Reference Work Entry

Encyclopedia of Cryptography and Security

pp 843-844

# NIST Elliptic Curves

• Darrel HankersonAffiliated withDepartment of Mathematics, Auburn University
• , Alfred MenezesAffiliated withDepartment of Combinatorics and Optimization, University of Waterloo

## Definition

The NIST elliptic curves are a set of curves from the FIPS 186-3 standard that are recommended for US federal government use.

## Applications

In FIPS 186-3, NIST recommended 15 elliptic curves of varying security levels for US federal government use. The curves are of three types: random elliptic curves over a prime field, random elliptic curves over a binary (characteristic 2) field, and Koblitz [2] elliptic curves over a binary field. Some of the selection criteria and parameters are described here; see [1] for details.

Table 1 lists the NIST-recommended elliptic curves. The curve parameters were chosen so that the corresponding elliptic curve groups have prime order (for curves over $$\mathbb{F}_p$$) or nearly prime order (two or four times a prime) for curves over binary fields.
NIST Elliptic Curves. Table 1

NIST-recommended curves

 Curve Prime p $${y}^{2} = {x}^{3} - 3x + b\text{ over }\mathbb{F}_p$$ $${y}^{2} + xy = {x}^{3} + a{x}^{2} + b\text{ over }\mathbb{F}_2[z]/(f)$$ $$\mathrm{P} - 192$$ $${2}^{192} - {2}^{64} - 1$$ $$\mathrm{B} - 163,K - 163$$ $${z}^{163} + {z}^{7} + {z}^{6} + {z}^{3} + 1$$ P − 224 $${2}^{224} - {2}^{96} + 1$$ $$\mathrm{B} - 233,\mathrm{K} - 233$$ $${z}^{233} + {z}^{74} + 1$$ P − 256 $${2}^{256} - {2}^{224} + {2}^{192} + {2}^{96} - 1$$ B − 283, $$\mathrm{K} - 283$$ $${z}^{283} + {z}^{12} + {z}^{7} + {z}^{5} + 1$$ P − 384 $${2}^{384} - {2}^{128} - {2}^{96} + {2}^{32} - 1$$ B − 409, K − 409 $${z}^{409} + {z}^{87} + 1$$ P − 521 $${2}^{521} - 1$$ B − 571, $$\mathrm{K} - 571$$ $${z}^{571} + {z}^{10} + {z}^{5} + {z}^{2} + 1$$

For the curves over $$\mathbb{F}[p]$$, the primes p are Mersenne-like and chosen to allow fast reduction of integers modulo p. Two curves at each security level are chosen in the binary case, random and Koblitz. The Koblitz curves have a ∈ { 0, 1} and b = 1, which allow significant acceleration in point multiplication algorithms by replacing doubling with an inexpensive operation. (Point halving techniques have similar features, applying to a wider selection of curves but offering less acceleration.) The representation determined by f(z) = z m + r(z) permits fast reduction due to the small number of terms and possibly the relatively low degree of r. The random prime and binary curves are “random” in the sense that curve parameter b can be independently verified as the output of a certain hashing procedure.

Compared with public-key schemes where security is based on the discrete logarithm problem or the integer factorization problem elliptic curve keys can be significantly shorter at a given security level. 2 is an abbreviated summary of comparable strengths given in [3] for various security mechanisms. In the table, “strength” of a symmetric-key encryption scheme is understood to mean the number of steps in an exhaustive search through the keyspace under the assumption that there are no better attacks. For example, an idealized symmetric-key cipher with keys of length 128 bits would have 128 bits of security and approximately 2128 steps to uncover a key via exhaustive search. Also, “strength” of a hash function is the number of steps to find a collision using a generic collision-finding algorithm.
NIST Elliptic Curves. Table 2

Equivalent security levels

 Bits of Security Symmetric-key encryption Hash functiona FFC or IFCb ECCc 80 2-key Triple-DESd SHA-1e 1,024 160 112 3-key Triple-DES SHA-224 2,048 224 128 AES-128 SHA-256 3,072 256 192 AES-192 SHA-384 7,680 384 256 AES-256 SHA-512 15,360 512

aWeakerhash algorithms are permitted, depending on application.

b“FFC”denotes methods where the basis for security is the DLP on finite fields, while“ICC” includes RSA and other mechanisms where security is based on theinteger factorization problem. In both cases, the size is the bitlength of themodulus.

cThesize is the bitlength of the order of the elliptic curve base point.

dNoattack on 2-key Triple-DES is known that takes fewer than280steps.

eNIST[3] notes that “SHA-1 has recently been demonstrated to provide less than 80bits of security for digital signatures; at the publication of this Recommendation,the security strength against collisions is assessed at 69 bits. The use of SHA-1 isnot recommended for the generation of digital signatures in new systems; newsystems should use one of the larger hash functions. For the present time, SHA-1is included here to reflect its widespread use in existing systems, for which thereduced security strength may not be of great concern when only 80-bits ofsecurity are required.”

The comparable strengths listed in the table are necessarily estimates, based on current knowlege of the specific algorithms and the state of the art in attacks on integer factorization and other problems. Nonetheless, the increasing parameter sizes required at higher security levels for traditional mechanisms in the column marked “FFC or IFC” are a significant factor in the choice of ECC for many applications. For example, see NSA Suite B.