{\rtf1\ansi\ansicpg1252\uc1 \deff4\deflang1033\deflangfe1033{\fonttbl{\f0\froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\f1\fswiss\fcharset0\fprq2{\*\panose 020b0604020202020204}Arial;} {\f2\fmodern\fcharset0\fprq1{\*\panose 02070309020205020404}Courier New;}{\f3\froman\fcharset2\fprq2{\*\panose 05050102010706020507}Symbol;}{\f4\froman\fcharset0\fprq2{\*\panose 00000000000000000000}Times;} {\f5\fswiss\fcharset0\fprq2{\*\panose 00000000000000000000}Helvetica;}{\f6\fmodern\fcharset0\fprq1{\*\panose 00000000000000000000}Courier;}{\f7\fswiss\fcharset0\fprq2{\*\panose 00000000000000000000}Geneva{\*\falt Arial};} {\f8\froman\fcharset0\fprq2{\*\panose 00000000000000000000}Tms Rmn;}{\f9\fswiss\fcharset0\fprq2{\*\panose 00000000000000000000}Helv;}{\f10\froman\fcharset0\fprq2{\*\panose 00000000000000000000}MS Serif;} {\f11\fswiss\fcharset0\fprq2{\*\panose 00000000000000000000}MS Sans Serif;}{\f12\froman\fcharset0\fprq2{\*\panose 00000000000000000000}New York;}{\f13\fswiss\fcharset0\fprq2{\*\panose 00000000000000000000}System;} {\f14\fnil\fcharset2\fprq2{\*\panose 05000000000000000000}Wingdings;}{\f15\fdecor\fcharset0\fprq2{\*\panose 04020705040a02060702}Algerian;}{\f16\fswiss\fcharset0\fprq2{\*\panose 020b0604030504040204}Tahoma;} {\f17\fswiss\fcharset0\fprq2{\*\panose 00000000000000000000}AvantGarde;}{\f18\fnil\fcharset2\fprq2{\*\panose 00000000000000000000}Marlett;}{\f19\froman\fcharset2\fprq2{\*\panose 05050102010205020202}MT Extra;} {\f20\fswiss\fcharset0\fprq2{\*\panose 020b0506020202030204}Arial Narrow;}{\f21\fswiss\fcharset0\fprq2{\*\panose 020b0a04020102020204}Arial Black;}{\f22\froman\fcharset0\fprq2{\*\panose 02040602050305030304}Book Antiqua;} {\f23\froman\fcharset0\fprq2{\*\panose 02050604050505020204}Bookman Old Style;}{\f24\froman\fcharset0\fprq2{\*\panose 02040604050505020304}Century Schoolbook;}{\f25\fnil\fcharset2\fprq2{\*\panose 01010601010101010101}Monotype Sorts;} {\f26\froman\fcharset0\fprq2{\*\panose 00050102010706020507}Map Symbols;}{\f27\fswiss\fcharset0\fprq2{\*\panose 020b0706040902060204}Haettenschweiler;}{\f28\froman\fcharset0\fprq2{\*\panose 02020404030301010803}Garamond;} {\f29\fscript\fcharset0\fprq2{\*\panose 030f0702030302020204}Comic Sans MS;}{\f30\fscript\fcharset0\fprq2{\*\panose 03060802040406070304}Brush Script MT;}{\f31\fswiss\fcharset0\fprq2{\*\panose 020b0402020203020304}Century Gothic;} {\f32\fscript\fcharset0\fprq2{\*\panose 03010101010201010101}Monotype Corsiva;}{\f33\fswiss\fcharset0\fprq2{\*\panose 020e0602030304020304}Albertus Medium;}{\f34\fswiss\fcharset0\fprq2{\*\panose 020e0802040304020204}Albertus Extra Bold;} {\f35\fswiss\fcharset0\fprq2{\*\panose 020b0603020204030204}Antique Olive;}{\f36\fswiss\fcharset0\fprq2{\*\panose 020b0502050508020304}CG Omega;}{\f37\froman\fcharset0\fprq2{\*\panose 02020603050405020304}CG Times;} {\f38\froman\fcharset0\fprq2{\*\panose 02040706040705040204}Clarendon Condensed;}{\f39\fscript\fcharset0\fprq2{\*\panose 03030502040406070605}Coronet;}{\f40\fmodern\fcharset0\fprq1{\*\panose 020b0409020202030204}Letter Gothic;} {\f41\fscript\fcharset0\fprq2{\*\panose 03020702040402020504}Marigold;}{\f42\fswiss\fcharset0\fprq2{\*\panose 020b0603020202030204}Univers;}{\f43\fswiss\fcharset0\fprq2{\*\panose 020b0606020202060204}Univers Condensed;} {\f44\fnil\fcharset2\fprq2{\*\panose 05010101010101010101}WP MathExtendedB;}{\f45\fnil\fcharset2\fprq2{\*\panose 05010101010101010101}WP MathB;}{\f46\fnil\fcharset2\fprq2{\*\panose 05010101010101010101}WP MathExtendedA;} {\f47\fnil\fcharset2\fprq2{\*\panose 05010101010101010101}WP MathA;}{\f48\fswiss\fcharset0\fprq2{\*\panose 020e0702040304020204}Albertus;}{\f49\fswiss\fcharset0\fprq2{\*\panose 020b0904030504030204}Antique Olive Compact;} {\f50\froman\fcharset0\fprq2{\*\panose 02070603060706020303}Bodoni;}{\f51\froman\fcharset0\fprq2{\*\panose 02070a04080905020204}Bodoni Black;}{\f52\froman\fcharset0\fprq2{\*\panose 02040604040505020204}Clarendon;} {\f53\froman\fcharset0\fprq2{\*\panose 02040805050505020204}Clarendon Extended;}{\f54\fswiss\fcharset0\fprq2{\*\panose 020b0602020204020204}Gill Sans;}{\f55\fswiss\fcharset0\fprq2{\*\panose 020b0506020204020204}Gill Sans Condensed;} {\f56\fswiss\fcharset0\fprq2{\*\panose 020b0902020204020204}Gill Sans Extra Bold;}{\f57\fswiss\fcharset0\fprq2{\*\panose 020b0402020204020204}Gill Sans Light;}{\f58\froman\fcharset0\fprq2{\*\panose 02020502050305020303}Goudy Old Style;} {\f59\froman\fcharset0\fprq2{\*\panose 02040702050305020303}Goudy Old Style Extrabold;}{\f60\froman\fcharset0\fprq2{\*\panose 02060502020205020404}Graphos;}{\f61\fswiss\fcharset0\fprq2{\*\panose 020b0504020202050204}Metrostyle;} {\f62\fswiss\fcharset0\fprq2{\*\panose 020b0507020202060204}Metrostyle Extended;}{\f63\froman\fcharset0\fprq2{\*\panose 0208090404030b020404}Ozzie Black;}{\f64\froman\fcharset0\fprq2{\*\panose 02060608060706030204}Strider;} {\f65\fswiss\fcharset0\fprq2{\*\panose 020b0605030502020204}Univers Extended;}{\f66\fswiss\fcharset0\fprq2{\*\panose 020b0406020202050204}Univers Light Condensed;}{\f67\fnil\fcharset0\fprq2{\*\panose 00000000000000000000}Kerala;} {\f68\fswiss\fcharset0\fprq2{\*\panose 020b0806030902050204}Impact;}{\f69\fnil\fcharset2\fprq2{\*\panose 05000000000000000000}MS Outlook;}{\f70\fnil\fcharset0\fprq2{\*\panose 00000000000000000000}Deepa;} {\f71\fswiss\fcharset0\fprq2{\*\panose 020b0500000000000000}Formata Condensed;}{\f72\fswiss\fcharset0\fprq2{\*\panose 020b0500000000000000}Formata BoldCondensed;}{\f73\fswiss\fcharset0\fprq2{\*\panose 020b0500000000000000}Formata CondensedOutline;} {\f74\fswiss\fcharset0\fprq2{\*\panose 020b0500000000000000}Formata LightCondensed;}{\f75\froman\fcharset0\fprq2{\*\panose 00000000000000000000}Bookman;}{\f76\fswiss\fcharset0\fprq2{\*\panose 00000000000000000000}Helvetica-Narrow;} {\f77\froman\fcharset0\fprq2{\*\panose 00000000000000000000}NewCenturySchlbk;}{\f78\froman\fcharset0\fprq2{\*\panose 00000000000000000000}Palatino;}{\f79\froman\fcharset0\fprq2{\*\panose 00000000000000000000}ZapfChancery;} {\f80\fdecor\fcharset2\fprq2{\*\panose 00000000000000000000}ZapfDingbats;}{\f81\froman\fcharset186\fprq2{\*\panose 00000000000000000000}Goudy Old Style Extrabold Balti;}{\f82\fdecor\fcharset2\fprq2{\*\panose 04000600000000000000}Manorama;} {\f83\fswiss\fcharset0\fprq2{\*\panose 020b0604030504040204}Verdana;}{\f84\froman\fcharset2\fprq2{\*\panose 05030102010509060703}Webdings;}{\f181\fswiss\fcharset238\fprq2 Tahoma CE;}{\f182\fswiss\fcharset204\fprq2 Tahoma Cyr;} {\f184\fswiss\fcharset161\fprq2 Tahoma Greek;}{\f185\fswiss\fcharset162\fprq2 Tahoma Tur;}{\f186\fswiss\fcharset186\fprq2 Tahoma Baltic;}{\f205\fswiss\fcharset238\fprq2 Arial Narrow CE;}{\f206\fswiss\fcharset204\fprq2 Arial Narrow Cyr;} {\f208\fswiss\fcharset161\fprq2 Arial Narrow Greek;}{\f209\fswiss\fcharset162\fprq2 Arial Narrow Tur;}{\f210\fswiss\fcharset186\fprq2 Arial Narrow Baltic;}{\f211\fswiss\fcharset238\fprq2 Arial Black CE;}{\f212\fswiss\fcharset204\fprq2 Arial Black Cyr;} {\f214\fswiss\fcharset161\fprq2 Arial Black Greek;}{\f215\fswiss\fcharset162\fprq2 Arial Black Tur;}{\f216\fswiss\fcharset186\fprq2 Arial Black Baltic;}{\f223\froman\fcharset238\fprq2 Bookman Old Style CE;} {\f224\froman\fcharset204\fprq2 Bookman Old Style Cyr;}{\f226\froman\fcharset161\fprq2 Bookman Old Style Greek;}{\f227\froman\fcharset162\fprq2 Bookman Old Style Tur;}{\f228\froman\fcharset186\fprq2 Bookman Old Style Baltic;} {\f253\froman\fcharset238\fprq2 Garamond CE;}{\f254\froman\fcharset204\fprq2 Garamond Cyr;}{\f256\froman\fcharset161\fprq2 Garamond Greek;}{\f257\froman\fcharset162\fprq2 Garamond Tur;}{\f258\froman\fcharset186\fprq2 Garamond Baltic;} {\f271\fswiss\fcharset238\fprq2 Century Gothic CE;}{\f275\fswiss\fcharset162\fprq2 Century Gothic Tur;}{\f276\fswiss\fcharset186\fprq2 Century Gothic Baltic;}{\f277\fscript\fcharset238\fprq2 Monotype Corsiva CE;} {\f281\fscript\fcharset162\fprq2 Monotype Corsiva Tur;}{\f283\fswiss\fcharset238\fprq2 Albertus Medium CE;}{\f287\fswiss\fcharset162\fprq2 Albertus Medium Tur;}{\f288\fswiss\fcharset186\fprq2 Albertus Medium Baltic;} {\f289\fswiss\fcharset238\fprq2 Albertus Extra Bold CE;}{\f293\fswiss\fcharset162\fprq2 Albertus Extra Bold Tur;}{\f294\fswiss\fcharset186\fprq2 Albertus Extra Bold Baltic;}{\f295\fswiss\fcharset238\fprq2 Antique Olive CE;} {\f299\fswiss\fcharset162\fprq2 Antique Olive Tur;}{\f300\fswiss\fcharset186\fprq2 Antique Olive Baltic;}{\f301\fswiss\fcharset238\fprq2 CG Omega CE;}{\f305\fswiss\fcharset162\fprq2 CG Omega Tur;}{\f306\fswiss\fcharset186\fprq2 CG Omega Baltic;} {\f307\froman\fcharset238\fprq2 CG Times CE;}{\f311\froman\fcharset162\fprq2 CG Times Tur;}{\f312\froman\fcharset186\fprq2 CG Times Baltic;}{\f313\froman\fcharset238\fprq2 Clarendon Condensed CE;}{\f317\froman\fcharset162\fprq2 Clarendon Condensed Tur;} {\f318\froman\fcharset186\fprq2 Clarendon Condensed Baltic;}{\f319\fscript\fcharset238\fprq2 Coronet CE;}{\f323\fscript\fcharset162\fprq2 Coronet Tur;}{\f325\fmodern\fcharset238\fprq1 Letter Gothic CE;}{\f329\fmodern\fcharset162\fprq1 Letter Gothic Tur;} {\f330\fmodern\fcharset186\fprq1 Letter Gothic Baltic;}{\f331\fscript\fcharset238\fprq2 Marigold CE;}{\f335\fscript\fcharset162\fprq2 Marigold Tur;}{\f337\fswiss\fcharset238\fprq2 Univers CE;}{\f341\fswiss\fcharset162\fprq2 Univers Tur;} {\f342\fswiss\fcharset186\fprq2 Univers Baltic;}{\f343\fswiss\fcharset238\fprq2 Univers Condensed CE;}{\f347\fswiss\fcharset162\fprq2 Univers Condensed Tur;}{\f348\fswiss\fcharset186\fprq2 Univers Condensed Baltic;} {\f373\fswiss\fcharset238\fprq2 Albertus CE;}{\f377\fswiss\fcharset162\fprq2 Albertus Tur;}{\f378\fswiss\fcharset186\fprq2 Albertus Baltic;}{\f379\fswiss\fcharset238\fprq2 Antique Olive Compact CE;} {\f383\fswiss\fcharset162\fprq2 Antique Olive Compact Tur;}{\f384\fswiss\fcharset186\fprq2 Antique Olive Compact Baltic;}{\f385\froman\fcharset238\fprq2 Bodoni CE;}{\f389\froman\fcharset162\fprq2 Bodoni Tur;}{\f390\froman\fcharset186\fprq2 Bodoni Baltic;} {\f391\froman\fcharset238\fprq2 Bodoni Black CE;}{\f395\froman\fcharset162\fprq2 Bodoni Black Tur;}{\f396\froman\fcharset186\fprq2 Bodoni Black Baltic;}{\f397\froman\fcharset238\fprq2 Clarendon CE;}{\f401\froman\fcharset162\fprq2 Clarendon Tur;} {\f402\froman\fcharset186\fprq2 Clarendon Baltic;}{\f403\froman\fcharset238\fprq2 Clarendon Extended CE;}{\f407\froman\fcharset162\fprq2 Clarendon Extended Tur;}{\f408\froman\fcharset186\fprq2 Clarendon Extended Baltic;} {\f409\fswiss\fcharset238\fprq2 Gill Sans CE;}{\f413\fswiss\fcharset162\fprq2 Gill Sans Tur;}{\f414\fswiss\fcharset186\fprq2 Gill Sans Baltic;}{\f415\fswiss\fcharset238\fprq2 Gill Sans Condensed CE;} {\f419\fswiss\fcharset162\fprq2 Gill Sans Condensed Tur;}{\f420\fswiss\fcharset186\fprq2 Gill Sans Condensed Baltic;}{\f421\fswiss\fcharset238\fprq2 Gill Sans Extra Bold CE;}{\f425\fswiss\fcharset162\fprq2 Gill Sans Extra Bold Tur;} {\f426\fswiss\fcharset186\fprq2 Gill Sans Extra Bold Baltic;}{\f427\fswiss\fcharset238\fprq2 Gill Sans Light CE;}{\f431\fswiss\fcharset162\fprq2 Gill Sans Light Tur;}{\f432\fswiss\fcharset186\fprq2 Gill Sans Light Baltic;} {\f433\froman\fcharset238\fprq2 Goudy Old Style CE;}{\f437\froman\fcharset162\fprq2 Goudy Old Style Tur;}{\f438\froman\fcharset186\fprq2 Goudy Old Style Baltic;}{\f439\froman\fcharset238\fprq2 Goudy Old Style Extrabold CE;} {\f443\froman\fcharset162\fprq2 Goudy Old Style Extrabold Tur;}{\f444\froman\fcharset186\fprq2 Goudy Old Style Extrabold Baltic;}{\f445\froman\fcharset238\fprq2 Graphos CE;}{\f449\froman\fcharset162\fprq2 Graphos Tur;} {\f450\froman\fcharset186\fprq2 Graphos Baltic;}{\f451\fswiss\fcharset238\fprq2 Metrostyle CE;}{\f455\fswiss\fcharset162\fprq2 Metrostyle Tur;}{\f456\fswiss\fcharset186\fprq2 Metrostyle Baltic;}{\f457\fswiss\fcharset238\fprq2 Metrostyle Extended CE;} {\f461\fswiss\fcharset162\fprq2 Metrostyle Extended Tur;}{\f462\fswiss\fcharset186\fprq2 Metrostyle Extended Baltic;}{\f463\froman\fcharset238\fprq2 Ozzie Black CE;}{\f467\froman\fcharset162\fprq2 Ozzie Black Tur;} {\f468\froman\fcharset186\fprq2 Ozzie Black Baltic;}{\f469\froman\fcharset238\fprq2 Strider CE;}{\f473\froman\fcharset162\fprq2 Strider Tur;}{\f474\froman\fcharset186\fprq2 Strider Baltic;}{\f475\fswiss\fcharset238\fprq2 Univers Extended CE;} {\f479\fswiss\fcharset162\fprq2 Univers Extended Tur;}{\f480\fswiss\fcharset186\fprq2 Univers Extended Baltic;}{\f481\fswiss\fcharset238\fprq2 Univers Light Condensed CE;}{\f485\fswiss\fcharset162\fprq2 Univers Light Condensed Tur;} {\f486\fswiss\fcharset186\fprq2 Univers Light Condensed Baltic;}{\f493\fswiss\fcharset238\fprq2 Impact CE;}{\f494\fswiss\fcharset204\fprq2 Impact Cyr;}{\f496\fswiss\fcharset161\fprq2 Impact Greek;}{\f497\fswiss\fcharset162\fprq2 Impact Tur;} {\f498\fswiss\fcharset186\fprq2 Impact Baltic;}{\f583\fswiss\fcharset238\fprq2 Verdana CE;}{\f584\fswiss\fcharset204\fprq2 Verdana Cyr;}{\f586\fswiss\fcharset161\fprq2 Verdana Greek;}{\f587\fswiss\fcharset162\fprq2 Verdana Tur;} {\f588\fswiss\fcharset186\fprq2 Verdana Baltic;}}{\colortbl;\red0\green0\blue0;\red0\green0\blue255;\red0\green255\blue255;\red0\green255\blue0;\red255\green0\blue255;\red255\green0\blue0;\red255\green255\blue0;\red255\green255\blue255; \red0\green0\blue128;\red0\green128\blue128;\red0\green128\blue0;\red128\green0\blue128;\red128\green0\blue0;\red128\green128\blue0;\red128\green128\blue128;\red192\green192\blue192;}{\stylesheet{\nowidctlpar\widctlpar\adjustright \f4\fs20\lang1024\cgrid \snext0 Normal;}{\s1\fi-432\li432\sb120\sa240\keepn\nowidctlpar\widctlpar\jclisttab\tx432\tx720\hyphpar0\ls28\adjustright \b\f1\fs28\expnd4\expndtw20\cf1\cgrid \sbasedon0 \snext0 heading 1;}{\s2\fi-576\li576\sa240\keepn\nowidctlpar\widctlpar \jclisttab\tx576\tx720\hyphpar0\ls28\ilvl1\outlinelevel0\adjustright \b\f1\expnd4\expndtw20\cf1\cgrid \sbasedon1 \snext2 heading 2;}{\s3\fi-720\li720\sa240\keepn\nowidctlpar\widctlpar\jclisttab\tx720\hyphpar0\ls28\ilvl2\outlinelevel1\adjustright \b\f1\cf1\cgrid \sbasedon2 \snext3 heading 3;}{\s4\fi-864\li864\nowidctlpar\widctlpar\jclisttab\tx864\ls28\ilvl3\adjustright \f4\fs20\lang1024\cgrid \sbasedon0 \snext0 heading 4;}{\s5\fi-1008\li1008\nowidctlpar\widctlpar \jclisttab\tx1008\ls28\ilvl4\adjustright \f4\fs20\lang1024\cgrid \sbasedon0 \snext0 heading 5;}{\s6\fi-1152\li1152\nowidctlpar\widctlpar\jclisttab\tx1152\ls28\ilvl5\adjustright \f4\fs20\lang1024\cgrid \sbasedon0 \snext0 heading 6;}{ \s7\fi-1296\li1296\nowidctlpar\widctlpar\jclisttab\tx1296\ls28\ilvl6\adjustright \f4\fs20\lang1024\cgrid \sbasedon0 \snext0 heading 7;}{\s8\fi-1440\li1440\nowidctlpar\widctlpar\jclisttab\tx1440\ls28\ilvl7\adjustright \f4\fs20\lang1024\cgrid \sbasedon0 \snext0 heading 8;}{\s9\fi-1584\li1584\nowidctlpar\widctlpar\jclisttab\tx1584\ls28\ilvl8\adjustright \f4\fs20\lang1024\cgrid \sbasedon0 \snext0 heading 9;}{\*\cs10 \additive Default Paragraph Font;}{\*\cs15 \additive \ul\cf2 \sbasedon10 Hyperlink;}{\s16\nowidctlpar\widctlpar\tqc\tx4320\tqr\tx8640\adjustright \f4\fs20\lang1024\cgrid \sbasedon0 \snext16 footer;}{\*\cs17 \additive \sbasedon10 page number;}{\s18\sb240\nowidctlpar\widctlpar\adjustright \b\f1\lang1024\cgrid \sbasedon0 \snext0 \sautoupd toc 1;}{\s19\sb60\nowidctlpar\widctlpar\adjustright \f4\fs20\lang1024\cgrid \sbasedon0 \snext0 \sautoupd toc 2;}{\s20\li202\nowidctlpar\widctlpar\adjustright \f4\fs20\lang1024\cgrid \sbasedon0 \snext0 \sautoupd toc 3;}{ \s21\li400\nowidctlpar\widctlpar\adjustright \f4\fs20\lang1024\cgrid \sbasedon0 \snext0 \sautoupd toc 4;}{\s22\li600\nowidctlpar\widctlpar\adjustright \f4\fs20\lang1024\cgrid \sbasedon0 \snext0 \sautoupd toc 5;}{ \s23\li800\nowidctlpar\widctlpar\adjustright \f4\fs20\lang1024\cgrid \sbasedon0 \snext0 \sautoupd toc 6;}{\s24\li1000\nowidctlpar\widctlpar\adjustright \f4\fs20\lang1024\cgrid \sbasedon0 \snext0 \sautoupd toc 7;}{ \s25\li1200\nowidctlpar\widctlpar\adjustright \f4\fs20\lang1024\cgrid \sbasedon0 \snext0 \sautoupd toc 8;}{\s26\li1400\nowidctlpar\widctlpar\adjustright \f4\fs20\lang1024\cgrid \sbasedon0 \snext0 \sautoupd toc 9;}{\s27\nowidctlpar\widctlpar\adjustright \f4\fs22\cgrid \sbasedon0 \snext27 Body Text;}}{\*\listtable{\list\listtemplateid67698689\listsimple{\listlevel\levelnfc23\leveljc0\levelfollow0\levelstartat1\levelspace0\levelindent0{\leveltext\'01\u-3913 ?;}{\levelnumbers;}\f3\fbias0 \fi-360\li360 \jclisttab\tx360 }{\listname ;}\listid60714086}{\list\listtemplateid-2016524044\listsimple{\listlevel\levelnfc0\leveljc0\levelfollow0\levelstartat1\levelspace0\levelindent0{\leveltext\'02\'00.;}{\levelnumbers\'01;}\b0\i0 \fi-648\li648\jclisttab\tx648 } {\listname ;}\listid215700465}{\list\listtemplateid-150590964\listsimple{\listlevel\levelnfc2\leveljc0\levelfollow0\levelstartat1\levelspace0\levelindent0{\leveltext\'03(\'00);}{\levelnumbers\'02;}\fbias0 \fi-720\li1066\jclisttab\tx1066 }{\listname ;}\listid263878063}{\list\listtemplateid-2016524044\listsimple{\listlevel\levelnfc0\leveljc0\levelfollow0\levelstartat1\levelspace0\levelindent0{\leveltext\'02\'00.;}{\levelnumbers\'01;}\b0\i0 \fi-648\li648\jclisttab\tx648 }{\listname ;}\listid332993949} {\list\listtemplateid-2016524044\listsimple{\listlevel\levelnfc0\leveljc0\levelfollow0\levelstartat1\levelspace0\levelindent0{\leveltext\'02\'00.;}{\levelnumbers\'01;}\b0\i0 \fi-648\li648\jclisttab\tx648 }{\listname ;}\listid340469459} {\list\listtemplateid-2016524044\listsimple{\listlevel\levelnfc0\leveljc0\levelfollow0\levelstartat1\levelspace0\levelindent0{\leveltext\'02\'00.;}{\levelnumbers\'01;}\b0\i0 \fi-648\li648\jclisttab\tx648 }{\listname ;}\listid486286977} {\list\listtemplateid67698703\listsimple{\listlevel\levelnfc0\leveljc0\levelfollow0\levelstartat1\levelspace0\levelindent0{\leveltext\'02\'00.;}{\levelnumbers\'01;}\fi-360\li360\jclisttab\tx360 }{\listname ;}\listid509686584}{\list\listtemplateid67698689 \listsimple{\listlevel\levelnfc23\leveljc0\levelfollow0\levelstartat1\levelspace0\levelindent0{\leveltext\'01\u-3913 ?;}{\levelnumbers;}\f3\fbias0 \fi-360\li360\jclisttab\tx360 }{\listname ;}\listid528687450}{\list\listtemplateid-316395542\listsimple {\listlevel\levelnfc0\leveljc0\levelfollow0\levelstartat1\levelspace0\levelindent0{\leveltext\'02\'00.;}{\levelnumbers\'01;}\fbias0 \fi-360\li706\jclisttab\tx706 }{\listname ;}\listid722363548}{\list\listtemplateid67698689\listsimple{\listlevel\levelnfc23 \leveljc0\levelfollow0\levelstartat1\levelspace0\levelindent0{\leveltext\'01\u-3913 ?;}{\levelnumbers;}\f3\fbias0 \fi-360\li360\jclisttab\tx360 }{\listname ;}\listid891042517}{\list\listtemplateid67698689\listsimple{\listlevel\levelnfc23\leveljc0 \levelfollow0\levelstartat1\levelspace0\levelindent0{\leveltext\'01\u-3913 ?;}{\levelnumbers;}\f3\fbias0 \fi-360\li360\jclisttab\tx360 }{\listname ;}\listid931206117}{\list\listtemplateid67698703\listsimple{\listlevel\levelnfc0\leveljc0\levelfollow0 \levelstartat1\levelspace0\levelindent0{\leveltext\'02\'00.;}{\levelnumbers\'01;}\fi-360\li360\jclisttab\tx360 }{\listname ;}\listid979503259}{\list\listtemplateid67698703\listsimple{\listlevel\levelnfc0\leveljc0\levelfollow0\levelstartat1\levelspace0 \levelindent0{\leveltext\'02\'00.;}{\levelnumbers\'01;}\fi-360\li360\jclisttab\tx360 }{\listname ;}\listid1029722150}{\list\listtemplateid67698703\listsimple{\listlevel\levelnfc0\leveljc0\levelfollow0\levelstartat1\levelspace0\levelindent0{\leveltext \'02\'00.;}{\levelnumbers\'01;}\fi-360\li360\jclisttab\tx360 }{\listname ;}\listid1039091046}{\list\listtemplateid67698689\listsimple{\listlevel\levelnfc23\leveljc0\levelfollow0\levelstartat1\levelspace0\levelindent0{\leveltext \'01\u-3913 ?;}{\levelnumbers;}\f3\fbias0 \fi-360\li360\jclisttab\tx360 }{\listname ;}\listid1039747375}{\list\listtemplateid67698703\listsimple{\listlevel\levelnfc0\leveljc0\levelfollow0\levelstartat1\levelspace0\levelindent0{\leveltext \'02\'00.;}{\levelnumbers\'01;}\fi-360\li360\jclisttab\tx360 }{\listname ;}\listid1059787391}{\list\listtemplateid67698725{\listlevel\levelnfc0\leveljc0\levelfollow0\levelstartat1\levelspace0\levelindent0{\leveltext\'01\'00;}{\levelnumbers\'01;}\s1 \fi-432\li432\jclisttab\tx432 }{\listlevel\levelnfc0\leveljc0\levelfollow0\levelstartat1\levelspace0\levelindent0{\leveltext\'03\'00.\'01;}{\levelnumbers\'01\'03;}\s2\fi-576\li576\jclisttab\tx576 }{\listlevel\levelnfc0\leveljc0\levelfollow0\levelstartat1 \levelspace0\levelindent0{\leveltext\'05\'00.\'01.\'02;}{\levelnumbers\'01\'03\'05;}\s3\fi-720\li720\jclisttab\tx720 }{\listlevel\levelnfc0\leveljc0\levelfollow0\levelstartat1\levelspace0\levelindent0{\leveltext\'07\'00.\'01.\'02.\'03;}{\levelnumbers \'01\'03\'05\'07;}\s4\fi-864\li864\jclisttab\tx864 }{\listlevel\levelnfc0\leveljc0\levelfollow0\levelstartat1\levelspace0\levelindent0{\leveltext\'09\'00.\'01.\'02.\'03.\'04;}{\levelnumbers\'01\'03\'05\'07\'09;}\s5\fi-1008\li1008\jclisttab\tx1008 } {\listlevel\levelnfc0\leveljc0\levelfollow0\levelstartat1\levelspace0\levelindent0{\leveltext\'0b\'00.\'01.\'02.\'03.\'04.\'05;}{\levelnumbers\'01\'03\'05\'07\'09\'0b;}\s6\fi-1152\li1152\jclisttab\tx1152 }{\listlevel\levelnfc0\leveljc0\levelfollow0 \levelstartat1\levelspace0\levelindent0{\leveltext\'0d\'00.\'01.\'02.\'03.\'04.\'05.\'06;}{\levelnumbers\'01\'03\'05\'07\'09\'0b\'0d;}\s7\fi-1296\li1296\jclisttab\tx1296 }{\listlevel\levelnfc0\leveljc0\levelfollow0\levelstartat1\levelspace0\levelindent0 {\leveltext\'0f\'00.\'01.\'02.\'03.\'04.\'05.\'06.\'07;}{\levelnumbers\'01\'03\'05\'07\'09\'0b\'0d\'0f;}\s8\fi-1440\li1440\jclisttab\tx1440 }{\listlevel\levelnfc0\leveljc0\levelfollow0\levelstartat1\levelspace0\levelindent0{\leveltext \'11\'00.\'01.\'02.\'03.\'04.\'05.\'06.\'07.\'08;}{\levelnumbers\'01\'03\'05\'07\'09\'0b\'0d\'0f\'11;}\s9\fi-1584\li1584\jclisttab\tx1584 }{\listname ;}\listid1112945050}{\list\listtemplateid67698689\listsimple{\listlevel\levelnfc23\leveljc0\levelfollow0 \levelstartat1\levelspace0\levelindent0{\leveltext\'01\u-3913 ?;}{\levelnumbers;}\f3\fbias0 \fi-360\li360\jclisttab\tx360 }{\listname ;}\listid1179277030}{\list\listtemplateid67698689\listsimple{\listlevel\levelnfc23\leveljc0\levelfollow0\levelstartat1 \levelspace0\levelindent0{\leveltext\'01\u-3913 ?;}{\levelnumbers;}\f3\fbias0 \fi-360\li360\jclisttab\tx360 }{\listname ;}\listid1251888361}{\list\listtemplateid1059911142\listsimple{\listlevel\levelnfc2\leveljc0\levelfollow0\levelstartat1\levelspace0 \levelindent0{\leveltext\'03(\'00);}{\levelnumbers\'02;}\fbias0 \fi-720\li1066\jclisttab\tx1066 }{\listname ;}\listid1264606281}{\list\listtemplateid-2016524044\listsimple{\listlevel\levelnfc0\leveljc0\levelfollow0\levelstartat1\levelspace0\levelindent0 {\leveltext\'02\'00.;}{\levelnumbers\'01;}\b0\i0 \fi-648\li648\jclisttab\tx648 }{\listname ;}\listid1271665142}{\list\listtemplateid-316395542\listsimple{\listlevel\levelnfc0\leveljc0\levelfollow0\levelstartat1\levelspace0\levelindent0{\leveltext \'02\'00.;}{\levelnumbers\'01;}\fbias0 \fi-360\li706\jclisttab\tx706 }{\listname ;}\listid1320574164}{\list\listtemplateid67698689\listsimple{\listlevel\levelnfc23\leveljc0\levelfollow0\levelstartat1\levelspace0\levelindent0{\leveltext \'01\u-3913 ?;}{\levelnumbers;}\f3\fbias0 \fi-360\li360\jclisttab\tx360 }{\listname ;}\listid1435400061}{\list\listtemplateid-2016524044\listsimple{\listlevel\levelnfc0\leveljc0\levelfollow0\levelstartat1\levelspace0\levelindent0{\leveltext \'02\'00.;}{\levelnumbers\'01;}\b0\i0 \fi-648\li648\jclisttab\tx648 }{\listname ;}\listid1445347342}{\list\listtemplateid67698689\listsimple{\listlevel\levelnfc23\leveljc0\levelfollow0\levelstartat1\levelspace0\levelindent0{\leveltext \'01\u-3913 ?;}{\levelnumbers;}\f3\fbias0 \fi-360\li360\jclisttab\tx360 }{\listname ;}\listid1458643328}{\list\listtemplateid-1451600070{\listlevel\levelnfc0\leveljc0\levelfollow0\levelstartat5\levelspace0\levelindent0{\leveltext\'01\'00;}{\levelnumbers \'01;}\fbias0 \fi-720\li720\jclisttab\tx720 }{\listlevel\levelnfc0\leveljc0\levelfollow0\levelstartat1\levelspace0\levelindent0{\leveltext\'03\'00.\'01;}{\levelnumbers\'01\'03;}\fbias0 \fi-720\li720\jclisttab\tx720 }{\listlevel\levelnfc0\leveljc0 \levelfollow0\levelstartat1\levelspace0\levelindent0{\leveltext\'05\'00.\'01.\'02;}{\levelnumbers\'01\'03\'05;}\fbias0 \fi-720\li720\jclisttab\tx720 }{\listlevel\levelnfc0\leveljc0\levelfollow0\levelstartat1\levelspace0\levelindent0{\leveltext \'07\'00.\'01.\'02.\'03;}{\levelnumbers\'01\'03\'05\'07;}\fbias0 \fi-720\li720\jclisttab\tx720 }{\listlevel\levelnfc0\leveljc0\levelfollow0\levelstartat1\levelspace0\levelindent0{\leveltext\'09\'00.\'01.\'02.\'03.\'04;}{\levelnumbers\'01\'03\'05\'07\'09;} \fbias0 \fi-720\li720\jclisttab\tx720 }{\listlevel\levelnfc0\leveljc0\levelfollow0\levelstartat1\levelspace0\levelindent0{\leveltext\'0b\'00.\'01.\'02.\'03.\'04.\'05;}{\levelnumbers\'01\'03\'05\'07\'09\'0b;}\fbias0 \fi-1080\li1080\jclisttab\tx1080 } {\listlevel\levelnfc0\leveljc0\levelfollow0\levelstartat1\levelspace0\levelindent0{\leveltext\'0d\'00.\'01.\'02.\'03.\'04.\'05.\'06;}{\levelnumbers\'01\'03\'05\'07\'09\'0b\'0d;}\fbias0 \fi-1080\li1080\jclisttab\tx1080 }{\listlevel\levelnfc0\leveljc0 \levelfollow0\levelstartat1\levelspace0\levelindent0{\leveltext\'0f\'00.\'01.\'02.\'03.\'04.\'05.\'06.\'07;}{\levelnumbers\'01\'03\'05\'07\'09\'0b\'0d\'0f;}\fbias0 \fi-1440\li1440\jclisttab\tx1440 }{\listlevel\levelnfc0\leveljc0\levelfollow0\levelstartat1 \levelspace0\levelindent0{\leveltext\'11\'00.\'01.\'02.\'03.\'04.\'05.\'06.\'07.\'08;}{\levelnumbers\'01\'03\'05\'07\'09\'0b\'0d\'0f\'11;}\fbias0 \fi-1440\li1440\jclisttab\tx1440 }{\listname ;}\listid1487621627}{\list\listtemplateid67698689\listsimple {\listlevel\levelnfc23\leveljc0\levelfollow0\levelstartat1\levelspace0\levelindent0{\leveltext\'01\u-3913 ?;}{\levelnumbers;}\f3\fbias0 \fi-360\li360\jclisttab\tx360 }{\listname ;}\listid1544949995}{\list\listtemplateid-2016524044\listsimple{\listlevel \levelnfc0\leveljc0\levelfollow0\levelstartat1\levelspace0\levelindent0{\leveltext\'02\'00.;}{\levelnumbers\'01;}\b0\i0 \fi-648\li648\jclisttab\tx648 }{\listname ;}\listid1555116201}{\list\listtemplateid67698689\listsimple{\listlevel\levelnfc23\leveljc0 \levelfollow0\levelstartat1\levelspace0\levelindent0{\leveltext\'01\u-3913 ?;}{\levelnumbers;}\f3\fbias0 \fi-360\li360\jclisttab\tx360 }{\listname ;}\listid1610821642}{\list\listtemplateid67698689\listsimple{\listlevel\levelnfc23\leveljc0\levelfollow0 \levelstartat1\levelspace0\levelindent0{\leveltext\'01\u-3913 ?;}{\levelnumbers;}\f3\fbias0 \fi-360\li360\jclisttab\tx360 }{\listname ;}\listid1613977790}{\list\listtemplateid67698689\listsimple{\listlevel\levelnfc23\leveljc0\levelfollow0\levelstartat1 \levelspace0\levelindent0{\leveltext\'01\u-3913 ?;}{\levelnumbers;}\f3\fbias0 \fi-360\li360\jclisttab\tx360 }{\listname ;}\listid1660035646}{\list\listtemplateid67698689\listsimple{\listlevel\levelnfc23\leveljc0\levelfollow0\levelstartat1\levelspace0 \levelindent0{\leveltext\'01\u-3913 ?;}{\levelnumbers;}\f3\fbias0 \fi-360\li360\jclisttab\tx360 }{\listname ;}\listid1751850770}{\list\listtemplateid-2016524044\listsimple{\listlevel\levelnfc0\leveljc0\levelfollow0\levelstartat1\levelspace0\levelindent0 {\leveltext\'02\'00.;}{\levelnumbers\'01;}\b0\i0 \fi-648\li648\jclisttab\tx648 }{\listname ;}\listid1789936030}}{\*\listoverridetable{\listoverride\listid1029722150\listoverridecount0\ls1}{\listoverride\listid1458643328\listoverridecount0\ls2} {\listoverride\listid1751850770\listoverridecount0\ls3}{\listoverride\listid1039091046\listoverridecount0\ls4}{\listoverride\listid509686584\listoverridecount0\ls5}{\listoverride\listid528687450\listoverridecount0\ls6}{\listoverride\listid979503259 \listoverridecount0\ls7}{\listoverride\listid979503259\listoverridecount0\ls8}{\listoverride\listid1613977790\listoverridecount0\ls9}{\listoverride\listid931206117\listoverridecount0\ls10}{\listoverride\listid722363548\listoverridecount0\ls11} {\listoverride\listid1435400061\listoverridecount0\ls12}{\listoverride\listid1039747375\listoverridecount0\ls13}{\listoverride\listid1544949995\listoverridecount0\ls14}{\listoverride\listid1271665142\listoverridecount0\ls15}{\listoverride\listid1555116201 \listoverridecount0\ls16}{\listoverride\listid340469459\listoverridecount0\ls17}{\listoverride\listid332993949\listoverridecount0\ls18}{\listoverride\listid1660035646\listoverridecount0\ls19}{\listoverride\listid1251888361\listoverridecount0\ls20} {\listoverride\listid1320574164\listoverridecount0\ls21}{\listoverride\listid1789936030\listoverridecount0\ls22}{\listoverride\listid486286977\listoverridecount0\ls23}{\listoverride\listid1445347342\listoverridecount0\ls24}{\listoverride\listid215700465 \listoverridecount0\ls25}{\listoverride\listid263878063\listoverridecount0\ls26}{\listoverride\listid1264606281\listoverridecount0\ls27}{\listoverride\listid1112945050\listoverridecount0\ls28}{\listoverride\listid1487621627\listoverridecount0\ls29} {\listoverride\listid1610821642\listoverridecount0\ls30}{\listoverride\listid891042517\listoverridecount0\ls31}{\listoverride\listid1179277030\listoverridecount0\ls32}{\listoverride\listid60714086\listoverridecount0\ls33}}{\*\revtbl {Unknown;}}{\info {\title Certicom ECC Challenge}{\author Certicom Corp.}{\operator Certicom Corp.}{\creatim\yr1997\mo11\dy12\hr10\min47}{\revtim\yr1997\mo11\dy12\hr11\min13}{\printim\yr1997\mo11\dy12\hr11\min9}{\version5}{\edmins19}{\nofpages27}{\nofwords7883} {\nofchars44938}{\*\company Certicom Corp.}{\nofcharsws55187}{\vern71}}\margl2016\margr2016 \widowctrl\ftnbj\aenddoc\lytprtmet\hyphcaps0\formshade\viewkind1\viewscale100\pgbrdrhead\pgbrdrfoot \fet0\sectd \sbknone\pgnlcrm\linex0\endnhere\titlepg\sectdefaultcl {\footer \pard\plain \s16\nowidctlpar\widctlpar\tqc\tx4320\tqr\tx8640\pvpara\phmrg\posxc\posy0\adjustright \f4\fs20\lang1024\cgrid {\field{\*\fldinst {\cs17 PAGE }}{\fldrslt {\cs17 ii}}}{\cs17 \par }\pard \s16\nowidctlpar\widctlpar\tqc\tx4320\tqr\tx8640\adjustright { \par }}{\*\pnseclvl1\pnucrm\pnstart1\pnindent720\pnhang{\pntxta .}}{\*\pnseclvl2\pnucltr\pnstart1\pnindent720\pnhang{\pntxta .}}{\*\pnseclvl3\pndec\pnstart1\pnindent720\pnhang{\pntxta .}}{\*\pnseclvl4\pnlcltr\pnstart1\pnindent720\pnhang{\pntxta )}} {\*\pnseclvl5\pndec\pnstart1\pnindent720\pnhang{\pntxtb (}{\pntxta )}}{\*\pnseclvl6\pnlcltr\pnstart1\pnindent720\pnhang{\pntxtb (}{\pntxta )}}{\*\pnseclvl7\pnlcrm\pnstart1\pnindent720\pnhang{\pntxtb (}{\pntxta )}}{\*\pnseclvl8 \pnlcltr\pnstart1\pnindent720\pnhang{\pntxtb (}{\pntxta )}}{\*\pnseclvl9\pnlcrm\pnstart1\pnindent720\pnhang{\pntxtb (}{\pntxta )}}\pard\plain \qc\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright \f4\fs20\lang1024\cgrid {\b\fs30 Certicom ECC Challenge \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright { \par }\pard \qc\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b Abstract \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b \par }\pard \qj\nowidctlpar\widctlpar\adjustright {Certicom is pleased to present the Certicom Elliptic Curve Cryptosystem (ECC) Challenge. The first of its kind, the ECC Challenge has been developed to increase the industry\rquote s understanding and appreciation for the difficulty of the elliptic curve discrete logarithm problem, and to encourage and stimulate further research in the security analysis of elliptic curve cryptosystems. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright { \par }\pard \qj\fi300\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright { It is our hope that the knowledge and experience gained from this Challenge will help confirm comparisons of the security levels of systems such as ECC, RSA and DSA that have been based primarily on theoretical considerat ions. We also hope it will provide additional information to users of elliptic curve public\_key cryptosystems in terms of selecting suitable key lengths for}{\b }{a}{\b }{desired level of security. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright { \par }\pard \li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b The Certicom ECC Challenge Defined \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b \par }\pard \qj\fi300\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {The Challenge is to compute the E CC private keys from the given list of ECC public keys and associated system parameters. This is the type of problem facing an adversary who wishes to completely defeat an elliptic curve cryptosystem. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright { \par }\pard \qj\fi300\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {There are two Challenge Levels: Level I, comprising 109\_bit and 131\_bit challenges; and Level II, comprising 163\_bit, 191\_bit, 239\_bit and 359\_bit challenges. The 109\_ bit challenges are considered feasible and could be solved within a few months, while the 131\_bit challenges will require significantly more resources to solve. All Level II challenges are believed to be computationally infeasible. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright { \par }\pard \qj\fi300\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {The Certicom ECC Challenge is preceded by some Exercises: 79\_bit, 89\_bit and 97\_bit, respectively. These Exercises are feasible to complete given the current state o f knowledge in algorithmic number theory and the computational resources available to the industry. Certicom believes that it is feasible that the 79\_bit exercises could be solved in a matter of hours, the 89\_ bit exercises could be solved in a matter of days, and the 97\_bit exercises in a matter of weeks using a network of 3000 computers. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright { \par }\pard \qj\fi300\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {Participants can attempt solving the Exercise and Challenge sets using one or both of two finite fields. The first involves elliptic curves over the finite field }{\f15 F}{\sub 2}{ \i\up6\sub m}{ (the field having 2}{\i\super m}{ elements in it), and the second involves elliptic curves over the finite field }{\f15 F}{\i\sub p}{ (the field of integers modulo an odd prime }{\i p}{). \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright { \par }\pard \qj\fi300\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {The following sections present further background on the Certicom ECC Challenge, a mathematical overview of t he elliptic curve discrete logarithm problem, a detailed technical description of the Challenge, the Challenge lists and corresponding prizes, and details on how to report solutions. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright { \par }\pard \qc\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\page }{\b\fs28\ul Contents \par }\pard\plain \s18\sb240\nowidctlpar\widctlpar\tx400\tqr\tldot\tx8198\adjustright \b\f1\lang1024\cgrid {\field\fldedit{\*\fldinst { TOC \\o "1-3" }}{\fldrslt {1\tab Introduction\tab }{\field{\*\fldinst { PAGEREF _Toc403967185 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003100380035000000}}}{\fldrslt {1}}}{ \par }\pard\plain \s19\sb60\nowidctlpar\widctlpar\tx800\tqr\tldot\tx8198\adjustright \f4\fs20\lang1024\cgrid {1.1\tab Background\tab }{\field{\*\fldinst { PAGEREF _Toc403967186 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003100380036000000}}}{\fldrslt {1}}}{ \par 1.2\tab Elliptic curve cryptosystems\tab }{\field{\*\fldinst { PAGEREF _Toc403967187 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003100380037000000}}}{\fldrslt {1}}}{ \par 1.3\tab Why have a challenge?\tab }{\field{\*\fldinst { PAGEREF _Toc403967188 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003100380038000000}}}{\fldrslt {2}}}{ \par }\pard\plain \s18\sb240\nowidctlpar\widctlpar\tx400\tqr\tldot\tx8198\adjustright \b\f1\lang1024\cgrid {2\tab The Elliptic Curve Discrete Logarithm Problem (ECDLP)\tab }{\field{\*\fldinst { PAGEREF _Toc403967189 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003100380039000000}}}{\fldrslt {3}}}{ \par }\pard\plain \s19\sb60\nowidctlpar\widctlpar\tx800\tqr\tldot\tx8198\adjustright \f4\fs20\lang1024\cgrid {2.1\tab The discrete logarithm problem\tab }{\field{\*\fldinst { PAGEREF _Toc403967190 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003100390030000000}}}{\fldrslt {3}}}{ \par 2.2\tab Algorithms known for the ECDLP\tab }{\field{\*\fldinst { PAGEREF _Toc403967191 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003100390031000000}}}{\fldrslt {3}}}{ \par 2.3\tab Is there a subexponential\_time algorithm for ECDLP?