## Related Concepts

## Definition

The NIST elliptic curves are a set of curves from the FIPS 186-3 standard that are recommended for US federal government use.

## Applications

In FIPS 186-3, NIST recommended 15 elliptic curves of varying security levels for US federal government use. The curves are of three types: random elliptic curves over a prime field, random elliptic curves over a binary (characteristic 2) field, and Koblitz [2] elliptic curves over a binary field. Some of the selection criteria and parameters are described here; see [1] for details.

NIST-recommended curves

\({y}^{2} = {x}^{3} - 3x + b\text{ over }\mathbb{F}_p\) |
\({y}^{2} + xy = {x}^{3} + a{x}^{2} + b\text{ over }\mathbb{F}_2[z]/(f)\) | |||
---|---|---|---|---|

Curve |
Prime |
Curve |
Reduction polynomial | |

\(\mathrm{P} - 192\) |
\({2}^{192} - {2}^{64} - 1\) |
\(\mathrm{B} - 163,K - 163\) |
\({z}^{163} + {z}^{7} + {z}^{6} + {z}^{3} + 1\) | |

P − 224 |
\({2}^{224} - {2}^{96} + 1\) |
\(\mathrm{B} - 233,\mathrm{K} - 233\) |
\({z}^{233} + {z}^{74} + 1\) | |

P − 256 |
\({2}^{256} - {2}^{224} + {2}^{192} + {2}^{96} - 1\) |
B − 283, \(\mathrm{K} - 283\) |
\({z}^{283} + {z}^{12} + {z}^{7} + {z}^{5} + 1\) | |

P − 384 |
\({2}^{384} - {2}^{128} - {2}^{96} + {2}^{32} - 1\) |
B − 409, K − 409 |
\({z}^{409} + {z}^{87} + 1\) | |

P − 521 |
\({2}^{521} - 1\) |
B − 571, \(\mathrm{K} - 571\) |
\({z}^{571} + {z}^{10} + {z}^{5} + {z}^{2} + 1\) |

For the curves over \(\mathbb{F}[p]\), the primes *p* are Mersenne-like and chosen to allow fast reduction of integers modulo *p*. Two curves at each security level are chosen in the binary case, random and Koblitz. The Koblitz curves have *a* ∈ { 0, 1} and *b* = 1, which allow significant acceleration in point multiplication algorithms by replacing doubling with an inexpensive operation. (Point halving techniques have similar features, applying to a wider selection of curves but offering less acceleration.) The representation determined by *f*(*z*) = *z*
^{
m
} + *r*(*z*) permits fast reduction due to the small number of terms and possibly the relatively low degree of *r*. The random prime and binary curves are “random” in the sense that curve parameter *b* can be independently verified as the output of a certain hashing procedure.

^{128}steps to uncover a key via exhaustive search. Also, “strength” of a hash function is the number of steps to find a collision using a generic collision-finding algorithm.

Equivalent security levels

Bits of Security |
Symmetric-key encryption |
Hash function |
FFC or IFC |
ECC | |
---|---|---|---|---|---|

80 |
2-key Triple-DES |
SHA-1 |
1,024 |
160 | |

112 |
3-key Triple-DES |
SHA-224 |
2,048 |
224 | |

128 |
AES-128 |
SHA-256 |
3,072 |
256 | |

192 |
AES-192 |
SHA-384 |
7,680 |
384 | |

256 |
AES-256 |
SHA-512 |
15,360 |
512 |

The comparable strengths listed in the table are necessarily estimates, based on current knowlege of the specific algorithms and the state of the art in attacks on integer factorization and other problems. Nonetheless, the increasing parameter sizes required at higher security levels for traditional mechanisms in the column marked “FFC or IFC” are a significant factor in the choice of ECC for many applications. For example, see NSA Suite B.