Add Brainpool method.
@@ -63,7 +63,8 @@ export default ({data, location}) => {
|
||||
<Styled.p>
|
||||
The curve listing includes its parameters, computed characteristics such as number of points or j-invariant as
|
||||
well as SAGE code which can be used to instantiate the curve and a JSON export of all of the curve data.
|
||||
New curves are currently being added, the database is definitely not complete.
|
||||
New curves are currently being added, the database is definitely not complete. This site also
|
||||
contains <Link to={"/methods"}>documentation</Link> of the several methods of generating elliptic curves which are in the database.
|
||||
</Styled.p>
|
||||
<Styled.p>
|
||||
The presence of a certain curve in this database does not mean that the curve is secure, only that it is notable
|
||||
|
||||
@@ -2,16 +2,145 @@ import React from 'react'
|
||||
import Entry from '../../components/entry'
|
||||
import { Styled } from "theme-ui"
|
||||
import Link from "../../components/Link";
|
||||
import Pseudocode from "../../components/Pseudocode";
|
||||
import { InlineMath } from "react-katex";
|
||||
|
||||
export default ({data, location}) => {
|
||||
|
||||
let rfcCodeCommon = `
|
||||
\\begin{algorithm}
|
||||
\\caption{RFC5639 UpdateSeed}
|
||||
\\begin{algorithmic}
|
||||
\\PROCEDURE{UpdateSeed}{$s$}
|
||||
\\STATE Convert $s$ to an integer $z$
|
||||
\\STATE Convert $(z+1) \\mod 2^{160}$ to a bit string $t$
|
||||
\\RETURN $t$
|
||||
\\ENDPROCEDURE
|
||||
\\end{algorithmic}
|
||||
\\end{algorithm}
|
||||
`;
|
||||
let rfcCodePrimes = `
|
||||
\\begin{algorithm}
|
||||
\\caption{RFC5639 Verifiably Random Primes}
|
||||
\\begin{algorithmic}
|
||||
\\INPUT bit size $L$ of the required prime
|
||||
\\INPUT 160 bit-string seed $s$
|
||||
\\PROCEDURE{GeneratePrime}{$s$}
|
||||
\\STATE Let $c = $ \\CALL{FindInteger}{$s$}
|
||||
\\STATE Let $p$ be the smallest prime $p \\ge c$ with $p \\equiv 3 \\mod 4$
|
||||
\\IF{$2^{L-1} \\le p \\le 2^L - 1$}
|
||||
\\RETURN $p$
|
||||
\\ENDIF
|
||||
\\STATE Let $s = UpdateSeed(s)$ and go to Step 2
|
||||
\\ENDPROCEDURE
|
||||
\\PROCEDURE{FindInteger}{$s$}
|
||||
\\STATE Let $v = \\lfloor (L-1) / 160 \\rfloor$ and $w = L - 160v$
|
||||
\\STATE Compute $h = \\text{SHA-1}(s)$
|
||||
\\STATE Let $h_0$ be the bit string obtained by taking the $w$ rightmost bits of $h$
|
||||
\\STATE Convert $s$ to an integer $z$
|
||||
\\FOR{$i = 1$ \\textbf{to} $v$}
|
||||
\\STATE Let $z_i = (z + i) \\mod 2^{160}$
|
||||
\\STATE Convert $z_i$ to bit-string $s_i$
|
||||
\\STATE Let $h_i = \\text{SHA-1}(s_i)$
|
||||
\\ENDFOR
|
||||
\\STATE Let $h$ be the string obtained by the concatenation of $h_0 , \\ldots , h_v$ from left to right
|
||||
\\STATE Convert $h$ to an integer $x$
|
||||
\\RETURN $x$
|
||||
\\ENDPROCEDURE
|
||||
\\end{algorithmic}
|
||||
\\end{algorithm}
|
||||
`;
|
||||
let rfcCodeCurves = `
|
||||
\\begin{algorithm}
|
||||
\\caption{RFC5639 Verifiably Random Curves $\\mathbb{F}_p$}
|
||||
\\begin{algorithmic}
|
||||
\\INPUT prime field size $p$ of bit-length $L$
|
||||
\\INPUT 160 bit-string seed $s$
|
||||
\\OUTPUT field elements $A, B \\in \\mathbb{F}_p$ which define an elliptic curve $\\mathcal{E}$
|
||||
\\OUTPUT generator $G$ of the elliptic curve $\\mathcal{E}$
|
||||
\\PROCEDURE{GenerateCurve}{$p, s$}
|
||||
\\STATE Let $h = $ \\CALL{FindInteger2}{$s$}
|
||||
\\STATE Convert $h$ to an integer $A$
|
||||
\\IF{$-3 \\equiv A*Z^4 \\mod p$ is not solvable}
|
||||
\\STATE Let $s = $ \\CALL{UpdateSeed}{$s$} and go to Step 2
|
||||
\\ENDIF
|
||||
\\STATE Compute one solution $Z$ of $-3 \\equiv A*Z^4 \\mod p$
|
||||
\\STATE Let $s = $ \\CALL{UpdateSeed}{$s$}
|
||||
\\STATE Let $B = $ \\CALL{FindInteger2}{$s$}
|
||||
\\IF{$B$ is a square $\\mod p$}
|
||||
\\STATE Let $s = $ \\CALL{UpdateSeed}{$s$} and go to Step 8
|
||||
\\ENDIF
|
||||
\\IF{$4*A^3 + 27*B^2 \\equiv 0 \\mod p$}
|
||||
\\STATE Let $s = $ \\CALL{UpdateSeed}{s} and go to Step 2
|
||||
\\ENDIF
|
||||
\\STATE Check that the elliptic curve $\\mathcal{E}$ over $\\mathbb{F}_p$ given by $y^2 = x^3 + A x + B$ fulfills all security and functional requirements
|
||||
\\STATE Let $s = $ \\CALL{UpdateSeed}{$s$}
|
||||
\\STATE Let $k = $ \\CALL{FindInteger2}{$s$}
|
||||
\\STATE Determine the points $Q$ and $-Q$ having the smallest x-coordinate on $\\mathcal{E}(\\mathbb{F}_p)$. Randomly select one of them as point $P$
|
||||
\\STATE Compute the base point $G = [k]P$.
|
||||
\\RETURN ($A, B, G$)
|
||||
\\ENDPROCEDURE
|
||||
\\PROCEDURE{FindInteger2}{$s$}
|
||||
\\STATE Let $v = \\lfloor (L-1) / 160 \\rfloor$ and $w = L - 160v - 1$
|
||||
\\STATE Compute $h = \\text{SHA-1}(s)$
|
||||
\\STATE Let $h_0$ be the bit string obtained by taking the $w$ rightmost bits of $h$
|
||||
\\STATE Convert $s$ to an integer $z$
|
||||
\\FOR{$i = 1$ \\textbf{to} $v$}
|
||||
\\STATE Let $z_i = (z + i) \\mod 2^{160}$
|
||||
\\STATE Convert $z_i$ to bit-string $s_i$
|
||||
\\STATE Let $h_i = \\text{SHA-1}(s_i)$
|
||||
\\ENDFOR
|
||||
\\STATE Let $h$ be the string obtained by the concatenation of $h_0 , \\ldots , h_v$ from left to right
|
||||
\\STATE Convert $h$ to an integer $x$
|
||||
\\RETURN $x$
|
||||
\\ENDPROCEDURE
|
||||
\\end{algorithmic}
|
||||
\\end{algorithm}`;
|
||||
return (
|
||||
<Entry data={data} location={location} title={"Brainpool"}>
|
||||
<Styled.h2>Brainpool</Styled.h2>
|
||||
|
||||
<Styled.p>
|
||||
<Styled.h3>Technical requirements</Styled.h3>
|
||||
<ul>
|
||||
<li>For each of the bit-lengths <InlineMath>160, 192, 224, 256, 320, 384, 512</InlineMath> one curve shall be proposed.</li>
|
||||
<li>The base field size <InlineMath>p</InlineMath> should be congruent to <InlineMath>{`3 \\mod 4`}</InlineMath>.</li>
|
||||
<li>The curve should be <InlineMath>{`\\mathbb{F}_p`}</InlineMath>-isomorphic to a curve with <InlineMath>{`A \\equiv -3 \\mod p`}</InlineMath>.</li>
|
||||
<li>The prime <InlineMath>p</InlineMath> must not be of a special form in order to avoid patented fast arithmetic on the base field.</li>
|
||||
<li>The order of the curve <InlineMath>{`\\lvert \\mathcal{E}(\\mathbb{F}_p) \\rvert`}</InlineMath> should be smaller than the size of the base field <InlineMath>p</InlineMath>.</li>
|
||||
<li>The curve coefficient <InlineMath>B</InlineMath> should be non-square in <InlineMath>{`\\mathbb{F}_p`}</InlineMath>.</li>
|
||||
</ul>
|
||||
<Styled.h3>Security requirements</Styled.h3>
|
||||
<ul>
|
||||
<li>The embedding degree <InlineMath>{`l = \\min\\{t \\vert q \\text{divides} p^t - 1 \\}`}</InlineMath> should be large, where <InlineMath>q</InlineMath> is the order
|
||||
of the basepoint and <InlineMath>p</InlineMath> the size of the base field. Specifically, <InlineMath>{`(q - 1) / l < 100`}</InlineMath>.</li>
|
||||
<li>The curves are not trace one curves. Specifically <InlineMath>{`\\lvert \\mathcal{E}(\\mathbb{F}_p) \\rvert \\ne p`}</InlineMath>.</li>
|
||||
<li>The class number of the maximal order of the endomorphism ring of the curve is larger than <InlineMath>10000000</InlineMath>.</li>
|
||||
<li>The group order <InlineMath>{`\\lvert \\mathcal{E}(\\mathbb{F}_p) \\rvert`}</InlineMath> should be a prime number <InlineMath>q</InlineMath>.</li>
|
||||
</ul>
|
||||
|
||||
</Styled.p>
|
||||
<Styled.h3>Original method</Styled.h3>
|
||||
Brainpool published their method of generating verifiably random curves in the <b>ECC Brainpool Standard Curves and Curve Generation</b> <Link to="#brainpool-std">[1]</Link> document,
|
||||
along with generated domain parameters claimed to be generated using the presented method and seeds.
|
||||
However, the presented <Link to={"/brainpool"}>curves</Link> were (with the exception of the 512-bit curves) <b>not</b> generated
|
||||
using the presented method, as they have properties that can not result from the presented method of generating curves.
|
||||
See the <b>BADA55 paper</b> <Link to="bada55-brainpool">[3]</Link> for more information.
|
||||
|
||||
<Styled.h3>RFC 5639 method</Styled.h3>
|
||||
Brainpool published an RFC with their fixed method of generating verifiably random curves and generated curves in <b>RFC 5639</b> <Link to="#rfc-5639">[2]</Link>,
|
||||
which matches the generated curves and seeds.
|
||||
|
||||
<pre>
|
||||
<Pseudocode code={rfcCodeCommon} options={{lineNumber: true, noEnd: true, captionCount: 0}}/>
|
||||
</pre>
|
||||
|
||||
<Styled.h4>Generating primes</Styled.h4>
|
||||
<pre>
|
||||
<Pseudocode code={rfcCodePrimes} options={{lineNumber: true, noEnd: true, captionCount: 1}}/>
|
||||
</pre>
|
||||
|
||||
<Styled.h4>Generating curves</Styled.h4>
|
||||
<pre>
|
||||
<Pseudocode code={rfcCodeCurves} options={{lineNumber: true, noEnd: true, captionCount: 2}}/>
|
||||
</pre>
|
||||
<Styled.h4>References</Styled.h4>
|
||||
<ol>
|
||||
<li id="brainpool-std">Manfred Lochter: <Link to="http://www.ecc-brainpool.org/download/Domain-parameters.pdf">ECC Brainpool Standard Curves and Curve Generation v. 1.0</Link>, <Link to="https://web.archive.org/web/20170921224120/http://www.ecc-brainpool.org/download/Domain-parameters.pdf">[archive]</Link></li>
|
||||
|
||||
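Review bot: The `GenerateCurve` pseudocode in `rfcCodeCurves` has no failure branch after the step `Check that the elliptic curve ... fulfills all security and functional requirements`, so as written a curve that fails the check still proceeds to base-point generation. The rejection path should be spelled out, for example `\\IF{the check fails}` / `\\STATE Let $s = $ \\CALL{UpdateSeed}{$s$} and go to Step 2` / `\\ENDIF`, after confirming the exact wording against RFC 5639. In the "Original method" paragraph the BADA55 reference uses `to="bada55-brainpool"` while the other two references use fragment links (`#brainpool-std`, `#rfc-5639`), so it presumably resolves as a relative path instead of an in-page anchor; it should read `<Link to="#bada55-brainpool">[3]</Link>`. The discriminant branch also writes `\\CALL{UpdateSeed}{s}` without the `$...$` used in every other call. The component body continues past the end of this hunk, so the rest of the reference list is not visible here.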
@@ -10,8 +10,8 @@ export default ({data, location}) => {
|
||||
\\begin{algorithm}
|
||||
\\caption{NIST Verifiably Random Curves over $\\mathbb{F}_p$}
|
||||
\\begin{algorithmic}
|
||||
\\REQUIRE prime field size $p$ of bit-length $l$
|
||||
\\ENSURE bit-string seed $s$ and field elements $a, b \\in \\mathbb{F}_p$ which define an elliptic curve
|
||||
\\INPUT prime field size $p$ of bit-length $l$
|
||||
\\OUTPUT bit-string seed $s$ and field elements $a, b \\in \\mathbb{F}_p$ which define an elliptic curve
|
||||
\\PROCEDURE{GenerateCurve}{$p$}
|
||||
\\STATE Let $v = \\lfloor \\ (l - 1) / 160 \\rfloor $; Let $w = l - 160v - 1 $
|
||||
\\STATE Let $s$ be a random bit string of 160 bits
|
||||
@@ -37,8 +37,8 @@ export default ({data, location}) => {
|
||||
\\begin{algorithm}
|
||||
\\caption{NIST Verifiably Random Curves over $\\mathbb{F}_{2^m}$}
|
||||
\\begin{algorithmic}
|
||||
\\REQUIRE binary field size $2^m$
|
||||
\\ENSURE bit-string seed $s$ and field elements $a, b \\in \\mathbb{F}_{2^m}$ which define an elliptic curve
|
||||
\\INPUT binary field size $2^m$
|
||||
\\OUTPUT bit-string seed $s$ and field elements $a, b \\in \\mathbb{F}_{2^m}$ which define an elliptic curve
|
||||
\\PROCEDURE{GenerateCurve}{$p$}
|
||||
\\STATE Let $v = \\lfloor \\ (m - 1) / 160 \\rfloor $; Let $w = m - 160v $
|
||||
\\STATE Let $s$ be a random bit string of 160 bits
|
||||
@@ -62,7 +62,8 @@ export default ({data, location}) => {
|
||||
<Styled.h2>NIST</Styled.h2>
|
||||
<Styled.p>
|
||||
The NIST <b>FIPS 186-4</b> <Link to="#fips-186-4">[1]</Link> standard defines recommended curves for use in ECDSA
|
||||
and a verifiably random method for generating them in appendices <i>D.5</i> and <i>D.7</i>.
|
||||
and a verifiably random method for generating them in appendices <i>D.5</i> and <i>D.7</i>. The curves are presented
|
||||
in the <Link to={"/nist"}>NIST</Link> category.
|
||||
</Styled.p>
|
||||
<Styled.h3>Generating <InlineMath>{`\\mathbb{F}_p`}</InlineMath> curves</Styled.h3>
|
||||
<pre>
|
||||
|
||||
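Review bot: In the second hunk the binary-field algorithm still declares `\\PROCEDURE{GenerateCurve}{$p$}`, although its input is now labelled `\\INPUT binary field size $2^m$` and the visible body only uses `m`, so the parameter `p` is never defined for this procedure. The signature should name the actual input, e.g. `\\PROCEDURE{GenerateCurve}{$2^m$}`, in line with the ANSI X9.62 page in this same commit, which uses `{$q = 2^m$}` for the same case. The line is unchanged context, but the commit rewrites the two lines directly above it, so this is the natural place to fix it. The algorithm body continues outside the hunk.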
@@ -9,11 +9,11 @@ export default ({data, location}) => {
|
||||
\\begin{algorithm}
|
||||
\\caption{SECG Verifiably Random Curves}
|
||||
\\begin{algorithmic}
|
||||
\\REQUIRE A "seed" octet string $S$ of length $g/8$ octets
|
||||
\\REQUIRE field size $q$
|
||||
\\REQUIRE hash function $Hash$ of output length $hashlen$ octets
|
||||
\\REQUIRE field element $a \\in \\mathbb{F}_q$
|
||||
\\ENSURE field element $b \\in \\mathbb{F}_q$
|
||||
\\INPUT A "seed" octet string $S$ of length $g/8$ octets
|
||||
\\INPUT field size $q$
|
||||
\\INPUT hash function $Hash$ of output length $hashlen$ octets
|
||||
\\INPUT field element $a \\in \\mathbb{F}_q$
|
||||
\\OUTPUT field element $b \\in \\mathbb{F}_q$
|
||||
\\PROCEDURE{GenerateCurve}{$S$, $g$, $q$, $Hash$, $hashlen$, $a$}
|
||||
\\STATE Let $m = \\lceil \\log_2 q \\rceil$
|
||||
\\STATE Let $t = 8hashlen$
|
||||
@@ -48,12 +48,12 @@ export default ({data, location}) => {
|
||||
\\begin{algorithm}
|
||||
\\caption{SECG Verifiably Random Points}
|
||||
\\begin{algorithmic}
|
||||
\\REQUIRE A "seed" octet string $S$ of length $g/8$ octets
|
||||
\\REQUIRE field size $q$
|
||||
\\REQUIRE hash function $Hash$ of output length $hashlen$ octets
|
||||
\\REQUIRE elliptic curve parameters $a, b \\in \\mathbb{F}_q$
|
||||
\\REQUIRE elliptic curve cofactor $h$
|
||||
\\ENSURE elliptic curve point $G$
|
||||
\\INPUT A "seed" octet string $S$ of length $g/8$ octets
|
||||
\\INPUT field size $q$
|
||||
\\INPUT hash function $Hash$ of output length $hashlen$ octets
|
||||
\\INPUT elliptic curve parameters $a, b \\in \\mathbb{F}_q$
|
||||
\\INPUT elliptic curve cofactor $h$
|
||||
\\OUTPUT elliptic curve point $G$
|
||||
\\PROCEDURE{GeneratePoint}{$S$, $g$, $q$, $Hash$, $hashlen$, $a$, $b$, $h$}
|
||||
\\STATE Let $A = 4261736520706F696E74_{16}$ which is the octet string of "Base point" in ASCII
|
||||
\\STATE Let $B = 01_{16}$ an octet string of length 1
|
||||
@@ -80,7 +80,8 @@ export default ({data, location}) => {
|
||||
<Styled.h2>SECG</Styled.h2>
|
||||
<Styled.p>
|
||||
The SECG method for generating verifiably random domain parameters is specified in the <b>SEC 1: Elliptic Curve Cryptography</b> <Link to="#secg-sec1">[1]</Link> standard,
|
||||
specifically in sections <i>3.1.3.1</i> and <i>3.1.3.2</i>. These methods are compatible to those in the <b>ANSI X9.62</b> standard.
|
||||
specifically in sections <i>3.1.3.1</i> and <i>3.1.3.2</i>. These methods are compatible to those in the <b>ANSI X9.62</b> standard. The curves are presented
|
||||
in the <Link to={"/secg"}>SECG</Link> category.
|
||||
</Styled.p>
|
||||
|
||||
<Styled.h3>Generating curves</Styled.h3>
|
||||
|
||||
@@ -10,8 +10,8 @@ export default ({data, location}) => {
|
||||
\\begin{algorithm}
|
||||
\\caption{ANSI X9.62 Verifiably Random Curves over $\\mathbb{F}_p$}
|
||||
\\begin{algorithmic}
|
||||
\\REQUIRE prime field size $p$
|
||||
\\ENSURE bit-string $SEED$ and field elements $a, b \\in \\mathbb{F}_p$ which define an elliptic curve
|
||||
\\INPUT prime field size $p$
|
||||
\\OUTPUT bit-string $SEED$ and field elements $a, b \\in \\mathbb{F}_p$ which define an elliptic curve
|
||||
\\PROCEDURE{GenerateCurve}{$p$}
|
||||
\\STATE Let $t = \\lfloor \\log_{2} p \\rfloor $; Let $s = \\lfloor (t - 1) / 160 \\rfloor $; Let $h = t - 160 s $
|
||||
\\STATE Let $SEED$ be a random bit string of at least 160 bits
|
||||
@@ -36,8 +36,8 @@ export default ({data, location}) => {
|
||||
\\begin{algorithm}
|
||||
\\caption{ANSI X9.62 Verifiably Random Curves over $\\mathbb{F}_{2^m}$}
|
||||
\\begin{algorithmic}
|
||||
\\REQUIRE field size $q = 2^m$
|
||||
\\ENSURE bit-string $SEED$ and field elements $a, b \\in \\mathbb{F}_{2^m}$ which define an elliptic curve
|
||||
\\INPUT field size $q = 2^m$
|
||||
\\OUTPUT bit-string $SEED$ and field elements $a, b \\in \\mathbb{F}_{2^m}$ which define an elliptic curve
|
||||
\\PROCEDURE{GenerateCurve}{$q = 2^m$}
|
||||
\\STATE Let $t = m$; Let $s = \\lfloor (t - 1) / 160 \\rfloor $; Let $h = t - 160 s $
|
||||
\\STATE Let $SEED$ be a random bit string of at least 160 bits
|
||||
@@ -61,7 +61,8 @@ export default ({data, location}) => {
|
||||
<Styled.h2>ANSI X9.62</Styled.h2>
|
||||
<Styled.p>
|
||||
The <b>ANSI X9.62</b> <Link to="#ansi-x962">[1]</Link> standard published by the American National Standards Institute provides a way of
|
||||
generating verifiably random elliptic curves in its appendices <i>A.3.3.1</i> and <i>A.3.3.2</i>.
|
||||
generating verifiably random elliptic curves in its appendices <i>A.3.3.1</i> and <i>A.3.3.2</i>. The curves are presented
|
||||
in the <Link to={"/x962"}>ANSI X9.62</Link> category.
|
||||
</Styled.p>
|
||||
<Styled.h3>Generating <InlineMath>{`\\mathbb{F}_p`}</InlineMath> curves</Styled.h3>
|
||||
<pre>
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
line-height: 0
|
||||
}
|
||||
.ps-algorithm > .ps-line:nth-child(1) {
|
||||
line-height: 1em
|
||||
margin-top: -0.9em;
|
||||
}
|
||||
|
||||
.ps-algorithmic .ps-block {
|
||||
|
||||