\tab }{\field{\*\fldinst { PAGEREF _Toc403967192 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003100390032000000}} }{\fldrslt {5}}}{ \par }\pard\plain \s18\sb240\nowidctlpar\widctlpar\tx400\tqr\tldot\tx8198\adjustright \b\f1\lang1024\cgrid {3\tab The Challenge Explained\tab }{\field{\*\fldinst { PAGEREF _Toc403967193 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003100390033000000}}}{\fldrslt {5}}}{ \par }\pard\plain \s19\sb60\nowidctlpar\widctlpar\tx800\tqr\tldot\tx8198\adjustright \f4\fs20\lang1024\cgrid {3.1\tab Elliptic curves over }{\f15 F}{\sub 2}{\i\up6\sub m}{ \_ format and examples\tab }{\field{\*\fldinst { PAGEREF _Toc403967194 \\h }{ {\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003100390034000000}}}{\fldrslt {6}}}{ \par }\pard\plain \s20\li202\nowidctlpar\widctlpar\tx1200\tqr\tldot\tx8198\adjustright \f4\fs20\lang1024\cgrid {3.1.1\tab The finite field }{\f15 F}{\sub 2}{\i\up6\sub m}{\tab }{\field{\*\fldinst { PAGEREF _Toc403967195 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003100390035000000}}}{\fldrslt {6}}}{ \par 3.1.2\tab Elliptic curves over }{\f15 F}{\sub 2}{\i\up6\sub m}{\tab }{\field{\*\fldinst { PAGEREF _Toc403967196 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003100390036000000}} }{\fldrslt {7}}}{ \par 3.1.3\tab Format for challenge parameters (the }{\f15 F}{\sub 2}{\i\up6\sub m}{ case)\tab }{\field{\*\fldinst { PAGEREF _Toc403967197 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003100390037000000}}}{\fldrslt {8}}}{ \par 3.1.4\tab Random elliptic curves and points (the }{\f15 F}{\sub 2}{\i\up6\sub m}{ case)\tab }{\field{\*\fldinst { PAGEREF _Toc403967198 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003100390038000000}}}{\fldrslt {9}}}{ \par }\pard\plain \s19\sb60\nowidctlpar\widctlpar\tx800\tqr\tldot\tx8198\adjustright \f4\fs20\lang1024\cgrid {3.2\tab Elliptic curves over }{\f15 F}{\i\sub p}{ \_ format and examples\tab }{\field{\*\fldinst { PAGEREF _Toc403967199 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003100390039000000}}}{\fldrslt {11}}}{ \par }\pard\plain \s20\li202\nowidctlpar\widctlpar\tx1200\tqr\tldot\tx8198\adjustright \f4\fs20\lang1024\cgrid {3.2.1\tab The finite field }{\f15 F}{\i\sub p}{\tab }{\field{\*\fldinst { PAGEREF _Toc403967200 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003200300030000000}}}{\fldrslt {11}}}{ \par 3.2.2\tab Elliptic curves over }{\f15 F}{\i\sub p}{\tab }{\field{\*\fldinst { PAGEREF _Toc403967201 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003200300031000000}}}{\fldrslt {12}}}{ \par 3.2.3\tab Format for challenge parameters (the }{\f15 F}{\i\sub p}{ case)\tab }{\field{\*\fldinst { PAGEREF _Toc403967202 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003200300032000000}}}{\fldrslt {13}}}{ \par 3.2.4\tab Random elliptic curves and points (the }{\f15 F}{\i\sub p}{ case)\tab }{\field{\*\fldinst { PAGEREF _Toc403967203 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003200300033000000}}}{\fldrslt {14}}}{ \par }\pard\plain \s19\sb60\nowidctlpar\widctlpar\tx800\tqr\tldot\tx8198\adjustright \f4\fs20\lang1024\cgrid {3.3\tab Further details about the challenge\tab }{\field{\*\fldinst { PAGEREF _Toc403967204 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003200300034000000}}}{\fldrslt {16}}}{ \par 3.4\tab Time estimates for exercises and challenges\tab }{\field{\*\fldinst { PAGEREF _Toc403967205 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003200300035000000}}}{\fldrslt {17}}}{ \par }\pard\plain \s18\sb240\nowidctlpar\widctlpar\tx400\tqr\tldot\tx8198\adjustright \b\f1\lang1024\cgrid {4\tab Exercise Lists and Challenge Lists\tab }{\field{\*\fldinst { PAGEREF _Toc403967206 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003200300036000000}}}{\fldrslt {18}}}{ \par }\pard\plain \s19\sb60\nowidctlpar\widctlpar\tx800\tqr\tldot\tx8198\adjustright \f4\fs20\lang1024\cgrid {4.1\tab Elliptic curves over }{\f15 F}{\sub 2}{\i\up6\sub m}{\tab }{\field{\*\fldinst { PAGEREF _Toc403967207 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003200300037000000}}}{\fldrslt {18}}}{ \par }\pard\plain \s20\li202\nowidctlpar\widctlpar\tx1200\tqr\tldot\tx8198\adjustright \f4\fs20\lang1024\cgrid {4.1.1\tab Exercises\tab }{\field{\*\fldinst { PAGEREF _Toc403967208 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003200300038000000}}}{\fldrslt {18}}}{ \par 4.1.2\tab Level I challenges\tab }{\field{\*\fldinst { PAGEREF _Toc403967209 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003200300039000000}}}{\fldrslt {18}}}{ \par 4.1.3\tab Level II challenges\tab }{\field{\*\fldinst { PAGEREF _Toc403967210 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003200310030000000}}}{\fldrslt {19}}}{ \par }\pard\plain \s19\sb60\nowidctlpar\widctlpar\tx800\tqr\tldot\tx8198\adjustright \f4\fs20\lang1024\cgrid {4.2\tab Elliptic curves over }{\f15 F}{\i\sub p}{\tab }{\field{\*\fldinst { PAGEREF _Toc403967211 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003200310031000000}}}{\fldrslt {19}}}{ \par }\pard\plain \s20\li202\nowidctlpar\widctlpar\tx1200\tqr\tldot\tx8198\adjustright \f4\fs20\lang1024\cgrid {4.2.1\tab Exercises\tab }{\field{\*\fldinst { PAGEREF _Toc403967212 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003200310032000000}}}{\fldrslt {19}}}{ \par 4.2.2\tab Level I challenges\tab }{\field{\*\fldinst { PAGEREF _Toc403967213 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003200310033000000}}}{\fldrslt {20}}}{ \par 4.2.3\tab Level II challenges\tab }{\field{\*\fldinst { PAGEREF _Toc403967214 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003200310034000000}}}{\fldrslt {20}}}{ \par }\pard\plain \s18\sb240\nowidctlpar\widctlpar\tx400\tqr\tldot\tx8198\adjustright \b\f1\lang1024\cgrid {5\tab Challenge Rules\tab }{\field{\*\fldinst { PAGEREF _Toc403967215 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003200310035000000}}}{\fldrslt {20}}}{ \par }\pard\plain \s19\sb60\nowidctlpar\widctlpar\tx800\tqr\tldot\tx8198\adjustright \f4\fs20\lang1024\cgrid {5.1\tab The Rules and Reporting a Solution\tab }{\field{\*\fldinst { PAGEREF _Toc403967216 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003200310036000000}}}{\fldrslt {20}}}{ \par }\pard\plain \s20\li202\nowidctlpar\widctlpar\tx1200\tqr\tldot\tx8198\adjustright \f4\fs20\lang1024\cgrid {5.1.1\tab Format of Submissions\tab }{\field{\*\fldinst { PAGEREF _Toc403967217 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003200310037000000}}}{\fldrslt {21}}}{ \par }\pard\plain \s19\sb60\nowidctlpar\widctlpar\tx800\tqr\tldot\tx8198\adjustright \f4\fs20\lang1024\cgrid {5.2\tab Prizes and Status\tab }{\field{\*\fldinst { PAGEREF _Toc403967218 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003200310038000000}}}{\fldrslt {21}}}{ \par }\pard\plain \s20\li202\nowidctlpar\widctlpar\tx1200\tqr\tldot\tx8198\adjustright \f4\fs20\lang1024\cgrid {5.2.1\tab Exercise Prize Lists\tab }{\field{\*\fldinst { PAGEREF _Toc403967219 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003200310039000000}}}{\fldrslt {22}}}{ \par 5.2.2\tab Level I Challenge Prize List\tab }{\field{\*\fldinst { PAGEREF _Toc403967220 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003200320030000000}}}{\fldrslt {23}}}{ \par 5.2.3\tab Level II Challenge Prize List\tab }{\field{\*\fldinst { PAGEREF _Toc403967221 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003200320031000000}}}{\fldrslt {23}}}{ \par 5.2.4\tab Administration and Collection of Prizes\tab }{\field{\*\fldinst { PAGEREF _Toc403967222 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003200320032000000}}}{\fldrslt {24}}}{ \par }\pard\plain \s18\sb240\nowidctlpar\widctlpar\tx400\tqr\tldot\tx8198\adjustright \b\f1\lang1024\cgrid {6\tab References\tab }{\field{\*\fldinst { PAGEREF _Toc403967223 \\h }{{\*\datafield 08d0c9ea79f9bace118c8200aa004ba90b02000000080000000e0000005f0054006f0063003400300033003900360037003200320033000000}}}{\fldrslt {24}}}{ \par }\pard\plain \s20\li202\nowidctlpar\widctlpar\adjustright \f4\fs20\lang1024\cgrid }}\pard\plain \s20\li202\nowidctlpar\widctlpar\adjustright \f4\fs20\lang1024\cgrid {\fs22 \sect }\sectd \marglsxn1584\margrsxn1440\pgnrestart\linex0\endnhere\sectdefaultcl {\footer \pard\plain \s16\nowidctlpar\widctlpar\tqc\tx4320\tqr\tx8640\pvpara\phmrg\posxc\posy0\adjustright \f4\fs20\lang1024\cgrid {\field{\*\fldinst {\cs17 PAGE }}{\fldrslt {\cs17 25}}}{\cs17 \par }\pard \s16\nowidctlpar\widctlpar\tqc\tx4320\tqr\tx8640\adjustright { \par }}\pard\plain \li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright \f4\fs20\lang1024\cgrid {\fs22 \par {\*\bkmkstart _Toc403967185}{\listtext\pard\plain\s1 \b\f1\fs28\expnd4\expndtw20\cf1\cgrid \hich\af1\dbch\af0\loch\f1 1\tab}}\pard\plain \s1\fi-432\li432\sb120\sa240\keepn\nowidctlpar\widctlpar \jclisttab\tx432\tx720\hyphpar0\ls28\outlinelevel0\adjustright \b\f1\fs28\expnd4\expndtw20\cf1\cgrid {Introduction{\*\bkmkend _Toc403967185} \par }\pard\plain \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright \f4\fs20\lang1024\cgrid { \par {\*\bkmkstart _Toc403967186}{\listtext\pard\plain\s2 \b\f1\expnd4\expndtw20\cf1\cgrid \hich\af1\dbch\af0\loch\f1 1.1\tab}}\pard\plain \s2\fi-576\li576\sa240\keepn\nowidctlpar\widctlpar\jclisttab\tx576\tx720\hyphpar0\ls28\ilvl1\outlinelevel1\adjustright \b\f1\expnd4\expndtw20\cf1\cgrid {Background{\*\bkmkend _Toc403967186} \par }\pard\plain \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright \f4\fs20\lang1024\cgrid {\b \par }\pard \qj\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 Since the invention of public\_key cryptography in 1976 by Whitfield Diffie and Martin Hellman, numerous public\_ key cryptographic systems have been proposed. All of these systems rely on the difficulty of a mathematical problem for their security. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par }\pard \qj\fi340\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 Over the years, many of the proposed public\_ key cryptographic systems have been broken, and many others have been demonstrated to be impractical. Today, only three types of systems should be considered both secure and efficient. Examples of such systems, classified according to the mathematical pro blem on which they are based, are: \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par {\pntext\pard\plain\b\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 1.\tab}}\pard \fi-360\li706\sa240\nowidctlpar\widctlpar\tx20\tx280\tx330\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls1\pnrnot0\pndec\pnstart1\pnindent360\pnhang{\pntxta .}} \ls1\adjustright {\b\fs22 Integer factorization problem (IFP): }{\fs22 RSA and Rabin\_Williams. \par {\pntext\pard\plain\b\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 2.\tab}}\pard \fi-360\li706\sa240\nowidctlpar\widctlpar\tx20\tx280\tx330\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls1\pnrnot0\pndec\pnstart1\pnindent360\pnhang{\pntxta .}} \ls1\adjustright {\b\fs22 Discrete logarithm problem (DLP): }{\fs22 the U.S. government\rquote s Digital Signature Algorithm (DSA), the Diffie\_Hellman and MQV key agreement schemes, the ElGamal encryption and signature schemes, and the Schnorr and Nyberg \_Rueppel signature schemes. \par {\pntext\pard\plain\b\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 3.\tab}}\pard \fi-360\li706\sa240\nowidctlpar\widctlpar\tx20\tx280\tx330\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls1\pnrnot0\pndec\pnstart1\pnindent360\pnhang{\pntxta .}} \ls1\adjustright {\b\fs22 Elliptic curve discrete logarithm problem (ECDLP): }{\fs22 the elliptic curve analogue of the DSA (ECDSA), and the elliptic curve analogues of the Diffie\_ Hellman and MQV key agreement schemes, the ElGamal encryption and signature schemes, and the Schnorr and Nyberg\_Rueppel signature schemes. \par }\pard \qj\fi340\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 None of these problems have been }{\i\fs22 proven }{\fs22 to be intractable (i.e., difficult to solve in an efficient manner). Rather, they are }{\i\fs22 believed }{\fs22 to be intractable because years of intensive study by leading mathematicians and computer scientists around the world has failed to yield efficient algorithms for solving them. As more effort is expended o ver time in studying and understanding these problems, our confidence in the security of the corresponding cryptographic systems will continue to grow. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par {\*\bkmkstart _Toc403967187}{\listtext\pard\plain\s2 \b\f1\expnd4\expndtw20\cf1\cgrid \hich\af1\dbch\af0\loch\f1 1.2\tab}}\pard\plain \s2\fi-576\li576\sb120\sa240\keepn\nowidctlpar\widctlpar \jclisttab\tx576\tx720\hyphpar0\ls28\ilvl1\outlinelevel1\adjustright \b\f1\expnd4\expndtw20\cf1\cgrid {Elliptic curve cryptosystems{\*\bkmkend _Toc403967187} \par }\pard\plain \qj\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright \f4\fs20\lang1024\cgrid {\fs22 Elliptic curve cryptosystems (ECC) were prop osed independently in 1985 by Victor Miller [Miller] and Neal Koblitz [Koblitz]. At the time, both Miller and Koblitz regarded the concept of ECC as mathematically elegant, however felt that its implementation would be impractical. Since 1985, ECC has rec e ived intense scrutiny from cryptographers, mathematicians, and computer scientists around the world. On the one hand, the fact that no significant weaknesses have been found has led to high confidence in the security of ECC. On the other hand, great strid es have been made in improving the efficiency of the system, to the extent that today ECC is not just practical, but it is the most efficient public\_key system known. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par }\pard \qj\fi340\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 The primary reason for the attractiveness of ECC over systems such as RSA and DSA is that the best algorithm known for solving the underlying mathematical problem (namely, the ECDLP) takes }{\i\fs22 fully exponential }{\fs22 time. In contrast, }{\i\fs22 subexponential\_time }{\fs22 algorithms are known for underlying mathematical problems on which RSA and DSA are based, namely th e integer factorization (IFP) and the discrete logarithm (DLP) problems. This means that the algorithms for solving the ECDLP become infeasible much more rapidly as the problem size increases than those algorithms for the IFP and DLP. For this reason, ECC offers security equivalent to RSA and DSA while using far smaller key sizes. \par \par The attractiveness of ECC will}{\f6\fs26 }{\fs22 increase relative to other public\_key cryptosystems as computing power improvements force a general increase in the key size. The benefits of this higher\_strength-per\_bit include: \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx220\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls2\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls2\adjustright {\fs22 higher speeds, \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx240\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls2\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls2\adjustright {\fs22 lower power consumption, \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx220\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls2\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls2\adjustright {\fs22 bandwidth savings, \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx220\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls2\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls2\adjustright {\fs22 storage efficiencies, and \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa240\nowidctlpar\widctlpar\tx20\tx220\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls2\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls2\adjustright {\fs22 smaller certificates. \par }\pard \qj\fi346\li14\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 These advantages are particularly beneficial in applications where bandwidth, processing capacity, power availability, or storage are constrained. Such applications include: \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx220\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls3\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls3\adjustright {\fs22 chip cards, \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx240\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls3\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls3\adjustright {\fs22 electronic commerce, \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx220\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls3\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls3\adjustright {\fs22 web servers, \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx240\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls3\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls3\adjustright {\fs22 cellular telephones, and \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx240\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls3\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls3\adjustright {\fs22 pagers. \par }\pard \nowidctlpar\widctlpar\tx20\tx240\tqr\tx9360\adjustright {\fs22 \par {\*\bkmkstart _Toc403967188}{\listtext\pard\plain\s2 \b\f1\expnd4\expndtw20\cf1\cgrid \hich\af1\dbch\af0\loch\f1 1.3\tab}}\pard\plain \s2\fi-576\li576\sb120\sa240\keepn\nowidctlpar\widctlpar \jclisttab\tx576\tx720\hyphpar0\ls28\ilvl1\outlinelevel1\adjustright \b\f1\expnd4\expndtw20\cf1\cgrid {Why have a challenge?{\*\bkmkend _Toc403967188} \par }\pard\plain \li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright \f4\fs20\lang1024\cgrid {\fs22 The objectives of this }{ECC }{\fs22 challenge are the following: \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 1.\tab}}\pard \qj\fi-360\li706\sa180\nowidctlpar\widctlpar\tx260\tx310\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls4\pnrnot0\pndec\pnstart1\pnindent360\pnhang{\pntxta .}} \ls4\adjustright {\fs22 To increase the cryptographic community\rquote s understanding and appreciation of the difficulty of the ECDLP. \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 2.\tab}}\pard \qj\fi-360\li706\sa180\nowidctlpar\widctlpar\tx280\tx330\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls4\pnrnot0\pndec\pnstart1\pnindent360\pnhang{\pntxta .}} \ls4\adjustright {\fs22 To confirm comparisons of the security levels of systems such as ECC, RSA}{\f6\fs26 }{\fs22 and DSA}{\f6\fs26 }{\fs22 that have been made based primarily on theoretical considerations. \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 3.\tab}}\pard \qj\fi-360\li706\sa180\nowidctlpar\widctlpar\tx280\tx330\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls4\pnrnot0\pndec\pnstart1\pnindent360\pnhang{\pntxta .}} \ls4\adjustright {\fs22 To provide information on how users of elliptic curve public\_key cryptosystems should select suitable key lengths for a desired level of security. \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 4.\tab}}\pard \qj\fi-360\li706\sa180\nowidctlpar\widctlpar\tx260\tx310\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls4\pnrnot0\pndec\pnstart1\pnindent360\pnhang{\pntxta .}} \ls4\adjustright {\fs22 To determine whether there is any}{\fs28 }{\fs22 significant difference in the difficulty of the ECDLP for elliptic curves over }{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 and the ECDLP for elliptic curves over }{ \f15\fs22 F}{\i\fs22\sub p}{\fs22 . \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 5.\tab}}\pard \qj\fi-360\li706\sa180\nowidctlpar\widctlpar\tx260\tx310\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls4\pnrnot0\pndec\pnstart1\pnindent360\pnhang{\pntxta .}} \ls4\adjustright {\fs22 To determine whether there is any}{\fs28 }{\fs22 significant difference in the difficulty of the ECDLP for random elliptic curves over }{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 and the ECDLP for Koblitz curves. \par }\pard \qj\fi-360\li706\sa240\nowidctlpar\widctlpar\tx260\tx310\tqr\tx9360\adjustright {\fs22 6. To encourage and stimulate research in computational and algorithmic number theory and, in particular, the study of the ECDLP.}{\f6\fs26 \par {\*\bkmkstart _Toc403967189}{\listtext\pard\plain\s1 \b\f1\fs28\expnd4\expndtw20\cf1\cgrid \hich\af1\dbch\af0\loch\f1 2\tab}}\pard\plain \s1\fi-432\li432\sb120\sa240\keepn\nowidctlpar\widctlpar \jclisttab\tx432\tx720\hyphpar0\ls28\outlinelevel0\adjustright \b\f1\fs28\expnd4\expndtw20\cf1\cgrid {The Elliptic Curve Discrete Logarithm Problem (ECDLP){\*\bkmkend _Toc403967189} \par }\pard\plain \qj\li14\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright \f4\fs20\lang1024\cgrid {\fs22 This section provides a brief overview of the state\_of\_the\_ art in algorithms known for solving the elliptic curve discrete logarithm problem. For more information, the reader is referred to Chapter 3 of the }{\i\fs22 Handbook of Applied Cryptography }{\fs22 [MVV].}{\i\fs22 \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par {\*\bkmkstart _Toc403967190}{\listtext\pard\plain\s2 \b\f1\expnd4\expndtw20\cf1\cgrid \hich\af1\dbch\af0\loch\f1 2.1\tab}}\pard\plain \s2\fi-576\li576\sb120\sa240\keepn\nowidctlpar\widctlpar \jclisttab\tx576\tx720\hyphpar0\ls28\ilvl1\outlinelevel1\adjustright \b\f1\expnd4\expndtw20\cf1\cgrid {The discrete logarithm problem{\*\bkmkend _Toc403967190} \par }\pard\plain \qj\li14\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright \f4\fs20\lang1024\cgrid {\fs22 Roughly speaking, the }{\i\fs22 discrete logarithm problem }{\fs22 is}{\i\fs22 }{\fs22 the problem of \ldblquote inverting\rdblquote the process of exponentiation. The problem can be posed in a variety of algebraic settings. The most commonly studied versions of this problem are: \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par {\pntext\pard\plain\i\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 1.\tab}}\pard \qj\fi-360\li706\sa180\nowidctlpar\widctlpar\tx260\tx310\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls5\pnrnot0\pndec\pnstart1\pnindent360\pnhang{\pntxta .}} \ls5\adjustright {\i\fs22 The discrete logarithm problem in a finite field (DLP): }{\fs22 Given a finite field }{\f15\fs22 F}{\i\fs22\sub q}{\fs22 and elements }{\i\fs22 g, h }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{ \i\fs22 }{\f15\fs22 F}{\i\fs22\expnd4\expndtw24\sub q}{\fs22 ,}{\i\fs22 }{\fs22 find an integer }{\i\fs22 l}{\fs22 such that }{\i\fs22 g}{\i\fs22\dn2\super l}{\fs22 = }{\i\fs22 h}{\fs22 in }{\f15\fs22 F}{\i\fs22\sub q}{\i\fs22 , }{\fs22 provided that such an integer exists. \par {\pntext\pard\plain\i\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 2.\tab}}\pard \qj\fi-360\li706\nowidctlpar\widctlpar\tx260\tx310\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls5\pnrnot0\pndec\pnstart1\pnindent360\pnhang{\pntxta .}} \ls5\adjustright {\i\fs22 The elliptic curve discrete logarithm problem (ECDLP): }{\fs22 Given an elliptic curve }{\i\fs22 E }{\fs22 defined over a finite field }{\f15\fs22 F}{\i\fs22\expnd4\expndtw24\sub q}{\fs22 , and two points }{\i\fs22 P}{\fs22 , }{ \i\fs22 Q }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\i\fs22 E}{\fs22 (}{\f15\fs22 F}{\i\fs22\sub q}{\fs22 )}{\i\fs22 , }{\fs22 find an integer }{\i\fs22 l}{\fs22 such that }{\i\fs22 lP = Q }{\fs22 in }{\i\fs22 E, }{ \fs22 provided that such an integer exists. \par }\pard \nowidctlpar\widctlpar\tx260\tx310\tqr\tx9360\adjustright {\fs22 \par }\pard \qj\fi340\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 On the surface, these two problems look quite different. In the first problem, \ldblquote multiplicative\rdblquote notation is used: }{\i\fs22 g}{\i\fs22\dn2\super l}{\i\fs22 }{\fs22 refers to the process of }{\i\fs22 multiplying g }{\fs22 by itself }{\i\fs22 l}{\fs22 times. In the second problem, \ldblquote additive\rdblquote notation is used: }{\i\fs22 lP }{\fs22 refers to the process of }{\i\fs22 adding P }{\fs22 to itself }{\i\fs22 l}{\fs22 times. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par }\pard \qj\fi340\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 If one casts these notational differences aside, then the two problems are abstractly the same. What is intriguing about the two problems, however, is that the second appears to be much more difficult than the first. The fundamental reason for this is that the algebraic objects in the DLP (}{\i\fs22 finite fields}{\fs22 )}{\i\fs22 }{\fs22 are equipped with two basic operations: addition and multiplication of field elements. In contrast, the algebraic objects in the ECDLP (}{\i\fs22 elliptic curves over finite felds}{\fs22 )}{\i\fs22 }{\fs22 are equipped with only one basic operation: addition of elliptic curve points. The additional structure present in the DLP has led to the discovery of the }{\i\fs22 index\_calculus methods, }{\fs22 which have a }{\i\fs22 subexponential }{\fs22 running time. Elliptic curves do not possess this additional structure, and for this reason noone has been able to apply the index\_calculus methods to the ECDLP (except in very special and well-understood cases). This absence of subexponential\_ time algorithms for the ECDLP, together with efficient implementation of the elliptic curve arithmetic, is precisely the reason that elliptic curve cryptosystems have proven so attractive for practical use. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par {\*\bkmkstart _Toc403967191}{\listtext\pard\plain\s2 \b\f1\expnd4\expndtw20\cf1\cgrid \hich\af1\dbch\af0\loch\f1 2.2\tab}}\pard\plain \s2\fi-576\li576\sb120\sa240\keepn\nowidctlpar\widctlpar \jclisttab\tx576\tx720\hyphpar0\ls28\ilvl1\outlinelevel1\adjustright \b\f1\expnd4\expndtw20\cf1\cgrid {Algorithms known for the ECDLP{\*\bkmkend _Toc403967191} \par }\pard\plain \qj\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright \f4\fs20\lang1024\cgrid {\fs22 This section briefly overviews the algorithms known for the ECDLP. All of these algorithms take }{\i\fs22 fully exponential time. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\i\fs22 \par }\pard \li346\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 The notation used is the following: \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx240\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls6\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls6\adjustright {\i\fs22 q}{\i\f7 }{\fs22 is the order of the underlying finite field.}{\i\f7 \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx240\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls6\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls6\adjustright {\f15\fs22 F}{\i\fs22\sub q}{\i\fs22 }{\fs22 is the underlying finite field of order }{\i\fs22 q.}{\fs22 \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx220\tx270\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls6\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls6\adjustright {\i\fs22 E }{\fs22 is an elliptic curve defined over }{\f15\fs22 F}{\i\fs22\sub q}{\fs22 . \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \qj\fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx200\tx270\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls6\pnrnot0\pnf3\pnstart1\pnindent360\pnhang {\pntxtb \'b7}}\ls6\adjustright {\i\fs22 E}{\fs22 (}{\f15\fs22 F}{\i\fs22\sub q}{\fs22 )}{\i\fs22 }{\fs22 is the set of points on }{\i\fs22 E }{\fs22 both of whose coordinates are in }{\f15\fs22 F}{\i\fs22\expnd4\expndtw24\sub q}{\fs22 , together with the point at infinity.}{\i\fs22 \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx200\tx240\tx270\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls6\pnrnot0\pnf3\pnstart1\pnindent360\pnhang {\pntxtb \'b7}}\ls6\adjustright {\i\fs22 P}{\fs22 is a point in }{\i\fs22 E}{\fs22 (}{\f15\fs22 F}{\i\fs22\sub q}{\fs22 )}{\i\fs22 .}{\fs22 \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx220\tx270\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls6\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls6\adjustright {\i\fs22 n }{\fs22 is the large prime order of the point }{\i\fs22 P}{\fs22 .}{\i\fs22 \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa240\nowidctlpar\widctlpar\tx20\tx220\tx270\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls6\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls6\adjustright {\i\fs22 Q }{\fs22 is another point in }{\i\fs22 E}{\fs22 (}{\f15\fs22 F}{\i\fs22\sub q}{\fs22 )}{\i\fs22 . \par }\pard \qj\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 The ECDLP is:}{\f6\fs26 }{\fs22 Given }{\i\fs24 q}{\fs24 ,}{\i\f7\fs14 }{\i\fs22 E}{\fs22 ,}{\i\fs22 P}{\fs22 ,}{\i\fs22 n }{\fs22 and }{\i\fs22 Q}{\fs22 , find an integer }{ \i\fs22 l}{\fs22 , 0 }{\fs22 {\field{\*\fldinst SYMBOL 163 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 }{\i\fs22 l}{\fs22 }{\fs22 {\field{\*\fldinst SYMBOL 163 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 }{\i\fs22 n \endash }{\fs22 1}{\i\fs22 , }{\fs22 such that }{\i\fs22 lP = Q}{\fs22 , provided that such an integer exists. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par }\pard \qj\fi340\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 For the remainder of the discussion, we shall only consider instances of the ECDLP for which the integer }{\i\fs22 l }{\fs22 exists. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par {\pntext\pard\plain\i\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 1.\tab}}\pard \fi-360\li706\nowidctlpar\widctlpar\tx20\tx280\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls8\pnrnot0\pndec\pnstart1\pnindent360\pnhang{\pntxta .}} \ls8\adjustright {\i\fs22 Naive exhaustive search}{\fs22 . \par }\pard \qj\li691\sa180\nowidctlpar\widctlpar\tx20\tx240\tx280\tqr\tx9360{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\fs22 In this method, one simply computes successive multiples of }{\i\fs22 P}{\fs22 : }{\i\fs22 P}{\fs22 , }{\i\fs22 2P}{ \fs22 ,}{\i\fs22 3P}{\fs22 ,}{\i\fs22 4P}{\fs22 ,}{\i\fs22 ... }{\fs22 until }{\i\fs22 Q}{\fs22 is obtained. This method can take up to }{\i\fs22 n }{\fs22 steps in the worst case. \par {\pntext\pard\plain\i\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 2.\tab}}\pard \fi-360\li706\nowidctlpar\widctlpar\tx20\tx240\tx280\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls8\pnrnot0\pndec\pnstart1\pnindent360\pnhang{\pntxta .}} \ls8\adjustright {\i\fs22 Baby\_step giant\_step algorithm}{\fs22 . \par }\pard \qj\li691\sa180\nowidctlpar\widctlpar\tx20\tx240\tx280\tqr\tx9360{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\fs22 This algorithm is a time\_memory trade\_off of the method of exhaustive search. It requires storage for about }{\dn8 {\pict{\*\picprop\shplid1127{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}}{\sp{\sn fFlipV}{\sv 0}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}}{\sp{\sn fillColor}{\sv 268435473}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}} {\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}}\picscalex100\picscaley86\piccropl0\piccropr0\piccropt0\piccropb0 \picw670\pich635\picwgoal380\pichgoal360\wmetafile8\bliptag422358224\blipupi2304{\*\blipuid 192cacd0772b1f4c2d3aa369ace41946}010009000003d30000000400150000000000050000000902000000000400000002010100050000000102ffffff00040000002e01180005000000310201000000 050000000b0200000000050000000c02400260021200000026060f001a00ffffffff000010000000c0ffffffb6ffffff20020000f60100000b00000026060f00 0c004d617468547970650000400009000000fa02000010000000000000002200040000002d010000050000001402680148000500000013024c01790009000000 fa02000020000000000000002200040000002d01010005000000140254017900050000001302d601c000040000002d010000050000001402d601c80005000000 130252002601050000001402520026010500000013025200110215000000fb0280fe0000000000009001010000000402001054696d6573204e657720526f6d61 6e000000040000002d01020008000000320ac0013e01010000006e000a00000026060f000a00ffffffff01000000000010000000fb021000070000000000bc02000000000102022253797374656d006e040000002d01030004000000f00102000300000000000000000000000000000000000000}}{\fs22 points, and its running time is roughly }{\dn8 {\pict{\*\picprop\shplid1130{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}}{\sp{\sn fFlipV}{\sv 0}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}} {\sp{\sn fillColor}{\sv 268435473}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}}{\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}} \picscalex100\picscaley86\piccropl0\piccropr0\piccropt0\piccropb0\picw670\pich635\picwgoal380\pichgoal360\wmetafile8\bliptag422358224\blipupi2304{\*\blipuid 192cacd0772b1f4c2d3aa369ace41946} 010009000003d30000000400150000000000050000000902000000000400000002010100050000000102ffffff00040000002e01180005000000310201000000 050000000b0200000000050000000c02400260021200000026060f001a00ffffffff000010000000c0ffffffb6ffffff20020000f60100000b00000026060f00 0c004d617468547970650000400009000000fa02000010000000000000002200040000002d010000050000001402680148000500000013024c01790009000000 fa02000020000000000000002200040000002d01010005000000140254017900050000001302d601c000040000002d010000050000001402d601c80005000000 130252002601050000001402520026010500000013025200110215000000fb0280fe0000000000009001010000000402001054696d6573204e657720526f6d61 6e000000040000002d01020008000000320ac0013e01010000006e000a00000026060f000a00ffffffff01000000000010000000fb021000070000000000bc02000000000102022253797374656d006e040000002d01030004000000f00102000300000000000000000000000000000000000000}}{\fs22 steps in the worst case. \par {\pntext\pard\plain\i\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 3.\tab}}\pard \fi-360\li706\nowidctlpar\widctlpar\tx20\tx240\tx280\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls8\pnrnot0\pndec\pnstart1\pnindent360\pnhang{\pntxta .}} \ls8\adjustright {\i\fs22 Pollard\rquote s rho algorithm}{\fs22 . \par }\pard \qj\li691\sa180\nowidctlpar\widctlpar\tx20\tx240\tx280\tqr\tx9360{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\fs22 This algorithm, due to Pollard [Pollard], is a randomized version of the baby\_step giant\_ step algorithm. It has roughly the same expected running time (}{\dn8 {\pict{\*\picprop\shplid1128{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}}{\sp{\sn fFlipV}{\sv 0}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}} {\sp{\sn fillColor}{\sv 268435473}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}}{\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}} \picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0\picw1305\pich635\picwgoal740\pichgoal360\wmetafile8\bliptag-1868913269\blipupi2304{\*\blipuid 909aa58b0c32aa55536c4b3ec4c2b4e8} 010009000003200100000400150000000000050000000902000000000400000002010100050000000102ffffff00040000002e01180005000000310201000000 050000000b0200000000050000000c024002a0041200000026060f001a00ffffffff000010000000c0ffffffb6ffffff60040000f60100000b00000026060f00 0c004d617468547970650000400009000000fa02000010000000000000002200040000002d010000050000001402680148000500000013024c01790009000000 fa02000020000000000000002200040000002d01010005000000140254017900050000001302d601c000040000002d010000050000001402d601c80005000000 1302520026010500000014025200260105000000130252005a0415000000fb0280fe0000000000009001000000000402001054696d6573204e657720526f6d61 6e000200040000002d01020008000000320ac0018c0301000000320008000000320ac001e602010000002f0015000000fb0280fe000000000000900101000000 0402001054696d6573204e657720526f6d616e005900040000002d01030004000000f001020008000000320ac001f201010000006e0010000000fb0280fe0000 000000009001010000020002001053796d626f6c0000040000002d01020004000000f001030008000000320ac00120010100000070000a00000026060f000a00 ffffffff01000000000010000000fb021000070000000000bc02000000000102022253797374656d006e040000002d01030004000000f001020003000000000000000000000000000000000000000000}}{\fs22 steps}{\fs16 }{\fs22 ) as the baby\_step giant\_ step algorithm, but is superior in that it requires a negligible amount of storage. \par {\pntext\pard\plain\i\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 4.\tab}}\pard \fi-360\li706\nowidctlpar\widctlpar\tx20\tx240\tx280\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls8\pnrnot0\pndec\pnstart1\pnindent360\pnhang{\pntxta .