadratic Equations over GF (2m)
14
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
z2 + z = 
2
3
has 2 – 2T solutions over GF (2m), where T = Tr (). Thus, there are either 0 or 2 solutions. If z is one
solution, then the other solution is z + 1. In the case  = 0, the solutions are 0 and 1.
4
The following algorithms compute a solution if one exists.
5
6
Input: a field GF (2m) along with a polynomial or normal basis for representing its elements; an element 
 0.
7
Output: an element z for which z 2 + z = , if such an element exists.
8
9
10
11
12
13
14
15
16
If m is odd, then compute z := half-trace of  via A.4.6. For m even, proceed as follows.
17
18
19
If the latter algorithm is to be used repeatedly for the same field, and memory is available, then it is more
efficient to precompute and store  and the values of w. Any element of trace 1 will serve as , and the
values of w depend only on  and not on 
20
21
22
The above algorithm produces a solution z provided that one exists. If it is unknown whether a solution
exists, then the output z should be checked by comparing  := z2 + z with . If  = , then z is a solution;
otherwise no solutions exist.
23
A.5.
24
25
The computations below can take place either over a prime field (having a prime number p of elements) or
over a binary field (having 2m elements).
26
A.5.1.
27
28
29
30
If f(t) and g(t)  0 are two polynomials with coefficients in the field GF (q), then there is a unique monic
polynomial d(t) of largest degree which divides both f(t) and g(t). The polynomial d(t) is called the greatest
common divisor or G.C.D. of f(t) and g(t). The following algorithm computes the G.C.D. of two
polynomials.
31
Input: a finite field GF (q) and two polynomials f(t), g(t)  0 over GF (q).
32
33
34
35
36
37
38
39
40
Output: d(t) = GCD( f(t), g(t)).
1.
2.
3.
4.
5.
1.
2.
3.
4.
Choose random   GF (2m)
Set z  0 and w .
For i from 1 to m – 1 do
3.1 Set z  z2 + w 2.
3.2 Set w  w2 + .
If w = 0 then go to Step 1
Output z.
Polynomials over a Finite Field
G.C.D.'s over a Finite Field
Set a(t)  f(t), b(t)  g(t).
While b(t)  0
2.1 Set c(t)  the remainder when a(t) is divided by b(t).
2.2 Set a(t)  b(t).
2.3 Set b(t)  c(t).
Set   the leading coefficient of a(t).
Set d(t)   –1 a(t).
15
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
5.
Output d(t).
2
A.5.2.
3
4
5
Let f(t) be a polynomial with coefficients in the field GF (p), and suppose that f(t) factors into distinct
irreducible polynomials of degree d. (This is the special case needed in A.14.) The following algorithm
finds a random degree-d factor of f(t) efficiently.
6
7
Input: a prime p > 2, a positive integer d, and a polynomial f(t) which factors modulo p into distinct
irreducible polynomials of degree d.
Factoring Polynomials over GF (p) (Special Case)
8
9
10
11
12
13
14
15
16
17
18
Output: a random degree-d factor of f(t).
19
A.5.3.
20
21
22
Let f(t) be a polynomial with coefficients in the field GF (2), and suppose that f(t) factors into distinct
irreducible polynomials of degree d. (This is the special case needed in A.14.) The following algorithm
finds a random degree-d factor of f(t) efficiently.
23
24
Input: a positive integer d, and a polynomial f(t) which factors modulo 2 into distinct irreducible
polynomials of degree d.
25
26
27
28
29
30
31
32
33
34
35
36
Output: a random degree-d factor of f(t).
37
A.5.4.
38
39
If f(t) is a polynomial with coefficients in the field GF (2r), then f(t) can be tested efficiently for
irreducibility using the following algorithm.
40
Input: a polynomial f(t) with coefficients in GF (2r).
41
42
Output: the message “True” if f(t) is irreducible; the message “False” otherwise.
1.
2.
Set g(t)  f(t).
While deg(g) > d
2.1 Choose u(t)  a random monic polynomial of degree 2d – 1.
2.2 Compute via A.5.1
( p d 1)/ 2
3.
1.
2.
3.
c(t) := u( t )
mod g(t).
2.3 Set h(t)  GCD(c(t) – 1, g(t)).
2.4 If h(t) is constant or deg(g) = deg(h) then go to Step 2.1.
2.5 If 2 deg(h) > deg(g) then set g(t)  g(t) / h(t); else g(t)  h(t).
Output g(t).
Factoring Polynomials over GF (2) (Special Case)
Set g(t)  f(t).
While deg(g) > d
2.1 Choose u(t)  a random monic polynomial of degree 2d – 1.
2.2 Set c(t)  u(t).
2.3 For i from 1 to d – 1 do
2.3.1 c(t)  c(t)2 + u(t) mod g(t).
2.4 Compute h(t) := GCD(c(t), g(t)) via A.5.2.
2.5 If h(t) is constant or deg(g) = deg(h) then go to Step 2.1.
2.6 If 2 deg(h) > deg(g) then set g(t)  g(t) / h(t); else g(t)  h(t).
Output g(t).
Checking Polynomials over GF (2r) for Irreducibility
16
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
2
3
4
5
6
7
8
9
1.
2.
3.
3.
Set d  degree of f(t).
Set u(t)  t.
For i from 1 to d/2 do
3.1 For j from 1 to r do
Set u(t)  u(t)2 mod f(t)
Next j
3.2 Set g(t)  GCD(u(t) + t, f(t)).
3.3 If g(t)  1 then output “False” and stop.
Output “True.”
10
A.5.5.
11
12
If f(t) is an irreducible polynomial modulo 2 of degree d dividing m, then f(t) has d distinct roots in the field
GF (2m). A random root can be found efficiently using the following algorithm.
13
Input: an irreducible polynomial modulo 2 of degree d, and a field GF (2m), where d divides m.
14
15
16
17
18
19
20
21
22
23
24
25
Output: a random root of f(t) in GF (2m).
26
A.5.6.
27
Given a field F = GF (pd), the following algorithm embeds F into an extension field K = GF (pde).
28
29
Input: integers d and e; a polynomial basis B for F = GF (pd) with field polynomial f(t); a polynomial
basis for K = GF (pde).
30
31
32
33
34
Output: an embedding of F into K; that is a function taking each   F to a corresponding element  of
K.
1.
2.
3.
1.
2.
Finding a Root in GF (2m) of an Irreducible Binary Polynomial
Set g(t)  f(t) (g(t) is a polynomial over GF (2m)).
While deg(g) > 1
2.1 Choose random u  GF (2m).
2.2 Set c(t)  ut.
2.3 For i from 1 to m – 1 do
2.3.1 c(t)  c(t)2 + ut mod g(t).
2.4 Set h(t)  GCD(c(t), g(t)).
2.5 If h(t) is constant or deg(g) = deg(h) then go to Step 2.1.
2.6 If 2 deg(h) > deg(g) then set g(t)  g(t) / h(t); else g(t)  h(t).
Output g(0).
Embedding in an Extension Field
Compute via A.5.5 a root   K of f(t).
Output
35
 := am–1  m–1 + … + a2 2 + a1 + a0,
36
37
where (am–1 … a1 a0) is the m-tuple representing  with respect to B.
38
A.6.
Elliptic Curves: Overview
39
A.6.1.
40
41
A plane curve is defined to be the set of points satisfying an equation F (x, y) = 0. The simplest plane
curves are lines (whose defining equation has degree 1 in x and y) and conic sections (degree 2 in x and y).
Introduction
17
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
2
3
4
5
The next simplest are the cubic curves (degree 3). These include elliptic curves, so called because they
arose historically from the problem of computing the circumference of an ellipse. This Standard restricts its
attention to cubic plane curves, although other representations could be defined. The coefficients of such a
curve must satisfy a side condition to guarantee the mathematical property of nonsingularity. The side
condition is given below for each family of curves.)
6
7
8
9
10
11
An elliptic curve is a non-singular (smooth) algebraic curve of genus one with a defined point. The set of
points on an elliptic curve is topologically equivalent to a torus - a surface with one hole in it – and,
simplistically, the number of holes in a surface is the definition of the term genus. Elliptic curves should
strictly be written as a pair (E, O) where E is the curve and O the defined point. However, O is invariably
taken to be the point at infinity and the elliptic curve is often simply referred to as E. (Note: see [Sil86] for
a mathematically precise definition of “elliptic curve.”)
12
13
14
In cryptography, the elliptic curves of interest are those defined over finite fields. That is, the coefficients
of the defining equation F (x, y) = 0 are elements of GF (q), and the points on the curve are of the form P =
(x, y), where x and y are elements of GF (q). Examples are given below.
15
The Weierstrass equation
16
17
18
19
There are several kinds of defining equations for elliptic curves, but the most common are the Weierstrass
equations.
—
For the finite fields GF (pm) with p > 3, the Weierstrass equation for ordinary curves is
y 2 = x 3 + ax + b
20
21
22
23
where a and b are integers modulo p for which 4a 3 + 27b 2  0 (mod p).
—
For the binary finite fields GF (2m), the Weierstrass equation for ordinary curves is
y 2 + xy = x 3 + ax 2 + b
24
25
where a and b are elements of GF (2m) with b  0.
26
[NB. Include the SS forms here]
27
28
29
30
Given a Weierstrass equation, the elliptic curve E consists of the solutions (x, y) over GF (q) to the defining
equation, along with an additional element called the point at infinity (denoted O). The points other than O
are called finite points. The number of points on E (including O) is called the order of E and is denoted by
#E (GF (q)).
31
Example: Let E be the curve
y 2 = x 3 + 10 x + 5
32
33
34
over the field GF (13). Then the points on E are
{O, (1,4), (1,9), (3,6), (3,7), (8,5), (8,8), (10,0), (11,4), (11,9)}.
35
Thus the order of E is #E (GF (13)) = 10.
36
Example: Let E be the curve
37
y 2 + xy = x 3 + (t + 1) x 2 + 1
18
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
2
over the field GF (23) given by the polynomial basis with field polynomial t 3 + t + 1 = 0. Then the points
on E are
3
4
5
6
{O, ((000), (001)),
((010), (100)), ((010), (110)), ((011), (100)), ((011), (111)),
((100), (001)), ((100), (101)), ((101), (010)), ((101), (111)),
((110), (000)), ((110), (110)), ((111), (001)), ((111), (110))}.
7
Thus the order of E is #E (GF (23)) = 14.
8
For more information on elliptic curve cryptography, see [e.g. Blake, Seroussi & Smart?].
9
10
11
12
13
Pairings
The primitives defined in the body of this standard use the general concept of a pairing. Here, we define a
pairing e as a bilinear map between elements of two finite, cyclic, additive groups, G1 and G2 to a third
finite, cyclic group GT defined multiplicatively. Both of G1 and G2 are of prime order r, as is GT.
Notationally, we have:
e:G1 × G2  GT
14
15
16
17
where the bilinear property is such that
For all P, P’  G1 and all Q, Q’  G2, e(P + P’,Q) = e(P,Q)e(P’,Q) and e(P,Q + Q’) = e(P,Q) e(P,Q’)
We also impose the condition that the map be non-degenerate, i.e:
18
For all 0 ≠ P  G1 there exists Q  G2 such that e(P,Q) ≠ 1 and
19
For all 0 ≠ Q  G2 there exists P  G1 such that e(P,Q) ≠ 1
20
21
For cryptographic use, the groups G1 and G2 over which the pairings are defined are sub-groups of points
on an elliptic curve.
22
23
24
25
Elliptic curves fall into two general categories: supersingular curves and ordinary curves. The former are
curves where the kernel of the ‘multiplication by p’ map (where p is the characteristic of K) is trivial.
Supersingular curves were the first to be considered for use in pairing-based cryptography because they
possess maps (non F_q-rational endomorphisms) that prove useful in constructing the Tate pairing.
26
27
28
29
30
31
32
33
34
The first pairing-based cryptosystems used the Weil and Tate pairings on supersingular curves. Further
research in pairing-based cryptography has led to a range of suitable pairings and families of curves. Apart
from super-singular curves, all the curve families are of ordinary curves. The primary factors that dictate
which pairing and curve to use are the efficiency of computations and the security level. As with most
cryptography, increasing levels of security can be obtained by increasing the size of the field over which
the operations are defined, but not all curve-pairing combinations have the same relationship between
security and efficiency. To give some guidance for the best choices, section ?? suggests some appropriate
system parameters for different levels of security and section ?? suggests appropriate combinations of
pairings and curves.
35
36
Twists
37
For a field K, if char (K) ≠ 2,3 we define quadratic, quartic and sextic twists of E(K) as follows. Let
E: y 2 = x 3 + Ax + B
19
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
Case 1: if A, B ≠ 0, there are Quadratic Twists only and D giving
2
3
E': y 2 = x 3 + D2Ax +D3B
Case 2: if B = 0, there are Quartic Twists only and D giving
4
5
E': y 2 = x 3 + DAx
Case 2: if A = 0, there are Sextic Twists only and D giving
6
E': y 2 = x 3 + DB
7
A.6.2.
Operations on Elliptic Curves
8
9
10
There is an addition operation on the points of an elliptic curve which possesses the algebraic properties of
ordinary addition (e.g. commutativity and associativity). This operation can be described geometrically as
follows.
11
Define the inverse of the point P = (x, y) to be
 ( x, y ) if p  3

