Ieee P1363.3™/D2 Drafttxttrialusetxtgorrporstd For Vartitlepar

1IEEE P1363.
3™/D2
2DrafttxtTrialUsetxtGorRPorSTD for
3varTitlePAR
4
5 Annex A (informative)
6 Number-Theoretic Background
7
8Prepared by the varWorkingGroup Working Group of the
9varCommittee Committee
10Copyright © <year> by the Institute of Electrical and Electronics Engineers, Inc.

11Three Park Avenue
12New York, New York 10016-5997, USA
13All rights reserved.
14This document is an unapproved draft of a proposed IEEE Standard. As such, this document is subject to
15change. USE AT YOUR OWN RISK! Because this is an unapproved draft, this document must not be
16utilized for any conformance/compliance purposes. Permission is hereby granted for IEEE Standards
17Committee participants to reproduce this document for purposes of international standardization
18consideration. Prior to adoption of this document, in whole or in part, by another standards development
19organization, permission must first be obtained from the IEEE Standards Activities Department
20(stds.ipr@ieee.org). Other entities seeking permission to reproduce this document, in whole or in part, must
21also obtain permission from the IEEE Standards Activities Department.
22IEEE Standards Activities Department
23445 Hoes Lane
24Piscataway, NJ 08854, USA
1 1
2 Copyright © <year> IEEE. All rights reserved.
3 This is an unapproved IEEE Standards Draft, subject to change.
4
1Abstract: This standard specifies common identity-based public-key cryptographic techniques that use
2pairings, including mathematical primitives for secret value (key) derivation, public-key encryption, and
3digital signatures, and cryptographic schemes based on those primitives. It also specifies related
4cryptographic parameters, public keys and private keys. The purpose of this standard is to provide a
5reference for specifications of a variety of techniques from which applications may select.
6Keywords: Public-key cryptography, encryption, identity-based encryption, pairing-based encryption,
7pairing-based cryptography.
8
9
1The Institute of Electrical and Electronics Engineers, Inc.

23 Park Avenue, New York, NY 10016-5997, USA
3
4Copyright © 200X by the Institute of Electrical and Electronics Engineers, Inc.
5All rights reserved. Published XX Month XXXX. Printed in the United States of America.
6
7IEEE is a registered trademark in the U.S. Patent & Trademark Office, owned by the Institute of Electrical and Electronics
8Engineers, Incorporated.
9
10PDF: ISBN 978-0-XXXX-XXXX-X STDXXXX
11Print: ISBN 978-0-XXXX-XXXX-X STDPDXXXX
12
13No part of this publication may be reproduced in any form, in an electronic retrieval system or otherwise, without the prior written
14permission of the publisher.
15
16
17 2
20
1CONTENTS
2A.1. Integer and Modular Arithmetic: Overview.......................................................................................5

3A.1.1. Modular arithmetic........................................................................................................................5
4A.1.2. Prime finite fields..........................................................................................................................6
5A.1.3. Modular Square Roots...................................................................................................................7
6A.2. Integer and Modular Arithmetic: Algorithms....................................................................................7

7A.2.1. Modular Exponentiation................................................................................................................7
8A.2.2. The Extended Euclidean Algorithm..............................................................................................8
9A.2.3. Evaluating Legendre Symbols......................................................................................................8
10A.2.4. Generating Lucas Sequences.........................................................................................................9
11A.2.5. Finding Square Roots Modulo a Prime.........................................................................................9
12A.2.6. Finding Square Roots Modulo a Power of 2...............................................................................10
13A.2.7. Computing the Order of a Given Integer Modulo a Prime.........................................................11
14A.2.8. Constructing an Integer of a Given Order Modulo a Prime........................................................11
15A.3. Extension Fields: Overview.............................................................................................................11

16A.3.1. Finite Fields.................................................................................................................................11
17A.3.2. Polynomials over Finite Fields....................................................................................................12
18A.3.3. Extension Fields..........................................................................................................................13
19A.3.4. Polynomial Basis Representations..............................................................................................13
20A.3.5. Extension Fields (cont'd).............................................................................................................14
21A.4. Extension Fields: Algorithms...........................................................................................................14

22A.4.1. Exponentiation............................................................................................................................14
23A.4.2. Division.......................................................................................................................................15
24A.4.3. Squares........................................................................................................................................15
25A.4.4. Square Roots...............................................................................................................................15
26A.4.5. Trace in Binary Field Extension..................................................................................................16
27A.4.6. Half-Trace in Binary Fields.........................................................................................................17
28A.4.7. Solving Quadratic Equations over GF (2m).................................................................................17
29A.5. Polynomials over a Finite Field.......................................................................................................18

30A.5.1. Exponentiation Modulo a Polynomial.........................................................................................18
31A.5.2. G.C.D.'s over a Finite Field.........................................................................................................18
32A.5.3. Factoring Polynomials over GF (p) (Special Case)....................................................................18
33A.5.4. Factoring Polynomials over GF (2) (Special Case)....................................................................19
34A.5.5. Checking Polynomials over GF (2r) for Irreducibility................................................................19
35A.5.6. Finding a Root in GF (2m) of an Irreducible Binary Polynomial................................................20
36A.5.7. Embedding in an Extension Field...............................................................................................20
37A.6. Elliptic Curves: Overview................................................................................................................20

38A.6.1. Introduction.................................................................................................................................20
39A.6.2. Operations on Elliptic Curves.....................................................................................................23
40A.6.3. Elliptic Curve Cryptography (ECC)............................................................................................24
41A.6.4. Analogies with DL......................................................................................................................25
42A.6.5. Curve Orders...............................................................................................................................25
43A.6.6. Representation of Points..............................................................................................................26
44A.7. Elliptic Curves: Algorithms............................................................................................................27

45A.7.1. Full Addition and Subtraction (prime case)................................................................................27
46A.7.2. Full Addition and Subtraction (binary case)...............................................................................28
47A.7.3. Full Addition and Subtraction (supersingular curves in Characteristic 2)..................................28
1 3
4
1A.7.4. Elliptic Scalar Multiplication......................................................................................................29
2A.7.5. Projective Elliptic Doubling (prime case)...................................................................................29
3A.7.6. Projective Elliptic Addition (prime case)....................................................................................30
4A.7.7. Projective Elliptic Doubling (binary case)..................................................................................32
5A.7.8. Projective Elliptic Addition (binary case)...................................................................................33
6A.7.9. Projective Full Addition and Subtraction....................................................................................35
7A.7.10. Projective Elliptic Scalar Multiplication.....................................................................................35
8A.7.11. Decompression of y Coordinates (prime case)............................................................................36
9A.7.12. Decompression of y Coordinates (binary case)...........................................................................36
10A.8. Functions for Elliptic Curve Parameter and Key Generation..........................................................36

11A.8.1. Finding a Random Point on an Elliptic Curve (prime case).......................................................36
12A.8.2. Finding a Random Point on an Elliptic Curve (binary case).......................................................37
13A.8.3. Finding a Point of Large Prime Order.........................................................................................37
14A.8.4. Curve Orders over Small Binary Fields......................................................................................38
15A.8.5. Curve Orders over Extension Fields...........................................................................................38
16A.8.6. Curve Orders via Subfields.........................................................................................................38
17A.9. Class Group Calculations.................................................................................................................39

18A.9.1. Overview.....................................................................................................................................39
19A.9.2. Class Group and Class Number..................................................................................................39
20A.9.3. Reduced Class Polynomials........................................................................................................40
21A.10. Complex Multiplication...................................................................................................................43

22A.10.1. Overview.....................................................................................................................................43
23A.10.2. Finding a Nearly Prime Order over GF (p).................................................................................44
24A.10.3. Finding a Nearly Prime Order over GF (2m)...............................................................................46
25A.10.4. Constructing a Curve and Point (prime case)..............................................................................47
26A.10.5. Constructing a Curve and Point (binary case).............................................................................50
27A.11. Pairing-Friendly Elliptic Curves......................................................................................................51

28A.11.1. Curve Families............................................................................................................................52
29A.11.2. Super-Singular Curves................................................................................................................52
30A.11.3. MNT Curves................................................................................................................................53
31A.11.4. Cocks-Pinch Curves....................................................................................................................54
32A.11.5. BN Curves...................................................................................................................................55
33A.11.6. KSS Curves.................................................................................................................................55
34A.12. Pairings.............................................................................................................................................55
35A.12.1. Pairing Types...............................................................................................................................55
36A.12.2. The Miller Loop..........................................................................................................................55
37A.12.3. Pairing Calculations....................................................................................................................56
38A.12.4. The Weil Pairing.........................................................................................................................56
39A.12.5. Tate..............................................................................................................................................56
40A.12.6. Eta................................................................................................................................................56
41A.12.7. Ate...............................................................................................................................................57
42A.12.8. R-Ate...........................................................................................................................................57
43A.13. Choosing a Curve and Pairing.........................................................................................................57

44A.13.1. Recommended Security Parameters............................................................................................57
45A.13.2. Curve-Pairing Compatibility.......................................................................................................57
46
1 4
4
1A.1. Integer and Modular Arithmetic: Overview
2A.1.1. Modular arithmetic
3A.1.1.1. Modular reduction
4Modular arithmetic is based on a fixed integer m > 1 called the modulus. The fundamental operation is
5reduction modulo m. To reduce an integer a modulo m, one divides a by m and takes the remainder r. This
6operation is written
7 r := a mod m.
8The remainder must satisfy 0 £ r < m.

9Examples:
10 11 mod 8 = 3
11 7 mod 9 = 7
12 –2 mod 11 = 9
13 12 mod 12 = 0
14A.1.1.2. Congruences
15Two integers a and b are said to be congruent modulo m if they have the same result upon reduction
16modulo m. This relationship is written
17 a º b (mod m).
18Two integers are congruent modulo m if and only if their difference is divisible by m.
19Example:
20 11 º 19 (mod 8).
21If r = a mod m, then r º a (mod m).
22If a0 º b0 (mod m) and a1 º b1 (mod m), then
23 a0 + a1 º b0 + b1 (mod m)
24 a0 – a1 º b0 – b1 (mod m)
25 a0a1 º b0b1 (mod m).
26A.1.1.3. Integers modulo m
27The integers modulo m are the possible results of reduction modulo m. Thus the set of integers modulo m
28is
29 Zm = {0, 1, …, m – 1}.
30One performs addition, subtraction, and multiplication on the set Zm by performing the corresponding
31integer operation and reducing the result modulo m. For example, in Z7
1 5
4
1 3=6+4
2 5=1–3
3 6 = 4 ´ 5.
4A.1.1.4. Modular exponentiation
5If v is a positive integer and g is an integer modulo m, then modular exponentiation is the operation of
6computing gv mod m (also written exp (g, v) mod m). Section A.2.1. contains an efficient method for
7modular exponentiation.
8A.1.1.5. G.C.D.'s and L.C.M.'s
9If m and h are integers, the greatest common divisor (or G.C.D.) is the largest positive integer d dividing
10both m and h. If d = 1, then m and h are said to be relatively prime (or coprime). Section A.2.2. contains an
11efficient method for computing the G.C.D.
12The least common multiple (or L.C.M.) is the smallest positive integer l divisible by both m and h. The
13G.C.D. and L.C.M. are related by
14 GCD (h, m) ´ LCM (h, m) = hm
15(for h and m positive), so that the L.C.M. is easily computed if the G.C.D. is known.
16A.1.1.6. Modular division
17The multiplicative inverse of h modulo m is the integer k modulo m such that hk º 1 (mod m). The
18multiplicative inverse of h is commonly written h–1 (mod m). It exists if h is relatively prime to m and not
19otherwise.
20If g and h are integers modulo m, and h is relatively prime to m, then the modular quotient g/h modulo m is
21the integer gh–1 mod m. If c is the modular quotient, then c satisfies g º hc (mod m).
22The process of finding the modular quotient is called modular division. Section A.2.2. contains an efficient
23method for modular division.
24A.1.2. Prime finite fields
25A.1.2.1. The field GF (p)
26In the case in which m equals a prime p, the set Zp forms a prime finite field and is denoted GF (p).
27In the finite field GF (p), modular division is possible for any denominator other than 0. The set of nonzero
28elements of GF (p) is denoted GF (p)*.
29A.1.2.2. Orders
30The order of an element c of GF (p)* is the smallest positive integer v such that cv º 1 (mod p). The order
31always exists and divides p – 1. If k and l are integers, then ck º cl (mod p) if and only if k º l (mod v).
32A.1.2.3. Generators
33If v divides p – 1, then there exists an element of GF (p)* having order v. In particular, there always exists
34an element g of order p – 1 in GF (p)*. Such an element is called a generator for GF (p)* because every
1 6
4
1element of GF (p)* is some power of g. In number-theoretic language, g is also called a primitive root for
2p.
3A.1.2.4. Exponentiation and discrete logarithms
4Suppose that the element g of GF (p)* has order v. Then an element h of GF (p)* satisfies
5 h º g l (mod p)
6for some l if and only if h v º 1 (mod p). The exponent l is called the discrete logarithm of h (with respect
7to the base g). The discrete logarithm is an integer modulo v.
8A.1.3. Modular Square Roots
9A.1.3.1. The Legendre symbol
 a
10If p > 2 is prime, and a is any integer, then the Legendre symbol   is defined as follows. If p divides a,
 p
 a  a
11then   = 0. If p does not divide a, then   equals 1 if a is a square modulo p and –1 otherwise.
 p  p
12(Despite the similarity in notation, a Legendre symbol should not be confused with a rational fraction; the
13distinction must be made from the context.)
14Algorithms for computing Legendre symbol are given in A.2.3..
15A.1.3.2. Square roots modulo a prime
16Let p be an odd prime, and let g be an integer with 0 £ g < p. A square root modulo p of g is an integer z
17with 0 £ z < p and
18 z 2 º g (mod p).
 g
19The number of square roots modulo p of g is 1+J, where J is the Jacobi symbol   .
 p
20If g = 0, then there is one square root modulo p, namely z = 0. If g ¹ 0, then g has either 0 or 2 square roots
21modulo p. If z is one square root, then the other is p – z.
22A procedure for computing square roots modulo a prime is given in A.2.5..
23A.2. Integer and Modular Arithmetic: Algorithms

24A.2.1. Modular Exponentiation
25Modular exponentiation can be performed efficiently by the binary method outlined below.
26Input: a positive integer v, a modulus m, and an integer g modulo m.
27Output: gv mod m.
28
291. Let v = vrvr–1...v1v0 be the binary representation of v, where the most significant bit vr of v is 1.
1 7
4
12. Set x ¬ g.
23. For i from r – 1 downto 0 do
3 3.1 Set x ¬ x2 mod m.
4 3.2 If vi = 1 then set x ¬ gx mod m.
54. Output x.
6There are several modifications that improve the performance of this algorithm. These methods are
7summarized in [Gor98].
8A.2.2. The Extended Euclidean Algorithm
9The following algorithm computes efficiently the G.C.D. d of m and h. If m and h are relatively prime, the
10algorithm also finds the quotient g/h modulo m.
11Input: an integer m > 1 and integers g and h > 0. (If only the G.C.D. of m and h is desired, no input g is
12required.)
13Output: the G.C.D. d of m and h and, if d = 1, the integer c with 0 < c < m and c º g/h (mod m).
14
151. If h = 1 then output d := 1 and c := g and stop.
162. Set r0 ¬ m.
173. Set r1 ¬ h mod m.
184. Set s0 ¬ 0.
195. Set s1 ¬ g mod m.
206. While r1 > 0
21 6.1 Set q ¬ ë r0 / r1û.
22 6.2 Set r2 ¬ r0 – qr1 mod m
23 6.3 Set s2 ¬ s0 – qs1 mod m
24 6.4 Set r0 ¬ r1
25 Set r1 ¬ r2
26 Set s0 ¬ s1
27 Set s1 ¬ s2
287. Output d : = r0.
298. If r0 = 1 then output c := s0
30If m is prime, the quotient exists provided that h ( 0 (mod m), and can be found efficiently using
31exponentiation via
32 c := g hm–2 mod m.
33A.2.3. Evaluating Legendre Symbols
34The following algorithm efficiently computes the Legendre symbol.
35Input: an integer a and a prime p.
a
36Output: the Legendre symbol   .
 p
37
381. Set x ¬ a, y ¬ p, L ¬ 1
392. While y > 1
40 2.1 Set x ¬ (x mod y)
41 2.2 If x > y/2 then
1 8
4
1 2.2.1 Set x ¬ y – x.
2 2.2.2 If y º 3(mod 4) then set L ¬ –L
3 2.3 If x = 0 then set x ¬ 1, y ¬ 0, L ¬ 0
4 2.4 While 4 divides x
5 2.4.1 Set x ¬ x/4
6 2.5 If 2 divides x then
7 2.5.1 Set x ¬ x/2.
8 2.5.2 If y º ± 3 (mod 8) then set L¬ –L
9 2.6 If x º 3 (mod 4) and y º 3 (mod 4) then set L ¬ –L
10 2.7 Switch x and y
113. Output L
12The Legendre symbol can also be found efficiently using exponentiation via
 a
13   := a (p – 1)/2 mod p.
 p
14A.2.4. Generating Lucas Sequences
15Let P and Q be nonzero integers. The Lucas sequence Vk for P, Q is defined by
16 V0 = 2, V1 = P, and Vk = PVk–1 – QVk–2 for k ³ 2.
17This recursion is adequate for computing Vk for small values of k. For large k, one can compute Vk modulo
18an odd integer n > 2 using the following algorithm (see [JQ96]). The algorithm also computes the quantity
19Q ëk/2û mod n; this quantity will be useful in the application given in A.2.5..
20Input: an odd integer n > 2, integers P and Q, and a positive integer k.
21Output: Vk mod n and Q ëk/2û mod n.

