Certicom ECC Challenge Elliptic Curves over F2m

3.1 Elliptic curves over F₂m - format and examples

3.1.1 The finite field F₂m
3.1.2 Elliptic curves over F₂m
3.1.3 Format for challenge parameters (the F₂m case)
3.2.4 Random elliptic curves and points (the F₂m case)

3.1.1 The finite field F₂m

There are many ways to represent the elements of a finite field with 2^m elements. The particular method used in this challenge is called a polynomial basis representation. Let

f(x) = x^m + f_m_-1x^m^-1 + f_m_-2x^m^-2 + ... + f₂x² + f₁x + f₀

(where f_i {0,1} for i = 0, 1, ..., m-1) be an irreducible polynomial of degree m over F₂ . That is, f(x) cannot be factored as a product of two polynomials over F₂, each of degree less than m. The polynomial f(x) is called the reduction polynomial.

The finite field F₂m is comprised of all polynomials over F₂ of degree less than m:

F₂m = {a_m_-1x^m^-1 + a_m_-2x^m^-2+ . . . + a₁x + a₀ :a_i {0,1}}.

The field element a_m_-1x^m^-1 + a_m_-2x^m^-2+ . . . + a₁x + a₀ is usually denoted by the binary string (a_m_-1 a_m_-2 ... a₁ a₀) of length m, so that

F₂m = {(a_m_-1 a_m_-2 ... a₁ a₀) : a_i {0,1}}.

Thus the elements of F₂m can be represented by the set of all binary strings of length m. The multiplicative identity element (1) is represented by the bit string (00 . . . 01), while the zero element is represented by the bit string of all 0's.

The following arithmetic operations are defined on the elements of F₂m:

Addition: If a = (a_m_-1 a_m_-2 ... a₁ a₀) and b = (b_m_-1 b_m_-2 ... b₁ b₀) are elements of F₂m, then a + b = c = (c_m_-1 c_m_-2 ... c₁ c₀) where c_i = (a_i + b_i) mod 2. That is, field addition is performed bitwise.
Multiplication: If a = (a_m_-1 a_m_-2 ... a₁ a₀) and b = (b_m_-1 b_m_-2 ... b₁ b₀) are elements of F₂m, then a ^. b = r = (r_m_-1 r_m_-2 ... r₁ r₀) where the polynomial r_m_-1x^m^-1 + r_m_-2x^m^-2 + ... + r₁x + r₀is the remainder when the polynomial

(a_m_-1x^m^-1 + a_m_-2x^m^-2+ . . . + a₁x + a₀) ^. (b_m_-1x^m^-1 + b_m_-2x^m^-2+ . . . + b₁x + b₀)

is divided by f(x) over F₂.

Inversion: If a is a non-zero element in F₂m, the inverse of a, denoted a^-1, is the unique element c F₂m for which a ^.c = 1.

Example (The finite field F₂4)

Let f(x) = x⁴ + x + 1 be the reduction polynomial. Then the elements of F₂4 are:

(0000) (1000) (0100) (1100) (0010) (1010) (0110) (1110)
(0001) (1001) (0101) (1101) (0011) (1011) (0111) (1111)

Examples of the arithmetic operations in F₂4 are:

(1101) + (1001) = (0100).

(1101) ^.(1001) = (1111).

(1101)^-1 = (0100)

3.1.2 Elliptic curves over F₂m

A (non-supersingular) elliptic curve E(F₂m) over F₂m defined by the parameters a, b F₂m , b 0, is the set of all solutions (x, y), x, y F₂m , to the equation

y² + xy = x³ + ax² + b,

together with an extra point O, the point at infinity. The set of points E(F₂m) forms a group with the following addition rules:

1. O + O = O .

2. (x, y) + O = O + (x, y) = (x, y) for all (x, y) E(F₂m).

3. (x, y) + (x, x + y) = O for all (x, y) E(F₂m) (i.e., the negative of the point (x, y) is -(x, y) = (x, x + y)).

4. (Rule for adding two distinct points that are not inverses of each other)

Let P = (x₁, y₁) E(F₂m) and Q = (x₂, y₂) E(F₂m) be two points such that x₁ x₂. Then P + Q = (x₃, y₃), where

x₃ = ² + + x₁ + x₂ + a,

y₃ = (x₁ + x₃) + x₃ + y₁, and

= ( y₂+ y₁) / (x₂ + x₁).