 P  ( x, x  y ) if q = 2m and E is ordinary
 ( x, c  y )

if q = 2m and E is supersingular
12
13
14
Then the sum P + Q of the points P and Q is the point R with the property that P, Q, and –R lie on a
common line.
15
The point at infinity
16
The point at infinity O plays a role analogous to that of the number 0 in ordinary addition. Thus
P + O = P,
P + (– P) = O
17
18
19
for all points P.
20
Full addition
21
22
23
24
25
When implementing the formulae for elliptic curve addition, it is necessary to distinguish between doubling
(adding a point to itself) and adding two distinct points that are not inverses of each other, because the
formulae are different in the two cases. Besides this, there are also the special cases involving O. By full
addition is meant choosing and implementing the appropriate formula for the given pair of points.
Algorithms for full addition are given in A.10.1, A.10.2 and A.10.8.
26
Scalar multiplication
27
28
29
30
Elliptic curve points can be added but not multiplied. It is, however, possible to perform scalar
multiplication, which is another name for repeated addition of the same point. If n is a positive integer and
P a point on an elliptic curve, the scalar multiple nP is the result of adding n copies of P. Thus, for
example, 5P = P + P + P + P + P.
31
The notion of scalar multiplication can be extended to zero and the negative integers via
32
0P = O,
(–n) P = n (–P).
20
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
A.6.3.
Elliptic Curve Cryptography (ECC)
2
Orders
3
4
5
The order of a point P on an elliptic curve is the smallest positive integer r such that rP = O. The order
always exists and divides the order of the curve #E(GF (q)). If k and l are integers, then kP = lP if and only
if k  l (mod r).
6
Elliptic curve discrete logarithms
7
8
9
10
Suppose that the point G on E has prime order r where r 2 does not divide the order of the curve
#E(GF (q)). Then a point P satisfies P = lG for some l if and only if rP = O. The coefficient l is called the
elliptic curve discrete logarithm of P (with respect to the base point G). The elliptic curve discrete
logarithm is an integer modulo r.
11
EC-based cryptography
12
13
14
15
16
Suppose that the base point G on E has order r as described in the preceding paragraph. Then a key pair
can the defined as follows.
17
18
19
20
21
It is necessary to compute an elliptic curve discrete logarithm in order to derive a private key from its
corresponding public key. For this reason, public-key cryptography based on key pairs of this type relies
for its security on the difficulty of the elliptic curve discrete logarithm problem. Thus it is an example of
EC-based cryptography. The difficulty of the elliptic curve discrete logarithm problem is discussed in
Annex D.4.2.
22
A.6.4.
23
24
25
26
The discrete logarithm problem in finite fields GF (q)* and the elliptic curve discrete logarithm are in some
sense the same abstract problem in two different settings. As a result, the primitives and schemes of DL
and EC based cryptography are closely analogous to each other. The following table makes these analogies
explicit.
—
—
The private key s is an integer modulo r.
The corresponding public key W is a point on E defined by W := sG.
Analogies with DL
DL
EC
Setting
GF (q)*
curve E over GF (q)
Basic operation
multiplication in GF (q)
addition of points
Main operation
exponentiation
scalar multiplication
Base element
generator g
base point G
Base element order
prime r
prime r
Private key
s (integer modulo r)
s (integer modulo r)
Public key
w (element of GF (q))
W (point on E)
21
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
Curve Orders
1
A.6.5.
2
3
4
5
6
The most difficult part of generating EC parameters is finding a base point of prime order. Generating such
a point requires knowledge of the curve order n = #E(GF (q)). Since r must divide n, one has the following
problem: given a field F = GF (q), find an elliptic curve defined over F whose order is divisible by a
sufficiently large prime r. (Note that “sufficiently large” is defined in terms of the desired security; see
Annex A.9.3 and D.4.2.) This section discusses this problem.
7
8
Basic facts
—
If n is the order of an elliptic curve over GF (q), then the Hasse bound is
q–2
9
10
11
12
13
14
15
16
17
18
19
20
21
22
q + 1  n  q + 2 q + 1.
Thus the order of an elliptic curve over GF (q) is approximately q.
—
—
—
If q is a prime p, let n be the order of the curve y 2 = x 3 + ax + b, where a and b are both nonzero.
Then if   0, the order of the curve y 2 = x 3 + a 2x + b 3 is n if  is a square modulo p and 2p + 2 –
n otherwise. (This fact allows one to replace a given curve by one with the same order and
satisfying some extra condition, such as a = p – 3 which will be used in A.10.4.) In the case b = 0,
there are four possible orders; in the case a = 0, there are six. (The formulae for these orders can be
found in Step 6 of A.14.2.3.)
If q = 2m, let n be the order of the curve y 2 + xy = x 3 + ax 2 + b, where a and b are both nonzero.
Then if   0, the order of the curve y 2 + xy = x 3 + (a + ) x 2 + b is n if  has trace 0 and 2m+1 + 2 –
n otherwise (see Annex A.4.5). (This fact allows one to replace a given curve by one with the same
order and satisfying some extra condition, such as a = 0 which will be used in A.10.7.)
If q = 2m, then the curves y 2 + xy = x 3 + ax 2 + b and y 2 + xy = x 3 + a 2 x 2 + b 2 have the same order.
23
Near primality
24
25
26
27
28
Given a trial division bound lmax, the positive integer k is called smooth if every prime divisor of k is at
most lmax. Given large positive integers rmin and rmax, u is called nearly prime if u = kr for some prime r in
the interval rmin  r  r max and some smooth integer k. (The requirement that k be smooth is omitted in
most definitions of near primality. It is included here to guarantee that there exists an efficient algorithm to
check for near primality.) In the case in which a prime order curve is desired, the bound lmax is set to 1.
29
30
31
32
NOTE—since all elliptic curves over GF (q) have order at most umax = q + 2
33
A.6.6.
34
35
This section discusses the issues involved in choosing representations for points on elliptic curves, for
purposes of internal computation and for external communication.
36
Affine coordinates
37
38
39
40
41
A finite point on E is specified by two elements x, y in GF (q) satisfying the defining equation for E. These
are called the affine coordinates for the point. The point at infinity O has no affine coordinates. For
purposes of internal computation, it is most convenient to represent O by a pair of coordinates (x, y) not on
E. For q = 2 m, the simplest choice is O = (0,0). For q = pm, one chooses O = (0, 0) unless b = 0, in which
case O = (0, 1).
q
+ 1, then rmax should be no greater
than umax. (If no maximum is desired, e.g., as in draft ANSI X9.62 [ANS98e], then one takes rmax  umax.) Moreover,
if rmin is close to umax, then there will be a small number of possible curves to choose from, so that finding a suitable
one will be more difficult. If a prime-order curve is desired, a convenient choice is rmin = q +
q.
Representation of Points
22
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
Coordinate compression
2
3
4
The affine coordinates of a point require 2ml bits to store and transmit where q itself requires l bits to
represent it. This is far more than is needed, however. For purposes of external communication, therefore,
it can be advantageous to compress one or both of the coordinates.
5
6
7
8
9
10
11
The y coordinate can always be compressed. The compressed y coordinate, denoted ~
y , is a single bit,
defined as follows.
12
NOTES
13
1—Algorithms for decompressing coordinates are given in A.12.8 through A.12.10.
14
15
2—There are many other possible ways to compress coordinates; the methods given here are the ones that have
appeared in the literature (see [Men95], [Ser98]).
16
Projective coordinates
17
18
19
If division within GF (q) is relatively expensive, then it may pay to keep track of numerators and
denominators separately. In this way, one can replace division by  with multiplication of the denominator
by . This is accomplished by the projective coordinates X, Y , and Z, given by
—
if q is a power of an odd prime, then ~
y := y mod 2, where y is interpreted as a positive integer less
than q. Put another way, ~
y is the rightmost bit of y.
—
if q is a power of 2, then ~
y is the rightmost bit of the field element y x –1 (except when x = 0, in
which case ~
y := 0).
x
20
21
X
Y
,y 3.
2
Z
Z
The projective coordinates of a point are not unique because
(X, Y, Z) = ( 2X,  3Y,  Z)
22
23
for every nonzero   GF (q).
24
The projective coordinates of the point at infinity are (  2,  3, 0), where   .
25
26
Other kinds of projective coordinates exist, but the ones given here provide the fastest arithmetic on elliptic
curves. (See [CC87].)
27
28
The formulae above provide the method for converting a finite point from projective coordinates to affine.
To convert from affine to projective, one proceeds as follows.
29
X  x, Y  y, Z  1.
30
31
32
Projective coordinates are well suited for internal computation, but not for external communication since
they require so many bits. They are more common over GF (p) since division tends to be more expensive
there.
23
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
A.7.
Elliptic Curves: Algorithms
2
A.7.1.
3
The following algorithm implements a full addition (on a curve modulo p) in terms of affine coordinates.
4
5
Input: a field K = GF(pn) for p > 3; coefficients a, b for an elliptic curve E: y
points P0 = (x0, y0) and P1 = (x1, y1) on E.
Full Addition and Subtraction (prime case)
2
= x 3 + ax + b over K;
6
7
8
9
10
11
12
13
14
15
16
17
18
Output: the point P2 := P0 + P1.
19
The above algorithm requires 3 or 4 modular multiplications and a modular inversion.
20
To subtract the point P = (x, y), one adds the point –P = (x, –y).
21
A.7.2.
22
23
The following algorithm implements a full addition (on a curve over GF (2m)) in terms of affine
coordinates.
24
25
Input: a field GF (2m); coefficients a, b for an elliptic curve E: y
points P0 = (x0, y0) and P1 = (x1, y1) on E.
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
Output: the point P2 := P0 + P1.
41
The above algorithm requires 2 general multiplications, a squaring, and a multiplicative inversion.
4.
5.
If P0 = O then output P2  P1 and stop
If P1 = O then output P2  P0 and stop
If x0  x1 then
3.1 set   (y0 – y1) / (x0 – x1) mod p
3.2 go to step 7
If y0  y1 then output P2  O and stop
If y1 = 0 then output P2  O and stop
6
Set   (3 x12 + a) / (2y1) mod p
7.
8.
9.
Set x2   2 – x0 – x1 mod p
Set y2  (x1 – x2)  – y1 mod p
Output P2  (x2, y2)
1.
2.
3.
1.
2.
3.
4.
5.
6.
7.
8.
Full Addition and Subtraction (binary case)
2
+ xy = x 3 + ax 2 + b over GF (2m);
If P0 = O, then output P2  P1 and stop
If P1 = O, then output P2  P0 and stop
If x0  x1 then
3.1 set   (y0 + y1) / (x0 + x1)
3.2 set x2  a +  2 +  + x0 + x1
3.3 go to step 7
If y0  y1 then output P2  O and stop
If x1 = 0 then output P2  O and stop
Set
6.1   x1 + y1 / x1
6.2 x2  a +  2 + 
y2  (x1 + x2)  + x2 + y1
P2  (x2, y2)
24
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
To subtract the point P = (x, y), one adds the point –P = (x, x + y).
2
3
4
A.7.3.
5
6
7
A.7.4.
8
A.7.5.
9
Scalar multiplication can be performed efficiently by the addition-subtraction method outlined below.
Full Addition and Subtraction (supersingular curves in
Characteristic 2)
[TBA]
Full Addition and Subtraction (supersingular curves in
Characteristic 3)
[TBA]
Elliptic Scalar Multiplication
10
Input: an integer n and an elliptic curve point P.
11
12
13
14
15
16
17
18
19
20
21
22
Output: the elliptic curve point nP.
23
24
There are several modifications that improve the performance of this algorithm. These methods are
summarized in [Gor98].
25
A.7.6.
26
The projective form of the doubling formula on the curve y 2 = x 3 + ax + b over GF(pm) for p > 3 is
1.
2.
3.
4.
5.
6.
7.
29
30
31
32
33
34
35
Projective Elliptic Doubling (prime case)
2 (X1, Y1, Z1) = (X2, Y2, Z2),
27
28
If n = 0 then output O and stop.
If n < 0 the set Q  (–P) and k  (–n), else set Q  P and k  n.
Let hl hl–1 ...h1 h0 be the binary representation of 3k, where the most significant bit hl is 1.
Let kl kl–1...k1 k0 be the binary representation of k.
Set S  Q.
For i from l – 1 downto 1 do
Set S  2S.
If hi = 1 and ki = 0 then compute S  S + Q via A.10.1 or A.10.2.
If hi = 0 and ki = 1 then compute S  S – Q via A.10.1 or A.10.2.
Output S.
where
M = 3 X 12 + a Z14 ,
Z2 = 2Y1Z1,
S = 4X1 Y12 ,
X2 = M 2 – 2S,
T = 8 Y14 ,
Y2 = M (S – X2) – T.
The algorithm Double given below performs these calculations.
25
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
2
Input: a modulus p; the coefficients a and b defining a curve E modulo p; projective coordinates (X1, Y1,
Z1) for a point P1 on E.
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
Output: projective coordinates (X2, Y2, Z2) for the point P2 = 2P1.
45
46
47
This algorithm requires 10 field multiplications and 5 temporary variables. If a is small enough that
multiplication by a can be done by repeated addition, only 9 field multiplications are required. If a = p – 3,
then only 8 field multiplications are required (see [CC87]). The proportion of elliptic curves modulo p that
1.
2.
3.
4.
5.
T1  X1
T2  Y1
T3  Z1
If T2 = 0 or T3 = 0 then output (1, 1, 0) and stop.
If a = p – 3 then
T4  T32
T5  T1 – T4
T4  T1 + T4
T5  T4  T5
T4  3  T5
=M
else
T4  a
T5  T32
T5  T52
T5  T4  T5
6.
7.
T4  T12
T4  3  T4
T4  T4 + T5
=M
T3  T2  T3
T3  2  T3
= Z2
8.
9.
10.
T2  T22
T5  T1  T2
T5  4  T5
=S
11.
T1  T42
T1  T1 – 2  T5
= X2
12.
13.
14.
15.
16.
17.
18.
19.
20.
T2  T22
T2  8  T2
=T
T5  T5 – T1
T5  T4  T5
T2  T5 – T2
= Y2
X2  T1
Y2  T2
Z2  T3
26
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
2
can be rescaled so that a = p – 3 is about 1/4 if p  1 (mod 4) and about 1/2 if p  3 (mod 4). (See Annex
A.9.5, Basic Facts.)
3
A.7.7.
4
The projective form of the adding formula on the curve y 2 = x 3 + ax + b over GF(pm) for p > 3, is
Projective Elliptic Addition (prime case)
(X0, Y0, Z0) + (X1, Y1, Z1) = (X2, Y2, Z2),
5
6
where
U0 = X0 Z12 ,
7
8
9
10
11
12
13
14
15
16
17
18
S0 = Y0 Z13 ,
U1 = X1 Z 02 ,
S1 = Y1 Z 03 ,
W = U0 – U1,
R = S 0 – S 1,
T = U0 + U1,
M = S0 + S1,
Z2 = Z0Z1W,
X2 = R 2 – TW 2,
V = TW 2 – 2X2,
2Y2 = VR – MW 3.
19
The algorithm Add given below performs these calculations.
20
21
Input: a modulus p; the coefficients a and b defining a curve E modulo p; projective coordinates (X0, Y0,
Z0) and (X1, Y1, Z1) for points P0 and P1 on E, where Z0 and Z1 are nonzero.