22
231. Set v0 ¬ 2, v1 ¬ P, q0 ¬ 1, q1 ¬ 1
242. Let k = kr kr–1...k1 k0 be the binary representation of k, where the leftmost bit kr of k is 1.
253. For i from r downto 0 do
26 3.1 Set q0 ¬ q0 q1 mod n
27 3.2 If ki = 1 then set
28 q1 ¬ q0 Q mod n
29 v0 ¬ v0 v1 – P q0 mod n
30 v1 ¬ v12 – 2 q1 mod n
31 else set
32 q1 ¬ q0
33 v1 ¬ v0 v1 – P q0 mod n
34 v0 ¬ v02 – 2 q0 mod n
354. Output v0 and q0.
36A.2.5. Finding Square Roots Modulo a Prime
37The following algorithm computes a square root z modulo p of g ¹ 0.

38Input: an odd prime p, and an integer g with 0 < g < p.
39Output: a square root modulo p of g if one exists. (In Case III, the message “no square roots exist” is
40returned if none exists.)
1 9
4
1
2I. p º 3 (mod 4), that is p = 4k + 3 for some positive integer k. (See [Leh69].)
3 1. Compute (via A.2.1.) and output z := g k + 1 mod p.
4II. p º 5 (mod 8), that is p = 8k + 5 for some positive integer k. (See [Atk92].)
5 1. Compute g := (2g)k mod p via A.2.1.
6 2. Compute i := 2gg 2 mod p
7 3. Compute and output z := gg (i – 1) mod p
8III p º 1 (mod 8). (See [Leh69].)
9 1. Set Q ¬ g.
10 2. Generate a value P with 0 < P < p not already chosen.
11 3. Compute via A.2.4. the quantities
12 V := V(p+1)/2 mod p and Q0 := Q (p–1)/4 mod p.

13
14 4. Set z ¬ V / 2 mod p.
15 5. If (z 2 mod p) = g then output z and stop.
16 6. If 1 < Q0 < p – 1 then output the message “no square roots exist” and stop.
17 7. Go to Step 2.
18NOTES
191—To perform the modular division of an integer V by 2 (needed in Step 4 of case III), one can simply divide by 2 the
20integer V or V + p (whichever is even). (The integer division by 2 can be accomplished by shifting the binary
21expansion of the dividend by one bit.)
222—As written, the algorithm for Case III works for all p º 1 (mod 4), although it is less efficient than the algorithm for
23Case II when p º 5 (mod 8).
243—In Case III, a given choice of P will produce a solution if and only if P 2 – 4Q is not a quadratic residue modulo p.
25If P is chosen at random, the probability of this is at least 1/2. Thus only a few values of P will be required. It may
26therefore be possible to speed up the process by restricting to very small values of P and implementing the
27multiplications by P in A.2.4. by repeated addition.
284—In cases I and II, the algorithm produces a solution z provided that one exists. If it is unknown whether a solution
29exists, then the output z should be checked by comparing w := z 2 mod p with g. If w = g, then z is a solution; otherwise
30no solutions exist. In case III, the algorithm performs the determination of whether or not a solution exists.
31A.2.6. Finding Square Roots Modulo a Power of 2

32If r > 2 and a < 2r is a positive integer congruent to 1 modulo 8, then there is a unique positive integer b
33less than 2r–2 such that b2 º a (mod 2r). The number b can be computed efficiently using the following
34algorithm. The binary representations of the integers a, b, h are denoted as
35 a = ar–1...a1a0,
36 b = br–1...b1b0,
37 h = hr–1...h1h0.
38Input: an integer r > 2, and a positive integer a º 1 (mod 8) less than 2r.
39Output: the positive integer b less than 2r–2 such that b2 º a (mod 2r).
40
411. Set h ¬ 1.
422. Set b ¬ 1.
433. For j from 2 to r – 2 do
44 If hj+1 ¹ aj+1 then
45 Set bj ¬ 1.
1 10
4
1 If 2j < r
2 then h ¬ (h + 2j+1b – 22j) mod 2 r.
3 else h ¬ (h + 2j+1b) mod 2 r.
44. If br–2 = 1 then set b ¬ 2r–1 – b.
55. Output b.
6A.2.7. Computing the Order of a Given Integer Modulo a Prime
7Let p be a prime and let g satisfy 1 < g < p. The following algorithm determines the order of g modulo p
8when the factorization of p-1 is known.
9Input: a prime p and an integer g with 1 < g < p.
10Output: the order d of g modulo p.

11
121. Factor p  1  pi
ei
i
132. For all divisors d of p-1

14 For all primes pi | d
15 If gd ≡ 1 (mod p) and g d / pi ≠ 1 (mod p)
16 Output d.
17A.2.8. Constructing an Integer of a Given Order Modulo a Prime
18Let p be a prime and let T divide p – 1. The following algorithm generates an element of GF (p) of order T
19when the factorization of p-1 is known.
20Input: a prime p and an integer T dividing p – 1.
21Output: an integer u having order T modulo p.

22
231. Generate a random integer g between 1 and p.
242. Compute via A.2.7. the order d of g modulo p.
253. If T does not divide d then go to Step 1.
264. Output u := gd/T mod p.
27A.3. Extension Fields: Overview

28A.3.1. Finite Fields
29A finite field (or Galois field) is a set with finitely many elements in which the usual algebraic operations
30(addition, subtraction, multiplication, division by nonzero elements) are possible, and in which the usual
31algebraic laws (commutative, associative, distributive) hold. The order of a finite field is the number of
32elements it contains. If q > 1 is an integer, then a finite field of order q exists if q is a prime power and not
33otherwise.
34The finite field of a given order is unique, in the sense that any two fields of order q display identical
35algebraic structure. Nevertheless, there are often many ways to represent a field. It is traditional to denote
36the finite field of order q by Fq or GF (q); this Standard uses the latter notation for typographical reasons. It
37should be borne in mind that the expressions “the field GF (q)” and “the field of order q” usually imply a
38choice of field representation.
39In pairing based cryptography one makes use of GF(pn) for various n and p.
1 11
4
1A.3.2. Polynomials over Finite Fields
2A polynomial over GF (q) is a polynomial with coefficients in GF (q). Addition and multiplication of
3polynomials over GF (q) are defined as usual in polynomial arithmetic, except that the operations on the
4coefficients are performed in GF (q).
5A polynomial over the prime field GF (p) is commonly called a polynomial modulo p. Addition and
6multiplication are the same as for polynomials with integer coefficients, except that the coefficients of the
7results are reduced modulo p.
8Example: Over the prime field GF (7),
9 (t 2 + 4t + 5) + (t 3 + t + 3) = t 3 + t 2 + 5t + 1
10 (t 2 + 3t + 4) (t + 4) = t 3 + 2t + 2.
11A binary polynomial is a polynomial modulo 2.
12Example: Over the field GF (2),
13 (t 3 + 1) + (t 3 + t) = t + 1
14 (t 2 + t + 1) (t +1) = t 3 + 1.
15A polynomial over GF (q) is reducible if it is the product of two smaller degree polynomials over GF (q);
16otherwise it is irreducible. For instance, the above examples show that t 3 + 2t + 2 is reducible over GF (7)
17and that the binary polynomial t 3 + 1 is reducible.
18Every nonzero polynomial over GF (q) has a unique representation as the product of powers of irreducible
19polynomials. (This result is analogous to the fact that every positive integer has a unique representation as
20the product of powers of prime numbers.) The degree-1 factors correspond to the roots of the polynomial.
21A.3.2.1. Polynomial Congruences
22Modular reduction and congruences can be defined among polynomials over GF (q), in analogy to the
23definitions for integers given in A.1.1.. To reduce a polynomial a (t) modulo a nonconstant polynomial
24m (t), one divides a (t) by m (t) by long division of polynomials and takes the remainder r (t). This
25operation is written
26 r (t) := a (t) mod m (t).
27The remainder r (t) must either equal 0 or have degree smaller than that of m (t).
28If m (t) = t – c for some element c of GF (q), then a (t) mod m (t) is just the constant a (c).
29Two polynomials a (t) and b (t) are said to be congruent modulo m (t) if they have the same result upon
30reduction modulo m (t). This relationship is written
31 a (t) º b (t) (mod m(t)).
32One can define addition, multiplication, and exponentiation of polynomials (to integral powers) modulo
33m (t), analogously to how they are defined for integer congruences in A.1.1.. In the case of a prime field
34GF (p), each of these operations involves both reduction of the polynomials modulo m (t) and reduction of
35the coefficients modulo p.
1 12
4
1A.3.3. Extension Fields
2If m is a positive integer, the extension field GF (pm) consists of the pm possible m-tuples of integers modulo
3p. Thus, for example,
4 GF (23) = {000, 001, 010, 011, 100, 101, 110, 111}.
5 GF (32) = {00, 01, 02, 10, 11, 12, 20, 21, 22}.
7The integer m is called the degree of the field.
8A.3.3.1. Addition
9For m > 1, addition of two elements is implemented by component-wise addition modulo p. Thus, for
10example in GF(25) we have,
11 (11001) + (10100) = (01101)
12and in GF(32) we have,
13 (01) + (22) = (20)
14A.3.3.2. Multiplication
15There is more than one way to implement multiplication in GF (pm). To specify a multiplication rule, one
16chooses a basis representation for the field. The basis representation is a rule for interpreting each m-tuple;
17the multiplication rule follows from this interpretation.
18For the purposes of this standard we focus on polynomial basis representations.
19A.3.4. Polynomial Basis Representations
20In a polynomial basis representation, each element of GF (pm) is represented by a different polynomial
21modulo p of degree less than m. More explicitly, the tuple (am-1 … a2 a1 a0) is taken to represent the binary
22polynomial
23 am–1 tm–1 + … + a2t 2 + a1t + a0.
24The polynomial basis is the set
25 B = {t m–1, …, t2, t, 1}.
26The addition of m-tuples, as defined in A.3.3., corresponds to addition of polynomials modulo p.
27Multiplication is defined in terms of an irreducible binary polynomial f(t) of degree m, called the field
28polynomial for the representation. The product of two elements is simply the product of the corresponding
29polynomials, reduced modulo f(t).
30There is a polynomial basis representation for GF (pm) corresponding to each irreducible polynomial f(t)
31modulo p of degree m. Irreducible polynomials modulo p exist of every degree. Roughly speaking, every
32one out of m polynomials modulo p of degree m is irreducible.
1 13
4
1A.3.5. Extension Fields (cont'd)
2A.3.5.1. Exponentiation
3If k is a positive integer and a is an element of GF (pm), then exponentiation is the operation of computing
4a k. Section A.4.3. contains an efficient method for exponentiation.
5A.3.5.2. Division
6If a and b ¹ 0 are elements of the field GF (pm), then the quotient a /b is the element g such that a = bg.
7In the finite field GF (pm), modular division is possible for any denominator other than 0. The set of
8nonzero elements of GF (pm) is denoted GF (pm)*.
9Section A.4.2. contains an efficient method for division.
10A.3.5.3. Orders
11The order of an element g of GF (pm)* is the smallest positive integer v such that g v = 1. The order always
12exists and divides pm – 1. If k and l are integers, then g k = g l in GF (pm) if and only if k º l (mod v).
13A.3.5.4. Generators
14If v divides pm – 1, then there exists an element of GF (pm)* having order v. In particular, there always
15exists an element g of order pm – 1 in GF (pm)*. Such an element is called a generator for GF (pm)* because
16every element of GF (pm)* is some power of g.
17A.3.5.5. Exponentiation and discrete logarithms
18Suppose that the element g of GF (pm)* has order v. Then an element h of GF (pm)* satisfies h = g l for
19some l if and only if h v = 1. The exponent l is called the discrete logarithm of h (with respect to the base
20g). The discrete logarithm is an integer modulo v.
21A.3.5.6. Field extensions
22Given two extensions K = GF (pn) and L = GF (pm), L is an extension of K if and only if n | m. For pairing
23based cryptography we often require that K be embedded in the extension L. This is defined in A.5.7..
24A.4. Extension Fields: Algorithms

25The following algorithms perform operations in a finite field GF (pm) having pm elements. The elements of
26GF (pm) are represented by a polynomial basis modulo the irreducible polynomial f (t).
27A.4.1. Exponentiation
28Exponentiation can be performed efficiently by the binary method outlined below.
29Input: a positive integer k, a field GF (pm) and a field element a.
30Output: a k.
31
321. Let k = kr kr–1 ... k1 k0 be the binary representation of k, where the most significant bit kr of k is 1.
332. Set x ¬ a.
1 14
4
2 3.1 Set x ¬ x2.
3 3.2 If ki = 1 then set x ¬ a x.
44. Output x.
7A.4.2. Division
8The quotient a /b can be computed directly (i.e. in one step by an algorithm with inputs a and b), or
9indirectly (by computing the multiplicative inverse b –1 and then multiplying it by a). The common method
10of performing division in a finite field GF (pm) is the indirect method using,
11The Extended Euclidean Algorithm.
12Input: two polynomials f(x), g(x) ¹ 0 over GF (pm).

13Output: d(x) = GCD (f(x), g(x)), s(x), t(x) satisfying s(x)f(x)+t(x)g(x) = d(x)
14
151. Set s1(x) ¬ 1, s2(x) ¬ 0, t1(x) ¬ 1, t2(x) ¬ 0
162. While g(x) ¹ 0
17 2.1 Set q(x) ¬ f(t) / g(t), r(x) ¬ f(x) – g(x)q(x).
18 2.2 Set s(x) ¬ s2(x) – q(x)s1(x), t(x) ¬ t2(x) – q(x)t1(x)
19 2.3 Set f(x) ¬ g(x), g(x) ¬ r(x)
20 2.4 Set s2(x) ¬ s1(x), s1(x) ¬ s(x), t2(x) ¬ t1(x), t1(x) ¬ t(x)
213. Set d(x) ¬ f(x), s(x) ¬ s2(x) , t(x) ¬ t2(x).
224. Output d(x), s(x), t(x)
23This algorithm produces the t(x), the multiplicative inversion of g(x) modulo f(x). By ë f(x) / g(x)û is meant
24the quotient upon polynomial division, dropping any remainder.
25A.4.3. Squares
26To determine whether a given element is a square, the Legendre symbol can be computed as follows:
27Input: f(x), g(x) ¹ 0  GF (pm) where g(x) is irreducible

28Output: the Legendre-Kronecker-Jacobi symbol (f(x) / g(x))
29
301. Set k ¬ 1
312. While deg(m) ≠ 0
32 2.1. if f(x) = 0, return 0
33 2.2. a  the leading coefficient of f(x)
34 2.3. f(x)  f(x) / a
a
35 2.4. if deg(m)  1 (mod 2) then k  k  
 p
36 2.5. if pdeg(m)  3 (mod 4) and deg (m) deg (f)  1 (mod 2) then k  -k
37 2.6. r(x)  f(x), f(x)  m(x) mod r(x), m(x)  r(x)
383. return k
39A.4.4. Square Roots

40To compute a square root in a finite field, the Tonelli-Shanks algorithm is used.
1 15
4
1Input: an element a  GF (q) where q = pk
2Output: an element x  GF (q) such that a = x2 or ‘quadratic non-residue’ if a is not a square.