}} \ls8\adjustright {\i\fs22 Distributed version of Pollard\rquote s rho algorithm}{\fs22 . \par }\pard \qj\li691\sa180\nowidctlpar\widctlpar\tx20\tx240\tx280\tqr\tx9360{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\fs22 Van Oorschot and Wiener [VW] showed how Pollard\rquote s rho algorithm can be parallelized so that when the algorithm is run in parallel on }{\i\fs22 m}{\fs22 processors, the expected running time of the algorithm is roughly }{\dn8 {\pict{\*\picprop\shplid1129{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}} {\sp{\sn fFlipV}{\sv 0}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}}{\sp{\sn fillColor}{\sv 268435473}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}} {\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}}\picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0 \picw1870\pich635\picwgoal1060\pichgoal360\wmetafile8\bliptag183838248\blipupi2303{\*\blipuid 0af526286a78a8f3fc1800617da2ea11}010009000003300100000400150000000000050000000902000000000400000002010100050000000102ffffff00040000002e01180005000000310201000000 050000000b0200000000050000000c024002a0061200000026060f001a00ffffffff000010000000c0ffffffb6ffffff60060000f60100000b00000026060f00 0c004d617468547970650000400009000000fa02000010000000000000002200040000002d010000050000001402680148000500000013024c01790009000000 fa02000020000000000000002200040000002d01010005000000140254017900050000001302d601c000040000002d010000050000001402d601c80005000000 130252002601050000001402520026010500000013025200580415000000fb0280fe0000000000009001010000000402001054696d6573204e657720526f6d61 6e000000040000002d01020008000000320ac0013e05010000006d0008000000320ac001f201010000006e0015000000fb0280fe000000000000900100000000 0402001054696d6573204e657720526f6d616e005d00040000002d01030004000000f001020008000000320ac0019804010000002f0008000000320ac0018b03 01000000320008000000320ac001e502010000002f0010000000fb0280fe0000000000009001010000020002001053796d626f6c0000040000002d0102000400 0000f001030008000000320ac00120010100000070000a00000026060f000a00ffffffff01000000000010000000fb021000070000000000bc02000000000102022253797374656d006e040000002d01030004000000f001020003000000000000000000000000000000000000000000}}{\fs22 steps. That is, using }{\b\fs22 }{\i\fs22 m}{\fs22 processors results in an }{\i\fs22 m}{\fs22 \_fold speed\_up. \par This distributed version of Pollard\rquote s rho algorithm is the fastest general\_purpose algorithm known for the ECDLP. \par {\pntext\pard\plain\i\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 5.\tab}}\pard \fi-360\li706\nowidctlpar\widctlpar\tx20\tx240\tx280\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls8\pnrnot0\pndec\pnstart1\pnindent360\pnhang{\pntxta .}} \ls8\adjustright {\i\fs22 Pohlig\_Hellman algorithm}{\fs22 . \par }\pard \qj\li691\sa180\nowidctlpar\widctlpar\tx20\tx240\tx280\tqr\tx9360{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\fs22 This algorithm, due to Pohlig and Hellman [PH], exploits the factorization of }{\i\fs22 n, }{\fs22 the order of the point }{\i\fs22 P}{\fs22 . The algorithm reduces the problem of recovering }{\i\fs22 l}{\fs22 to the problem of recovering }{\i\fs22 l}{\fs22 modulo each of the prime factors of }{\i\fs22 n; }{\fs22 the desired number }{\i\fs22 l}{ \fs22 can then be recovered by using the Chinese Remainder Theorem. \par The implications of this algorithm are the following. To construct the most difficult instance of the ECDLP, one must select an elliptic curve whose order is divisible by a large prime }{\i\fs22 n. }{\fs22 Preferably, this order should be a prime or almost a prime (i.e. a large prime }{\i\fs22 n }{\fs22 times a small integer }{\i\fs22 h}{\fs22 ). The elliptic curves in the exercises and challenges posed here are all of this type. \par {\pntext\pard\plain\i\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 6.\tab}}\pard \fi-360\li706\nowidctlpar\widctlpar\tx20\tx240\tx280\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls8\pnrnot0\pndec\pnstart1\pnindent360\pnhang{\pntxta .}} \ls8\adjustright {\i\fs22 A special class of elliptic curves: supersingular curves}{\fs22 . \par }\pard \qj\li691\sa180\nowidctlpar\widctlpar\tx20\tx240\tx280\tqr\tx9360{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\fs22 Menezes, Okamoto and Vanstone [MOV, Menezes] and Frey and R\'fc ck [FR] showed how, under mild assumptions, the ECDLP in an elliptic curve }{\i\fs22 E}{\fs22 defined over a finite field }{\f15\fs22 F}{\i\fs22\sub q}{\i\fs22 }{\fs22 can be reduced to the DLP in some extension field }{\f15\fs22 F}{\i\fs22\sub q}{ \i\fs22\up6\sub B}{\fs22 for some }{\i\fs22 B }{\fs22 {\field{\*\fldinst SYMBOL 179 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\i\fs22 }{\fs22 1}{\i\fs22 , }{\fs22 where the index\_calculus algorithms apply. The reduction algorithm is only practical if }{ \i\fs22 B }{\fs22 is}{\i\fs22 }{\fs22 small \emdash this is not the case for most elliptic curves. To ensure that this reduction algorithm does not apply to a particular curve, one only needs to check that }{\i\fs22 n, }{\fs22 the order of the point }{ \i\fs22 P}{\fs22 , does not divide }{\i\fs22 q}{\i\fs22\super B}{\fs22 \endash 1 for all small }{\i\fs22 B }{\fs22 for which the DLP in }{\f15\fs22 F}{\i\fs22\sub q}{\i\fs22\up6\sub B}{\fs22 is intractable (1 }{\fs22 {\field{\*\fldinst SYMBOL 163 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 }{\i\fs22 B }{\fs22 {\field{\*\fldinst SYMBOL 163 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 2000/(log}{\fs22\sub 2}{\fs22 }{\i\fs22 q}{\fs22 )}{\i\f7\fs14 }{\fs22 suffices). \par For the very special class of }{\i\fs22 supersingular elliptic curves, }{\fs22 it is known that }{\i\fs22 B }{\fs22 {\field{\*\fldinst SYMBOL 163 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 6}{\i\fs22 . }{\fs22 It follows that the reduction algorithm yields a subexponential\_time algorithm for the ECDLP in supersingular curves. \par {\pntext\pard\plain\i\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 7.\tab}}\pard \fi-360\li706\nowidctlpar\widctlpar\tx20\tx240\tx280\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls8\pnrnot0\pndec\pnstart1\pnindent360\pnhang{\pntxta .}} \ls8\adjustright {\i\fs22 Another special class of elliptic curves: anomalous curves}{\fs22 . \par }\pard \qj\li691\sa180\nowidctlpar\widctlpar\tx20\tx240\tx280\tqr\tx9360\adjustright {\fs22 Smart [Smart] and Satoh and Araki [SA] independently showed that the ECDLP for the special class of anomalous elliptic curves is easy to solve. An }{\i\fs22 anomalous elliptic curve}{\fs22 over }{\f15\fs22 F}{\i\fs22\sub q}{\fs22 is an ellipic curve over }{\f15\fs22 F}{\i\fs22\sub q}{\fs22 which has exactly }{\i\fs22 q}{\fs22 points. The attack does not extend to any other classes of elliptic curves. Consequently, by verifying that the number of points on an elliptic does not equal the num ber of elements in the underlying field, one can easily ensure that the Smart-Satoh-Araki attack does not apply to a particular curve. \par {\*\bkmkstart _Toc403967192}{\listtext\pard\plain\s2 \b\f1\expnd4\expndtw20\cf1\cgrid \hich\af1\dbch\af0\loch\f1 2.3\tab}}\pard\plain \s2\fi-576\li576\sb120\sa240\keepn\nowidctlpar\widctlpar \jclisttab\tx576\tx720\hyphpar0\ls28\ilvl1\outlinelevel1\adjustright \b\f1\expnd4\expndtw20\cf1\cgrid {Is there a subexponential\_time algorithm for ECDLP?{\*\bkmkend _Toc403967192} \par }\pard\plain \qj\li14\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright \f4\fs20\lang1024\cgrid {\fs22 Whether or not there exists a subexponential\_ time algorithm for the ECDLP is an important unsettled question, and one of great relevance to the security of ECC. It is extremely unlikely that anyone will ever be able to }{\i\fs22 prove }{\fs22 that no subexponential\_ time algorithm exists for the ECDLP. (Analogously, it is extremely unlikely that anyone will ever be able to }{\i\fs22 prove }{\fs22 that no polynomial-time (efficient) algorithm exists for the integer factorization and discrete logarithm problems.) However, much work has been done on the DLP over the past 20 years, and more specifically on the ECDLP over the past 12 years. No subexponential\_time algorithm has been discovered for the ECDLP, confirming the widely\_held belief that no such algorithm exists. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par }\pard \qj\fi340\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 A summary of the work done on the ECDLP and further references can be found in the Certicom whitepaper [Certicom]. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par {\*\bkmkstart _Toc403967193}{\listtext\pard\plain\s1 \b\f1\fs28\expnd4\expndtw20\cf1\cgrid \hich\af1\dbch\af0\loch\f1 3\tab}}\pard\plain \s1\fi-432\li432\sb120\sa240\keepn\nowidctlpar\widctlpar \jclisttab\tx432\tx720\hyphpar0\ls28\outlinelevel0\adjustright \b\f1\fs28\expnd4\expndtw20\cf1\cgrid {The Challenge Explained{\*\bkmkend _Toc403967193} \par }\pard\plain \qj\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright \f4\fs20\lang1024\cgrid {\fs22 This section gives an overview of some of the mathematics that is relevant to this challenge. The format for the challenge parameters presented in Section 4 is also explained. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par }\pard \qj\fi320\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 For further background on finite fields, consult the books by McEliece [McEliece] and Lidl and Niederreiter [LN]. For further background on elliptic curves, consult the books by Koblitz [Koblitz3] and Menezes [Menezes]. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par {\*\bkmkstart _Toc403967194}{\listtext\pard\plain\s2 \b\f1\expnd4\expndtw20\cf1\cgrid \hich\af1\dbch\af0\loch\f1 3.1\tab}}\pard\plain \s2\fi-576\li576\sb120\sa240\keepn\nowidctlpar\widctlpar \jclisttab\tx576\tx720\hyphpar0\ls28\ilvl1\outlinelevel1\adjustright \b\f1\expnd4\expndtw20\cf1\cgrid {Elliptic curves over }{\b0\f15 F}{\sub 2}{\i\up6\sub m}{ \_ format and examples{\*\bkmkend _Toc403967194} \par {\*\bkmkstart _Toc403967195}{\listtext\pard\plain\s3 \b\f1\fs22\cf1\cgrid \hich\af1\dbch\af0\loch\f1 3.1.1\tab}}\pard\plain \s3\fi-720\li720\sa240\keepn\nowidctlpar\widctlpar\jclisttab\tx720\hyphpar0\ls28\ilvl2\outlinelevel2\adjustright \b\f1\cf1\cgrid { \fs22 The finite field }{\b0\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 {\*\bkmkend _Toc403967195} \par }\pard\plain \qj\li14\sb120\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright \f4\fs20\lang1024\cgrid {\fs22 There are many ways to represent the elements of a finite field with 2}{\i\fs22\super m}{\fs22 elements. The particular method used in this challenge is called a }{\i\fs22 polynomial basis representation. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\i\fs22 \par }\pard \qj\fi340\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 Let }{\i\fs22 f}{\fs16 }{\fs22 (}{\i\fs22 x}{\fs22 )}{\i\fs22 }{\i\fs16 = }{\i\fs22 x}{\i\fs22\super m}{\i\fs22 }{\fs22 +}{\i\fs22 f}{\i\fs22\sub m}{\fs22\sub -1 }{\i\fs22 x}{\i\fs22\super m\_}{\fs22\super l}{\i\fs22\super }{\fs22 + \'85 +}{\i\fs22 f}{\fs22\sub 2}{\i\fs22 x}{\fs22\super 2}{\i\fs22 }{\fs22 +}{\i\fs22 f}{\fs22\sub 1}{\i\fs22 x }{\fs22 +}{\i\fs22 f}{\fs22\sub 0}{\i\fs22 }{\fs22 (where}{\i\fs16 }{ \i\fs22 f}{\i\fs22\sub i}{\i\fs22 }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 \{0, 1\}}{\i\fs22 }{\fs22 for }{\i\fs22 i}{\fs22 = 0, 1, . . ., }{\i\fs22 m}{\fs16 }{\fs22 \endash }{\fs16 }{\fs22 1) be an irreducible polynomial of degree }{\i\fs22 m}{\fs22 over }{\f15\fs22 F}{\fs22\sub 2}{\i\fs22 . }{\fs22 That is, }{\i\fs22 f }{\fs22 (}{\i\fs22 x}{\fs22 )}{\i\fs22 }{\fs22 cannot be factored as a product of two polynomials over }{\f15\fs22 F}{ \fs22\expnd4\expndtw24\sub 2}{\fs22 ,}{\i\fs22 }{\fs22 each of degree less than }{\i\fs22 m}{\fs22 . The polynomial }{\i\fs22 f }{\fs22 (}{\i\fs22 x}{\fs22 )}{\i\fs22 is }{\fs22 called the }{\i\fs22 reduction polynomial. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\i\fs22 \par }\pard \li346\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 The finite field }{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 is comprised of all polynomials over }{\f15\fs22 F}{\fs22\sub 2}{\i\fs22 }{\fs22 of degree less than }{\i\fs22 m }{\fs22 : \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par }\pard \li864\sa120\nowidctlpar\widctlpar\tx20\tx1840\tx3100\tx3600\adjustright {\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\i\fs22 = }{\fs22 \{}{\i\fs22 a}{\i\fs22\sub m}{\fs22\sub -1 }{\i\fs22 x}{\i\fs22\super m\_}{\fs22\super l}{\i\fs22\super }{ \fs22 + }{\i\fs22 a}{\i\fs22\sub m}{\fs22\sub -2 }{\i\fs22 x}{\i\fs22\super m\_}{\fs22\super 2}{\i\fs22\super }{\fs22 + \'85}{\i\fs22 + a}{\fs22\sub 1}{\i\fs22 x }{\fs22 + }{\i\fs22 a}{\fs22\sub 0}{\fs22 : }{\i\fs22 a}{\i\fs22\sub i}{\fs22 }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 \{0, 1\}\}.}{\i\fs16 \par }\pard \nowidctlpar\widctlpar\tx20\tx1840\tx3100\tx3600\adjustright {\i\fs16 \par }\pard \fi346\li14\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 The field element }{\i\fs22 a}{\i\fs22\sub m}{\fs22\sub -1 }{\i\fs22 x}{\i\fs22\super m\_}{\fs22\super l}{\i\fs22\super }{\fs22 + }{\i\fs22 a}{\i\fs22\sub m}{\fs22\sub -2 }{ \i\fs22 x}{\i\fs22\super m\_}{\fs22\super 2}{\i\fs22\super }{\fs22 + \'85}{\i\fs22 + a}{\fs22\sub 1}{\i\fs22 x }{\fs22 + }{\i\fs22 a}{\fs22\sub 0}{\fs22 is}{\fs16 }{\fs22 usually denoted by the binary string (}{\i\fs22 a}{\i\fs22\sub m}{\fs22\sub -1 }{ \i\fs22 a}{\i\fs22\sub m}{\fs22\sub -2 }{\fs22 \'85 }{\i\fs22 a}{\fs22\sub 1}{\i\fs22 a}{\fs22\sub 0}{\fs22 )}{\i\fs16 }{\fs22 of length }{\i\fs22 m}{\fs22 , so that \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par }\pard \li864\nowidctlpar\widctlpar\tx20\tx1840\tx3100\tx3600\adjustright {\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\i\fs22 = }{\fs22 \{(}{\i\fs22 a}{\i\fs22\sub m}{\fs22\sub -1 }{\i\fs22 a}{\i\fs22\sub m}{\fs22\sub -2 }{\fs22 \'85 }{\i\fs22 a}{ \fs22\sub 1}{\i\fs22 a}{\fs22\sub 0}{\fs22 ) : }{\i\fs22 a}{\i\fs22\sub i}{\fs22 }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 \{0, 1\}\}.}{\i\fs16 \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\i\fs22 \par }\pard \fi346\li14\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 Thus the elements of }{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 can be represented by the set of all binary strings of length }{\i\fs22 m}{\fs22 . The multiplicative identity element (1) is represented by the bit string (00. . .01), while the zero element (additive identity) is represented by the bit string of all 0\rquote s. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par }\pard \li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 The following arithmetic operations are defined on the elements of }{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 : \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx200\tx250\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls9\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls9\adjustright {\i\fs22 Addition}{\fs22 : }{\i\fs22 }{\fs22 If }{\i\fs22 a }{\i\f7 =}{\i\fs16 }{\fs22 (}{\i\fs22 a}{\i\fs22\sub m}{\fs22\sub -1 }{\i\fs22 a}{\i\fs22\sub m}{\fs22\sub -2 }{\fs22 \'85 }{\i\fs22 a}{\fs22\sub 1}{\i\fs22 a}{\fs22\sub 0}{ \fs22 ) }{\i\fs16 }{\fs22 and }{\i\fs22 b }{\i\f7 = }{\fs22 (}{\i\fs22 b}{\i\fs22\sub m}{\fs22\sub -1 }{\i\fs22 b}{\i\fs22\sub m}{\fs22\sub -2 }{\fs22 \'85 }{\i\fs22 b}{\fs22\sub 1}{\i\fs22 b}{\fs22\sub 0}{\fs22 ) are elements of }{\f15\fs22 F}{ \fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 , then }{\i\fs22 a + b }{\i\f7 =}{\i\fs22 c }{\i\f7 = }{\fs22 (}{\i\fs22 c}{\i\fs22\sub m}{\fs22\sub -1 }{\i\fs22 c}{\i\fs22\sub m}{\fs22\sub -2 }{\fs22 \'85 }{\i\fs22 c}{\fs22\sub 1}{\i\fs22 c}{\fs22\sub 0}{\fs22 ) }{\i\fs22 , }{\fs22 where }{\i\fs22 c}{\i\fs22\sub i}{\fs22 }{\i\f7 =}{\fs22 (}{\i\fs22 a}{\i\fs22\sub i}{\fs22 +}{\i\fs22 b}{\i\fs22\sub i}{\fs22 ) mod 2. That is, field addition is performed bitwise. \par {\pntext\pard\plain\f3\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx200\tx250\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls9\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls9\adjustright {\i\fs24 Multiplication}{\fs24 :}{\i\fs24 }{\fs18 If }{\i\fs22 a }{\i\f7 =}{\i\fs16 }{\fs22 (}{\i\fs22 a}{\i\fs22\sub m}{\fs22\sub -1 }{\i\fs22 a}{\i\fs22\sub m}{\fs22\sub -2 }{\fs22 \'85 }{\i\fs22 a}{\fs22\sub 1}{\i\fs22 a}{\fs22\sub 0}{\fs22 ) }{\i\fs16 }{\fs22 and }{\i\fs22 b }{\f7 =}{\i\f7 }{\fs22 (}{\i\fs22 b}{\i\fs22\sub m}{\fs22\sub -1 }{\i\fs22 b}{\i\fs22\sub m}{\fs22\sub -2 }{\fs22 \'85 }{\i\fs22 b}{\fs22\sub 1}{\i\fs22 b}{\fs22\sub 0}{\fs22 ) are elements of }{\f15\fs22 F} {\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 , then }{\i\fs22 a}{\fs22 }{\fs16 {\field{\*\fldinst SYMBOL 183 \\f "Symbol" \\s 8}{\fldrslt\f3\fs16}}}{\fs22 }{\i\fs22 b }{\i\f7 = }{\i\fs24 r }{\i\f7 =}{\fs16 }{\fs22 (}{\i\fs22 r}{\i\fs22\sub m}{\fs22\sub -1 }{ \i\fs22 r}{\i\fs22\sub m}{\fs22\sub -2 }{\fs22 \'85 }{\i\fs22 r}{\fs22\sub 1}{\i\fs22 r}{\fs22\sub 0}{\fs22 )}{\fs16 , }{\fs22 where the polynomial}{\fs18 }{\i\fs22 r}{\i\fs22\sub m}{\fs22\sub -1 }{\i\fs22 x}{\i\fs22\super m\_}{\fs22\super l}{ \i\fs22\super }{\fs22 + }{\i\fs22 r}{\i\fs22\sub m}{\fs22\sub -2 }{\i\fs22 x}{\i\fs22\super m\_}{\fs22\super 2}{\i\fs22\super }{\fs22 + \'85}{\i\fs22 + r}{\fs22\sub 1}{\i\fs22 x }{\fs22 + }{\i\fs22 r}{\fs22\sub 0}{\fs22 is}{\fs16 }{\fs22 the remainder when the polynomial \par }\pard \li864\sa180\nowidctlpar\widctlpar\tx20\tx1840\tx3100\tx3600{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\fs22 (}{\i\fs22 a}{\i\fs22\sub m}{\fs22\sub -1 }{\i\fs22 x}{\i\fs22\super m\_}{\fs22\super l}{\i\fs22\super }{\fs22 + }{\i\fs22 a }{\i\fs22\sub m}{\fs22\sub -2 }{\i\fs22 x}{\i\fs22\super m\_}{\fs22\super 2}{\i\fs22\super }{\fs22 + \'85}{\i\fs22 + a}{\fs22\sub 1}{\i\fs22 x }{\fs22 + }{\i\fs22 a}{\fs22\sub 0}{\fs22 ) }{\fs16 {\field{\*\fldinst SYMBOL 183 \\f "Symbol" \\s 8}{\fldrslt \f3\fs16}}}{\fs16 }{\fs22 (}{\i\fs22 b}{\i\fs22\sub m}{\fs22\sub -1 }{\i\fs22 x}{\i\fs22\super m\_}{\fs22\super l}{\i\fs22\super }{\fs22 + }{\i\fs22 b}{\i\fs22\sub m}{\fs22\sub -2 }{\i\fs22 x}{\i\fs22\super m\_}{\fs22\super 2}{\i\fs22\super }{\fs22 + \'85}{\i\fs22 + b}{\fs22\sub 1}{\i\fs22 x }{\fs22 + }{\i\fs22 b}{\fs22\sub 0}{\fs22 )}{\fs22\sub }{\fs22 is divided by }{\i\fs22 f(x) }{\fs22 over}{\fs18 }{\f15\fs22 F}{\fs22\sub 2}{\i\fs22 . \par {\pntext\pard\plain\f3\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx200\tx250\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls9\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls9\adjustright {\i\fs24 Inversion}{\fs22 :}{\i\fs22 }{\fs22 If }{\i\fs24 a }{\fs22 is}{\i\fs22 }{\fs22 a non\_zero element in }{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 , the }{\i\fs22 inverse }{\fs22 of }{\i\fs22 a, }{\fs22 denoted }{ \i\fs22 a}{\fs22\super \_l}{\fs22 , is the unique element }{\i\fs22 c}{\fs22 }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 }{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 for which }{\i\fs22 a }{\fs16 {\field{\*\fldinst SYMBOL 183 \\f "Symbol" \\s 8}{\fldrslt\f3\fs16}}}{\i\fs22 c = }{\fs22 1. \par }\pard \li14\sb120\nowidctlpar\widctlpar\tx20\tx480\tqr\tx9360\adjustright {\b\fs22 Example}{\b\fs18 }{\fs22 (}{\i\fs24 The finite field }{\f15\fs22 F}{\fs22\sub 2}{\fs22\up6\sub 4}{\fs22 ) \par }\pard \li20\nowidctlpar\widctlpar\tx20\tx480\tqr\tx9360\adjustright {\i\fs22 \par }{\fs22 Let}{\fs18 }{\i\fs22 f}{\fs16 }{\fs22 (}{\i\fs22 x}{\fs22 )}{\i\fs22 = x}{\fs22\super 4}{\i\fs22 }{\fs22 +}{\fs18 }{\i\fs22 x}{\fs18 }{\fs22 +}{\fs18 }{\fs22 1 be the reduction polynomial. Then the elements of }{\f15\fs22 F}{\fs22\sub 2}{ \fs22\up6\sub 4}{\i\fs22 }{\fs22 are: \par }{\fs18 \tab \par }\trowd \trqc\trgaph108\trleft-108 \clvertalt\cltxlrtb \cellx900\clvertalt\cltxlrtb \cellx1908\clvertalt\cltxlrtb \cellx2916\clvertalt\cltxlrtb \cellx3924\clvertalt\cltxlrtb \cellx4932\clvertalt\cltxlrtb \cellx5940\clvertalt\cltxlrtb \cellx6948 \clvertalt\cltxlrtb \cellx7956\pard \nowidctlpar\widctlpar\intbl\tx20\tx480\tqr\tx9360\adjustright {\fs22 (0000)}{\fs18 \cell }{\fs22 (1000)}{\fs18 \cell }{\fs22 (0100)}{\fs18 \cell }{\fs22 (1100)}{\fs18 \cell }{\fs22 (0010)}{\fs18 \cell }{\fs22 (1010)}{ \fs18 \cell }{\fs22 (0110)}{\fs18 \cell }{\fs22 (1110)}{\fs18 \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\fs18 \row }\trowd \trqc\trgaph108\trleft-108 \clvertalt\cltxlrtb \cellx900\clvertalt\cltxlrtb \cellx1908\clvertalt\cltxlrtb \cellx2916 \clvertalt\cltxlrtb \cellx3924\clvertalt\cltxlrtb \cellx4932\clvertalt\cltxlrtb \cellx5940\clvertalt\cltxlrtb \cellx6948\clvertalt\cltxlrtb \cellx7956\pard \nowidctlpar\widctlpar\intbl\tx20\tx480\tqr\tx9360\adjustright {\fs22 (0001)}{\fs18 \cell }{\fs22 (1001)}{\fs18 \cell }{\fs22 (0101)}{\fs18 \cell }{\fs22 (1101)}{\fs18 \cell }{\fs22 (0011)}{\fs18 \cell }{\fs22 (1011)}{\fs18 \cell }{\fs22 (0111)}{\fs18 \cell }{\fs22 (1111)}{\fs18 \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\fs18 \row }\pard \li20\nowidctlpar\widctlpar\tx20\tx480\tqr\tx9360\adjustright {\fs18 \par \par }{\fs22 Examples of the arithmetic operations in }{\f15\fs22 F}{\fs22\sub 2}{\fs22\up6\sub 4}{\i\fs22 }{\fs22 are: \par }\pard \nowidctlpar\widctlpar\tx20\tx480\tqr\tx9360\adjustright {\fs18 \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls10\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls10\adjustright {\fs22 (1101) + (1001) }{\f7 =}{\fs22 (0100). \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls10\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls10\adjustright {\fs22 (1101) }{\fs16 {\field{\*\fldinst SYMBOL 183 \\f "Symbol" \\s 8}{\fldrslt\f3\fs16}}}{\fs22 (1001) }{\f7 =}{\fs22 (1111). \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls10\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls10\adjustright {\fs22 (1101)}{\fs22\super \_l}{\fs22 }{\f7 =}{\fs22 (0100). \par {\*\bkmkstart _Toc403967196}{\listtext\pard\plain\s3 \b\f1\fs22\cf1\cgrid \hich\af1\dbch\af0\loch\f1 3.1.2\tab}}\pard\plain \s3\fi-720\li720\sb120\sa240\keepn\nowidctlpar\widctlpar\jclisttab\tx720\hyphpar0\ls28\ilvl2\outlinelevel2\adjustright \b\f1\cf1\cgrid {\fs22 Elliptic curves over }{\b0\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 {\*\bkmkend _Toc403967196} \par }\pard\plain \li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright \f4\fs20\lang1024\cgrid {\fs22 A (non\_supersingular) }{\i\fs22 elliptic curve E}{\fs22 (}{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 ) over }{\f15\fs22 F}{\fs22\sub 2}{ \i\fs22\up6\sub m}{\fs22 defined by the parameters }{\i\fs22 a, b }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 }{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m }{\fs22 ,}{\fs22 }{\i\fs22 b }{\i\fs22 {\field{\*\fldinst SYMBOL 185 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\i\fs22 }{\fs22 0,}{\i\fs22 }{\fs22 is the set of all solutions (}{\i\fs22 x}{\fs22 , }{\i\fs22 y}{\fs22 ), }{\i\fs22 x}{\fs22 , }{\i\fs22 y}{\fs22 }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 }{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 , to the equation \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs18 \par }\pard \qc\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\i\fs22 y}{\fs22\super 2}{\fs22 + }{\i\fs22 xy}{\fs22 }{\f7 =}{\fs22 }{\i\fs22 x}{\fs22\super 3}{\fs22 + }{\i\fs22 ax}{\fs22\super 2}{\fs22 + }{\i\fs22 b}{\fs22 , \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs18 \par }\pard \li14\sa120\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 together with an extra point }{\f30\fs22 O}{\fs22 , the }{\i\fs22 point at infinity. \par }\pard \li346\sa180\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 The set of points }{\i\fs22 E}{\fs22 (}{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 ) forms a group with the following addition rules: \par {\pntext\pard\plain\f30\fs22\lang1024\cgrid \hich\af30\dbch\af0\loch\f30 1.\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls11\pnrnot0\pndec\pnstart1\pnindent706\pnhang{\pntxta .}} \ls11\adjustright {\f30\fs22 O}{\fs22 + }{\f30\fs22 O}{\fs22 = }{\f30\fs22 O}{\fs22 \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 2.\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls11\pnrnot0\pndec\pnstart1\pnindent706\pnhang{\pntxta .}} \ls11\adjustright {\fs22 (}{\i\fs22 x}{\fs22 , }{\i\fs22 y}{\fs22 ) + }{\f30\fs22 O}{\fs22 = }{\f30\fs22 O }{\fs22 + (}{\i\fs22 x}{\fs22 , }{\i\fs22 y}{\fs22 ) = (}{\i\fs22 x}{\fs22 , }{\i\fs22 y}{\fs22 ) for all (}{\i\fs22 x}{\fs22 , }{\i\fs22 y}{\fs22 ) }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\i\fs22 E}{\fs22 (}{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 ). \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 3.\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls11\pnrnot0\pndec\pnstart1\pnindent706\pnhang{\pntxta .}} \ls11\adjustright {\fs22 (}{\i\fs22 x}{\fs22 , }{\i\fs22 y}{\fs22 ) + (}{\i\fs22 x}{\fs22 , }{\i\fs22 x}{\fs22 + }{\i\fs22 y}{\fs22 ) = }{\f30\fs22 O}{\fs22 for all (}{\i\fs22 x}{\fs22 , }{\i\fs22 y}{\fs22 ) }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\i\fs22 E}{\fs22 (}{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 ) (i.e., the negative of the point (}{\i\fs22 x}{\fs22 , }{\i\fs22 y}{\fs22 ) is \endash (}{\i\fs22 x}{\fs22 , }{\i\fs22 y}{\fs22 ) = (}{\i\fs22 x }{\fs22 , }{\i\fs22 x}{\fs22 + }{\i\fs22 y}{\fs22 )). \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 4.\tab}}\pard \fi-360\li706\sa120\nowidctlpar\widctlpar\tx20\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls11\pnrnot0\pndec\pnstart1\pnindent706\pnhang{\pntxta .}} \ls11\adjustright {\fs22 (Rule for adding two distinct points that are not inverses of each other) \par }\pard \qj\li691\sa120\nowidctlpar\widctlpar\tx20\tx240\tx280\tqr\tx9360{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\fs22 Let }{\i\fs22 P}{\fs22 = (}{\i\fs22 x}{\fs22\sub l}{\fs22 , }{\i\fs22 y}{\fs22\sub l}{\fs22 ) }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\i\fs22 E}{\fs22 (}{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 ) and }{\i\fs22 Q}{\fs22 = (}{\i\fs22 x}{\fs22\sub 2}{\fs22 , }{\i\fs22 y}{\fs22\sub 2}{\fs22 ) }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\i\fs22 E}{\fs22 (}{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 ) be two points such that }{\i\fs22 x}{\fs22\sub 1}{\fs22 }{\fs22 {\field{\*\fldinst SYMBOL 185 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 }{\i\fs22 x}{\fs22\sub 2}{\fs22 . Then }{\i\fs22 P}{\fs22 + }{\i\fs22 Q}{\fs22 = (}{\i\fs22 x}{\fs22\sub 3}{\fs22 , }{\i\fs22 y}{\fs22\sub 3}{\fs22 ),}{\i\fs16 }{\fs22 where \par }\pard \qj\li691\sa180\nowidctlpar\widctlpar\tx20\tx240\tx280\tx2880\tqr\tx9360{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\fs22 \tab }{\dn10 {\pict{\*\picprop\shplid1131{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}} {\sp{\sn fFlipV}{\sv 0}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}}{\sp{\sn fillColor}{\sv 268435473}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}} {\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}}\picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0 \picw4198\pich635\picwgoal2380\pichgoal360\wmetafile8\bliptag1444500633\blipupi-164{\*\blipuid 56195499b022ece2f014eea35c68df89} 0100090000036f0100000200150000000000050000000902000000000400000002010100050000000102ffffff00040000002e01180005000000310201000000 050000000b0200000000050000000c024002e00e1200000026060f001a00ffffffff000010000000c0ffffffb7ffffffa00e0000f70100000b00000026060f00 0c004d617468547970650000500015000000fb0280fe0000000000009001000000000402001054696d6573204e657720526f6d616e002900040000002d010000 08000000320aa001440e010000002c0015000000fb0220ff0000000000009001000000000402001054696d6573204e657720526f6d616e003900040000002d01 010004000000f001000008000000320ab301790b01000000320008000000320ab301ca0801000000310008000000320af400cb0301000000320008000000320a b301ee0001000000330015000000fb0280fe0000000000009001010000000402001054696d6573204e657720526f6d616e00ccca040000002d01000004000000 f001010008000000320aa0017e0d01000000610008000000320aa001d00a01000000780008000000320aa0013a0801000000780008000000320aa0014c000100 0000780010000000fb0280fe0000000000009001000000020002001053796d626f6c0000040000002d01010004000000f001000008000000320aa001580c0100 00002b0008000000320aa0019809010000002b0008000000320aa0010207010000002b0008000000320aa001aa04010000002b0008000000320aa001d6010100 00003d0010000000fb0280fe0000000000009001010000020002001053796d626f6c0000040000002d01000004000000f001010008000000320aa001ca050100 00006c0008000000320aa0010003010000006c000a00000026060f000a00ffffffff01000000000010000000fb021000070000000000bc02000000000102022253797374656d006e040000002d01010004000000f0010000030000000000000000ffffff0000000000000000}}{\fs22 \par \tab }{\dn10 {\pict{\*\picprop\shplid1132{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}}{\sp{\sn fFlipV}{\sv 0}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}} {\sp{\sn fillColor}{\sv 268435473}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}}{\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}} \picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0\picw4904\pich600\picwgoal2780\pichgoal340\wmetafile8\bliptag686778760\blipupi136{\*\blipuid 28ef69881a8e24551bc554d8dbf3a5a2} 010009000003900100000200150000000000050000000902000000000400000002010100050000000102ffffff00040000002e01180005000000310201000000 050000000b0200000000050000000c02200260111200000026060f001a00ffffffff000010000000c0ffffffa6ffffff20110000c60100000b00000026060f00 0c004d617468547970650000500015000000fb0280fe0000000000009001000000000402001054696d6573204e657720526f6d616e00bcc2040000002d010000 09000000320a8001ec0e03000000616e640008000000320a8001980e01000000200008000000320a80014a0e010000002c0008000000320a80016c0801000000 290008000000320a8001080401000000280015000000fb0220ff0000000000009001000000000402001054696d6573204e657720526f6d616e00150004000000 2d01010004000000f001000008000000320a9301ca0d01000000310008000000320a9301120b01000000330008000000320a9301dc0701000000330008000000 320a9301340501000000310008000000320a9301060101000000330015000000fb0280fe0000000000009001010000000402001054696d6573204e657720526f 6d616e00bcc2040000002d01000004000000f001010008000000320a8001340d01000000790008000000320a8001700a01000000780008000000320a80013a07 01000000780008000000320a8001a40401000000780008000000320a80015e0001000000790010000000fb0280fe000000000000900100000002000200105379 6d626f6c0000040000002d01010004000000f001000008000000320a8001ea0b010000002b0008000000320a80013809010000002b0008000000320a80010206 010000002b0008000000320a8001ee01010000003d0010000000fb0280fe0000000000009001010000020002001053796d626f6c0000040000002d0100000400 0000f001010008000000320a80011803010000006c000a00000026060f000a00ffffffff01000000000010000000fb021000070000000000bc02000000000102022253797374656d006e040000002d01010004000000f00100000300000000000000000000ffffff0000000000000000}}{\fs22 \par \tab }{\dn24 {\pict{\*\picprop\shplid1133{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}}{\sp{\sn fFlipV}{\sv 0}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}} {\sp{\sn fillColor}{\sv 268435473}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}}{\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}} \picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0\picw2223\pich1094\picwgoal1260\pichgoal620\wmetafile8\bliptag-1684885742\blipupi-1293{\*\blipuid 9b92af126c6240ec33555a47b6d3a89f} 010009000003760100000300150000000000050000000902000000000400000002010100050000000102ffffff00040000002e01180005000000310201000000 050000000b0200000000050000000c02e003e0071200000026060f001a00ffffffff000010000000c0ffffffb4ffffffa0070000940300000b00000026060f00 0c004d617468547970650000c00009000000fa02000010000000000000002200040000002d010000050000001402000202030500000013020002420715000000 fb0280fe0000000000009001000000000402001054696d6573204e657720526f6d616e002900040000002d01010008000000320a60026407010000002e000800 0000320a6002120102000000202015000000fb0220ff0000000000009001000000000402001054696d6573204e657720526f6d616e003500040000002d010200 04000000f001010008000000320a9b03960601000000310008000000320a9b03ef0301000000320008000000320a8501ae0601000000310008000000320a8501 ef0301000000320015000000fb0280fe0000000000009001010000000402001054696d6573204e657720526f6d616e008000040000002d01010004000000f001 020008000000320a8803060601000000780008000000320a8803460301000000780008000000320a7201180601000000790008000000320a7201400301000000 790010000000fb0280fe0000000000009001000000020002001053796d626f6c0000040000002d01020004000000f001010008000000320a8803ce0401000000 2b0008000000320a7201ce04010000002b0008000000320a6002cc01010000003d0010000000fb0280fe0000000000009001010000020002001053796d626f6c 0000040000002d01010004000000f001020008000000320a60023400010000006c000a00000026060f000a00ffffffff01000000000010000000fb021000070000000000bc02000000000102022253797374656d006e040000002d01020004000000f00101000300000000000000000000ffffff0000000000000000}}{ \fs22 \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 5.\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls11\pnrnot0\pndec\pnstart1\pnindent706\pnhang{\pntxta .}} \ls11\adjustright {\fs22 (Rule for doubling a point) \par }\pard \qj\li691\sa120\nowidctlpar\widctlpar\tx20\tx240\tx280\tqr\tx9360\adjustright {\fs22 Let }{\i\fs22 P}{\fs22 = (}{\i\fs22 x}{\fs22\sub l}{\fs22 , }{\i\fs22 y}{\fs22\sub l}{\fs22 ) }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt \f3\fs22}}}{\i\fs22 E}{\fs22 (}{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 ) be a point with }{\i\fs22 x}{\fs22\sub 1}{\fs22 }{\fs22 {\field{\*\fldinst SYMBOL 185 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 0. (If }{\i\fs22 x}{\fs22\sub 1}{ \fs22 = 0 then }{\i\fs22 P}{\fs22 = \endash }{\i\fs22 P}{\fs22 , and so 2}{\i\fs22 P}{\fs22 = }{\f30\fs22 O}{\fs22 .) Then 2}{\i\fs22 P}{\fs22 = (}{\i\fs22 x}{\fs22\sub 3}{\fs22 , }{\i\fs22 y}{\fs22\sub 3}{\fs22 ),}{\i\fs16 }{\fs22 where \par }\pard \qj\li691\sa180\nowidctlpar\widctlpar\tx20\tx240\tx280\tx2880\tqr\tx9360\adjustright {\fs22 \tab }{\dn10 {\pict{\*\picprop\shplid1134{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}} {\sp{\sn fFlipV}{\sv 0}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}}{\sp{\sn fillColor}{\sv 268435473}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}} {\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}}\picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0 \picw2681\pich635\picwgoal1520\pichgoal360\wmetafile8\bliptag-1894735003\blipupi-1293{\*\blipuid 8f10a3657292ddf3e69973d1a0c28e08} 0100090000033f0100000200150000000000050000000902000000000400000002010100050000000102ffffff00040000002e01180005000000310201000000 050000000b0200000000050000000c02400280091200000026060f001a00ffffffff000010000000c0ffffffb7ffffff40090000f70100000b00000026060f00 0c004d617468547970650000500015000000fb0280fe0000000000009001000000000402001054696d6573204e657720526f6d616e002c00040000002d010000 08000000320aa001ed08010000002c0015000000fb0220ff0000000000009001000000000402001054696d6573204e657720526f6d616e002500040000002d01 010004000000f001000008000000320af400cb0301000000320008000000320ab301ee0001000000330015000000fb0280fe0000000000009001010000000402 001054696d6573204e657720526f6d616e002c00040000002d01000004000000f001010008000000320aa001280801000000610008000000320aa0014c000100 0000780010000000fb0280fe0000000000009001000000020002001053796d626f6c0000040000002d01010004000000f001000008000000320aa00102070100 00002b0008000000320aa001aa04010000002b0008000000320aa001d601010000003d0010000000fb0280fe0000000000009001010000020002001053796d62 6f6c0000040000002d01000004000000f001010008000000320aa001ca05010000006c0008000000320aa0010003010000006c000a00000026060f000a00ffff ffff01000000000010000000fb021000070000000000bc02000000000102022253797374656d006e040000002d01010004000000f001000003000000000000000000000000002d0100000000}}{\fs22 \par \tab }{\dn12 {\pict{\*\picprop\shplid1135{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}}{\sp{\sn fFlipV}{\sv 0}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}} {\sp{\sn fillColor}{\sv 268435473}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}}{\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}} \picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0\picw3986\pich670\picwgoal2260\pichgoal380\wmetafile8\bliptag-1104025215\blipupi-258{\*\blipuid be31e98166a923c3a1deb48629c4ccb1} 010009000003780100000200150000000000050000000902000000000400000002010100050000000102ffffff00040000002e01180005000000310201000000 050000000b0200000000050000000c026002200e1200000026060f001a00ffffffff000010000000c0ffffffb7ffffffe00d0000170200000b00000026060f00 0c004d617468547970650000600015000000fb0280fe0000000000009001000000000402001054696d6573204e657720526f6d616e003100040000002d010000 09000000320aa001b00b03000000616e640008000000320aa0015c0b01000000200008000000320aa0010e0b010000002c0008000000320aa001470901000000 290008000000320aa001a50801000000310008000000320aa001ee0501000000280015000000fb0220ff0000000000009001000000000402001054696d657320 4e657720526f6d616e003500040000002d01010004000000f001000008000000320a0002840a01000000330008000000320af400ef0301000000320008000000 320a0002c00301000000310008000000320a0002060101000000330015000000fb0280fe0000000000009001010000000402001054696d6573204e657720526f 6d616e006800040000002d01000004000000f001010008000000320aa001e20901000000780008000000320aa001300301000000780008000000320aa0015e00 01000000790010000000fb0280fe0000000000009001000000020002001053796d626f6c0000040000002d01010004000000f001000008000000320aa001a907 010000002b0008000000320aa001ce04010000002b0008000000320aa001ee01010000003d0010000000fb0280fe000000000000900101000002000200105379 6d626f6c0000040000002d01000004000000f001010008000000320aa0017106010000006c000a00000026060f000a00ffffffff01000000000010000000fb02 1000070000000000bc02000000000102022253797374656d006e040000002d01010004000000f0010000030000000000000000000000000000f40ea000000000}}{\fs22 \par \tab }{\dn24 {\pict{\*\picprop\shplid1136{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}}{\sp{\sn fFlipV}{\sv 0}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}} {\sp{\sn fillColor}{\sv 268435473}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}}{\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}} \picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0\picw2150\pich1094\picwgoal1219\pichgoal620\wmetafile8\bliptag-113905029\blipupi-1372{\*\blipuid f935f27bad8a38167183c43954770efc} 0100090000035e0100000300150000000000050000000902000000000400000002010100050000000102ffffff00040000002e01180005000000310201000000 050000000b0200000000050000000c02e003a0071200000026060f001a00ffffffff000010000000c0ffffffb4ffffff60070000940300000b00000026060f00 0c004d617468547970650000c00009000000fa02000010000000000000002200040000002d010000050000001402000296050500000013020002fd0615000000 fb0280fe0000000000009001000000000402001054696d6573204e657720526f6d616e003900040000002d01010008000000320a60021f07010000002e000800 0000320a6002120102000000202015000000fb0220ff0000000000009001000000000402001054696d6573204e657720526f6d616e0094c0040000002d010200 04000000f001010008000000320a9b035e0601000000310008000000320a85016a0601000000310008000000320a73029e0301000000310015000000fb0280fe 0000000000009001010000000402001054696d6573204e657720526f6d616e003800040000002d01010004000000f001020008000000320a8803ce0501000000 780008000000320a7201d40501000000790008000000320a60020e0301000000780010000000fb0280fe0000000000009001000000020002001053796d626f6c 0000040000002d01020004000000f001010008000000320a60026b04010000002b0008000000320a6002cc01010000003d0010000000fb0280fe000000000000 9001010000020002001053796d626f6c0000040000002d01010004000000f001020008000000320a60023400010000006c000a00000026060f000a00ffffffff 01000000000010000000fb021000070000000000bc02000000000102022253797374656d006e040000002d01020004000000f001010003000000000000ffffff00ffffff0000000000000000}}{\fs22 \par }\pard \li14\sa120\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b\fs22 Example }{\fs22 (}{\i\fs22 An elliptic curve over }{\f15\fs22 F}{\fs22\sub 2}{\fs22\up6\sub 4}{\fs22 )}{\i\fs22 \par }\pard \li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 Consider the finite field }{\f15\fs22 F}{\fs22\sub 2}{\fs22\up6\sub 4}{\fs22\up6 }{\fs22 defined by the reduction polynomial }{\i\fs22 f}{\fs16 }{\fs22 (}{\i\fs22 x}{\fs22 )}{\i\fs22 = x}{\fs22\super 4}{\i\fs22 + x + }{\fs22 1.