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
Output: projective coordinates (X2, Y2, Z2) for the point P2 = P0 + P1, unless P0 = P1. In this case, the
triplet (0, 0, 0) is returned. (The triplet (0, 0, 0) is not a valid projective point on the curve, but rather a
marker indicating that routine Double should be used.)
1.
2.
3.
4.
5.
6.
T1  X0
T2  Y0
T3  Z0
T4  X1
T5  Y1
If Z1  1 then
T6  Z1
= U0 (if Z1 = 1)
= S0 (if Z1 = 1)
T7  T62
T1  T1  T7
T7  T6  T7
T2  T2  T7
7.
T7 
8.
9.
10.
11.
12.
13.
T4  T4  T7
T7  T3  T7
T5  T5  T7
T4  T1 – T4
T5  T2 – T5
If T4 = 0 then
= U0 (if Z1  1)
= S0 (if Z1  1)
T32
= U1
= S1
=W
=R
27
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
17.
If T5 = 0 then output (0,0,0) and stop
else output (1, 1, 0) and stop
T1  2  T1 – T4
T2  2  T2 – T5
If Z1  1 then
T3  T3  T6
T3  T3  T4
18.
19.
20.
T7 
T4  T4  T7
T7  T1  T7
21.
22.
23.
24.
25.
26.
27.
T1  T52
T1  T1 – T7
T7  T7 – 2  T1
T5  T5  T7
T4  T2  T4
T2  T5 – T4
T2  T2 / 2
= Y2
X2  T1
Y2  T2
Z2  T3
14.
15.
16.
28.
29.
30.
=T
=M
= Z2
T42
= X2
=V
22
NOTE—the modular division by 2 in Step 27 can be carried out in the same way as in A.2.4.
23
24
25
This algorithm requires 16 field multiplications and 7 temporary variables. In the case Z1 = 1, only 11 field
multiplications and 6 temporary variables are required. (This is the case of interest for elliptic scalar
multiplication.)
26
A.7.8.
27
28
The projective form of the doubling formula on the curve y 2 + xy = x 3 + ax 2 + b over GF (2m) uses, not the
coefficient b, but rather the field element
c :=
29
30
33
34
35
36
m 2
b2 ,
computed from b by m – 2 squarings. (Thus b = c 4.) The formula is
2 (X1, Y1, Z1) = (X2, Y2, Z2),
31
32
Projective Elliptic Doubling (binary case)
where
Z2 = X1 Z12 ,
X2 = (X1 + c Z12 )4,
U = Z2 + X 12 + Y1Z1,
Y2 = X 14 Z2 + UX2.
37
The algorithm Double given below performs these calculations.
38
39
Input: a field of 2m elements; the field elements a and c specifying a curve E over GF (2m); projective
coordinates (X1, Y1, Z1) for a point P1 on E.
28
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Output: projective coordinates (X2, Y2, Z2) for the point P2 = 2P1.
26
This algorithm requires 5 field squarings, 5 general field multiplications, and 4 temporary variables.
27
A.7.9.
28
The projective form of the adding formula on the curve y 2 + xy = x 3 + ax2 + b over GF (2m) is
1.
2.
3.
4.
5.
6.
T1  X1
T2  Y1
T3  Z1
T4  c
If T1 = 0 or T3 = 0 then output (1, 1, 0) and stop.
T2  T2  T3
7.
8.
9.
10.
11.
T3  T32
T4  T3  T4
T3  T1  T3
T2  T2 + T3
T4  T1 + T4
12.
T4  T42
13.
T4  T42
14.
T1 
15.
16.
T2  T1 + T2
T2  T2  T4
17.
18.
19.
20.
21.
22.
23.
T1  T12
T1  T1  T3
T2  T1 + T2
T1  T4
X2  T1
Y2  T2
Z2  T3
31
32
33
34
35
36
37
38
39
40
41
42
= X2
T12
=U
= Y2
Projective Elliptic Addition (binary case)
(X0, Y0, Z0) + (X1, Y1, Z1) = (X2, Y2, Z2),
29
30
= Z2
where
U0 = X0 Z12 ,
S0 = Y0 Z13 ,
U1 = X1 Z 02 ,
W = U0 + U1,
S1 = Y1 Z 03 ,
R = S 0 + S 1,
L = Z0 W
V = RX1 + LY1,
Z2 = LZ1,
T = R + Z2,
X2 = a Z 22 + TR + W 3,
Y2 = TX2 + VL 2.
29
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
The algorithm Add given below performs these calculations.
2
3
Input: a field of 2m elements; the field elements a and b defining a curve E over GF (2m); projective
coordinates (X0, Y0, Z0) and (X1, Y1, Z1) for points P0 and P1 on E, where Z0 and Z1 are nonzero.
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
Output: projective coordinates (X2, Y2, Z2) for the point P2 = P0 + P1, unless P0 = P1. In this case, the
triplet (0, 0, 0) is returned. (The triplet (0, 0, 0) is not a valid projective point on the curve, but rather a
marker indicating that routine Double should be used.)
1.
2.
3.
4.
5.
6.
7.
T1  X0
T2  Y0
T3  Z0
T4  X1
T5  Y1
If a  0 then
T9  a
If Z1  1 then
T6  Z1
= U0 (if Z1 = 1)
= S0 (if Z1 = 1)
T7  T62
T1  T1  T7
T7  T6  T7
T2  T2  T7
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
= S0 (if Z1  1)
T7  T32
T8  T4  T7
T1  T1 + T8
T7  T3  T7
T8  T5  T7
T2  T2 + T8
If T1 = 0 then
If T2 = 0 then output (0, 0, 0) and stop
else output (1, 1, 0) and stop
T4  T2  T4
T3  T1  T3
1)
T5  T3  T5
T4  T4 + T5
= U1
=W
= S1
=R
= L (= Z2 if Z1 =
=V
T5 
T7  T4  T5
If Z1  1 then
T3  T3  T6
T4  T2 + T3
T2  T2  T4
T32
25.
26.
T5  T12
T1  T1  T5
If a  0 then
27.
28.
T8  T32
T9  T8  T9
T1  T1 + T9
T1  T1 + T2
T4  T1  T4
24.
= U0 (if Z1  1)
= Z2 (if Z1  1)
=T
= X2
30
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
T2  T4 + T7
X2  T1
Y2  T2
Z2  T3
1
2
3
4
29.
30.
31.
32.
5
6
7
8
This algorithm requires 5 field squarings, 15 general field multiplications and 9 temporary variables. If
a = 0, then only 4 field squarings, 14 general field multiplications and 8 temporary variables are required.
(About half of the elliptic curves over GF (2m) can be rescaled so that a = 0. They are precisely the curves
with order divisible by 4. See Annex A.9.5, Basic Facts.)
9
10
11
In the case Z1 = 1, only 4 field squarings, 11 general field multiplications, and 8 temporary variables are
required. If also a = 0, then only 3 field squarings, 10 general field multiplications, and 7 temporary
variables are required. (These are the cases of interest for elliptic scalar multiplication.)
12
A.7.10.
13
The following algorithm FullAdd implements a full addition in terms of projective coordinates.
14
15
Input: a field of q elements; the field elements a and b defining a curve E over GF (q); projective
coordinates (X0, Y0, Z0) and (X1, Y1, Z1) for points P0 and P1 on E.
16
17
18
19
20
21
22
Output: projective coordinates (X2, Y2, Z2) for the point P2 = P0 + P1.
23
An elliptic subtraction is implemented as follows:
1.
2.
3.
4.
5.
Projective Full Addition and Subtraction
If Z0 = 0 then output (X2, Y2, Z2)  (X1, Y1, Z1) and stop.
If Z1 = 0 then output (X2, Y2, Z2)  (X0, Y0, Z0) and stop.
Set (X2, Y2, Z2)  Add[(X0, Y0, Z0), (X1, Y1, Z1)].
If (X2, Y2, Z2) = (0, 0, 0) then set (X2, Y2, Z2)  Double[(X1, Y1, Z1)]
Output (X2, Y2, Z2).
Subtract[(X0, Y0, Z0), (X1, Y1, Z1)] = FullAdd[(X0, Y0, Z0), (X1, U, Z1)]
24
25
= Y2
where
  Y1 mod p if q  p
if q  2 m
 X 1 Z1  Y1
U= 
26
27
A.7.11.
28
Input: an integer n and an elliptic curve point P = (X, Y, Z).
29
30
31
32
33
34
35
36
37
38
39
Output: the elliptic curve point nP = (X*, Y*, Z*).
1.
2.
3.
4.
Projective Elliptic Scalar Multiplication
If n = 0 or Z = 0 then output (1, 1, 0) and stop.
Set
2.1 X*  X
2.2 Z*  Z
2.3 Z1  1
If n < 0 then go to Step 6
Set
4.1 k  n
4.2 Y*  Y
31
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
2
3
4
5
6
7
8
9
10
11
5.
6.
7.
8.
9.
10.
11.
12
13
There are several modifications that improve the performance of this algorithm. These methods are
summarized in [Gor98].
14
A.7.12.
15
The following algorithm recovers the y coordinate of an elliptic curve point from its compressed form.
16
17
Input: a prime number p, an elliptic curve E defined over K = GF(pm) for p > 3, the x coordinate of a point
(x, y) on E, and the compressed representation ~
y of the y coordinate.
18
19
20
21
22
23
24
25
Output: the y coordinate of the point.
26
27
NOTE—when implementing the algorithm from A.2.5, the existence of modular square roots should be checked.
Otherwise, a value may be returned even if no modular square roots exist.
28
A.7.13.
29
The following algorithm recovers the y coordinate of an elliptic curve point from its compressed form.
30
31
Input: a field GF (2m), an elliptic curve E defined over GF (2m), the x coordinate of a point (x, y) on E, and
y of the y coordinate.
the compressed representation ~
32
33
34
35
36
37
38
39
40
41
Output: the y coordinate of the point.
12.
1.
2.
3.
4.
5.
1.
2.
3.
4.
5.
6.
7.
Go to Step 8
Set k  (–n)
If q = p then set Y*  –Y (mod p); else set Y*  XZ +Y
If Z* = 1 then set X1  X*, Y1  Y*; else set X1  X* / (Z*)2, Y1  Y* / (Z*)3
Let hl hl–1 ...h1 h0 be the binary representation of 3k, where the most significant bit hl is 1.
Let kl kl–1...k1 k0 be the binary representation of k.
For i from l – 1 downto 1 do
11.1 Set (X*, Y*, Z*)  Double[(X*, Y*, Z*)].
11.2 If hi = 1 and ki = 0 then set (X*, Y*, Z*)  FullAdd[(X*, Y*, Z*), (X1, Y1, Z1)].
11.3 If hi = 0 and ki = 1 then set (X*, Y*, Z*)  Subtract[(X*, Y*, Z*), (X1, Y1, Z1)].
Output (X*, Y*, Z*).
Decompression of y Coordinates (prime case)
Compute g := x3 + ax + b over K
Find a square root z of g modulo p via A.4.1. If the output of A.4.1 is “no square roots exist,” then
return an error message and stop.
z be the rightmost bit of z (in other words, z mod 2).
Let ~
~
y then y  z, else y  p – z.
If z = ~
Output y.
Decompression of y Coordinates (binary case)
If x = 0 then compute y := b via A.4.1 and go to Step 7.
Compute the field element  := x3 + ax2 + b in GF (2m)
Compute the element  :=  (x2)–1 via A.4.4
Find a field element z such that z2 + z =  via A.4.7. If the output of A.4.7 is “no solutions exist,”
then return an error message and stop.
z be the rightmost bit of z
Let ~
z + ~y ) x
Compute y := (z + ~
Output y.
32
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
NOTES
2
3
1—When implementing the algorithm from A.4.7, the existence of solutions to the quadratic equation should be
checked. Otherwise, a value may be returned even if no solutions exist.
4
5
2—If both coordinates are compressed, the x coordinate must be decompressed first and then the y coordinate. (See
Annex A.12.10.)
6
A.8.
7
A.8.1.
8
9
The following algorithm provides an efficient method for finding a random point (other than O) on a given
elliptic curve over the finite field GF (p).
Functions for Elliptic Curve Parameter and Key Generation
Finding a Random Point on an Elliptic Curve (prime case)
10
Input: a field K = GF(pm) where p > 3 and the parameters a, b of an elliptic curve E over K.
11
12
13
14
15
16
17
18
19
Output: a randomly generated point (other than O) on E.
1.
2.
3.
4.
5.
Choose random x  K.
Set   x3 + ax + b.
If  = 0 then output (x, 0) and stop.
Apply the appropriate technique from A.4.1 to find a square root modulo p of  or determine that
none exist.
If the result of Step 4 indicates that no square roots exist, then go to Step 1. Otherwise the output of
Step 4 is an element  with 0 <  < p such that
 2  .
20
21
22
23
6.
7.
24
A.8.2.
25
26
The following algorithm provides an efficient method for finding a random point (other than O) on a given
elliptic curve over the finite field GF (2m).
27
Input: a field GF (2m) and the parameters a, b of an elliptic curve E over GF (2m).
28
29
30
31
32
33
34
35
36
37
38
39
40
Output: a randomly generated point (other than O) on E.
Generate a random bit  and set y  (–1)  .
Output (x, y).
Finding a Random Point on an Elliptic Curve (binary case)
1.
Choose random x in GF (2m).
2.
3.
4.
5.
6.
If x = 0 then output (0, b2 ) and stop.
Set   x3 + ax2 + b.
If  = 0 then output (x, 0) and stop.
Set   x – 2 .
Apply the appropriate technique from A.4.7 to find an element z for which z2 + z =  or determine
that none exist.
If the result of Step 6 indicates that no solutions exist, then go to Step 1. Otherwise the output of
Step 6 is a solution z.
Generate a random bit  and set y  (z + ) x.
Output (x, y).
7.
8.
9.
m–1
33
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
A.8.3.
Finding a Point of Large Prime Order
2
3
4
If the order #E(GF (q)) = u of an elliptic curve E is nearly prime, the following algorithm efficiently
produces a random point on E whose order is the large prime factor r of u = kr. (See Annex A.9.5 for the
definition of nearly prime.)
5
Input: a prime r, a positive integer k not divisible by r, and an elliptic curve E over the field GF (q).
6
7
8
9
10
11
12
13
Output: if #E(GF (q)) = kr, a point G on E of order r. If not, the message “wrong order.”
14
A.8.4.
15
16
If d is “small” (i.e. it is feasible to perform 2 d arithmetic operations), then the order of the curve y2 + xy = x3
+ ax2 + b over GF (2d) can be calculated directly as follows. Let
17
 = (–1) Tr (a).
18
1.
2.
3.
4.
5.
6.
Generate a random point P (not O) on E via A.11.1 or A.11.2.
Set G  kP.
If G = O then go to Step 1.
Set Q  rG.
If Q  O then output “wrong order” and stop.
Output G.
Curve Orders over Small Binary Fields
For each nonzero x  GF (2d), let
 (x) = Tr (x + b/x2).
19
20
Then
#E(GF (2d)) = 2d + 1 + 
21
 ( 1)
(x)
.
x 0
22
A.8.5.
23
24
Given the order of an elliptic curve E over a finite field GF (2d), the following algorithm computes the
order of E over the extension field GF (2de).
25
26
Input: positive integers d and e, an elliptic curve E defined over GF (2d), and the order w of E over
GF (2d).
27
28
29
30
31
32
Output: the order u of E over GF (2de).
33
A.8.6.
34
35
The algorithms of A.11.4 and A.11.5 allow construction of elliptic curves with known orders over GF (2m),
provided that m is divisible by an integer d that is small enough for A.11.4. The following algorithm finds
1.
2.
3.
4.
Curve Orders over Extension Fields
Set P  2d + 1 – w and Q  2d.
Compute via A.2.4 the Lucas sequence element Ve.
Compute u := 2de + 1 – Ve.
Output u.
Curve Orders via Subfields
34
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
2
such curves with nearly prime orders when such exist. (See Annex A.9.5 for the definition of nearly
prime.)
3
4
Input: a field GF (2m); a subfield GF (2d) for some (small) d dividing m; lower and upper bounds rmin and
rmax for the base point order.
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
Output: elements a, b  GF (2m) specifying an elliptic curve E, along with the nearly prime order n =
#E(GF (2m)), if one exists; otherwise, the message “no such curve.”
23
NOTE—It follows from the Basic Facts of A.9.5 that any a0 can be chosen at any time in Step 1.
24
A.9.
25
The following computations are necessary for the complex multiplication technique described in A.14.
26
A.9.1.
27
A reduced symmetric matrix is one of the form
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
Select elements a0, b0  GF (2d) such that b0 has not already been selected. (If all of the b0’s have
already been tried, then output the message “no such curve” and stop.) Let E be the elliptic curve y2
+ xy = x3 + a0 x2 + b0.
Compute the order w = #E(GF (2d)) via A.11.4.
Compute the order u = #E(GF (2m)) via A.11.5.
Test u for near-primality via A.15.5.
If u is nearly prime, then set   0 and n  u and go to Step 9.
Set u = 2m+1 + 2 – u.
Test u for near-primality via A.15.5.
If u is nearly prime, then set   1 and n  u, else go to Step 1.
Find the elements a1, b1  GF (2m) corresponding to a0 and b0 via A.5.7.
If  = 0 then set   0. If  = 1 and m is odd, then set   1. Otherwise, find an element  
GF (2m) of trace 1 by trial and error using A.4.5.
Set a  a1 +  and b  b1
Output n, a, b.
Class Group Calculations
Overview
 A B