3
41. Write q – 1 = 2ev
n
52. Choose n  GF (q) until   = -1. Set z ← nv
q
((v-1)/2)
63. Set y ← z, r ← e, x ← a , b ← ax2, x ← ax
74. if b = 1, return x
8 m
otherwise find the smallest integer m such that b 2  1 . If m = r return 'a is a quadratic non-
9residue'
r  m 1
105. Set t ← y 2 , y ← t2, r ← m, x ← xt, b ← by and go to (4)
11Notes: p, k, q, e, v, r, m are integers
12a, x, n, z, y, b, t are elements  GF (q)
n
13   can be computed by forming n(q-1)/2
q
14A.4.5. Trace in Binary Field Extension
15If  is an element of GF (2m), the trace of  is
16 Tr() =  + 2 + 22 + ... + 2m–1.
17The value of Tr () is 0 for half the elements of GF (2m), and 1 for the other half.
18The trace can be computed efficiently as follows.
19The basic algorithm inputs ÎGF (2m) and outputs T = Tr ().

20
211. Set T ¬.
222. For i from 1 to m – 1 do
23 2.1 T ¬ T 2 +.
243. Output T.
25If many traces are to be computed with respect to a fixed polynomial basis
26 {t m–1, …, t, 1},
27then it is more efficient to compute and store the element
28 t = (tm–1…t1t0)
29where each coordinate
30 tj = Tr (t j)
31is computed via the basic algorithm. Subsequent traces can be computed via
32 Tr (a) = a × t,
1 16
4
1where the “dot product” of the bit strings is given by bitwise AND (or bitwise multiplication).
2A.4.6. Half-Trace in Binary Fields
3If m is odd, the half-trace of  Î GF (2m) is
4 HfTr () = + 22 + 24 + ... + 2m–1.
5The following algorithm inputs ÎGF (2m) and outputs H = HfTr ()

6
71. Set H ¬.
82. For i from 1 to (m – 1) /2 do
9 2.1 H ¬ H 2.
10 2.2 H ¬ H 2 +.
113. Output H.
12A.4.7. Solving Quadratic Equations over GF (2m)
13If  is an element of GF (2m), then the equation
14 z2 + z = 
15has 2 – 2T solutions over GF (2m), where T = Tr (). Thus, there are either 0 or 2 solutions. If z is one
16solution, then the other solution is z + 1. In the case  = 0, the solutions are 0 and 1.
17The following algorithms compute a solution if one exists.
18Input: a field GF (2m) along with a polynomial or normal basis for representing its elements; an element 
19¹ 0.
20Output: an element z for which z 2 + z = , if such an element exists.
21If m is odd, then compute z := half-trace of  via A.4.6.. For m even, proceed as follows.
22
231. Choose random r Î GF (2m)
242. Set z ¬ 0 and w ¬r.
253. For i from 1 to m – 1 do
26 3.1 Set z ¬ z2 + w 2.
27 3.2 Set w ¬ w2 + r.
284. If w = 0 then go to Step 1
295. Output z.
30If the latter algorithm is to be used repeatedly for the same field, and memory is available, then it is more
31efficient to precompute and store r and the values of w. Any element of trace 1 will serve as r, and the
32values of w depend only on r and not on 
33The above algorithm produces a solution z provided that one exists. If it is unknown whether a solution
34exists, then the output z should be checked by comparing g := z2 + z with b. If g = b, then z is a solution;
35otherwise no solutions exist.
1 17
4
1A.5. Polynomials over a Finite Field
2The computations below can take place either over a prime field (having a prime number p of elements) or
3over a binary field (having 2m elements).
4A.5.1. Exponentiation Modulo a Polynomial
5If k is a positive integer and f(t) and m(t) are polynomials with coefficients in the field GF (q), then f(t)k
6mod m(t) can be computed efficiently by the binary method outlined below.
7Input: a positive integer k, a field GF (q), and polynomials f(t) and m(t) with coefficients in GF (q).
8Output: the polynomial f(t)k mod m(t).

9
101. Let k = kr kr–1 ... k1 k0 be the binary representation of k, where the most significant bit kr of k is 1.
112. Set u(t) ¬ f(t) mod m(t).
13 3.1 Set u(t) ¬ u(t)2 mod m(t).
14 3.2 If ki = 1 then set u(t) ¬ u(t) f(t) mod m(t).
154. Output u(t).
18A.5.2. G.C.D.'s over a Finite Field
19If f(t) and g(t) ¹ 0 are two polynomials with coefficients in the field GF (q), then there is a unique monic
20polynomial d(t) of largest degree which divides both f(t) and g(t). The polynomial d(t) is called the
21greatest common divisor or G.C.D. of f(t) and g(t). The following algorithm computes the G.C.D. of two
22polynomials.
23Input: a finite field GF (q) and two polynomials f(t), g(t) ¹ 0 over GF (q).
24Output: d(t) = GCD( f(t), g(t)).
25
261. Set a(t) ¬ f(t), b(t) ¬ g(t).
272. While b(t) ¹ 0
28 2.1 Set c(t) ¬ the remainder when a(t) is divided by b(t).
29 2.2 Set a(t) ¬ b(t).
30 2.3 Set b(t) ¬ c(t).
313. Set  ¬ the leading coefficient of a(t).
324. Set d(t) ¬ a –1 a(t).
335. Output d(t).
34A.5.3. Factoring Polynomials over GF (p) (Special Case)
35Let f(t) be a polynomial with coefficients in the field GF (p), and suppose that f(t) factors into distinct
36irreducible polynomials of degree d. (This is the special case needed in A.10..) The following algorithm
37finds a random degree-d factor of f(t) efficiently.
38Input: a prime p > 2, a positive integer d, and a polynomial f(t) which factors modulo p into distinct
39irreducible polynomials of degree d.
40Output: a random degree-d factor of f(t).

1 18
4
1
21. Set g(t) ¬ f(t).
32. While deg(g) > d
4 2.1 Choose u(t) ¬ a random monic polynomial of degree 2d – 1.
5 2.2 Compute via A.5.1.
d
1)/ 2
6 c(t) := u( t )( p mod g(t).
7 2.3 Set h(t) ¬ GCD(c(t) – 1, g(t)).
8 2.4 If h(t) is constant or deg(g) = deg(h) then go to Step 2.1.
9 2.5 If 2 deg(h) > deg(g) then set g(t) ¬ g(t) / h(t); else g(t) ¬ h(t).
103. Output g(t).
11A.5.4. Factoring Polynomials over GF (2) (Special Case)
12Let f(t) be a polynomial with coefficients in the field GF (2), and suppose that f(t) factors into distinct
13irreducible polynomials of degree d. (This is the special case needed in A.10..) The following algorithm
14finds a random degree-d factor of f(t) efficiently.
15Input: a positive integer d, and a polynomial f(t) which factors modulo 2 into distinct irreducible
16polynomials of degree d.
17Output: a random degree-d factor of f(t).

18
191. Set g(t) ¬ f(t).
202. While deg(g) > d
21 2.1 Choose u(t) ¬ a random monic polynomial of degree 2d – 1.
22 2.2 Set c(t) ¬ u(t).
23 2.3 For i from 1 to d – 1 do
24 2.3.1 c(t) ¬ c(t)2 + u(t) mod g(t).
25 2.4 Compute h(t) := GCD(c(t), g(t)) via A.5.2..
283. Output g(t).
29A.5.5. Checking Polynomials over GF (2r) for Irreducibility
30If f(t) is a polynomial with coefficients in the field GF (2r), then f(t) can be tested efficiently for
31irreducibility using the following algorithm.
32Input: a polynomial f(t) with coefficients in GF (2r).
33Output: the message “True” if f(t) is irreducible; the message “False” otherwise.
34
351. Set d ¬ degree of f(t).
362. Set u(t) ¬ t.
373. For i from 1 to ëd/2û do
38 3.1 For j from 1 to r do
39 Set u(t) ¬ u(t)2 mod f(t)
40 Next j
41 3.2 Set g(t) ¬ GCD(u(t) + t, f(t)).
42 3.3 If g(t) ¹ 1 then output “False” and stop.
433. Output “True.”
1 19
4
1A.5.6. Finding a Root in GF (2m) of an Irreducible Binary Polynomial
2If f(t) is an irreducible polynomial modulo 2 of degree d dividing m, then f(t) has d distinct roots in the field
3GF (2m). A random root can be found efficiently using the following algorithm.
4Input: an irreducible polynomial modulo 2 of degree d, and a field GF (2m), where d divides m.
5Output: a random root of f(t) in GF (2m).

6
71. Set g(t) ¬ f(t) (g(t) is a polynomial over GF (2m)).
82. While deg(g) > 1
9 2.1 Choose random u Î GF (2m).
10 2.2 Set c(t) ¬ ut.
11 2.3 For i from 1 to m – 1 do
12 2.3.1 c(t) ¬ c(t)2 + ut mod g(t).
13 2.4 Set h(t) ¬ GCD(c(t), g(t)).
163. Output g(0).
17A.5.7. Embedding in an Extension Field
18Given a field F = GF (pd), the following algorithm embeds F into an extension field K = GF (pde).
19Input: integers d and e; a polynomial basis B for F = GF (pd) with field polynomial f(t); a polynomial
20basis for K = GF (pde).
21Output: an embedding of F into K; that is a function taking each a Î F to a corresponding element b of

22K.
23
241. Compute via A.5.6. a root l Î K of f(t).
252. Output
26 b := am–1 l m–1 + … + a2l 2 + a1l + a0,
27 where (am–1 … a1 a0) is the m-tuple representing a with respect to B.

28
29A.6. Elliptic Curves: Overview

30A.6.1. Introduction
31A plane curve is defined to be the set of points satisfying an equation F (x, y) = 0. The simplest plane
32curves are lines (whose defining equation has degree 1 in x and y) and conic sections (degree 2 in x and y).
33The next simplest are the cubic curves (degree 3). These include elliptic curves, so called because they
34arose historically from the problem of computing the circumference of an ellipse. This Standard restricts its
35attention to cubic plane curves, although other representations could be defined. The coefficients of such a
36curve must satisfy a side condition to guarantee the mathematical property of nonsingularity. The side
37condition is given below for each family of curves.)
38An elliptic curve is a non-singular (smooth) algebraic curve of genus one with a defined point. The set of
39points on an elliptic curve is topologically equivalent to a torus - a surface with one hole in it – and,
40simplistically, the number of holes in a surface is the definition of the term genus. Elliptic curves should
41strictly be written as a pair (E, O) where E is the curve and O the defined point. However, O is invariably
1 20
4
1taken to be the point at infinity and the elliptic curve is often simply referred to as E. (Note: see [Sil86] for
2a mathematically precise definition of “elliptic curve.”)
3In cryptography, the elliptic curves of interest are those defined over finite fields. That is, the coefficients
4of the defining equation F (x, y) = 0 are elements of GF (q), and the points on the curve are of the form P =
5(x, y), where x and y are elements of GF (q). Examples are given below.
6A.6.1.1. The Weierstrass equation
7There are several kinds of defining equations for elliptic curves, but the most common are the Weierstrass
8equations. This standard will be concerned with both ordinary and supersingular curves.
9
10— For the finite fields GF (pm) with p > 3, the standard Weierstrass equation for ordinary curves is
11 y 2 = x 3 + ax + b
12 where a and b are integers modulo p for which 4a 3 + 27b 2 ( 0 (mod p).
13
14— For the binary finite fields GF (2m), the standard Weierstrass equation for ordinary curves is
15 y 2 + xy = x 3 + ax 2 + b
16 where a and b are elements of GF (2m) with b ¹ 0.

17
18— One can also define the following supersingular curves. We define these by giving the base field,
19 then the “embedding degree” k (which will be used later), followed by the equation of the curve. We
20 will only be interested in even embedding degree curves.
21  GF (2s), k=2, s even
22 y 2 + y = x 3 + δx
23 where Tr δ ≠0 [MRC: This is Tr_F_q/F_4 from ‘Taxonomy’ 3.2. Is this different to Tr as define
24 in A.4.5?]
25  GF (2s), k=2, s odd
26 y2 + y = x3
27 [MRC: In ‘Taxonomy’ 3.2 only the char 2 case is explicitly given. What are the corresponding
28 char 3 curves?]
29  GF (p) with p > 3, k=2
30 y 2 = x 3 + ax + b
31 o
If p ≡3 (mod 4) then b=0 and –a is not a square mod p
32 o
If p ≡5 (mod 6) then a=0
33 o
If p ≡1 (mod 12) then a = 3mc2, b = 2mc3, where m = j / (1728 – j) and c  GF (p)×
34  GF (2s), k=4
35 y2 + y = x3 + x + b
36 for b=0 or 1
37  GF (3s), k=6
38 y2 = x3 - x + b
39 for b= 0 or 1
40
41[NB. Include the SS forms here]
1 21
4
1Given a Weierstrass equation, the elliptic curve E consists of the solutions (x, y) over GF (q) to the defining
2equation, along with an additional element called the point at infinity (denoted O). The points other than O
3are called finite points. The number of points on E (including O) is called the order of E and is denoted by
4#E (GF (q)).
5Example: Let E be the curve
6 y 2 = x 3 + 10 x + 5
7over the field GF (13). Then the points on E are
8 {O, (1,4), (1,9), (3,6), (3,7), (8,5), (8,8), (10,0), (11,4), (11,9)}.
9Thus the order of E is #E (GF (13)) = 10.
10Example: Let E be the curve
11 y 2 + xy = x 3 + (t + 1) x 2 + 1
12over the field GF (23) given by the polynomial basis with field polynomial t 3 + t + 1 = 0. Then the points
13on E are
14 {O, ((000), (001)),