}{\i\fs22 \par }\pard \qj\li14\sa120\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\i\fs22 y}{\fs22\super 2}{\i\fs22 + xy = x}{\fs22\super 3}{\i\fs22 }{\fs22 + (0011)}{\i\fs22 x}{\fs22\super 2}{\fs22 + (0001) is an equation for an elliptic curve }{\i\fs22 E}{ \fs22 over }{\f15\fs22 F}{\fs22\sub 2}{\fs22\up6\sub 4}{\i\fs22 . }{\fs22 Here }{\i\fs22 a}{\fs22 = (0011) and }{\i\fs22 b = }{\fs22 (0001). The solutions over }{\f15\fs22 F}{\fs22\sub 2}{\fs22\up6\sub 4}{\i\fs22 }{\fs22 to this equation are: \par }\trowd \trqc\trgaph108\trleft-108 \clvertalt\cltxlrtb \cellx1332\clvertalt\cltxlrtb \cellx2772\clvertalt\cltxlrtb \cellx4212\clvertalt\cltxlrtb \cellx5652\clvertalt\cltxlrtb \cellx7092\pard \qj\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright { \fs22 (0000,0001)\cell (0001,1100)\cell (0001,1101)\cell (1000,0101)\cell (1000,1101)\cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\fs22 \row }\trowd \trqc\trgaph108\trleft-108 \clvertalt\cltxlrtb \cellx1332\clvertalt\cltxlrtb \cellx2772 \clvertalt\cltxlrtb \cellx4212\clvertalt\cltxlrtb \cellx5652\clvertalt\cltxlrtb \cellx7092\pard \qj\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 (0110,1000)\cell (0110,1110)\cell (1100,0101)\cell (1100,1001)\cell (1010,0111)\cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\fs22 \row }\trowd \trqc\trgaph108\trleft-108 \clvertalt\cltxlrtb \cellx1332\clvertalt\cltxlrtb \cellx2772\clvertalt\cltxlrtb \cellx4212\clvertalt\cltxlrtb \cellx5652\clvertalt\cltxlrtb \cellx7092\pard \qj\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 (1010,1101)\cell (0111,0010)\cell (0111,0101)\cell (1111,0000)\cell (1111,1111)\cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\fs22 \row }\pard \qj\fi346\li14\sb120\sa120\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\i\fs22 E}{\fs22 (}{\f15\fs22 F}{\fs22\sub 2}{\fs22\up6\sub 4}{\fs22 ) has 16 points, including the point at infinity }{\f30\fs22 O}{\fs22 . The following are examples of the addition law: \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx240\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls12\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls12\adjustright {\fs22 (1100, 0101) + (1000, 1101) = (0001, 1101). \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx240\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls12\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls12\adjustright {\fs22 2(1100, 0101) = (0111, 0101). \par {\*\bkmkstart _Toc403967197}{\listtext\pard\plain\s3 \b\f1\fs22\cf1\cgrid \hich\af1\dbch\af0\loch\f1 3.1.3\tab}}\pard\plain \s3\fi-720\li720\sa240\keepn\nowidctlpar\widctlpar\jclisttab\tx720\hyphpar0\ls28\ilvl2\outlinelevel2\adjustright \b\f1\cf1\cgrid { \fs22 Format for challenge parameters (the }{\b0\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 case){\*\bkmkend _Toc403967197} \par }\pard\plain \qj\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright \f4\fs20\lang1024\cgrid {\fs22 This subsection describes the conventions used for representing the challenge parameters for elliptic curves over }{\f15\fs22 F}{\fs22\sub 2}{ \i\fs22\up6\sub m}{\fs22 . Two types of elliptic curves over }{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 are included in the challenge: }{\i\fs22 random curves }{\fs22 and }{\i\fs22 Koblitz curves. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\i\fs22 \par }\pard \qj\fi340\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\i\fs22 Koblitz curves }{\fs22 over }{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\i\fs22 }{\fs22 are special types of elliptic curves }{\i\fs22 E }{\fs22 defined over }{\f15\fs22 F}{\fs22\sub 2}{\fs22 which have exactly 2 points in }{\i\fs22 E}{\fs22 (}{\f15\fs22 F}{\fs22\sub 2}{\fs22 ). They were first proposed for use in elliptic curve cryptography by Koblitz [Koblitz2]; see also [Solinas]. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par }\pard \qj\fi340\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 There have not been any mathematical discoveries to date to suggest that the ECDLP for randomly generated elliptic curves is any easier or harder than the ECDLP for Koblitz curves. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par }\pard \li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b Challenge parameters (random curves) \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b\fs22 \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx240\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls13\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls13\adjustright {\i\fs22 m}{\fs22 \emdash the order of}{\b\fs22 }{\fs22 the finite field is 2}{\i\fs22\super m}{\fs22 . \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \qj\fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx200\tx250\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls13\pnrnot0\pnf3\pnstart1\pnindent360\pnhang {\pntxtb \'b7}}\ls13\adjustright {\i\fs22 f}{\fs16 }{\fs22 (}{\i\fs22 x}{\fs22 )}{\i\fs22 \emdash }{\fs22 the reduction polynomial which defines the polynomial basis representation of }{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 . \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \qj\fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx200\tx240\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls13\pnrnot0\pnf3\pnstart1\pnindent360\pnhang {\pntxtb \'b7}}\ls13\adjustright {\fs22 seedE \emdash the seed that was}{\b\fs22 }{\fs22 used to generate the parameters }{\i\fs22 a }{\fs22 and }{\i\fs22 b }{\fs22 (see Algorithm 1 in Section 3.1.4).}{\i\fs22 \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx220\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls13\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls13\adjustright {\i\fs22 a, b \emdash }{\fs22 the field elements which define the elliptic curve }{\i\fs22 E: y}{\i\fs22\super 2}{\i\fs22 + xy = x}{\fs22\super 3}{\i\fs22 +}{\i\fs16 }{\i\fs22 ax}{\fs22\super 2}{\i\fs22 + b.}{\fs22 \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \qj\fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx200\tx240\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls13\pnrnot0\pnf3\pnstart1\pnindent360\pnhang {\pntxtb \'b7}}\ls13\adjustright {\fs22 seedP \emdash the seed that was used to generate the point }{\i\fs22 P}{\fs22 (see Algorithm 3 in Section 3.1.4). \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx200\tx240\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls13\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls13\adjustright {\i\fs22 x}{\i\fs22\sub P}{\fs22 , }{\i\fs22 y}{\i\fs22\sub P}{\fs22 \emdash the }{\i\fs22 x}{\fs22 \_ and }{\i\fs22 y}{\fs22 \_coordinates of the base point }{\i\fs22 P}{\fs22 . \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx200\tx240\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls13\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls13\adjustright {\i\fs22 n \emdash }{\fs22 the order of the point }{\i\fs22 P}{\fs22 ; }{\i\fs22 n}{\fs22 is a prime number.}{\i\fs22 \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx240\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls13\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls13\adjustright {\i\fs22 h \emdash }{\fs22 the co\_factor }{\i\fs22 h }{\fs22 (the number of points in }{\i\fs22 E}{\fs22 (}{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 ) divided by }{\i\fs22 n}{\fs22 )}{\i\fs22 .}{\fs22 \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \qj\fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx200\tx240\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls13\pnrnot0\pnf3\pnstart1\pnindent360\pnhang {\pntxtb \'b7}}\ls13\adjustright {\fs22 seedQ \emdash the seed that was used to generate the point }{\i\fs22 Q}{\fs22 (see Algorithm 3 in Section 3.1.4). \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx200\tx240\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls13\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls13\adjustright {\i\fs22 x}{\i\fs22\sub Q}{\fs22 , }{\i\fs22 y}{\i\fs22\sub Q}{\fs22 \emdash the }{\i\fs22 x}{\fs22 \_ and }{\i\fs22 y}{\fs22 \_coordinates of the public key point }{\i\fs22 Q}{\fs22 . \par }\pard \nowidctlpar\widctlpar\tx20\tx240\tqr\tx9360{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\fs22 \par }\pard \li20\nowidctlpar\widctlpar\tx20\tqr\tx9360{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\b Challenge parameters (Koblitz curves) \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\b\fs22 \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx240\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls13\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls13\adjustright {\i\fs22 m}{\fs22 \emdash the order of}{\b\fs22 }{\fs22 the finite field is 2}{\i\fs22\super m}{\fs22 . \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \qj\fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx200\tx250\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls13\pnrnot0\pnf3\pnstart1\pnindent360\pnhang {\pntxtb \'b7}}\ls13\adjustright {\i\fs22 f}{\fs16 }{\fs22 (}{\i\fs22 x}{\fs22 )}{\i\fs22 \emdash }{\fs22 the reduction polynomial which defines the polynomial basis representation of }{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 . \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \qj\fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx220\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls13\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls13\adjustright {\i\fs22 a, b \emdash }{\fs22 the field elements which define the elliptic curve }{\i\fs22 E: y}{\i\fs22\super 2}{\i\fs22 + xy = x}{\fs22\super 3}{\i\fs22 +}{\i\fs16 }{\i\fs22 ax}{\fs22\super 2}{\i\fs22 + b.}{\fs22 \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \qj\fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx200\tx240\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls13\pnrnot0\pnf3\pnstart1\pnindent360\pnhang {\pntxtb \'b7}}\ls13\adjustright {\fs22 seedP \emdash the seed that was used to generate the point }{\i\fs22 P}{\fs22 (see Algorithm 3 in Section 3.1.4). \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx200\tx240\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls13\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls13\adjustright {\i\fs22 x}{\i\fs22\sub P}{\fs22 , }{\i\fs22 y}{\i\fs22\sub P}{\fs22 \emdash the }{\i\fs22 x}{\fs22 \_ and }{\i\fs22 y}{\fs22 \_coordinates of the base point }{\i\fs22 P}{\fs22 . \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx200\tx240\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls13\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls13\adjustright {\i\fs22 n \emdash }{\fs22 the order of the point }{\i\fs22 P}{\fs22 ; }{\i\fs22 n}{\fs22 is a prime number.}{\i\fs22 \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx240\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls13\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls13\adjustright {\i\fs22 h \emdash }{\fs22 the co\_factor }{\i\fs22 h }{\fs22 (the number of points in }{\i\fs22 E}{\fs22 (}{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 ) divided by }{\i\fs22 n}{\fs22 )}{\i\fs22 .}{\fs22 \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \qj\fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx200\tx240\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls13\pnrnot0\pnf3\pnstart1\pnindent360\pnhang {\pntxtb \'b7}}\ls13\adjustright {\fs22 seedQ \emdash the seed that was used to generate the point }{\i\fs22 Q}{\fs22 (see Algorithm 3 in Section 3.1.4). \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx200\tx240\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls13\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls13\adjustright {\i\fs22 x}{\i\fs22\sub Q}{\fs22 , }{\i\fs22 y}{\i\fs22\sub Q}{\fs22 \emdash the }{\i\fs22 x}{\fs22 \_ and }{\i\fs22 y}{\fs22 \_coordinates of the public key point }{\i\fs22 Q}{\fs22 . \par }\pard \li14\sb120\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b Data formats \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b\fs22 \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \qj\fi-360\li706\sa180\nowidctlpar\widctlpar\tx220\tx270\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls14\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls14\adjustright {\i\fs22 Integers }{\fs22 are represented in hexadecimal, the rightmost bit being the least significant bit. Example: The decimal integer 123456789 is represented in hexadecimal as 075BCD15. \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\nowidctlpar\widctlpar\tx220\tx270\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls14\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls14\adjustright {\i\fs22 Field elements }{\fs22 (of }{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 ) are represented in hexadecimal, padded with 0\rquote s on the left. \par }\pard \qj\li691\sa180\nowidctlpar\widctlpar\tx220\tx270\tqr\tx9360{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\fs22 Example: Suppose }{\i\fs22 m}{\fs22 = 23. The field element }{\i\fs22 a }{\fs22 = }{\i\fs22 x}{\fs22\super 22}{\fs22 + }{ \i\fs22 x}{\fs22\super 21}{\fs22 + }{\i\fs22 x}{\fs22\super 19}{\i\fs22 + x}{\fs22\super 17}{\fs22 + }{\i\fs22 x}{\fs22\super 5}{\fs22 + 1 is}{\fs14 }{\fs22 represented in binary as (11010100000000000100001), or in hexadecimal as 006A0021. \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \qj\fi-360\li706\sa180\nowidctlpar\widctlpar\tx220\tx270\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls14\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls14\adjustright {\i\fs22 Seeds }{\fs22 for generating random elliptic curves and random elliptic curve points (see Section 3.1.4) are 160\_bit strings and are represented in hexadecimal. \par {\*\bkmkstart _Toc403967198}{\listtext\pard\plain\s3 \b\f1\fs22\cf1\cgrid \hich\af1\dbch\af0\loch\f1 3.1.4\tab}}\pard\plain \s3\fi-720\li720\sb120\sa240\keepn\nowidctlpar\widctlpar\jclisttab\tx720\hyphpar0\ls28\ilvl2\outlinelevel2\adjustright \b\f1\cf1\cgrid {\fs22 Random elliptic curves and points (the }{\b0\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 case){\*\bkmkend _Toc403967198} \par }\pard\plain \qj\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright \f4\fs20\lang1024\cgrid {\fs22 This subsection describes the method that is used for }{\i\fs22 verifiably }{\fs22 selecting elliptic curves and points at random. The defining parameters of the elliptic curve or point are defined to be outputs of the one\_way hash function SHA\_1 (as specified in FIPS 180\_1 [SHA\_1]). The input seed to SHA\_ 1 then serves as proof (under the assumption that SHA\_1 cannot be inverted) that the elliptic curve or point were indeed generated at random. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par }\pard \li346\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 The following notation is used: }{\i\fs22 s}{\fs22 = }{\fs22 {\field{\*\fldinst SYMBOL 235 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 (}{\i\fs22 m}{\fs22 \endash 1)/160}{\fs22 {\field{\*\fldinst SYMBOL 251 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 and }{\i\fs22 h = m }{\fs22 \endash 160 }{\fs16 {\field{\*\fldinst SYMBOL 183 \\f "Symbol" \\s 8}{\fldrslt\f3\fs16}}}{\i\fs22 s}{\fs22 . \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par }\pard \li14\sa180\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b Algorithm 1: Generating a random elliptic curve over }{\f15 F}{\b\sub 2}{\b\i\up6\sub m}{\b \par }\pard \li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b\fs22 Input:}{\b\fs24 }{\fs22 A field size }{\i\fs22 q}{\fs22 = 2}{\i\fs22\super m}{\fs22 .}{\fs24 \par }\pard \qj\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b\fs22 Output:}{\b\fs24 }{\fs22 A 160\_bit bit string seedE and field elements }{\i\fs22 a, b }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 }{ \f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 which define an elliptic curve }{\i\fs22 E }{\fs22 over }{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 . \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 1.\tab}}\pard \li346\sa180\nowidctlpar\widctlpar\tx20\tx260\tx310\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls15\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang{\pntxta .}} \ls15\adjustright {\fs22 Choose an arbitrary bit string seedE of length 160 bits.}{\i\fs22 \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 2.\tab}}\pard \qj\fi-302\li648\sa180\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls15\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls15\adjustright {\fs22 Compute }{\i\fs22 H = }{\fs22 SHA\_1(seedE), and let }{\i\fs22 b}{\fs22\sub 0}{\fs22 denote the bit string of length }{\i\fs22 h }{\fs22 bits obtained by taking the }{\i\fs22 h }{\fs22 rightmost bits of }{\i\fs22 H.}{ \fs22 \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 3.\tab}}\pard \qj\fi-302\li648\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls15\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls15\adjustright {\fs22 For }{\i\fs22 i}{\fs22 from 1 to }{\i\fs22 s}{\fs22 do: \par }\pard \li648\sa180\nowidctlpar\widctlpar\tx20\tx300\tqr\tx9360{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\fs22 Compute }{\i\fs22 b}{\i\fs22\sub i}{\i\fs22 = }{\fs22 SHA\_1((seedE + }{\i\fs22 i}{\fs22 ) mod 2}{\fs22\super 160}{\fs22 ). \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 4.\tab}}\pard \qj\fi-302\li648\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls15\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls15\adjustright {\fs22 Let }{\i\fs22 b }{\fs22 be the field element obtained by the concatenation of }{\i\fs22 b}{\fs22\sub 0}{\fs22 , }{\i\fs22 b}{\fs22\sub 1}{\fs22 , \'85}{\i\fs22 , b}{\i\fs22\sub s}{\fs22 as follows: \par }\pard \li648\nowidctlpar\widctlpar\tx20\tx300\tx2880\tqr\tx9360{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\fs22 \tab }{\i\fs22 b = b}{\fs22\sub 0}{\fs22 }{\fs22\expnd-6\expndtw-32 {\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt \f3\fs22}}{\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 }{\i\fs22 b}{\fs22\sub 1}{\fs22 }{\fs22\expnd-6\expndtw-32 {\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}{\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 \'85 }{\fs22\expnd-6\expndtw-32 {\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}{\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\i\fs22 b}{\i\fs22\sub s}{\fs22 . \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 5.\tab}}\pard \li346\sa180\nowidctlpar\widctlpar\tx20\tx260\tx310\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls15\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang{\pntxta .}} \ls15\adjustright {\fs22 If }{\i\fs22 b }{\fs22 = 0 then go to step 1.}{\i\fs22 \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 6.\tab}}\pard \qj\fi-302\li648\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls15\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls15\adjustright {\fs22 Let }{\i\fs22 a }{\fs22 be an arbitrary element of}{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 . \par }\pard \li648\sa180\nowidctlpar\widctlpar\tx20\tx300\tqr\tx9360{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\fs22 (Note: For a fixed }{\i\fs22 b, }{\fs22 there are only 2 essentially different choices for }{\i\fs22 a \emdash }{\fs22 other values of }{\i\fs22 a}{\fs22 give rise to }{\i\fs22 isomorphic }{\fs22 elliptic curves. Hence the choice of }{\i\fs22 a }{\fs22 is}{\i\fs22 }{\fs22 essentially without loss of generality.) \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 7.\tab}}\pard \qj\fi-302\li648\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls15\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls15\adjustright {\fs22 The elliptic curve chosen over }{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 is \par }\pard \li648\sa180\nowidctlpar\widctlpar\tx20\tx300\tx2880\tqr\tx9360{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\fs22 \tab }{\i\fs22 E }{\fs22 :}{\i\fs22 y}{\fs22\super 2}{\i\fs22 }{\fs22 +}{\i\fs22 xy }{\fs22 =}{\i\fs22 x}{\fs22\super 3}{\i\fs22 }{\fs22 +}{\i\fs22 ax}{\fs22\super 2}{\i\fs22 }{\fs22 +}{\i\fs22 b}{\fs22 . \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 8.\tab}}\pard \li346\sa180\nowidctlpar\widctlpar\tx20\tx260\tx310\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls15\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang{\pntxta .}} \ls15\adjustright {\fs22 Output(seedE, }{\i\fs22 a, b}{\fs22 ).}{\i\fs22 \par }\pard \li14\sb120\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b Algorithm 2: Verifying that an elliptic curve was randomly generated \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b\fs24 \par }\pard \qj\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b\fs22 Input:}{\b\fs24 }{\fs22 A field size }{\i\fs22 q}{\fs22 = 2}{\i\fs22\super m}{\fs22 , a bit string seedE of length 160 bits, and field elements }{\i\fs22 a, b }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 }{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 which define an elliptic curve }{\i\fs22 E }{\fs22 :}{\i\fs22 y}{\fs22\super 2}{\i\fs22 }{\fs22 +}{\i\fs22 xy }{\fs22 =} {\i\fs22 x}{\fs22\super 3}{\i\fs22 }{\fs22 +}{\i\fs22 ax}{\fs22\super 2}{\i\fs22 }{\fs22 +}{\i\fs22 b}{\fs22 over }{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 . }{\b\fs22 \par Output: }{\fs22 Acceptance or rejection that }{\i\fs22 E }{\fs22 was randomly generated using Algorithm 1.}{\fs24 \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs24 \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 1.\tab}}\pard \qj\fi-317\li663\sa180\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls16\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls16\adjustright {\fs22 Compute }{\i\fs22 H = }{\fs22 SHA\_1(seedE), and let }{\i\fs22 b}{\fs22\sub 0}{\fs22 denote the bit string of length }{\i\fs22 h }{\fs22 bits obtained by taking the }{\i\fs22 h }{\fs22 rightmost bits of }{\i\fs22 H.}{ \fs22 \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 2.\tab}}\pard \qj\fi-317\li663\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls16\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls16\adjustright {\fs22 For }{\i\fs22 i}{\fs22 from 1 to }{\i\fs22 s}{\fs22 do: \par }\pard \li648\sa180\nowidctlpar\widctlpar\tx20\tx300\tqr\tx9360{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\fs22 Compute }{\i\fs22 b}{\i\fs22\sub i}{\i\fs22 = }{\fs22 SHA\_1((seedE + }{\i\fs22 i}{\fs22 ) mod 2}{\fs22\super 160}{\fs22 ). \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 3.\tab}}\pard \qj\fi-317\li663\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls16\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls16\adjustright {\fs22 Let }{\i\fs22 b}{\f6\fs22 \rquote }{\i\fs22 }{\fs22 be the field element obtained by the concatenation of }{\i\fs22 b}{\fs22\sub 0}{\fs22 , }{\i\fs22 b}{\fs22\sub 1}{\fs22 , \'85}{\i\fs22 , b}{\i\fs22\sub s}{\fs22 as follows: \par }\pard \li648\sa180\nowidctlpar\widctlpar\tx20\tx300\tx2880\tqr\tx9360{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\fs22 \tab }{\i\fs22 b}{\f6\fs22 \rquote }{\i\fs22 = b}{\fs22\sub 0}{\fs22 }{\fs22\expnd-6\expndtw-32 {\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}{\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 }{\i\fs22 b}{\fs22\sub 1}{\fs22 }{\fs22\expnd-6\expndtw-32 {\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt \f3\fs22}}{\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 \'85 }{\fs22\expnd-6\expndtw-32 {\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}{\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt \f3\fs22}}}{\i\fs22 b}{\i\fs22\sub s}{\fs22 . \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 4.\tab}}\pard \qj\fi-317\li663\sa180\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls16\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls16\adjustright {\fs22 If }{\i\fs22 b = b}{\f6\fs22 \rquote }{\i\fs22 }{\fs22 then accept; otherwise reject. \par }\pard \li14\sb120\sa180\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b Algorithm 3: Generating a random elliptic curve point \par }\pard \li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b\fs22 Input:}{\b\fs24 }{\fs22 Field elements }{\i\fs22 a}{\fs22 , }{\i\fs22 b}{\fs22 }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 }{\f15\fs22 F}{ \fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 which define an elliptic curve }{\i\fs22 E }{\fs22 :}{\i\fs22 y}{\fs22\super 2}{\i\fs22 }{\fs22 +}{\i\fs22 xy }{\fs22 =}{\i\fs22 x}{\fs22\super 3}{\i\fs22 }{\fs22 +}{\i\fs22 ax}{\fs22\super 2}{\i\fs22 }{\fs22 +}{\i\fs22 b}{\fs22 over }{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 . The order of }{\i\fs22 E}{\fs22 (}{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 ) is }{\i\fs22 n }{\fs16 {\field{\*\fldinst SYMBOL 183 \\f "Symbol" \\s 8}{\fldrslt \f3\fs16}}}{\i\fs22 h}{\fs22 , where }{\i\fs22 n}{\fs22 is a prime.}{\fs24 \par }\pard \qj\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b\fs22 Output:}{\b\fs24 }{\fs22 A bit string seedP, a field element }{\i\fs22 y}{\i\fs22\sub U}{\i\fs22 , }{\fs22 and a point }{\i\fs22 P }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 }{\i\fs22 E}{\fs22 (}{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 ) of order }{\i\fs22 n}{\fs22 . \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 1.\tab}}\pard \fi-648\li994\sa180\nowidctlpar\widctlpar\tx20\tx260\tx310\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls17\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls17\adjustright {\fs22 Choose an arbitrary bit string seedE of length 160 bits.}{\i\fs22 \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 2.\tab}}\pard \qj\fi-302\li648\sa180\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls17\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls17\adjustright {\fs22 Compute }{\i\fs22 H = }{\fs22 SHA\_1(seedP), and let }{\i\fs22 x}{\fs22\sub 0}{\fs22 denote the bit string of length }{\i\fs22 h }{\fs22 bits obtained by taking the }{\i\fs22 h }{\fs22 rightmost bits of }{\i\fs22 H.}{ \fs22 \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 3.\tab}}\pard \qj\fi-302\li648\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls17\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls17\adjustright {\fs22 For }{\i\fs22 i}{\fs22 from 1 to }{\i\fs22 s}{\fs22 do: \par }\pard \li648\sa180\nowidctlpar\widctlpar\tx20\tx300\tqr\tx9360{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\fs22 Compute }{\i\fs22 x}{\i\fs22\sub i}{\i\fs22 = }{\fs22 SHA\_1((seedP + }{\i\fs22 i}{\fs22 ) mod 2}{\fs22\super 160}{\fs22 ). \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 4.\tab}}\pard \qj\fi-302\li648\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls17\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls17\adjustright {\fs22 Let }{\i\fs22 x}{\i\fs22\sub U}{\i\fs22 }{\fs22 be the field element obtained by the concatenation of }{\i\fs22 x}{\fs22\sub 0}{\fs22 , }{\i\fs22 x}{\fs22\sub 1}{\fs22 , \'85}{\i\fs22 , x}{\i\fs22\sub s}{\fs22 as follows: \par }\pard \li648\sa180\nowidctlpar\widctlpar\tx20\tx300\tx2880\tqr\tx9360{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\fs22 \tab }{\i\fs22 x}{\i\fs22\sub U}{\i\fs22 = x}{\fs22\sub 0}{\fs22 }{\fs22\expnd-6\expndtw-32 {\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}{\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 }{\i\fs22 x}{\fs22\sub 1}{\fs22 }{\fs22\expnd-6\expndtw-32 {\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}} {\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 \'85 }{\fs22\expnd-6\expndtw-32 {\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}{\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{ \i\fs22 x}{\i\fs22\sub s}{\fs22 . \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 5.\tab}}\pard \li346\sa180\nowidctlpar\widctlpar\tx20\tx260\tx310\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls17\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang{\pntxta .}} \ls17\adjustright {\fs22 If the equation }{\dn10 {\pict{\*\picprop\shplid1137{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}}{\sp{\sn fFlipV}{\sv 0}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}} {\sp{\sn fillColor}{\sv 268435473}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}}{\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}} \picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0\picw4128\pich635\picwgoal2340\pichgoal360\wmetafile8\bliptag-169166613\blipupi-201{\*\blipuid f5eab8ebadf52842d07958ce698a098e} 010009000003570100000200150000000000050000000902000000000400000002010100050000000102ffffff00040000002e01180005000000310201000000 050000000b0200000000050000000c024002a00e1200000026060f001a00ffffffff000010000000c0ffffffb7ffffff600e0000f70100000b00000026060f00 0c004d617468547970650000500015000000fb0280fe0000000000009001010000000402001054696d6573204e657720526f6d616e002100040000002d010000 08000000320aa0019e0d01000000620008000000320aa001000a02000000617808000000320aa001160701000000780008000000320aa001c204010000007900 08000000320aa0013a0301000000780008000000320aa0015e0001000000790015000000fb0220ff0000000000009001010000000402001054696d6573204e65 7720526f6d616e006100040000002d01010004000000f001000008000000320ab301540b01000000550008000000320ab301aa0701000000550008000000320a b301ce0301000000550010000000fb0280fe0000000000009001000000020002001053796d626f6c0000040000002d01000004000000f001010008000000320a a001840c010000002b0008000000320aa001da08010000002b0008000000320aa001d405010000003d0008000000320aa0010202010000002b0015000000fb02 20ff0000000000009001000000000402001054696d6573204e657720526f6d616e002100040000002d01010004000000f001000008000000320af4007f0b0100 0000320008000000320af400ce0701000000330008000000320af40023010100000032000a00000026060f000a00ffffffff01000000000010000000fb021000070000000000bc02000000000102022253797374656d006e040000002d01000004000000f00101000300000000000000000000000000030000000000}}{ \fs22 does not have a solution }{\i\fs22 y}{\fs22 }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 }{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 , then go to step 1.}{\i\fs22 \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 6.\tab}}\pard \qj\fi-302\li648\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls17\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls17\adjustright {\fs22 Select an arbitrary solution }{\i\fs22 y}{\i\fs22\sub U}{\fs22 }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 }{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 to the equation }{\dn10 {\pict{\*\picprop\shplid1138{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}}{\sp{\sn fFlipV}{\sv 0}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}} {\sp{\sn fillColor}{\sv 268435473}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}}{\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}} \picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0\picw4128\pich635\picwgoal2340\pichgoal360\wmetafile8\bliptag-169166613\blipupi-201{\*\blipuid f5eab8ebadf52842d07958ce698a098e} 010009000003570100000200150000000000050000000902000000000400000002010100050000000102ffffff00040000002e01180005000000310201000000 050000000b0200000000050000000c024002a00e1200000026060f001a00ffffffff000010000000c0ffffffb7ffffff600e0000f70100000b00000026060f00 0c004d617468547970650000500015000000fb0280fe0000000000009001010000000402001054696d6573204e657720526f6d616e002100040000002d010000 08000000320aa0019e0d01000000620008000000320aa001000a02000000617808000000320aa001160701000000780008000000320aa001c204010000007900 08000000320aa0013a0301000000780008000000320aa0015e0001000000790015000000fb0220ff0000000000009001010000000402001054696d6573204e65 7720526f6d616e006100040000002d01010004000000f001000008000000320ab301540b01000000550008000000320ab301aa0701000000550008000000320a b301ce0301000000550010000000fb0280fe0000000000009001000000020002001053796d626f6c0000040000002d01000004000000f001010008000000320a a001840c010000002b0008000000320aa001da08010000002b0008000000320aa001d405010000003d0008000000320aa0010202010000002b0015000000fb02 20ff0000000000009001000000000402001054696d6573204e657720526f6d616e002100040000002d01010004000000f001000008000000320af4007f0b0100 0000320008000000320af400ce0701000000330008000000320af40023010100000032000a00000026060f000a00ffffffff01000000000010000000fb021000070000000000bc02000000000102022253797374656d006e040000002d01000004000000f00101000300000000000000000000000000030000000000}}{ \fs22 . \par }\pard \li648\sa180\nowidctlpar\widctlpar\tx20\tx300\tqr\tx9360{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\fs22 (Note: this equation will have either 1 or 2 distinct solutions. Hence the choice of }{\i\fs22 y}{\i\fs22\sub U}{\i\fs22 }{ \fs22 is}{\i\fs22 }{\fs22 essentially without loss of generality.) \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 7.\tab}}\pard \qj\fi-302\li648\sa180\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls17\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls17\adjustright {\fs22 Let }{\i\fs22 U}{\fs22 be the point (}{\i\fs22 x}{\i\fs22\sub U}{\fs22 , }{\i\fs22 y}{\i\fs22\sub U}{\fs22 ). \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 8.\tab}}\pard \qj\fi-302\li648\sa180\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls17\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls17\adjustright {\fs22 Compute }{\i\fs22 P}{\fs22 = }{\i\fs22 hU}{\fs22 . \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 9.