S 
 B C
28
29
30
31
32
33
where the integers A, B, C satisfy the following conditions:
34
The matrix S will be abbreviated as [A, B, C] when typographically convenient.
35
36
The determinant D := AC – B 2 of S will be assumed throughout this section to be positive and squarefree
(i.e., containing no square factors).
37
38
Given D, the class group H (D) is the set of all reduced symmetric matrices of determinant D. The class
number h(D) is the number of matrices in H(D).
i)
ii)
iii)
GCD (A, 2B, C) = 1,
|2B|  A  C,
If either A = |2B| or A = C, then B  0.
35
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
2
3
The class group is used to construct the reduced class polynomial. This is a polynomial wD (t) with integer
coefficients of degree h (D). The reduced class polynomial is used in A.14 to construct elliptic curves with
known orders.
4
A.9.2.
5
6
The following algorithm produces a list of the reduced symmetric matrices of a given determinant D. See
[Bue89].
7
Input: a squarefree determinant D > 0.
8
9
10
11
12
13
14
15
16
17
18
Class Group and Class Number
Output: the class group H (D).
1.
2.
Let s be the largest integer less than
For B from 0 to s do
D/3.
List the positive divisors A1, …, Ar of D + B 2 that satisfy 2B  A 
For i from 1 to r do
2.2.1 Set C  (D + B 2) / Ai
2.2.2 If GCD (Ai, 2B, C) = 1 then
list [Ai, B, C].
if 0 < 2B < Ai < C then list [Ai, – B, C].
Output list.
2.1
2.2
3.
19
20
21
22
23
24
25
Example: D = 71. The values of B that need to be checked are 0  B < 5.
26
Thus the class group is
—
—
—
—
—
B = 0 gives A = 1, leading to [1,0,71].
B = 1 gives A = 2,3,4,6,8, leading to [3, 1,24] and [8, 1,9].
B = 2 gives A = 5, leading to [5, 2, 15].
B = 3 gives A = 8, but no reduced matrices.
B = 4 gives no divisors A in the right range.
H (71) = {[1,0,71], [3, 1,24], [8, 1,9], [5, 2, 15]} .
27
28
and the class number is h (71) = 7.
29
A.9.3.
30
Let
Reduced Class Polynomials
 (1)  z