15 ((010), (100)), ((010), (110)), ((011), (100)), ((011), (111)),
16 ((100), (001)), ((100), (101)), ((101), (010)), ((101), (111)),
17 ((110), (000)), ((110), (110)), ((111), (001)), ((111), (110))}.
18Thus the order of E is #E (GF (23)) = 14.
19For more information on elliptic curve cryptography, see [Bla99].
20A.6.1.2. Pairings
21The primitives defined in the body of this standard use the general concept of a pairing. Here, we define a
22pairing e as a bilinear map between elements of two finite, cyclic, additive groups, G1 and G2 to a third
23finite, cyclic group GT defined multiplicatively. Both of G1 and G2 are of prime order r, as is GT.
24Notationally, we have:
25 e:G1 × G2  GT
26where the bilinear property is such that
27 For all P, P’  G1 and all Q, Q’  G2, e(P + P’,Q) = e(P,Q)e(P’,Q) and e(P,Q + Q’) = e(P,Q) e(P,Q’)
28We also impose the condition that the map be non-degenerate, i.e:
29 For all 0 ≠ P  G1 there exists Q  G2 such that e(P,Q) ≠ 1 and
30 For all 0 ≠ Q  G2 there exists P  G1 such that e(P,Q) ≠ 1
31For cryptographic use, the groups G1 and G2 over which the pairings are defined are sub-groups of points
32on an elliptic curve.
33Elliptic curves fall into two general categories: supersingular curves and ordinary curves. The former are
34curves where the kernel of the ‘multiplication by p’ map (where p is the characteristic of K) is trivial.
1 22
4
1Supersingular curves were the first to be considered for use in pairing-based cryptography because they
2possess maps (non F_q-rational endomorphisms) that prove useful in constructing the Tate pairing.
3The first pairing-based cryptosystems used the Weil and Tate pairings on supersingular curves. Further
4research in pairing-based cryptography has led to a range of suitable pairings and families of curves. Apart
5from super-singular curves, all the curve families are of ordinary curves. The primary factors that dictate
6which pairing and curve to use are the efficiency of computations and the security level. As with most
7cryptography, increasing levels of security can be obtained by increasing the size of the field over which
8the operations are defined, but not all curve-pairing combinations have the same relationship between
9security and efficiency. To give some guidance for the best choices, section A.13.1. suggests some
10appropriate system parameters for different levels of security and section A.13.2. suggests appropriate
11combinations of pairings and curves.
12A.6.1.3. Twists
13For a field K, if char (K) ≠ 2,3 we define quadratic, quartic and sextic twists of E(K) as follows. Let
14 E: y 2 = x 3 + Ax + B
15Case 1: if A, B ≠ 0, there are Quadratic Twists only, one can define the twist by giving a value and D
16 givingto produce the curve
17 E': y 2 = x 3 + D2Ax +D3B
18 Essentially there are two such values of D, one producing the original curve and one producing the
19 quadratic twist.
20Case 2: if B = 0, there are Quartic Twists and Quadratic Twistsonly and D giving. By giving a value D
21 one can define the quartic twists by
22 E': y 2 = x 3 + DAx
23 There are essentially four such values of D, which produce non-isomorphic curves over the base
24 field. One of these produces the same curve, two the quartic twists and the remaining one produces
25 the quadratic twist of E.
26Case 2: if A = 0, there are Sextic Twists and Quadratic twistsonly and D giving. By giving a suitable value
27 of D one can define the twists via
28 E': y 2 = x 3 + DB
29 There are essentially six such values of D, one produces the curve itself, one produces the quadratic
30 twist, two produce a cubic twist, whilst the remaining two produce sextic twists.
31A.6.2. Operations on Elliptic Curves
32There is an addition operation on the points of an elliptic curve which possesses the algebraic properties of
33ordinary addition (e.g. commutativity and associativity). This operation can be described geometrically as
34follows.
35Define the inverse of the point P = (x, y) to be
 ( x, y ) if p  3

36  P  ( x, x  y ) if q = 2m and E is ordinary
 ( x, c  y )
 m
if q = 2 and E is supersingular
37Then the sum P + Q of the points P and Q is the point R with the property that P, Q, and –R lie on a
38common line.
1 23
4
1A.6.2.1. The point at infinity
2The point at infinity O plays a role analogous to that of the number 0 in ordinary addition. Thus
3 P + O = P,
4 P + (– P) = O
5for all points P.
6A.6.2.2. Full addition
7When implementing the formulae for elliptic curve addition, it is necessary to distinguish between
8doubling (adding a point to itself) and adding two distinct points that are not inverses of each other,
9because the formulae are different in the two cases. Besides this, there are also the special cases involving
10O. By full addition is meant choosing and implementing the appropriate formula for the given pair of
11points. Algorithms for full addition are given in A.7.1., A.7.2., A.7.3. and A.7.9..
12A.6.2.3. Scalar multiplication
13Elliptic curve points can be added but not multiplied. It is, however, possible to perform scalar
14multiplication, which is another name for repeated addition of the same point. If n is a positive integer and
15P a point on an elliptic curve, the scalar multiple nP is the result of adding n copies of P. Thus, for
16example, 5P = P + P + P + P + P.
17The notion of scalar multiplication can be extended to zero and the negative integers via
18 0P = O, (–n) P = n (–P).
19A.6.3. Elliptic Curve Cryptography (ECC)
20A.6.3.1. Orders
21The order of a point P on an elliptic curve is the smallest positive integer r such that rP = O. The order
22always exists and divides the order of the curve #E(GF (q)). If k and l are integers, then kP = lP if and only
23if k º l (mod r).
24A.6.3.2. Elliptic curve discrete logarithms
25Suppose that the point G on E has prime order r where r 2 does not divide the order of the curve #E(GF (q)).
26Then a point P satisfies P = lG for some l if and only if rP = O. The coefficient l is called the elliptic curve
27discrete logarithm of P (with respect to the base point G). The elliptic curve discrete logarithm is an
28integer modulo r.
29A.6.3.3. EC-based cryptography
30Suppose that the base point G on E has order r as described in the preceding paragraph. Then a key pair
31can the defined as follows.
32
33— The private key s is an integer modulo r.
34— The corresponding public key W is a point on E defined by W := sG.
35It is necessary to compute an elliptic curve discrete logarithm in order to derive a private key from its
36corresponding public key. For this reason, public-key cryptography based on key pairs of this type relies
37for its security on the difficulty of the elliptic curve discrete logarithm problem. Thus it is an example of
1 24
4
1EC-based cryptography. The difficulty of the elliptic curve discrete logarithm problem is discussed in
2Annex D.4.2.
3A.6.4. Analogies with DL
4The discrete logarithm problem in finite fields GF (q)* and the elliptic curve discrete logarithm are in some
5sense the same abstract problem in two different settings. As a result, the primitives and schemes of DL
6and EC based cryptography are closely analogous to each other. The following table makes these analogies
7explicit.
DL EC
Setting GF (q)* curve E over GF (q)
Basic operation multiplication in GF (q) addition of points
Main operation exponentiation scalar multiplication
Base element generator g base point G
Base element order prime r prime r
Private key s (integer modulo r) s (integer modulo r)
Public key w (element of GF (q)) W (point on E)
8A.6.5. Curve Orders
9The most difficult part of generating EC parameters is finding a base point of prime order. Generating such
10a point requires knowledge of the curve order n = #E(GF (q)). Since r must divide n, one has the following
11problem: given a field F = GF (q), find an elliptic curve defined over F whose order is divisible by a
12sufficiently large prime r. (Note that “sufficiently large” is defined in terms of the desired security; see
13Annex A.6.3. and A.13.1..) This section discusses this problem.
14A.6.5.1. Basic facts

15— If n is the order of an elliptic curve over GF (q), then the Hasse bound is
16 q–2 q + 1 £ n £ q + 2 q + 1.
17 Thus the order of an elliptic curve over GF (q) is approximately q.

18
19— If q is a prime p, let n be the order of the curve y 2 = x 3 + ax + b, where a and b are both nonzero.
20 Then if l ¹ 0, the order of the curve y 2 = x 3 + al 2x + bl 3 is n if l is a square modulo p and
21 2p + 2 – n otherwise. (This fact allows one to replace a given curve by one with the same order and
22 satisfying some extra condition, such as a = p – 3 which will be used in A.7.5..) In the case b = 0,
23 there are four possible orders; in the case a = 0, there are six. (The formulae for these orders can be
24 found in Step 6 of A.10.2.3..)
25— If q = 2m, let n be the order of the curve y 2 + xy = x 3 + ax 2 + b, where a and b are both nonzero.
26 Then if l ¹ 0, the order of the curve y 2 + xy = x 3 + (a + l) x 2 + b is n if l has trace 0 and
27 2m+1 + 2 – n otherwise (see A.4.5.). (This fact allows one to replace a given curve by one with the
28 same order and satisfying some extra condition, such as a = 0 which will be used in A.7.8..)
29— If q = 2m, then the curves y 2 + xy = x 3 + ax 2 + b and y 2 + xy = x 3 + a 2 x 2 + b 2 have the same order.
1 25
4
1A.6.5.2. Near primality
2Given a trial division bound lmax, the positive integer k is called smooth if every prime divisor of k is at most
3lmax. Given large positive integers rmin and rmax, u is called nearly prime if u = kr for some prime r in the
4interval rmin £ r £ r max and some smooth integer k. (The requirement that k be smooth is omitted in most
5definitions of near primality. It is included here to guarantee that there exists an efficient algorithm to
6check for near primality.) In the case in which a prime order curve is desired, the bound lmax is set to 1.
7NOTE—since all elliptic curves over GF (q) have order at most umax = q + 2 q + 1, then rmax should be no greater
8than umax. (If no maximum is desired, e.g., as in draft ANSI X9.62 [ANS98e], then one takes rmax ¬ umax.) Moreover, if
9rmin is close to umax, then there will be a small number of possible curves to choose from, so that finding a suitable one
10will be more difficult. If a prime-order curve is desired, a convenient choice is rmin = q + q.
11A.6.6. Representation of Points
12This section discusses the issues involved in choosing representations for points on elliptic curves, for
13purposes of internal computation and for external communication.
14A.6.6.1. Affine coordinates
15A finite point on E is specified by two elements x, y in GF (q) satisfying the defining equation for E. These
16are called the affine coordinates for the point. The point at infinity O has no affine coordinates. For
17purposes of internal computation, it is most convenient to represent O by a pair of coordinates (x, y) not on
18E. For q = 2 m, the simplest choice is O = (0,0). For q = pm, one chooses O = (0, 0) unless b = 0, in which
19case O = (0, 1).
20A.6.6.2. Coordinate compression
21The affine coordinates of a point require 2ml bits to store and transmit where q itself requires l bits to
22represent it. This is far more than is needed, however. For purposes of external communication, therefore,
23it can be advantageous to compress one or both of the coordinates.
24The y coordinate can always be compressed. The compressed y coordinate, denoted ~y , is a single bit,
25defined as follows.
26
27— if q is a power of an odd prime, then ~
y := y mod 2, where y is interpreted as a positive integer less
28 ~
than q. Put another way, y is the rightmost bit of y.
29— ~
if q is a power of 2, then y is the rightmost bit of the field element y x –1 (except when x = 0, in
30 ~
which case y := 0).
31NOTES
321—Algorithms for decompressing coordinates are given in A.7.11. and A.7.12..
332—There are many other possible ways to compress coordinates; the methods given here are the ones that have
34appeared in the literature (see [Men95], [Ser98]).
35A.6.6.3. Projective coordinates
36If division within GF (q) is relatively expensive, then it may pay to keep track of numerators and
37denominators separately. In this way, one can replace division by  with multiplication of the denominator
38by . This is accomplished by the projective coordinates X, Y , and Z, given by
1 26
4
X Y
1 x 2
,y  3.
Z Z
2The projective coordinates of a point are not unique because
3 (X, Y, Z) = ( 2X,  3Y,  Z)
4for every nonzero  Î GF (q).
5The projective coordinates of the point at infinity are ( 2,  3, 0), where  ¹ .

6Other kinds of projective coordinates exist, but the ones given here provide the fastest arithmetic on elliptic
7curves. (See [CC87].)
8The formulae above provide the method for converting a finite point from projective coordinates to affine.
9To convert from affine to projective, one proceeds as follows.
10 X ¬ x, Y ¬ y, Z ¬ 1.
11Projective coordinates are well suited for internal computation, but not for external communication since
12they require so many bits. They are more common over GF (p) since division tends to be more expensive
13there.
14A.7. Elliptic Curves: Algorithms

15A.7.1. Full Addition and Subtraction (prime case)
16The following algorithm implements a full addition (on a curve modulo p) in terms of affine coordinates.
17Note that this algorithm can also be used for supersingular curves of characteristic 3.
18Input: a field K = GF(pn) for p > 3; coefficients a, b for an elliptic curve E: y 2 = x 3 + ax + b over K;
19points P0 = (x0, y0) and P1 = (x1, y1) on E.
20Output: the point P2 := P0 + P1.

21
221. If P0 = O then output P2 ¬ P1 and stop
232. If P1 = O then output P2 ¬ P0 and stop
243. If x0 ¹ x1 then
25 3.1 set l ¬ (y0 – y1) / (x0 – x1) mod p
26 3.2 go to step 7
274. If y0 ¹ y1 then output P2 ¬ O and stop
285. If y1 = 0 then output P2 ¬ O and stop
296 Set l ¬ (3 x12 + a) / (2y1) mod p
307. Set x2 ¬ l 2 – x0 – x1 mod p
318. Set y2 ¬ (x1 – x2) l – y1 mod p
329. Output P2 ¬ (x2, y2)
33The above algorithm requires 3 or 4 modular multiplications and a modular inversion.
34To subtract the point P = (x, y), one adds the point –P = (x, –y).
1 27
4
1A.7.2. Full Addition and Subtraction (binary case)
2The following algorithm implements a full addition (on an ordinary curve over GF (2m)) in terms of affine
3coordinates.
4Input: a field GF (2m); coefficients a, b for an elliptic curve E: y 2 + xy = x 3 + ax 2 + b over GF (2m); points
5P0 = (x0, y0) and P1 = (x1, y1) on E.

7
81. If P0 = O, then output P2 ¬ P1 and stop
11 3.1 set l ¬ (y0 + y1) / (x0 + x1)
12 3.2 set x2 ¬ a + l 2 + l + x0 + x1
13 3.3 go to step 7
155. If x1 = 0 then output P2 ¬ O and stop
166. Set
17 6.1 l ¬ x1 + y1 / x1
18 6.2 x2 ¬ a + l 2 + l
197. y2 ¬ (x1 + x2) l + x2 + y1
208. P2 ¬ (x2, y2)
21The above algorithm requires 2 general multiplications, a squaring, and a multiplicative inversion.
22To subtract the point P = (x, y), one adds the point –P = (x, x + y).
23A.7.3. Full Addition and Subtraction (supersingular curves in

24 Characteristic 2)
25The following algorithm implements a full addition (on a supersingular curve over GF (2m)) in terms of
26affine coordinates.
27Input: a field GF (2m); coefficients a, b for an elliptic curve E: y 2 + y = x 3 + ax + b over GF (2m); points
28P0 = (x0, y0) and P1 = (x1, y1) on E.

30
34 3.1 set l ¬ (y0 + y1) / (x0 + x1)
35 3.2 set x2 ¬ l 2 + x0 + x1
36 3.3 go to step 7
385. If x1 = 0 then output P2 ¬ O and stop
396. Set
40 6.1 l ¬ a + x02
41 6.2 x2 ¬ l 2
427. y2 ¬ (x1 + x2) l + y1 + 1
438. P2 ¬ (x2, y2)
1 28
4
1The above algorithm requires 2 general multiplications, a squaring, and a multiplicative inversion.
2To subtract the point P = (x, y), one adds the point –P = (x, x + y).
3A.7.4. Elliptic Scalar Multiplication
4Scalar multiplication can be performed efficiently by the addition-subtraction method outlined below.
5Input: an integer n and an elliptic curve point P.
6Output: the elliptic curve point nP.