\tab}}\pard \qj\fi-302\li648\sa180\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls17\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls17\adjustright {\fs22 If }{\i\fs22 P}{\fs22 = }{\f30\fs22 O}{\fs22 then go to step 1. \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 10.\tab}}\pard \li346\sa180\nowidctlpar\widctlpar\tx20\tx260\tx310\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls17\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang{\pntxta .}} \ls17\adjustright {\fs22 Output(seedP, }{\i\fs22 y}{\i\fs22\sub U}{\i\fs22 , P}{\fs22 ).}{\i\fs22 \par }\pard \li14\sb120\sa120\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b Algorithm 4: Verifying that an elliptic curve point was randomly generated \par }\pard \qj\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b\fs22 Input:}{\b\fs24 }{\fs22 A field size }{\i\fs22 q}{\fs22 = 2}{\i\fs22\super m}{\fs22 , field elements }{\i\fs22 a, b }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 }{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 which define an elliptic curve }{\i\fs22 E }{\fs22 :}{\i\fs22 y}{\fs22\super 2}{\i\fs22 }{\fs22 +}{\i\fs22 xy }{\fs22 =}{\i\fs22 x}{\fs22\super 3}{\i\fs22 }{ \fs22 +}{\i\fs22 ax}{\fs22\super 2}{\i\fs22 }{\fs22 +}{\i\fs22 b}{\fs22 over }{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 , a bit string seedP of length 160 bits, a field element }{\i\fs22 y}{\i\fs22\sub U}{\fs22 }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 }{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\i\fs22 ,}{\fs22 and an elliptic curve point }{\i\fs22 P}{\fs22 = (}{\i\fs22 x}{\i\fs22\sub P}{\fs22 , }{\i\fs22 y}{\i\fs22\sub P}{\fs22 ). The order of }{\i\fs22 E}{\fs22 (}{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 ) is }{\i\fs22 n }{\fs16 {\field{\*\fldinst SYMBOL 183 \\f "Symbol" \\s 8}{\fldrslt\f3\fs16}}}{\i\fs22 h}{\fs22 , where }{\i\fs22 n}{\fs22 is a prime.}{\b\fs22 \par Output: }{\fs22 Acceptance or rejection that }{\i\fs22 P }{\fs22 was randomly generated using Algorithm 3.}{\fs24 \par }\pard \li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 1.\tab}}\pard \qj\fi-302\li648\sa180\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls18\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls18\adjustright {\fs22 Compute }{\i\fs22 H = }{\fs22 SHA\_1(seedP), and let }{\i\fs22 x}{\fs22\sub 0}{\fs22 denote the bit string of length }{\i\fs22 h }{\fs22 bits obtained by taking the }{\i\fs22 h }{\fs22 rightmost bits of }{\i\fs22 H.}{ \fs22 \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 2.\tab}}\pard \qj\fi-302\li648\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls18\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls18\adjustright {\fs22 For }{\i\fs22 i}{\fs22 from 1 to }{\i\fs22 s}{\fs22 do: \par }\pard \li648\sa180\nowidctlpar\widctlpar\tx20\tx300\tqr\tx9360{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\fs22 Compute }{\i\fs22 x}{\i\fs22\sub i}{\i\fs22 = }{\fs22 SHA\_1((seedP + }{\i\fs22 i}{\fs22 ) mod 2}{\fs22\super 160}{\fs22 ). \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 3.\tab}}\pard \qj\fi-302\li648\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls18\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls18\adjustright {\fs22 Let }{\i\fs22 x}{\i\fs22\sub U}{\i\fs22 }{\fs22 be the field element obtained by the concatenation of }{\i\fs22 x}{\fs22\sub 0}{\fs22 , }{\i\fs22 x}{\fs22\sub 1}{\fs22 , \'85}{\i\fs22 , x}{\i\fs22\sub s}{\fs22 as follows: \par }\pard \li648\sa180\nowidctlpar\widctlpar\tx20\tx300\tx2880\tqr\tx9360{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\fs22 \tab }{\i\fs22 x}{\i\fs22\sub U}{\i\fs22 = x}{\fs22\sub 0}{\fs22 }{\fs22\expnd-6\expndtw-32 {\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}{\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 }{\i\fs22 x}{\fs22\sub 1}{\fs22 }{\fs22\expnd-6\expndtw-32 {\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}} {\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 \'85 }{\fs22\expnd-6\expndtw-32 {\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}{\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{ \i\fs22 x}{\i\fs22\sub s}{\fs22 . \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 4.\tab}}\pard \qj\fi-302\li648\sa180\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls18\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls18\adjustright {\fs22 Let }{\i\fs22 U}{\fs22 be the point (}{\i\fs22 x}{\i\fs22\sub U}{\fs22 , }{\i\fs22 y}{\i\fs22\sub U}{\fs22 ). \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 5.\tab}}\pard \qj\fi-302\li648\sa180\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls18\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls18\adjustright {\fs22 Verify that }{\i\fs22 U}{\fs22 satisfies the equation }{\i\fs22 y}{\fs22\super 2}{\i\fs22 }{\fs22 +}{\i\fs22 xy }{\fs22 =}{\i\fs22 x}{\fs22\super 3}{\i\fs22 }{\fs22 +}{\i\fs22 ax}{\fs22\super 2}{\i\fs22 }{\fs22 +}{\i\fs22 b}{\fs22 . \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 6.\tab}}\pard \qj\fi-302\li648\sa180\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls18\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls18\adjustright {\fs22 Compute }{\i\fs22 P}{\f6\fs22 \rquote }{\fs22 = }{\i\fs22 hU}{\fs22 . \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 7.\tab}}\pard \qj\fi-302\li648\sa180\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls18\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls18\adjustright {\fs22 If }{\i\fs22 P }{\f6\fs22 {\field{\*\fldinst SYMBOL 185 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\i\fs22 P}{\f6\fs22 \rquote }{\fs22 then reject. \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 8.\tab}}\pard \li346\nowidctlpar\widctlpar\tx20\tx260\tx310\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls18\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang{\pntxta .}} \ls18\adjustright {\fs22 Accept.}{\i\fs22 \par }\pard \li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b\fs22 \par {\*\bkmkstart _Toc403967199}{\listtext\pard\plain\s2 \b\f1\expnd4\expndtw20\cf1\cgrid \hich\af1\dbch\af0\loch\f1 3.2\tab}}\pard\plain \s2\fi-576\li576\sb120\sa240\keepn\nowidctlpar\widctlpar \jclisttab\tx576\tx720\hyphpar0\ls28\ilvl1\outlinelevel1\adjustright \b\f1\expnd4\expndtw20\cf1\cgrid {Elliptic curves over }{\b0\f15 F}{\i\sub p}{ \_ format and examples{\*\bkmkend _Toc403967199} \par {\*\bkmkstart _Toc403967200}{\listtext\pard\plain\s3 \b\f1\fs22\cf1\cgrid \hich\af1\dbch\af0\loch\f1 3.2.1\tab}}\pard\plain \s3\fi-720\li720\sa240\keepn\nowidctlpar\widctlpar\jclisttab\tx720\hyphpar0\ls28\ilvl2\outlinelevel2\adjustright \b\f1\cf1\cgrid { \fs22 The finite field }{\b0\f15\fs22 F}{\i\fs22\sub p}{\fs22 {\*\bkmkend _Toc403967200} \par }\pard\plain \li14\sa120\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright \f4\fs20\lang1024\cgrid {\fs22 Let }{\i\fs22 p}{\fs22 be a prime number. The finite field }{\f15\fs24 F}{\i\fs24\sub p}{\fs22 is comprised of the set of integers \par }\pard \li648\sa120\nowidctlpar\widctlpar\tx20\tx300\tx2880\tqr\tx9360\adjustright {\fs22 \tab \{0, 1, 2, \'85, }{\i\fs22 p}{\fs22 \endash 1\} \par }\pard \li14\sa120\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 with the following arithmetic operations: \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \qj\fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls19\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls19\adjustright {\i\fs22 Addition}{\fs22 :}{\i\fs22 }{\fs22 If }{\i\fs22 a, b }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\i\fs22 }{\f15\fs24 F}{\i\fs24\sub p}{\i\fs22 , }{\fs22 then }{\i\fs22 a + b = r, }{\fs22 where }{\i\fs22 r }{\fs22 is the remainder when }{\i\fs22 a + b }{\fs22 is}{\i\fs22 }{\fs22 divided by }{\i\fs22 p }{\fs22 and 0 }{\fs22 {\field{\*\fldinst SYMBOL 163 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 }{\i\fs22 r }{\fs22 {\field{\*\fldinst SYMBOL 163 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\i\fs22 p }{\fs22 \endash }{\i\fs22 }{\fs22 1}{\i\fs22 . }{\fs22 This is known as addition modulo }{\i\fs22 p}{\fs22 . \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \qj\fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls19\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls19\adjustright {\i\fs22 Multiplication: }{\fs22 If }{\i\fs22 a, b }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\i\fs22 }{\f15\fs24 F}{\i\fs24\sub p}{\i\fs22 , }{\fs22 then }{\i\fs22 a }{\fs16 {\field{\*\fldinst SYMBOL 183 \\f "Symbol" \\s 8}{\fldrslt\f3\fs16}}}{\i\fs22 b = s, }{\fs22 where }{\i\fs22 s}{\fs22 is the remainder when }{\i\fs22 a }{\fs16 {\field{\*\fldinst SYMBOL 183 \\f "Symbol" \\s 8}{\fldrslt\f3\fs16}}}{\fs16 }{\i\fs22 b }{\fs22 is}{\i\fs22 }{\fs22 divided by }{\i\fs22 p}{\fs22 and 0 }{\fs22 {\field{\*\fldinst SYMBOL 163 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 }{\i\fs22 s }{\fs22 {\field{\*\fldinst SYMBOL 163 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\i\fs22 p }{\fs22 \endash }{\i\fs22 }{ \fs22 1}{\i\fs22 .}{\fs22 This is known as multiplication modulo }{\i\fs22 p}{\fs22 . \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \qj\fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls19\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls19\adjustright {\i\fs22 Inversion: }{\fs22 If }{\i\fs22 a }{\fs22 is}{\i\fs22 }{\fs22 a non\_zero element in }{\f15\fs24 F}{\i\fs24\sub p}{\fs22 , the }{\i\fs22 inverse }{\fs22 of }{\i\fs22 a }{\fs22 modulo }{\i\fs22 p}{\fs22 , denoted }{\i\fs22 a}{ \i\fs22\super \_}{\fs22\super 1}{\i\fs22 , }{\fs22 is}{\i\fs22 }{\fs22 the unique integer }{\i\fs22 c }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\i\fs22 }{\f15\fs24 F}{\i\fs24\sub p}{\fs22 for which }{\i\fs22 a }{ \fs16 {\field{\*\fldinst SYMBOL 183 \\f "Symbol" \\s 8}{\fldrslt\f3\fs16}}}{\i\fs22 c = }{\fs22 1. \par }\pard \li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 Example ( }{\i\fs22 The finite field }{\f15\fs22 F}{\fs22\sub 23}{\fs22 )}{\i\fs22 \par }\pard \qj\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 The elements of }{\f15\fs22 F}{\fs22\sub 23}{\i\fs22 }{\fs22 are \{0, 1, 2, . . ., 22\}. Examples of the}{\b\fs22 }{\fs22 arithmetic operations in }{\f15\fs22 F}{\fs22\sub 23}{ \i\fs22 }{\fs22 are: \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls20\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls20\adjustright {\fs22 12 + 20 = 9. \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls20\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls20\adjustright {\fs22 8 }{\fs16 {\field{\*\fldinst SYMBOL 183 \\f "Symbol" \\s 8}{\fldrslt\f3\fs16}}}{\fs16 }{\fs22 9 = 3. \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\nowidctlpar\widctlpar\tx20\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls20\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}}\ls20\adjustright { \fs22 8}{\fs22\super \endash 1}{\fs22 = 3. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par {\*\bkmkstart _Toc403967201}{\listtext\pard\plain\s3 \b\f1\fs22\cf1\cgrid \hich\af1\dbch\af0\loch\f1 3.2.2\tab}}\pard\plain \s3\fi-720\li720\sa240\keepn\nowidctlpar\widctlpar\jclisttab\tx720\hyphpar0\ls28\ilvl2\outlinelevel2\adjustright \b\f1\cf1\cgrid { \fs22 Elliptic curves over }{\b0\f15\fs22 F}{\i\fs22\sub p}{\fs22 {\*\bkmkend _Toc403967201} \par }\pard\plain \qj\li14\sa120\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright \f4\fs20\lang1024\cgrid {\fs22 Let }{\i\fs22 p}{\fs22 > 3 be a prime number. Let }{\i\fs22 a, b }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{ \i\fs22 }{\f15\fs24 F}{\i\fs24\sub p}{\fs22 be such that 4}{\i\fs22 a}{\fs22\super 3}{\i\fs22 + }{\fs22 27}{\i\fs22 b}{\fs22\super 2}{\i\fs22 }{\f6\fs22 {\field{\*\fldinst SYMBOL 185 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\i\fs22 }{\fs22 0}{ \i\fs22 }{\fs22 in }{\f15\fs24 F}{\i\fs24\sub p}{\fs22 . An }{\i\fs22 elliptic curve E}{\fs22 (}{\f15\fs24 F}{\i\fs24\sub p}{\fs22 )}{\i\fs22 }{\fs22 over }{\f15\fs24 F}{\i\fs24\sub p}{\fs22 defined by the parameters }{\i\fs22 a }{\fs22 and }{\i\fs22 b }{\fs22 is}{\i\fs22 }{\fs22 the set of all solutions (}{\i\fs22 x}{\fs22 , }{\i\fs22 y}{\fs22 ), }{\i\fs22 x}{\fs22 , }{\i\fs22 y}{\fs22 }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\i\fs22 }{\f15\fs24 F}{ \i\fs24\sub p}{\fs22 , to the equation \par }\pard \li648\sa120\nowidctlpar\widctlpar\tx20\tx300\tx2880\tqr\tx9360\adjustright {\fs22 \tab }{\i\fs22 y}{\fs22\super 2}{\i\fs22 = x}{\fs22\super 3}{\i\fs22 + ax + b,}{\fs22 \par }\pard \li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 together with an extra point }{\f30\fs22 O}{\fs22 , the }{\i\fs22 point at infinity. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\i\fs22 \par }\pard \li346\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 The set of points }{\i\fs22 E}{\fs22 (}{\f15\fs24 F}{\i\fs24\sub p}{\fs22 )}{\i\fs22 }{\fs22 forms a group with the following addition rules: \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par {\pntext\pard\plain\f30\fs22\lang1024\cgrid \hich\af30\dbch\af0\loch\f30 1.\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls21\pnrnot0\pndec\pnstart1\pnindent706\pnhang{\pntxta .}} \ls21\adjustright {\f30\fs22 O}{\fs22 + }{\f30\fs22 O}{\fs22 = }{\f30\fs22 O}{\fs22 \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 2.\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls21\pnrnot0\pndec\pnstart1\pnindent706\pnhang{\pntxta .}} \ls21\adjustright {\fs22 (}{\i\fs22 x}{\fs22 , }{\i\fs22 y}{\fs22 ) + }{\f30\fs22 O}{\fs22 = }{\f30\fs22 O }{\fs22 + (}{\i\fs22 x}{\fs22 , }{\i\fs22 y}{\fs22 ) = (}{\i\fs22 x}{\fs22 , }{\i\fs22 y}{\fs22 ) for all (}{\i\fs22 x}{\fs22 , }{\i\fs22 y}{\fs22 ) }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\i\fs22 E}{\fs22 (}{\f15\fs24 F}{\i\fs24\sub p}{\fs22 ). \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 3.\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls21\pnrnot0\pndec\pnstart1\pnindent706\pnhang{\pntxta .}} \ls21\adjustright {\fs22 (}{\i\fs22 x}{\fs22 , }{\i\fs22 y}{\fs22 ) + (}{\i\fs22 x}{\fs22 , \endash }{\i\fs22 y}{\fs22 ) = }{\f30\fs22 O}{\fs22 for all}{\fs16 }{\fs22 (}{\i\fs22 x}{\fs22 , }{\i\fs22 y}{\fs22 ) }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\i\fs22 E}{\fs22 (}{\f15\fs24 F}{\i\fs24\sub p}{\fs22 )}{\fs16 }{\fs22 (i.e.,}{\fs16 }{\fs22 the negative of the point (}{\i\fs22 x}{\fs22 , }{\i\fs22 y}{\fs22 )}{\fs16 }{\fs22 is \endash }{\fs16 }{\fs22 (}{ \i\fs22 x}{\fs22 , }{\i\fs22 y}{\fs22 ) =}{\fs16 }{\fs22 (}{\i\fs22 x}{\fs22 , \endash }{\i\fs22 y}{\fs22 )). \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 4.\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls21\pnrnot0\pndec\pnstart1\pnindent706\pnhang{\pntxta .}} \ls21\adjustright {\fs22 (Rule for adding two distinct points that are not inverses of each other) \par }\pard \qj\li691\nowidctlpar\widctlpar\tx20\tx240\tx280\tqr\tx9360{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\fs22 Let }{\i\fs22 P}{\fs22 = (}{\i\fs22 x}{\fs22\sub l}{\fs22 , }{\i\fs22 y}{\fs22\sub l}{\fs22 ) }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\i\fs22 E}{\fs22 (}{\f15\fs24 F}{\i\fs24\sub p}{\fs22 ) and }{\i\fs22 Q}{\fs22 = (}{\i\fs22 x}{\fs22\sub 2}{\fs22 , }{\i\fs22 y}{\fs22\sub 2}{\fs22 ) }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\i\fs22 E}{\fs22 (}{\f15\fs24 F}{\i\fs24\sub p}{\fs22 ) be two points such that }{\i\fs22 x}{\fs22\sub 1}{\fs22 }{\fs22 {\field{\*\fldinst SYMBOL 185 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 }{\i\fs22 x}{\fs22\sub 2}{ \fs22 . Then }{\i\fs22 P}{\fs22 + }{\i\fs22 Q}{\fs22 = (}{\i\fs22 x}{\fs22\sub 3}{\fs22 , }{\i\fs22 y}{\fs22\sub 3}{\fs22 )}{\i\fs16 , }{\fs22 where \par }\pard \qj\li691\sa180\nowidctlpar\widctlpar\tx20\tx240\tx280\tx2880\tqr\tx9360{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\fs22 \tab }{\dn10 {\pict{\*\picprop\shplid1139{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}} {\sp{\sn fFlipV}{\sv 0}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}}{\sp{\sn fillColor}{\sv 268435473}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}} {\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}}\picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0 \picw2893\pich635\picwgoal1640\pichgoal360\wmetafile8\bliptag1112284470\blipupi-1077{\*\blipuid 424c1d366b9e51473d66281d9d9ca260} 0100090000034f0100000200150000000000050000000902000000000400000002010100050000000102ffffff00040000002e01180005000000310201000000 050000000b0200000000050000000c024002400a1200000026060f001a00ffffffff000010000000c0ffffffb7ffffff000a0000f70100000b00000026060f00 0c004d617468547970650000500015000000fb0280fe0000000000009001000000000402001054696d6573204e657720526f6d616e00047f040000002d010000 08000000320aa001a609010000002c0015000000fb0220ff0000000000009001000000000402001054696d6573204e657720526f6d616e001900040000002d01 010004000000f001000008000000320ab301150901000000320008000000320ab3016c0601000000310008000000320af400cb0301000000320008000000320a b301ee0001000000330015000000fb0280fe0000000000009001010000000402001054696d6573204e657720526f6d616e00047f040000002d01000004000000 f001010008000000320aa0016c0801000000780008000000320aa001dc0501000000780008000000320aa0014c0001000000780010000000fb0280fe00000000 00009001000000020002001053796d626f6c0000040000002d01010004000000f001000008000000320aa0013a07010000002d0008000000320aa001aa040100 00002d0008000000320aa001d601010000003d0010000000fb0280fe0000000000009001010000020002001053796d626f6c0000040000002d01000004000000 f001010008000000320aa0010003010000006c000a00000026060f000a00ffffffff01000000000010000000fb021000070000000000bc02000000000102022253797374656d006e040000002d01010004000000f00100000300000000000000000000000001010000000000}}{\fs22 \par \tab }{\dn10 {\pict{\*\picprop\shplid1140{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}}{\sp{\sn fFlipV}{\sv 0}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}} {\sp{\sn fillColor}{\sv 268435473}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}}{\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}} \picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0\picw4128\pich600\picwgoal2340\pichgoal340\wmetafile8\bliptag847364304\blipupi-219{\*\blipuid 3281c0d02edddb82cb166e42ddeaeff7} 010009000003780100000200150000000000050000000902000000000400000002010100050000000102ffffff00040000002e01180005000000310201000000 050000000b0200000000050000000c022002a00e1200000026060f001a00ffffffff000010000000c0ffffffa6ffffff600e0000c60100000b00000026060f00 0c004d617468547970650000500015000000fb0280fe0000000000009001000000000402001054696d6573204e657720526f6d616e000000040000002d010000 09000000320a80012a0c03000000616e640008000000320a8001d60b01000000200008000000320a8001880b010000002c0008000000320a8001640801000000 290008000000320a8001080401000000280015000000fb0220ff0000000000009001000000000402001054696d6573204e657720526f6d616e00250004000000 2d01010004000000f001000008000000320a9301090b01000000310008000000320a9301d40701000000330008000000320a9301330501000000310008000000 320a9301060101000000330015000000fb0280fe0000000000009001010000000402001054696d6573204e657720526f6d616e000000040000002d0100000400 0000f001010008000000320a8001730a01000000790008000000320a8001320701000000780008000000320a8001a30401000000780008000000320a80015e00 01000000790010000000fb0280fe0000000000009001000000020002001053796d626f6c0000040000002d01010004000000f001000008000000320a80012f09 010000002d0008000000320a80010006010000002d0008000000320a8001ee01010000003d0010000000fb0280fe000000000000900101000002000200105379 6d626f6c0000040000002d01000004000000f001010008000000320a80011803010000006c000a00000026060f000a00ffffffff01000000000010000000fb02 1000070000000000bc02000000000102022253797374656d006e040000002d01010004000000f0010000030000000000000000000000000000f40ea000000000}}{\fs22 \par \tab }{\dn24 {\pict{\*\picprop\shplid1141{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}}{\sp{\sn fFlipV}{\sv 0}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}} {\sp{\sn fillColor}{\sv 268435473}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}}{\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}} \picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0\picw2223\pich1094\picwgoal1260\pichgoal620\wmetafile8\bliptag704725913\blipupi-1293{\*\blipuid 2a014399bbe2a522d979224789a636b8} 010009000003760100000300150000000000050000000902000000000400000002010100050000000102ffffff00040000002e01180005000000310201000000 050000000b0200000000050000000c02e003e0071200000026060f001a00ffffffff000010000000c0ffffffb4ffffffa0070000940300000b00000026060f00 0c004d617468547970650000c00009000000fa02000010000000000000002200040000002d0100000500000014020002020305000000130200023b0715000000 fb0280fe0000000000009001000000000402001054696d6573204e657720526f6d616e004500040000002d01010008000000320a60025d07010000002e000800 0000320a6002120102000000202015000000fb0220ff0000000000009001000000000402001054696d6573204e657720526f6d616e001100040000002d010200 04000000f001010008000000320a9b03900601000000310008000000320a9b03ef0301000000320008000000320a8501a80601000000310008000000320a8501 ef0301000000320015000000fb0280fe0000000000009001010000000402001054696d6573204e657720526f6d616e003400040000002d01010004000000f001 020008000000320a8803000601000000780008000000320a8803460301000000780008000000320a7201120601000000790008000000320a7201400301000000 790010000000fb0280fe0000000000009001000000020002001053796d626f6c0000040000002d01020004000000f001010008000000320a8803ce0401000000 2d0008000000320a7201ce04010000002d0008000000320a6002cc01010000003d0010000000fb0280fe0000000000009001010000020002001053796d626f6c 0000040000002d01010004000000f001020008000000320a60023400010000006c000a00000026060f000a00ffffffff01000000000010000000fb021000070000000000bc02000000000102022253797374656d006e040000002d01020004000000f001010003000000000000ffffff00ffffff0000000000000000}}{ \fs22 \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 5.\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls21\pnrnot0\pndec\pnstart1\pnindent706\pnhang{\pntxta .}} \ls21\adjustright {\fs22 (Rule for doubling a point) \par }\pard \qj\li691\nowidctlpar\widctlpar\tx20\tx240\tx280\tqr\tx9360\adjustright {\fs22 Let }{\i\fs22 P}{\fs22 = (}{\i\fs22 x}{\fs22\sub l}{\fs22 , }{\i\fs22 y}{\fs22\sub l}{\fs22 ) }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt \f3\fs22}}}{\i\fs22 E}{\fs22 (}{\f15\fs24 F}{\i\fs24\sub p}{\fs22 ) be a point with }{\i\fs22 y}{\fs22\sub 1}{\fs22 }{\fs22 {\field{\*\fldinst SYMBOL 185 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 0. (If }{\i\fs22 y}{\fs22\sub 1}{\fs22 = 0 then } {\i\fs22 P}{\fs22 = \endash }{\i\fs22 P}{\fs22 , and so 2}{\i\fs22 P}{\fs22 = }{\f30\fs22 O}{\fs22 .) Then 2}{\i\fs22 P}{\fs22 = (}{\i\fs22 x}{\fs22\sub 3}{\fs22 , }{\i\fs22 y}{\fs22\sub 3}{\fs22 ),}{\i\fs16 }{\fs22 where \par }\pard \qj\li691\sa180\nowidctlpar\widctlpar\tx20\tx240\tx280\tx2880\tqr\tx9360\adjustright {\fs22 \tab }{\dn10 {\pict{\*\picprop\shplid1142{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}} {\sp{\sn fFlipV}{\sv 0}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}}{\sp{\sn fillColor}{\sv 268435473}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}} {\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}}\picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0 \picw2328\pich635\picwgoal1320\pichgoal360\wmetafile8\bliptag352793842\blipupi-1722{\*\blipuid 150734f213f64c081f7ec5614297b5df} 0100090000033f0100000200150000000000050000000902000000000400000002010100050000000102ffffff00040000002e01180005000000310201000000 050000000b0200000000050000000c02400240081200000026060f001a00ffffffff000010000000c0ffffffb7ffffff00080000f70100000b00000026060f00 0c004d617468547970650000500015000000fb0280fe0000000000009001000000000402001054696d6573204e657720526f6d616e000000040000002d010000 08000000320aa001b107010000002c0008000000320aa001ca0501000000320015000000fb0220ff0000000000009001000000000402001054696d6573204e65 7720526f6d616e002900040000002d01010004000000f001000008000000320ab301310701000000310008000000320af400cb0301000000320008000000320a b301ee0001000000330015000000fb0280fe0000000000009001010000000402001054696d6573204e657720526f6d616e000000040000002d01000004000000 f001010008000000320aa001a10601000000780008000000320aa0014c0001000000780010000000fb0280fe0000000000009001000000020002001053796d62 6f6c0000040000002d01010004000000f001000008000000320aa001aa04010000002d0008000000320aa001d601010000003d0010000000fb0280fe00000000 00009001010000020002001053796d626f6c0000040000002d01000004000000f001010008000000320aa0010003010000006c000a00000026060f000a00ffff ffff01000000000010000000fb021000070000000000bc02000000000102022253797374656d006e040000002d01010004000000f001000003000000000000000000000000002d0100000000}}{\fs22 \par \tab }{\dn10 {\pict{\*\picprop\shplid1143{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}}{\sp{\sn fFlipV}{\sv 0}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}} {\sp{\sn fillColor}{\sv 268435473}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}}{\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}} \picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0\picw4128\pich600\picwgoal2340\pichgoal340\wmetafile8\bliptag902384632\blipupi-219{\*\blipuid 35c94bf8e4ee3be959a75a96c8ed20ae} 010009000003780100000200150000000000050000000902000000000400000002010100050000000102ffffff00040000002e01180005000000310201000000 050000000b0200000000050000000c022002a00e1200000026060f001a00ffffffff000010000000c0ffffffa6ffffff600e0000c60100000b00000026060f00 0c004d617468547970650000500015000000fb0280fe0000000000009001000000000402001054696d6573204e657720526f6d616e002100040000002d010000 09000000320a80012c0c03000000616e640008000000320a8001d80b01000000200008000000320a80018a0b010000002c0008000000320a8001650801000000 290008000000320a8001080401000000280015000000fb0220ff0000000000009001000000000402001054696d6573204e657720526f6d616e00cd0004000000 2d01010004000000f001000008000000320a93010a0b01000000310008000000320a9301d50701000000330008000000320a9301330501000000310008000000 320a9301060101000000330015000000fb0280fe0000000000009001010000000402001054696d6573204e657720526f6d616e002100040000002d0100000400 0000f001010008000000320a8001740a01000000790008000000320a8001330701000000780008000000320a8001a30401000000780008000000320a80015e00 01000000790010000000fb0280fe0000000000009001000000020002001053796d626f6c0000040000002d01010004000000f001000008000000320a80013009 010000002d0008000000320a80010106010000002d0008000000320a8001ee01010000003d0010000000fb0280fe000000000000900101000002000200105379 6d626f6c0000040000002d01000004000000f001010008000000320a80011803010000006c000a00000026060f000a00ffffffff01000000000010000000fb02 1000070000000000bc02000000000102022253797374656d006e040000002d01010004000000f001000003000000000000ffffff00ffffff00f40ea000000000}}{\fs22 \par \tab }{\dn28 {\pict{\*\picprop\shplid1144{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}}{\sp{\sn fFlipV}{\sv 0}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}} {\sp{\sn fillColor}{\sv 268435473}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}}{\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}} \picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0\picw2293\pich1235\picwgoal1300\pichgoal700\wmetafile8\bliptag796653429\blipupi-1077{\*\blipuid 2f7bf775a4c62367c9bc50e2feae3de1} 0100090000036e0100000300150000000000050000000902000000000400000002010100050000000102ffffff00040000002e01180005000000310201000000 050000000b0200000000050000000c02600420081200000026060f001a00ffffffff000010000000c0ffffffa5ffffffe0070000050400000b00000026060f00 0c004d617468547970650000e00009000000fa02000010000000000000002200040000002d010000050000001402400202030500000013024002790715000000 fb0280fe0000000000009001000000000402001054696d6573204e657720526f6d616e007400040000002d01010008000000320aa0029b07010000002e000800 0000320ac803410401000000320008000000320ab201100301000000330008000000320aa002120102000000202015000000fb0220ff00000000000090010000 00000402001054696d6573204e657720526f6d616e001a00040000002d01020004000000f001010008000000320adb03c00501000000310008000000320a0601 9b0401000000320008000000320ac5016c0401000000310015000000fb0280fe0000000000009001010000000402001054696d6573204e657720526f6d616e00 7400040000002d01010004000000f001020008000000320ac8032a0501000000790008000000320ab201a00601000000610008000000320ab201dc0301000000 780010000000fb0280fe0000000000009001000000020002001053796d626f6c0000040000002d01020004000000f001010008000000320ab2017a0501000000 2b0008000000320aa002cc01010000003d0010000000fb0280fe0000000000009001010000020002001053796d626f6c0000040000002d01010004000000f001 020008000000320aa0023400010000006c000a00000026060f000a00ffffffff01000000000010000000fb021000070000000000bc02000000000102022253797374656d006e040000002d01020004000000f001010003000000000000000000000000000000f00100000000}}{\fs22 \par }\pard \li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b\fs22 Example }{\fs22 (}{\i\fs22 An elliptic curve over }{\f15\fs22 F}{\fs22\sub 23}{\fs22 )}{\i\fs22 \par }\pard \qj\li14\sa120\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\i\fs22 y}{\fs22\super 2}{\i\fs22 = x}{\fs22\super 3}{\i\fs22 }{\fs22 + }{\i\fs22 x}{\fs22 + 1 is an equation for an elliptic curve }{\i\fs22 E}{\fs22 over }{\f15\fs22 F}{ \fs22\sub 23}{\i\fs22 . }{\fs22 Here }{\i\fs22 a}{\fs22 = 1 and }{\i\fs22 b = }{\fs22 1. The solutions over }{\f15\fs22 F}{\fs22\sub 23}{\i\fs22 }{\fs22 to this equation are: \par }\trowd \trqc\trgaph108\trleft-108 \clvertalt\cltxlrtb \cellx810\clvertalt\cltxlrtb \cellx1620\clvertalt\cltxlrtb \cellx2610\clvertalt\cltxlrtb \cellx3420\clvertalt\cltxlrtb \cellx4410\clvertalt\cltxlrtb \cellx5220\clvertalt\cltxlrtb \cellx6210 \clvertalt\cltxlrtb \cellx7191\clvertalt\cltxlrtb \cellx8181\pard \qj\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 (0, 1)\cell (0, 22)\cell (1, 7)\cell (1, 16)\cell (3, 10)\cell (3, 13)\cell (4, 0)\cell (5, 4)\cell (5, 19)\cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\fs22 \row }\trowd \trqc\trgaph108\trleft-108 \clvertalt\cltxlrtb \cellx810\clvertalt\cltxlrtb \cellx1620\clvertalt\cltxlrtb \cellx2610\clvertalt\cltxlrtb \cellx3420\clvertalt\cltxlrtb \cellx4410 \clvertalt\cltxlrtb \cellx5220\clvertalt\cltxlrtb \cellx6210\clvertalt\cltxlrtb \cellx7191\clvertalt\cltxlrtb \cellx8181\pard \qj\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 (6, 4)\cell (6, 19)\cell (7, 11)\cell (7, 12)\cell (9, 7) \cell (9, 16)\cell (11, 3)\cell (11, 20)\cell (12, 4)\cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\fs22 \row }\trowd \trqc\trgaph108\trleft-108 \clvertalt\cltxlrtb \cellx810\clvertalt\cltxlrtb \cellx1620\clvertalt\cltxlrtb \cellx2610 \clvertalt\cltxlrtb \cellx3420\clvertalt\cltxlrtb \cellx4410\clvertalt\cltxlrtb \cellx5220\clvertalt\cltxlrtb \cellx6210\clvertalt\cltxlrtb \cellx7191\clvertalt\cltxlrtb \cellx8181\pard \qj\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 (12, 19)\cell (13, 7)\cell (13, 16)\cell (17, 3)\cell (17, 20)\cell (18, 3)\cell (18, 20)\cell (19, 5)\cell (19, 18)\cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\fs22 \row }\pard \qj\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par }\pard \qj\fi346\li14\sa120\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\i\fs22 E}{\fs22 (}{\f15\fs22 F}{\fs22\sub 23}{\fs22 ) has 28 points, including the point at infinity }{\f30\fs22 O}{\fs22 . The following are examples of the addition law: \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx240\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls12\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls12\adjustright {\fs22 (3, 10) + (9, 7) = (17, 20). \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx240\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls12\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls12\adjustright {\fs22 2(3, 10) = (7, 12). \par {\*\bkmkstart _Toc403967202}{\listtext\pard\plain\s3 \b\f1\fs22\cf1\cgrid \hich\af1\dbch\af0\loch\f1 3.2.3\tab}}\pard\plain \s3\fi-720\li720\sb120\sa240\keepn\nowidctlpar\widctlpar\jclisttab\tx720\hyphpar0\ls28\ilvl2\outlinelevel2\adjustright \b\f1\cf1\cgrid {\fs22 Format for challenge parameters (the }{\b0\f15\fs22 F}{\i\fs22\sub p}{\fs22 case){\*\bkmkend _Toc403967202} \par }\pard\plain \qj\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright \f4\fs20\lang1024\cgrid {\fs22 This subsection describes the conventions used for representing the challenge parameters for elliptic curves over }{\f15\fs22 F}{\i\fs22\sub p}{\fs22 . }{\i\fs22 \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\i\fs22 \par }\pard \li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b Challenge parameters \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b\fs22 \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx240\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls13\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls13\adjustright {\i\fs22 p}{\fs22 \emdash the order of}{\b\fs22 }{\fs22 the finite field; }{\i\fs22 p}{\fs22 is a prime number. \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \qj\fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx200\tx240\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls13\pnrnot0\pnf3\pnstart1\pnindent360\pnhang {\pntxtb \'b7}}\ls13\adjustright {\fs22 seedE \emdash the seed that was}{\b\fs22 }{\fs22 used to generate the parameters }{\i\fs22 a }{\fs22 and }{\i\fs22 b }{\fs22 (see Algorithm 5 in Section 3.2.4).}{\i\fs22 \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx220\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls13\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls13\adjustright {\i\fs22 a, b \emdash }{\fs22 the field elements which define the elliptic curve }{\i\fs22 E: y}{\i\fs22\super 2}{\i\fs22 = x}{\fs22\super 3}{\i\fs22 +}{\i\fs16 }{\i\fs22 ax + b.}{\fs22 \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \qj\fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx200\tx240\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls13\pnrnot0\pnf3\pnstart1\pnindent360\pnhang {\pntxtb \'b7}}\ls13\adjustright {\fs22 seedP \emdash the seed that was used to generate the point }{\i\fs22 P}{\fs22 (see Algorithm 7 in Section 3.2.4). \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx200\tx240\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls13\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls13\adjustright {\i\fs22 x}{\i\fs22\sub P}{\fs22 , }{\i\fs22 y}{\i\fs22\sub P}{\fs22 \emdash the }{\i\fs22 x}{\fs22 \_ and }{\i\fs22 y}{\fs22 \_coordinates of the base point }{\i\fs22 P}{\fs22 . \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx200\tx240\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls13\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls13\adjustright {\i\fs22 n \emdash }{\fs22 the order of the point }{\i\fs22 P}{\fs22 ; }{\i\fs22 n}{\fs22 is a prime number.}{\i\fs22 \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx240\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls13\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls13\adjustright {\i\fs22 h \emdash }{\fs22 the co\_factor }{\i\fs22 h }{\fs22 (the number of points in }{\i\fs22 E}{\fs22 (}{\f15\fs22 F}{\i\fs22\sub p}{\fs22 ) divided by }{\i\fs22 n}{\fs22 )}{\i\fs22 .