Reference Work Entry

Encyclopedia of Cryptography and Security

pp 843-844

NIST Elliptic Curves

  • Darrel HankersonAffiliated withDepartment of Mathematics, Auburn University
  • , Alfred MenezesAffiliated withDepartment of Combinatorics and Optimization, University of Waterloo

Related Concepts

Elliptic Curve Cryptography


The NIST elliptic curves are a set of curves from the FIPS 186-3 standard that are recommended for US federal government use.


In FIPS 186-3, NIST recommended 15 elliptic curves of varying security levels for US federal government use. The curves are of three types: random elliptic curves over a prime field, random elliptic curves over a binary (characteristic 2) field, and Koblitz [2] elliptic curves over a binary field. Some of the selection criteria and parameters are described here; see [1] for details.

Table 1 lists the NIST-recommended elliptic curves. The curve parameters were chosen so that the corresponding elliptic curve groups have prime order (for curves over \(\mathbb{F}_p\)) or nearly prime order (two or four times a prime) for curves over binary fields.
NIST Elliptic Curves. Table 1

NIST-recommended curves

\({y}^{2} = {x}^{3} - 3x + b\text{ over }\mathbb{F}_p\)

\({y}^{2} + xy = {x}^{3} + a{x}^{2} + b\text{ over }\mathbb{F}_2[z]/(f)\)



Prime p


Reduction polynomial f


\(\mathrm{P} - 192\)

\({2}^{192} - {2}^{64} - 1\)

\(\mathrm{B} - 163,K - 163\)

\({z}^{163} + {z}^{7} + {z}^{6} + {z}^{3} + 1\)


P − 224

\({2}^{224} - {2}^{96} + 1\)

\(\mathrm{B} - 233,\mathrm{K} - 233\)

\({z}^{233} + {z}^{74} + 1\)


P − 256

\({2}^{256} - {2}^{224} + {2}^{192} + {2}^{96} - 1\)

B − 283, \(\mathrm{K} - 283\)

\({z}^{283} + {z}^{12} + {z}^{7} + {z}^{5} + 1\)


P − 384

\({2}^{384} - {2}^{128} - {2}^{96} + {2}^{32} - 1\)

B − 409, K − 409

\({z}^{409} + {z}^{87} + 1\)


P − 521

\({2}^{521} - 1\)

B − 571, \(\mathrm{K} - 571\)

\({z}^{571} + {z}^{10} + {z}^{5} + {z}^{2} + 1\)


For the curves over \(\mathbb{F}[p]\), the primes p are Mersenne-like and chosen to allow fast reduction of integers modulo p. Two curves at each security level are chosen in the binary case, random and Koblitz. The Koblitz curves have a ∈ { 0, 1} and b = 1, which allow significant acceleration in point multiplication algorithms by replacing doubling with an inexpensive operation. (Point halving techniques have similar features, applying to a wider selection of curves but offering less acceleration.) The representation determined by f(z) = z m + r(z) permits fast reduction due to the small number of terms and possibly the relatively low degree of r. The random prime and binary curves are “random” in the sense that curve parameter b can be independently verified as the output of a certain hashing procedure.

Compared with public-key schemes where security is based on the discrete logarithm problem or the integer factorization problem elliptic curve keys can be significantly shorter at a given security level. 2 is an abbreviated summary of comparable strengths given in [3] for various security mechanisms. In the table, “strength” of a symmetric-key encryption scheme is understood to mean the number of steps in an exhaustive search through the keyspace under the assumption that there are no better attacks. For example, an idealized symmetric-key cipher with keys of length 128 bits would have 128 bits of security and approximately 2128 steps to uncover a key via exhaustive search. Also, “strength” of a hash function is the number of steps to find a collision using a generic collision-finding algorithm.
NIST Elliptic Curves. Table 2

Equivalent security levels

Bits of Security

Symmetric-key encryption

Hash functiona





2-key Triple-DESd






3-key Triple-DES























aWeakerhash algorithms are permitted, depending on application.

b“FFC”denotes methods where the basis for security is the DLP on finite fields, while“ICC” includes RSA and other mechanisms where security is based on theinteger factorization problem. In both cases, the size is the bitlength of themodulus.

cThesize is the bitlength of the order of the elliptic curve base point.

dNoattack on 2-key Triple-DES is known that takes fewer than280steps.

eNIST[3] notes that “SHA-1 has recently been demonstrated to provide less than 80bits of security for digital signatures; at the publication of this Recommendation,the security strength against collisions is assessed at 69 bits. The use of SHA-1 isnot recommended for the generation of digital signatures in new systems; newsystems should use one of the larger hash functions. For the present time, SHA-1is included here to reflect its widespread use in existing systems, for which thereduced security strength may not be of great concern when only 80-bits ofsecurity are required.”

The comparable strengths listed in the table are necessarily estimates, based on current knowlege of the specific algorithms and the state of the art in attacks on integer factorization and other problems. Nonetheless, the increasing parameter sizes required at higher security levels for traditional mechanisms in the column marked “FFC or IFC” are a significant factor in the choice of ECC for many applications. For example, see NSA Suite B.

Copyright information

© Springer Science+Business Media, LLC 2011
Show all