7
81. If n = 0 then output O and stop.
92. If n < 0 the set Q ¬ (–P) and k ¬ (–n), else set Q ¬ P and k ¬ n.
103. Let hl hl–1 ...h1 h0 be the binary representation of 3k, where the most significant bit hl is 1.
114. Let kl kl–1...k1 k0 be the binary representation of k.
125. Set S ¬ Q.
136. For i from l – 1 downto 1 do
14 Set S ¬ 2S.
15 If hi = 1 and ki = 0 then compute S ¬ S + Q via A.7.1., A.7.2. or A.7.3..
16 If hi = 0 and ki = 1 then compute S ¬ S – Q via A.7.1., A.7.2. or A.7.3..
177. Output S.
20A.7.5. Projective Elliptic Doubling (prime case)
21The projective form of the doubling formula on the curve y 2 = x 3 + ax + b over GF(pm) for p > 3 is
22 2 (X1, Y1, Z1) = (X2, Y2, Z2),
23where
24 M = 3 X 12 + a Z14 ,
25 Z2 = 2Y1Z1,
26 S = 4X1 Y12 ,
27 X2 = M 2 – 2S,
28 T = 8 Y14 ,
29 Y2 = M (S – X2) – T.
30The algorithm Double given below performs these calculations.
31Input: a modulus p; the coefficients a and b defining a curve E modulo p; projective coordinates (X1, Y1,
32Z1) for a point P1 on E.
33Output: projective coordinates (X2, Y2, Z2) for the point P2 = 2P1.
34
351. T1 ¬ X1
362. T2 ¬ Y1
373. T3 ¬ Z1
384. If T2 = 0 or T3 = 0 then output (1, 1, 0) and stop.
395. If a = p – 3 then
1 29
4
1 T4 ¬ T32
2 T5 ¬ T1 – T4
3 T4 ¬ T1 + T4
4 T5 ¬ T4 ´ T5
5 T4 ¬ 3 ´ T5
6 =M
7 else
8 T4 ¬ a
9 T5 ¬ T32
10 T5 ¬ T52
11 T5 ¬ T4 ´ T5
12 T4 ¬ T12
13 T4 ¬ 3 ´ T4
14 T4 ¬ T4 + T5
15 =M
166. T3 ¬ T2 ´ T3
177. T3 ¬ 2 ´ T3 = Z2
188. T2 ¬ T22
199. T5 ¬ T1 ´ T2
2010. T5 ¬ 4 ´ T5 =S
2111. T1 ¬ T42
2212. T1 ¬ T1 – 2 ´ T5
23 = X2
2
2413. T2 ¬ T2
2514. T2 ¬ 8 ´ T2 =T
2615. T5 ¬ T5 – T1
2716. T5 ¬ T4 ´ T5
2817. T2 ¬ T5 – T2
29 = Y2
3018. X2 ¬ T 1
3119. Y2 ¬ T2
3220. Z2 ¬ T3
33This algorithm requires 10 field multiplications and 5 temporary variables. If a is small enough that
34multiplication by a can be done by repeated addition, only 9 field multiplications are required. If a = p – 3,
35then only 8 field multiplications are required (see [CC87]). The proportion of elliptic curves modulo p that
36can be rescaled so that a = p – 3 is about 1/4 if p º 1 (mod 4) and about 1/2 if p º 3 (mod 4). (See Annex
37A.6.5., Basic Facts.)
38A.7.6. Projective Elliptic Addition (prime case)
39The projective form of the adding formula on the curve y 2 = x 3 + ax + b over GF(pm) for p > 3, is
40 (X0, Y0, Z0) + (X1, Y1, Z1) = (X2, Y2, Z2),
41where
42 U0 = X0 Z12 ,
43 S0 = Y0 Z13 ,
1 30
4
1 U1 = X1 Z 02 ,
2 S1 = Y1 Z 03 ,
3 W = U0 – U1,
4 R = S0 – S1,
5 T = U0 + U1,
6 M = S0 + S1,
7 Z2 = Z0Z1W,
8 X2 = R 2 – TW 2,
9 V = TW 2 – 2X2,
10 2Y2 = VR – MW 3.
11The algorithm Add given below performs these calculations.
12Input: a modulus p; the coefficients a and b defining a curve E modulo p; projective coordinates (X0, Y0,
13Z0) and (X1, Y1, Z1) for points P0 and P1 on E, where Z0 and Z1 are nonzero.
14Output: projective coordinates (X2, Y2, Z2) for the point P2 = P0 + P1, unless P0 = P1. In this case, the
15triplet (0, 0, 0) is returned. (The triplet (0, 0, 0) is not a valid projective point on the curve, but rather a
16marker indicating that routine Double should be used.)
17
181. T1 ¬ X0 = U0 (if Z1 = 1)
192. T2 ¬ Y0 = S0 (if Z1 = 1)
203. T3 ¬ Z0
214. T4 ¬ X1
225. T5 ¬ Y1
236. If Z1 ¹ 1 then
24 T6 ¬ Z1
25 T7 ¬ T62
26 T1 ¬ T1 ´ T7 = U0 (if Z1 ¹ 1)
27 T7 ¬ T6 ´ T7
28 T2 ¬ T2 ´ T7 = S0 (if Z1 ¹ 1)
297. T7 ¬ T32
308. T4 ¬ T4 ´ T7 = U1
319. T7 ¬ T3 ´ T7
3210. T5 ¬ T5 ´ T7 = S1
3311. T4 ¬ T1 – T4 =W
3412. T5 ¬ T2 – T5 =R
3513. If T4 = 0 then
36 If T5 = 0 then output (0,0,0) and stop
37 else output (1, 1, 0) and stop
3814. T1 ¬ 2 ´ T1 – T4 =T
3915. T2 ¬ 2 ´ T2 – T5 =M
4016. If Z1 ¹ 1 then
41 T3 ¬ T3 ´ T6
4217. T3 ¬ T3 ´ T4 = Z2
4318. T7 ¬ T42
4419. T4 ¬ T4 ´ T7
4520. T7 ¬ T1 ´ T7
4621. T1 ¬ T52
4722. T1 ¬ T1 – T7 = X2
4823. T7 ¬ T7 – 2 ´ T1 =V
1 31
4
124. T5 ¬ T5 ´ T7
225. T4 ¬ T2 ´ T4
326. T2 ¬ T5 – T4
427. T2 ¬ T2 / 2 = Y2
528. X2 ¬ T 1
629. Y2 ¬ T2
730. Z2 ¬ T3
8NOTE—the modular division by 2 in Step 27 can be carried out in the same way as in A.2.4..
9This algorithm requires 16 field multiplications and 7 temporary variables. In the case Z1 = 1, only 11 field
10multiplications and 6 temporary variables are required. (This is the case of interest for elliptic scalar
11multiplication.)
12A.7.7. Projective Elliptic Doubling (binary case)
13The projective form of the doubling formula on the curve y 2 + xy = x 3 + ax 2 + b over GF (2m) uses, not the
14coefficient b, but rather the field element
m 2
15 c := b2 ,
16computed from b by m – 2 squarings. (Thus b = c 4.) The formula is
17 2 (X1, Y1, Z1) = (X2, Y2, Z2),
18where
19 Z2 = X1 Z12 ,
20 X2 = (X1 + c Z12 )4,
21 U = Z2 + X 12 + Y1Z1,
22 Y2 = X 14 Z2 + UX2.
23The algorithm Double given below performs these calculations.
24Input: a field of 2m elements; the field elements a and c specifying a curve E over GF (2m); projective
25coordinates (X1, Y1, Z1) for a point P1 on E.
26Output: projective coordinates (X2, Y2, Z2) for the point P2 = 2P1.
27
281. T1 ¬ X1
292. T2 ¬ Y1
303. T3 ¬ Z1
314. T4 ¬ c
325. If T1 = 0 or T3 = 0 then output (1, 1, 0) and stop.
336. T2 ¬ T2 ´ T3
347. T3 ¬ T32
358. T4 ¬ T3 ´ T4
369. T3 ¬ T1 ´ T3 = Z2
3710. T2 ¬ T2 + T3
3811. T4 ¬ T1 + T4
1 32
4
112. T4 ¬ T42
213. T4 ¬ T42 = X2
314. T1 ¬ T12
415. T2 ¬ T1 + T2 =U
516. T2 ¬ T2 ´ T4
617. T1 ¬ T12
718. T1 ¬ T1 ´ T3
819. T2 ¬ T1 + T2 = Y2
920. T1 ¬ T4
1021. X2 ¬ T 1
1122. Y2 ¬ T2
1223. Z2 ¬ T3
13This algorithm requires 5 field squarings, 5 general field multiplications, and 4 temporary variables.
14A.7.8. Projective Elliptic Addition (binary case)
15The projective form of the adding formula on the curve y 2 + xy = x 3 + ax2 + b over GF (2m) is
16 (X0, Y0, Z0) + (X1, Y1, Z1) = (X2, Y2, Z2),
17where
18 U0 = X0 Z12 ,
19 S0 = Y0 Z13 ,
20 U1 = X1 Z 02 ,
21 W = U0 + U1,
22 S1 = Y1 Z 03 ,
23 R = S0 + S1,
24 L = Z0 W
25 V = RX1 + LY1,
26 Z2 = LZ1,
27 T = R + Z 2,
28 X2 = a Z22 + TR + W 3,
29 Y2 = TX2 + VL 2.
30The algorithm Add given below performs these calculations.
31Input: a field of 2m elements; the field elements a and b defining a curve E over GF (2m); projective
32coordinates (X0, Y0, Z0) and (X1, Y1, Z1) for points P0 and P1 on E, where Z0 and Z1 are nonzero.
33Output: projective coordinates (X2, Y2, Z2) for the point P2 = P0 + P1, unless P0 = P1. In this case, the
34triplet (0, 0, 0) is returned. (The triplet (0, 0, 0) is not a valid projective point on the curve, but rather a
35marker indicating that routine Double should be used.)
36
371. T1 ¬ X0 = U0 (if Z1 = 1)
382. T2 ¬ Y0 = S0 (if Z1 = 1)
393. T3 ¬ Z0
404. T4 ¬ X1
1 33
4
15. T5 ¬ Y1
26. If a ¹ 0 then
3 T9 ¬ a
47. If Z1 ¹ 1 then
5 T6 ¬ Z1
6 T7 ¬ T62
7 T1 ¬ T1 ´ T7 = U0 (if Z1 ¹ 1)
8 T7 ¬ T6 ´ T7
9 T2 ¬ T2 ´ T7 = S0 (if Z1 ¹ 1)
108. T7 ¬ T32
119. T8 ¬ T4 ´ T7 = U1
1210. T1 ¬ T1 + T8 =W
1311. T7 ¬ T3 ´ T7
1412. T8 ¬ T5 ´ T7 = S1
1513. T2 ¬ T2 + T8 =R
1614. If T1 = 0 then
17 If T2 = 0 then output (0, 0, 0) and stop
18 else output (1, 1, 0) and stop
1915. T4 ¬ T2 ´ T4
2016. T3 ¬ T1 ´ T3 = L (= Z2 if Z1 =
21 1)
2217. T5 ¬ T3 ´ T5
2318. T4 ¬ T4 + T5 =V
2419. T5 ¬ T32
2520. T7 ¬ T4 ´ T5
2621. If Z1 ¹ 1 then
27 T3 ¬ T3 ´ T6 = Z2 (if Z1 ¹ 1)
2822. T4 ¬ T2 + T3 =T
2923. T2 ¬ T2 ´ T4
3024. T5 ¬ T12
3125. T1 ¬ T1 ´ T5
3226. If a ¹ 0 then
33 T8 ¬ T32
34 T9 ¬ T8 ´ T9
35 T1 ¬ T1 + T9
3627. T1 ¬ T1 + T2 = X2
3728. T4 ¬ T1 ´ T4
3829. T2 ¬ T4 + T7 = Y2
3930. X2 ¬ T 1
4031. Y2 ¬ T2
4132. Z2 ¬ T3
42This algorithm requires 5 field squarings, 15 general field multiplications and 9 temporary variables. If
43a = 0, then only 4 field squarings, 14 general field multiplications and 8 temporary variables are required.
44(About half of the elliptic curves over GF (2m) can be rescaled so that a = 0. They are precisely the curves
45with order divisible by 4. See Annex A.6.5., Basic Facts.)
46In the case Z1 = 1, only 4 field squarings, 11 general field multiplications, and 8 temporary variables are
47required. If also a = 0, then only 3 field squarings, 10 general field multiplications, and 7 temporary
48variables are required. (These are the cases of interest for elliptic scalar multiplication.)
1 34
4
1A.7.9. Projective Full Addition and Subtraction
2The following algorithm FullAdd implements a full addition in terms of projective coordinates.
3Input: a field of q elements; the field elements a and b defining a curve E over GF (q); projective
4coordinates (X0, Y0, Z0) and (X1, Y1, Z1) for points P0 and P1 on E.
5Output: projective coordinates (X2, Y2, Z2) for the point P2 = P0 + P1.
6
71. If Z0 = 0 then output (X2, Y2, Z2) ¬ (X1, Y1, Z1) and stop.
82. If Z1 = 0 then output (X2, Y2, Z2) ¬ (X0, Y0, Z0) and stop.
93. Set (X2, Y2, Z2) ¬ Add[(X0, Y0, Z0), (X1, Y1, Z1)].
104. If (X2, Y2, Z2) = (0, 0, 0) then set (X2, Y2, Z2) ¬ Double[(X1, Y1, Z1)]
115. Output (X2, Y2, Z2).
12An elliptic subtraction is implemented as follows:
13 Subtract[(X0, Y0, Z0), (X1, Y1, Z1)] = FullAdd[(X0, Y0, Z0), (X1, U, Z1)]
14where
  Y1 mod p if q  p
15 U= 
 X 1Z1  Y1 if q  2 m
16A.7.10. Projective Elliptic Scalar Multiplication
17Input: an integer n and an elliptic curve point P = (X, Y, Z).
18Output: the elliptic curve point nP = (X*, Y*, Z*).

19
201. If n = 0 or Z = 0 then output (1, 1, 0) and stop.
212. Set
22 2.1 X* ¬ X
23 2.2 Z* ¬ Z
24 2.3 Z1 ¬ 1
253. If n < 0 then go to Step 6
264. Set
27 4.1 k ¬ n
28 4.2 Y* ¬ Y
295. Go to Step 8
306. Set k ¬ (–n)
317. If q = p then set Y* ¬ –Y (mod p); else set Y* ¬ XZ +Y
328. If Z* = 1 then set X1 ¬ X*, Y1 ¬ Y*; else set X1 ¬ X* / (Z*)2, Y1 ¬ Y* / (Z*)3
339. Let hl hl–1 ...h1 h0 be the binary representation of 3k, where the most significant bit hl is 1.
3410. Let kl kl–1...k1 k0 be the binary representation of k.
3511. For i from l – 1 downto 1 do
36 11.1 Set (X*, Y*, Z*) ¬ Double[(X*, Y*, Z*)].
37 11.2 If hi = 1 and ki = 0 then set (X*, Y*, Z*) ¬ FullAdd[(X*, Y*, Z*), (X1, Y1, Z1)].
38 11.3 If hi = 0 and ki = 1 then set (X*, Y*, Z*) ¬ Subtract[(X*, Y*, Z*), (X1, Y1, Z1)].
3912. Output (X*, Y*, Z*).
1 35
4
1A.7.11. Decompression of y Coordinates (prime case)
2The following algorithm recovers the y coordinate of an elliptic curve point from its compressed form.
3Input: a prime number p, an elliptic curve E defined over K = GF(pm) for p > 3, the x coordinate of a point
4(x, y) on E, and the compressed representation ~y of the y coordinate.
5Output: the y coordinate of the point.

6
71. Compute g := x3 + ax + b over K
82. Find a square root z of g modulo p via A.4.4.. If the output of A.4.4. is “no square roots exist,” then
9 return an error message and stop.
103. Let ~z be the rightmost bit of z (in other words, z mod 2).
114. If ~ ~
z = y then y ¬ z, else y ¬ p – z.
125. Output y.
13NOTE—when implementing the algorithm from A.2.5., the existence of modular square roots should be checked.
14Otherwise, a value may be returned even if no modular square roots exist.
15A.7.12. Decompression of y Coordinates (binary case)
16The following algorithm recovers the y coordinate of an elliptic curve point from its compressed form.
17Input: a field GF (2m), an elliptic curve E defined over GF (2m), the x coordinate of a point (x, y) on E, and
18the compressed representation ~y of the y coordinate.
19Output: the y coordinate of the point.

20
211. If x = 0 then compute y := b via A.4.4. and go to Step 7.
222. Compute the field element a := x3 + ax2 + b in GF (2m)
233. Compute the element b := a (x2)–1 via A.4.2.
244. Find a field element z such that z2 + z = b via A.4.7.. If the output of A.4.7. is “no solutions exist,”
25 then return an error message and stop.
265. Let ~z be the rightmost bit of z
276. Compute y := (z + ~ ~
z + y )x
287. Output y.
29NOTES
301—When implementing the algorithm from A.4.7., the existence of solutions to the quadratic equation should be
31checked. Otherwise, a value may be returned even if no solutions exist.
32A.8. Functions for Elliptic Curve Parameter and Key Generation

33A.8.1. Finding a Random Point on an Elliptic Curve (prime case)
34The following algorithm provides an efficient method for finding a random point (other than O) on a given
35elliptic curve over the finite field GF (p).
36Input: a field K = GF(pm) where p > 3 and the parameters a, b of an elliptic curve E over K.
37Output: a randomly generated point (other than O) on E.

38
1 36
4
11. Choose random x  K.
22. Set  ¬ x3 + ax + b.
33. If  = 0 then output (x, 0) and stop.
44. Apply the appropriate technique from A.4.4. to find a square root modulo p of  or determine that
5 none exist.
65. If the result of Step 4 indicates that no square roots exist, then go to Step 1. Otherwise the output of
7 Step 4 is an element b with 0 < b < p such that
8 b 2 º .
9
106. Generate a random bit m and set y ¬ (–1) m b.
117. Output (x, y).
12A.8.2. Finding a Random Point on an Elliptic Curve (binary case)
13The following algorithm provides an efficient method for finding a random point (other than O) on a given
14elliptic curve over the finite field GF (2m).
15Input: a field GF (2m) and the parameters a, b of an elliptic curve E over GF (2m).
16Output: a randomly generated point (other than O) on E.