F(z) = 1 +
31
j
( 3 j 2  j )/ 2
 z (3 j
2
 j )/ 2
j 1
= 1 – z – z2 + z5 + z7 – z12 – z15 + ...
32
33
and
  D  Bi 
 .
A


 = exp 
34
35

Let
36
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
D  B2 .
ƒ0(A, B, C) =  –1/24 F(–) / F( 2),
ƒ1(A, B, C) =  –1/24 F() / F( 2),
1
2
3
4
ƒ2(A, B, C) =
2  1/12F( 4) / F( 2).
NOTE—since
||  e
5
3/ 2
 0.0658287 ,
6
the series F (z) used in computing the numbers ƒJ(A, B, C) converges as quickly as a power series in
7
If [A, B, C] is a matrix of determinant D, then its class invariant is
G
C(A, B, C) = (N  –BL 2–I/6 (ƒJ (A, B, C))K) ,
8
9
where:
10
G = GCD(D,3),
11
3
0

I
2
6
12
13
e 
if D  1,2,6,7 (mod 8),
if D  3 (mod 8) and D  0 (mod 3),
if D  3 (mod 8) and D  0 (mod 3),
if D  5 (mod 8),
0

J  1
2

for AC odd,
2

K  1
4

if D  1,2,6 (mod 8),
for C even,
for A even,
if D  3,7 (mod 8),
if D  5 (mod 8),
14
15
 A  C  A2 C

2
 A  2C  AC
L
2
 A  C  5 AC
 A  C  AC 2
if AC odd or D  5 (mod 8) and C even,
if D  1,2,3,6,7 (mod 8) and C even,
if D  3 (mod 8) and A even,
if D  1,2,5,6,7 (mod 8) and A even,
( 1)( A 1)/ 8

M
( C 2 1)/ 8

( 1)
2
16
if A odd,
if A even,
37
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
3/ 2
.
1





N  M


 M



1
or D  3 (mod 8) and AC odd
or D  7 (mod 8) and AC even,
if D  1,2,6 (mod 8)
or D  7 (mod 8) and AC odd,
if D  3 (mod 8) and AC even,
= e  iK/24.
2
3
4
if D  5 (mod 8)
If [A1, B1, C1], ..., [Ah ,Bh ,Ch] are the reduced symmetric matrices of (positive squarefree) determinant D,
then the reduced class polynomial for D is
h
wD(t) =
5
 (t  C( A , B , C )) .
j
j 1
j
j
6
The reduced class polynomial has integer coefficients.
7
8
9
NOTE—The above computations must be performed with sufficient accuracy to identify each coefficient of the
polynomial wD (t). Since each such coefficient is an integer, this means that the error incurred in calculating each
coefficient should be less than 1/2.
10
Example.
11
w71(t)=

1

f0 1,0,71 
t 


2
12



e  i / 8
e i / 8
t 
f1  31
, ,24   t 
f1  3,1,24 



2
2
13
 e 23i / 24
  e 23i / 24

f2  8,1,9   t 
f2  8,1,9 
t 



2
2
14
 e 5i /12
  e5i /12

t

f
5
,
2
,
15
f0  5,2,15 
  t 

0



2
2
15
16
17
18
=
(t – 2.13060682983889533005591468688942503...)
(t – (0.95969178530567025250797047645507504...) +
(0.34916071001269654799855316293926907...) i)
(t – (0.95969178530567025250797047645507504...) –
38
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
(0.34916071001269654799855316293926907...) i)
1
(t + (0.7561356880400178905356401098531772...) +
2
(0.0737508631630889005240764944567675...) i)
3
(t + (0.7561356880400178905356401098531772...) –
4
(0.0737508631630889005240764944567675...) i)
5
(t + (0.2688595121851000270002877100466102...) –
6
(0.84108577401329800103648634224905292...) i)
7
(t + (0.2688595121851000270002877100466102...) +
8
(0. 84108577401329800103648634224905292...) i)
9
t 7 – 2t 6 – t 5 + t 4 + t 3 + t 2 – t – 1.
10
=
11
A.10. Complex Multiplication
12
A.10.1.
13
If E is a non-supersingular elliptic curve over GF (q) of order u, then
Overview
Z = 4q – (q + 1 – u)2
14
15
is positive by the Hasse bound (see Annex A.9.5). Thus there is a unique factorization
16
Z = DV 2
17
18
where D is squarefree (i.e. contains no square factors). Thus, for each non-supersingular elliptic curve over
GF (q) of order u, there exists a unique squarefree positive integer D such that
19
(*)
4q = W 2 + DV 2,
20
(**)
u=q+1W
21
for some W and V.
22
23
It is said that E has complex multiplication by D (or, more properly, by
discriminant for q.
24
25
26
27
If one knows D for a given curve E, one can compute its order via (*) and (**). As will be demonstrated
below, one can construct the curves with CM by small D. Therefore one can obtain curves whose orders u
satisfy (*) and (**) for small D. The near-primes are plentiful enough that one can find curves of nearly
prime order with small enough D to construct.
28
29
30
31
Over GF (p), the CM technique is also called the Atkin-Morain method (see [Mor91]); over GF (2m), it is
also called the Lay-Zimmer method (see [LZ94]). Although it is possible (over GF (p)) to choose the order
first and then the field, it is preferable to choose the field first since there are fields in which the arithmetic
is especially efficient.
 D ). D is called a CM
39
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
2
3
4
5
6
There are two basic steps involved: finding an appropriate order, and constructing a curve having that
order. More precisely, one begins by choosing the field size q, the minimum point order rmin, and trial
division bound lmax. Given those quantities, D is called appropriate if there exists an elliptic curve over
GF (q) with CM by D and having nearly prime order.
7
8
9
10
Find an appropriate D. When one is found, record D, the large prime r, and the positive integer k
such that u = kr is the nearly prime curve order.
Step 1 (A.14.2 and A.14.3, Finding a Nearly Prime Order):
Step 2 (A.14.4 and A.14.5, Constructing a Curve and Point):
Given D, k and r, construct an elliptic curve over GF (q) and a point of order r.
11
12
A.10.2.
Finding a Nearly Prime Order over GF (p)
13
Congruence Conditions
14
15
A squarefree positive integer D can be a CM discriminant for p only if it satisfies the following congruence
conditions. Let

K  

16
17
18
19
20
21
22
—
—
—
—
—
23
Thus the possible squarefree D's are as follows:
24
If K = 1, then
25
26
27
28
29
30
31
32
33