}{\fs22 \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \qj\fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx200\tx240\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls13\pnrnot0\pnf3\pnstart1\pnindent360\pnhang {\pntxtb \'b7}}\ls13\adjustright {\fs22 seedQ \emdash the seed that was used to generate the point }{\i\fs22 Q}{\fs22 (see Algorithm 7 in Section 3.2.4). \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx20\tx200\tx240\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls13\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls13\adjustright {\i\fs22 x}{\i\fs22\sub Q}{\fs22 , }{\i\fs22 y}{\i\fs22\sub Q}{\fs22 \emdash the }{\i\fs22 x}{\fs22 \_ and }{\i\fs22 y}{\fs22 \_coordinates of the public key point }{\i\fs22 Q}{\fs22 . \par }\pard \li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b Data formats \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b\fs22 \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \qj\fi-360\li706\sa180\nowidctlpar\widctlpar\tx220\tx270\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls14\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls14\adjustright {\i\fs22 Integers }{\fs22 are represented in hexadecimal, the rightmost bit being the least significant bit. Example: The decimal integer 123456789 is represented in hexadecimal as 075BCD15. \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li706\sa180\nowidctlpar\widctlpar\tx220\tx270\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls14\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls14\adjustright {\i\fs22 Field elements }{\fs22 (of }{\f15\fs22 F}{\i\fs22\sub p}{\fs22 ) are represented as hexadecimal integers. \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \qj\fi-360\li706\sa180\nowidctlpar\widctlpar\tx220\tx270\jclisttab\tx706\tqr\tx9360{\*\pn \pnlvlblt\ilvl0\ls14\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}} \ls14\adjustright {\i\fs22 Seeds }{\fs22 for generating random elliptic curves and random elliptic curve points (see Section 3.2.4) are 160\_bit strings and are represented in hexadecimal. \par {\*\bkmkstart _Toc403967203}{\listtext\pard\plain\s3 \b\f1\fs22\cf1\cgrid \hich\af1\dbch\af0\loch\f1 3.2.4\tab}}\pard\plain \s3\fi-720\li720\sb120\sa240\keepn\nowidctlpar\widctlpar\jclisttab\tx720\hyphpar0\ls28\ilvl2\outlinelevel2\adjustright \b\f1\cf1\cgrid {\fs22 Random elliptic curves and points (the }{\b0\f15\fs22 F}{\i\fs22\sub p}{\fs22 case){\*\bkmkend _Toc403967203} \par }\pard\plain \qj\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright \f4\fs20\lang1024\cgrid {\fs22 This subsection describes the method that is used for }{\i\fs22 verifiably }{\fs22 selecting elliptic curves and points at random. The defining parameters of the elliptic curve or point are defined to be outputs of the one\_way hash function SHA\_1 (as specified in FIPS 180\_1 [SHA\_1]). The input seed to SHA\_ 1 then serves as proof (under the assumption that SHA\_1 cannot be inverted) that the elliptic curve or point were indeed generated at random. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par }\pard \li346\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 The following notation is used: }{\i\fs22 t = }{\fs22 {\field{\*\fldinst SYMBOL 233 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 log}{\fs22\sub 2}{\i\fs22 p}{\fs22 {\field{\*\fldinst SYMBOL 249 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\i\fs22 , s}{\fs22 = }{\fs22 {\field{\*\fldinst SYMBOL 235 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 (}{\i\fs22 t}{\fs22 \endash 1)/160}{\fs22 {\field{\*\fldinst SYMBOL 251 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 and }{\i\fs22 h = t }{\fs22 \endash 160 }{\fs16 {\field{\*\fldinst SYMBOL 183 \\f "Symbol" \\s 8}{\fldrslt\f3\fs16}}}{\i\fs22 s}{\fs22 . \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par }\pard \li14\sa180\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b Algorithm 5: Generating a random elliptic curve over }{\f15 F}{\b\i\sub p}{\b \par }\pard \li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b\fs22 Input:}{\b\fs24 }{\fs22 A field size }{\i\fs22 p}{\fs22 , where }{\i\fs22 p}{\fs22 is a prime.}{\fs24 \par }\pard \qj\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b\fs22 Output:}{\b\fs24 }{\fs22 A 160\_bit bit string seedE and field elements }{\i\fs22 a, b }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 }{ \f15\fs22 F}{\i\fs22\sub p}{\fs22 which define an elliptic curve }{\i\fs22 E }{\fs22 over }{\f15\fs22 F}{\i\fs22\sub p}{\fs22 . \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 1.\tab}}\pard \fi-648\li994\sa180\nowidctlpar\widctlpar\tx20\tx260\tx310\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls22\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls22\adjustright {\fs22 Choose an arbitrary bit string seedE of length 160 bits.}{\i\fs22 \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 2.\tab}}\pard \qj\fi-302\li648\sa180\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls22\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls22\adjustright {\fs22 Compute }{\i\fs22 H = }{\fs22 SHA\_1(seedE), and let }{\i\fs22 c}{\fs22\sub 0}{\fs22 denote the bit string of length }{\i\fs22 h }{\fs22 bits obtained by taking the }{\i\fs22 h }{\fs22 rightmost bits of }{\i\fs22 H.}{ \fs22 \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 3.\tab}}\pard \qj\fi-302\li648\sa180\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls22\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls22\adjustright {\fs22 Let }{\i\fs22 W}{\fs22\sub 0}{\fs22 denote the bit string of length }{\i\fs22 h}{\fs22 bits obtained by setting the leftmost bit of }{\i\fs22 c}{\fs22\sub 0}{\fs22 to 0. (This ensures that }{\i\fs22 r}{\fs22 < }{ \i\fs22 p}{\fs22 .) \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 4.\tab}}\pard \qj\fi-302\li648\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls22\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls22\adjustright {\fs22 For }{\i\fs22 i}{\fs22 from 1 to }{\i\fs22 s}{\fs22 do: \par }\pard \li648\sa180\nowidctlpar\widctlpar\tx20\tx300\tqr\tx9360{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\fs22 Compute }{\i\fs22 W}{\i\fs22\sub i}{\i\fs22 = }{\fs22 SHA\_1((seedE + }{\i\fs22 i}{\fs22 ) mod 2}{\fs22\super 160}{\fs22 ). \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 5.\tab}}\pard \qj\fi-302\li648\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls22\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls22\adjustright {\fs22 Let }{\i\fs22 W }{\fs22 be the bit string obtained by the concatenation of }{\i\fs22 W}{\fs22\sub 0}{\fs22 , }{\i\fs22 W}{\fs22\sub 1}{\fs22 , \'85}{\i\fs22 , W}{\i\fs22\sub s}{\fs22 as follows: \par }\pard \li648\sa180\nowidctlpar\widctlpar\tx20\tx300\tx2880\tqr\tx9360{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\fs22 \tab }{\i\fs22 W = W}{\fs22\sub 0}{\fs22 }{\fs22\expnd-6\expndtw-32 {\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}{\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 }{\i\fs22 W}{\fs22\sub 1}{\fs22 }{\fs22\expnd-6\expndtw-32 {\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}{\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 \'85 }{\fs22\expnd-6\expndtw-32 {\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}{\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\i\fs22 W}{\i\fs22\sub s}{\fs22 . \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 6.\tab}}\pard \fi-259\li605\sa180\nowidctlpar\widctlpar\tx20\tx260\tx310\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls22\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls22\adjustright {\fs22 Let }{\i\fs22 w}{\fs22\sub 1}{\fs22 ,}{\i\fs22 w}{\fs22\sub 2}{\fs22 ,\'85 ,}{\i\fs22 w}{\i\fs22\sub t}{\i\fs22 }{\fs22 be the bits of }{\i\fs22 W}{\fs22 from leftmost to rightmost. Let }{\i\fs22 r}{\fs22 be the integer }{\dn14 {\pict{\*\picprop\shplid1145{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}}{\sp{\sn fFlipV}{\sv 0}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}} {\sp{\sn fillColor}{\sv 268435473}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}}{\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}} \picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0\picw2681\pich706\picwgoal1520\pichgoal400\wmetafile8\bliptag1740608368\blipupi-1218{\*\blipuid 67bf93707ec26b1f3bc9c76650785ad0} 010009000003940100000200150000000000050000000902000000000400000002010100050000000102ffffff00040000002e01180005000000310201000000 050000000b0200000000050000000c02800280091200000026060f001a00ffffffff000010000000c0ffffffb7ffffff40090000370200000b00000026060f00 0c004d617468547970650000700010000000fb02c0fd0000000000009001000000020002001053796d626f6c0000040000002d01000008000000320af9016d02 01000000e50010000000fb0220ff0000000000009001000000020002001053796d626f6c0000040000002d01010004000000f001000008000000320af4003008 010000002d0008000000320ab301a704010000003d0010000000fb0280fe0000000000009001000000020002001053796d626f6c0000040000002d0100000400 0000f001010008000000320aa0014001010000003d0015000000fb0280fe0000000000009001000000000402001054696d6573204e657720526f6d616e002100 040000002d01010004000000f001000008000000320aa001f608010000002e0008000000320aa0010d0701000000320015000000fb0220ff0000000000009001 000000000402001054696d6573204e657720526f6d616e00c900040000002d01000004000000f001010008000000320ab3011e0501000000310015000000fb02 20ff0000000000009001010000000402001054696d6573204e657720526f6d616e002100040000002d01010004000000f001000008000000320af400b9080100 0000690008000000320af400d10701000000740008000000320ab3019a0601000000690008000000320af4004f0401000000740008000000320ab3014f040100 0000690015000000fb0280fe0000000000009001010000000402001054696d6573204e657720526f6d616e00c900040000002d01000004000000f00101000800 0000320aa001b00501000000770008000000320aa0013a000100000072000a00000026060f000a00ffffffff01000000000010000000fb021000070000000000bc02000000000102022253797374656d006e040000002d01010004000000f00100000300000000000000000000ffffff0000400000000000}}{\i\fs22 \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 7.\tab}}\pard \qj\fi-302\li648\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls22\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls22\adjustright {\fs22 Choose arbitrary integers }{\i\fs22 a, b }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 }{\f15\fs22 F}{\i\fs22\sub p}{\fs22 such that }{\i\fs22 r}{\fs22 }{\fs16 {\field{\*\fldinst SYMBOL 183 \\f "Symbol" \\s 8}{\fldrslt\f3\fs16}}}{\fs22 }{\i\fs22 b}{\fs22\super 2}{\fs22 }{\fs22 {\field{\*\fldinst SYMBOL 186 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 }{\i\fs22 a}{\fs22\super 3}{\fs22 (mod }{\i\fs22 p}{ \fs22 ). \par }\pard \qj\li648\sa180\nowidctlpar\widctlpar\tx20\tx300\tqr\tx9360{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\fs22 (Note: For a fixed }{\i\fs22 r}{\fs22 }{\fs22 {\field{\*\fldinst SYMBOL 185 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 0,}{\i\fs22 }{\fs22 there are only 2 essentially different choices for }{\i\fs22 a}{\fs22 and }{\i\fs22 b \emdash }{\fs22 other values of }{\i\fs22 a}{\fs22 and }{\i\fs22 b}{\fs22 give rise to }{\i\fs22 isomorphic }{\fs22 elliptic curv es. Hence the choice of }{\i\fs22 a}{\fs22 and }{\i\fs22 b }{\fs22 is}{\i\fs22 }{\fs22 essentially without loss of generality.) \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 8.\tab}}\pard \li346\sa180\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls22\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang{\pntxta .}} \ls22\adjustright {\fs22 If 4}{\i\fs22 a}{\fs22\super 3 }{\fs22 + 27}{\i\fs22 b}{\fs22\super 2}{\fs22 }{\fs22 {\field{\*\fldinst SYMBOL 186 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 0 (mod }{\i\fs22 p}{\fs22 ) then go to step 1. \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 9.\tab}}\pard \qj\fi-302\li648\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls22\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls22\adjustright {\fs22 The elliptic curve chosen over }{\f15\fs22 F}{\i\fs22\sub p}{\i\fs22 }{\fs22 is \par }\pard \li648\sa180\nowidctlpar\widctlpar\tx20\tx300\tx2880\tqr\tx9360{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\fs22 \tab }{\i\fs22 E }{\fs22 :}{\i\fs22 y}{\fs22\super 2}{\i\fs22 }{\fs22 =}{\i\fs22 x}{\fs22\super 3}{\i\fs22 }{\fs22 +}{ \i\fs22 ax }{\fs22 +}{\i\fs22 b}{\fs22 . \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 10.\tab}}\pard \li346\sa180\nowidctlpar\widctlpar\tx20\tx260\tx310\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls22\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang{\pntxta .}} \ls22\adjustright {\fs22 Output(seedE, }{\i\fs22 a, b}{\fs22 ).}{\i\fs22 \par }\pard \li14\sb120\sa120\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b \page Algorithm 6: Verifying that an elliptic curve was randomly generated \par }\pard \qj\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b\fs22 Input:}{\b\fs24 }{\fs22 A field size }{\i\fs22 p}{\fs22 (a prime), a bit string seedE of length 160 bits, and field elements }{\i\fs22 a, b }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 }{\f15\fs22 F}{\i\fs22\sub p}{\fs22 which define an elliptic curve }{\i\fs22 E }{\fs22 :}{\i\fs22 y}{\fs22\super 2}{\i\fs22 }{\fs22 =}{\i\fs22 x}{\fs22\super 3}{\i\fs22 }{\fs22 +}{\i\fs22 ax }{ \fs22 +}{\i\fs22 b}{\fs22 over }{\f15\fs22 F}{\i\fs22\sub p}{\fs22 . }{\b\fs22 \par Output: }{\fs22 Acceptance or rejection that }{\i\fs22 E }{\fs22 was randomly generated using Algorithm 5.}{\fs24 \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs24 \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 1.\tab}}\pard \qj\fi-259\li605\sa180\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls23\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls23\adjustright {\fs22 Compute }{\i\fs22 H = }{\fs22 SHA\_1(seedE), and let }{\i\fs22 c}{\fs22\sub 0}{\fs22 denote the bit string of length }{\i\fs22 h }{\fs22 bits obtained by taking the }{\i\fs22 h }{\fs22 rightmost bits of }{\i\fs22 H.}{ \fs22 \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 2.\tab}}\pard \qj\fi-259\li605\sa180\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls23\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls23\adjustright {\fs22 Let }{\i\fs22 W}{\fs22\sub 0}{\fs22 denote the bit string of length }{\i\fs22 h}{\fs22 bits obtained by setting the leftmost bit of }{\i\fs22 c}{\fs22\sub 0}{\fs22 to 0. \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 3.\tab}}\pard \qj\fi-317\li663\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls23\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls23\adjustright {\fs22 For }{\i\fs22 i}{\fs22 from 1 to }{\i\fs22 s}{\fs22 do: \par }\pard \li648\sa180\nowidctlpar\widctlpar\tx20\tx300\tqr\tx9360{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\fs22 Compute }{\i\fs22 W}{\i\fs22\sub i}{\i\fs22 = }{\fs22 SHA\_1((seedE + }{\i\fs22 i}{\fs22 ) mod 2}{\fs22\super 160}{\fs22 ). \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 4.\tab}}\pard \qj\fi-317\li663\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls23\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls23\adjustright {\fs22 Let }{\i\fs22 W}{\f6\fs22 \rquote }{\fs22 be the bit string obtained by the concatenation of }{\i\fs22 W}{\fs22\sub 0}{\fs22 , }{\i\fs22 W}{\fs22\sub 1}{\fs22 , \'85}{\i\fs22 , W}{\i\fs22\sub s}{\fs22 as follows: \par }\pard \li648\sa180\nowidctlpar\widctlpar\tx20\tx300\tx2880\tqr\tx9360{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\fs22 \tab }{\i\fs22 W}{\f6\fs22 \rquote }{\i\fs22 = W}{\fs22\sub 0}{\fs22 }{\fs22\expnd-6\expndtw-32 {\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}{\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 }{\i\fs22 W}{\fs22\sub 1}{\fs22 }{\fs22\expnd-6\expndtw-32 {\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt \f3\fs22}}{\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 \'85 }{\fs22\expnd-6\expndtw-32 {\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}{\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt \f3\fs22}}}{\i\fs22 W}{\i\fs22\sub s}{\fs22 . \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 5.\tab}}\pard \qj\fi-317\li663\sa180\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls23\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls23\adjustright {\fs22 Let }{\i\fs22 w}{\fs22\sub 1}{\fs22 ,}{\i\fs22 w}{\fs22\sub 2}{\fs22 ,\'85 ,}{\i\fs22 w}{\i\fs22\sub t}{\i\fs22 }{\fs22 be the bits of }{\i\fs22 W}{\fs22 from leftmost to rightmost. Let }{\i\fs22 r}{\f6\fs22 \rquote }{\fs22 be the integer }{\dn14 {\pict{\*\picprop\shplid1146{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}}{\sp{\sn fFlipV}{\sv 0}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}} {\sp{\sn fillColor}{\sv 268435473}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}}{\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}} \picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0\picw2681\pich706\picwgoal1520\pichgoal400\wmetafile8\bliptag339219356\blipupi-1218{\*\blipuid 1438139c154e2f93298a51b495d65d71} 0100090000039c0100000200150000000000050000000902000000000400000002010100050000000102ffffff00040000002e01180005000000310201000000 050000000b0200000000050000000c02800280091200000026060f001a00ffffffff000010000000c0ffffffb7ffffff40090000370200000b00000026060f00 0c004d617468547970650000700010000000fb02c0fd0000000000009001000000020002001053796d626f6c0000040000002d01000008000000320af9017902 01000000e50010000000fb0220ff0000000000009001000000020002001053796d626f6c0000040000002d01010004000000f001000008000000320af4003c08 010000002d0008000000320ab301b304010000003d0010000000fb0280fe0000000000009001000000020002001053796d626f6c0000040000002d0100000400 0000f001010008000000320aa0014c01010000003d0015000000fb0280fe0000000000009001000000000402001054696d6573204e657720526f6d616e002500 040000002d01010004000000f001000008000000320aa0010209010000002e0008000000320aa001190701000000320008000000320aa001e800010000002700 15000000fb0220ff0000000000009001000000000402001054696d6573204e657720526f6d616e002500040000002d01000004000000f001010008000000320a b3012a0501000000310015000000fb0220ff0000000000009001010000000402001054696d6573204e657720526f6d616e002500040000002d01010004000000 f001000008000000320af400c50801000000690008000000320af400dd0701000000740008000000320ab301a60601000000690008000000320af4005b040100 0000740008000000320ab3015b0401000000690015000000fb0280fe0000000000009001010000000402001054696d6573204e657720526f6d616e0025000400 00002d01000004000000f001010008000000320aa001bc0501000000770008000000320aa0013a000100000072000a00000026060f000a00ffffffff01000000 000010000000fb021000070000000000bc02000000000102022253797374656d006e040000002d01010004000000f001000003000000000000ffffff00ffffff0000000000000000}}{\fs22 \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 6.\tab}}\pard \qj\fi-317\li663\sa180\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls23\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls23\adjustright {\fs22 If }{\i\fs22 r}{\f6\fs22 \rquote }{\f6\fs16 {\field{\*\fldinst SYMBOL 183 \\f "Symbol" \\s 8}{\fldrslt\f3\fs16}}}{\i\fs22 b}{\fs22\super 2}{\i\fs22 }{\fs22 {\field{\*\fldinst SYMBOL 186 \\f "Symbol" \\s 11}{\fldrslt \f3\fs22}}}{\fs22 }{\i\fs22 a}{\fs22\super 3}{\fs22 (mod }{\i\fs22 p}{\fs22 )}{\i\fs22 }{\fs22 then accept; otherwise reject. \par }\pard \li14\sa180\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b Algorithm 7: Generating a random elliptic curve point \par }\pard \li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b\fs22 Input:}{\b\fs24 }{\fs22 Field elements }{\i\fs22 a}{\fs22 , }{\i\fs22 b}{\fs22 }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 }{\f15\fs22 F}{ \i\fs22\sub p}{\fs22 which define an elliptic curve }{\i\fs22 E }{\fs22 :}{\i\fs22 y}{\fs22\super 2}{\i\fs22 }{\fs22 =}{\i\fs22 x}{\fs22\super 3}{\i\fs22 }{\fs22 +}{\i\fs22 ax }{\fs22 +}{\i\fs22 b}{\fs22 over }{\f15\fs22 F}{\i\fs22\sub p}{\fs22 . The order of }{\i\fs22 E}{\fs22 (}{\f15\fs22 F}{\i\fs22\sub p}{\fs22 ) is }{\i\fs22 n }{\fs16 {\field{\*\fldinst SYMBOL 183 \\f "Symbol" \\s 8}{\fldrslt\f3\fs16}}}{\i\fs22 h}{\fs22 , where }{\i\fs22 n}{\fs22 is a prime.}{\fs24 \par }\pard \qj\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b\fs22 Output:}{\b\fs24 }{\fs22 A bit string seedP, a field element }{\i\fs22 y}{\i\fs22\sub U}{\i\fs22 , }{\fs22 and a point }{\i\fs22 P }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 }{\i\fs22 E}{\fs22 (}{\f15\fs22 F}{\i\fs22\sub p}{\fs22 ) of order }{\i\fs22 n}{\fs22 . \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 1.\tab}}\pard \fi-648\li994\sa180\nowidctlpar\widctlpar\tx20\tx260\tx310\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls24\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls24\adjustright {\fs22 Choose an arbitrary bit string seedP of length 160 bits.}{\i\fs22 \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 2.\tab}}\pard \qj\fi-302\li648\sa180\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls24\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls24\adjustright {\fs22 Compute }{\i\fs22 H = }{\fs22 SHA\_1(seedP), and let }{\i\fs22 c}{\fs22\sub 0}{\fs22 denote the bit string of length }{\i\fs22 h }{\fs22 bits obtained by taking the }{\i\fs22 h }{\fs22 rightmost bits of }{\i\fs22 H.}{ \fs22 \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 3.\tab}}\pard \qj\fi-302\li648\sa180\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls24\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls24\adjustright {\fs22 Let }{\i\fs22 x}{\fs22\sub 0}{\fs22 denote the bit string of length }{\i\fs22 h}{\fs22 bits obtained by setting the leftmost bit of }{\i\fs22 c}{\fs22\sub 0}{\fs22 to 0. \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 4.\tab}}\pard \qj\fi-302\li648\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls24\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls24\adjustright {\fs22 For }{\i\fs22 i}{\fs22 from 1 to }{\i\fs22 s}{\fs22 do: \par }\pard \li648\sb120\sa180\nowidctlpar\widctlpar\tx20\tx300\tqr\tx9360{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\fs22 Compute }{\i\fs22 x}{\i\fs22\sub i}{\i\fs22 = }{\fs22 SHA\_1((seedE + }{\i\fs22 i}{\fs22 ) mod 2}{\fs22\super 160}{\fs22 ). \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 5.\tab}}\pard \qj\fi-302\li648\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls24\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls24\adjustright {\fs22 Let }{\i\fs22 x}{\i\fs22\sub U}{\i\fs22 }{\fs22 be the bit string obtained by the concatenation of }{\i\fs22 x}{\fs22\sub 0}{\fs22 , }{\i\fs22 x}{\fs22\sub 1}{\fs22 , \'85}{\i\fs22 , x}{\i\fs22\sub s}{\fs22 as follows: \par }\pard \li648\sb120\sa180\nowidctlpar\widctlpar\tx20\tx300\tx2880\tqr\tx9360{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\fs22 \tab }{\i\fs22 x}{\i\fs22\sub U}{\i\fs22 = x}{\fs22\sub 0}{\fs22 }{\fs22\expnd-6\expndtw-32 {\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}{\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 }{\i\fs22 x}{\fs22\sub 1}{\fs22 }{\fs22\expnd-6\expndtw-32 {\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt \f3\fs22}}{\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 \'85 }{\fs22\expnd-6\expndtw-32 {\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}{\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt \f3\fs22}}}{\i\fs22 x}{\i\fs22\sub s}{\fs22 . \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 6.\tab}}\pard \li346\sa180\nowidctlpar\widctlpar\tx20\tx260\tx310\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls24\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang{\pntxta .}} \ls24\adjustright {\fs22 If the equation }{\dn10 {\pict{\*\picprop\shplid1147{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}}{\sp{\sn fFlipV}{\sv 0}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}} {\sp{\sn fillColor}{\sv 268435473}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}}{\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}} \picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0\picw3069\pich635\picwgoal1740\pichgoal360\wmetafile8\bliptag577867315\blipupi-916{\*\blipuid 22718e33c1c5f7d9932d738a37cd14bf} 0100090000032f0100000200150000000000050000000902000000000400000002010100050000000102ffffff00040000002e01180005000000310201000000 050000000b0200000000050000000c024002e00a1200000026060f001a00ffffffff000010000000c0ffffffb7ffffffa00a0000f70100000b00000026060f00 0c004d617468547970650000500015000000fb0280fe0000000000009001010000000402001054696d6573204e657720526f6d616e002100040000002d010000 08000000320aa001da0901000000620008000000320aa0013d0602000000617808000000320aa001540301000000780008000000320aa0015e00010000007900 15000000fb0220ff0000000000009001010000000402001054696d6573204e657720526f6d616e002100040000002d01010004000000f001000008000000320a b301910701000000550008000000320ab301e80301000000550010000000fb0280fe0000000000009001000000020002001053796d626f6c0000040000002d01 000004000000f001010008000000320aa001c108010000002b0008000000320aa0011805010000002b0008000000320aa0011202010000003d0015000000fb02 20ff0000000000009001000000000402001054696d6573204e657720526f6d616e002100040000002d01010004000000f001000008000000320af4000c040100 0000330008000000320af40023010100000032000a00000026060f000a00ffffffff01000000000010000000fb021000070000000000bc02000000000102022253797374656d006e040000002d01000004000000f00101000300000000000000000002010000000000000000}}{\fs22 does not have a solution }{ \i\fs22 y}{\fs22 }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 }{\f15\fs22 F}{\i\fs22\sub p}{\fs22 , then go to step 1.}{\i\fs22 \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 7.\tab}}\pard \qj\fi-302\li648\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls24\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls24\adjustright {\fs22 Select an arbitrary solution }{\i\fs22 y}{\i\fs22\sub U}{\fs22 }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 }{\f15\fs22 F}{\i\fs22\sub p}{\fs22 to the equation }{\dn10 {\pict{\*\picprop\shplid1148{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}}{\sp{\sn fFlipV}{\sv 0}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}}{\sp{\sn fillColor}{\sv 268435473}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}} {\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}}\picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0 \picw3069\pich635\picwgoal1740\pichgoal360\wmetafile8\bliptag577867315\blipupi-916{\*\blipuid 22718e33c1c5f7d9932d738a37cd14bf}0100090000032f0100000200150000000000050000000902000000000400000002010100050000000102ffffff00040000002e01180005000000310201000000 050000000b0200000000050000000c024002e00a1200000026060f001a00ffffffff000010000000c0ffffffb7ffffffa00a0000f70100000b00000026060f00 0c004d617468547970650000500015000000fb0280fe0000000000009001010000000402001054696d6573204e657720526f6d616e002100040000002d010000 08000000320aa001da0901000000620008000000320aa0013d0602000000617808000000320aa001540301000000780008000000320aa0015e00010000007900 15000000fb0220ff0000000000009001010000000402001054696d6573204e657720526f6d616e002100040000002d01010004000000f001000008000000320a b301910701000000550008000000320ab301e80301000000550010000000fb0280fe0000000000009001000000020002001053796d626f6c0000040000002d01 000004000000f001010008000000320aa001c108010000002b0008000000320aa0011805010000002b0008000000320aa0011202010000003d0015000000fb02 20ff0000000000009001000000000402001054696d6573204e657720526f6d616e002100040000002d01010004000000f001000008000000320af4000c040100 0000330008000000320af40023010100000032000a00000026060f000a00ffffffff01000000000010000000fb021000070000000000bc02000000000102022253797374656d006e040000002d01000004000000f00101000300000000000000000002010000000000000000}}{\fs22 . \par }\pard \li648\sa180\nowidctlpar\widctlpar\tx20\tx300\tqr\tx9360{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\fs22 (Note: this equation will have either 1 or 2 distinct solutions. Hence the choice of }{\i\fs22 y}{\i\fs22\sub U}{\i\fs22 }{ \fs22 is}{\i\fs22 }{\fs22 essentially without loss of generality.) \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 8.\tab}}\pard \qj\fi-302\li648\sa180\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls24\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls24\adjustright {\fs22 Let }{\i\fs22 U}{\fs22 be the point (}{\i\fs22 x}{\i\fs22\sub U}{\fs22 , }{\i\fs22 y}{\i\fs22\sub U}{\fs22 ). \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 9.\tab}}\pard \qj\fi-302\li648\sa180\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls24\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls24\adjustright {\fs22 Compute }{\i\fs22 P}{\fs22 = }{\i\fs22 hU}{\fs22 . \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 10.\tab}}\pard \qj\fi-302\li648\sa180\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls24\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls24\adjustright {\fs22 If }{\i\fs22 P}{\fs22 = }{\f30\fs22 O}{\fs22 then go to step 1. \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 11.\tab}}\pard \li346\sa180\nowidctlpar\widctlpar\tx20\tx260\tx310\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls24\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang{\pntxta .}} \ls24\adjustright {\fs22 Output(seedP, }{\i\fs22 y}{\i\fs22\sub U}{\i\fs22 , P}{\fs22 ).}{\i\fs22 \par }\pard \li14\sb120\sa120\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b Algorithm 8: Verifying that an elliptic curve point was randomly generated \par }\pard \qj\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b\fs22 Input:}{\b\fs24 }{\fs22 A field size }{\i\fs22 p}{\fs22 (a prime), field elements }{\i\fs22 a, b }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{ \fs22 }{\f15\fs22 F}{\i\fs22\sub p}{\fs22 which define an elliptic curve }{\i\fs22 E }{\fs22 :}{\i\fs22 y}{\fs22\super 2}{\i\fs22 }{\fs22 =}{\i\fs22 x}{\fs22\super 3}{\i\fs22 }{\fs22 +}{\i\fs22 ax }{\fs22 +}{\i\fs22 b}{\fs22 over }{\f15\fs22 F}{ \i\fs22\sub p}{\fs22 , a bit string seedP of length 160 bits, a field element }{\i\fs22 y}{\i\fs22\sub U}{\fs22 }{\fs22 {\field{\*\fldinst SYMBOL 206 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 }{\f15\fs22 F}{\i\fs22\sub p}{\i\fs22 ,}{\fs22 and an elliptic curve point }{\i\fs22 P}{\fs22 = (}{\i\fs22 x}{\i\fs22\sub P}{\fs22 , }{\i\fs22 y}{\i\fs22\sub P}{\fs22 ). The order of }{\i\fs22 E}{\fs22 (}{\f15\fs22 F}{\i\fs22\sub p}{\fs22 ) is }{\i\fs22 n }{\fs16 {\field{\*\fldinst SYMBOL 183 \\f "Symbol" \\s 8}{\fldrslt\f3\fs16}}}{\i\fs22 h}{\fs22 , where }{\i\fs22 n}{\fs22 is a prime.}{\b\fs22 \par Output: }{\fs22 Acceptance or rejection that }{\i\fs22 P }{\fs22 was randomly generated using Algorithm 7.}{\fs24 \par }\pard \li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 1.\tab}}\pard \qj\fi-259\li605\sa180\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls25\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls25\adjustright {\fs22 Compute }{\i\fs22 H = }{\fs22 SHA\_1(seedP), and let }{\i\fs22 c}{\fs22\sub 0}{\fs22 denote the bit string of length }{\i\fs22 h }{\fs22 bits obtained by taking the }{\i\fs22 h }{\fs22 rightmost bits of }{\i\fs22 H.}{ \fs22 \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 2.\tab}}\pard \qj\fi-259\li605\sa180\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls25\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls25\adjustright {\fs22 Let }{\i\fs22 x}{\fs22\sub 0}{\fs22 denote the bit string of length }{\i\fs22 h}{\fs22 bits obtained by setting the leftmost bit of }{\i\fs22 c}{\fs22\sub 0}{\fs22 to 0. \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 3.\tab}}\pard \qj\fi-302\li648\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls25\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls25\adjustright {\fs22 For }{\i\fs22 i}{\fs22 from 1 to }{\i\fs22 s}{\fs22 do: \par }\pard \li648\sa180\nowidctlpar\widctlpar\tx20\tx300\tqr\tx9360{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\fs22 Compute }{\i\fs22 x}{\i\fs22\sub i}{\i\fs22 = }{\fs22 SHA\_1((seedE + }{\i\fs22 i}{\fs22 ) mod 2}{\fs22\super 160}{\fs22 ). \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 4.\tab}}\pard \qj\fi-302\li648\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls25\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls25\adjustright {\fs22 Let }{\i\fs22 x}{\i\fs22\sub U}{\i\fs22 }{\fs22 be the bit string obtained by the concatenation of }{\i\fs22 x}{\fs22\sub 0}{\fs22 , }{\i\fs22 x}{\fs22\sub 1}{\fs22 , \'85}{\i\fs22 , x}{\i\fs22\sub s}{\fs22 as follows: \par }\pard \li648\sa180\nowidctlpar\widctlpar\tx20\tx300\tx2880\tqr\tx9360{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\fs22 \tab }{\i\fs22 x}{\i\fs22\sub U}{\i\fs22 = x}{\fs22\sub 0}{\fs22 }{\fs22\expnd-6\expndtw-32 {\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}{\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 }{\i\fs22 x}{\fs22\sub 1}{\fs22 }{\fs22\expnd-6\expndtw-32 {\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}} {\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 \'85 }{\fs22\expnd-6\expndtw-32 {\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}{\field{\*\fldinst SYMBOL 234 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{ \i\fs22 x}{\i\fs22\sub s}{\fs22 . \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 5.\tab}}\pard \qj\fi-302\li648\sa180\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls25\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls25\adjustright {\fs22 Let }{\i\fs22 U}{\fs22 be the point (}{\i\fs22 x}{\i\fs22\sub U}{\fs22 , }{\i\fs22 y}{\i\fs22\sub U}{\fs22 ). \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 6.\tab}}\pard \qj\fi-302\li648\sa180\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls25\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls25\adjustright {\fs22 Verify that }{\i\fs22 U}{\fs22 satisfies the equation }{\i\fs22 y}{\fs22\super 2}{\i\fs22 }{\fs22 =}{\i\fs22 x}{\fs22\super 3}{\i\fs22 }{\fs22 +}{\i\fs22 ax }{\fs22 +}{\i\fs22 b}{\fs22 . \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 7.\tab}}\pard \qj\fi-302\li648\sa180\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls25\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls25\adjustright {\fs22 Compute }{\i\fs22 P}{\f6\fs22 \rquote }{\fs22 = }{\i\fs22 hU}{\fs22 . \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 8.\tab}}\pard \qj\fi-302\li648\sa180\nowidctlpar\widctlpar\tx20\tx260\tx300\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls25\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang {\pntxta .}}\ls25\adjustright {\fs22 If }{\i\fs22 P }{\f6\fs22 {\field{\*\fldinst SYMBOL 185 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\i\fs22 P}{\f6\fs22 \rquote }{\fs22 then reject. \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 9.\tab}}\pard \li346\sa180\nowidctlpar\widctlpar\tx20\tx260\tx310\jclisttab\tx648\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls25\pnrnot0\pndec\pnb0\pni0\pnstart1\pnindent648\pnhang{\pntxta .}} \ls25\adjustright {\fs22 Accept.}{\i\fs22 \par {\*\bkmkstart _Toc403967204}{\listtext\pard\plain\s2 \b\f1\expnd4\expndtw20\cf1\cgrid \hich\af1\dbch\af0\loch\f1 3.3\tab}}\pard\plain \s2\fi-576\li576\sb120\sa240\keepn\nowidctlpar\widctlpar \jclisttab\tx576\tx720\hyphpar0\ls28\ilvl1\outlinelevel1\adjustright \b\f1\expnd4\expndtw20\cf1\cgrid {Further details about the challenge{\*\bkmkend _Toc403967204} \par }\pard\plain \qj\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright \f4\fs20\lang1024\cgrid {\fs22 This subsection presents some more information about the challenge. Each problem posed is to compute the private key given the elliptic curve parameters, the base point }{\i\fs22 P}{\fs22 of order }{\i\fs22 n, }{\fs22 and the public key point }{\i\fs22 Q }{\fs22 . The }{\i\fs22 private key }{\fs22 is}{\i\fs22 }{\fs22 the }{\i\fs22 unique }{\fs22 integer }{\i\fs22 l}{\fs22 , 0 }{\fs22 {\field{\*\fldinst SYMBOL 163 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 }{\i\fs22 l}{\fs22 }{\fs22 {\field{\*\fldinst SYMBOL 163 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\fs22 }{\i\fs22 n }{\fs22 - 1}{\i\fs22 , }{\fs22 such that }{\i\fs22 Q}{\fs22 = }{\i\fs22 lP. }{\fs22 Each problem is therefore an instance of the elliptic curve discrete logarithm problem (ECDLP); see Section 2. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par }\pard \qj\fi340\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 With the exception of the Koblitz curves, all elliptic curves have been chosen randomly in a }{\i\fs22 verifiable }{\fs22 manner (see Sections 3.1.4 and 3.2.4) \emdash anyone can verify that the elliptic curve parameters were indeed generated at random. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par }\pard \qj\fi340\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 Another interesting feature of the challenge is that the points }{\i\fs22 P}{\fs22 and }{\i\fs22 Q}{\fs22 having order }{\i\fs22 n }{\fs22 were also chosen randomly in a }{ \i\fs22 verifiable }{\fs22 manner (see Sections 3.1.4 and 3.2.4). This means that each particular private key }{\i\fs22 l}{\fs22 is presently unknown even to the creators of the challenge!! However, any alleged solution }{\i\fs22 l}{\fs22 ' that is found to a challenge can easily be verified by checking that }{\i\fs22 Q}{\fs22 = }{\i\fs22 l'P. }{\fs22 The challenges presented here therefore adhere to the philosophy expressed by Matt Blaze [Blaze] at Crypto '97 that the solutions to a challenge should be unknown to the creators at the outset of the challenge. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par }\pard \li346\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 The problems have been separated into two categories: \par }\pard \qj\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 (i)\tab}}\pard \qj\fi-720\li1066\sa180\nowidctlpar\widctlpar\tx20\tx720\jclisttab\tx1066\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls26\pnrnot0\pnlcrm\pnstart1\pnindent1066\pnhang {\pntxtb (}{\pntxta )}}\ls26\adjustright {\fs22 elliptic curves over }{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 , and \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 (ii)\tab}}\pard \qj\fi-720\li1066\sa180\nowidctlpar\widctlpar\tx20\tx720\jclisttab\tx1066\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls26\pnrnot0\pnlcrm\pnstart1\pnindent1066\pnhang {\pntxtb (}{\pntxta )}}\ls26\adjustright {\fs22 elliptic curves over }{\f15\fs22 F}{\i\fs22\sub p}{\fs22 . \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \sect }\sectd \marglsxn1440\margrsxn1440\sbknone\linex0\endnhere\sectdefaultcl \pard\plain \qj\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright \f4\fs20\lang1024\cgrid {\fs22 There have not been any mathematical discoveries to date to suggest that the ECDLP for elliptic curves over }{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m}{\fs22 is any easier or harder that the ECDLP for elliptic curves over }{\f15\fs22 F}{\i\fs22\sub p} {\fs22 . \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par }\pard \li346\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 For each of these categories, the problems have been further divided into three sub\_categories: \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs24 \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 (i)\tab}}\pard \fi-720\li1066\sa180\nowidctlpar\widctlpar\tx20\tx720\jclisttab\tx1066\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls27\pnrnot0\pnlcrm\pnstart1\pnindent1066\pnhang {\pntxtb (}{\pntxta )}}\ls27\adjustright {\fs22 Exercises, \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 (ii)\tab}}\pard \fi-720\li1066\sa180\nowidctlpar\widctlpar\tx20\tx720\jclisttab\tx1066\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls27\pnrnot0\pnlcrm\pnstart1\pnindent1066\pnhang {\pntxtb (}{\pntxta )}}\ls27\adjustright {\fs22 Level I Challenges, and \par {\pntext\pard\plain\f4\fs22\lang1024\cgrid \hich\af4\dbch\af0\loch\f4 (iii)\tab}}\pard \fi-720\li1066\sa180\nowidctlpar\widctlpar\tx20\tx720\jclisttab\tx1066\tqr\tx9360{\*\pn \pnlvlbody\ilvl0\ls27\pnrnot0\pnlcrm\pnstart1\pnindent1066\pnhang {\pntxtb (}{\pntxta )}}\ls27\adjustright {\fs22 Level II Challenges. \par }\pard \qj\fi346\li14\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 These are distinguished by the size of the parameter }{\i\fs22 n, }{\fs22 the prime order of the base point }{\i\fs22 P}{\fs22 . As the size of }{\i\fs22 n }{\fs22 increases, the problem is expected to become harder. By a }{\i\fs22 k\_bit challenge, }{\fs22 we shall mean a challenge whose parameter }{\i\fs22 n }{\fs22 has bitlength }{\i\fs22 k}{\fs22 . \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs24 \par {\*\bkmkstart _Toc403967205}{\listtext\pard\plain\s2 \b\f1\expnd4\expndtw20\cf1\cgrid \hich\af1\dbch\af0\loch\f1 3.4\tab}}\pard\plain \s2\fi-576\li576\sa240\keepn\nowidctlpar\widctlpar\jclisttab\tx576\tx720\hyphpar0\ls28\ilvl1\outlinelevel1\adjustright \b\f1\expnd4\expndtw20\cf1\cgrid {Time estimates for exercises and challenges{\*\bkmkend _Toc403967205} \par }\pard\plain \qj\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright \f4\fs20\lang1024\cgrid {\fs22 This subsection provides a }{\i\fs22 very rough }{\fs22 estimate for the time to solve a }{\i\fs22 k}{\fs22 \_bit challenge with parameter }{\i\fs22 n. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\i\fs24 \par }\pard \qj\fi340\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 Recall from Section 2.2 that the distributed version of Pollard\rquote s rho algorithm using }{\i\fs22 m}{\fs22 processors takes approximately }{\dn8 {\pict{\*\picprop\shplid1149{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}}{\sp{\sn fFlipV}{\sv 0}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}}{\sp{\sn fillColor}{\sv 268435473}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}} {\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}}\picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0 \picw1870\pich635\picwgoal1060\pichgoal360\wmetafile8\bliptag-1580071647\blipupi2303{\*\blipuid a1d205212e5225b9f1e49d28b0d84a26} 010009000003300100000400150000000000050000000902000000000400000002010100050000000102ffffff00040000002e01180005000000310201000000 050000000b0200000000050000000c024002a0061200000026060f001a00ffffffff000010000000c0ffffffb6ffffff60060000f60100000b00000026060f00 0c004d617468547970650000400009000000fa02000010000000000000002200040000002d010000050000001402680148000500000013024c01790009000000 fa02000020000000000000002200040000002d01010005000000140254017900050000001302d601c000040000002d010000050000001402d601c80005000000 1302520026010500000014025200260105000000130252005a0415000000fb0280fe0000000000009001010000000402001054696d6573204e657720526f6d61 6e000200040000002d01020008000000320ac0014005010000006d0008000000320ac001f201010000006e0015000000fb0280fe000000000000900100000000 0402001054696d6573204e657720526f6d616e002100040000002d01030004000000f001020008000000320ac0019a04010000002f0008000000320ac0018c03 01000000320008000000320ac001e602010000002f0010000000fb0280fe0000000000009001010000020002001053796d626f6c0000040000002d0102000400 0000f001030008000000320ac00120010100000070000a00000026060f000a00ffffffff01000000000010000000fb021000070000000000bc02000000000102022253797374656d006e040000002d01030004000000f0010200030000000000000000000000000000f40ea000000000}}{\fs22 steps. Here, each \ldblquote step\rdblquote is an elliptic curve addition or double. Thus, if a computer can perform a point operation in }{\i\fs22 s}{\fs22 microseconds, then the number of computer days required before a discrete logarithm is found is expected to be roughly \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs24 \par }\pard \li20\nowidctlpar\widctlpar\tx20\tx2160\tqr\tx9360\adjustright {\fs24 \tab }{\dn24 {\pict{\*\picprop\shplid1150{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}}{\sp{\sn fFlipV}{\sv 0}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}} {\sp{\sn fillColor}{\sv 268435473}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}}{\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}} \picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0\picw6632\pich1164\picwgoal3760\pichgoal660\wmetafile8\bliptag-598075987\blipupi-756{\*\blipuid dc5a15ad13535aff08ae5a3264761a1f} 010009000003580200000400150000000000050000000902000000000400000002010100050000000102ffffff00040000002e01180005000000310201000000 050000000b0200000000050000000c02200480171200000026060f001a00ffffffff000010000000c0ffffffa5ffffff40170000c50300000b00000026060f00 0c004d617468547970650000c00009000000fa02000010000000000000002200040000002d010000050000001402400240000500000013024002640705000000 14024802c8080500000013022c02f90809000000fa02000020000000000000002200040000002d0101000500000014023402f908050000001302b60240090400 00002d010000050000001402b60248090500000013023201a6090500000014023201a6090500000013023201da0c05000000140248020d150500000013022c02 3e15040000002d01010005000000140234023e15050000001302b6028515040000002d010000050000001402b6028d150500000013023201eb15050000001402 3201eb150500000013023201d71615000000fb0280fe0000000000009001000000000402001054696d6573204e657720526f6d616e002d00040000002d010200 08000000320aa002d71601000000200008000000320aa002601101000000320008000000320aa002ba0e02000000202009000000320aa002da0c030000002020 200008000000320aa0020c0c01000000320008000000320aa002660b010000002f0008000000320ac803d60502000000323408000000320ac803120302000000 363008000000320ac803540002000000363008000000320ab2016b0302000000313015000000fb0220ff0000000000009001000000000402001054696d657320 4e657720526f6d616e008d00040000002d01030004000000f001020008000000320af401b41202000000333608000000320a0601700501000000360015000000 fb0280fe0000000000009001010000000402001054696d6573204e657720526f6d616e002d00040000002d01020004000000f001030008000000320aa0020316 010000006e0008000000320aa0027a0f01000000730008000000320aa002720a010000006e0008000000320ab201af0101000000730010000000fb0280fe0000 000000009001000000020002001053796d626f6c0000040000002d01030004000000f001020008000000320aa002eb1301000000b40008000000320aa0024c10 01000000b40008000000320aa002f40d01000000bb0008000000320aa002a60701000000b40008000000320ac803c20401000000b40008000000320ac8030402 01000000b40008000000320ab201810201000000b40010000000fb0220ff0000000000009001000000020002001053796d626f6c0000040000002d0102000400 0000f001030008000000320af4012b12010000002d0008000000320a0601f604010000002d0010000000fb0280fe000000000000900101000002000200105379 6d626f6c0000040000002d01030004000000f001020008000000320aa002a0090100000070000a00000026060f000a00ffffffff01000000000010000000fb02 1000070000000000bc02000000000102022253797374656d006e040000002d01020004000000f001030003000000000000ffffff000000000000000000000000}}{\fs24 machine days. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs24 \par }\pard \qj\fi340\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 To illustrate this, consider solving an instance of the ECDLP over }{\f15\fs22 F}{\fs22\sub 2}{\fs22\up6\sub 89}{\fs22 with }{\i\fs22 n }{\fs22 {\field{\*\fldinst SYMBOL 187 \\f "Symbol" \\s 11}{\fldrslt\f3\fs22}}}{\i\fs22 }{\fs22 2}{\fs22\super 89}{\fs22 . A fast implementation of elliptic curve operations on a widely available computer, say a Pentium 100, for a curve over }{\f15\fs22 F}{\fs22\sub 2}{\fs22\up6\sub 89}{ \fs22 might take on the order of 50 micro seconds for a point operation. Thus such an implementation would require \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par }\pard \li20\nowidctlpar\widctlpar\tx20\tx2160\tqr\tx9360\adjustright {\fs22 \tab }{\dn6 {\pict{\*\picprop\shplid1151{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}}{\sp{\sn fFlipV}{\sv 0}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}} {\sp{\sn fillColor}{\sv 268435473}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}}{\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}} \picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0\picw4551\pich670\picwgoal2580\pichgoal380\wmetafile8\bliptag1227853198\blipupi18{\*\blipuid 492f8d8ede228351ef606ad3dd0ad2a5} 0100090000037c0100000400150000000000050000000902000000000400000002010100050000000102ffffff00040000002e01180005000000310201000000 050000000b0200000000050000000c02600220101200000026060f001a00ffffffff000010000000c0ffffffa7ffffffe00f0000070200000b00000026060f00 0c004d617468547970650000300009000000fa02000010000000000000002200040000002d01000005000000140291018e060500000013027501bf0609000000 fa02000020000000000000002200040000002d0101000500000014027d01bf0605000000130210020607040000002d01000005000000140210020e0705000000 130261006c0705000000140261006c070500000013026100580915000000fb0280fe0000000000009001000000000402001054696d6573204e657720526f6d61 6e000000040000002d0102000a000000320a0002280c0500000031383130300009000000320a0002380b030000002020200009000000320a0002580903000000 2020200008000000320a0002840701000000320008000000320a0002f10201000000320008000000320a00022e0002000000353015000000fb0220ff00000000 00009001000000000402001054696d6573204e657720526f6d616e001900040000002d01030004000000f001020008000000320a540143080200000038390800 0000320a5401350402000000333610000000fb0280fe0000000000009001000000020002001053796d626f6c0000040000002d01020004000000f00103000800 0000320a0002720a01000000bb0008000000320a00026c0501000000b40008000000320a0002dd0101000000b40010000000fb0220ff00000000000090010000 00020002001053796d626f6c0000040000002d01030004000000f001020008000000320a5401bb03010000002d000a00000026060f000a00ffffffff01000000 000010000000fb021000070000000000bc02000000000102022253797374656d006e040000002d01020004000000f001030003000000000000ffffff00ffffff0000000000000000}}{\fs22 machine days \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par }\pard \qj\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 to find a single discrete logarithm. So, for example, one such machine running 24 hours a day would require 18100 days. A network of 3000 such machines would require about 6 days. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par }\pard \qj\fi320\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 An implementation report of the Pollard rho algorithm for solving the ECDLP can be found in [HMV]. \par {\*\bkmkstart _Toc403967206}{\listtext\pard\plain\s1 \b\f1\fs28\expnd4\expndtw20\cf1\cgrid \hich\af1\dbch\af0\loch\f1 4\tab}}\pard\plain \s1\fi-432\li432\sb240\sa240\keepn\nowidctlpar\widctlpar \jclisttab\tx432\tx720\hyphpar0\ls28\outlinelevel0\adjustright \b\f1\fs28\expnd4\expndtw20\cf1\cgrid {Exercise Lists and Challenge Lists{\*\bkmkend _Toc403967206} \par {\*\bkmkstart _Toc403967207}{\listtext\pard\plain\s2 \b\f1\expnd4\expndtw20\cf1\cgrid \hich\af1\dbch\af0\loch\f1 4.1\tab}}\pard\plain \s2\fi-576\li576\sa240\keepn\nowidctlpar\widctlpar\jclisttab\tx576\tx720\hyphpar0\ls28\ilvl1\outlinelevel1\adjustright \b\f1\expnd4\expndtw20\cf1\cgrid {Elliptic curves over }{\b0\f15 F}{\sub 2}{\i\up6\sub m}{{\*\bkmkend _Toc403967207} \par }\pard\plain \qj\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright \f4\fs20\lang1024\cgrid {\fs22 In the following tables, ECC2\_}{\i\fs22 k}{\fs22 denotes that the exercise or challenge is over a field }{\f15\fs22 F}{\fs22\sub 2}{\i\fs22\up6\sub m} {\fs22 , and that the parameter }{\i\fs22 n }{\fs22 has bitlength }{\i\fs22 k}{\fs22 . Furthermore, ECC2K\_}{\i\fs22 k}{\fs22 denotes that the elliptic curve used is a Koblitz curve (see Section 3.1.3), rather than a randomly generated curve. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par }\pard \qj\fi340\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 For a description of the format of the challenge parameters, see Section 3.1.3. For further details about the challenge, see Section 3.3. The time estimates for each exercise and challenge were derived as in Section 3.4. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par }\pard \qj\fi340\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 Using these timings, it is expected that the 79\_bit exercise could be solved in a matter of hours, the 89\_bit exercise could be solved in a matter of days, and the 97\_ bit exercise in a matter of weeks using a network of 3000 computers. \par \par The 109\_bit Level I challenge is feasible using a very large network of computers. The 131\_bit Level I challenge is expected to be infeasible against realistic software and hardware attacks, unless of course a new algorithm for the ECDLP is discovered. \par \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par }\pard \qj\fi340\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 The Level II challenges are infeasible given today\rquote s computer technology and knowledge. The elliptic curves for these challeng es meet the stringent security requirements imposed by forthcoming ANSI banking standards [X962, X963]. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par \par {\*\bkmkstart _Toc403967208}{\listtext\pard\plain\s3 \b\f1\fs22\cf1\cgrid \hich\af1\dbch\af0\loch\f1 4.1.1\tab}}\pard\plain \s3\fi-720\li720\sa240\keepn\nowidctlpar\widctlpar\jclisttab\tx720\hyphpar0\ls28\ilvl2\outlinelevel2\adjustright \b\f1\cf1\cgrid { \fs22 Exercises{\*\bkmkend _Toc403967208} \par }\trowd \trgaph108\trleft468\trbrdrt\brdrs\brdrw10 \trbrdrl\brdrs\brdrw10 \trbrdrb\brdrs\brdrw10 \trbrdrr\brdrs\brdrw10 \trbrdrh\brdrs\brdrw10 \trbrdrv\brdrs\brdrw10 \clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr \brdrs\brdrw10 \cltxlrtb \cellx1908\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx3348\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr \brdrs\brdrw10 \cltxlrtb \cellx5310\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx8910\pard\plain \qc\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright \f4\fs20\lang1024\cgrid { \fs22 Exercise}{\b\fs22 \cell }{\fs22 Field size \par (in bits)}{\b\fs22 \cell }{\fs22 Estimated number \par of machine days}{\b\fs22 \cell }{\fs22 Prize \par (US$)}{\b\fs22 \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\b\fs22 \row }\trowd \trgaph108\trleft468\trbrdrt\brdrs\brdrw10 \trbrdrl\brdrs\brdrw10 \trbrdrb\brdrs\brdrw10 \trbrdrr\brdrs\brdrw10 \trbrdrh\brdrs\brdrw10 \trbrdrv\brdrs\brdrw10 \clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx1908\clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx3348\clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl \brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx5310\clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx8910\pard \sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 ECC2\_79}{\b\fs22 \cell }\pard \qc\sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 79\cell 565}{\b\fs22 \cell }{\i\fs22 Handbook of Applied Cryptography & Maple V software}{\b\i\fs22 \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\b\fs22 \row }\trowd \trgaph108\trleft468\trbrdrt\brdrs\brdrw10 \trbrdrl\brdrs\brdrw10 \trbrdrb\brdrs\brdrw10 \trbrdrr\brdrs\brdrw10 \trbrdrh\brdrs\brdrw10 \trbrdrv\brdrs\brdrw10 \clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx1908\clvertalt \clbrdrl\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx3348\clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx5310\clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx8910\pard \sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 ECC2\_89}{\b\fs22 \cell }\pard \qc\sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 89\cell 18100}{\b\fs22 \cell }{\i\fs22 Handbook of Applied Cryptograp hy & Maple V software}{\b\i\fs22 \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\b\fs22 \row }\pard \sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 ECC2K\_95}{\b\fs22 \cell }\pard \qc\sb60\nowidctlpar\widctlpar\intbl \tx20\tqr\tx9360\adjustright {\fs22 97\cell 144815}{\b\fs22 \cell }{\fs22 $ 5,000}{\b\fs22 \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\b\fs22 \row }\trowd \trgaph108\trleft468\trbrdrt\brdrs\brdrw10 \trbrdrl\brdrs\brdrw10 \trbrdrb \brdrs\brdrw10 \trbrdrr\brdrs\brdrw10 \trbrdrh\brdrs\brdrw10 \trbrdrv\brdrs\brdrw10 \clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx1908\clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr \brdrs\brdrw10 \cltxlrtb \cellx3348\clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx5310\clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx8910\pard \sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 ECC2\_97}{\b\fs22 \cell }\pard \qc\sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 97\cell 289000}{\b\fs22 \cell }{\fs22 $ 5,000}{\b\fs22 \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\b\fs22 \row }\pard \li346\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b\fs22 \par }\pard \nowidctlpar\widctlpar\tx20\tx1640\tqr\tx4200\tx4440\tqr\tx9360\adjustright {\fs22 \par {\*\bkmkstart _Toc403967209}{\listtext\pard\plain\s3 \b\f1\fs22\cf1\cgrid \hich\af1\dbch\af0\loch\f1 4.1.2\tab}}\pard\plain \s3\fi-720\li720\sa240\keepn\nowidctlpar\widctlpar\jclisttab\tx720\hyphpar0\ls28\ilvl2\outlinelevel2\adjustright \b\f1\cf1\cgrid { \fs22 Level I challenges{\*\bkmkend _Toc403967209} \par }\trowd \trgaph108\trleft468\trbrdrt\brdrs\brdrw10 \trbrdrl\brdrs\brdrw10 \trbrdrb\brdrs\brdrw10 \trbrdrr\brdrs\brdrw10 \trbrdrh\brdrs\brdrw10 \trbrdrv\brdrs\brdrw10 \clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr \brdrs\brdrw10 \cltxlrtb \cellx1908\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx3348\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr \brdrs\brdrw10 \cltxlrtb \cellx5310\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx8910\pard\plain \qc\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright \f4\fs20\lang1024\cgrid { \fs22 Challenge}{\b\fs22 \cell }{\fs22 Field size \par (in bits)}{\b\fs22 \cell }{\fs22 Estimated number \par of machine days}{\b\fs22 \cell }{\fs22 Prize \par (US$)}{\b\fs22 \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\b\fs22 \row }\trowd \trgaph108\trleft468\trbrdrt\brdrs\brdrw10 \trbrdrl\brdrs\brdrw10 \trbrdrb\brdrs\brdrw10 \trbrdrr\brdrs\brdrw10 \trbrdrh\brdrs\brdrw10 \trbrdrv\brdrs\brdrw10 \clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx1908\clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx3348\clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx5310\clvertalt\clbrdrl \brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx8910\pard \sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 ECC2K\_108}{\b\fs22 \cell }\pard \qc\sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 109\cell 1.31 }{ \f1\fs22 x}{\fs22 10}{\fs22\super 7}{\b\fs22 \cell }{\fs22 $ 10,000}{\b\fs22 \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\b\fs22 \row }\pard \sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 ECC2\_109}{\b\fs22 \cell }\pard \qc\sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 109\cell 1.85 }{\f1\fs22 x}{\fs22 10}{\fs22\super 7}{\b\fs22 \cell }{\fs22 $ 10,000}{\b\fs22 \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\b\fs22 \row }\pard \sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 ECC2K\_130}{\b\fs22 \cell }\pard \qc\sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 131\cell 2.68}{\f1\fs22 x}{\fs22 10}{\fs22\super 10}{\b\fs22 \cell }{\fs22 $ 20,000}{\b\fs22 \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\b\fs22 \row }\trowd \trgaph108\trleft468\trbrdrt\brdrs\brdrw10 \trbrdrl\brdrs\brdrw10 \trbrdrb\brdrs\brdrw10 \trbrdrr\brdrs\brdrw10 \trbrdrh\brdrs\brdrw10 \trbrdrv\brdrs\brdrw10 \clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx1908\clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx3348\clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx5310\clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx8910\pard \sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 ECC2\_131}{\b\fs22 \cell }\pard \qc\sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 131\cell 3.79}{\f1\fs22 x}{\fs22 10}{\fs22\super 10}{\b\fs22 \cell }{\fs22 $ 20,000}{\b\fs22 \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\b\fs22 \row }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b\fs22 \par \par {\*\bkmkstart _Toc403967210}{\listtext\pard\plain\s3 \b\f1\fs22\cf1\cgrid \hich\af1\dbch\af0\loch\f1 4.1.3\tab}}\pard\plain \s3\fi-720\li720\sa360\keepn\nowidctlpar\widctlpar\jclisttab\tx720\hyphpar0\ls28\ilvl2\outlinelevel2\adjustright \b\f1\cf1\cgrid { \fs22 Level II challenges{\*\bkmkend _Toc403967210} \par }\trowd \trgaph108\trleft468\trbrdrt\brdrs\brdrw10 \trbrdrl\brdrs\brdrw10 \trbrdrb\brdrs\brdrw10 \trbrdrr\brdrs\brdrw10 \trbrdrh\brdrs\brdrw10 \trbrdrv\brdrs\brdrw10 \clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr \brdrs\brdrw10 \cltxlrtb \cellx1908\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx3348\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr \brdrs\brdrw10 \cltxlrtb \cellx5310\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx8910\pard\plain \qc\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright \f4\fs20\lang1024\cgrid { \fs22 Challenge}{\b\fs22 \cell }{\fs22 Field size \par (in bits)}{\b\fs22 \cell }{\fs22 Estimated number \par of machine days}{\b\fs22 \cell }{\fs22 Prize \par (US$)}{\b\fs22 \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\b\fs22 \row }\trowd \trgaph108\trleft468\trbrdrt\brdrs\brdrw10 \trbrdrl\brdrs\brdrw10 \trbrdrb\brdrs\brdrw10 \trbrdrr\brdrs\brdrw10 \trbrdrh\brdrs\brdrw10 \trbrdrv\brdrs\brdrw10 \clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx1908\clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx3348\clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl \brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx5310\clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx8910\pard \sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 ECC2\_163}{\b\fs22 \cell }\pard \qc\sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 163\cell 2.48 }{\f1\fs22 x}{\fs22 10}{\fs22\super 15}{\b\fs22 \cell }{\fs22 $ 30,000}{\b\fs22 \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\b\fs22 \row }\trowd \trgaph108\trleft468\trbrdrt\brdrs\brdrw10 \trbrdrl\brdrs\brdrw10 \trbrdrb\brdrs\brdrw10 \trbrdrr\brdrs\brdrw10 \trbrdrh\brdrs\brdrw10 \trbrdrv\brdrs\brdrw10 \clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx1908\clvertalt \clbrdrl\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx3348\clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx5310\clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx8910\pard \sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 ECC2K\_163}{\b\fs22 \cell }\pard \qc\sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 163\cell 2.48 }{\f1\fs22 x}{\fs22 10}{\fs22\super 15}{\b\fs22 \cell }{\fs22 $ 30,000}{\b\fs22 \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\b\fs22 \row }\pard \sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 ECC2\_191}{\b\fs22 \cell }\pard \qc\sb60\nowidctlpar\widctlpar\intbl \tx20\tqr\tx9360\adjustright {\fs22 191\cell 4.07 }{\f1\fs22 x}{\fs22 10}{\fs22\super 19}{\b\fs22 \cell }{\fs22 $ 40,000}{\b\fs22 \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\b\fs22 \row }\pard \sb60\nowidctlpar\widctlpar\intbl \tx20\tqr\tx9360\adjustright {\fs22 ECC2\_238}{\b\fs22 \cell }\pard \qc\sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 239\cell 4.84 }{\f1\fs22 x}{\fs22 10}{\fs22\super 26}{\b\fs22 \cell }{\fs22 $ 50,000}{\b\fs22 \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\b\fs22 \row }\pard \sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 ECC2K\_238}{\b\fs22 \cell }\pard \qc\sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 239\cell 4.84 }{ \f1\fs22 x}{\fs22 10}{\fs22\super 26}{\b\fs22 \cell }{\fs22 $ 50,000}{\b\fs22 \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\b\fs22 \row }\pard \sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 ECC2\_353}{\b\fs22 \cell }\pard \qc\sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 359\cell 9.86 }{\f1\fs22 x}{\fs22 10}{\fs22\super 43}{\b\fs22 \cell }{\fs22 $ 100,000}{\b\fs22 \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\b\fs22 \row }\trowd \trgaph108\trleft468\trbrdrt\brdrs\brdrw10 \trbrdrl\brdrs\brdrw10 \trbrdrb\brdrs\brdrw10 \trbrdrr\brdrs\brdrw10 \trbrdrh\brdrs\brdrw10 \trbrdrv\brdrs\brdrw10 \clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx1908\clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx3348\clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx5310\clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrb \brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx8910\pard \sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 ECC2K\_358}{\b\fs22 \cell }\pard \qc\sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 359\cell 5.58 }{ \f1\fs22 x}{\fs22 10}{\fs22\super 44}{\b\fs22 \cell }{\fs22 $ 100,000}{\b\fs22 \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\b\fs22 \row }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b\fs22 \par }\pard \nowidctlpar\widctlpar\tx20\tx1700\tx3260\tx4540\tqr\tx9360\adjustright {\fs22 \par {\*\bkmkstart _Toc403967211}{\listtext\pard\plain\s2 \b\f1\expnd4\expndtw20\cf1\cgrid \hich\af1\dbch\af0\loch\f1 4.2\tab}}\pard\plain \s2\fi-576\li576\sa240\keepn\nowidctlpar\widctlpar\jclisttab\tx576\tx720\hyphpar0\ls28\ilvl1\outlinelevel1\adjustright \b\f1\expnd4\expndtw20\cf1\cgrid {Elliptic curves over }{\b0\f15 F}{\i\sub p}{{\*\bkmkend _Toc403967211} \par }\pard\plain \qj\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright \f4\fs20\lang1024\cgrid {\fs22 In the following tables, ECCp\_}{\i\fs22 k}{\fs22 denotes that the exercise or challenge is over a field }{\f15\fs24 F}{\i\fs22\sub p}{\fs22 (}{ \i\fs22 p}{\fs22 prime), and that the parameter }{\i\fs22 n}{\fs22 has bitlength }{\i\fs22 k}{\fs22 . \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par }\pard \qj\fi340\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 For a description of the format of the challenge parameters, see Section 3. 2.3. For further details about the challenge, see Section 3.3. The time estimates for each exercise and challenge were derived as in Section 3.4. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par }\pard \qj\fi340\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 Using these timings, it is expected that the 79\_bit exercise could be solved in a matter of hours, the 89\_bit exercise could be solved in a matter of days, and the 97\_ bit exercise in a matter of weeks using a network of 3000 computers. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par }\pard \qj\fi340\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 The 109\_bit Level I challenge is feasible using a very large network of computers. The 131\_bit Level I challenge is expected to be infeasible against realistic software and hardware attacks, unless of course a new algorithm for the ECDLP is discovered. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par }\pard \qj\fi340\li20\nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 The Level II challenges are infeasible given today\rquote s computer technology and knowledge. The elliptic curves for these challenges m eet the stringent security requirements imposed by forthcoming ANSI banking standards [X962, X963]. \par }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\fs22 \par \par {\*\bkmkstart _Toc403967212}{\listtext\pard\plain\s3 \b\f1\fs22\cf1\cgrid \hich\af1\dbch\af0\loch\f1 4.2.1\tab}}\pard\plain \s3\fi-720\li720\sa240\keepn\nowidctlpar\widctlpar\jclisttab\tx720\hyphpar0\ls28\ilvl2\outlinelevel2\adjustright \b\f1\cf1\cgrid { \fs22 Exercises{\*\bkmkend _Toc403967212} \par }\trowd \trgaph108\trleft468\trbrdrt\brdrs\brdrw10 \trbrdrl\brdrs\brdrw10 \trbrdrb\brdrs\brdrw10 \trbrdrr\brdrs\brdrw10 \trbrdrh\brdrs\brdrw10 \trbrdrv\brdrs\brdrw10 \clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr \brdrs\brdrw10 \cltxlrtb \cellx1908\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx3348\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr \brdrs\brdrw10 \cltxlrtb \cellx5310\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx8910\pard\plain \qc\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright \f4\fs20\lang1024\cgrid { \fs22 Exercise}{\b\fs22 \cell }{\fs22 Field size \par (in bits)}{\b\fs22 \cell }{\fs22 Estimated number \par of machine days}{\b\fs22 \cell }{\fs22 Prize \par (US$)}{\b\fs22 \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\b\fs22 \row }\trowd \trgaph108\trleft468\trbrdrt\brdrs\brdrw10 \trbrdrl\brdrs\brdrw10 \trbrdrb\brdrs\brdrw10 \trbrdrr\brdrs\brdrw10 \trbrdrh\brdrs\brdrw10 \trbrdrv\brdrs\brdrw10 \clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx1908\clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx3348\clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl \brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx5310\clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx8910\pard \sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 ECCp\_79}{\b\fs22 \cell }\pard \qc\sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 79\cell 565}{\b\fs22 \cell }{\i\fs22 Handbook of Applied Cryptography & Maple V software}{\b\i\fs22 \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\b\fs22 \row }\trowd \trgaph108\trleft468\trbrdrt\brdrs\brdrw10 \trbrdrl\brdrs\brdrw10 \trbrdrb\brdrs\brdrw10 \trbrdrr\brdrs\brdrw10 \trbrdrh\brdrs\brdrw10 \trbrdrv\brdrs\brdrw10 \clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx1908\clvertalt \clbrdrl\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx3348\clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx5310\clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx8910\pard \sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 ECCp\_89}{\b\fs22 \cell }\pard \qc\sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 89\cell 18100}{\b\fs22 \cell }{\i\fs22 Handbook of Applied Cryptograp hy & Maple V software}{\b\i\fs22 \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\b\fs22 \row }\trowd \trgaph108\trleft468\trbrdrt\brdrs\brdrw10 \trbrdrl\brdrs\brdrw10 \trbrdrb\brdrs\brdrw10 \trbrdrr\brdrs\brdrw10 \trbrdrh\brdrs\brdrw10 \trbrdrv \brdrs\brdrw10 \clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx1908\clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx3348\clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrb \brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx5310\clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx8910\pard \sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 ECCp\_97}{\b\fs22 \cell }\pard \qc\sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 97\cell 289000}{\b\fs22 \cell }{\fs22 $ 5,000}{\b\fs22 \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\b\fs22 \row }\pard \nowidctlpar\widctlpar \tx20\tqr\tx9360\adjustright {\b\fs22 \par \par {\*\bkmkstart _Toc403967213}{\listtext\pard\plain\s3 \b\f1\fs22\cf1\cgrid \hich\af1\dbch\af0\loch\f1 4.2.2\tab}}\pard\plain \s3\fi-720\li720\sa240\keepn\nowidctlpar\widctlpar\jclisttab\tx720\hyphpar0\ls28\ilvl2\outlinelevel2\adjustright \b\f1\cf1\cgrid { \fs22 Level I challenges{\*\bkmkend _Toc403967213} \par }\trowd \trgaph108\trleft468\trbrdrt\brdrs\brdrw10 \trbrdrl\brdrs\brdrw10 \trbrdrb\brdrs\brdrw10 \trbrdrr\brdrs\brdrw10 \trbrdrh\brdrs\brdrw10 \trbrdrv\brdrs\brdrw10 \clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr \brdrs\brdrw10 \cltxlrtb \cellx1908\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx3348\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr \brdrs\brdrw10 \cltxlrtb \cellx5310\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx8910\pard\plain \qc\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright \f4\fs20\lang1024\cgrid { \fs22 Challenge}{\b\fs22 \cell }{\fs22 Field size \par (in bits)}{\b\fs22 \cell }{\fs22 Estimated number \par of machine days}{\b\fs22 \cell }{\fs22 Prize \par (US$)}{\b\fs22 \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\b\fs22 \row }\trowd \trgaph108\trleft468\trbrdrt\brdrs\brdrw10 \trbrdrl\brdrs\brdrw10 \trbrdrb\brdrs\brdrw10 \trbrdrr\brdrs\brdrw10 \trbrdrh\brdrs\brdrw10 \trbrdrv\brdrs\brdrw10 \clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx1908\clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx3348\clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl \brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx5310\clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx8910\pard \sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 ECCp\_109}{\b\fs22 \cell }\pard \qc\sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 109\cell 1.85 }{\f1\fs22 x}{\fs22 10}{\fs22\super 7}{\b\fs22 \cell }{\fs22 $ 10,000}{\b\fs22 \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\b\fs22 \row }\trowd \trgaph108\trleft468\trbrdrt\brdrs\brdrw10 \trbrdrl\brdrs\brdrw10 \trbrdrb\brdrs\brdrw10 \trbrdrr\brdrs\brdrw10 \trbrdrh\brdrs\brdrw10 \trbrdrv\brdrs\brdrw10 \clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx1908\clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx3348\clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx5310\clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrb \brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx8910\pard \sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 ECCp\_131}{\b\fs22 \cell }\pard \qc\sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 131\cell 3.79}{ \f1\fs22 x}{\fs22 10}{\fs22\super 10}{\b\fs22 \cell }{\fs22 $ 20,000}{\b\fs22 \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\b\fs22 \row }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b\fs22 \par \par {\*\bkmkstart _Toc403967214}{\listtext\pard\plain\s3 \b\f1\fs22\cf1\cgrid \hich\af1\dbch\af0\loch\f1 4.2.3\tab}}\pard\plain \s3\fi-720\li720\sa240\keepn\nowidctlpar\widctlpar\jclisttab\tx720\hyphpar0\ls28\ilvl2\outlinelevel2\adjustright \b\f1\cf1\cgrid { \fs22 Level II challenges{\*\bkmkend _Toc403967214} \par }\trowd \trgaph108\trleft468\trbrdrt\brdrs\brdrw10 \trbrdrl\brdrs\brdrw10 \trbrdrb\brdrs\brdrw10 \trbrdrr\brdrs\brdrw10 \trbrdrh\brdrs\brdrw10 \trbrdrv\brdrs\brdrw10 \clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr \brdrs\brdrw10 \cltxlrtb \cellx1908\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx3348\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr \brdrs\brdrw10 \cltxlrtb \cellx5310\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx8910\pard\plain \qc\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright \f4\fs20\lang1024\cgrid { \fs22 Challenge}{\b\fs22 \cell }{\fs22 Field size \par (in bits)}{\b\fs22 \cell }{\fs22 Estimated number \par of machine days}{\b\fs22 \cell }{\fs22 Prize \par (US$)}{\b\fs22 \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\b\fs22 \row }\trowd \trgaph108\trleft468\trbrdrt\brdrs\brdrw10 \trbrdrl\brdrs\brdrw10 \trbrdrb\brdrs\brdrw10 \trbrdrr\brdrs\brdrw10 \trbrdrh\brdrs\brdrw10 \trbrdrv\brdrs\brdrw10 \clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx1908\clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx3348\clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl \brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx5310\clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx8910\pard \sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 ECCp\_163}{\b\fs22 \cell }\pard \qc\sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 163\cell 2.48 }{\f1\fs22 x}{\fs22 10}{\fs22\super 15}{\b\fs22 \cell }{\fs22 $ 30,000}{\b\fs22 \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\b\fs22 \row }\trowd \trgaph108\trleft468\trbrdrt\brdrs\brdrw10 \trbrdrl\brdrs\brdrw10 \trbrdrb\brdrs\brdrw10 \trbrdrr\brdrs\brdrw10 \trbrdrh\brdrs\brdrw10 \trbrdrv\brdrs\brdrw10 \clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx1908\clvertalt \clbrdrl\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx3348\clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx5310\clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx8910\pard \sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 ECCp\_191}{\b\fs22 \cell }\pard \qc\sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 191\cell 4.07 }{\f1\fs22 x}{\fs22 10}{\fs22\super 19}{\b\fs22 \cell }{\fs22 $ 40,000}{\b\fs22 \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\b\fs22 \row }\pard \sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 ECCp\_239}{\b\fs22 \cell }\pard \qc\sb60\nowidctlpar\widctlpar\intbl \tx20\tqr\tx9360\adjustright {\fs22 239\cell 6.83 }{\f1\fs22 x}{\fs22 10}{\fs22\super 26}{\b\fs22 \cell }{\fs22 $ 50,000}{\b\fs22 \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\b\fs22 \row }\trowd \trgaph108\trleft468\trbrdrt\brdrs\brdrw10 \trbrdrl\brdrs\brdrw10 \trbrdrb\brdrs\brdrw10 \trbrdrr\brdrs\brdrw10 \trbrdrh\brdrs\brdrw10 \trbrdrv\brdrs\brdrw10 \clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx1908\clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrb \brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx3348\clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx5310\clvertalt\clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx8910\pard \sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 ECCp\_359}{\b\fs22 \cell }\pard \qc\sb60\nowidctlpar\widctlpar\intbl\tx20\tqr\tx9360\adjustright {\fs22 359\cell 7.88 }{\f1\fs22 x}{\fs22 10}{\fs22\super 44}{\b\fs22 \cell }{\fs22 $ 100,000}{\b\fs22 \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\b\fs22 \row }\pard \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright {\b\fs22 \par \par {\*\bkmkstart _Toc403967215}{\listtext\pard\plain\s1 \b\f1\fs28\expnd4\expndtw20\cf1\cgrid \hich\af1\dbch\af0\loch\f1 5\tab}}\pard\plain \s1\fi-432\li432\sb120\sa240\keepn\nowidctlpar\widctlpar \jclisttab\tx432\tx720\hyphpar0\ls28\outlinelevel0\adjustright \b\f1\fs28\expnd4\expndtw20\cf1\cgrid {Challenge Rules{\*\bkmkend _Toc403967215} \par {\*\bkmkstart _Toc403967216}{\listtext\pard\plain\s2 \b\f1\expnd4\expndtw20\cf1\cgrid \hich\af1\dbch\af0\loch\f1 5.1\tab}}\pard\plain \s2\fi-576\li576\sb120\sa240\keepn\nowidctlpar\widctlpar \jclisttab\tx576\tx720\hyphpar0\ls28\ilvl1\outlinelevel1\adjustright \b\f1\expnd4\expndtw20\cf1\cgrid {The Rules and Reporting a Solution{\*\bkmkend _Toc403967216} \par }\pard\plain \nowidctlpar\widctlpar\adjustright \f4\fs20\lang1024\cgrid {\fs22 \par }\pard \qj\nowidctlpar\widctlpar\adjustright {\fs22 Each exercise and challenge in the Exercise and Challenge Lists is based on the problem of computing the ECC private key from the given ECC public key and associated system parameters. An individual or group of individuals reporting a solution must also p rovide a full explanation of how that solution was reached. No reported solutions will be accepted without a detailed explanation of the steps taken and calculations made to find an ECC private key. \par \par As noted in Section 3.3, each particular private key is p resently unknown even to the creators of the Certicom ECC Challenge. Unique to all algorithms based on the discrete logarithm problem, a supposed ECC public key can be validated to ensure it conforms to the arithmetic requirements of a public-key. This va lidation is 100%. When an ECC public key is validated, it is known that a private key for the public key can logically exist. This capability of key validation is used in the Certicom ECC Challenge. \par \par The proposed solution must be sent via email to Certicom Corp., following the Format of Submissions specified in S ection 5.1.1. The correct solution for an Exercise or Challenge will be the one that was received first by Certicom Corp. and checked by an independent, third-party appointed by Certicom. \par \par Certicom C orp. reserves the right to change the contest rules at any time at its sole discretion, without notice, including the right to change or extend the challenge lists, to change the prize amounts, and/or to terminate the contest. While Certicom has appointed an independent, third-party to check the solutions, Certicom Corp. is the sole arbiter and administrator for this contest. Certicom\rquote s judgement in all matters is final. \par }\pard \nowidctlpar\widctlpar\adjustright {\fs22 \par Queries on the Certicom ECC Challenge can be addressed to: \par \par Certicom ECC Challenge Administrator \par Certicom Corp. \par 200 Matheson Blvd. West \par Mississauga, Ontario \par Canada L5R 3L7 \par \par For further information concerning the Certicom ECC Challenge, email inquiries can be sent to {\*\bkmkstart _Hlt402928250}}{\field\fldedit{\*\fldinst {\fs22 HYPERLINK mailto:Certicom-ECC-Challenge@certicom.com }{{\*\datafield 00d0c9ea79f9bace118c8200aa004ba90b0200000017000000240000004300650072007400690063006f006d002d004500430043002d004300680061006c006c0065006e006700650040006300650072007400690063006f006d002e0063006f006d000000e0c9ea79f9bace118c8200aa004ba90b560000006d0061006900 6c0074006f003a004300650072007400690063006f006d002d004500430043002d004300680061006c006c0065006e006700650040006300650072007400690063006f006d002e0063006f006d0000000000ffffff0000000000001402}}}{\fldrslt {\cs15\fs22\ul\cf2 certicom-ecc-challenge@certicom.com} }}{\fs22 {\*\bkmkend _Hlt402928250}. For news of the latest developments in the Certicom ECC Challenge, check Certicom\rquote s web site at }{\field\flddirty{\*\fldinst {\fs22 HYPERLINK http://www.certicom.com }{{\*\datafield 00d0c9ea79f9bace118c8200aa004ba90b0200000017000000110000007700770077002e006300650072007400690063006f006d002e0063006f006d000000e0c9ea79f9bace118c8200aa004ba90b3200000068007400740070003a002f002f007700770077002e006300650072007400690063006f006d002e0063006f00 6d002f00000000000000ffffff000009000000320a}}}{\fldrslt {\cs15\fs22\ul\cf2 www.certicom.com}}}{\fs22 . \par \par {\*\bkmkstart _Toc403967217}{\listtext\pard\plain\s3 \b\f1\cf1\cgrid \hich\af1\dbch\af0\loch\f1 5.1.1\tab}}\pard\plain \s3\fi-720\li720\sb120\sa240\keepn\nowidctlpar\widctlpar\jclisttab\tx720\hyphpar0\ls28\ilvl2\outlinelevel2\adjustright \b\f1\cf1\cgrid { Format of Submissions{\*\bkmkend _Toc403967217} \par }\pard\plain \sa120\nowidctlpar\widctlpar\adjustright \f4\fs20\lang1024\cgrid {\fs22 All solution submissions for any of the exercises or challenges must be sent by email to }{\field\flddirty{\*\fldinst {\fs22 HYPERLINK mailto:certicom-ecc-challenge@certicom.com }{{\*\datafield 00d0c9ea79f9bace118c8200aa004ba90b0200000017000000240000006300650072007400690063006f006d002d006500630063002d006300680061006c006c0065006e006700650040006300650072007400690063006f006d002e0063006f006d000000e0c9ea79f9bace118c8200aa004ba90b560000006d0061006900 6c0074006f003a006300650072007400690063006f006d002d006500630063002d006300680061006c006c0065006e006700650040006300650072007400690063006f006d002e0063006f006d0000000000ffffff0000202000000000}}}{\fldrslt {\cs15\fs22\ul\cf2 certicom-ecc-challenge@certicom.com} }}{\fs22 . The report of a solution should clearly state that the submission is being made for the Certicom ECC Challenge. The body of the email message must contain the following information, titled with the respective headers: \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li360\sa120\nowidctlpar\widctlpar\jclisttab\tx360{\*\pn \pnlvlblt\ilvl0\ls30\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}}\ls30\adjustright {\b\fs22 Name}{\fs22 : name(s) of the person or people making the submission; \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li360\sa120\nowidctlpar\widctlpar\jclisttab\tx360{\*\pn \pnlvlblt\ilvl0\ls30\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}}\ls30\adjustright {\b\fs22 Address}{\fs22 : mailing address of the reporting party; \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li360\sa120\nowidctlpar\widctlpar\jclisttab\tx360{\*\pn \pnlvlblt\ilvl0\ls30\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}}\ls30\adjustright {\b\fs22 Email}{\fs22 : email address of the reporting party; \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li360\sa120\nowidctlpar\widctlpar\jclisttab\tx360{\*\pn \pnlvlblt\ilvl0\ls30\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}}\ls30\adjustright {\b\fs22 Phone}{\fs22 : telephone number and area code of the reporting party; \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li360\sa120\nowidctlpar\widctlpar\jclisttab\tx360{\*\pn \pnlvlblt\ilvl0\ls31\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}}\ls31\adjustright {\b\fs22 Exercise or Challenge}{\fs22 : specific exercise or challenge for which the submission is being made (see Sections 4.1 and 4.2 for exercise and challenge tables); \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li360\sa120\nowidctlpar\widctlpar\jclisttab\tx360{\*\pn \pnlvlblt\ilvl0\ls32\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}}\ls32\adjustright {\b\fs22 Solution}{\fs22 : actual private key value being submitted; \par {\pntext\pard\plain\f3\fs22\lang1024\cgrid \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li360\sa120\nowidctlpar\widctlpar\jclisttab\tx360{\*\pn \pnlvlblt\ilvl0\ls33\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}}\ls33\adjustright {\b\fs22 Method}{\fs22 : steps and computations taken to calculate the private key, and any other relevant information such as the estimated time taken to calculate the solution and the type of machine(s) used in the computations. \par }\pard \nowidctlpar\widctlpar\adjustright {\fs22 \par After each field, there must be the word \ldblquote DONE\rdblquote to indicate the end of the submission. The \ldblquote name\rdblquote , \ldblquote address\rdblquote , \ldblquote email\rdblquote , \ldblquote phone\rdblquote , \ldblquote exercise or challenge\rdblquote , \ldblquote solution\rdblquote , and \ldblquote method\rdblquote fields must be present in every submission. Without these fields, the solution report will be rejected. \par \par }\pard\plain \s27\nowidctlpar\widctlpar\adjustright \f4\fs22\cgrid { While it is preferred that the information fields be separated as specified above, information from two fields can be merged into one. Each field must start on a new line. If more than one person is reporting a solution in a group, the names of each individual along with their corresponding address, email and phone number should be contained in separate fields in alphabetical order. \par }\pard\plain \nowidctlpar\widctlpar\adjustright \f4\fs20\lang1024\cgrid {\fs22 \par {\*\bkmkstart _Toc403967218}{\listtext\pard\plain\s2 \b\f1\expnd4\expndtw20\cf1\cgrid \hich\af1\dbch\af0\loch\f1 5.2\tab}}\pard\plain \s2\fi-576\li576\sa240\keepn\nowidctlpar\widctlpar\jclisttab\tx576\tx720\hyphpar0\ls28\ilvl1\outlinelevel1\adjustright \b\f1\expnd4\expndtw20\cf1\cgrid {Prizes and Status}{\fs22 {\*\bkmkend _Toc403967218} \par }\pard\plain \nowidctlpar\widctlpar\adjustright \f4\fs20\lang1024\cgrid {\fs22 The following are the official prize lists for the Certicom ECC Challenge: \par \par \par \par {\*\bkmkstart _Toc403967219}{\listtext\pard\plain\s3 \b\f1\cf1\cgrid \hich\af1\dbch\af0\loch\f1 5.2.1\tab}}\pard\plain \s3\fi-720\li720\sa240\keepn\nowidctlpar\widctlpar\jclisttab\tx720\hyphpar0\ls28\ilvl2\outlinelevel2\adjustright \b\f1\cf1\cgrid { Exercise Prize Lists{\*\bkmkend _Toc403967219} \par }\pard\plain \nowidctlpar\widctlpar\adjustright \f4\fs20\lang1024\cgrid {\fs22 \par }\trowd \trgaph108\trleft-108\trbrdrt\brdrs\brdrw10 \trbrdrl\brdrs\brdrw10 \trbrdrb\brdrs\brdrw10 \trbrdrr\brdrs\brdrw10 \trbrdrh\brdrs\brdrw10 \trbrdrv\brdrs\brdrw10 \clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr \brdrs\brdrw10 \cltxlrtb \cellx1134\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx2268\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr \brdrs\brdrw10 \cltxlrtb \cellx4500\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx6300\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr \brdrs\brdrw10 \cltxlrtb \cellx7740\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx9180\pard \qc\sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 Exercise\cell Field Size \par (in bits)\cell Prize (US$)\cell Start Date\cell End Date\cell Time for Solution\cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\fs22 \row }\trowd \trgaph108\trleft-108\trbrdrt\brdrs\brdrw10 \trbrdrl\brdrs\brdrw10 \trbrdrb\brdrs\brdrw10 \trbrdrr \brdrs\brdrw10 \trbrdrh\brdrs\brdrw10 \trbrdrv\brdrs\brdrw10 \clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx1134\clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb \brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx2268\clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx4500\clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb \brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx6300\clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx7740\clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb \brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx9180\pard \qc\sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 ECC2-79\cell 79\cell }\pard \sb60\nowidctlpar\widctlpar\intbl\adjustright {\i\fs22 Handbook of Applied Cryptography}{\fs22 and one complete }{\i\fs22 Maple V software}{\fs22 package for any platform requested\cell Thursday, November 6, 1997, 1 p.m. EST\cell \cell \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\fs22 \row }\pard \qc\sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 ECCp-79\cell 79\cell }\pard \sb60\nowidctlpar\widctlpar\intbl\adjustright {\i\fs22 Handbook of Applied Cryptography}{\fs22 and one complete }{\i\fs22 Maple V software}{\fs22 package for any platform requested\cell }{\fs22 Thursday, November 6, 1997, 1 p.m. EST\cell \cell \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\fs22 \row }\trowd \trgaph108\trleft-108\trbrdrt\brdrs\brdrw10 \trbrdrl\brdrs\brdrw10 \trbrdrb \brdrs\brdrw10 \trbrdrr\brdrs\brdrw10 \trbrdrh\brdrs\brdrw10 \trbrdrv\brdrs\brdrw10 \clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx1134\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl \brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx2268\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx4500\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl \brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx6300\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx7740\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl \brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx9180\pard \qc\sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 ECC2-89\cell 89\cell }\pard \sb60\nowidctlpar\widctlpar\intbl\adjustright {\i\fs22 Handbook of Applied Cryptography}{\fs22 and one complete }{\i\fs22 Maple V software}{\fs22 package for any platform requested\cell }{\fs22 Thursday, November 6, 1997, 1 p.m. EST\cell \cell \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\fs22 \row }\pard \qc\sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 ECCp-89\cell 89\cell }\pard \sb60\nowidctlpar\widctlpar\intbl\adjustright {\i\fs22 Handbook of Applied Cryptography}{\fs22 and one complete }{\i\fs22 Maple V software}{\fs22 package for any platform requested\cell }{\fs22 Thursday, November 6, 1997, 1 p.m. EST\cell \cell \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\fs22 \row }\pard \qc\sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 ECC2-97\cell 97\cell $5,000 \cell }\pard \sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 Thursday, November 6, 1997, 1 p.m. EST\cell \cell \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\fs22 \row }\pard \qc\sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 ECC2K-95 \cell 97\cell $5,000\cell }\pard \sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 Thursday, November 6, 1997, 1 p.m. EST\cell \cell \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\fs22 \row }\trowd \trgaph108\trleft-108\trbrdrt\brdrs\brdrw10 \trbrdrl\brdrs\brdrw10 \trbrdrb\brdrs\brdrw10 \trbrdrr\brdrs\brdrw10 \trbrdrh\brdrs\brdrw10 \trbrdrv\brdrs\brdrw10 \clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx1134\clvertalt\clbrdrt \brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx2268\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx4500\clvertalt\clbrdrt \brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx6300\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx7740\clvertalt\clbrdrt \brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx9180\pard \qc\sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 ECCp-97\cell 97\cell $5,000\cell }\pard \sb60\nowidctlpar\widctlpar\intbl\adjustright { \fs22 Thursday, November 6, 1997, 1 p.m. EST\cell \cell \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\fs22 \row }\pard \nowidctlpar\widctlpar\adjustright {\fs22 \par Note: the }{\i\fs22 Handbook of Applied Cryptography}{\fs22 , co-authored by Dr. Alfred J. Menezes, Dr. Paul C. van Oorshcot, and Dr. Scott A. Vanstone, has a retail value of US$75 per copy. The Maple V software is a leading cryptographic research tool and has a retail value of $1000 and $2000 US, depending upon t he platform. \par }{ \par \page \par {\*\bkmkstart _Toc403967220}{\listtext\pard\plain\s3 \b\f1\cf1\cgrid \hich\af1\dbch\af0\loch\f1 5.2.2\tab}}\pard\plain \s3\fi-720\li720\sa240\keepn\nowidctlpar\widctlpar\jclisttab\tx720\hyphpar0\ls28\ilvl2\outlinelevel2\adjustright \b\f1\cf1\cgrid { Level I Challenge Prize List{\*\bkmkend _Toc403967220} \par }\trowd \trgaph108\trleft-108\trbrdrt\brdrs\brdrw10 \trbrdrl\brdrs\brdrw10 \trbrdrb\brdrs\brdrw10 \trbrdrr\brdrs\brdrw10 \trbrdrh\brdrs\brdrw10 \trbrdrv\brdrs\brdrw10 \clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr \brdrs\brdrw10 \cltxlrtb \cellx1134\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx2268\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr \brdrs\brdrw10 \cltxlrtb \cellx3960\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx6300\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr \brdrs\brdrw10 \cltxlrtb \cellx7740\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx9180\pard\plain \qc\sb60\nowidctlpar\widctlpar\intbl\adjustright \f4\fs20\lang1024\cgrid {\fs22 Challenge\cell Field Size (in bits)\cell Prize (US$)\cell Start Date\cell End Date\cell Time for Solution\cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\fs22 \row }\trowd \trgaph108\trleft-108\trbrdrt\brdrs\brdrw10 \trbrdrl\brdrs\brdrw10 \trbrdrb \brdrs\brdrw10 \trbrdrr\brdrs\brdrw10 \trbrdrh\brdrs\brdrw10 \trbrdrv\brdrs\brdrw10 \clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx1134\clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl \brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx2268\clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx3960\clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl \brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx6300\clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx7740\clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl \brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx9180\pard \qc\sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 ECC2-109\cell 109\cell $10,000\cell }\pard \sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 Thursday, November 6, 1997, 1 p.m. EST\cell \cell \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\fs22 \row }\trowd \trgaph108\trleft-108\trbrdrt\brdrs\brdrw10 \trbrdrl\brdrs\brdrw10 \trbrdrb\brdrs\brdrw10 \trbrdrr\brdrs\brdrw10 \trbrdrh \brdrs\brdrw10 \trbrdrv\brdrs\brdrw10 \clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx1134\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr \brdrs\brdrw10 \cltxlrtb \cellx2268\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx3960\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr \brdrs\brdrw10 \cltxlrtb \cellx6300\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx7740\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr \brdrs\brdrw10 \cltxlrtb \cellx9180\pard \qc\sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 ECC2K-108\cell 109\cell $10,000\cell }\pard \sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 Thursday, November 6, 1997, 1 p.m. EST\cell \cell \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\fs22 \row }\pard \qc\sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 ECCp-109\cell 109\cell $10,000\cell }\pard \sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 Thursday, November 6, 1997, 1 p.m. EST\cell \cell \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\fs22 \row }\pard \qc\sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 ECC2-131\cell 131\cell $20,000\cell }\pard \sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 Thursday, November 6, 1997, 1 p.m. EST\cell \cell \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\fs22 \row }\pard \qc\sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 ECC2K-130\cell 131 \cell $20,000\cell }\pard \sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 Thursday, November 6, 1997, 1 p.m. EST\cell \cell \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\fs22 \row }\trowd \trgaph108\trleft-108\trbrdrt\brdrs\brdrw10 \trbrdrl \brdrs\brdrw10 \trbrdrb\brdrs\brdrw10 \trbrdrr\brdrs\brdrw10 \trbrdrh\brdrs\brdrw10 \trbrdrv\brdrs\brdrw10 \clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx1134\clvertalt\clbrdrt \brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx2268\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx3960\clvertalt\clbrdrt \brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx6300\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx7740\clvertalt\clbrdrt \brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx9180\pard \qc\sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 ECCp-131\cell 131\cell $20,000\cell }\pard \sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 Thursday, November 6, 1997, 1 p.m. EST\cell \cell \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\fs22 \row }\pard \nowidctlpar\widctlpar\adjustright {\fs22 \par \par {\*\bkmkstart _Toc403967221}{\listtext\pard\plain\s3 \b\f1\cf1\cgrid \hich\af1\dbch\af0\loch\f1 5.2.3\tab}}\pard\plain \s3\fi-720\li720\sa240\keepn\nowidctlpar\widctlpar\jclisttab\tx720\hyphpar0\ls28\ilvl2\outlinelevel2\adjustright \b\f1\cf1\cgrid { Level II Challenge Prize List{\*\bkmkend _Toc403967221} \par }\trowd \trgaph108\trleft-108\trbrdrt\brdrs\brdrw10 \trbrdrl\brdrs\brdrw10 \trbrdrb\brdrs\brdrw10 \trbrdrr\brdrs\brdrw10 \trbrdrh\brdrs\brdrw10 \trbrdrv\brdrs\brdrw10 \clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr \brdrs\brdrw10 \cltxlrtb \cellx1134\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx2268\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr \brdrs\brdrw10 \cltxlrtb \cellx3960\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx6300\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr \brdrs\brdrw10 \cltxlrtb \cellx7740\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrdb\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx9180\pard\plain \qc\sb60\nowidctlpar\widctlpar\intbl\adjustright \f4\fs20\lang1024\cgrid {\fs22 Challenge\cell Field Size \par (in bits)\cell Prize (US$)\cell Start Date\cell End Date\cell Time for Solution\cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\fs22 \row }\trowd \trgaph108\trleft-108\trbrdrt\brdrs\brdrw10 \trbrdrl\brdrs\brdrw10 \trbrdrb\brdrs\brdrw10 \trbrdrr \brdrs\brdrw10 \trbrdrh\brdrs\brdrw10 \trbrdrv\brdrs\brdrw10 \clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx1134\clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb \brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx2268\clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx3960\clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb \brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx6300\clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx7740\clvertalt\clbrdrt\brdrdb\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb \brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx9180\pard \qc\sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 ECC2-163\cell 163\cell $30,000\cell }\pard \sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 Thursday, November 6, 1997, 1 p.m. EST \cell \cell \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\fs22 \row }\trowd \trgaph108\trleft-108\trbrdrt\brdrs\brdrw10 \trbrdrl\brdrs\brdrw10 \trbrdrb\brdrs\brdrw10 \trbrdrr\brdrs\brdrw10 \trbrdrh\brdrs\brdrw10 \trbrdrv\brdrs\brdrw10 \clvertalt \clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx1134\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx2268\clvertalt\clbrdrt \brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx3960\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx6300\clvertalt\clbrdrt \brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx7740\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx9180\pard \qc\sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 ECC2K-163\cell 163\cell $30,000\cell }\pard \sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 Thursday, November 6, 1997, 1 p.m. EST\cell \cell \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\fs22 \row }\pard \qc\sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 ECCp-163\cell 163\cell $30,000\cell }\pard \sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 Thursday, November 6, 1997, 1 p.m. EST \cell \cell \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\fs22 \row }\pard \qc\sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 ECC2-191\cell 191\cell $40,000\cell }\pard \sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 Thursday, November 6, 1997, 1 p.m. EST\cell \cell \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\fs22 \row }\pard \qc\sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 ECCp-191\cell 191\cell $40,000\cell }\pard \sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 Thursday, November 6, 1997, 1 p.m. EST\cell \cell \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\fs22 \row }\pard \qc\sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 ECC2-238\cell 239\cell $50,000\cell }\pard \sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 Thursday, November 6, 1997, 1 p.m. EST\cell \cell \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\fs22 \row }\pard \qc\sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 ECC2K-238\cell 239\cell $50,000\cell }\pard \sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 Thursday, November 6, 1997, 1 p.m. EST\cell \cell \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\fs22 \row }\pard \qc\sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 ECCp-239\cell 239\cell $50,000\cell }\pard \sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 Thursday, November 6, 1997, 1 p.m. EST\cell \cell \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\fs22 \row }\pard \qc\sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 ECC2-353\cell 359\cell $100,000\cell }\pard \sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 Thursday, November 6, 1997, 1 p.m. EST \cell \cell \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\fs22 \row }\trowd \trgaph108\trleft-108\trbrdrt\brdrs\brdrw10 \trbrdrl\brdrs\brdrw10 \trbrdrb\brdrs\brdrw10 \trbrdrr\brdrs\brdrw10 \trbrdrh\brdrs\brdrw10 \trbrdrv\brdrs\brdrw10 \clvertalt \clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx1134\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx2268\clvertalt\clbrdrt \brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx3960\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx6300\clvertalt\clbrdrt \brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx7740\clvertalt\clbrdrt\brdrs\brdrw10 \clbrdrl\brdrs\brdrw10 \clbrdrb\brdrs\brdrw10 \clbrdrr\brdrs\brdrw10 \cltxlrtb \cellx9180\pard \qc\sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 ECC2K-358\cell 359\cell $100,000\cell }\pard \sb60\nowidctlpar\widctlpar\intbl\adjustright {\fs22 Thursday, November 6, 1997, 1 p.m. EST\cell \cell \cell }\pard \nowidctlpar\widctlpar\intbl\adjustright {\fs22 \row }\pard \nowidctlpar\widctlpar\adjustright {\fs22 \par \par {\*\bkmkstart _Toc403967222}{\listtext\pard\plain\s3 \b\f1\cf1\cgrid \hich\af1\dbch\af0\loch\f1 5.2.4\tab}}\pard\plain \s3\fi-720\li720\sa240\keepn\nowidctlpar\widctlpar\jclisttab\tx720\hyphpar0\ls28\ilvl2\outlinelevel2\adjustright \b\f1\cf1\cgrid { Administration and Collection of Prizes{\*\bkmkend _Toc403967222} \par }\pard\plain \nowidctlpar\widctlpar\adjustright \f4\fs20\lang1024\cgrid {\fs22 \par The first person or party to report the correct solution for any exercise or challenge, complete with the methodology and steps used to discover that solution, will win the prize for that particular exercise or challenge he/she has solved. \par \par An organized gr oup of individuals reporting a solution will be treated the same as one person reporting a solution, in that only one cash prize will be awarded to the group with the correct solution, reported as specified in section 5.1.1. The prize shall be administere d so that it is divided evenly among all members of that group. \par \par In several instances, there are two exercises or challenges with the same field size (e.g. 97-bit exercise) and the same corresponding cash prize, but are based on one of two finite fields\emdash elliptic curves over the finite field F}{\fs22\sub 2}{ \fs22\super m}{\fs22 and elliptic curves over the finite field F}{\fs22\sub p}{\fs22 . These exercises and challenges have different solutions and the corresponding prizes will be awarded accordingly. Therefore, should the correct solution be properly reported for the Exercise ECC2-97 (97-bit field size over the field F}{\fs22\sub 2}{ \fs22\super m}{\fs22 ), the ECC2K-97 exercise (97-bit field size over the field F}{\fs22\sub p}{\fs22 ) would still be available to solve and the cash prize available for award to the person(s) with the correct solution. \par }{\b\fs22 \par {\*\bkmkstart _Toc403967223}{\listtext\pard\plain\s1 \b\f1\fs28\expnd4\expndtw20\cf1\cgrid \hich\af1\dbch\af0\loch\f1 6\tab}}\pard\plain \s1\fi-432\li432\sb120\sa240\keepn\nowidctlpar\widctlpar \jclisttab\tx432\tx720\hyphpar0\ls28\outlinelevel0\adjustright \b\f1\fs28\expnd4\expndtw20\cf1\cgrid {References{\*\bkmkend _Toc403967223} \par }\pard\plain \nowidctlpar\widctlpar\tx20\tqr\tx9360\adjustright \f4\fs20\lang1024\cgrid {\fs22 \par }\pard \qj\li20\nowidctlpar\widctlpar\tx20\tx1380\tqr\tx9360\adjustright {\fs22 [Blaze]\tab M. Blaze, \ldblquote A better DES challenge\rdblquote , presentation at the rump session at Crypto \lquote 97. \par }\pard \nowidctlpar\widctlpar\tx20\tx1380\tqr\tx9360\adjustright {\fs22 \par }\pard \qj\fi-1382\li1396\sa180\nowidctlpar\widctlpar\tx20\tx1380\tqr\tx9360\adjustright {\fs22 [Certicom]\tab Certicom Corp. white paper, \ldblquote Remarks on the security of the elliptic curve cryptosystem\rdblquote , September 1997. Available from } {\field{\*\fldinst {\f6\fs22 HYPERLINK http://www.certicom.com }{\f6 {\*\datafield 00d0c9ea79f9bace118c8200aa004ba90b02000000170000001800000068007400740070003a002f002f007700770077002e006300650072007400690063006f006d002e0063006f006d000000e0c9ea79f9bace118c8200aa004ba90b3200000068007400740070003a002f002f007700770077002e006300650072007400 690063006f006d002e0063006f006d002f00000000000000000000fb0200000000}}}{\fldrslt {\cs15\ul\cf2 http://www.certicom.com}}}{\f6\fs22 \par }\pard \qj\fi-1382\li1396\sa180\nowidctlpar\widctlpar\tx20\tx1400\tqr\tx9360\adjustright {\fs22 [FR]\tab G. Frey and H. R\'fcck, \ldblquote A remark concerning }{\i\fs22 m}{\fs22 \_ divisibility and the discrete logarithm in the divisor class group of curves\rdblquote , }{\i\fs22 Mathematics of Computation, }{\fs22 volume 62, pages 865\_874, 1994. \par [HMV]\tab G. Harper, A. Menezes and S. Vanstone, \ldblquote Public\_key cryptosystems with very small key lengths\rdblquote , }{\i\fs22 Advances in Cryptology \_ EUROCRYPT \lquote 92, }{\fs22 Lecture Notes in Com\-puter Science, volume 658, Springer\_ Verlag, pages 163\_173, 1993. \par [Koblitz]\tab N. Koblitz, \ldblquote Elliptic curve cryptosystems\rdblquote , }{\i\fs22 Mathematics of Computation, }{\fs22 volume 48, pages 203\_209, 1987. \par }\pard \qj\fi-1382\li1396\sa180\nowidctlpar\widctlpar\tx20\tx1380\tqr\tx9360\adjustright {\fs22 [Koblitz2]\tab N. Koblitz, \ldblquote CM\_curves with good cryptographic properties\rdblquote , }{\i\fs22 Advances in Cryp\-tology -CRYPTO \lquote 91, }{\fs22 Lecture Notes in Computer Science, volume 576, Springer\--Verlag, pages 279\_287, 1992. \par [Koblitz3]\tab N. Koblitz, }{\i\fs22 A Course in Number Theory and Cryptography, }{\fs22 Springer\_Verlag, 2}{\fs22\super nd}{\fs22 edition, 1994. \par }\pard \qj\fi-1382\li1396\sa180\nowidctlpar\widctlpar\tx20\tx1400\tqr\tx9360\adjustright {\fs22 [LN]\tab R. Lidl and H. Niederreiter, }{\i\fs22 Introduction to Finite Fields and their Applications, }{\fs22 Cambridge University Press, 1994. \par [McEliece]\tab R. McEliece, }{\i\fs22 Finite Fields for Computer Scientists and Engineers, }{\fs22 Kluwer Academic Publishers, 1987. \par [Menezes]\tab A. Menezes, }{\i\fs22 Elliptic Curve Pub1ic Key Cryptosystems, }{\fs22 Kluwer Academic Publishers, 1993. \par [MVV]\tab A. Menezes, P. van Oorschot and S. Vanstone, }{\i\fs22 Handbook of Applied Cryptography, }{\fs22 CRC Press, 1997. \par [MOV]\tab A. Menezes, T. Okamoto and S. Vanstone, \ldblquote Reducing elliptic curve logarithms to logarithms in a finite field\rdblquote , }{\i\fs22 IEEE Transactions on Information Theory, }{\fs22 volume 39, pages 1639\_1646, 1993. \par [Miller]\tab V. Miller, \ldblquote Uses of elliptic curves in cryptography\rdblquote , }{\i\fs22 Advances in Cryptology - CRYPTO \lquote 85, }{\fs22 Lecture Notes in Computer Science, volume 218, Springer\_Verlag, pages 417\_426, 1986. \par [VW]\tab P. van Oorschot and M. Wiener, \ldblquote Parallel collision search with cryptanalytic applications\rdblquote , to appear in }{\i\fs22 Journal of Cryptology. }{\fs22 (An earlier version appeared in the Proceedings of the 2nd ACM Conference on Computer and Communications Security, ACM Press, pages 210\_218, 1994.) \par }\pard \qj\fi-1382\li1396\sa180\nowidctlpar\widctlpar\tx20\tx1420\tqr\tx9360\adjustright {\fs22 [PH]\tab S. Pohlig and M. Hellman, \ldblquote An improved algorithm for computing logarithms over }{\i\fs22 GF}{\fs22 (}{\i\fs22 p}{\fs22 )}{\i\fs22 }{\fs22 and its cryptographic significance\rdblquote , }{\i\fs22 IEEE Transactions on Information Theory, }{\fs22 volume 24, pages 106\_110, 1978. \par [Pollard]\tab J. Pollard, \ldblquote Monte Carlo methods for index computation mod }{\i\fs22 p}{\fs22 \rdblquote , }{\i\fs22 Mathematics of Computation, }{\fs22 volume 32, pages 918\_924, 1978. \par [SHA\_1]\tab FIPS 180\_1, \ldblquote Secure hash standard\rdblquote , Federal Information Processing Standards Publication 180\_1, U.S. Department of Commerce/N.I.S.T., April 1995. \par [SA]\tab T. Satoh and K. Araki, \ldblquote Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves\rdblquote , preprint, 1997. \par [Smart]\tab N. Smart, Announcement of an attack on the ECDLP for anomalous elliptic curves, 1997. \par }\pard \qj\fi-1382\li1396\sa180\nowidctlpar\widctlpar\tx20\tx1380\tx1420\tqr\tx9360\adjustright {\fs22 [Solinas],\tab J. Solinas, \ldblquote An improved algorithm for arithmetic on a family of elliptic curves\rdblquote , }{\i\fs22 Advances in Cryptology \_ CRYPTO}{\b\i\fs22 }{\i\fs22 \lquote 97, }{\fs22 Lecture Notes in Computer Science, volume 1294, Springer\_Verlag, pages 357\_371, 1997. \par }\pard \qj\fi-1382\li1396\sa180\nowidctlpar\widctlpar\tx20\tx1400\tqr\tx9360\adjustright {\fs22 [X962]\tab ANSI X9.62, \ldblquote The elliptic curve digital signature algorithm (ECDSA)\rdblquote , draft stan\-dard, 1997. \par [X963]\tab ANSI X9.63, \ldblquote Elliptic curve key agreement and transport protocols\rdblquote , draft standard, 1997. \par }}