17
181. Choose random x in GF (2m).
192. If x = 0 then output (0, b2m–1) and stop.
203. Set  ¬ x3 + ax2 + b.
214. If  = 0 then output (x, 0) and stop.
225. Set  ¬ x – 2 .
236. Apply the appropriate technique from A.4.7. to find an element z for which z2 + z =  or determine
24 that none exist.
257. If the result of Step 6 indicates that no solutions exist, then go to Step 1. Otherwise the output of
26 Step 6 is a solution z.
278. Generate a random bit m and set y ¬ (z + m) x.
289. Output (x, y).
29A.8.3. Finding a Point of Large Prime Order
30If the order #E(GF (q)) = u of an elliptic curve E is nearly prime, the following algorithm efficiently
31produces a random point on E whose order is the large prime factor r of u = kr. (See A.6.5. for the
32definition of nearly prime.)
33Input: a prime r, a positive integer k not divisible by r, and an elliptic curve E over the field GF (q).
34Output: if #E(GF (q)) = kr, a point G on E of order r. If not, the message “wrong order.”
35
361. Generate a random point P (not O) on E via A.8.1. or A.8.2..
372. Set G ¬ kP.
383. If G = O then go to Step 1.
394. Set Q ¬ rG.
405. If Q ¹ O then output “wrong order” and stop.
416. Output G.
1 37
4
1A.8.4. Curve Orders over Small Binary Fields
2If d is “small” (i.e. it is feasible to perform 2 d arithmetic operations), then the order of the curve y2 + xy = x3
3+ ax2 + b over GF (2d) can be calculated directly as follows. Let
4 m = (–1) Tr (a).
5For each nonzero x Î GF (2d), let
6 l (x) = Tr (x + b/x2).
7Then
8 #E(GF (2d)) = 2d + 1 +   ( 1)
x 0
(x)
.
9A.8.5. Curve Orders over Extension Fields
10Given the order of an elliptic curve E over a finite field GF (2d), the following algorithm computes the
11order of E over the extension field GF (2de).
12Input: positive integers d and e, an elliptic curve E defined over GF (2d), and the order w of E over
13GF (2d).
14Output: the order u of E over GF (2de).

15
161. Set P ¬ 2d + 1 – w and Q ¬ 2d.
172. Compute via A.2.4. the Lucas sequence element Ve.
183. Compute u := 2de + 1 – Ve.
194. Output u.
20A.8.6. Curve Orders via Subfields
21The algorithms of A.8.4. and A.8.5. allow construction of elliptic curves with known orders over GF (2m),
22provided that m is divisible by an integer d that is small enough for A.8.4.. The following algorithm finds
23such curves with nearly prime orders when such exist. (See Annex A.6.5. for the definition of nearly
24prime.)
25Input: a field GF (2m); a subfield GF (2d) for some (small) d dividing m; lower and upper bounds rmin and
26rmax for the base point order.
27Output: elements a, b Î GF (2m) specifying an elliptic curve E, along with the nearly prime order n =
28#E(GF (2m)), if one exists; otherwise, the message “no such curve.”
29
301. Select elements a0, b0 Î GF (2d) such that b0 has not already been selected. (If all of the b0’s have
31 already been tried, then output the message “no such curve” and stop.) Let E be the elliptic curve y2
32 + xy = x3 + a0 x2 + b0.
332. Compute the order w = #E(GF (2d)) via A.8.4..
343. Compute the order u = #E(GF (2m)) via A.8.5..
354. Test u for near-primality using the techniques in [ANS98g].
365. If u is nearly prime, then set l ¬ 0 and n ¬ u and go to Step 9.
376. Set u¢ = 2m+1 + 2 – u.
387. Test u¢ for near-primality using the techniques in [ANS98g].
398. If u¢ is nearly prime, then set l ¬ 1 and n ¬ u¢, else go to Step 1.
1 38
4
19. Find the elements a1, b1 Î GF (2m) corresponding to a0 and b0 via A.5.7..
210. If l = 0 then set t ¬ 0. If l = 1 and m is odd, then set t ¬ 1. Otherwise, find an element t Î
3 GF (2m) of trace 1 by trial and error using A.4.5..
411. Set a ¬ a1 + t and b ¬ b1
512. Output n, a, b.
6NOTE—It follows from the Basic Facts of A.6.5. that any a0 can be chosen at any time in Step 1.
7A.9. Class Group Calculations

8The following computations are necessary for the complex multiplication technique described in A.10..
9A.9.1. Overview
10A reduced symmetric matrix is one of the form
 A B
11 S  
 B C
12where the integers A, B, C satisfy the following conditions:

13
14i) GCD (A, 2B, C) = 1,
15ii) |2B| £ A £ C,
16iii) If either A = |2B| or A = C, then B ³ 0.
17The matrix S will be abbreviated as [A, B, C] when typographically convenient.
18The determinant D := AC – B 2 of S will be assumed throughout this section to be positive and squarefree
19(i.e., containing no square factors).
20Given D, the class group H (D) is the set of all reduced symmetric matrices of determinant D. The class
21number h(D) is the number of matrices in H(D).
22The class group is used to construct the reduced class polynomial. This is a polynomial wD (t) with integer
23coefficients of degree h (D). The reduced class polynomial is used in A.10. to construct elliptic curves with
24known orders.
25A.9.2. Class Group and Class Number
26The following algorithm produces a list of the reduced symmetric matrices of a given determinant D. See
27[Bue89].
28Input: a squarefree determinant D > 0.
29Output: the class group H (D).

30
311. Let s be the largest integer less than D/3.
322. For B from 0 to s do
33 2.1 List the positive divisors A1, …, Ar of D + B 2 that satisfy 2B £ A £ D  B2 .
34 2.2 For i from 1 to r do
35 2.2.1 Set C ¬ (D + B 2) / Ai
36 2.2.2 If GCD (Ai, 2B, C) = 1 then
1 39
4
1 list [Ai, B, C].
2 if 0 < 2B < Ai < C then list [Ai, – B, C].
33. Output list.
4Example: D = 71. The values of B that need to be checked are 0 £ B < 5.

5
6— B = 0 gives A = 1, leading to [1,0,71].
7— B = 1 gives A = 2,3,4,6,8, leading to [3, ±1,24] and [8, ±1,9].
8— B = 2 gives A = 5, leading to [5, ±2, 15].
9— B = 3 gives A = 8, but no reduced matrices.
10— B = 4 gives no divisors A in the right range.
11Thus the class group is
12 H (71) = {[1,0,71], [3, ±1,24], [8, ±1,9], [5, ±2, 15]} .
13and the class number is h (71) = 7.
14A.9.3. Reduced Class Polynomials
15Let
 (1)  z 

( 3 j 2  j )/ 2 2
16 F(z) = 1 +
j
 z (3 j  j )/ 2
j 1
17 = 1 – z – z2 + z5 + z7 – z12 – z15 + ...
18and
  D  Bi 
19 q = exp   .
 A 
20Let
21 ƒ0(A, B, C) = q –1/24 F(–q) / F(q 2),

22 ƒ1(A, B, C) = q –1/24 F(q) / F(q 2),
23 ƒ2(A, B, C) = 2 q 1/12F(q 4) / F(q 2).
24NOTE—since
25 | |  e   3/ 2
 0.0658287 ,
26the series F (z) used in computing the numbers ƒJ(A, B, C) converges as quickly as a power series in e   3/2 .
27If [A, B, C] is a matrix of determinant D, then its class invariant is
G
28 C(A, B, C) = (N BL 2–I/6 (ƒJ (A, B, C))K) ,
29[MRC: a correction has been made to change –BL to BL in the above expression following a comment
30from another working group member. Is this correct?]
1 40
4
1where:
2 G = GCD(D,3),
3 if D  1,2,6,7 (mod 8),

0 if D  3 (mod 8) and D  0 (mod 3),

3 I
2 if D  3 (mod 8) and D  0 (mod 3),
6 if D  5 (mod 8 ),
0 for AC odd,

4 J  1 for C even,
2 for A even ,

2 if D  1,2,6 (mod 8),


5 K  1 if D  3,7 (mod 8),
4 if D  5 (mod 8),

 A  C  A2 C if AC odd or D  5 (mod 8) and C even,


 A  2C  AC
2
if D  1,2,3,6,7 (mod 8) and C even,
6L  
 A  C  5 AC
2
if D  3 (mod 8) and A even,
 A  C  AC 2 if D  1,2,5,6,7 (mod 8) and A even,
( 1)( A 1)/ 8

2
if A odd,
8 M 2
( 1)( C 1)/ 8 if A even,
1 if D  5 (mod 8)
 or D  3 (mod 8) and AC odd

 or D  7 (mod 8) and AC even,


9 N  M if D  1,2,6 (mod 8)
 or D  7 (mod 8) and AC odd,

 M if D  3 (mod 8) and AC even,



10 = e p iK/24.
11If [A1, B1, C1], ..., [Ah ,Bh ,Ch] are the reduced symmetric matrices of (positive squarefree) determinant D,
12then the reduced class polynomial for D is
1 41
4
h
1 wD(t) =  (t  C( A , B , C )) .
j 1
j j j
2The reduced class polynomial has integer coefficients.
3NOTE—The above computations must be performed with sufficient accuracy to identify each coefficient of the
4polynomial wD (t). Since each such coefficient is an integer, this means that the error incurred in calculating each
5coefficient should be less than 1/2.
6Example.
 1 
7w71(t)= t  f0  1,0,71  
 2 
 e  i / 8  e i / 8 
8 t  f1  31
, ,24   t  f1  3,1,24 
 2  2 
 e 23i / 24   e 23i / 24 
9  t  f2  8,1,9 t  f2  8,1,9 
 2  2 
 e 5i /12   e 5i /12 

10 t  f0  5,2,15   t  f0  5,2,15 
 2  2 
11= (t – 2.13060682983889533005591468688942503...)
12 (t – (0.95969178530567025250797047645507504...) +
13 (0.34916071001269654799855316293926907...) i)
14 (t – (0.95969178530567025250797047645507504...) –
15 (0.34916071001269654799855316293926907...) i)
16 (t + (0.7561356880400178905356401098531772...) +
17 (0.0737508631630889005240764944567675...) i)
18 (t + (0.7561356880400178905356401098531772...) –
19 (0.0737508631630889005240764944567675...) i)
20 (t + (0.2688595121851000270002877100466102...) –
21 (0.84108577401329800103648634224905292...) i)
22 (t + (0.2688595121851000270002877100466102...) +
23 (0. 84108577401329800103648634224905292...) i)
1 42
4
1= t 7 – 2t 6 – t 5 + t 4 + t 3 + t 2 – t – 1.
2A.10. Complex Multiplication
3A.10.1. Overview
4If E is a non-supersingular elliptic curve over GF (q) of order u, then
5 Z = 4q – (q + 1 – u)2
6is positive by the Hasse bound (see Annex A.6.5.). Thus there is a unique factorization
7 Z = DV 2
8where D is squarefree (i.e. contains no square factors). Thus, for each non-supersingular elliptic curve over
9GF (q) of order u, there exists a unique squarefree positive integer D such that
10(*) 4q = W 2 + DV 2,
11(**) u=q+1±W
12for some W and V.
13It is said that E has complex multiplication by D (or, more properly, by  D ). D is called a CM
14discriminant for q.
15If one knows D for a given curve E, one can compute its order via (*) and (**). As will be demonstrated
16below, one can construct the curves with CM by small D. Therefore one can obtain curves whose orders u
17satisfy (*) and (**) for small D. The near-primes are plentiful enough that one can find curves of nearly
18prime order with small enough D to construct.
19Over GF (p), the CM technique is also called the Atkin-Morain method (see [Mor91]); over GF (2m), it is
20also called the Lay-Zimmer method (see [LZ94]). Although it is possible (over GF (p)) to choose the order
21first and then the field, it is preferable to choose the field first since there are fields in which the arithmetic
22is especially efficient.
23There are two basic steps involved: finding an appropriate order, and constructing a curve having that
24order. More precisely, one begins by choosing the field size q, the minimum point order rmin, and trial
25division bound lmax. Given those quantities, D is called appropriate if there exists an elliptic curve over
26GF (q) with CM by D and having nearly prime order.
27
28Step 1 (A.10.2. and A.10.3., Finding a Nearly Prime Order):
29 Find an appropriate D. When one is found, record D, the large prime r, and the positive integer k
30 such that u = kr is the nearly prime curve order.
31
32Step 2 (A.10.4. and A.10.5., Constructing a Curve and Point):
33 Given D, k and r, construct an elliptic curve over GF (q) and a point of order r.
1 43
4
1A.10.2. Finding a Nearly Prime Order over GF (p)
2A.10.2.1. Congruence Conditions
3A squarefree positive integer D can be a CM discriminant for p only if it satisfies the following congruence
4conditions. Let

 
p  1 
2
5 K   .
rmin 
 
6
7— If p º 3 (mod 8), then D º 2, 3, or 7 (mod 8).
8— If p º 5 (mod 8), then D is odd.
9— If p º 7 (mod 8), then D º 3, 6, or 7 (mod 8).
10— If K = 1, then D º 3 (mod 8).
11— If K = 2 or 3, then D ( 7 (mod 8).
12Thus the possible squarefree D's are as follows:
13If K = 1, then
14 D = 3, 11, 19, 35, 43, 51, 59, 67, 83, 91, 107, 115, ….
15If p º 1 (mod 8) and K = 2 or 3, then

16 D = 1, 2, 3, 5, 6, 10, 11, 13, 14, 17, 19, 21, ….
17If p º 1 (mod 8) and K ³ 4, then

18 D = 1, 2, 3, 5, 6, 7, 10, 11, 13, 14, 15, 17, ….

20 D = 2, 3, 10, 11, 19, 26, 34, 35, 42, 43, 51, 58, ….

22 D = 2, 3, 7, 10, 11, 15, 19, 23, 26, 31, 34, 35, ….

24 D = 1, 3, 5, 11, 13, 17, 19, 21, 29, 33, 35, 37, ….

26 D = 1, 3, 5, 7, 11, 13, 15, 17, 19, 21, 23, 29, ….

28 D = 3, 6, 11, 14, 19, 22, 30, 35, 38, 43, 46, 51, ….

1 44
4
1 D = 3, 6, 7, 11, 14, 15, 19, 22, 23, 30, 31, 35, ….
2A.10.2.2. Testing for CM Discriminants (prime case)
3Input: a prime p and a squarefree positive integer D satisfying the congruence conditions from A.10.2.1..
4Output: if D is a CM discriminant for p, an integer W such that
5 4p = W 2 + DV 2
6for some V. [In the cases D = 1 or 3, the output also includes V.] If not, the message “not a CM
7discriminant.”
8
91. Apply the appropriate technique from A.2.5. to find a square root modulo p of –D or determine that
10 none exist.
112. If the result of Step 1 indicates that no square roots exist, then output “not a CM discriminant” and
12 stop. Otherwise, the output of Step 1 is an integer B modulo p.
133. Let A ¬ p and C ¬ (B 2 + D) / p.
 A B  1
144. Let S    and U    .
 B C  0
155. Until |2B| £ A £ C, repeat the following steps.
 B 1
16 5.1 Let     .
C 2
 0  1
17 5.2 Let T   .
1  
18 5.3 Replace U by T –1U.
19 5.4 Replace S by T t S T, where T t denotes the transpose of T.
206. If D = 11 and A = 3, let d ¬ 0 and repeat 5.2, 5.3, 5.4.
217. Let X and Y be the entries of U. That is,
 X
22 U   .
Y
23
248. If D = 1 or 3 then output W ¬ 2X and V ¬ 2Y and stop.
259. If A = 1 then output W ¬ 2X and stop.
2610. If A = 4 then output W ¬ 4X + BY and stop.
2711. Output “not a CM discriminant.”
28A.10.2.3. Finding a Nearly Prime Order (prime case)
29Input: a prime p, a trial division bound lmax, and lower and upper bounds rmin and rmax for base point order.
30Output: a squarefree positive integer D, a prime r in the interval rmin £ r £ rmax, and a smooth integer k
31such that u = kr is the order of an elliptic curve modulo p with complex multiplication by D.
32
331. Choose a squarefree positive integer D, not already chosen, satisfying the congruence conditions of
34 A.10.2.1..
  D
352. Compute via A.2.3. the Jacobi symbol J =   . If J = –1 then go to Step 1.
 p 
363. List the odd primes l dividing D.
1 45
4
 p
14. For each l, compute via A.2.3 the Jacobi symbol J =   . If J = –1 for some l, then go to Step 1.
l
25. Test via A.10.2.2. whether D is a CM discriminant for p. If the result is “not a CM discriminant,” go
3 to Step 1. (Otherwise, the result is the integer W, along with V if D = 1 or 3.)
46. Compile a list of the possible orders, as follows.
5 — If D = 1, the orders are
6 p + 1 ± W, p + 1 ± V.
7
8 — If D = 3, the orders are
9 p + 1 ± W, p + 1 ± (W + 3V)/2, p + 1 ± (W – 3V)/2.
10
11 — Otherwise, the orders are p + 1 ± W.
127. Test each order for near-primality. If any order is nearly prime, output (D, k, r) and stop.
138. Go to Step 1.
14Example: Let p = 2192 – 264 – 1. Then
1 D 2
15 p = 4X 2 – 2XY + Y and p + 1 – (4X – Y) = r
4
16where D = 235,
17 X = –31037252937617930835957687234,
18 Y = 5905046152393184521033305113,
19and r is the prime
20 r = 6277101735386680763835789423337720473986773608255189015329.
21Thus there is a curve modulo p of order r having complex multiplication by D.
22A.10.3. Finding a Nearly Prime Order over GF (2m)
23A.10.3.1. Testing for CM Discriminants (binary case)
24Input: a field degree d and a squarefree positive integer D º 7 (mod 8).