2
p 1 
.
rmin 

If p  3 (mod 8), then D  2, 3, or 7 (mod 8).
If p  5 (mod 8), then D is odd.
If p  7 (mod 8), then D  3, 6, or 7 (mod 8).
If K = 1, then D  3 (mod 8).
If K = 2 or 3, then D  7 (mod 8).
D = 3, 11, 19, 35, 43, 51, 59, 67, 83, 91, 107, 115, ….
If p  1 (mod 8) and K = 2 or 3, then
D = 1, 2, 3, 5, 6, 10, 11, 13, 14, 17, 19, 21, ….
If p  1 (mod 8) and K  4, then
D = 1, 2, 3, 5, 6, 7, 10, 11, 13, 14, 15, 17, ….
If p  3 (mod 8) and K = 2 or 3, then
D = 2, 3, 10, 11, 19, 26, 34, 35, 42, 43, 51, 58, ….
If p  3 (mod 8) and K  4, then
D = 2, 3, 7, 10, 11, 15, 19, 23, 26, 31, 34, 35, ….
40
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
If p  5 (mod 8) and K = 2 or 3, then
D = 1, 3, 5, 11, 13, 17, 19, 21, 29, 33, 35, 37, ….
2
3
If p  5 (mod 8) and K  4, then
D = 1, 3, 5, 7, 11, 13, 15, 17, 19, 21, 23, 29, ….
4
5
If p  7 (mod 8) and K = 2 or 3, then
D = 3, 6, 11, 14, 19, 22, 30, 35, 38, 43, 46, 51, ….
6
7
If p  7 (mod 8) and K  4, then
D = 3, 6, 7, 11, 14, 15, 19, 22, 23, 30, 31, 35, ….
8
9
Testing for CM Discriminants (prime case)
10
Input: a prime p and a squarefree positive integer D satisfying the congruence conditions from A.14.2.1.
11
Output: if D is a CM discriminant for p, an integer W such that
12
4p = W 2 + DV 2
13
14
15
16
17
18
19
20
for some V. [In the cases D = 1 or 3, the output also includes V.] If not, the message “not a CM
discriminant.”
3.
Apply the appropriate technique from A.2.5 to find a square root modulo p of –D or determine that
none exist.
If the result of Step 1 indicates that no square roots exist, then output “not a CM discriminant” and
stop. Otherwise, the output of Step 1 is an integer B modulo p.
Let A  p and C  (B 2 + D) / p.
21
4.
Let S  
22
5.
Until |2B|  A  C, repeat the following steps.
1.
2.
 A B
 1
 and U    .
 B C
 0
 B 1
   .
C 2
23
5.1
Let 
24
5.2
Let T  
25
26
27
28
5.3 Replace U by T –1U.
5.4 Replace S by T t S T, where T t denotes the transpose of T.
If D = 11 and A = 3, let   0 and repeat 5.2, 5.3, 5.4.
Let X and Y be the entries of U. That is,
6.
7.
 X
U  .
Y
29
30
31
32
33
 0  1
.
1  
8.
9.
10.
If D = 1 or 3 then output W  2X and V  2Y and stop.
If A = 1 then output W  2X and stop.
If A = 4 then output W  4X + BY and stop.
41
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
11.
2
Finding a Nearly Prime Order (prime case)
3
Input: a prime p, a trial division bound lmax, and lower and upper bounds rmin and rmax for base point order.
4
5
6
7
8
Output: a squarefree positive integer D, a prime r in the interval rmin  r  rmax, and a smooth integer k
such that u = kr is the order of an elliptic curve modulo p with complex multiplication by D.
1.
Choose a squarefree positive integer D, not already chosen, satisfying the congruence conditions of
A.14.2.1.
9
2.
Compute via A.2.3 the Jacobi symbol J = 
10
3.
List the odd primes l dividing D.
11
4.
For each l, compute via A.2.3 the Jacobi symbol J = 
12
13
14
15
5.
Test via A.14.2.2 whether D is a CM discriminant for p. If the result is “not a CM discriminant,” go
to Step 1. (Otherwise, the result is the integer W, along with V if D = 1 or 3.)
Compile a list of the possible orders, as follows.
—
If D = 1, the orders are
6.
Output “not a CM discriminant.”
  D
 . If J = –1 then go to Step 1.
 p 


p + 1  W, p + 1  V.
16
17
18
—
If D = 3, the orders are
p + 1  W, p + 1  (W + 3V)/2, p + 1  (W – 3V)/2.
19
20
21
22
23
7.
8.
24
Example: Let p = 2192 – 264 – 1. Then
—
Otherwise, the orders are p + 1  W.
Test each order for near-primality via A.15.5. If any order is nearly prime, output (D, k, r) and stop.
Go to Step 1.
p = 4X 2 – 2XY +
25
26
1 D 2
Y
and
4
p + 1 – (4X – Y) = r
where D = 235,
X = –31037252937617930835957687234,
Y = 5905046152393184521033305113,
27
28
29
p
 . If J = –1 for some l, then go to Step 1.
l
and r is the prime
r = 6277101735386680763835789423337720473986773608255189015329.
30
31
Thus there is a curve modulo p of order r having complex multiplication by D.
32
A.10.3.
33
Testing for CM Discriminants (binary case)
34
Input: a field degree d and a squarefree positive integer D  7 (mod 8).
Finding a Nearly Prime Order over GF (2m)
42
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
Output: if D is a CM discriminant for 2 d, an odd integer W such that
2 d+2 = W 2 + DV 2,
2
3
4
5
6
7
for some odd V. If not, the message “not a CM discriminant.”
1.
2.
Compute via A.2.6 an integer B such that B 2  –D (mod 2d+2).
Let A  2d+2 and C  (B 2 + D) / 2d+2 (Note: the variables A and C will remain positive throughout
the algorithm.)
8
3.
Let S  
9
4.
Until |2B|  A  C, repeat the following steps.
 A B
 1
 and U    .
 B C
 0
B
1
    .
C 2
10
4.1
Let
11
4.2
Let T  
12
13
14
4.3 Replace U by T –1U.
4.4 Replace S by T t S T, where T t denotes the transpose of T.
Let X and Y be the entries of U. That is,
5.
 0  1