5. (Rule for doubling a point)

Let P = (x₁, y₁) E(F₂m) be a point with x₁ 0. (If x₁ = 0, then P = -P and so 2P = O.) Then 2P = (x₃, y₃), where

x₃ = ² + + a,

y₃= x₁²+ ( + 1)x₃, and

= x₁ + ( y₁ / x₁) .

Example (An elliptic curve over F₂4)

Consider the finite field F₂4 defined by the reduction polynomial f(x) = x⁴ + x + 1.
y² + xy = x³ + (0011)x² + (0001) is an equation for an elliptic curve E over F₂4. Here a = (0011) and b = (0001). The solutions over F₂4 to this equation are:

(0000,0001) (0001,1100) (0001,1101) (1000,0101) (1000,1101)
(0110,1000) (0110,1110) (1100,0101) (1100,1001) (1010,0111)
(1010,1101) (0111,0010) (0111,0101) (1111,0000) (1111,1111)

E(F₂4) has 16 points, including the point at infinity O . The following are examples of the addition law:

(1100, 0101) + (1000, 1101) = (0001, 1101).

2(1100, 0101) = (0111, 0101).

3.1.3 Format for challenge parameters (the F₂m case)

This subsection describes the conventions used for representing the challenge parameters for elliptic curves over F₂m. Two types of elliptic curves over F₂m are included in the challenge: random curves and Koblitz curves.

Koblitz curves over F₂m are special types of elliptic curves E defined over F₂ which have exactly 2 points in E(F₂). They were first proposed for use in elliptic curve cryptography by Koblitz [Koblitz2]; see also [Solinas].

Apart from the -fold speed-up that can be obtained with the improved parallelized rho method (see Section 2.2), there have not been any mathematical discoveries to date to suggest that the ECDLP for randomly generated elliptic curves is any easier or harder than the ECDLP for Koblitz curves.

Challenge parameters (random curves)

m - the order of the finite field is 2^m .
f(x) - the reduction polynomial which defines the polynomial basis representation of F₂m.
seedE - the seed that was used to generate the parameters a and b (see Algorithm 1 in Section 3.1.4).
a, b - the field elements which define the elliptic curve E : y² + xy = x³ + ax² + b.
seedP - the seed that was used to generate the point P (see Algorithm 3 in Section 3.1.4).
x_P , y_P - the x- and y-coordinates of the base point P.
n - the order of the point P; n is a prime number.
h - the co-factor h (the number of points in E(F₂m) divided by n).
seedQ - the seed that was used to generate the point Q (see Algorithm 3 in Section 3.1.4).
x_Q , y_Q- the x- and y-coordinates of the public key point Q.

Challenge parameters (Koblitz curves)

m - the order of the finite field is 2^m .
f(x) - the reduction polynomial which defines the polynomial basis representation of F₂m.
a, b - the field elements which define the elliptic curve E : y² + xy = x³ + ax² + b.
seedP - the seed that was used to generate the point P (see Algorithm 3 in Section 3.1.4).
x_P , y_P - the x- and y-coordinates of the base point P.
n - the order of the point P; n is a prime number.
h - the co-factor h (the number of points in E(F₂m) divided by n).
seedQ - the seed that was used to generate the point Q (see Algorithm 3 in Section 3.1.4).
x_Q , y_Q- the x- and y-coordinates of the public key point Q.

Data formats

Integers are represented in hexadecimal, the rightmost bit being the least significant bit. Example: The decimal integer 123456789 is represented in hexadecimal as 075BCD15.
Field elements (of F₂m) are represented in hexadecimal, padded with 0's on the left. Example: Suppose m = 23. The field element a= x²² + x²¹ + x¹⁹ + x¹⁷ + x⁵ +1 is represented in binary as (11010100000000000100001), or in hexadecimal as 006A0021.
Seeds for generating random elliptic curves and random elliptic curve points (see Section 3.1.4) are 160-bit strings and are represented in hexadecimal.

3.1.4 Random elliptic curves and points (the F₂m case)

This subsection describes the method that is used for verifiably selecting elliptic curves and points at random. The defining parameters of the elliptic curve or point are defined to be outputs of the one-way hash function SHA-1 (as specified in FIPS 180-1 [SHA-1]). The input seed to SHA-1 then serves as proof (under the assumption that SHA-1 cannot be inverted) that the elliptic curve or point were indeed generated at random.
The following notation is used: s = (m - 1) / 160 and h = m - 160 ^. s.