25Output: if D is a CM discriminant for 2 d, an odd integer W such that
26 2 d+2 = W 2 + DV 2,
27for some odd V. If not, the message “not a CM discriminant.”

28
291. Compute via A.2.6. an integer B such that B 2 º –D (mod 2d+2).
302. Let A ¬ 2d+2 and C ¬ (B 2 + D) / 2d+2 (Note: the variables A and C will remain positive throughout the
31 algorithm.)
 A B  1
323. Let S    and U    .
 B C  0
334. Until |2B| £ A £ C, repeat the following steps.
1 46
4
 B 1
1 4.1 Let     .
C 2
 0  1
2 4.2 Let T   
1  
3 4.3 Replace U by T –1U.
4 4.4 Replace S by T t S T, where T t denotes the transpose of T.
55. Let X and Y be the entries of U. That is,
 X
6 U   .
Y
7
86. If A = 1, then output W ¬ X and stop.
97. If A = 4 and Y is even, then output W ¬ (4X + BY) / 2 and stop.
108. Output “not a CM discriminant.”
11A.10.3.2. Finding a Nearly Prime Order (binary case)
12Input: a field degree d, a trial division bound lmax, and lower and upper bounds rmin and rmax for base point
13order.
14Output: a squarefree positive integer D, a prime r in the interval rmin £ r £ rmax, and a smooth integer k
15such that u = kr is the order of an elliptic curve over GF (2d) with complex multiplication by D.
16
171. Choose a squarefree positive integer D º 7 (mod 8), not already chosen.
182. Compute H ¬ the class group for D via A.9.2..
193. Set h ¬ the number of elements in H.
204. If d does not divide h, then go to Step 1.
215. Test via A.14.3.1 whether D is a CM discriminant for 2 d. If the result is “not a CM discriminant,” go
22 to Step 1. (Otherwise, the result is the integer W.)
236. The possible orders are 2d + 1 ± W.
247. Test each order for near-primality. If any order is nearly prime, output (D, k, r) and stop.
258. Go to Step 1.
26Example: Let q = 2155. Then
27 4q = X 2 + DY 2 and q + 1 – X = 4r
28where D = 942679, X = 229529878683046820398181, Y = –371360755031779037497, and r is the prime
29 r = 11417981541647679048466230373126290329356873447.
30Thus there is a curve over GF (q) of order 4r having complex multiplication by D.
31A.10.4. Constructing a Curve and Point (prime case)
32A.10.4.1. Constructing a Curve with Prescribed CM (prime case)
33Given a prime p and a CM discriminant D, the following technique produces an elliptic curve y2 º x3 + a0 x
34+ b0 (mod p) with CM by D. (Note that there are at least two possible orders among curves with CM by D.
35The curve constructed here will have the proper CM, but not necessarily the desired order. This curve will
36be replaced in A.10.4.2. by one of the desired order.)
1 47
4
1For nine values of D, the coefficients of E can be written down at once:
D a0 b0
1 1 0
2 –30 56
3 0 1
7 –35 98
11 –264 1694
19 –152 722
43 –3440 77658
67 –29480 1948226
163 –8697680 9873093538
2For other values of D, the following algorithm may be used.
3Input: a prime modulus p and a CM discriminant D > 3for p.
4Output: a0 and b0 such that the elliptic curve
5 y 2 º x 3 + a0x + b0 (mod p)
6has CM by D.
7
81. Compute w(t) ¬ wD(t) mod p via A.9.3..
92. Let W be the output from A.10.2.2..
103. If W is even, then use A.5.3. with d = 1 to compute a linear factor t – s of wD(t) modulo p. Let
11 V := (–1)D 2 4I/K s 24/(GK) mod p,
12 where G, I and K are as in A.9.3.. Finally, let
13 a0 := –3(V + 64)(V + 16) mod p,

14 b0 := 2(V + 64)2 (V – 8) mod p.
15
164. If W is odd, then use A.5.3. with d = 3 to find a cubic factor g (t) of wD(t) modulo p. Perform the
17 following computations, in which the coefficients of the polynomials are integers modulo p.
  t 24 mod g ( t ) if 3 | D,
18 V ( t ):  
 256t mod g ( t ) if 3 | D,
8
19 a1(t) := –3(V(t) + 64) (V(t) + 256) mod g(t),

20 b1(t) := 2(V(t) + 64)2 (V(t) – 512) mod g(t),
21 a3(t) := a1(t)3 mod g(t),

22 b2(t) := b1(t)2 mod g(t).
1 48
4
1 Now let s be a nonzero coefficient from a3(t), and let t be the corresponding coefficient from b2(t).
2 Finally, let
3 a0 := st mod p,
4 b0 := st 2 mod p.
5
65. Output (a0, b0).
7Example: If D = 235, then
8 wD (t) = t 6 – 10 t 5 + 22 t 4 – 24 t 3 + 16 t 2 – 4 t + 4.
9If p = 2192 – 264 – 1, then
10 wD (t) º (t 3 – (5 + f)t 2 + (1 – f)t – 2) (t 3 – (5 – f)t 2 + (1 + f)t – 2) (mod p),
11where f = 1254098248316315745658220082226751383299177953632927607231. The resulting

12coefficients are
13 a0 = –2089023816294079213892272128,
14 b0 = –36750495627461354054044457602630966837248.
15Thus the curve y 2 º x 3 + a0x + b0 modulo p has CM by D = 235.

16A.10.4.2. Choosing the Curve and Point (prime case)
17Input: EC parameters p, k, and r, and coefficients a0, b0 produced by A.10.4..
18Output: a curve E modulo p and a point G on E of order r, or a message “wrong order.”

19
201. Select an integer x with 0 < x < p.
212. If D = 1 then set a ¬ a0x mod p and b ¬ 0.
22 If D = 3 then set a ¬ 0 and b ¬ b0x mod p.
23 Otherwise, set a ¬ a0x 2 mod p and b ¬ b0x 3 mod p.
243. Look for a point G of order r on the curve
25 y2 º x3 + ax + b (mod p)
26 via A.8.3..
27
284. If the output of A.8.3. is “wrong order” then output the message “wrong order” and stop.
295. Output the coefficients a, b and the point G.
30The method of selecting x in the first step of this algorithm depends on the kind of coefficients desired.
31Two examples follow.
32
33— If D ¹ 1 or 3, and it is desired that a = –3 (see A.7.6.), then take x to be a solution of the congruence
34 a0x 2 º –3 (mod p), provided one exists. If one does not exist, or if this choice of x leads to the
35 message “wrong order,” then select another curve as follows. If p º 3 (mod 4) and the result was
36 “wrong order,” then choose p – x in place of x; the result leads to a curve with a = –3 and the right
37 order. If no solution x exists, or if p º 1 (mod 4), then repeat A.10.4. with another root of the
38 reduced class polynomial. The proportion of roots leading to a curve with a = –3 and the right order
39 is roughly one-half if p º 3 (mod 4), and one-quarter if p º 1 (mod 4).
1 49
4
1— If there is no restriction on the coefficients, then choose x at random. If the output is the message
2 “wrong order,” then repeat the algorithm until a set of parameters a, b G is obtained. This will
3 happen for half the values of x, unless D = 1 (one-quarter of the values) or D = 3 (one-sixth of the
4 values).
5A.10.5. Constructing a Curve and Point (binary case)
6A.10.5.1. Constructing a Curve with Prescribed CM (binary case)
7Input: a field GF (2m), a CM discriminant D for 2m, and the desired curve order u.
8Output: a and b such that the elliptic curve
9 y2 + xy = x3 + ax2 + b
10over GF (2m) has order u.

11
121. Compute w (t) ¬ wD(t) mod 2 via A.9.3..
132. Use A.10.3.1. to find the smallest divisor d of m greater than (log2 D) – 2 such that D is a CM
14 discriminant for 2d.
153. Compute p (t) := a degree d factor modulo 2 of w (t). (If d = h, then p (t) is just w (t) itself. If d < h,
16 p(t) is found via A.5.4..)
174. Compute a := a root in GF (2m) of p (t) = 0 via A.5.6..
185. If 3 divides D
19 then set b ¬ a
20 else set b ¬ a 3
216. If u is divisible by 4, then set a ¬ 0
22 else if m is odd, then set a ¬ 1
23 else generate (by trial and error using A.4.5.) a random element a Î GF (2m) of trace 1.
247. Output (a, b).
25Example: If D = 942679, then
26wD(t) º 1 + t 2 + t 6 + t 10 + t 12 + t 13 + t 16 + t 17 + t 20 + t 22 + t 24 + t 27 + t 30 + t 33 + t 35 + t 36 + t 37 + t 41 + t 42 + t 43 +
27t 45 + t 49 + t 51 + t 54 + t 56 + t 57 + t 59 + t 61 + t 65 + t 67 + t 68 + t 69 + t 70 + t 71 + t 72 + t 74 + t 75 + t 76 + t 82 + t 83 + t 87
28+ t 91 + t 93 + t 96 + t 99 + t 100 + t 101 + t 102 + t 103 + t 106 + t 108 + t 109 + t 110 + t 114 + t 117 + t 119 + t 121 + t 123 + t 125 +
29t 126 + t 128 + t 129 + t 130 + t 133 + t 134 + t 140 + t 141 + t 145 + t 146 + t 147 + t 148 + t 150 + t 152 + t 154 + t 155 + t 157 + t 158 +
42t 616 + t 620 (mod 2).
43This polynomial factors into 4 irreducibles over GF (2), each of degree 155. One of these is
1 50
4
1p(t) = 1 + t + t 2 + t 6 + t 9 + t 10 + t 11 + t 13 + t 14 + t 15 + t 16 + t 18 + t 19 + t 22 + t 23 + t 26 + t 27 + t 29 + t 31 + t 49 + t 50
2+ t 51 + t 54 + t 55 + t 60 + t 61 + t 62 + t 64 + t 66 + t 70 + t 72 + t 74 + t 75 + t 80 + t 82 + t 85 + t 86 + t 88 + t 89 + t 91 + t 93 +
4t 131 + t 132 + t 134 + t 136 + t 137 + t 138 + t 139 + t 140 + t 143 + t 145 + t 154 + t 155.
5If t is a root of p(t), then the curve
6 y 2+xy = x 3 + t 3
7over GF (2155) has order 4r, where r is the prime
8 r = 11417981541647679048466230373126290329356873447.
9A.10.5.2. Choosing the Curve and Point (binary case)
10Input: a field size GF (2m), an appropriate D, the corresponding k and r from A.10.3.2..
11Output: a curve E over GF (2m) and a point G on E of order r.

12
131. Compute a and b via A.10.5.1. with u = kr.
142. Find a point G of order r via A.8.3..
153. Output the coefficients a, b and the point G.
16A.11. Pairing-Friendly Elliptic Curves

17The general equation of an elliptic curve is
18 y2 + a1xy +a3y = x3 +a2x2 +a4x + a6
19If we let p denote the characteristic of K, the equation can be simplified for different values of p. If p > 3
20 y2 = x3 + ax + b, where 4a3 + 27b2 ≠ 0.
21If p = 2
22 y2 + xy = x3 + ax2 + b, where b ≠ 0.
23If E is supersingular and p = 3
24 y2 = x3 + ax + b, where b ≠ 0.
25If E is supersingular and p = 2
26 y2 + cy = x3 + ax + b, where c ≠ 0.
27
28To be useful for pairing-based cryptography a notion of ‘pairing-friendly’ curves has become established
29and this may be formalized by the following conditions. First we define the embedding degree of E with
30respect to r be defined as the smallest integer k such that r | qk – 1. Then an elliptic curve is pairing-friendly
31if:
32 There is a prime r | #E (GF (q)) such that r > q
33 k < log2(r) /8
1 51
4
1A.11.1. Curve Families
2All the curves we consider are defined over a finite field K = GF (q). For cryptographic use we also need a
3suitable subgroup of E(K) of size r. If #E(K) is the order of the group of points of E lying in K, the trace t
4of E/K is t = q + 1 - #E(K). Note that r | #E(K) and for h = #E(K) / r we define GT to be the subgroup of
5order r of GF(ph).
6The search for, and analysis of, pairing-friendly curves has led to a grouping of curves into families, which
7can often be described by equations in the parameters t, r, and q.
8If k is the embedding degree of E, we let  be the degrreesize of the maximal twist of E, which we denote
9E'. Note that  | k so we define the degree of field over which we consider the twist to be d = k/.
10Curves may then be classified as follows:
11 E1 = E(GF(p))
12 E2 = E(GF(pk))
13 E3 = E'(GF(pd))
14Note that for E2, r | pk – 1 and for E3, r | #E'(GF(pd)).
15The elements of E1 of order r form the 1-eigenspace of the Frobenius map with respect to r. This will in all
16cases be equal to the pairing group G1. The r-eigenspace of Frobenius lies in E2.
17Pairings may be classified into 3 different types according to the curve types. In particular the types depend
18on how the group G2 is represented.
19In all cases there is a map ζ:G2 → E2 and the Miller loop is always applied to ζ(Q), rather than the element
20Q itself.
21A.11.1.1. Type 1 (E Supersingular)

22G1 = G2 = a subgroup of E1 of order r
23A.11.1.2. Type 2 (E Ordinary)

24G1 = a subgroup of E1 of order r
25G2 = a subgroup of E2 of order r which is distinct from both the 1-eigenspace and the q-eigenspace of
26Frobenius.
27A.11.1.3. Type 3 (E Ordinary)

30A.11.2. Super-Singular Curves

31Supersingular curves have embedding degree k  {1, 2, 3, 4, 6}. We only consider those with even
32embedding degree.
1 52
4
1A.11.2.1. Super-Singular Curves with Embedding Degree 2
2In fields GF (2s) of characteristic 2, curves with k = 2 are of the form
3E1: y2 + y = x3 +x where s is even and Tr  ≠ 0

4E2: y2 + y = x3 where s is odd.
5[MRC: Check Sil for char 3 case]
6In fields of prime characteristic q = p > 3 supersingular curves with k = 2 can be defined by:
7If q ≡ 3 (mod 4), y2 = x3 + ax, where –a  (GF× (q))2 [define]

8If q ≡ 5 (mod 6), y2 = x3 + b
9If q ≡ 1 (mod 12), curves may be computed by:
10Input: q
11Output: An elliptic curve E parameterized in integers m and c
12 1) Find D, the smallest prime such that D ≡3 (mod 4) and (-D / q) = -1