1  
 X
U  .
Y
15
16
17
18
19
6.
7.
8.
20
Finding a Nearly Prime Order (binary case)
21
22
Input: a field degree d, a trial division bound lmax, and lower and upper bounds rmin and rmax for base point
order.
23
24
25
26
27
28
29
30
31
32
33
34
Output: a squarefree positive integer D, a prime r in the interval rmin  r  rmax, and a smooth integer k
such that u = kr is the order of an elliptic curve over GF (2d) with complex multiplication by D.
35
Example: Let q = 2155. Then
36
37
1.
2.
3.
4.
5.
6.
7.
8.
If A = 1, then output W  X and stop.
If A = 4 and Y is even, then output W  (4X + BY) / 2 and stop.
Output “not a CM discriminant.”
Choose a squarefree positive integer D  7 (mod 8), not already chosen.
Compute H  the class group for D via A.13.2.
Set h  the number of elements in H.
If d does not divide h, then go to Step 1.
Test via A.14.3.1 whether D is a CM discriminant for 2d. If the result is “not a CM discriminant,” go
to Step 1. (Otherwise, the result is the integer W.)
The possible orders are 2d + 1  W.
Test each order for near-primality via A.15.5. If any order is nearly prime, output (D, k, r) and stop.
Go to Step 1.
4q = X 2 + DY 2 and q + 1 – X = 4r
where D = 942679, X = 229529878683046820398181, Y = –371360755031779037497, and r is the prime
43
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
r = 11417981541647679048466230373126290329356873447.
1
2
Thus there is a curve over GF (q) of order 4r having complex multiplication by D.
3
A.10.4.
4
Constructing a Curve with Prescribed CM (prime case)
5
6
7
8
Given a prime p and a CM discriminant D, the following technique produces an elliptic curve y2  x3 + a0 x
+ b0 (mod p) with CM by D. (Note that there are at least two possible orders among curves with CM by D.
The curve constructed here will have the proper CM, but not necessarily the desired order. This curve will
be replaced in A.14.4.2 by one of the desired order.)
9
For nine values of D, the coefficients of E can be written down at once:
Constructing a Curve and Point (prime case)
D
a0
b0
1
1
0
2
–30
56
3
0
1
7
–35
98
11
–264
1694
19
–152
722
43
–3440
77658
67
–29480
1948226
163
–8697680
9873093538
10
For other values of D, the following algorithm may be used.
11
Input: a prime modulus p and a CM discriminant D > 3for p.
12
Output: a0 and b0 such that the elliptic curve
y 2  x 3 + a0x + b0 (mod p)
13
14
15
16
17
18
19
20
21
22
has CM by D.
1.
2.
3.
Compute w(t)  wD(t) mod p via A.13.3.
Let W be the output from A.14.2.2.
If W is even, then use A.5.3 with d = 1 to compute a linear factor t – s of wD(t) modulo p. Let
V := (–1)D 2 4I/K s 24/(GK) mod p,
where G, I and K are as in A.13.3. Finally, let
a0 := –3(V + 64)(V + 16) mod p,
b0 := 2(V + 64)2 (V – 8) mod p.
44
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
2
3
4.
If W is odd, then use A.5.3 with d = 3 to find a cubic factor g (t) of wD(t) modulo p. Perform the
following computations, in which the coefficients of the polynomials are integers modulo p.
4
  t 24 mod g( t ) if 3 | D,
V ( t ):  
8
 256t mod g( t ) if 3 | D,
5
6
a1(t) := –3(V(t) + 64) (V(t) + 256) mod g(t),
b1(t) := 2(V(t) + 64)2 (V(t) – 512) mod g(t),
7
8
a3(t) := a1(t)3 mod g(t),
b2(t) := b1(t)2 mod g(t).
9
10
Now let  be a nonzero coefficient from a3(t), and let  be the corresponding coefficient from b2(t).
Finally, let
11
12
13
14
a0 :=  mod p,
b0 :=  2 mod p.
5.
15
Example: If D = 235, then
Output (a0, b0).
wD (t) = t 6 – 10 t 5 + 22 t 4 – 24 t 3 + 16 t 2 – 4 t + 4.
16
17
If p = 2192 – 264 – 1, then
wD (t)  (t 3 – (5 + )t 2 + (1 – )t – 2) (t 3 – (5 – )t 2 + (1 + )t – 2) (mod p),
18
19
20
where  = 1254098248316315745658220082226751383299177953632927607231.
coefficients are
a0 = –2089023816294079213892272128,
b0 = –36750495627461354054044457602630966837248.
21
22
23
Thus the curve y 2  x 3 + a0x + b0 modulo p has CM by D = 235.
24
Choosing the Curve and Point (prime case)
25
Input: EC parameters p, k, and r, and coefficients a0, b0 produced by A.14.4.1.
26
27
28
29
30
31
32
Output: a curve E modulo p and a point G on E of order r, or a message “wrong order.”
1.
2.
3.
Select an integer  with 0 <  < p.
If D = 1 then set a  a0 mod p and b  0.
If D = 3 then set a  0 and b  b0 mod p.
Otherwise, set a  a0 2 mod p and b  b0 3 mod p.
Look for a point G of order r on the curve
y2  x3 + ax + b (mod p)
33
34
35
36
The resulting
via A.11.3.
4.
If the output of A.11.3 is “wrong order” then output the message “wrong order” and stop.
45
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
5.
Output the coefficients a, b and the point G.
2
3
4
5
6
7
8
9
10
11
12
13
14
15
The method of selecting  in the first step of this algorithm depends on the kind of coefficients desired.
Two examples follow.
16
A.10.5.
17
Constructing a Curve with Prescribed CM (binary case)
18
Input: a field GF (2m), a CM discriminant D for 2m, and the desired curve order u.
19
Output: a and b such that the elliptic curve
—
—
If D  1 or 3, and it is desired that a = –3 (see Annex A.10.4), then take  to be a solution of the
congruence a0 2  –3 (mod p), provided one exists. If one does not exist, or if this choice of  leads
to the message “wrong order,” then select another curve as follows. If p  3 (mod 4) and the result
was “wrong order,” then choose p –  in place of ; the result leads to a curve with a = –3 and the
right order. If no solution  exists, or if p  1 (mod 4), then repeat A.14.4.1 with another root of the
reduced class polynomial. The proportion of roots leading to a curve with a = –3 and the right order
is roughly one-half if p  3 (mod 4), and one-quarter if p  1 (mod 4).
If there is no restriction on the coefficients, then choose  at random. If the output is the message
“wrong order,” then repeat the algorithm until a set of parameters a, b G is obtained. This will
happen for half the values of , unless D = 1 (one-quarter of the values) or D = 3 (one-sixth of the
values).
Constructing a Curve and Point (binary case)
y2 + xy = x3 + ax2 + b
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
over GF (2m) has order u.
36
Example: If D = 942679, then
37
38
39
40
41
42
43
44
45
wD(t)  1 + t 2 + t 6 + t 10 + t 12 + t 13 + t 16 + t 17 + t 20 + t 22 + t 24 + t 27 + t 30 + t 33 + t 35 + t 36 + t 37 + t 41 + t 42 +
t 43 + t 45 + t 49 + t 51 + t 54 + t 56 + t 57 + t 59 + t 61 + t 65 + t 67 + t 68 + t 69 + t 70 + t 71 + t 72 + t 74 + t 75 + t 76 + t 82 +
t 83 + t 87 + t 91 + t 93 + t 96 + t 99 + t 100 + t 101 + t 102 + t 103 + t 106 + t 108 + t 109 + t 110 + t 114 + t 117 + t 119 + t 121 +
t 123 + t 125 + t 126 + t 128 + t 129 + t 130 + t 133 + t 134 + t 140 + t 141 + t 145 + t 146 + t 147 + t 148 + t 150 + t 152 + t 154 +
t 155 + t 157 + t 158 + t 160 + t 161 + t 166 + t 167 + t 171 + t 172 + t 175 + t 176 + t 179 + t 180 + t 185 + t 186 + t 189 + t 190 +
t 191 + t 192 + t 195 + t 200 + t 201 + t 207 + t 208 + t 209 + t 210 + t 211 + t 219 + t 221 + t 223 + t 225 + t 228 + t 233 + t 234 +
t 235 + t 237 + t 238 + t 239 + t 241 + t 242 + t 244 + t 245 + t 248 + t 249 + t 250 + t 252 + t 253 + t 255 + t 257 + t 260 + t 262 +
t 263 + t 264 + t 272 + t 273 + t 274 + t 276 + t 281 + t 284 + t 287 + t 288 + t 289 + t 290 + t 292 + t 297 + t 299 + t 300 + t 301 +
t 302 + t 304 + t 305 + t 306 + t 309 + t 311 + t 312 + t 313 + t 314 + t 317 + t 318 + t 320 + t 322 + t 323 + t 325 + t 327 + t 328 +
1.
2.
3.
4.
5.
6.
7.
Compute w (t)  wD(t) mod 2 via A.13.3.
Use A.14.3.1 to find the smallest divisor d of m greater than (log2 D) – 2 such that D is a CM
discriminant for 2d.
Compute p (t) := a degree d factor modulo 2 of w (t). (If d = h, then p (t) is just w (t) itself. If d < h,
p(t) is found via A.5.4.)
Compute  := a root in GF (2m) of p (t) = 0 via A.5.6.
If 3 divides D
then set b  
else set b   3
If u is divisible by 4, then set a  0
else if m is odd, then set a  1
else generate (by trial and error using A.4.5) a random element a  GF (2m) of trace 1.
Output (a, b).
46
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
2
3
4
5
6
7
8
9
t 329 + t 333 + t 335 + t 340 + t 341 + t 344 + t 345 + t 346 + t 351 + t 353 + t 354 + t 355 + t 357 + t 358 + t 359 + t 360 + t 365 +
t 366 + t 368 + t 371 + t 372 + t 373 + t 376 + t 377 + t 379 + t 382 + t 383 + t 387 + t 388 + t 389 + t 392 + t 395 + t 398 + t 401 +
t 403 + t 406 + t 407 + t 408 + t 409 + t 410 + t 411 + t 416 + t 417 + t 421 + t 422 + t 423 + t 424 + t 425 + t 426 + t 429 + t 430 +
t 438 + t 439 + t 440 + t 441 + t 442 + t 443 + t 447 + t 448 + t 450 + t 451 + t 452 + t 453 + t 454 + t 456 + t 458 + t 459 + t 460 +
t 462 + t 464 + t 465 + t 466 + t 467 + t 471 + t 473 + t 475 + t 476 + t 481 + t 482 + t 483 + t 484 + t 486 + t 487 + t 488 + t 491 +
t 492 + t 495 + t 496 + t 498 + t 501 + t 503 + t 505 + t 507 + t 510 + t 512 + t 518 + t 519 + t 529 + t 531 + t 533 + t 536 + t 539 +
t 540 + t 541 + t 543 + t 545 + t 546 + t 547 + t 548 + t 550 + t 552 + t 555 + t 556 + t 557 + t 558 + t 559 + t 560 + t 563 + t 565 +
t 566 + t 568 + t 580 + t 585 + t 588 + t 589 + t 591 + t 592 + t 593 + t 596 + t 597 + t 602 + t 604 + t 606 + t 610 + t 616 + t 620
(mod 2).
10
This polynomial factors into 4 irreducibles over GF (2), each of degree 155. One of these is
11
12
13
14
p(t) = 1 + t + t 2 + t 6 + t 9 + t 10 + t 11 + t 13 + t 14 + t 15 + t 16 + t 18 + t 19 + t 22 + t 23 + t 26 + t 27 + t 29 + t 31 + t 49 +
t 50 + t 51 + t 54 + t 55 + t 60 + t 61 + t 62 + t 64 + t 66 + t 70 + t 72 + t 74 + t 75 + t 80 + t 82 + t 85 + t 86 + t 88 + t 89 + t 91 +
t 93 + t 97 + t 101 + t 103 + t 104 + t 111 + t 115 + t 116 + t 117 + t 118 + t 120 + t 121 + t 123 + t 124 + t 126 + t 127 + t 128 + t 129
+ t 130 + t 131 + t 132 + t 134 + t 136 + t 137 + t 138 + t 139 + t 140 + t 143 + t 145 + t 154 + t 155.
15
If t is a root of p(t), then the curve
y 2+xy = x 3 + t 3
16
17
over GF (2155) has order 4r, where r is the prime
r = 11417981541647679048466230373126290329356873447.
18
19
Choosing the Curve and Point (binary case)
20
Input: a field size GF (2m), an appropriate D, the corresponding k and r from A.14.3.2.
21
22
23
24
25
Output: a curve E over GF (2m) and a point G on E of order r.
26
27
A.11. Pairing-Friendly Elliptic Curves
1.
2.
3.
Compute a and b via A.14.5.1 with u = kr.
Find a point G of order r via A.11.3.
Output the coefficients a, b and the point G.
The general equation of an elliptic curve is
28
29
y2 + a1xy +a3y = x3 +a2x2 +a4x + a6
If we let p denote the characteristic of K, the equation can be simplified for different values of p. If p > 3
y2 = x3 + ax + b, where 4a3 + 27b2 ≠ 0.
30
31
If E is supersingular and p = 3
y2 = x3 + ax + b, where b ≠ 0.
32
33
If E is supersingular and p = 2
34
y2 + cy = x3 + ax + b, where c ≠ 0.
35
36
To be useful for pairing-based cryptography a notion of ‘pairing-friendly’ curves has become established
and this may be formalized by the following conditions. First we define the embedding degree of E with
47
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
2
respect to r be defined as the smallest integer k such that r | qk – 1. Then an elliptic curve is pairing-friendly
if:
3
There is a prime r | #E (GF (q)) such that r > q
4
k < log2(r) /8
5
6
7
8
9
A.11.1.
Curve Families
All the curves we consider are defined over a finite field K = GF (q). For cryptographic use we also need a
suitable subgroup of E(K) of size r. If #E(K) is the order of the group of points of E lying in K, the trace t
of E/K is t = q + 1 - #E(K). Note that r | #E(K) and for h = #E(K) / r we define GT to be the subgroup of
order r of GF(ph).
10
11
The search for, and analysis of, pairing-friendly curves has led to a grouping of curves into families, which
can often be described by equations in the parameters t, r, and q.
12
13
If k is the embedding degree of E, we let  be the size of the maximal twist of E, which we denote E'. Note
that  | k so we define the degree of the twist to be d = k/.
14
Curves may then be classified as follows:
15
E1 = E(GF(p))
16
E2 = E(GF(pk))
17
E3 = E'(GF(pd))
18
Note that for E2, r | pk – 1 and for E3, r | #E'(GF(pd))
19
20
A.11.2.
21
22
Super-Singular Curves with Embedding Degree 2
23
E1: y2 + y = x3 +x where s is even and Tr  ≠ 0
24
E2: y2 + y = x3 where s is odd.
25
In fields of prime characteristic q = p > 3 supersingular curves with k = 2 can be defined by:
26
If q ≡ 3 (mod 4), y2 = x3 + ax, where –a  (GF× (q))2 [define]
27
If q ≡ 5 (mod 6), y2 = x3 + b
28
If q ≡ 1 (mod 12), curves may be computed by:
29
Input: q
30
Output: An elliptic curve E parameterized in integers m and c
Super-Singular Curves
Supersingular curves have embedding degree k  {1, 2, 3, 4, 6}. Those with k = 1 are not pairing-friendly
In fields GF (2s) or GF (3s) of characteristic 2 or 3, curves with k = 2 are of the form
48
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
1)
Find D, the smallest prime such that D ≡3 (mod 4) and (-D / q) = -1
2
2)
Compute HD of Q ((-D)) using algm [ref. Cohen]
3
4
5
3)
Compute aj  GF (q) of HD (mod q)
4)
Set m = j / (1728 – j)
5)
Return E: y2 = x3 + 3mc2x + 2mc3 for any c
6
7
Super-Singular Curves with Embedding Degree 3
8
E: y2 = x3 +  where  is a non-cubic polynomial in x.
9
For s = 2 and p ≡ 2 (mod 3) the curves are parameterized by t, r, and s
Supersingular curves with embedding degree 3 over fields GF (ps) of characteristic p > 3 are of the form
10
t(x) = -3x + 1,
r(x) = 9x2 – 3x + 1.
q(x) = (3x – 1)2
t(x) = 3x - 1,
r(x) = 9x2 – 3x + 3,
q(x) = (3x – 1)2
11
or
12
Supersingular curves with embedding degree 3 over fields GF (2s) of characteristic 2 are of the form
13
E: y2 + (j)y = x3 +  where j  {1,2},  is a non-cube in x and  = 0 or Tr (-2j) = 1 for j  {1,2}.
14
15
16
Super-Singular Curves with Embedding Degree 4
17
E1: y2 + y = x3 + x and E2: y2 + y = x3 + x + 1
18
For E1 some suitable values for s are 283 and 557 [Check these and use and algm, if possible]
19
20
For E2 some suitable values for s are 163, 239, 241, 283, 353, 367 and 457 [Can we define an algm to find
these?]
21
22
Super-Singular Curves with Embedding Degree 6
23
E: y2 = x3 – x  d where d  GF (q) with “Tr_Fq/Fs d = 1” [define]
24
For y2 = x3 – x -1 some suitable values for s are 163, 193, 239, 317 and 353
25
26
27
A.11.3.
28
Input: k = 3, 4, or 6, a maximal cofactor cmax, and the maximum discriminant Dmax
29
Output: GF(q), and elliptic curve E such that |E(GF(q))| = cl where c ≤ cmax and l is prime
30
There are only two forms of supersingular curve with k = 4 and they only exist over field of characteristic
2.
Supersingular curves with k = 6 only exist over fields of characteristic 3, i.e. GF (3s) and have the form
MNT Curves
The Miyaji, Nakabayashi and Takano (MNT) technique for finding ordinary pairing-friendly curves relies
on the complex multiplication technique (ref.)
1.
λ ← -2k/2 + 4
49
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
2.
For c from 1 to cmax do
2
i.
For c' from 1 to 4c – 1 do
3
a.
nk ← λc + c'
4
b.
m ← 4c – c'
5
c.
fk ← nk2 – m2
6
d.
for squarefree D = 1 to Dmax do
7
1.
r ← c'mD
8
2.
for each solution of y2 – rv2 = fk do
9
i.
t ← (y – nk)/m + 1
10
ii.
l ← Φk(t – 1) / c'
11
iii.
q ← cl + t – 1
12
iv.
if tℤ, l is prime and q is prime,
13
v.
return q, and E computed by (ref A13.4 (modified?), using p = q, t, D)
14
3.
return ‘fail’
15
16
A.11.4.
Cocks-Pinch Curves
17
Output: GF(q), and elliptic curve E
Input: k, D squarefree
D
 1
 r 
18
1.
Choose a prime r such that k | r – 1 and 
19
2.
Find z a kth root of unity in (ℤ/rℤ)×
20
3.
t' ← z + 1
21
4.
y' ← (t'-2)/(-D) (mod r)
22
5.
Choose t  ℤ such that t ≡ t' (mod r)'
23
6.
Choose y  ℤ such that y ≡ y' (mod r)'
24
7.
q ← (t2 + Dy2)/4
25
8.
if q is prime and an integer and D ≤ 1012, construct E by (ref A13.4 (modified?), using p = q, D)
50
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
2
A.11.5.
BN Curves
Barreto Naehrig Curves are of the form E: y2 = x3+b, parameterised by
3
r(x) = 36x4 - 36x3 + 18x2 - 6x + 1
4
q(x) = 36x4 - 36x3 + 24x2 - 6x + 1
5
t(x) = 6x2 + 1
6
7
where r and q are both prime. For such curves, k = 12. To find a BN curve, choose random values for x
until r and q are both prime then choose b  GF(q) such that #E(GF(p)) = r.
8
A.11.6.
KSS Curves
9
10
11
12
A.12. Pairings
13
14
15
A.12.1.
16
17
Type 1 (E Supersingular)
18
19
Type 2 (E Ordinary)
20
G2 = a subgroup of E2 of order r
21
Note that G2 ≠ G1 nor an image of a subgroup of E3.
22
23
Type 3 (E Ordinary)
24
G2 = a subgroup of E3 of order r
25
26
A.12.2.
27
All pairing algorithms defined here are based on the Miller algorithm [ref]. Optimizations, e.g. for specific
curves, are usually not listed; these may be applied as appropriate provided the resulting algorithm
produces identical results to the one given.
Pairing Types
Pairings may be classified into 3 different types according to the curve types (see A.11.1) they are defined
upon. In all cases there is a map ζ:G2 → E2 and the Miller loop is always applied to ζ(Q).
G1 = G2 = a subgroup of E1 of order r
G1 = a subgroup of E1 of order r
G1 = a subgroup of E1 of order r
The Miller Loop
The Miller Loop is a function,
fQ',t(P)
28
where P  G1, Q' = ζ(Q)  E2.
29
The basic algorithm is as follows:
51
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
2
3
[Nb. It is probably worth defining a general line function and restricting ourselves to even k, we may
also wish to refine the basic Miller function below, e.g. to reflect the more common implantation in
Tate algorithms etc.]
4
Input: a prime t > 2; a curve E; finite points Q', P on E with tQ' = tP = O , a line function lA,B(V).
5
6
7
8
9
10
11
12
13
14
15
16
17
Output: the Miller function fQ',t(P).
18
A.12.3.
19
The Weil pairing is a function of pairs P, Q of points on an elliptic curve E. It is defined as [check]
1.
2.
3.
4.
5.
6.
7.
where 2 | k and P, Q have order r
Given three points (x0, y0), (x1, y1), (u, v) on E, define the function g ((x0, y0), (x1, y1), (u, v)) by
u  x1
if x0  x1 and y0   y1
 2
if x0  x1 and y0  y1
(3x1  a )( u  x1 )  2 y1( v  y1 )
( x  x )v  ( y  y )u  ( x y  x y ) if x  x
0
1
0 1
1 0
0
1
 0 1
if E is the curve y2 = x3 + ax + b over GF (p), and
26
u  x1
if x 0  x1 and y 0  x1  y1
 3
2
if x 0  x1 and y 0  y1
 x1  ( x1  y1 )u  x1v
( x  x )v  ( y  y )u  ( x y  x y ) if x  x
1
0
1
0 1
1 0
0
1
 0
27
31
32
( p k 1) / r
Let t > 2 be prime, and let P and Q be points on E with tP = tQ = O. The following procedure computes the
Weil pairing.
25
28
29
30
The Weil Pairing
 f p ,r (Q' ) 