Algorithm 1: Generating a random elliptic curve over F₂m

Input: A field size q = 2^m .
Output: A 160-bit bit string seedE and field elements a, b F₂m which define an elliptic curve E over F₂m.

1. Choose an arbitrary bit string seedE of length 160 bits.

2. Compute H = SHA-1(seedE), and let b₀ denote the bit string of length h bits obtained by taking the h rightmost bits of H.

3. For i from 1 to s do:
Compute b_i = SHA-1((seedE + i) mod 2¹⁶⁰ ).

4. Let b be the field element obtained by the concatenation of b₀ , b₁ , ... , b_s as follows:

b = b₀ b₁ . . . b_s.

5. If b = 0 then go to step 1.

6. Let a be an arbitrary element of F₂m.
(Note: For a fixed b there are only two essentially different choices for a -- other values of a give rise to isomorphic elliptic curves. Hence the choice of a is essentially without loss of generality.)

7. The elliptic curve chosen over F₂m is

E: y² + xy = x³ + ax² + b.

8. Output(seedE, a, b).

Algorithm 2: Verifying that an elliptic curve was randomly generated

Input: A field size q = 2^m, a bit string seedE of length 160 bits, and field elements a, b F₂m which define an elliptic curve E: y² + xy = x³ + ax² + b over F₂m.
Output: Acceptance or rejection that E was randomly generated using Algorithm 1.

1. Compute H = SHA-1(seedE), and let b₀ denote the bit string of length h bits obtained by taking the h rightmost bits of H.

2. For i from 1 to s do:
Compute b_i = SHA-1((seedE + i) mod 2¹⁶⁰).

3. Let b' be the field element obtained by the concatenation of b₀ , b₁ , ... , b_s as follows:

b' = b₀ b₁ ... b_s.

4. If b = b' then accept; otherwise reject.

Algorithm 3: Generating a random elliptic curve point

Input: Field elements a, b F₂m which define an elliptic curve E: y² + xy = x³ + ax² + b over F₂m. The order of E(F₂m) is n ^. h, where n is a prime.
Output: A bit string seedP, a field element y_U, and a point P E(F₂m) of order n.

1. Choose an arbitrary bit string seedP of length 160 bits.

2. Compute H = SHA-1(seedP), and let x₀ denote the bit string of length h bits obtained by taking the h rightmost bits of H.

3. For i from 1 to s do:
Compute x_i = SHA-1((seedP + i) mod 2¹⁶⁰ ).

4. Let x_U be the field element obtained by the concatenation of x₀ , x₁ , ... , x_s as follows:

x_U = x₀ x₁ ... x_s.

5. If the equation y² + x_Uy = x_U³ + ax_U² + b does not have a solution y F₂m, then go to step 1.

6. Select an arbitrary solution y_U F₂m to the equation y² + x_Uy = x_U³ + ax_U² + b.
(Note: This equation will have either 1 or 2 distinct solutions. Hence the choice of y_U is essentially without loss of generality.)

7. Let U be the point (x_U , y_U).

8. Compute P = hU.

9. If P = O, then go to step 1.

10. Output(seedP, y_U , P).

Algorithm 4: Verifying that an elliptic curve point was randomly generated

Input: A field size q = 2^m, field elements a, b F₂m which define an elliptic curve E: y² + xy = x³ + ax² + b over F₂m, a bit string seedP of length 160 bits, a field element y_U F₂m, and an elliptic curve point P = (x_P , y_P). The order of E(F₂m) is n ^. h, where n is a prime.
Output: Acceptance or rejection that P was randomly generated using Algorithm 3.

1. Compute H = SHA-1(seedP), and let x₀ denote the bit string of length h bits obtained by taking the h rightmost bits of H.

2. For i from 1 to s do:
Compute x_i = SHA-1((seedP + i) mod 2¹⁶⁰).

3. Let x_U be the field element obtained by the concatenation of x₀ , x₁ , ... , x_s as follows:

x_U = x₀ x₁ ... x_s.

4. Let U be the point (x_U , y_U).

5. Verify that U satisfies the equation y² + xy = x³ + ax² + b .

6. Compute P' = hU.

7. If P P' then reject.

8. Accept.

Copyright © Certicom Corp., 1997-2000. All rights reserved.
Information subject to change. http://www.certicom.com