13 2) Compute HD of Q ((-D)) using algm? [MRC: Can j simply be replaced by one of C(A,B,C)
14 from algm A.9.3.?]
15 3) Compute a root j  GF (q) of HD (mod q)
16 4) Set m = j / (1728 – j)
17 5) Return E: y2 = x3 + 3mc2x + 2mc3 for any c

19There are only two forms of supersingular curve with k = 4 and they only exist over field of characteristic
202.
21E1: y2 + y = x3 + x and E2: y2 + y = x3 + x + 1

23Supersingular curves with k = 6 only exist over fields of characteristic 3, i.e. GF (3s) and have the form
24E: y2 = x3 – x  d where d  GF (q) with “Tr d = 1” [MRC: define, and / or give an algm to compute it]
25A.11.3. MNT Curves

26The Miyaji, Nakabayashi and Takano (MNT) technique for finding ordinary pairing-friendly curves relies
27on the complex multiplication technique (ref.)
28Input: k = 3, 4, or 6, a maximal cofactor cmax, and the maximum discriminant Dmax
29Output: GF(q), and elliptic curve E such that |E(GF(q))| = cl where c ≤ cmax and l is prime
30 1. λ ← -2k/2 + 4
1 53
4
1 2. For c from 1 to cmax do
2 i. For c' from 1 to 4c – 1 do
3 a. nk ← λc + c'
4 b. m ← 4c – c'
5 c. fk ← nk2 – m2
6 d. for squarefree D = 1 to Dmax do
7 1. r ← c'mD
8 2. for each solution of y2 – rv2 = fk do
9 i. t ← (y – nk)/m + 1
10 ii. l ← Φk(t – 1) / c'
11 iii. q ← cl + t – 1
12 iv. if tℤ, l is prime and q is prime,
13 v. return q, and E computed by A.10.4., using p = q, t, D)
14 3. return ‘fail’
15A.11.4. Cocks-Pinch Curves

16Input: k, D squarefree
17Output: GF(q), and elliptic curve E
D
18 1. Choose a prime r such that k | r – 1 and   1
 r 
19 2. Find z a kth root of unity in (ℤ/rℤ)×
20 3. t' ← z + 1
21 4. y' ← (t'-2)/(-D) (mod r)
22 5. Choose t  ℤ such that t ≡ t' (mod r)'
23 6. Choose y  ℤ such that y ≡ y' (mod r)'
24 7. q ← (t2 + Dy2)/4
25 8. if q is prime and an integer and D ≤ 1012, construct E by A.10.4., using p = q, D
1 54
4
1A.11.5. BN Curves
2Barreto Naehrig Curves are of the form E: y2 = x3+b, parameterised by
3 r(x) = 36x4 - 36x3 + 18x2 - 6x + 1
4 q(x) = 36x4 - 36x3 + 24x2 - 6x + 1
5 t(x) = 6x2 + 1
6where r and q are both prime. For such curves, k = 12. To find a BN curve, choose random values for x
7until r and q are both prime then choose b  GF(q) such that #E(GF(p)) = r.
8A.11.6. KSS Curves
9A.12. Pairings
10All pairing algorithms defined here are based on the Miller algorithm [Mil86]. Optimizations, e.g. for
11specific curves, are usually not listed; these may be applied as appropriate provided the resulting algorithm
12produces identical results to the one given.
13A.12.1. Pairing Types

14Pairings may be classified into 3 different types according to the curve types (see A.11.1.) they are defined
15upon. In all cases there is a map ζ:G2 → E2 and the Miller loop is always applied to ζ(Q).
16Type 1 (E Supersingular)
17G1 = G2 = a subgroup of E1 of order r
18Type 2 (E Ordinary)
21Note that G2 ≠ G1 nor an image of a subgroup of E3.
22Type 3 (E Ordinary)
25The Miller Loop
26The Miller Loop is a function,
27 fQ',n(P)
28where P, Q  G1, Q' = ζ(Q)  E2. In defining the Miller loop we consider two arbitrary points on the curve
29and an arbitrary loop length n. When using this loop within a pairing calculation we will specify more
30precisely the values of P, Q and n.
31The basic algorithm is as follows:

1 55
4
1Input: P,Q  E2
2Output: fQ,n(P)
3 1) Set T  P, f  1
m 1
4 2) Write n as n 2
i 0
i
i
with ni  {0,1}
5 3) Loop for i from m – 1 down to 0

6 i. Set f  f.2lT,T(Q)
7 ii. Set T  2T
8 iii. If ni = 1 then,
9 a. Set f  f.lT,P(Q)
10 b. Set T  T + P
11 iv. End if
12 4) End loop
13 5) Return f
14[Nb. It is probably worth defining a general line function and restricting ourselves to even k, we may
15also wish to refine the basic Miller function below, e.g. to reflect the more common implantation in
16Tate algorithms etc.]
17The line functions lA,B(Q) are the functions obtained from producing the straight line y-mx-c which passes
18through the points A and B, and then substituting into this equation the x and y coordinate of the point Q.
19Hence if Q = (x, y), A = (x1, y1) and B = (x2, y2) then

( y 2  y1 ) ( x y  x 2 y1 )
20 l A, B (Q)  y  x 1 2
( x 2  x1 ) ( x1  x 2 )
21Input: a prime t > 2; a curve E; finite points Q', P on E with tQ' = tP = O , a line function lA,B(V).
22Output: the Miller function fQ',t(P).

23
241. Set A ¬ Q', B ¬ Q', f ¬ 1, n ¬ t.
252. Set n ¬ ën / 2û.
263. Set f ¬ lB,B (P) n ´ f.
274. Set B ¬ 2B.
285. If n is odd then
295.1 If n = 1
30 then f ¬ lA,-A (P) ´ f
31else f ¬ lA,B (P) ´ f.
325.2 Set A ¬ A + B.
336. If n > 1 then go to Step 2.
347. Output f
35A.12.2. Pairing Calculations
36In the main document we consider two pairings:

37 e1: G1 × G2 → GT
1 56
4
1and
2 e2: G2 × G1 → GT.
3The pairing e2 is computed from e1 via e2 (P,Q) = e1 (Q,P) so from now on we shall only consider e1 which
4we will denote e (P,Q).
5To compute e (P,Q) there are a number of pairings which can be used. They all, however, follow the same
6strategy: The element Q is mapped from G2 into E2 using the map ζ., then the Miller function is applied one
7or more times. Finally the resulting values are combined and possibly raised to some power. All of these
8operations can be heavily optimized but in this standard we only present the un-optimized methods.
10A.12.3. The Weil Pairing
11The Weil pairing is given by
 f p ,r (Q ' ) 
12 e( P, Q)  (1) r  
 f ( P) 
 Q ', r 
13where Q’ is the image of Q under ζ.
14 Let t > 2 be prime, and let P and Q be points on E with tP = tQ = O. The following procedure
15 computes the Weil pairing.
16
17Given three points (x0, y0), (x1, y1), (u, v) on E, define the function g ((x0, y0), (x1, y1), (u, v)) by
u  x1 if x0  x1 and y0   y1
 2
18 (3x1  a )( u  x1 )  2 y1 ( v  y1 ) if x0  x1 and y0  y1
( x  x )v  ( y  y )u  ( x y  x y ) if x  x
 0 1 0 1 0 1 1 0 0 1
19if E is the curve y2 = x3 + ax + b over GF (p), and
u  x1 if x 0  x1 and y 0  x1  y1
 3
20  x1  ( x1  y1 )u  x1 v if x 0  x1 and y 0  y1
2
( x  x )v  ( y  y )u  ( x y  x y ) if x  x
 0 1 0 1 0 1 1 0 0 1
21 if E is the curve y2 + xy = x3 + ax2 + b over GF (2m).
22
23 — Given points A, B, C on E, let
24 lA,B (C):= g(A, B, C) / g(A + B, – A – B, C).
25
26 — Given points R and S on E, let
27 j (R, S) := fR,l (S) / fS,l (R) from .
28
1 57
4
1 — Given points P and Q on E with lP = lQ = O, the Weil pairing <P, Q> is computed as
2 follows:
3 Choose random points T, U on E and let
4 V = P + T, W = Q + U.
5 Then
6 <P, Q> = j (T, U) j (U, V) j (V, W) j (W, T).
7 If, in evaluating <P, Q>, one encounters g((x0, y0), (x1, y1), (u, v)) = 0, then the calculation fails. In
8 this (unlikely) event, repeat the calculation with newly chosen T and U.
9 In the case t = 2, the Weil pairing is easily computed as follows: <P, Q> equals 1 if P = Q and –1
10 otherwise.
11 Define <P, O> =1 for all points P.
12 Tate
13The (reduced) Tate Pairing is defined as:
14 e: E(GF(p))[r] × E’(GF(pε)[r]  GF*(pk)[r]
k
1) / r
15 such that e( P, Q )  f P ,r (Q ' ) ( p
16Where Q’ is the image of Q under ζ
17b) The line function l used in the construction of the Tate pairing algorithm is
18Input A, B  E(GF(p))[r], Q  E(GF(pk))[r]
19Output: lA,B(Q)
20If A = -B,
21 Return Qx – Ax
22 1) If A = B,
23 Set λ = 3Ax2 / 2Ay
24 2) Else
25 Set λ = (By – Ay) / (Bx – Ax)
26 3) Return λ(Qx – Ax) + Ay - Qy
27c) [Proposal: Define this generally in terms of the Miller loop and a generic line function]
28d) The Tate pairing may then be computed by the following:
29e) Input: P  E(GF(p))[r], Q  E’(GF(pε)[r], k the k-th cyclotomic polynomial

30f) Output: e(P,Q)
31g) Set T  P, f  1
32h) Let s = r – 1
1 58
4
1i) Loop for i = (lg(s)) – 1 down to 0
2 v. Set f  f.2lT,T(Q)
3 vi. Set T  2T
4 vii. If si (the ith bit, 0-relative, of s) = 1 then,
5 a. Set f  f.lT,P(Q)
6 b. Set T  T + P
7 viii. End if
8j) End loop
p 1
9k) Set f  f

1) / k ( p )
10l) Set f  f ( p
11m) Set f  f k ( p ) / r
12n) Return f
13o) Eta
14[TBA]
15The Eta-Pairing is only defined for supersingular elliptic curves and is given by, where again Q’ is the
16image of Q under ζ,
k
1) / r
17 e( P, Q)  f P ,t 1 (Q ' ) ( p
18A.12.4. Ate
19The Ate pairing may be computed as follows, where again Q’ is the image of Q under ζ,
20by reversing the roles of P and Q in the Tate pairing, giving the following:
( p k 1) / r
21 e( P, Q)  f Q ',t 1 ( P) where t is the trace of E/K
22 [Proposal: Define this generally in terms of the Miller loop and a generic line
23function]
24 Input: P  E(GF(pε))[r], Q  E(GF(p)[r], k the k-th cyclotomic polynomial
25 Output: e(P,Q)
26 Set T  P, f  1
27 Let s = t – 1
1 59
4
1 Loop for i = (lg(s)) – 1 down to 0
2 Set f  f.2lT,T(Q)
3 Set T  2T
4 If si (the ith bit, 0-relative, of s) = 1 then,
5 Set f  f.lT,P(Q)
6 Set T  T + P
7 End if
8 End loop
p 1
9 Set f  f

1) / k ( p )
10 Set f  f ( p
k ( p ) / r
11 Set f  f
12 Return f
13A.12.5. R-Ate
14[MRC: This has quickly been taken from Scott: pairings in software section 2.3. Is the Q,P order consistent
15with the above? What is z? Is this formulation particular to BN curves?]
16 
e Q, P   f   f  l aQ,Q  P    l   aQQ  ,aQ  P 
P
 ( p12 1) / r
17 where a = 6z + 2, f = fa,Q(P) and ∏ is the Frobenius map
18A.13. Choosing a Curve and Pairing
19A.13.1. Recommended Security Parameters

20[MRC: Discuss rho and k and present results / suggestions in a table]
1 60
4
1A.13.2. Curve-Pairing Compatibility
2[MRC: Shall we drop KSS since they’re not mentioned above?]
Pairing Curve Family
Super-Singular MNT CP BN KSS
Weil     ?
Tate     ?
Eta     ?
Ate   ?  ?
R-Ate  ? ?  
1 61
4

Ieee P1363.3™/D2 Drafttxttrialusetxtgorrporstd For Vartitlepar

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Ieee P1363.3™/D2 Drafttxttrialusetxtgorrporstd For Vartitlepar

Загружено:

Авторское право:

Доступные форматы

1IEEE P1363.

8Prepared by the varWorkingGroup Working Group of the

10Copyright © <year> by the Institute of Electrical and Electronics Engineers, Inc.

1The Institute of Electrical and Electronics Engineers, Inc.

2A.1. Integer and Modular Arithmetic: Overview.......................................................................................5

6A.2. Integer and Modular Arithmetic: Algorithms....................................................................................7

15A.3. Extension Fields: Overview.............................................................................................................11

21A.4. Extension Fields: Algorithms...........................................................................................................14

29A.5. Polynomials over a Finite Field.......................................................................................................18

37A.6. Elliptic Curves: Overview................................................................................................................20

44A.7. Elliptic Curves: Algorithms............................................................................................................27

10A.8. Functions for Elliptic Curve Parameter and Key Generation..........................................................36

17A.9. Class Group Calculations.................................................................................................................39

21A.10. Complex Multiplication...................................................................................................................43

27A.11. Pairing-Friendly Elliptic Curves......................................................................................................51

43A.13. Choosing a Curve and Pairing.........................................................................................................57

3A.1.1.1. Modular reduction

8The remainder must satisfy 0 £ r < m.

21If r = a mod m, then r º a (mod m).

22If a0 º b0 (mod m) and a1 º b1 (mod m), then

26A.1.1.3. Integers modulo m

4A.1.1.4. Modular exponentiation

8A.1.1.5. G.C.D.'s and L.C.M.'s

14 GCD (h, m) ´ LCM (h, m) = hm

16A.1.1.6. Modular division

24A.1.2. Prime finite fields

25A.1.2.1. The field GF (p)

3A.1.2.4. Exponentiation and discrete logarithms

8A.1.3. Modular Square Roots

9A.1.3.1. The Legendre symbol

14Algorithms for computing Legendre symbol are given in A.2.3..

15A.1.3.2. Square roots modulo a prime

23A.2. Integer and Modular Arithmetic: Algorithms

26Input: a positive integer v, a modulus m, and an integer g modulo m.

8A.2.2. The Extended Euclidean Algorithm

33A.2.3. Evaluating Legendre Symbols

34The following algorithm efficiently computes the Legendre symbol.

35Input: an integer a and a prime p.

14A.2.4. Generating Lucas Sequences

15Let P and Q be nonzero integers. The Lucas sequence Vk for P, Q is defined by

16 V0 = 2, V1 = P, and Vk = PVk–1 – QVk–2 for k ³ 2.

21Output: Vk mod n and Q ëk/2û mod n.

36A.2.5. Finding Square Roots Modulo a Prime

37The following algorithm computes a square root z modulo p of g ¹ 0.

12 V := V(p+1)/2 mod p and Q0 := Q (p–1)/4 mod p.

31A.2.6. Finding Square Roots Modulo a Power of 2

6A.2.7. Computing the Order of a Given Integer Modulo a Prime

9Input: a prime p and an integer g with 1 < g < p.

10Output: the order d of g modulo p.

132. For all divisors d of p-1

17A.2.8. Constructing an Integer of a Given Order Modulo a Prime

20Input: a prime p and an integer T dividing p – 1.

21Output: an integer u having order T modulo p.

27A.3. Extension Fields: Overview

8Example: Over the prime field GF (7),

11A binary polynomial is a polynomial modulo 2.

12Example: Over the field GF (2),

21A.3.2.1. Polynomial Congruences

26 r (t) := a (t) mod m (t).

31 a (t) º b (t) (mod m(t)).

4 GF (23) = {000, 001, 010, 011, 100, 101, 110, 111}.

7The integer m is called the degree of the field.

11 (11001) + (10100) = (01101)