e( P, Q)  
 f ( P) 
 Q ',r

20
21
22
23
24
Set A  Q', B  Q', f  1, n  t.
Set n  n / 2.
Set f  lB,B (P) n  f.
Set B  2B.
If n is odd then
5.1 If n = 1
then f  lA,-A (P)  f
else f  lA,B (P)  f.
5.2 Set A  A + B.
If n > 1 then go to Step 2.
Output f.
if E is the curve y2 + xy = x3 + ax2 + b over GF (2m).
—
Given points A, B, C on E, let
lA,B (C):= g(A, B, C) / g(A + B, – A – B, C).
52
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
2
3
4
5
—
Given points R and S on E, let
j (R, S) := fR,l (S) / fS,l (R) from A.12.2.
—
Given points P and Q on E with lP = lQ = O, the Weil pairing <P, Q> is computed as follows:
Choose random points T, U on E and let
V = P + T,
6
7
W = Q + U.
Then
<P, Q> = j (T, U) j (U, V) j (V, W) j (W, T).
8
9
10
If, in evaluating <P, Q>, one encounters g((x0, y0), (x1, y1), (u, v)) = 0, then the calculation fails. In this
(unlikely) event, repeat the calculation with newly chosen T and U.
11
12
In the case t = 2, the Weil pairing is easily computed as follows: <P, Q> equals 1 if P = Q and –1
otherwise.
13
Define <P, O> =1 for all points P.
14
15
A.12.4.
Tate
The (reduced) Tate Pairing is defined as:
e: E(GF(p))[r] × E’(GF(pε)[r]  GF*(pk)[r]
16
such that e( P, Q)  f P ,r (Q' )
17
( p k 1) / r
18
The line function l used in the construction of the Tate pairing algorithm is
19
Input A, B  E(GF(p))[r], Q  E(GF(pk))[r]
20
Output: lA,B(Q)
21
22
23
24
25
26
27
1)
If A = -B,
Return Qx – Ax
2)
If A = B,
Set λ = 3Ax2 / 2Ay
3)
Else
Set λ = (By – Ay) / (Bx – Ax)
4)
Return λ(Qx – Ax) + Ay - Qy
28
[Proposal: Define this generally in terms of the Miller loop and a generic line function]
29
The Tate pairing may then be computed by the following:
30
Input: P  E(GF(p))[r], Q  E’(GF(pε)[r], k the k-th cyclotomic polynomial
31
Output: e(P,Q)
53
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
1
2
1)
Set T  P, f  1
2)
Let s = r – 1
3
3)
Loop for i = (lg(s)) – 1 down to 0
4
i.
Set f  f.2lT,T(Q)
5
6
ii.
Set T  2T
iii.
If si (the ith bit, 0-relative, of s) = 1 then,
7
a.
Set f  f.lT,P(Q)
8
9
10
b.
Set T  T + P
4)
End loop
11
5)
Set
f f
12
6)
Set
f  f ( p 1) / k ( p )
13
7)
Set
f  f k ( p ) / r
14
8)
Return f
iv.
End if
p 1

15
16
A.12.5.
Eta
17
A.12.6.
18
19
The Ate pairing may be computed by reversing the roles of P and Q in the Tate pairing, giving the
following:
[TBA]
Ate
e( P, Q)  f Q ',t 1 ( P) ( p
20
k
1) / r
where t is the trace of E/K
21
[Proposal: Define this generally in terms of the Miller loop and a generic line function]
22
Input: P  E(GF(pε))[r], Q  E(GF(p)[r], k the k-th cyclotomic polynomial
23
Output: e(P,Q)
24
25
1)
Set T  P, f  1
2)
Let s = t – 1
26
3)
Loop for i = (lg(s)) – 1 down to 0
27
v.
Set f  f.2lT,T(Q)
28
29
vi.
Set T  2T
vii.
If si (the ith bit, 0-relative, of s) = 1 then,
30
a.
Set f  f.lT,P(Q)
54
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
Set T  T + P
1
2
3
4)
End loop
4
5)
Set
f f
5
6)
Set
f  f ( p 1) / k ( p )
6
7)
Set
f  f k ( p ) / r
7
8
8)
Return f
b.
viii.
End if
p 1

9
10
A.12.7.
R-Ate
11
A.13. Choosing a Curve and Pairing
12
13
A.13.1.
14
A.13.2.
[TBA]
Recommended Security Parameters
Discuss rho and k and present results / suggestions in a table
Pairing
Curve-Pairing Compatibility
Curve Family
Super-Singular
MNT
CP
BN
KSS
Weil




?
Tate




?
Eta




?
Ate


?

?
R-Ate

?
?


15
16
55
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
Related documents
Sample Exam #1
Sample Exam #1
CMPSYSENG 1&2 PC PRO LESSON PLAN 6TH PER WEEK OF
CMPSYSENG 1&2 PC PRO LESSON PLAN 6TH PER WEEK OF
MOONEY N66ET SPECS
MOONEY N66ET SPECS
Variables Assessment
Variables Assessment
sma 2203 number theory
sma 2203 number theory
Exercise-skr5200
Exercise-skr5200
docx - Laney College
docx - Laney College
exam2-review
exam2-review
INSTRUCTIONAL POLICY - Tennessee School for the Blind
INSTRUCTIONAL POLICY - Tennessee School for the Blind
Lecture 8
Lecture 8
Download