
IEEE P1363.3™/D2
Draft Standard for <varTitlePAR>
4
Annex A (informative)
Number-Theoretic Background

Prepared by the <varWorkingGroup> Working Group of the <varCommittee> Committee

Copyright © <year> by the Institute of Electrical and Electronics Engineers, Inc.
Three Park Avenue
New York, New York 10016-5997, USA
All rights reserved.

This document is an unapproved draft of a proposed IEEE Standard. As such, this document is subject to change. USE AT YOUR OWN RISK! Because this is an unapproved draft, this document must not be utilized for any conformance/compliance purposes. Permission is hereby granted for IEEE Standards Committee participants to reproduce this document for purposes of international standardization consideration. Prior to adoption of this document, in whole or in part, by another standards development organization, permission must first be obtained from the IEEE Standards Activities Department (stds.ipr@ieee.org). Other entities seeking permission to reproduce this document, in whole or in part, must also obtain permission from the IEEE Standards Activities Department.

IEEE Standards Activities Department
445 Hoes Lane
Piscataway, NJ 08854, USA

1
Copyright © <year> IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
Abstract: This standard specifies common identity-based public-key cryptographic techniques that use pairings, including mathematical primitives for secret value (key) derivation, public-key encryption, and digital signatures, and cryptographic schemes based on those primitives. It also specifies related cryptographic parameters, public keys and private keys. The purpose of this standard is to provide a reference for specifications of a variety of techniques from which applications may select.

Keywords: Public-key cryptography, encryption, identity-based encryption, pairing-based encryption, pairing-based cryptography.

The Institute of Electrical and Electronics Engineers, Inc.
3 Park Avenue, New York, NY 10016-5997, USA

Copyright © 200X by the Institute of Electrical and Electronics Engineers, Inc.
All rights reserved. Published XX Month XXXX. Printed in the United States of America.

IEEE is a registered trademark in the U.S. Patent & Trademark Office, owned by the Institute of Electrical and Electronics Engineers, Incorporated.

PDF: ISBN 978-0-XXXX-XXXX-X STDXXXX
Print: ISBN 978-0-XXXX-XXXX-X STDPDXXXX

No part of this publication may be reproduced in any form, in an electronic retrieval system or otherwise, without the prior written permission of the publisher.
CONTENTS

A.1. Integer and Modular Arithmetic: Overview ... 5
  A.1.1. Modular arithmetic ... 5
  A.1.2. Prime finite fields ... 6
  A.1.3. Modular Square Roots ... 7
A.2. Integer and Modular Arithmetic: Algorithms ... 7
  A.2.1. Modular Exponentiation ... 7
  A.2.2. The Extended Euclidean Algorithm ... 8
  A.2.3. Evaluating Legendre Symbols ... 8
  A.2.4. Generating Lucas Sequences ... 9
  A.2.5. Finding Square Roots Modulo a Prime ... 9
  A.2.6. Finding Square Roots Modulo a Power of 2 ... 10
  A.2.7. Computing the Order of a Given Integer Modulo a Prime ... 11
  A.2.8. Constructing an Integer of a Given Order Modulo a Prime ... 11
A.3. Extension Fields: Overview ... 11
  A.3.1. Finite Fields ... 11
  A.3.2. Polynomials over Finite Fields ... 12
  A.3.3. Extension Fields ... 13
  A.3.4. Polynomial Basis Representations ... 13
  A.3.5. Extension Fields (cont'd) ... 14
A.4. Extension Fields: Algorithms ... 14
  A.4.1. Exponentiation ... 14
  A.4.2. Division ... 15
  A.4.3. Squares ... 15
  A.4.4. Square Roots ... 15
  A.4.5. Trace in Binary Field Extension ... 16
  A.4.6. Half-Trace in Binary Fields ... 17
  A.4.7. Solving Quadratic Equations over GF (2^m) ... 17
A.5. Polynomials over a Finite Field ... 18
  A.5.1. Exponentiation Modulo a Polynomial ... 18
  A.5.2. G.C.D.'s over a Finite Field ... 18
  A.5.3. Factoring Polynomials over GF (p) (Special Case) ... 18
  A.5.4. Factoring Polynomials over GF (2) (Special Case) ... 19
  A.5.5. Checking Polynomials over GF (2^r) for Irreducibility ... 19
  A.5.6. Finding a Root in GF (2^m) of an Irreducible Binary Polynomial ... 20
  A.5.7. Embedding in an Extension Field ... 20
A.6. Elliptic Curves: Overview ... 20
  A.6.1. Introduction ... 20
  A.6.2. Operations on Elliptic Curves ... 23
  A.6.3. Elliptic Curve Cryptography (ECC) ... 24
  A.6.4. Analogies with DL ... 25
  A.6.5. Curve Orders ... 25
  A.6.6. Representation of Points ... 26
A.7. Elliptic Curves: Algorithms ... 27
  A.7.1. Full Addition and Subtraction (prime case) ... 27
  A.7.2. Full Addition and Subtraction (binary case) ... 28
  A.7.3. Full Addition and Subtraction (supersingular curves in Characteristic 2) ... 28
  A.7.4. Elliptic Scalar Multiplication ... 29
  A.7.5. Projective Elliptic Doubling (prime case) ... 29
  A.7.6. Projective Elliptic Addition (prime case) ... 30
  A.7.7. Projective Elliptic Doubling (binary case) ... 32
  A.7.8. Projective Elliptic Addition (binary case) ... 33
  A.7.9. Projective Full Addition and Subtraction ... 35
  A.7.10. Projective Elliptic Scalar Multiplication ... 35
  A.7.11. Decompression of y Coordinates (prime case) ... 36
  A.7.12. Decompression of y Coordinates (binary case) ... 36
A.8. Functions for Elliptic Curve Parameter and Key Generation ... 36
  A.8.1. Finding a Random Point on an Elliptic Curve (prime case) ... 36
  A.8.2. Finding a Random Point on an Elliptic Curve (binary case) ... 37
  A.8.3. Finding a Point of Large Prime Order ... 37
  A.8.4. Curve Orders over Small Binary Fields ... 38
  A.8.5. Curve Orders over Extension Fields ... 38
  A.8.6. Curve Orders via Subfields ... 38
A.9. Class Group Calculations ... 39
  A.9.1. Overview ... 39
  A.9.2. Class Group and Class Number ... 39
  A.9.3. Reduced Class Polynomials ... 40
A.10. Complex Multiplication ... 43
  A.10.1. Overview ... 43
  A.10.2. Finding a Nearly Prime Order over GF (p) ... 44
  A.10.3. Finding a Nearly Prime Order over GF (2^m) ... 46
  A.10.4. Constructing a Curve and Point (prime case) ... 47
  A.10.5. Constructing a Curve and Point (binary case) ... 50
A.11. Pairing-Friendly Elliptic Curves ... 51
  A.11.1. Curve Families ... 52
  A.11.2. Super-Singular Curves ... 52
  A.11.3. MNT Curves ... 53
  A.11.4. Cocks-Pinch Curves ... 54
  A.11.5. BN Curves ... 55
  A.11.6. KSS Curves ... 55
A.12. Pairings ... 55
  A.12.1. Pairing Types ... 55
  A.12.2. The Miller Loop ... 55
  A.12.3. Pairing Calculations ... 56
  A.12.4. The Weil Pairing ... 56
  A.12.5. Tate ... 56
  A.12.6. Eta ... 56
  A.12.7. Ate ... 57
  A.12.8. R-Ate ... 57
A.13. Choosing a Curve and Pairing ... 57
  A.13.1. Recommended Security Parameters ... 57
  A.13.2. Curve-Pairing Compatibility ... 57

A.1. Integer and Modular Arithmetic: Overview

A.1.1. Modular arithmetic

A.1.1.1. Modular reduction

Modular arithmetic is based on a fixed integer m > 1 called the modulus. The fundamental operation is reduction modulo m. To reduce an integer a modulo m, one divides a by m and takes the remainder r. This operation is written

 r := a mod m.

The remainder must satisfy 0 ≤ r < m.

Examples:

 11 mod 8 = 3
 7 mod 9 = 7
 –2 mod 11 = 9
 12 mod 12 = 0

A.1.1.2. Congruences

Two integers a and b are said to be congruent modulo m if they have the same result upon reduction modulo m. This relationship is written

 a ≡ b (mod m).

Two integers are congruent modulo m if and only if their difference is divisible by m.

Example:

 11 ≡ 19 (mod 8).

If r = a mod m, then r ≡ a (mod m).

If a0 ≡ b0 (mod m) and a1 ≡ b1 (mod m), then

 a0 + a1 ≡ b0 + b1 (mod m)
 a0 – a1 ≡ b0 – b1 (mod m)
 a0 a1 ≡ b0 b1 (mod m).

A.1.1.3. Integers modulo m

The integers modulo m are the possible results of reduction modulo m. Thus the set of integers modulo m is

 Zm = {0, 1, …, m – 1}.

One performs addition, subtraction, and multiplication on the set Zm by performing the corresponding integer operation and reducing the result modulo m. For example, in Z7
 3 = 6 + 4
 5 = 1 – 3
 6 = 4 × 5.

A.1.1.4. Modular exponentiation

If v is a positive integer and g is an integer modulo m, then modular exponentiation is the operation of computing g^v mod m (also written exp (g, v) mod m). Section A.2.1. contains an efficient method for modular exponentiation.

A.1.1.5. G.C.D.'s and L.C.M.'s

If m and h are integers, the greatest common divisor (or G.C.D.) is the largest positive integer d dividing both m and h. If d = 1, then m and h are said to be relatively prime (or coprime). Section A.2.2. contains an efficient method for computing the G.C.D.

The least common multiple (or L.C.M.) is the smallest positive integer l divisible by both m and h. The G.C.D. and L.C.M. are related by

 GCD (h, m) × LCM (h, m) = hm

(for h and m positive), so that the L.C.M. is easily computed if the G.C.D. is known.

A.1.1.6. Modular division

The multiplicative inverse of h modulo m is the integer k modulo m such that hk ≡ 1 (mod m). The multiplicative inverse of h is commonly written h^(–1) (mod m). It exists if h is relatively prime to m and not otherwise.

If g and h are integers modulo m, and h is relatively prime to m, then the modular quotient g/h modulo m is the integer g h^(–1) mod m. If c is the modular quotient, then c satisfies g ≡ hc (mod m). The process of finding the modular quotient is called modular division. Section A.2.2. contains an efficient method for modular division.

A.1.2. Prime finite fields

A.1.2.1. The field GF (p)

In the case in which m equals a prime p, the set Zp forms a prime finite field and is denoted GF (p).

In the finite field GF (p), modular division is possible for any denominator other than 0. The set of nonzero elements of GF (p) is denoted GF (p)*.

A.1.2.2. Orders

The order of an element c of GF (p)* is the smallest positive integer v such that c^v ≡ 1 (mod p). The order always exists and divides p – 1. If k and l are integers, then c^k ≡ c^l (mod p) if and only if k ≡ l (mod v).

A.1.2.3. Generators

If v divides p – 1, then there exists an element of GF (p)* having order v. In particular, there always exists an element g of order p – 1 in GF (p)*. Such an element is called a generator for GF (p)* because every
element of GF (p)* is some power of g. In number-theoretic language, g is also called a primitive root for p.

A.1.2.4. Exponentiation and discrete logarithms

Suppose that the element g of GF (p)* has order v. Then an element h of GF (p)* satisfies

 h ≡ g^l (mod p)

for some l if and only if h^v ≡ 1 (mod p). The exponent l is called the discrete logarithm of h (with respect to the base g). The discrete logarithm is an integer modulo v.

A.1.3. Modular Square Roots

A.1.3.1. The Legendre symbol

If p > 2 is prime, and a is any integer, then the Legendre symbol (a/p) is defined as follows. If p divides a, then (a/p) = 0. If p does not divide a, then (a/p) equals 1 if a is a square modulo p and –1 otherwise. (Despite the similarity in notation, a Legendre symbol should not be confused with a rational fraction; the distinction must be made from the context.)

Algorithms for computing the Legendre symbol are given in A.2.3..

A.1.3.2. Square roots modulo a prime

Let p be an odd prime, and let g be an integer with 0 ≤ g < p. A square root modulo p of g is an integer z with 0 ≤ z < p and

 z^2 ≡ g (mod p).

The number of square roots modulo p of g is 1 + J, where J is the Jacobi symbol (g/p).

If g = 0, then there is one square root modulo p, namely z = 0. If g ≠ 0, then g has either 0 or 2 square roots modulo p. If z is one square root, then the other is p – z.

A procedure for computing square roots modulo a prime is given in A.2.5..
A.2. Integer and Modular Arithmetic: Algorithms

A.2.1. Modular Exponentiation

Modular exponentiation can be performed efficiently by the binary method outlined below.

Input: a positive integer v, a modulus m, and an integer g modulo m.

Output: g^v mod m.

1. Let v = v_r v_(r–1) ... v_1 v_0 be the binary representation of v, where the most significant bit v_r of v is 1.
2. Set x ← g.
3. For i from r – 1 downto 0 do
 3.1 Set x ← x^2 mod m.
 3.2 If v_i = 1 then set x ← gx mod m.
4. Output x.

There are several modifications that improve the performance of this algorithm. These methods are summarized in [Gor98].

A.2.2. The Extended Euclidean Algorithm

The following algorithm computes efficiently the G.C.D. d of m and h. If m and h are relatively prime, the algorithm also finds the quotient g/h modulo m.

Input: an integer m > 1 and integers g and h > 0. (If only the G.C.D. of m and h is desired, no input g is required.)

Output: the G.C.D. d of m and h and, if d = 1, the integer c with 0 < c < m and c ≡ g/h (mod m).

1. If h = 1 then output d := 1 and c := g and stop.
2. Set r0 ← m.
3. Set r1 ← h mod m.
4. Set s0 ← 0.
5. Set s1 ← g mod m.
6. While r1 > 0
 6.1 Set q ← ⌊r0 / r1⌋.
 6.2 Set r2 ← r0 – q r1 mod m
 6.3 Set s2 ← s0 – q s1 mod m
 6.4 Set r0 ← r1
  Set r1 ← r2
  Set s0 ← s1
  Set s1 ← s2
7. Output d := r0.
8. If r0 = 1 then output c := s0

If m is prime, the quotient exists provided that h ≢ 0 (mod m), and can be found efficiently using exponentiation via

 c := g h^(m–2) mod m.
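The two procedures above, as an added example that is not part of the draft: A.2.1 and A.2.2 implemented step for step, with the exponentiation formula c := g h^(m–2) mod m used as an independent check of the quotient when m is prime. Function names are my own.

```python
# Added example (not code from the IEEE P1363.3 draft): the binary modular
# exponentiation of A.2.1 and the extended Euclidean algorithm of A.2.2,
# with the Fermat-based quotient g*h^(m-2) mod m as a cross-check (prime m).

def mod_exp(g, v, m):
    """A.2.1: g^v mod m by the left-to-right binary method, v > 0."""
    bits = bin(v)[2:]            # v_r ... v_0 with v_r = 1
    x = g % m                    # step 2: x <- g
    for b in bits[1:]:           # step 3: i from r-1 downto 0
        x = (x * x) % m          # 3.1: x <- x^2 mod m
        if b == "1":
            x = (g * x) % m      # 3.2: x <- g x mod m
    return x                     # step 4

def ext_euclid(m, g, h):
    """A.2.2: returns (d, c) with d = gcd(m, h) and, if d == 1,
    c = g/h mod m with 0 < c < m; c is None when d != 1."""
    if h == 1:                   # step 1
        return 1, g % m
    r0, r1 = m, h % m            # steps 2-3
    s0, s1 = 0, g % m            # steps 4-5
    while r1 > 0:                # step 6
        q = r0 // r1             # 6.1
        r2 = (r0 - q * r1) % m   # 6.2
        s2 = (s0 - q * s1) % m   # 6.3  (invariant: s_i * h == g * r_i mod m)
        r0, r1, s0, s1 = r1, r2, s1, s2   # 6.4
    d = r0                       # step 7
    return d, (s0 if d == 1 else None)   # step 8

def quotient_via_fermat(m, g, h):
    """Closing remark of A.2.2: for prime m and h != 0 (mod m), g/h = g*h^(m-2)."""
    return (g * mod_exp(h, m - 2, m)) % m
```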

A.2.3. Evaluating Legendre Symbols

The following algorithm efficiently computes the Legendre symbol.

Input: an integer a and a prime p.

Output: the Legendre symbol (a/p).

1. Set x ← a, y ← p, L ← 1
2. While y > 1
 2.1 Set x ← (x mod y)
 2.2 If x > y/2 then
  2.2.1 Set x ← y – x.
  2.2.2 If y ≡ 3 (mod 4) then set L ← –L
 2.3 If x = 0 then set x ← 1, y ← 0, L ← 0
 2.4 While 4 divides x
  2.4.1 Set x ← x/4
 2.5 If 2 divides x then
  2.5.1 Set x ← x/2.
  2.5.2 If y ≡ ±3 (mod 8) then set L ← –L
 2.6 If x ≡ 3 (mod 4) and y ≡ 3 (mod 4) then set L ← –L
 2.7 Switch x and y
3. Output L

The Legendre symbol can also be found efficiently using exponentiation via

 (a/p) := a^((p – 1)/2) mod p.
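The algorithm of A.2.3 as an added example (not code from the draft), written step for step and checked against the exponentiation formula just given for every residue class modulo a few primes. The function names are my own.

```python
# Added example (not from the IEEE P1363.3 draft): the Legendre symbol
# algorithm of A.2.3, checked against a^((p-1)/2) mod p (Euler's criterion).

def legendre_symbol(a, p):
    """A.2.3: returns (a/p) in {-1, 0, 1} for an odd prime p."""
    x, y, L = a, p, 1                       # step 1
    while y > 1:                            # step 2
        x = x % y                           # 2.1
        if x > y // 2:                      # 2.2 (y is odd here, so y//2 is floor(y/2))
            x = y - x                       # 2.2.1
            if y % 4 == 3:                  # 2.2.2
                L = -L
        if x == 0:                          # 2.3
            x, y, L = 1, 0, 0
        while x % 4 == 0:                   # 2.4
            x //= 4                         # 2.4.1
        if x % 2 == 0:                      # 2.5
            x //= 2                         # 2.5.1
            if y % 8 in (3, 5):             # 2.5.2: y == +-3 (mod 8)
                L = -L
        if x % 4 == 3 and y % 4 == 3:       # 2.6
            L = -L
        x, y = y, x                         # 2.7
    return L                                # step 3

def legendre_by_euler(a, p):
    """Closing formula of A.2.3: a^((p-1)/2) mod p, reading p-1 as -1."""
    e = pow(a, (p - 1) // 2, p)
    return -1 if e == p - 1 else e

def agree_on_all_residues(p):
    """True if both methods give the same value for every a in 0..p-1."""
    return all(legendre_symbol(a, p) == legendre_by_euler(a, p) for a in range(p))
```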

A.2.4. Generating Lucas Sequences

Let P and Q be nonzero integers. The Lucas sequence V_k for P, Q is defined by

 V_0 = 2, V_1 = P, and V_k = P V_(k–1) – Q V_(k–2) for k ≥ 2.

This recursion is adequate for computing V_k for small values of k. For large k, one can compute V_k modulo an odd integer n > 2 using the following algorithm (see [JQ96]). The algorithm also computes the quantity Q^⌊k/2⌋ mod n; this quantity will be useful in the application given in A.2.5..

Input: an odd integer n > 2, integers P and Q, and a positive integer k.

Output: V_k mod n and Q^⌊k/2⌋ mod n.

1. Set v0 ← 2, v1 ← P, q0 ← 1, q1 ← 1
2. Let k = k_r k_(r–1) ... k_1 k_0 be the binary representation of k, where the leftmost bit k_r of k is 1.
3. For i from r downto 0 do
 3.1 Set q0 ← q0 q1 mod n
 3.2 If k_i = 1 then set
  q1 ← q0 Q mod n
  v0 ← v0 v1 – P q0 mod n
  v1 ← v1^2 – 2 q1 mod n
 else set
  q1 ← q0
  v1 ← v0 v1 – P q0 mod n
  v0 ← v0^2 – 2 q0 mod n
4. Output v0 and q0.

A.2.5. Finding Square Roots Modulo a Prime

The following algorithm computes a square root z modulo p of g ≠ 0.

Input: an odd prime p, and an integer g with 0 < g < p.

Output: a square root modulo p of g if one exists. (In Case III, the message “no square roots exist” is returned if none exists.)

I. p ≡ 3 (mod 4), that is p = 4k + 3 for some positive integer k. (See [Leh69].)
 1. Compute (via A.2.1.) and output z := g^(k + 1) mod p.
II. p ≡ 5 (mod 8), that is p = 8k + 5 for some positive integer k. (See [Atk92].)
 1. Compute γ := (2g)^k mod p via A.2.1.
 2. Compute i := 2gγ^2 mod p
 3. Compute and output z := gγ(i – 1) mod p
III. p ≡ 1 (mod 8). (See [Leh69].)
 1. Set Q ← g.
 2. Generate a value P with 0 < P < p not already chosen.
 3. Compute via A.2.4. the quantities

  V := V_((p+1)/2) mod p and Q0 := Q^((p–1)/4) mod p.

 4. Set z ← V / 2 mod p.
 5. If (z^2 mod p) = g then output z and stop.
 6. If 1 < Q0 < p – 1 then output the message “no square roots exist” and stop.
 7. Go to Step 2.

NOTES

1—To perform the modular division of an integer V by 2 (needed in Step 4 of case III), one can simply divide by 2 the integer V or V + p (whichever is even). (The integer division by 2 can be accomplished by shifting the binary expansion of the dividend by one bit.)

2—As written, the algorithm for Case III works for all p ≡ 1 (mod 4), although it is less efficient than the algorithm for Case II when p ≡ 5 (mod 8).

3—In Case III, a given choice of P will produce a solution if and only if P^2 – 4Q is not a quadratic residue modulo p. If P is chosen at random, the probability of this is at least 1/2. Thus only a few values of P will be required. It may therefore be possible to speed up the process by restricting to very small values of P and implementing the multiplications by P in A.2.4. by repeated addition.

4—In cases I and II, the algorithm produces a solution z provided that one exists. If it is unknown whether a solution exists, then the output z should be checked by comparing w := z^2 mod p with g. If w = g, then z is a solution; otherwise no solutions exist. In case III, the algorithm performs the determination of whether or not a solution exists.
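The Lucas sequence algorithm of A.2.4 and the three-case square-root algorithm of A.2.5 built on it, as one added example (not code from the draft). Case I and II outputs are verified as Note 4 prescribes, so the function returns None where the draft would find no root; Case III tries P = 1, 2, 3, ... in turn, following Note 3. Function names are my own.

```python
# Added example (not from the IEEE P1363.3 draft): A.2.4 Lucas sequences and
# the A.2.5 square-root algorithm (Cases I, II, III) that uses them.

def lucas(P, Q, k, n):
    """A.2.4: returns (V_k mod n, Q^floor(k/2) mod n) for odd n > 2, k > 0."""
    v0, v1, q0, q1 = 2, P, 1, 1                 # step 1
    for b in bin(k)[2:]:                        # steps 2-3: bits k_r ... k_0
        q0 = (q0 * q1) % n                      # 3.1
        if b == "1":                            # 3.2, k_i = 1
            q1 = (q0 * Q) % n
            v0 = (v0 * v1 - P * q0) % n
            v1 = (v1 * v1 - 2 * q1) % n
        else:                                   # 3.2, k_i = 0
            q1 = q0
            v1 = (v0 * v1 - P * q0) % n
            v0 = (v0 * v0 - 2 * q0) % n
    return v0, q0                               # step 4

def mod_sqrt(g, p):
    """A.2.5: a square root of g modulo the odd prime p (0 < g < p), or None."""
    if p % 4 == 3:                              # Case I: p = 4k + 3
        k = (p - 3) // 4
        z = pow(g, k + 1, p)
    elif p % 8 == 5:                            # Case II: p = 8k + 5
        k = (p - 5) // 8
        gamma = pow(2 * g, k, p)                # step 1
        i = (2 * g * gamma * gamma) % p         # step 2
        z = (g * gamma * (i - 1)) % p           # step 3
    else:                                       # Case III: p = 1 (mod 8)
        Q = g                                   # step 1
        for P in range(1, p):                   # step 2: a fresh P each round
            V, Q0 = lucas(P, Q, (p + 1) // 2, p)    # step 3
            z = (V * pow(2, p - 2, p)) % p          # step 4: V / 2 mod p
            if (z * z) % p == g:                    # step 5
                return z
            if 1 < Q0 < p - 1:                      # step 6: no square roots exist
                return None
        return None                             # not reached for prime p
    # Note 4: for Cases I and II the candidate must be checked against g.
    return z if (z * z) % p == g else None

def both_roots(g, p):
    """A.1.3.2: if z is a root then p - z is the other; sorted pair or None."""
    z = mod_sqrt(g, p)
    return None if z is None else tuple(sorted((z, p - z)))
```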

A.2.6. Finding Square Roots Modulo a Power of 2

If r > 2 and a < 2^r is a positive integer congruent to 1 modulo 8, then there is a unique positive integer b less than 2^(r–2) such that b^2 ≡ a (mod 2^r). The number b can be computed efficiently using the following algorithm. The binary representations of the integers a, b, h are denoted as
 a = a_(r–1) ... a_1 a_0,
 b = b_(r–1) ... b_1 b_0,
 h = h_(r–1) ... h_1 h_0.

Input: an integer r > 2, and a positive integer a ≡ 1 (mod 8) less than 2^r.

Output: the positive integer b less than 2^(r–2) such that b^2 ≡ a (mod 2^r).

1. Set h ← 1.
2. Set b ← 1.
3. For j from 2 to r – 2 do
 If h_(j+1) ≠ a_(j+1) then
  Set b_j ← 1.
  If 2j < r
   then h ← (h + 2^(j+1) b – 2^(2j)) mod 2^r.
   else h ← (h + 2^(j+1) b) mod 2^r.
4. If b_(r–2) = 1 then set b ← 2^(r–1) – b.
5. Output b.
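The algorithm of A.2.6 as an added example (not code from the draft), using the draft's bit notation a_j, b_j, h_j, together with a brute-force search that confirms the output is the unique root below 2^(r–2). Function names are my own.

```python
# Added example (not from the IEEE P1363.3 draft): square roots modulo 2^r
# per A.2.6. h tracks b^2 mod 2^r while bits of b are fixed from j = 2 upward.

def bit(n, j):
    """Bit j of the nonnegative integer n, written n = ... n_1 n_0 in the draft."""
    return (n >> j) & 1

def sqrt_mod_power_of_two(a, r):
    """A.2.6: b < 2^(r-2) with b^2 == a (mod 2^r), for r > 2 and a == 1 (mod 8)."""
    if r <= 2 or not 0 < a < 2 ** r or a % 8 != 1:
        raise ValueError("need r > 2 and 0 < a < 2^r with a == 1 (mod 8)")
    mod = 2 ** r
    h = 1                                   # step 1
    b = 1                                   # step 2
    for j in range(2, r - 1):               # step 3: j from 2 to r-2
        if bit(h, j + 1) != bit(a, j + 1):
            b |= 1 << j                     # set b_j <- 1
            if 2 * j < r:
                h = (h + 2 ** (j + 1) * b - 2 ** (2 * j)) % mod
            else:
                h = (h + 2 ** (j + 1) * b) % mod
    if bit(b, r - 2) == 1:                  # step 4
        b = 2 ** (r - 1) - b
    return b                                # step 5

def roots_below_quarter(a, r):
    """Brute force: every b in (0, 2^(r-2)) with b^2 == a (mod 2^r); expect one."""
    return [b for b in range(1, 2 ** (r - 2)) if (b * b) % (2 ** r) == a]
```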

A.2.7. Computing the Order of a Given Integer Modulo a Prime

Let p be a prime and let g satisfy 1 < g < p. The following algorithm determines the order of g modulo p when the factorization of p – 1 is known.

Input: a prime p and an integer g with 1 < g < p.

Output: the order d of g modulo p.

1. Factor p – 1 = ∏_i p_i^(e_i).
2. For each divisor d of p – 1:
  If g^d ≡ 1 (mod p) and g^(d/p_i) ≢ 1 (mod p) for every prime p_i dividing d,
   Output d.

A.2.8. Constructing an Integer of a Given Order Modulo a Prime

Let p be a prime and let T divide p – 1. The following algorithm generates an element of GF (p) of order T when the factorization of p – 1 is known.

Input: a prime p and an integer T dividing p – 1.

Output: an integer u having order T modulo p.

1. Generate a random integer g between 1 and p.
2. Compute via A.2.7. the order d of g modulo p.
3. If T does not divide d then go to Step 1.
4. Output u := g^(d/T) mod p.
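Both procedures, as one added example (not code from the draft): the order computation of A.2.7 and the construction of an element of prescribed order of A.2.8. The draft takes the factorization of p – 1 as a known input; the trial-division helper here is my own stand-in for that input and is suitable only for small p. The other function names are mine too.

```python
# Added example (not from the IEEE P1363.3 draft): A.2.7 (order of g mod p)
# and A.2.8 (an element of order T mod p). factor_trial is an assumed helper
# standing in for the draft's "factorization of p-1 is known".

import random

def factor_trial(n):
    """Assumed helper: {prime: exponent} of n by trial division (small n only)."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors

def divisors_from_factors(factors):
    """All positive divisors, ascending, from a {prime: exponent} factorization."""
    divs = [1]
    for q, e in factors.items():
        divs = [d * q ** i for d in divs for i in range(e + 1)]
    return sorted(divs)

def order_mod_prime(g, p):
    """A.2.7: the order d of g modulo the prime p, for 1 < g < p."""
    primes = factor_trial(p - 1)                               # step 1
    for d in divisors_from_factors(primes):                    # step 2
        if pow(g, d, p) == 1 and all(
            pow(g, d // q, p) != 1 for q in primes if d % q == 0
        ):
            return d
    raise ValueError("no order found: p is not prime or g is 0 mod p")

def element_of_order(p, T, rng=random):
    """A.2.8: an integer u of order exactly T modulo p; T must divide p-1."""
    if (p - 1) % T != 0:
        raise ValueError("T must divide p - 1")
    while True:
        g = rng.randrange(2, p)                   # step 1: random g, 1 < g < p
        d = order_mod_prime(g, p)                 # step 2
        if d % T == 0:                            # step 3: otherwise retry
            return pow(g, d // T, p)              # step 4
```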

A.3. Extension Fields: Overview

A.3.1. Finite Fields

A finite field (or Galois field) is a set with finitely many elements in which the usual algebraic operations (addition, subtraction, multiplication, division by nonzero elements) are possible, and in which the usual algebraic laws (commutative, associative, distributive) hold. The order of a finite field is the number of elements it contains. If q > 1 is an integer, then a finite field of order q exists if q is a prime power and not otherwise.

The finite field of a given order is unique, in the sense that any two fields of order q display identical algebraic structure. Nevertheless, there are often many ways to represent a field. It is traditional to denote the finite field of order q by F_q or GF (q); this Standard uses the latter notation for typographical reasons. It should be borne in mind that the expressions “the field GF (q)” and “the field of order q” usually imply a choice of field representation.

In pairing-based cryptography one makes use of GF (p^n) for various n and p.

A.3.2. Polynomials over Finite Fields

A polynomial over GF (q) is a polynomial with coefficients in GF (q). Addition and multiplication of polynomials over GF (q) are defined as usual in polynomial arithmetic, except that the operations on the coefficients are performed in GF (q).

A polynomial over the prime field GF (p) is commonly called a polynomial modulo p. Addition and multiplication are the same as for polynomials with integer coefficients, except that the coefficients of the results are reduced modulo p.

Example: Over the prime field GF (7),

 (t^2 + 4t + 5) + (t^3 + t + 3) = t^3 + t^2 + 5t + 1
 (t^2 + 3t + 4) (t + 4) = t^3 + 2t + 2.

A binary polynomial is a polynomial modulo 2.

Example: Over the field GF (2),

 (t^3 + 1) + (t^3 + t) = t + 1
 (t^2 + t + 1) (t + 1) = t^3 + 1.

A polynomial over GF (q) is reducible if it is the product of two smaller-degree polynomials over GF (q); otherwise it is irreducible. For instance, the above examples show that t^3 + 2t + 2 is reducible over GF (7) and that the binary polynomial t^3 + 1 is reducible.

Every nonzero polynomial over GF (q) has a unique representation as the product of powers of irreducible polynomials. (This result is analogous to the fact that every positive integer has a unique representation as the product of powers of prime numbers.) The degree-1 factors correspond to the roots of the polynomial.

A.3.2.1. Polynomial Congruences

Modular reduction and congruences can be defined among polynomials over GF (q), in analogy to the definitions for integers given in A.1.1.. To reduce a polynomial a (t) modulo a nonconstant polynomial m (t), one divides a (t) by m (t) by long division of polynomials and takes the remainder r (t). This operation is written
 r (t) := a (t) mod m (t).

The remainder r (t) must either equal 0 or have degree smaller than that of m (t).

If m (t) = t – c for some element c of GF (q), then a (t) mod m (t) is just the constant a (c).

Two polynomials a (t) and b (t) are said to be congruent modulo m (t) if they have the same result upon
reduction modulo m (t). This relationship is written

 a (t) ≡ b (t) (mod m (t)).

One can define addition, multiplication, and exponentiation of polynomials (to integral powers) modulo
m (t), analogously to how they are defined for integer congruences in A.1.1. In the case of a prime field
GF (p), each of these operations involves both reduction of the polynomials modulo m (t) and reduction of
the coefficients modulo p.

A.3.3. Extension Fields

If m is a positive integer, the extension field GF (p^m) consists of the p^m possible m-tuples of integers modulo
p. Thus, for example,

 GF (2^3) = {000, 001, 010, 011, 100, 101, 110, 111}.

 GF (3^2) = {00, 01, 02, 10, 11, 12, 20, 21, 22}.

The integer m is called the degree of the field.

A.3.3.1. Addition

For m > 1, addition of two elements is implemented by component-wise addition modulo p. Thus, for
example, in GF (2^5) we have

 (11001) + (10100) = (01101)

and in GF (3^2) we have

 (01) + (22) = (20).

A.3.3.2. Multiplication

There is more than one way to implement multiplication in GF (p^m). To specify a multiplication rule, one
chooses a basis representation for the field. The basis representation is a rule for interpreting each m-tuple;
the multiplication rule follows from this interpretation.

For the purposes of this standard we focus on polynomial basis representations.

A.3.4. Polynomial Basis Representations

In a polynomial basis representation, each element of GF (p^m) is represented by a different polynomial
modulo p of degree less than m. More explicitly, the tuple (a_{m–1} … a_2 a_1 a_0) is taken to represent the
polynomial

 a_{m–1} t^{m–1} + … + a_2 t^2 + a_1 t + a_0.

The polynomial basis is the set

 B = {t^{m–1}, …, t^2, t, 1}.

The addition of m-tuples, as defined in A.3.3., corresponds to addition of polynomials modulo p.

Multiplication is defined in terms of an irreducible polynomial f (t) modulo p of degree m, called the field
polynomial for the representation. The product of two elements is simply the product of the corresponding
polynomials, reduced modulo f (t).

There is a polynomial basis representation for GF (p^m) corresponding to each irreducible polynomial f (t)
modulo p of degree m. Irreducible polynomials modulo p exist of every degree. Roughly speaking, every
one out of m polynomials modulo p of degree m is irreducible.

A.3.5. Extension Fields (cont'd)

A.3.5.1. Exponentiation

If k is a positive integer and a is an element of GF (p^m), then exponentiation is the operation of computing
a^k. Section A.4.1. contains an efficient method for exponentiation.

A.3.5.2. Division

If a and b ≠ 0 are elements of the field GF (p^m), then the quotient a/b is the element g such that a = bg.
In the finite field GF (p^m), modular division is possible for any denominator other than 0. The set of
nonzero elements of GF (p^m) is denoted GF (p^m)*.

Section A.4.2. contains an efficient method for division.

A.3.5.3. Orders

The order of an element g of GF (p^m)* is the smallest positive integer v such that g^v = 1. The order always
exists and divides p^m – 1. If k and l are integers, then g^k = g^l in GF (p^m) if and only if k ≡ l (mod v).

A.3.5.4. Generators

If v divides p^m – 1, then there exists an element of GF (p^m)* having order v. In particular, there always
exists an element g of order p^m – 1 in GF (p^m)*. Such an element is called a generator for GF (p^m)* because
every element of GF (p^m)* is some power of g.

A.3.5.5. Exponentiation and discrete logarithms

Suppose that the element g of GF (p^m)* has order v. Then an element h of GF (p^m)* satisfies h = g^l for
some l if and only if h^v = 1. The exponent l is called the discrete logarithm of h (with respect to the base
g). The discrete logarithm is an integer modulo v.

A.3.5.6. Field extensions

Given two extensions K = GF (p^n) and L = GF (p^m), L is an extension of K if and only if n | m. For pairing-
based cryptography we often require that K be embedded in the extension L. This is defined in A.6.7.

A.4. Extension Fields: Algorithms

The following algorithms perform operations in a finite field GF (p^m) having p^m elements. The elements of
GF (p^m) are represented by a polynomial basis modulo the irreducible polynomial f (t).

A.4.1. Exponentiation

Exponentiation can be performed efficiently by the binary method outlined below.

Input: a positive integer k, a field GF (p^m) and a field element a.

Output: a^k.

1. Let k = k_r k_{r–1} ... k_1 k_0 be the binary representation of k, where the most significant bit k_r of k is 1.
2. Set x ← a.
3. For i from r – 1 downto 0 do
 3.1 Set x ← x^2.
 3.2 If k_i = 1 then set x ← a x.
4. Output x.

There are several modifications that improve the performance of this algorithm. These methods are
summarized in [Gor98].

A.4.2. Division

The quotient a/b can be computed directly (i.e. in one step by an algorithm with inputs a and b), or
indirectly (by computing the multiplicative inverse b^{–1} and then multiplying it by a). The common method
of performing division in a finite field GF (p^m) is the indirect method, using the Extended Euclidean Algorithm.

Input: two polynomials f(x), g(x) ≠ 0 over GF (p^m).

Output: d(x) = GCD (f(x), g(x)), s(x), t(x) satisfying s(x) f(x) + t(x) g(x) = d(x)

1. Set s_1(x) ← 0, s_2(x) ← 1, t_1(x) ← 1, t_2(x) ← 0
2. While g(x) ≠ 0
 2.1 Set q(x) ← ⌊f(x) / g(x)⌋, r(x) ← f(x) – g(x) q(x).
 2.2 Set s(x) ← s_2(x) – q(x) s_1(x), t(x) ← t_2(x) – q(x) t_1(x)
 2.3 Set f(x) ← g(x), g(x) ← r(x)
 2.4 Set s_2(x) ← s_1(x), s_1(x) ← s(x), t_2(x) ← t_1(x), t_1(x) ← t(x)
3. Set d(x) ← f(x), s(x) ← s_2(x), t(x) ← t_2(x).
4. Output d(x), s(x), t(x)

When d(x) = 1, the output t(x) is the multiplicative inverse of g(x) modulo f(x). By ⌊f(x) / g(x)⌋ is meant
the quotient upon polynomial division, dropping any remainder.

A.4.3. Squares

To determine whether a given element is a square, the Legendre symbol can be computed as follows:

Input: f(x), g(x) ≠ 0 over GF (p^m), where g(x) is irreducible

Output: the Legendre-Kronecker-Jacobi symbol (f(x) / g(x))

1. Set k ← 1
2. While deg(g) ≠ 0
 2.1 If f(x) = 0, return 0
 2.2 Set a ← the leading coefficient of f(x)
 2.3 Set f(x) ← f(x) / a
 2.4 If deg(g) ≡ 1 (mod 2) then set k ← k · (a / p)
 2.5 If p^deg(g) ≡ 3 (mod 4) and deg(g) · deg(f) ≡ 1 (mod 2) then set k ← –k
 2.6 Set r(x) ← f(x), f(x) ← g(x) mod r(x), g(x) ← r(x)
3. Return k

A.5. Square Roots

To compute a square root in a finite field, the Tonelli-Shanks algorithm is used.

Input: an element a ∈ GF (q) where q = p^k

Output: an element x ∈ GF (q) such that a = x^2, or ‘quadratic non-residue’ if a is not a square.

1. Write q – 1 = 2^e v with v odd
2. Choose n ∈ GF (q) until (n / q) = –1. Set z ← n^v
3. Set y ← z, r ← e, x ← a^((v–1)/2), b ← a x^2, x ← a x
4. If b = 1, return x; otherwise find the smallest integer m such that b^(2^m) = 1. If m = r return ‘a is a quadratic non-residue’
5. Set t ← y^(2^(r–m–1)), y ← t^2, r ← m, x ← x t, b ← b y and go to (4)

Notes: p, k, q, e, v, r, m are integers

a, x, n, z, y, b, t are elements of GF (q)

(n / q) can be computed by forming n^((q–1)/2)
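
As an added example (not the draft's own code), here is the procedure above specialised to the prime-field case k = 1, so that GF (q) is the integers modulo a prime q > 2 and (n / q) is computed as n^((q–1)/2) as the note says. The function names `legendre` and `tonelli_shanks` are the example's; the step numbers in the comments are the draft's.

```python
# Added example, not part of the draft: Tonelli-Shanks square roots in
# GF(q) for prime q > 2 (the k = 1 case of A.5), plus the Legendre symbol
# by Euler's criterion. The invariant x^2 = a b holds throughout steps 4-5.

def legendre(n, q):
    """(n / q): 1 for a nonzero square, -1 for a non-square, 0 when q divides n."""
    s = pow(n % q, (q - 1) // 2, q)
    return -1 if s == q - 1 else s

def tonelli_shanks(a, q):
    """Return x with x^2 = a (mod q), or None if a is a quadratic non-residue."""
    a %= q
    if a == 0:
        return 0
    # 1. q - 1 = 2^e v with v odd
    e, v = 0, q - 1
    while v % 2 == 0:
        e, v = e + 1, v // 2
    # 2. any non-square n; z = n^v then has order exactly 2^e
    n = 2
    while legendre(n, q) != -1:
        n += 1
    z = pow(n, v, q)
    # 3. b = a^v (order a power of 2), x = a^((v+1)/2), so x^2 = a b
    y, r = z, e
    x = pow(a, (v - 1) // 2, q)
    b = a * x * x % q
    x = a * x % q
    while True:
        # 4. b = 1 means x^2 = a; otherwise b has order 2^m for some m <= r
        if b == 1:
            return x
        m, c = 0, b
        while c != 1 and m < r:
            c = c * c % q
            m += 1
        if m == r:
            return None                  # 'a is a quadratic non-residue'
        # 5. y^(2^(r-m-1)) has order 2^(m+1); multiplying b by its square lowers b's order
        t = pow(y, 1 << (r - m - 1), q)
        y = t * t % q
        r = m
        x = x * t % q
        b = b * y % q

if __name__ == "__main__":
    # y^2 = 3 and y^2 = 10 come from x = 1 and x = 10 on the GF(13) curve of A.7.1.1
    print(tonelli_shanks(3, 13), tonelli_shanks(10, 13))   # a root of each: 4 or 9, 6 or 7
    print(tonelli_shanks(2, 13))                           # None: 2 is a non-residue mod 13
    print(tonelli_shanks(5, 41))                           # q - 1 = 2^3 * 5 exercises step 5 twice
```

For q ≡ 3 (mod 4) the loop in step 4 never runs (e = 1, so b = a^v = a^((q–1)/2) is already 1 for a square), which is why the direct formula x = a^((q+1)/4) suffices there; the general loop is what handles q = 41 in the last call.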

A.5.1. Trace in Binary Field Extension

If α is an element of GF (2^m), the trace of α is

 Tr (α) = α + α^2 + α^(2^2) + ... + α^(2^(m–1)).

The value of Tr (α) is 0 for half the elements of GF (2^m), and 1 for the other half.
The trace can be computed efficiently as follows.

The basic algorithm inputs α ∈ GF (2^m) and outputs T = Tr (α).

1. Set T ← α.
2. For i from 1 to m – 1 do
 2.1 T ← T^2 + α.
3. Output T.

If many traces are to be computed with respect to a fixed polynomial basis

 {t^(m–1), …, t, 1},

then it is more efficient to compute and store the element

 τ = (τ_(m–1) … τ_1 τ_0)

where each coordinate

 τ_j = Tr (t^j)

is computed via the basic algorithm. Subsequent traces can be computed via

 Tr (α) = α · τ,

where the “dot product” of the bit strings is the sum modulo 2 of their bitwise AND (or bitwise multiplication).

A.5.2. Half-Trace in Binary Fields

If m is odd, the half-trace of α ∈ GF (2^m) is

 HfTr (α) = α + α^(2^2) + α^(2^4) + ... + α^(2^(m–1)).

The following algorithm inputs α ∈ GF (2^m) and outputs H = HfTr (α).

1. Set H ← α.
2. For i from 1 to (m – 1)/2 do
 2.1 H ← H^2.
 2.2 H ← H^2 + α.
3. Output H.

A.5.3. Solving Quadratic Equations over GF (2^m)

If β is an element of GF (2^m), then the equation

 z^2 + z = β

has 2 – 2T solutions over GF (2^m), where T = Tr (β). Thus, there are either 0 or 2 solutions. If z is one
solution, then the other solution is z + 1. In the case β = 0, the solutions are 0 and 1.
The following algorithms compute a solution if one exists.

Input: a field GF (2^m) along with a polynomial or normal basis for representing its elements; an element
β ≠ 0.

Output: an element z for which z^2 + z = β, if such an element exists.

If m is odd, then compute z := half-trace of β via A.5.2. For m even, proceed as follows.

1. Choose random ρ ∈ GF (2^m)
2. Set z ← 0 and w ← ρ.
3. For i from 1 to m – 1 do
 3.1 Set z ← z^2 + w^2 β.
 3.2 Set w ← w^2 + ρ.
4. If w = 0 then go to Step 1
5. Output z.

If the latter algorithm is to be used repeatedly for the same field, and memory is available, then it is more
efficient to precompute and store ρ and the values of w. Any element of trace 1 will serve as ρ, and the
values of w depend only on ρ and not on β.

The above algorithm produces a solution z provided that one exists. If it is unknown whether a solution
exists, then the output z should be checked by comparing γ := z^2 + z with β. If γ = β, then z is a solution;
otherwise no solutions exist.

A.6. Polynomials over a Finite Field

The computations below can take place either over a prime field (having a prime number p of elements) or
over a binary field (having 2^m elements).

A.6.1. Exponentiation Modulo a Polynomial

If k is a positive integer and f(t) and m(t) are polynomials with coefficients in the field GF (q), then f(t)^k
mod m(t) can be computed efficiently by the binary method outlined below.

Input: a positive integer k, a field GF (q), and polynomials f(t) and m(t) with coefficients in GF (q).

Output: the polynomial f(t)^k mod m(t).

1. Let k = k_r k_{r–1} ... k_1 k_0 be the binary representation of k, where the most significant bit k_r of k is 1.
2. Set u(t) ← f(t) mod m(t).
3. For i from r – 1 downto 0 do
 3.1 Set u(t) ← u(t)^2 mod m(t).
 3.2 If k_i = 1 then set u(t) ← u(t) f(t) mod m(t).
4. Output u(t).

There are several modifications that improve the performance of this algorithm. These methods are
summarized in [Gor98].

A.6.2. G.C.D.'s over a Finite Field

If f(t) and g(t) ≠ 0 are two polynomials with coefficients in the field GF (q), then there is a unique monic
polynomial d(t) of largest degree which divides both f(t) and g(t). The polynomial d(t) is called the
greatest common divisor or G.C.D. of f(t) and g(t). The following algorithm computes the G.C.D. of two
polynomials.

Input: a finite field GF (q) and two polynomials f(t), g(t) ≠ 0 over GF (q).
Output: d(t) = GCD (f(t), g(t)).

1. Set a(t) ← f(t), b(t) ← g(t).
2. While b(t) ≠ 0
 2.1 Set c(t) ← the remainder when a(t) is divided by b(t).
 2.2 Set a(t) ← b(t).
 2.3 Set b(t) ← c(t).
3. Set α ← the leading coefficient of a(t).
4. Set d(t) ← α^{–1} a(t).
5. Output d(t).

A.6.3. Factoring Polynomials over GF (p) (Special Case)

Let f(t) be a polynomial with coefficients in the field GF (p), and suppose that f(t) factors into distinct
irreducible polynomials of degree d. (This is the special case needed in A.10.) The following algorithm
finds a random degree-d factor of f(t) efficiently.

Input: a prime p > 2, a positive integer d, and a polynomial f(t) which factors modulo p into distinct
irreducible polynomials of degree d.

Output: a random degree-d factor of f(t).

1. Set g(t) ← f(t).
2. While deg(g) > d
 2.1 Choose u(t) ← a random monic polynomial of degree 2d – 1.
 2.2 Compute via A.6.1.
 c(t) := u(t)^((p^d – 1)/2) mod g(t).
 2.3 Set h(t) ← GCD (c(t) – 1, g(t)).
 2.4 If h(t) is constant or deg(g) = deg(h) then go to Step 2.1.
 2.5 If 2 deg(h) > deg(g) then set g(t) ← g(t) / h(t); else g(t) ← h(t).
3. Output g(t).

A.6.4. Factoring Polynomials over GF (2) (Special Case)

Let f(t) be a polynomial with coefficients in the field GF (2), and suppose that f(t) factors into distinct
irreducible polynomials of degree d. (This is the special case needed in A.10.) The following algorithm
finds a random degree-d factor of f(t) efficiently.

Input: a positive integer d, and a polynomial f(t) which factors modulo 2 into distinct irreducible
polynomials of degree d.

Output: a random degree-d factor of f(t).

1. Set g(t) ← f(t).
2. While deg(g) > d
 2.1 Choose u(t) ← a random monic polynomial of degree 2d – 1.
 2.2 Set c(t) ← u(t).
 2.3 For i from 1 to d – 1 do
 2.3.1 c(t) ← c(t)^2 + u(t) mod g(t).
 2.4 Compute h(t) := GCD (c(t), g(t)) via A.6.2.
 2.5 If h(t) is constant or deg(g) = deg(h) then go to Step 2.1.
 2.6 If 2 deg(h) > deg(g) then set g(t) ← g(t) / h(t); else g(t) ← h(t).
3. Output g(t).

A.6.5. Checking Polynomials over GF (2^r) for Irreducibility

If f(t) is a polynomial with coefficients in the field GF (2^r), then f(t) can be tested efficiently for
irreducibility using the following algorithm.

Input: a polynomial f(t) with coefficients in GF (2^r).

Output: the message “True” if f(t) is irreducible; the message “False” otherwise.

1. Set d ← degree of f(t).
2. Set u(t) ← t.
3. For i from 1 to ⌊d/2⌋ do
 3.1 For j from 1 to r do
 Set u(t) ← u(t)^2 mod f(t)
 Next j
 3.2 Set g(t) ← GCD (u(t) + t, f(t)).
 3.3 If g(t) ≠ 1 then output “False” and stop.
4. Output “True.”
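
As an added example (not the draft's code), the following Python serves both the binary-field algorithms of A.5.1 to A.5.3 and the polynomial algorithms of A.6.2 and A.6.5 (with r = 1, i.e. coefficients in GF (2)), since all of them reduce to the same GF (2)[t] multiply-and-reduce step. Binary polynomials are held as Python ints with bit i the coefficient of t^i; the sample field polynomials t^3 + t + 1 and t^4 + t + 1 are constructed for the example, and the `gf2_*`/`gf2m_*` names are its own.

```python
# Added example, not part of the draft: binary polynomials as Python ints
# (bit i = coefficient of t^i), GF(2^m) = GF(2)[t]/(f(t)) for an irreducible
# f of degree m, and the algorithms of A.5.1 (trace), A.5.2 (half-trace),
# A.5.3 (solving z^2 + z = beta), A.6.2 (GCD) and A.6.5 (irreducibility, r = 1).

def gf2_deg(a):
    """Degree of a binary polynomial; -1 for the zero polynomial."""
    return a.bit_length() - 1

def gf2_mod(a, f):
    """Remainder of a on division by f: long division over GF(2) is repeated XOR."""
    df = gf2_deg(f)
    while gf2_deg(a) >= df:
        a ^= f << (gf2_deg(a) - df)
    return a

def gf2_mulmod(a, b, f):
    """a(t) b(t) mod f(t) by shift-and-add, reducing after every shift."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a = gf2_mod(a << 1, f)
    return r

def gf2_gcd(a, b):
    """Euclid's algorithm of A.6.2; over GF(2) every nonzero polynomial is already monic."""
    while b:
        a, b = b, gf2_mod(a, b)
    return a

def gf2_is_irreducible(f):
    """A.6.5 with r = 1: f is irreducible iff gcd(t^(2^i) + t, f) = 1 for 1 <= i <= deg(f)/2."""
    d = gf2_deg(f)
    if d < 1:
        return False
    t = 0b10
    u = t
    for _ in range(d // 2):
        u = gf2_mulmod(u, u, f)              # u <- u^2 mod f, so u = t^(2^i)
        if gf2_gcd(u ^ t, f) != 1:           # u + t equals u - t in characteristic 2
            return False
    return True

def gf2m_trace(alpha, f):
    """Tr(alpha) = alpha + alpha^2 + ... + alpha^(2^(m-1)), basic algorithm of A.5.1."""
    T = alpha
    for _ in range(gf2_deg(f) - 1):
        T = gf2_mulmod(T, T, f) ^ alpha
    return T

def gf2m_half_trace(alpha, f):
    """HfTr(alpha) for odd m (A.5.2): each round maps H to H^4 + alpha."""
    m = gf2_deg(f)
    if m % 2 == 0:
        raise ValueError("the half-trace is defined for odd m only")
    H = alpha
    for _ in range((m - 1) // 2):
        H = gf2_mulmod(H, H, f)
        H = gf2_mulmod(H, H, f) ^ alpha
    return H

def gf2m_solve_quadratic(beta, f):
    """A.5.3: some z with z^2 + z = beta, or None when none exists (Tr(beta) = 1)."""
    m = gf2_deg(f)
    if m % 2 == 1:
        z = gf2m_half_trace(beta, f)
    else:
        rho = 1      # the draft picks rho at random; any rho of trace 1 works, so scan 1, 2, 3, ...
        while True:
            z, w = 0, rho
            for _ in range(m - 1):
                z = gf2_mulmod(z, z, f) ^ gf2_mulmod(gf2_mulmod(w, w, f), beta, f)
                w = gf2_mulmod(w, w, f) ^ rho
            if w != 0:      # w now equals Tr(rho); w = 0 sends the draft back to step 1
                break
            rho += 1
    # Existence is not known in advance, so verify z^2 + z = beta as the draft advises.
    return z if gf2_mulmod(z, z, f) ^ z == beta else None

if __name__ == "__main__":
    f8, f16 = 0b1011, 0b10011         # t^3 + t + 1 and t^4 + t + 1, constructed sample field polynomials
    print(gf2_is_irreducible(f8), gf2_is_irreducible(0b1111))   # True False: 0b1111 = (t + 1)^3
    print(gf2m_trace(1, f8), gf2m_solve_quadratic(0b010, f8))   # 1 4: z = t^2 solves z^2 + z = t
    print(gf2m_solve_quadratic(0b1000, f16))                    # None: Tr(t^3) = 1 in GF(2^4)
```

The final check in `gf2m_solve_quadratic` is the γ = z^2 + z comparison the draft prescribes when it is not known whether a solution exists; for the even-degree field GF (2^4) the scan finds ρ = t^3 as the first element of trace 1.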

A.6.6. Finding a Root in GF (2^m) of an Irreducible Binary Polynomial

If f(t) is an irreducible polynomial modulo 2 of degree d dividing m, then f(t) has d distinct roots in the field
GF (2^m). A random root can be found efficiently using the following algorithm.

Input: an irreducible polynomial f(t) modulo 2 of degree d, and a field GF (2^m), where d divides m.

Output: a random root of f(t) in GF (2^m).

1. Set g(t) ← f(t) (g(t) is a polynomial over GF (2^m)).
2. While deg(g) > 1
 2.1 Choose random u ∈ GF (2^m).
 2.2 Set c(t) ← ut.
 2.3 For i from 1 to m – 1 do
 2.3.1 c(t) ← c(t)^2 + ut mod g(t).
 2.4 Set h(t) ← GCD (c(t), g(t)).
 2.5 If h(t) is constant or deg(g) = deg(h) then go to Step 2.1.
 2.6 If 2 deg(h) > deg(g) then set g(t) ← g(t) / h(t); else g(t) ← h(t).
3. Output g(0).

A.6.7. Embedding in an Extension Field

Given a field F = GF (p^d), the following algorithm embeds F into an extension field K = GF (p^(de)).

Input: integers d and e; a polynomial basis B for F = GF (p^d) with field polynomial f(t); a polynomial
basis for K = GF (p^(de)).

Output: an embedding of F into K; that is, a function taking each a ∈ F to a corresponding element b of
K.

1. Compute via A.6.6. a root λ ∈ K of f(t).
2. Output

 b := a_{m–1} λ^{m–1} + … + a_2 λ^2 + a_1 λ + a_0,

 where (a_{m–1} … a_1 a_0) is the m-tuple representing a with respect to B.

A.7. Elliptic Curves: Overview

A.7.1. Introduction

A plane curve is defined to be the set of points satisfying an equation F (x, y) = 0. The simplest plane
curves are lines (whose defining equation has degree 1 in x and y) and conic sections (degree 2 in x and y).
The next simplest are the cubic curves (degree 3). These include elliptic curves, so called because they
arose historically from the problem of computing the circumference of an ellipse. This Standard restricts its
attention to cubic plane curves, although other representations could be defined. (The coefficients of such a
curve must satisfy a side condition to guarantee the mathematical property of nonsingularity. The side
condition is given below for each family of curves.)

An elliptic curve is a non-singular (smooth) algebraic curve of genus one with a defined point. The set of
points on an elliptic curve is topologically equivalent to a torus – a surface with one hole in it – and,
simplistically, the number of holes in a surface is the definition of the term genus. Elliptic curves should
strictly be written as a pair (E, O) where E is the curve and O the defined point. However, O is invariably
taken to be the point at infinity and the elliptic curve is often simply referred to as E. (Note: see [Sil86] for
a mathematically precise definition of “elliptic curve.”)

In cryptography, the elliptic curves of interest are those defined over finite fields. That is, the coefficients
of the defining equation F (x, y) = 0 are elements of GF (q), and the points on the curve are of the form P =
(x, y), where x and y are elements of GF (q). Examples are given below.

A.7.1.1. The Weierstrass equation

There are several kinds of defining equations for elliptic curves, but the most common are the Weierstrass
equations. This standard will be concerned with both ordinary and supersingular curves. The general
equation of an elliptic curve is

 y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6

If we let p denote the characteristic of K, the equation can be simplified for different values of p.

— For the finite fields GF (p^m) with p > 3, the standard Weierstrass equation for ordinary curves is

 y^2 = x^3 + ax + b

 where a and b are integers modulo p for which 4a^3 + 27b^2 ≢ 0 (mod p).

— For the binary finite fields GF (2^m), the standard Weierstrass equation for ordinary curves is

 y^2 + xy = x^3 + ax^2 + b

 where a and b are elements of GF (2^m) with b ≠ 0.

— One can also define the following supersingular curves. We define these by giving the base field,
 then the “embedding degree” k (which will be used later), followed by the equation of the curve. We
 will only be interested in even embedding degree curves.
 • GF (2^s), k = 2, s even
 y^2 + y = x^3 + δx
 where Tr (δ) ≠ 0
 • GF (2^s), k = 2, s odd
 y^2 + y = x^3
 • GF (3^s) with k = 2
 y^2 = x^3 + ax + b if j = 0
 y^2 = x^3 + ax^2 + b if j ≠ 0
 • GF (p) with p > 3, k = 2
 y^2 = x^3 + ax + b
 o If p ≡ 3 (mod 4) then b = 0 and –a is not a square mod p
 o If p ≡ 5 (mod 6) then a = 0
 o If p ≡ 1 (mod 12) then a = 3mc^2, b = 2mc^3, where m = j / (1728 – j) and c ∈ GF (p)×
 • GF (2^s), k = 4
 y^2 + y = x^3 + x + b
 for b = 0 or 1
 • GF (3^s), k = 6
 y^2 = x^3 – x + b
 for b = 0 or 1

[NB. Include the SS forms here]

Given a Weierstrass equation, the elliptic curve E consists of the solutions (x, y) over GF (q) to the defining
equation, along with an additional element called the point at infinity (denoted O). The points other than O
are called finite points. The number of points on E (including O) is called the order of E and is denoted by
#E (GF (q)).

Example: Let E be the curve

 y^2 = x^3 + 10x + 5

over the field GF (13). Then the points on E are

 {O, (1,4), (1,9), (3,6), (3,7), (8,5), (8,8), (10,0), (11,4), (11,9)}.

Thus the order of E is #E (GF (13)) = 10.

Example: Let E be the curve

 y^2 + xy = x^3 + (t + 1) x^2 + 1

over the field GF (2^3) given by the polynomial basis with field polynomial t^3 + t + 1 = 0. Then the points
on E are

 {O, ((000), (001)),
 ((010), (100)), ((010), (110)), ((011), (100)), ((011), (111)),
 ((100), (001)), ((100), (101)), ((101), (010)), ((101), (111)),
 ((110), (000)), ((110), (110)), ((111), (001)), ((111), (110))}.

Thus the order of E is #E (GF (2^3)) = 14.

For more information on elliptic curve cryptography, see [Bla99].

A.7.1.2. Orders

The order of a point P on an elliptic curve is the smallest positive integer r such that rP = O. The order
always exists and divides the order of the curve #E (GF (q)). If k and l are integers, then kP = lP if and only
if k ≡ l (mod r).

A.7.1.3. Pairings

The primitives defined in the body of this standard use the general concept of a pairing. Here, we define a
pairing e as a bilinear map between elements of two finite, cyclic, additive groups, G1 and G2, to a third
finite, cyclic group GT defined multiplicatively:

 e: G1 × G2 → GT

Both of G1 and G2 are of prime order r, as is GT. The bilinear property is such that

 For all P, P′ ∈ G1 and all Q, Q′ ∈ G2, e(P + P′, Q) = e(P, Q) e(P′, Q) and e(P, Q + Q′) = e(P, Q) e(P, Q′)

We also impose the condition that the map be non-degenerate, i.e.:

 For all 0 ≠ P ∈ G1 there exists Q ∈ G2 such that e(P, Q) ≠ 1 and

 For all 0 ≠ Q ∈ G2 there exists P ∈ G1 such that e(P, Q) ≠ 1

For cryptographic use, the groups G1 and G2 over which the pairings are defined are sub-groups of points
on an elliptic curve.

Elliptic curves fall into two general categories: supersingular curves and ordinary curves. The former are
curves where the kernel of the ‘multiplication by p’ map (where p is the characteristic of K) is trivial.
Supersingular curves were the first to be considered for use in pairing-based cryptography because they
possess maps (non-F_q-rational endomorphisms) that prove useful in constructing the Tate pairing.

The first pairing-based cryptosystems used the Weil and Tate pairings on supersingular curves. Further
research in pairing-based cryptography has led to a range of suitable pairings and families of curves. Apart
from supersingular curves, all the curve families are of ordinary curves. The primary factors that dictate
which pairing and curve to use are the efficiency of computations and the security level. As with most
cryptography, increasing levels of security can be obtained by increasing the size of the field over which
the operations are defined, but not all curve-pairing combinations have the same relationship between
security and efficiency. To give some guidance for the best choices, section A.13.1. suggests some
appropriate system parameters for different levels of security and section A.13.2. suggests appropriate
combinations of pairings and curves.

A.7.1.4. Twists

For a field K, if char (K) ≠ 2, 3, we define quadratic, quartic and sextic twists of E(K) as follows. Let

 E: y^2 = x^3 + Ax + B

Case 1: if A, B ≠ 0, there are quadratic twists only. By giving a value D one can define the twist, producing
 the curve
 E′: y^2 = x^3 + D^2 Ax + D^3 B
 Essentially there are two such values of D, one producing the original curve and one producing the
 quadratic twist.
Case 2: if B = 0, there are quartic twists and quadratic twists only. By giving a value D one can define the
 quartic twists by
 E′: y^2 = x^3 + DAx
 There are essentially four such values of D, which produce non-isomorphic curves over the base
 field. One of these produces the same curve, two the quartic twists and the remaining one produces
 the quadratic twist of E.
Case 3: if A = 0, there are sextic twists and quadratic twists only. By giving a suitable value of D one can
 define the twists via
 E′: y^2 = x^3 + DB
 There are essentially six such values of D: one produces the curve itself, one produces the quadratic
 twist, two produce a cubic twist, whilst the remaining two produce sextic twists.

A.7.2. Operations on Elliptic Curves

There is an addition operation on the points of an elliptic curve which possesses the algebraic properties of
ordinary addition (e.g. commutativity and associativity). This operation can be described geometrically as
follows.

Define the inverse of the point P = (x, y) to be

 –P = (x, –y) if p ≥ 3
 –P = (x, x + y) if q = 2^m and E is ordinary
 –P = (x, c + y) if q = 2^m and E is supersingular

Then the sum P + Q of the points P and Q is the point R with the property that P, Q, and –R lie on a
common line.

A.7.2.1. The point at infinity

The point at infinity O plays a role analogous to that of the number 0 in ordinary addition. Thus

 P + O = P,
 P + (–P) = O

for all points P.

A.7.2.2. Full addition

When implementing the formulae for elliptic curve addition, it is necessary to distinguish between
doubling (adding a point to itself) and adding two distinct points that are not inverses of each other,
because the formulae are different in the two cases. Besides this, there are also the special cases involving
O. By full addition is meant choosing and implementing the appropriate formula for the given pair of
points. Algorithms for full addition are given in A.8.1., A.8.2., A.8.3. and A.8.9.

A.7.2.3. Scalar multiplication

Elliptic curve points can be added but not multiplied. It is, however, possible to perform scalar
multiplication, which is another name for repeated addition of the same point. If n is a positive integer and
P a point on an elliptic curve, the scalar multiple nP is the result of adding n copies of P. Thus, for
example, 5P = P + P + P + P + P.

The notion of scalar multiplication can be extended to zero and the negative integers via

 0P = O, (–n) P = n (–P).
A.7.3. Curve Orders

Finding a base point of prime order requires knowledge of the curve order n = #E (GF (q)). Since r must
divide n, one has the following problem: given a field F = GF (q), find an elliptic curve defined over F
whose order is divisible by a sufficiently large prime r. (Note that “sufficiently large” is defined in terms of
the desired security; see A.13.1.) This section discusses this problem.

A.7.3.1. Basic facts

— If n is the order of an elliptic curve over GF (q), then the Hasse bound is

 q – 2√q + 1 ≤ n ≤ q + 2√q + 1.

 Thus the order of an elliptic curve over GF (q) is approximately q.

— If q is a prime p, let n be the order of the curve y^2 = x^3 + ax + b, where a and b are both nonzero.
 Then if λ ≠ 0, the order of the curve y^2 = x^3 + aλ^2 x + bλ^3 is n if λ is a square modulo p and
 2p + 2 – n otherwise. (This fact allows one to replace a given curve by one with the same order and
 satisfying some extra condition, such as a = p – 3 which will be used in A.8.5.) In the case b = 0,
 there are four possible orders; in the case a = 0, there are six. (The formulae for these orders can be
 found in Step 6 of A.10.2.3.)
— If q = 2^m, let n be the order of the curve y^2 + xy = x^3 + ax^2 + b, where a and b are both nonzero.
 Then if λ ≠ 0, the order of the curve y^2 + xy = x^3 + (a + λ) x^2 + b is n if λ has trace 0 and
 2^(m+1) + 2 – n otherwise (see A.5.1.). (This fact allows one to replace a given curve by one with the
 same order and satisfying some extra condition, such as a = 0 which will be used in A.8.8.)
— If q = 2^m, then the curves y^2 + xy = x^3 + ax^2 + b and y^2 + xy = x^3 + a^2 x^2 + b^2 have the same order.

A.7.3.2. Near primality

Given a trial division bound l_max, the positive integer k is called smooth if every prime divisor of k is at most
l_max. Given large positive integers r_min and r_max, u is called nearly prime if u = kr for some prime r in the
interval r_min ≤ r ≤ r_max and some smooth integer k. (The requirement that k be smooth is omitted in most
definitions of near primality. It is included here to guarantee that there exists an efficient algorithm to
check for near primality.) In the case in which a prime order curve is desired, the bound l_max is set to 1.

NOTE—Since all elliptic curves over GF (q) have order at most u_max = q + 2√q + 1, r_max should be no greater
than u_max. (If no maximum is desired, e.g., as in draft ANSI X9.62 [ANS98e], then one takes r_max ← u_max.) Moreover, if
r_min is close to u_max, then there will be a small number of possible curves to choose from, so that finding a suitable one
will be more difficult. If a prime-order curve is desired, a convenient choice is r_min = q + √q.

A.7.4. Representation of Points

This section discusses the issues involved in choosing representations for points on elliptic curves, for
purposes of internal computation and for external communication.

A.7.4.1. Affine coordinates

A finite point on E is specified by two elements x, y in GF (q) satisfying the defining equation for E. These
are called the affine coordinates for the point. The point at infinity O has no affine coordinates. For
purposes of internal computation, it is most convenient to represent O by a pair of coordinates (x, y) not on
E. For q = 2^m, the simplest choice is O = (0,0). For q = p^m, one chooses O = (0, 0) unless b = 0, in which
case O = (0, 1).

A.7.4.2. Coordinate compression

The affine coordinates of a point require 2ml bits to store and transmit, where q itself requires l bits to
represent it. This is far more than is needed, however. For purposes of external communication, therefore,
it can be advantageous to compress one or both of the coordinates.

The y coordinate can always be compressed. The compressed y coordinate, denoted ỹ, is a single bit,
defined as follows.

— if q is a power of an odd prime, then ỹ := y mod 2, where y is interpreted as a positive integer less
 than q. Put another way, ỹ is the rightmost bit of y.
— if q is a power of 2, then ỹ is the rightmost bit of the field element y x^{–1} (except when x = 0, in
 which case ỹ := 0).

NOTES

1—Algorithms for decompressing coordinates are given in A.8.11. and A.8.12.

2—There are many other possible ways to compress coordinates; the methods given here are the ones that have
appeared in the literature (see [Men95], [Ser98]).

A.7.4.3. Projective coordinates

If division within GF (q) is relatively expensive, then it may pay to keep track of numerators and
denominators separately. In this way, one can replace division by λ with multiplication of the denominator
by λ. This is accomplished by the projective coordinates X, Y, and Z, given by

 x = X / Z^2, y = Y / Z^3.

The projective coordinates of a point are not unique because

 (X, Y, Z) = (λ^2 X, λ^3 Y, λZ)

for every nonzero λ ∈ GF (q).

The projective coordinates of the point at infinity are (λ^2, λ^3, 0), where λ ≠ 0.

Other kinds of projective coordinates exist, but the ones given here provide the fastest arithmetic on elliptic
curves. (See [CC87].)

The formulae above provide the method for converting a finite point from projective coordinates to affine.
To convert from affine to projective, one proceeds as follows.

 X ← x, Y ← y, Z ← 1.

Projective coordinates are well suited for internal computation, but not for external communication since
they require so many bits. They are more common over GF (p) since division tends to be more expensive
there.

A.8. Elliptic Curves: General Algorithms

A.8.1. Full Addition and Subtraction (prime case)

The following algorithm implements a full addition (on a curve over a field of odd characteristic) in terms of affine coordinates. Note that this algorithm can also be used for supersingular curves of characteristic 3, which have the same form y^2 = x^3 + ax + b; there the term 3x1^2 in Step 6 vanishes.

Input: a field K = GF(p^n) for p > 3; coefficients a, b for an elliptic curve E: y^2 = x^3 + ax + b over K; points P0 = (x0, y0) and P1 = (x1, y1) on E.

Output: the point P2 := P0 + P1.

1. If P0 = O then output P2 ← P1 and stop.
2. If P1 = O then output P2 ← P0 and stop.
3. If x0 ≠ x1 then
   3.1 set λ ← (y0 – y1) / (x0 – x1) in K
   3.2 go to Step 7.
4. If y0 ≠ y1 then output P2 ← O and stop.
5. If y1 = 0 then output P2 ← O and stop.
6. Set λ ← (3x1^2 + a) / (2y1) in K.
7. Set x2 ← λ^2 – x0 – x1.
8. Set y2 ← (x1 – x2) λ – y1.
9. Output P2 ← (x2, y2).

The above algorithm requires 3 or 4 field multiplications and a field inversion (when K = GF(p), these are modular multiplications and a modular inversion).

To subtract the point P = (x, y), one adds the point –P = (x, –y).

A.8.2. Full Addition and Subtraction (binary case)

The following algorithm implements a full addition (on an ordinary curve over GF(2^m)) in terms of affine coordinates.

Input: a field GF(2^m); coefficients a, b for an elliptic curve E: y^2 + xy = x^3 + ax^2 + b over GF(2^m); points P0 = (x0, y0) and P1 = (x1, y1) on E.

Output: the point P2 := P0 + P1.

1. If P0 = O, then output P2 ← P1 and stop.
2. If P1 = O, then output P2 ← P0 and stop.
3. If x0 ≠ x1 then
   3.1 set λ ← (y0 + y1) / (x0 + x1)
   3.2 set x2 ← a + λ^2 + λ + x0 + x1
   3.3 go to Step 7.
4. If y0 ≠ y1 then output P2 ← O and stop.
5. If x1 = 0 then output P2 ← O and stop.
6. Set
   6.1 λ ← x1 + y1 / x1
   6.2 x2 ← a + λ^2 + λ
7. y2 ← (x1 + x2) λ + x2 + y1
8. P2 ← (x2, y2)

The above algorithm requires 2 general multiplications, a squaring, and a multiplicative inversion.

To subtract the point P = (x, y), one adds the point –P = (x, x + y).

A.8.3. Full Addition and Subtraction (supersingular curves in characteristic 2)

The following algorithm implements a full addition (on a supersingular curve over GF(2^m)) in terms of affine coordinates.

Input: a field GF(2^m); coefficients a, b for an elliptic curve E: y^2 + y = x^3 + ax + b over GF(2^m); points P0 = (x0, y0) and P1 = (x1, y1) on E.

Output: the point P2 := P0 + P1.

1. If P0 = O, then output P2 ← P1 and stop.
2. If P1 = O, then output P2 ← P0 and stop.
3. If x0 ≠ x1 then
   3.1 set λ ← (y0 + y1) / (x0 + x1)
   3.2 set x2 ← λ^2 + x0 + x1
   3.3 go to Step 6.
4. If y0 ≠ y1 then output P2 ← O and stop.
5. Set
   5.1 λ ← a + x1^2
   5.2 x2 ← λ^2
6. y2 ← (x1 + x2) λ + y1 + 1
7. P2 ← (x2, y2)

Unlike the ordinary case, no finite point of E has order 2: the two points with abscissa x are (x, y) and (x, y + 1), since y^2 + y = (y + 1)^2 + (y + 1), so doubling never yields O and no test on x1 is needed.

The above algorithm requires 2 general multiplications, a squaring, and a multiplicative inversion.

To subtract the point P = (x, y), one adds the point –P = (x, y + 1).

A.8.4. Elliptic Scalar Multiplication

Scalar multiplication can be performed efficiently by the addition-subtraction method outlined below.

Input: an integer n and an elliptic curve point P.

Output: the elliptic curve point nP.

1. If n = 0 then output O and stop.
2. If n < 0 then set Q ← (–P) and k ← (–n), else set Q ← P and k ← n.
3. Let h_l h_{l–1} ... h_1 h_0 be the binary representation of 3k, where the most significant bit h_l is 1.
4. Let k_l k_{l–1} ... k_1 k_0 be the binary representation of k (padded with leading zeros to the same length).
5. Set S ← Q.
6. For i from l – 1 down to 1 do
   Set S ← 2S.
   If h_i = 1 and k_i = 0 then compute S ← S + Q via A.8.1., A.8.2. or A.8.3..
   If h_i = 0 and k_i = 1 then compute S ← S – Q via A.8.1., A.8.2. or A.8.3..
7. Output S.

The positions where the bits of 3k and k differ form a signed-digit representation of k (3k = 2k + k); on average about one third of the positions require an addition or subtraction, compared with one half for the plain double-and-add method.

There are several modifications that improve the performance of this algorithm. These methods are summarized in [Gor98].
A.8.5. Projective Elliptic Doubling (prime case)

The projective form of the doubling formula on the curve y^2 = x^3 + ax + b over GF(p^m) for p > 3 is

  2 (X1, Y1, Z1) = (X2, Y2, Z2),

where

  M = 3 X1^2 + a Z1^4,
  Z2 = 2 Y1 Z1,
  S = 4 X1 Y1^2,
  X2 = M^2 – 2S,
  T = 8 Y1^4,
  Y2 = M (S – X2) – T.

The algorithm Double given below performs these calculations.

Input: a modulus p; the coefficients a and b defining a curve E modulo p; projective coordinates (X1, Y1, Z1) for a point P1 on E.

Output: projective coordinates (X2, Y2, Z2) for the point P2 = 2P1.

1. T1 ← X1
2. T2 ← Y1
3. T3 ← Z1
4. If T2 = 0 or T3 = 0 then output (1, 1, 0) and stop.
5. If a = p – 3 then
     T4 ← T3^2
     T5 ← T1 – T4
     T4 ← T1 + T4
     T5 ← T4 × T5
     T4 ← 3 × T5                 = M
   else
     T4 ← a
     T5 ← T3^2
     T5 ← T5^2
     T5 ← T4 × T5
     T4 ← T1^2
     T4 ← 3 × T4
     T4 ← T4 + T5                = M
6. T3 ← T2 × T3
7. T3 ← 2 × T3                   = Z2
8. T2 ← T2^2
9. T5 ← T1 × T2
10. T5 ← 4 × T5                  = S
11. T1 ← T4^2
12. T1 ← T1 – 2 × T5             = X2
13. T2 ← T2^2
14. T2 ← 8 × T2                  = T
15. T5 ← T5 – T1
16. T5 ← T4 × T5
17. T2 ← T5 – T2                 = Y2
18. X2 ← T1
19. Y2 ← T2
20. Z2 ← T3

This algorithm requires 10 field multiplications and 5 temporary variables. If a is small enough that multiplication by a can be done by repeated addition, only 9 field multiplications are required. If a = p – 3, then only 8 field multiplications are required (see [CC87]). The proportion of elliptic curves modulo p that can be rescaled so that a = p – 3 is about 1/4 if p ≡ 1 (mod 4) and about 1/2 if p ≡ 3 (mod 4). (See Annex A.7.3., Basic Facts.)

A.8.6. Projective Elliptic Addition (prime case)

The projective form of the adding formula on the curve y^2 = x^3 + ax + b over GF(p^m) for p > 3 is

  (X0, Y0, Z0) + (X1, Y1, Z1) = (X2, Y2, Z2),

where

  U0 = X0 Z1^2,
  S0 = Y0 Z1^3,
  U1 = X1 Z0^2,
  S1 = Y1 Z0^3,
  W = U0 – U1,
  R = S0 – S1,
  T = U0 + U1,
  M = S0 + S1,
  Z2 = Z0 Z1 W,
  X2 = R^2 – T W^2,
  V = T W^2 – 2 X2,
  2 Y2 = V R – M W^3.

The algorithm Add given below performs these calculations.

Input: a modulus p; the coefficients a and b defining a curve E modulo p; projective coordinates (X0, Y0, Z0) and (X1, Y1, Z1) for points P0 and P1 on E, where Z0 and Z1 are nonzero.

Output: projective coordinates (X2, Y2, Z2) for the point P2 = P0 + P1, unless P0 = P1. In this case, the triplet (0, 0, 0) is returned. (The triplet (0, 0, 0) is not a valid projective point on the curve, but rather a marker indicating that routine Double should be used.)

1. T1 ← X0                       = U0 (if Z1 = 1)
2. T2 ← Y0                       = S0 (if Z1 = 1)
3. T3 ← Z0
4. T4 ← X1
5. T5 ← Y1
6. If Z1 ≠ 1 then
     T6 ← Z1
     T7 ← T6^2
     T1 ← T1 × T7                = U0 (if Z1 ≠ 1)
     T7 ← T6 × T7
     T2 ← T2 × T7                = S0 (if Z1 ≠ 1)
7. T7 ← T3^2
8. T4 ← T4 × T7                  = U1
9. T7 ← T3 × T7
10. T5 ← T5 × T7                 = S1
11. T4 ← T1 – T4                 = W
12. T5 ← T2 – T5                 = R
13. If T4 = 0 then
      If T5 = 0 then output (0, 0, 0) and stop
      else output (1, 1, 0) and stop (P0 = –P1, so P2 = O)
14. T1 ← 2 × T1 – T4             = T
15. T2 ← 2 × T2 – T5             = M
16. If Z1 ≠ 1 then
      T3 ← T3 × T6
17. T3 ← T3 × T4                 = Z2
18. T7 ← T4^2
19. T4 ← T4 × T7
20. T7 ← T1 × T7
21. T1 ← T5^2
22. T1 ← T1 – T7                 = X2
23. T7 ← T7 – 2 × T1             = V
24. T5 ← T5 × T7
25. T4 ← T2 × T4
26. T2 ← T5 – T4
27. T2 ← T2 / 2                  = Y2
28. X2 ← T1
29. Y2 ← T2
30. Z2 ← T3

NOTE—The modular division by 2 in Step 27 can be carried out in the same way as in A.2.4..

This algorithm requires 16 field multiplications and 7 temporary variables. In the case Z1 = 1, only 11 field multiplications and 6 temporary variables are required. (This is the case of interest for elliptic scalar multiplication.)

A.8.7. Projective Elliptic Doubling (binary case)

The projective form of the doubling formula on the curve y^2 + xy = x^3 + ax^2 + b over GF(2^m) uses, not the coefficient b, but rather the field element

  c := b^{2^{m–2}},

computed from b by m – 2 squarings. (Thus b = c^4.) The formula is

  2 (X1, Y1, Z1) = (X2, Y2, Z2),

where

  Z2 = X1 Z1^2,
  X2 = (X1 + c Z1^2)^4,
  U = Z2 + X1^2 + Y1 Z1,
  Y2 = X1^4 Z2 + U X2.

The algorithm Double given below performs these calculations.

Input: a field of 2^m elements; the field elements a and c specifying a curve E over GF(2^m); projective coordinates (X1, Y1, Z1) for a point P1 on E.

Output: projective coordinates (X2, Y2, Z2) for the point P2 = 2P1.

1. T1 ← X1
2. T2 ← Y1
3. T3 ← Z1
4. T4 ← c
5. If T1 = 0 or T3 = 0 then output (1, 1, 0) and stop.
6. T2 ← T2 × T3
7. T3 ← T3^2
8. T4 ← T3 × T4
9. T3 ← T1 × T3                  = Z2
10. T2 ← T2 + T3
11. T4 ← T1 + T4
12. T4 ← T4^2
13. T4 ← T4^2                    = X2
14. T1 ← T1^2
15. T2 ← T1 + T2                 = U
16. T2 ← T2 × T4
17. T1 ← T1^2
18. T1 ← T1 × T3
19. T2 ← T1 + T2                 = Y2
20. T1 ← T4
21. X2 ← T1
22. Y2 ← T2
23. Z2 ← T3

This algorithm requires 5 field squarings, 5 general field multiplications, and 4 temporary variables.

A.8.8. Projective Elliptic Addition (binary case)

The projective form of the adding formula on the curve y^2 + xy = x^3 + ax^2 + b over GF(2^m) is

  (X0, Y0, Z0) + (X1, Y1, Z1) = (X2, Y2, Z2),

where

  U0 = X0 Z1^2,
  S0 = Y0 Z1^3,
  U1 = X1 Z0^2,
  W = U0 + U1,
  S1 = Y1 Z0^3,
  R = S0 + S1,
  L = Z0 W,
  V = R X1 + L Y1,
  Z2 = L Z1,
  T = R + Z2,
  X2 = a Z2^2 + T R + W^3,
  Y2 = T X2 + V L^2.

The algorithm Add given below performs these calculations.

Input: a field of 2^m elements; the field elements a and b defining a curve E over GF(2^m); projective coordinates (X0, Y0, Z0) and (X1, Y1, Z1) for points P0 and P1 on E, where Z0 and Z1 are nonzero.

Output: projective coordinates (X2, Y2, Z2) for the point P2 = P0 + P1, unless P0 = P1. In this case, the triplet (0, 0, 0) is returned. (The triplet (0, 0, 0) is not a valid projective point on the curve, but rather a marker indicating that routine Double should be used.)

1. T1 ← X0                       = U0 (if Z1 = 1)
2. T2 ← Y0                       = S0 (if Z1 = 1)
3. T3 ← Z0
4. T4 ← X1
5. T5 ← Y1
6. If a ≠ 0 then
     T9 ← a
7. If Z1 ≠ 1 then
     T6 ← Z1
     T7 ← T6^2
     T1 ← T1 × T7                = U0 (if Z1 ≠ 1)
     T7 ← T6 × T7
     T2 ← T2 × T7                = S0 (if Z1 ≠ 1)
8. T7 ← T3^2
9. T8 ← T4 × T7                  = U1
10. T1 ← T1 + T8                 = W
11. T7 ← T3 × T7
12. T8 ← T5 × T7                 = S1
13. T2 ← T2 + T8                 = R
14. If T1 = 0 then
      If T2 = 0 then output (0, 0, 0) and stop
      else output (1, 1, 0) and stop
15. T4 ← T2 × T4
16. T3 ← T1 × T3                 = L (= Z2 if Z1 = 1)
17. T5 ← T3 × T5
18. T4 ← T4 + T5                 = V
19. T5 ← T3^2
20. T7 ← T4 × T5
21. If Z1 ≠ 1 then
      T3 ← T3 × T6               = Z2 (if Z1 ≠ 1)
22. T4 ← T2 + T3                 = T
23. T2 ← T2 × T4
24. T5 ← T1^2
25. T1 ← T1 × T5
26. If a ≠ 0 then
      T8 ← T3^2
      T9 ← T8 × T9
      T1 ← T1 + T9
27. T1 ← T1 + T2                 = X2
28. T4 ← T1 × T4
29. T2 ← T4 + T7                 = Y2
30. X2 ← T1
31. Y2 ← T2
32. Z2 ← T3

This algorithm requires 5 field squarings, 15 general field multiplications and 9 temporary variables. If a = 0, then only 4 field squarings, 14 general field multiplications and 8 temporary variables are required. (About half of the elliptic curves over GF(2^m) can be rescaled so that a = 0. They are precisely the curves with order divisible by 4. See Annex A.7.3., Basic Facts.)

In the case Z1 = 1, only 4 field squarings, 11 general field multiplications, and 8 temporary variables are required. If also a = 0, then only 3 field squarings, 10 general field multiplications, and 7 temporary variables are required. (These are the cases of interest for elliptic scalar multiplication.)

A.8.9. Projective Full Addition and Subtraction

The following algorithm FullAdd implements a full addition in terms of projective coordinates.

Input: a field of q elements; the field elements a and b defining a curve E over GF(q); projective coordinates (X0, Y0, Z0) and (X1, Y1, Z1) for points P0 and P1 on E.

Output: projective coordinates (X2, Y2, Z2) for the point P2 = P0 + P1.

1. If Z0 = 0 then output (X2, Y2, Z2) ← (X1, Y1, Z1) and stop.
2. If Z1 = 0 then output (X2, Y2, Z2) ← (X0, Y0, Z0) and stop.
3. Set (X2, Y2, Z2) ← Add[(X0, Y0, Z0), (X1, Y1, Z1)].
4. If (X2, Y2, Z2) = (0, 0, 0) then set (X2, Y2, Z2) ← Double[(X1, Y1, Z1)].
5. Output (X2, Y2, Z2).

An elliptic subtraction is implemented as follows:

  Subtract[(X0, Y0, Z0), (X1, Y1, Z1)] = FullAdd[(X0, Y0, Z0), (X1, U, Z1)]

where

  U = –Y1 mod p       if q = p,
  U = X1 Z1 + Y1      if q = 2^m.

In either case (X1, U, Z1) represents –P1: in the binary case –(x, y) = (x, x + y), and (x + y) Z1^3 = X1 Z1 + Y1.
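As an added worked example (not code from the draft), the projective doubling of A.8.5., the addition of A.8.6. and the FullAdd/Subtract wrappers of A.8.9. in Python for the prime case, written from the closed-form equations rather than from the register-level steps. The curve y^2 = x^3 + x + 1 over GF(23) and the point (3, 10) are constructed test data; the names INFINITY and DOUBLE_MARKER for the triplets (1, 1, 0) and (0, 0, 0) are this example's own.

```python
# Added example (not part of the IEEE P1363.3 draft): Jacobian projective
# doubling (A.8.5), addition (A.8.6), full addition and subtraction (A.8.9)
# on y^2 = x^3 + ax + b over GF(p), p > 3.  The test curve p = 23, a = b = 1
# and its points are constructed for illustration only.

INFINITY = (1, 1, 0)          # projective representation of O used by the draft
DOUBLE_MARKER = (0, 0, 0)     # returned by add() when P0 = P1; not a point

def double(P, a, p):
    """A.8.5: 2*(X1, Y1, Z1) via M, S, T."""
    X1, Y1, Z1 = P
    if Y1 % p == 0 or Z1 % p == 0:           # point of order 2, or O
        return INFINITY
    M = (3 * X1 * X1 + a * pow(Z1, 4, p)) % p
    Z2 = 2 * Y1 * Z1 % p
    S = 4 * X1 * Y1 * Y1 % p
    X2 = (M * M - 2 * S) % p
    T = 8 * pow(Y1, 4, p) % p
    Y2 = (M * (S - X2) - T) % p
    return (X2, Y2, Z2)

def add(P0, P1, a, p):
    """A.8.6: P0 + P1 for finite P0, P1; (0,0,0) signals P0 = P1 (use double)."""
    X0, Y0, Z0 = P0
    X1, Y1, Z1 = P1
    U0 = X0 * Z1 * Z1 % p
    S0 = Y0 * pow(Z1, 3, p) % p
    U1 = X1 * Z0 * Z0 % p
    S1 = Y1 * pow(Z0, 3, p) % p
    W = (U0 - U1) % p
    R = (S0 - S1) % p
    if W == 0:
        return DOUBLE_MARKER if R == 0 else INFINITY   # P0 = P1, or P0 = -P1
    T = (U0 + U1) % p
    M = (S0 + S1) % p
    Z2 = Z0 * Z1 * W % p
    W2 = W * W % p
    X2 = (R * R - T * W2) % p
    V = (T * W2 - 2 * X2) % p
    Y2 = (V * R - M * W2 * W) * pow(2, -1, p) % p      # the draft's "2 Y2 = VR - MW^3"
    return (X2, Y2, Z2)

def full_add(P0, P1, a, p):
    """A.8.9 FullAdd: handles O on either side and the P0 = P1 case."""
    if P0[2] % p == 0:
        return P1
    if P1[2] % p == 0:
        return P0
    P2 = add(P0, P1, a, p)
    if P2 == DOUBLE_MARKER:
        P2 = double(P1, a, p)
    return P2

def subtract(P0, P1, a, p):
    """A.8.9 Subtract: P0 - P1 = FullAdd(P0, (X1, -Y1, Z1)) in the prime case."""
    X1, Y1, Z1 = P1
    return full_add(P0, (X1, (-Y1) % p, Z1), a, p)

def to_affine(P, p):
    """(X, Y, Z) -> (X/Z^2, Y/Z^3); None stands for O."""
    X, Y, Z = P
    if Z % p == 0:
        return None
    zinv = pow(Z, -1, p)
    return (X * zinv * zinv % p, Y * pow(zinv, 3, p) % p)

def is_on_curve(P, a, b, p):
    """Curve equation in the projective coordinates of A.7.4.3: Y^2 = X^3 + aXZ^4 + bZ^6."""
    X, Y, Z = P
    if Z % p == 0:
        return True
    return (Y * Y - (X ** 3 + a * X * pow(Z, 4, p) + b * pow(Z, 6, p))) % p == 0
```

Because the intermediate Z2 is never inverted, a scalar multiplication built on these routines (A.8.10.) spends one field inversion at the very end instead of one per step; the test below also checks that rescaling (X, Y, Z) by (λ^2, λ^3, λ) leaves the affine result unchanged.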

A.8.10. Projective Elliptic Scalar Multiplication

Input: an integer n and an elliptic curve point P = (X, Y, Z).

Output: the elliptic curve point nP = (X*, Y*, Z*).

1. If n = 0 or Z = 0 then output (1, 1, 0) and stop.
2. Set
   2.1 X* ← X
   2.2 Z* ← Z
   2.3 Z1 ← 1
3. If n < 0 then go to Step 6.
4. Set
   4.1 k ← n
   4.2 Y* ← Y
5. Go to Step 8.
6. Set k ← (–n).
7. If q = p then set Y* ← –Y (mod p); else set Y* ← XZ + Y.
8. If Z* = 1 then set X1 ← X*, Y1 ← Y*; else set X1 ← X* / (Z*)^2, Y1 ← Y* / (Z*)^3.
9. Let h_l h_{l–1} ... h_1 h_0 be the binary representation of 3k, where the most significant bit h_l is 1.
10. Let k_l k_{l–1} ... k_1 k_0 be the binary representation of k.
11. For i from l – 1 down to 1 do
    11.1 Set (X*, Y*, Z*) ← Double[(X*, Y*, Z*)].
    11.2 If h_i = 1 and k_i = 0 then set (X*, Y*, Z*) ← FullAdd[(X*, Y*, Z*), (X1, Y1, Z1)].
    11.3 If h_i = 0 and k_i = 1 then set (X*, Y*, Z*) ← Subtract[(X*, Y*, Z*), (X1, Y1, Z1)].
12. Output (X*, Y*, Z*).

Step 8 converts the base point to the form Z1 = 1 with a single field inversion, so that every addition in Step 11 runs in the cheaper Z1 = 1 case of A.8.6. or A.8.8..

There are several modifications that improve the performance of this algorithm. These methods are summarized in [Gor98].

A.8.11. Decompression of y Coordinates (prime case)

The following algorithm recovers the y coordinate of an elliptic curve point from its compressed form.

Input: a prime number p, an elliptic curve E defined over K = GF(p^m) for p > 3, the x coordinate of a point (x, y) on E, and the compressed representation ỹ of the y coordinate.

Output: the y coordinate of the point.

1. Compute g := x^3 + ax + b over K.
2. Find a square root z of g modulo p via A.5.. If the output of A.5. is "no square roots exist," then return an error message and stop.
3. Let z̃ be the rightmost bit of z (in other words, z mod 2).
4. If z̃ = ỹ then y ← z, else y ← p – z.
5. Output y.

NOTE—When implementing the algorithm from A.2.5., the existence of modular square roots should be checked. Otherwise, a value may be returned even if no modular square roots exist. An x that is not the abscissa of any point on E must be rejected by the error in Step 2 rather than silently mapped to some y; for a received compressed point this error is the point-validation failure.

A.8.12. Decompression of y Coordinates (binary case)

The following algorithm recovers the y coordinate of an elliptic curve point from its compressed form.

Input: a field GF(2^m), an elliptic curve E defined over GF(2^m), the x coordinate of a point (x, y) on E, and the compressed representation ỹ of the y coordinate.

Output: the y coordinate of the point.

1. If x = 0 then compute y := √b (= b^{2^{m–1}}) via A.5. and go to Step 7.
2. Compute the field element α := x^3 + ax^2 + b in GF(2^m).
3. Compute the element β := α (x^2)^{–1} via A.4.2..
4. Find a field element z such that z^2 + z = β via A.5.3.. If the output of A.5.3. is "no solutions exist," then return an error message and stop.
5. Let z̃ be the rightmost bit of z.
6. Compute y := (z + z̃ + ỹ) x.
7. Output y.

(The two solutions of Step 4 are z and z + 1; adding z̃ + ỹ in Step 6 selects the one whose rightmost bit equals ỹ, consistent with the definition of ỹ in A.7.4.2. as the rightmost bit of y x^{–1}.)

NOTE—When implementing the algorithm from A.5.3., the existence of solutions to the quadratic equation should be checked. Otherwise, a value may be returned even if no solutions exist.

A.8.13. Finding a Random Point on an Elliptic Curve (prime case)

The following algorithm provides an efficient method for finding a random point (other than O) on a given elliptic curve over a finite field of odd characteristic.

Input: a field K = GF(p^m) where p > 3 and the parameters a, b of an elliptic curve E over K.

Output: a randomly generated point (other than O) on E.

1. Choose random x ∈ K.
2. Set α ← x^3 + ax + b.
3. If α = 0 then output (x, 0) and stop.
4. Apply the appropriate technique from A.5. to find a square root modulo p of α or determine that none exist.
5. If the result of Step 4 indicates that no square roots exist, then go to Step 1. Otherwise the output of Step 4 is an element β with 0 < β < p such that

  β^2 ≡ α.

6. Generate a random bit μ and set y ← (–1)^μ β.
7. Output (x, y).
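An added example (not part of the draft) of the compression rule of A.7.4.2., the decompression of A.8.11. and the random-point search of A.8.13. over GF(p). The square-root routine stands in for the draft's A.5. references (Tonelli-Shanks, with the p ≡ 3 (mod 4) shortcut); the curve y^2 = x^3 + x + 1 over GF(23) used to exercise it is constructed test data.

```python
# Added example (not part of the IEEE P1363.3 draft): the compressed y bit of
# A.7.4.2, decompression per A.8.11 and random point generation per A.8.13 on
# y^2 = x^3 + ax + b over GF(p).  sqrt_mod stands in for the draft's A.5
# square-root routines.  The curve p = 23, a = b = 1 is constructed test data.
import secrets

def sqrt_mod(g, p):
    """A square root of g modulo an odd prime p, or None if none exists (Tonelli-Shanks)."""
    g %= p
    if g == 0:
        return 0
    if pow(g, (p - 1) // 2, p) != 1:
        return None                              # Euler's criterion: g is a non-residue
    if p % 4 == 3:
        return pow(g, (p + 1) // 4, p)           # the cheap case
    s, t = 0, p - 1                              # p - 1 = 2^s * t with t odd
    while t % 2 == 0:
        s, t = s + 1, t // 2
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:      # any quadratic non-residue z
        z += 1
    c, r, w, m = pow(z, t, p), pow(g, (t + 1) // 2, p), pow(g, t, p), s
    while w != 1:
        i, w2 = 0, w
        while w2 != 1:                           # least i with w^(2^i) = 1
            w2, i = w2 * w2 % p, i + 1
        b = pow(c, 1 << (m - i - 1), p)
        r, c, w, m = r * b % p, b * b % p, w * b * b % p, i
    return r

def compress_y(y):
    """A.7.4.2 (odd characteristic): the compressed y is its rightmost bit."""
    return y & 1

def decompress_y(x, y_tilde, a, b, p):
    """A.8.11: recover y from x and the bit y_tilde; ValueError if x is not on E."""
    g = (x ** 3 + a * x + b) % p                 # step 1
    z = sqrt_mod(g, p)                           # step 2
    if z is None:
        raise ValueError("no square roots exist: invalid compressed point")
    return z if (z & 1) == y_tilde else (p - z) % p   # steps 3 and 4

def random_point(a, b, p):
    """A.8.13: a random finite point of E (about half of the x values succeed)."""
    while True:
        x = secrets.randbelow(p)                 # step 1
        alpha = (x ** 3 + a * x + b) % p         # step 2
        if alpha == 0:
            return (x, 0)                        # step 3
        beta = sqrt_mod(alpha, p)                # step 4
        if beta is None:
            continue                             # step 5: try another x
        mu = secrets.randbits(1)                 # step 6
        return (x, beta if mu == 0 else (p - beta) % p)

def on_curve(P, a, b, p):
    x, y = P
    return (y * y - (x ** 3 + a * x + b)) % p == 0
```

decompress_y raises on an x with no point above it; a receiver that instead returned a default y would accept off-curve input, which is exactly what the NOTE in A.8.11. warns against.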

A.8.14. Finding a Random Point on an Elliptic Curve (binary case)

The following algorithm provides an efficient method for finding a random point (other than O) on a given elliptic curve over the finite field GF(2^m).

Input: a field GF(2^m) and the parameters a, b of an elliptic curve E over GF(2^m).

Output: a randomly generated point (other than O) on E.

1. Choose random x in GF(2^m).
2. If x = 0 then output (0, b^{2^{m–1}}) and stop.
3. Set α ← x^3 + ax^2 + b.
4. If α = 0 then output (x, 0) and stop.
5. Set β ← x^{–2} α.
6. Apply the appropriate technique from A.5.3. to find an element z for which z^2 + z = β or determine that none exist.
7. If the result of Step 6 indicates that no solutions exist, then go to Step 1. Otherwise the output of Step 6 is a solution z.
8. Generate a random bit μ and set y ← (z + μ) x.
9. Output (x, y).

A.8.15. Finding a Point of Large Prime Order

If the order #E(GF(q)) = u of an elliptic curve E is nearly prime, the following algorithm efficiently produces a random point on E whose order is the large prime factor r of u = kr. (See A.7.3. for the definition of nearly prime.)

Input: a prime r, a positive integer k not divisible by r, and an elliptic curve E over the field GF(q).

Output: if #E(GF(q)) = kr, a point G on E of order r. If not, the message "wrong order."

1. Generate a random point P (not O) on E via A.8.13. or A.8.14..
2. Set G ← kP.
3. If G = O then go to Step 1.
4. Set Q ← rG.
5. If Q ≠ O then output "wrong order" and stop.
6. Output G.

(If #E = kr then G = kP has order dividing r, so G ≠ O has order exactly r. If rG ≠ O the curve order is not kr, which is why Steps 4 and 5 also serve as a check on the claimed order.)
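An added example (not code from the draft) that implements the affine full addition and subtraction of A.8.1., the addition-subtraction scalar multiplication of A.8.4. and the point-of-prime-order search of A.8.15. above, in that order. The curve y^2 = x^3 + x + 1 over GF(23), which has 28 = 4 · 7 points, is constructed test data, and the random-point routine is a cut-down version of A.8.13. restricted to p ≡ 3 (mod 4); both are this example's choices.

```python
# Added example (not part of the IEEE P1363.3 draft): affine full addition and
# subtraction (A.8.1), addition-subtraction scalar multiplication (A.8.4) and
# the search for a point of prime order r (A.8.15) on y^2 = x^3 + ax + b over
# GF(p).  The curve p = 23, a = b = 1 (order 28 = 4 * 7) and the p = 3 (mod 4)
# random point routine are constructed for illustration.
import secrets

O = None   # the point at infinity; the draft uses a pair off the curve instead

def full_add(P0, P1, a, p):
    """A.8.1, Steps 1-9."""
    if P0 is O:
        return P1
    if P1 is O:
        return P0
    x0, y0 = P0
    x1, y1 = P1
    if x0 != x1:
        lam = (y0 - y1) * pow((x0 - x1) % p, -1, p) % p     # step 3.1
    elif y0 != y1 or y1 == 0:
        return O                                            # steps 4 and 5
    else:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p    # step 6
    x2 = (lam * lam - x0 - x1) % p                          # step 7
    y2 = ((x1 - x2) * lam - y1) % p                         # step 8
    return (x2, y2)

def negate(P, p):
    """-P = (x, -y); adding it performs a subtraction."""
    return O if P is O else (P[0], (-P[1]) % p)

def scalar_mult(n, P, a, p):
    """A.8.4: n*P by scanning the bits of 3k against those of k."""
    if n == 0 or P is O:
        return O
    Q, k = (negate(P, p), -n) if n < 0 else (P, n)         # step 2
    h = 3 * k                                               # step 3
    l = h.bit_length() - 1                                  # index of the leading 1 of 3k
    S = Q                                                   # step 5
    for i in range(l - 1, 0, -1):                           # step 6
        S = full_add(S, S, a, p)                            # S <- 2S
        hi, ki = (h >> i) & 1, (k >> i) & 1
        if hi == 1 and ki == 0:
            S = full_add(S, Q, a, p)
        elif hi == 0 and ki == 1:
            S = full_add(S, negate(Q, p), a, p)
    return S

def random_point(a, b, p):
    """Random finite point for p = 3 (mod 4): a special case of A.8.13."""
    assert p % 4 == 3
    while True:
        x = secrets.randbelow(p)
        alpha = (x ** 3 + a * x + b) % p
        beta = pow(alpha, (p + 1) // 4, p)                  # candidate square root
        if beta * beta % p == alpha:
            return (x, beta if secrets.randbits(1) == 0 else (p - beta) % p)

def point_of_prime_order(r, k, a, b, p, rand=random_point):
    """A.8.15: a point of order r when #E = k*r; ValueError('wrong order') otherwise."""
    while True:
        P = rand(a, b, p)                                   # step 1
        G = scalar_mult(k, P, a, p)                         # step 2
        if G is O:
            continue                                        # step 3
        if scalar_mult(r, G, a, p) is not O:                # steps 4 and 5
            raise ValueError("wrong order")
        return G                                            # step 6
```

The test compares scalar_mult with naive repeated addition for every multiplier up to 60, so that the 3k/k bit scan is checked at every position, and confirms that the "wrong order" branch fires when the claimed factorisation kr does not match the curve order.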

A.8.16. Curve Orders over Small Binary Fields

If d is "small" (i.e. it is feasible to perform 2^d arithmetic operations), then the order of the curve y^2 + xy = x^3 + ax^2 + b over GF(2^d) can be calculated directly as follows. Let

  μ = (–1)^{Tr(a)}.

For each nonzero x ∈ GF(2^d), let

  λ(x) = Tr(x + b/x^2).

Then

  $\#E(\mathrm{GF}(2^d)) = 2^d + 1 + \mu \sum_{x \ne 0} (-1)^{\lambda(x)}.$

(The formula follows from the substitution y = xz, which for x ≠ 0 turns the curve equation into z^2 + z = x + a + b/x^2; this has two solutions in z when the trace of the right-hand side is 0 and none otherwise. The point (0, √b) and O supply the remaining two points.)

A.8.17. Curve Orders over Extension Fields

Given the order of an elliptic curve E over a finite field GF(2^d), the following algorithm computes the order of E over the extension field GF(2^{de}).

Input: positive integers d and e, an elliptic curve E defined over GF(2^d), and the order w of E over GF(2^d).

Output: the order u of E over GF(2^{de}).

1. Set P ← 2^d + 1 – w and Q ← 2^d.
2. Compute via A.2.4. the Lucas sequence element V_e.
3. Compute u := 2^{de} + 1 – V_e.
4. Output u.

(Here V_0 = 2, V_1 = P and V_k = P V_{k–1} – Q V_{k–2}; P is the trace of Frobenius over GF(2^d), and V_e is the trace over GF(2^{de}).)
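An added example (not code from the draft) covering the affine full addition of A.8.2., the trace-sum order formula of A.8.16. and the Lucas-sequence extension of A.8.17., with a brute-force point count for checking. The reduction polynomials, the Koblitz-type curves y^2 + xy = x^3 + ax^2 + 1 with a ∈ GF(2) (whose coefficients lie in every subfield, so no embedding step is needed) and the small field sizes are this example's choices; the Lucas sequence is evaluated by the plain recurrence instead of the draft's A.2.4..

```python
# Added example (not part of the IEEE P1363.3 draft): GF(2^m) arithmetic in a
# polynomial basis, the affine full addition of A.8.2, the trace-sum order
# formula of A.8.16 and the Lucas-sequence extension of A.8.17, checked against
# a brute-force point count.  Reduction polynomials, the curves (a, b in GF(2))
# and the field sizes are constructed for illustration.

def gf2m_mul(x, y, m, poly):
    """Multiply in GF(2^m) = GF(2)[t]/(poly); poly has degree exactly m."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x >> m:
            x ^= poly
    return r

def gf2m_pow(x, e, m, poly):
    r = 1
    while e > 0:
        if e & 1:
            r = gf2m_mul(r, x, m, poly)
        x = gf2m_mul(x, x, m, poly)
        e >>= 1
    return r

def gf2m_inv(x, m, poly):
    return gf2m_pow(x, (1 << m) - 2, m, poly)          # x^(2^m - 2) = x^-1

def gf2m_trace(x, m, poly):
    """Tr(x) = x + x^2 + x^4 + ... + x^(2^(m-1)); always 0 or 1."""
    t, s = 0, x
    for _ in range(m):
        t ^= s
        s = gf2m_mul(s, s, m, poly)
    return t

def full_add(P0, P1, a, m, poly):
    """A.8.2 on y^2 + xy = x^3 + a x^2 + b; None is the point at infinity."""
    if P0 is None:
        return P1
    if P1 is None:
        return P0
    x0, y0 = P0
    x1, y1 = P1
    mul = lambda u, v: gf2m_mul(u, v, m, poly)
    if x0 != x1:
        lam = mul(y0 ^ y1, gf2m_inv(x0 ^ x1, m, poly))      # step 3.1
        x2 = a ^ mul(lam, lam) ^ lam ^ x0 ^ x1               # step 3.2
    elif y0 != y1 or x1 == 0:
        return None                                          # steps 4 and 5
    else:
        lam = x1 ^ mul(y1, gf2m_inv(x1, m, poly))            # step 6.1
        x2 = a ^ mul(lam, lam) ^ lam                         # step 6.2
    y2 = mul(x1 ^ x2, lam) ^ x2 ^ y1                         # step 7
    return (x2, y2)

def order_small_binary_field(a, b, d, poly):
    """A.8.16: #E(GF(2^d)) = 2^d + 1 + mu * sum_{x != 0} (-1)^lambda(x)."""
    mu = -1 if gf2m_trace(a, d, poly) else 1                 # mu = (-1)^Tr(a)
    total = 0
    for x in range(1, 1 << d):
        inv = gf2m_inv(x, d, poly)
        b_over_x2 = gf2m_mul(b, gf2m_mul(inv, inv, d, poly), d, poly)
        total += -1 if gf2m_trace(x ^ b_over_x2, d, poly) else 1
    return (1 << d) + 1 + mu * total

def order_extension_field(d, e, w):
    """A.8.17: from w = #E(GF(2^d)) to #E(GF(2^(de))) via V_e, P = 2^d + 1 - w, Q = 2^d."""
    P, Q = (1 << d) + 1 - w, 1 << d
    v_prev, v = 2, P                                         # V_0, V_1
    for _ in range(e - 1):
        v_prev, v = v, P * v - Q * v_prev                    # V_k = P V_{k-1} - Q V_{k-2}
    return (1 << (d * e)) + 1 - v

def points_brute_force(a, b, m, poly):
    """Every finite point of y^2 + xy = x^3 + a x^2 + b over GF(2^m) (for checking)."""
    sq = [gf2m_mul(v, v, m, poly) for v in range(1 << m)]
    pts = []
    for x in range(1 << m):
        rhs = gf2m_mul(sq[x], x, m, poly) ^ gf2m_mul(a, sq[x], m, poly) ^ b
        for y in range(1 << m):
            if sq[y] ^ gf2m_mul(x, y, m, poly) == rhs:
                pts.append((x, y))
    return pts
```

Over GF(2) the two curves have 2 and 4 points; the Lucas extension predicts 16 points for both over GF(2^4) and 288 over GF(2^8), which the test confirms both by the A.8.16. sum over GF(2^4) and by brute force, and it checks the A.8.2. addition by verifying that the order of every sampled point divides the curve order.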

A.8.18. Curve Orders via Subfields

The algorithms of A.8.16. and A.8.17. allow construction of elliptic curves with known orders over GF(2^m), provided that m is divisible by an integer d that is small enough for A.8.16.. The following algorithm finds such curves with nearly prime orders when such exist. (See Annex A.7.3. for the definition of nearly prime.)

Input: a field GF(2^m); a subfield GF(2^d) for some (small) d dividing m; lower and upper bounds r_min and r_max for the base point order.

Output: elements a, b ∈ GF(2^m) specifying an elliptic curve E, along with the nearly prime order n = #E(GF(2^m)), if one exists; otherwise, the message "no such curve."

1. Select elements a0, b0 ∈ GF(2^d) such that b0 has not already been selected. (If all of the b0's have already been tried, then output the message "no such curve" and stop.) Let E be the elliptic curve y^2 + xy = x^3 + a0 x^2 + b0.
2. Compute the order w = #E(GF(2^d)) via A.8.16..
3. Compute the order u = #E(GF(2^m)) via A.8.17..
4. Test u for near-primality using the techniques in [ANS98g].
5. If u is nearly prime, then set λ ← 0 and n ← u and go to Step 9.
6. Set u′ = 2^{m+1} + 2 – u.
7. Test u′ for near-primality using the techniques in [ANS98g].
8. If u′ is nearly prime, then set λ ← 1 and n ← u′, else go to Step 1.
9. Find the elements a1, b1 ∈ GF(2^m) corresponding to a0 and b0 via A.6.7..
10. If λ = 0 then set τ ← 0. If λ = 1 and m is odd, then set τ ← 1. Otherwise, find an element τ ∈ GF(2^m) of trace 1 by trial and error using A.5.1..
11. Set a ← a1 + τ and b ← b1.
12. Output n, a, b.

NOTE—It follows from the Basic Facts of A.7.3. that any a0 can be chosen at any time in Step 1. The value u′ in Step 6 is the order of the twist of E over GF(2^m), obtained by adding an element of trace 1 to the coefficient a; the two orders satisfy u + u′ = 2(2^m + 1).

A.9. Class Group Calculations

The following computations are necessary for the complex multiplication technique described in A.10..

A.9.1. Overview

A reduced symmetric matrix is one of the form

  $S = \begin{pmatrix} A & B \\ B & C \end{pmatrix}$

where the integers A, B, C satisfy the following conditions:

i) GCD(A, 2B, C) = 1,
ii) |2B| ≤ A ≤ C,
iii) If either A = |2B| or A = C, then B ≥ 0.

The matrix S will be abbreviated as [A, B, C] when typographically convenient.

The determinant D := AC – B^2 of S will be assumed throughout this section to be positive and squarefree (i.e., containing no square factors).

Given D, the class group H(D) is the set of all reduced symmetric matrices of determinant D. The class number h(D) is the number of matrices in H(D).

The class group is used to construct the reduced class polynomial. This is a polynomial w_D(t) with integer coefficients of degree h(D). The reduced class polynomial is used in A.10. to construct elliptic curves with known orders.

A.9.2. Class Group and Class Number

The following algorithm produces a list of the reduced symmetric matrices of a given determinant D. See [Bue89].

Input: a squarefree determinant D > 0.

Output: the class group H(D).

1. Let s be the largest integer less than √(D/3).
2. For B from 0 to s do
   2.1 List the positive divisors A1, …, Ar of D + B^2 that satisfy 2B ≤ A ≤ √(D + B^2).
   2.2 For i from 1 to r do
       2.2.1 Set C ← (D + B^2) / Ai.
       2.2.2 If GCD(Ai, 2B, C) = 1 then
             list [Ai, B, C];
             if 0 < 2B < Ai < C then list [Ai, –B, C].
3. Output list.

Example: D = 71. The values of B that need to be checked are 0 ≤ B < 5.

— B = 0 gives A = 1, leading to [1, 0, 71].
— B = 1 gives A = 2, 3, 4, 6, 8, leading to [3, ±1, 24] and [8, ±1, 9] (for A = 2, 4, 6 the quotient C is even and the GCD condition fails).
— B = 2 gives A = 5, leading to [5, ±2, 15].
— B = 3 gives A = 8, but no reduced matrices.
— B = 4 gives no divisors A in the right range.

Thus the class group is

  H(71) = {[1, 0, 71], [3, ±1, 24], [8, ±1, 9], [5, ±2, 15]}

and the class number is h(71) = 7.

A.9.3. Reduced Class Polynomials

Let

  $F(z) = 1 + \sum_{j=1}^{\infty} (-1)^j \left( z^{(3j^2 - j)/2} + z^{(3j^2 + j)/2} \right) = 1 - z - z^2 + z^5 + z^7 - z^{12} - z^{15} + \cdots$

and

  $q = \exp\left( \frac{\pi \left( -\sqrt{D} + B i \right)}{A} \right).$

Let

  $f_0(A, B, C) = q^{-1/24} \, F(-q) / F(q^2),$
  $f_1(A, B, C) = q^{-1/24} \, F(q) / F(q^2),$
  $f_2(A, B, C) = \sqrt{2} \, q^{1/12} \, F(q^4) / F(q^2).$

NOTE—Since

  $|q| \le e^{-\pi \sqrt{3}/2} \approx 0.0658287,$

the series F(z) used in computing the numbers f_J(A, B, C) converges as quickly as a power series in $e^{-\pi\sqrt{3}/2}$. (The bound follows from the reduction conditions of A.9.1.: |2B| ≤ A ≤ C gives D = AC – B^2 ≥ 3A^2/4, so √D / A ≥ √3 / 2.)

If [A, B, C] is a matrix of determinant D, then its class invariant is

  $C(A, B, C) = \left( N \, \zeta^{BL} \, 2^{-I/6} \, \left( f_J(A, B, C) \right)^K \right)^G,$

where:

  G = GCD(D, 3),

  I = 3 if D ≡ 1, 2, 6, 7 (mod 8),
      0 if D ≡ 3 (mod 8) and D ≢ 0 (mod 3),
      2 if D ≡ 3 (mod 8) and D ≡ 0 (mod 3),
      6 if D ≡ 5 (mod 8),

  J = 0 for AC odd,
      1 for C even,
      2 for A even,

  K = 2 if D ≡ 1, 2, 6 (mod 8),
      1 if D ≡ 3, 7 (mod 8),
      4 if D ≡ 5 (mod 8),

  L = A – C + A^2 C     if AC odd, or D ≡ 5 (mod 8) and C even,
      A + 2C – A C^2    if D ≡ 1, 2, 3, 6, 7 (mod 8) and C even,
      A – C + 5 A C^2   if D ≡ 3 (mod 8) and A even,
      A – C – A C^2     if D ≡ 1, 2, 5, 6, 7 (mod 8) and A even,

  M = (–1)^{(A^2 – 1)/8} if A odd,
      (–1)^{(C^2 – 1)/8} if A even,

  N = 1    if D ≡ 5 (mod 8), or D ≡ 3 (mod 8) and AC odd, or D ≡ 7 (mod 8) and AC even,
      M    if D ≡ 1, 2, 6 (mod 8), or D ≡ 7 (mod 8) and AC odd,
      –M   if D ≡ 3 (mod 8) and AC even,

  ζ = e^{πiK/24}.

If [A1, B1, C1], ..., [Ah, Bh, Ch] are the reduced symmetric matrices of (positive squarefree) determinant D, then the reduced class polynomial for D is

  $w_D(t) = \prod_{j=1}^{h} \left( t - C(A_j, B_j, C_j) \right).$

The reduced class polynomial has integer coefficients.

NOTE—The above computations must be performed with sufficient accuracy to identify each coefficient of the polynomial w_D(t). Since each such coefficient is an integer, this means that the error incurred in calculating each coefficient should be less than 1/2.

Example. For D = 71 one has G = 1, I = 3, K = 1 and 2^{–I/6} = 1/√2, so

  $w_{71}(t) = \left( t - \frac{f_0(1, 0, 71)}{\sqrt{2}} \right)
  \left( t - \frac{e^{-\pi i/8} f_1(3, -1, 24)}{\sqrt{2}} \right) \left( t - \frac{e^{\pi i/8} f_1(3, 1, 24)}{\sqrt{2}} \right)
  \left( t - \frac{e^{-23\pi i/24} f_2(8, -1, 9)}{\sqrt{2}} \right) \left( t - \frac{e^{23\pi i/24} f_2(8, 1, 9)}{\sqrt{2}} \right)
  \left( t + \frac{e^{5\pi i/12} f_0(5, 2, 15)}{\sqrt{2}} \right) \left( t + \frac{e^{-5\pi i/12} f_0(5, -2, 15)}{\sqrt{2}} \right)$

  = (t – 2.13060682983889533005591468688942503...)
    (t – (0.95969178530567025250797047645507504...) + (0.34916071001269654799855316293926907...) i)
    (t – (0.95969178530567025250797047645507504...) – (0.34916071001269654799855316293926907...) i)
    (t + (0.7561356880400178905356401098531772...) + (0.0737508631630889005240764944567675...) i)
    (t + (0.7561356880400178905356401098531772...) – (0.0737508631630889005240764944567675...) i)
    (t + (0.2688595121851000270002877100466102...) – (0.84108577401329800103648634224905292...) i)
    (t + (0.2688595121851000270002877100466102...) + (0.84108577401329800103648634224905292...) i)

  = t^7 – 2t^6 – t^5 + t^4 + t^3 + t^2 – t – 1.
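An added example (not code from the draft) that carries out A.9.2. and A.9.3. end to end: it enumerates H(D), evaluates each class invariant in double-precision complex arithmetic from the case table above, multiplies out w_D(t) and rounds the coefficients. The series length, the choice of exp(πK·BL·i/24) with BL reduced modulo 48 for ζ^{BL}, and the rounding check are this example's own; the expected output for D = 71 is the polynomial in the example above.

```python
# Added example (not part of the IEEE P1363.3 draft): the class group H(D) of
# A.9.2 and the reduced class polynomial w_D(t) of A.9.3, evaluated in
# double-precision complex arithmetic and rounded to integers.  The series
# length and the rounding check are choices made here.
import cmath
import math
from math import gcd

def class_group(D):
    """A.9.2: all reduced symmetric matrices [A, B, C] with AC - B^2 = D."""
    H = []
    s = math.isqrt((D - 1) // 3)                       # largest integer below sqrt(D/3)
    for B in range(0, s + 1):
        n = D + B * B
        for A in range(max(2 * B, 1), math.isqrt(n) + 1):   # 2B <= A <= sqrt(D + B^2)
            if n % A:
                continue
            C = n // A
            if gcd(gcd(A, 2 * B), C) != 1:
                continue
            H.append((A, B, C))
            if 0 < 2 * B < A < C:
                H.append((A, -B, C))
    return H

def F(z, terms=24):
    """F(z) = 1 + sum_j (-1)^j (z^((3j^2-j)/2) + z^((3j^2+j)/2)) = 1 - z - z^2 + z^5 + ..."""
    total = 1
    for j in range(1, terms + 1):
        sign = -1 if j % 2 else 1
        total += sign * (z ** ((3 * j * j - j) // 2) + z ** ((3 * j * j + j) // 2))
    return total

def class_invariant(D, A, B, C):
    """C(A, B, C) = (N zeta^(BL) 2^(-I/6) f_J(A, B, C)^K)^G with the draft's case table."""
    d8, ac_odd = D % 8, (A * C) % 2 == 1
    G = gcd(D, 3)
    if d8 in (1, 2, 6, 7):
        I = 3
    elif d8 == 3:
        I = 0 if D % 3 else 2
    else:
        I = 6                                           # D = 5 (mod 8)
    J = 0 if ac_odd else (1 if C % 2 == 0 else 2)
    K = {1: 2, 2: 2, 6: 2, 3: 1, 7: 1, 5: 4}[d8]
    if ac_odd or (d8 == 5 and C % 2 == 0):
        L = A - C + A * A * C
    elif C % 2 == 0:
        L = A + 2 * C - A * C * C                       # D = 1,2,3,6,7 (mod 8), C even
    elif d8 == 3:
        L = A - C + 5 * A * C * C                       # D = 3 (mod 8), A even
    else:
        L = A - C - A * C * C                           # D = 1,2,5,6,7 (mod 8), A even
    M = (-1) ** ((A * A - 1) // 8) if A % 2 else (-1) ** ((C * C - 1) // 8)
    if d8 == 5 or (d8 == 3 and ac_odd) or (d8 == 7 and not ac_odd):
        N = 1
    elif d8 in (1, 2, 6) or (d8 == 7 and ac_odd):
        N = M
    else:
        N = -M                                          # D = 3 (mod 8), AC even
    log_q = math.pi * complex(-math.sqrt(D), B) / A     # q = exp(pi(-sqrt(D) + Bi)/A)
    q = cmath.exp(log_q)
    if J == 0:
        f = cmath.exp(-log_q / 24) * F(-q) / F(q * q)
    elif J == 1:
        f = cmath.exp(-log_q / 24) * F(q) / F(q * q)
    else:
        f = math.sqrt(2) * cmath.exp(log_q / 12) * F(q ** 4) / F(q * q)
    zeta_BL = cmath.exp(1j * math.pi * ((K * B * L) % 48) / 24)   # zeta = e^(pi i K/24)
    return (N * zeta_BL * 2 ** (-I / 6) * f ** K) ** G

def reduced_class_polynomial(D):
    """Integer coefficients of w_D(t) = prod (t - C(A_j, B_j, C_j)), highest degree first."""
    coeffs = [complex(1)]
    for (A, B, C) in class_group(D):
        root = class_invariant(D, A, B, C)
        new = coeffs + [complex(0)]
        for i, c in enumerate(coeffs):
            new[i + 1] -= root * c                      # multiply by (t - root)
        coeffs = new
    rounded = [round(c.real) for c in coeffs]
    err = max(abs(c - r) for c, r in zip(coeffs, rounded))
    if err >= 0.5:                                     # the NOTE above: error must stay below 1/2
        raise ArithmeticError("insufficient precision: error %g" % err)
    return rounded
```

For D = 71 the seven invariants are the roots listed in the example, and the rounded product is [1, –2, –1, 1, 1, 1, –1, –1]; the precision check mirrors the draft's NOTE and would raise rather than return a wrong polynomial for a D whose invariants need more than double precision.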

A.10. Complex Multiplication

A.10.1. Overview

If E is a non-supersingular elliptic curve over GF(q) of order u, then

  Z = 4q – (q + 1 – u)^2

is positive by the Hasse bound (see Annex A.7.3.). Thus there is a unique factorization

  Z = D V^2

where D is squarefree (i.e. contains no square factors). Thus, for each non-supersingular elliptic curve over GF(q) of order u, there exists a unique squarefree positive integer D such that

  (*)   4q = W^2 + D V^2,
  (**)  u = q + 1 ± W

for some W and V.

It is said that E has complex multiplication by D (or, more properly, by √(–D)). D is called a CM discriminant for q.

If one knows D for a given curve E, one can compute its order via (*) and (**). As will be demonstrated below, one can construct the curves with CM by small D. Therefore one can obtain curves whose orders u satisfy (*) and (**) for small D. The near-primes are plentiful enough that one can find curves of nearly prime order with small enough D to construct.

Over GF(p), the CM technique is also called the Atkin-Morain method (see [Mor91]); over GF(2^m), it is also called the Lay-Zimmer method (see [LZ94]). Although it is possible (over GF(p)) to choose the order first and then the field, it is preferable to choose the field first since there are fields in which the arithmetic is especially efficient.

There are two basic steps involved: finding an appropriate order, and constructing a curve having that order. More precisely, one begins by choosing the field size q, the minimum point order r_min, and the trial division bound l_max. Given those quantities, D is called appropriate if there exists an elliptic curve over GF(q) with CM by D and having nearly prime order.

Step 1 (A.10.2. and A.10.3., Finding a Nearly Prime Order):

  Find an appropriate D. When one is found, record D, the large prime r, and the positive integer k such that u = kr is the nearly prime curve order.

Step 2 (A.10.4. and A.10.5., Constructing a Curve and Point):

  Given D, k and r, construct an elliptic curve over GF(q) and a point of order r.

A.10.2. Finding a Nearly Prime Order over GF(p)

A.10.2.1. Congruence Conditions

A squarefree positive integer D can be a CM discriminant for p only if it satisfies the following congruence conditions. Let

  $K = \left\lfloor \frac{(\sqrt{p} + 1)^2}{r_{\min}} \right\rfloor.$

— If p ≡ 3 (mod 8), then D ≡ 2, 3, or 7 (mod 8).
— If p ≡ 5 (mod 8), then D is odd.
— If p ≡ 7 (mod 8), then D ≡ 3, 6, or 7 (mod 8).
— If K = 1, then D ≡ 3 (mod 8).
— If K = 2 or 3, then D ≢ 7 (mod 8).

(K is an upper bound on the cofactor k = u/r, since u ≤ (√p + 1)^2 by the Hasse bound and r ≥ r_min. With K = 1 the order u = r is odd, so W and V in 4p = W^2 + DV^2 are odd and D ≡ 3 (mod 8); curves with CM by D ≡ 7 (mod 8) have order divisible by 4, which rules out cofactors 2 and 3.)

Thus the possible squarefree D's are as follows:

If K = 1, then D = 3, 11, 19, 35, 43, 51, 59, 67, 83, 91, 107, 115, ….

If p ≡ 1 (mod 8) and K = 2 or 3, then D = 1, 2, 3, 5, 6, 10, 11, 13, 14, 17, 19, 21, ….

If p ≡ 1 (mod 8) and K ≥ 4, then D = 1, 2, 3, 5, 6, 7, 10, 11, 13, 14, 15, 17, ….

If p ≡ 3 (mod 8) and K = 2 or 3, then D = 2, 3, 10, 11, 19, 26, 34, 35, 42, 43, 51, 58, ….

If p ≡ 3 (mod 8) and K ≥ 4, then D = 2, 3, 7, 10, 11, 15, 19, 23, 26, 31, 34, 35, ….

If p ≡ 5 (mod 8) and K = 2 or 3, then D = 1, 3, 5, 11, 13, 17, 19, 21, 29, 33, 35, 37, ….

If p ≡ 5 (mod 8) and K ≥ 4, then D = 1, 3, 5, 7, 11, 13, 15, 17, 19, 21, 23, 29, ….

If p ≡ 7 (mod 8) and K = 2 or 3, then D = 3, 6, 11, 14, 19, 22, 30, 35, 38, 43, 46, 51, ….

If p ≡ 7 (mod 8) and K ≥ 4, then D = 3, 6, 7, 11, 14, 15, 19, 22, 23, 30, 31, 35, ….

A.10.2.2. Testing for CM Discriminants (prime case)

Input: a prime p and a squarefree positive integer D satisfying the congruence conditions from A.10.2.1..

Output: if D is a CM discriminant for p, an integer W such that

  4p = W^2 + D V^2

for some V. [In the cases D = 1 or 3, the output also includes V.] If not, the message "not a CM discriminant."

1. Apply the appropriate technique from A.2.5. to find a square root modulo p of –D or determine that none exist.
2. If the result of Step 1 indicates that no square roots exist, then output "not a CM discriminant" and stop. Otherwise, the output of Step 1 is an integer B modulo p.
3. Let A ← p and C ← (B^2 + D) / p.
4. Let

  $S = \begin{pmatrix} A & B \\ B & C \end{pmatrix} \quad \text{and} \quad U = \begin{pmatrix} 1 \\ 0 \end{pmatrix}.$

5. Until |2B| ≤ A ≤ C, repeat the following steps.
   5.1 Let $\delta = \left\lfloor \frac{B}{C} + \frac{1}{2} \right\rfloor$.
   5.2 Let $T = \begin{pmatrix} 0 & -1 \\ 1 & \delta \end{pmatrix}$.
   5.3 Replace U by T^{–1} U.
   5.4 Replace S by T^t S T, where T^t denotes the transpose of T.
6. If D = 11 and A = 3, let δ ← 0 and repeat 5.2, 5.3, 5.4.
7. Let X and Y be the entries of U. That is,

  $U = \begin{pmatrix} X \\ Y \end{pmatrix}.$

8. If D = 1 or 3 then output W ← 2X and V ← 2Y and stop.
9. If A = 1 then output W ← 2X and stop.
10. If A = 4 then output W ← 4X + BY and stop.
11. Output "not a CM discriminant."

(Throughout, the quadratic form A X^2 + 2B XY + C Y^2 evaluates to p at the current U, because replacing S by T^t S T and U by T^{–1} U leaves U^t S U unchanged, and initially it equals A = p. Step 9 therefore yields p = X^2 + D Y^2, and Step 10 yields 4p = (4X + BY)^2 + (4C – B^2) Y^2 with 4C – B^2 = D.)

28A.10.2.3. Finding a Nearly Prime Order (prime case)

29Input: a prime p, a trial division bound lmax, and lower and upper bounds rmin and rmax for base point order.

30Output: a squarefree positive integer D, a prime r in the interval rmin £ r £ rmax, and a smooth integer k
31such that u = kr is the order of an elliptic curve modulo p with complex multiplication by D.
32
331. Choose a squarefree positive integer D, not already chosen, satisfying the congruence conditions of
34 A.10.2.1..
  D
352. Compute via A.2.3. the Jacobi symbol J =   . If J = –1 then go to Step 1.
 p 
363. List the odd primes l dividing D.
4. For each l, compute via A.2.3. the Jacobi symbol J = (p / l). If J = –1 for some l, then go to Step 1.
5. Test via A.10.2.2. whether D is a CM discriminant for p. If the result is “not a CM discriminant,” go
 to Step 1. (Otherwise, the result is the integer W, along with V if D = 1 or 3.)
6. Compile a list of the possible orders, as follows.
 — If D = 1, the orders are

  p + 1 ± W, p + 1 ± V.

 — If D = 3, the orders are

  p + 1 ± W, p + 1 ± (W + 3V)/2, p + 1 ± (W – 3V)/2.

 — Otherwise, the orders are p + 1 ± W.
7. Test each order for near-primality. If any order is nearly prime, output (D, k, r) and stop.
8. Go to Step 1.

Example: Let p = 2^192 – 2^64 – 1. Then

 p = 4X² – 2XY + ((1 + D)/4) Y² and p + 1 – (4X – Y) = r

where D = 235,

 X = –31037252937617930835957687234,
 Y = 5905046152393184521033305113,

and r is the prime

 r = 6277101735386680763835789423337720473986773608255189015329.

Thus there is a curve modulo p of order r having complex multiplication by D.
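
The A.10.2.2 test written out as an added example (this is not code from the draft): Step 1's square root modulo p is taken by Tonelli–Shanks in place of the A.2.5 reference, and the function is run against the A.10.2.3 example above, checking that the candidate orders p + 1 ± W include the listed prime r. The helper names are this example's own.

```python
"""Added example (not the draft's code): A.10.2.2, the test for whether a squarefree D is a CM
discriminant for a prime p, i.e. whether 4p = W^2 + D V^2 is solvable.  Step 1's square root
modulo p (A.2.5 in the draft) is supplied here by Tonelli-Shanks.  Checked below against the
draft's A.10.2.3 example (p = 2^192 - 2^64 - 1, D = 235), whose listed prime r must be p + 1 - W."""

def sqrt_mod_prime(a, p):
    """Square root of a modulo the odd prime p (Tonelli-Shanks), or None if a is a non-residue."""
    a %= p
    if a == 0:
        return 0
    if pow(a, (p - 1) // 2, p) != 1:          # Euler's criterion
        return None
    if p % 4 == 3:                            # easy case; it covers p = 2^192 - 2^64 - 1
        return pow(a, (p + 1) // 4, p)
    q, s = p - 1, 0                           # p - 1 = q * 2^s with q odd
    while q % 2 == 0:
        q //= 2
        s += 1
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:   # any quadratic non-residue
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:
            t2, i = t2 * t2 % p, i + 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r

def _reduce_step(A, B, C, X, Y, delta):
    """Steps 5.2-5.4 of A.10.2.2 with T = [0 -1; 1 delta]: U <- T^-1 U and S <- T^t S T."""
    X, Y = delta * X + Y, -X
    A, B, C = C, C * delta - B, A - 2 * B * delta + C * delta * delta
    return A, B, C, X, Y

def cm_test_prime(p, D):
    """A.10.2.2: returns (W, V) when D in {1, 3}, (W, None) otherwise, or None for
    "not a CM discriminant".  The form satisfies A X^2 + 2 B X Y + C Y^2 = p throughout."""
    B = sqrt_mod_prime(-D, p)                 # step 1
    if B is None:                             # step 2
        return None
    A, C = p, (B * B + D) // p                # step 3: S = [A B; B C]
    X, Y = 1, 0                               # step 4: U = [1; 0]
    while not (abs(2 * B) <= A <= C):         # step 5: reduce the binary quadratic form
        delta = (2 * B + C) // (2 * C)        # 5.1: floor(B/C + 1/2)
        A, B, C, X, Y = _reduce_step(A, B, C, X, Y, delta)
    if D == 11 and A == 3:                    # step 6
        A, B, C, X, Y = _reduce_step(A, B, C, X, Y, 0)
    if D in (1, 3):                           # step 8
        return 2 * X, 2 * Y
    if A == 1:                                # step 9:  p = X^2 + D Y^2
        return 2 * X, None
    if A == 4:                                # step 10: 4p = (4X + BY)^2 + D Y^2
        return 4 * X + B * Y, None
    return None                               # step 11

def orders_from_w(p, D, W, V):
    """Step 6 of A.10.2.3: the candidate curve orders for a CM discriminant D."""
    if D == 1:
        return [p + 1 + W, p + 1 - W, p + 1 + V, p + 1 - V]
    if D == 3:
        return [p + 1 + W, p + 1 - W, p + 1 + (W + 3 * V) // 2, p + 1 - (W + 3 * V) // 2,
                p + 1 + (W - 3 * V) // 2, p + 1 - (W - 3 * V) // 2]
    return [p + 1 + W, p + 1 - W]

if __name__ == "__main__":
    p = 2**192 - 2**64 - 1                    # the draft's example prime
    r = 6277101735386680763835789423337720473986773608255189015329
    W, V = cm_test_prime(p, 235)
    print("W =", W, " 4p - W^2 divisible by 235:", (4 * p - W * W) % 235 == 0)
    print("r among the candidate orders:", r in orders_from_w(p, 235, W, V))
```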

A.10.3. Finding a Nearly Prime Order over GF(2^m)

A.10.3.1. Testing for CM Discriminants (binary case)

Input: a field degree d and a squarefree positive integer D ≡ 7 (mod 8).

Output: if D is a CM discriminant for 2^d, an odd integer W such that

 2^(d+2) = W² + DV²,

for some odd V. If not, the message “not a CM discriminant.”

1. Compute via A.2.6. an integer B such that B² ≡ –D (mod 2^(d+2)).
2. Let A ← 2^(d+2) and C ← (B² + D) / 2^(d+2). (Note: the variables A and C will remain positive throughout the
 algorithm.)
3. Let S ← [ A B ; B C ] (a 2 × 2 matrix written row by row) and U ← [ 1 ; 0 ] (a column vector).
4. Until |2B| ≤ A ≤ C, repeat the following steps.
 4.1 Let δ ← ⌊B/C + 1/2⌋.
 4.2 Let T ← [ 0 –1 ; 1 δ ].
 4.3 Replace U by T^(–1) U.
 4.4 Replace S by T^t S T, where T^t denotes the transpose of T.
5. Let X and Y be the entries of U. That is, U = [ X ; Y ].
6. If A = 1, then output W ← X and stop.
7. If A = 4 and Y is even, then output W ← (4X + BY) / 2 and stop.
8. Output “not a CM discriminant.”

A.10.3.2. Finding a Nearly Prime Order (binary case)

Input: a field degree d, a trial division bound l_max, and lower and upper bounds r_min and r_max for the base point
order.

Output: a squarefree positive integer D, a prime r in the interval r_min ≤ r ≤ r_max, and a smooth integer k
such that u = kr is the order of an elliptic curve over GF(2^d) with complex multiplication by D.

1. Choose a squarefree positive integer D ≡ 7 (mod 8), not already chosen.
2. Compute H ← the class group for D via A.9.2.
3. Set h ← the number of elements in H.
4. If d does not divide h, then go to Step 1.
5. Test via A.10.3.1. whether D is a CM discriminant for 2^d. If the result is “not a CM discriminant,” go
 to Step 1. (Otherwise, the result is the integer W.)
6. The possible orders are 2^d + 1 ± W.
7. Test each order for near-primality. If any order is nearly prime, output (D, k, r) and stop.
8. Go to Step 1.

Example: Let q = 2^155. Then

 4q = X² + DY² and q + 1 – X = 4r

where D = 942679, X = 229529878683046820398181, Y = –371360755031779037497, and r is the prime

 r = 11417981541647679048466230373126290329356873447.

Thus there is a curve over GF(q) of order 4r having complex multiplication by D.

A.10.4. Constructing a Curve and Point (prime case)

A.10.4.1. Constructing a Curve with Prescribed CM (prime case)

Given a prime p and a CM discriminant D, the following technique produces an elliptic curve y² ≡ x³ + a0 x
+ b0 (mod p) with CM by D. (Note that there are at least two possible orders among curves with CM by D.
The curve constructed here will have the proper CM, but not necessarily the desired order. This curve will
be replaced in A.10.4.2. by one of the desired order.)

For nine values of D, the coefficients of E can be written down at once:

   D          a0            b0
   1           1             0
   2         –30            56
   3           0             1
   7         –35            98
  11        –264          1694
  19        –152           722
  43       –3440         77658
  67      –29480       1948226
 163    –8697680    9873093538

For other values of D, the following algorithm may be used.

Input: a prime modulus p and a CM discriminant D > 3 for p.

Output: a0 and b0 such that the elliptic curve

 y² ≡ x³ + a0 x + b0 (mod p)

has CM by D.

1. Compute w(t) ← w_D(t) mod p via A.9.3.
2. Let W be the output from A.10.2.2.
3. If W is even, then use A.6.3. with d = 1 to compute a linear factor t – s of w_D(t) modulo p. Let

  V := (–1)^D 2^(4I/K) s^(24/(GK)) mod p,

 where G, I and K are as in A.9.3. Finally, let

  a0 := –3(V + 64)(V + 16) mod p,

  b0 := 2(V + 64)² (V – 8) mod p.

4. If W is odd, then use A.6.3. with d = 3 to find a cubic factor g(t) of w_D(t) modulo p. Perform the
 following computations, in which the coefficients of the polynomials are integers modulo p.

  V(t) := t^24 mod g(t)       if 3 ∤ D,
  V(t) := 256 t^8 mod g(t)    if 3 | D,

  a1(t) := –3(V(t) + 64)(V(t) + 256) mod g(t),

  b1(t) := 2(V(t) + 64)² (V(t) – 512) mod g(t),

  a3(t) := a1(t)³ mod g(t),

  b2(t) := b1(t)² mod g(t).
 Now let σ be a nonzero coefficient from a3(t), and let τ be the corresponding coefficient from b2(t).
 Finally, let

  a0 := στ mod p,
  b0 := στ² mod p.

5. Output (a0, b0).

Example: If D = 235, then

 w_D(t) = t^6 – 10 t^5 + 22 t^4 – 24 t^3 + 16 t^2 – 4 t + 4.

If p = 2^192 – 2^64 – 1, then

 w_D(t) ≡ (t³ – (5 + φ) t² + (1 – φ) t – 2) (t³ – (5 – φ) t² + (1 + φ) t – 2) (mod p),

where φ = 1254098248316315745658220082226751383299177953632927607231. The resulting coefficients are

 a0 = –2089023816294079213892272128,
 b0 = –36750495627461354054044457602630966837248.

Thus the curve y² ≡ x³ + a0 x + b0 modulo p has CM by D = 235.

A.10.4.2. Choosing the Curve and Point (prime case)

Input: EC parameters p, k, and r, and coefficients a0, b0 produced by A.10.4.

Output: a curve E modulo p and a point G on E of order r, or a message “wrong order.”

1. Select an integer ξ with 0 < ξ < p.
2. If D = 1 then set a ← a0 ξ mod p and b ← 0.
 If D = 3 then set a ← 0 and b ← b0 ξ mod p.
 Otherwise, set a ← a0 ξ² mod p and b ← b0 ξ³ mod p.
3. Look for a point G of order r on the curve

  y² ≡ x³ + ax + b (mod p)

 via A.8.15.

4. If the output of A.8.15. is “wrong order” then output the message “wrong order” and stop.
5. Output the coefficients a, b and the point G.

The method of selecting ξ in the first step of this algorithm depends on the kind of coefficients desired.
Two examples follow.

— If D ≠ 1 or 3, and it is desired that a = –3 (see A.8.6.), then take ξ to be a solution of the congruence
 a0 ξ² ≡ –3 (mod p), provided one exists. If one does not exist, or if this choice of ξ leads to the
 message “wrong order,” then select another curve as follows. If p ≡ 3 (mod 4) and the result was
 “wrong order,” then choose p – ξ in place of ξ; the result leads to a curve with a = –3 and the right
 order. If no solution ξ exists, or if p ≡ 1 (mod 4), then repeat A.10.4. with another root of the
 reduced class polynomial. The proportion of roots leading to a curve with a = –3 and the right order
 is roughly one-half if p ≡ 3 (mod 4), and one-quarter if p ≡ 1 (mod 4).

— If there is no restriction on the coefficients, then choose ξ at random. If the output is the message
 “wrong order,” then repeat the algorithm until a set of parameters a, b, G is obtained. This will
 happen for half the values of ξ, unless D = 1 (one-quarter of the values) or D = 3 (one-sixth of the
 values).

A.10.5. Constructing a Curve and Point (binary case)

A.10.5.1. Constructing a Curve with Prescribed CM (binary case)

Input: a field GF(2^m), a CM discriminant D for 2^m, and the desired curve order u.

Output: a and b such that the elliptic curve

 y² + xy = x³ + ax² + b

over GF(2^m) has order u.

1. Compute w(t) ← w_D(t) mod 2 via A.9.3.
2. Use A.10.3.1. to find the smallest divisor d of m greater than (log2 D) – 2 such that D is a CM
 discriminant for 2^d.
3. Compute p(t) := a degree d factor modulo 2 of w(t). (If d = h, then p(t) is just w(t) itself. If d < h,
 p(t) is found via A.6.4.)
4. Compute α := a root in GF(2^m) of p(t) = 0 via A.6.6.
5. If 3 divides D
 then set b ← α
 else set b ← α³.
6. If u is divisible by 4, then set a ← 0;
 else if m is odd, then set a ← 1;
 else generate (by trial and error using A.5.1.) a random element a ∈ GF(2^m) of trace 1.
7. Output (a, b).

Example: If D = 942679, then

w_D(t) ≡ 1 + t^2 + t^6 + t^10 + t^12 + t^13 + t^16 + t^17 + t^20 + t^22 + t^24 + t^27 + t^30 + t^33 + t^35 + t^36 + t^37 + t^41 + t^42 + t^43 +
t^45 + t^49 + t^51 + t^54 + t^56 + t^57 + t^59 + t^61 + t^65 + t^67 + t^68 + t^69 + t^70 + t^71 + t^72 + t^74 + t^75 + t^76 + t^82 + t^83 + t^87
+ t^91 + t^93 + t^96 + t^99 + t^100 + t^101 + t^102 + t^103 + t^106 + t^108 + t^109 + t^110 + t^114 + t^117 + t^119 + t^121 + t^123 + t^125 +
t^126 + t^128 + t^129 + t^130 + t^133 + t^134 + t^140 + t^141 + t^145 + t^146 + t^147 + t^148 + t^150 + t^152 + t^154 + t^155 + t^157 + t^158 +
t^160 + t^161 + t^166 + t^167 + t^171 + t^172 + t^175 + t^176 + t^179 + t^180 + t^185 + t^186 + t^189 + t^190 + t^191 + t^192 + t^195 + t^200 +
t^201 + t^207 + t^208 + t^209 + t^210 + t^211 + t^219 + t^221 + t^223 + t^225 + t^228 + t^233 + t^234 + t^235 + t^237 + t^238 + t^239 + t^241 +
t^242 + t^244 + t^245 + t^248 + t^249 + t^250 + t^252 + t^253 + t^255 + t^257 + t^260 + t^262 + t^263 + t^264 + t^272 + t^273 + t^274 + t^276 +
t^281 + t^284 + t^287 + t^288 + t^289 + t^290 + t^292 + t^297 + t^299 + t^300 + t^301 + t^302 + t^304 + t^305 + t^306 + t^309 + t^311 + t^312 +
t^313 + t^314 + t^317 + t^318 + t^320 + t^322 + t^323 + t^325 + t^327 + t^328 + t^329 + t^333 + t^335 + t^340 + t^341 + t^344 + t^345 + t^346 +
t^351 + t^353 + t^354 + t^355 + t^357 + t^358 + t^359 + t^360 + t^365 + t^366 + t^368 + t^371 + t^372 + t^373 + t^376 + t^377 + t^379 + t^382 +
t^383 + t^387 + t^388 + t^389 + t^392 + t^395 + t^398 + t^401 + t^403 + t^406 + t^407 + t^408 + t^409 + t^410 + t^411 + t^416 + t^417 + t^421 +
t^422 + t^423 + t^424 + t^425 + t^426 + t^429 + t^430 + t^438 + t^439 + t^440 + t^441 + t^442 + t^443 + t^447 + t^448 + t^450 + t^451 + t^452 +
t^453 + t^454 + t^456 + t^458 + t^459 + t^460 + t^462 + t^464 + t^465 + t^466 + t^467 + t^471 + t^473 + t^475 + t^476 + t^481 + t^482 + t^483 +
t^484 + t^486 + t^487 + t^488 + t^491 + t^492 + t^495 + t^496 + t^498 + t^501 + t^503 + t^505 + t^507 + t^510 + t^512 + t^518 + t^519 + t^529 +
t^531 + t^533 + t^536 + t^539 + t^540 + t^541 + t^543 + t^545 + t^546 + t^547 + t^548 + t^550 + t^552 + t^555 + t^556 + t^557 + t^558 + t^559 +
t^560 + t^563 + t^565 + t^566 + t^568 + t^580 + t^585 + t^588 + t^589 + t^591 + t^592 + t^593 + t^596 + t^597 + t^602 + t^604 + t^606 + t^610 +
t^616 + t^620 (mod 2).

This polynomial factors into 4 irreducibles over GF(2), each of degree 155. One of these is

p(t) = 1 + t + t^2 + t^6 + t^9 + t^10 + t^11 + t^13 + t^14 + t^15 + t^16 + t^18 + t^19 + t^22 + t^23 + t^26 + t^27 + t^29 + t^31 + t^49 + t^50
+ t^51 + t^54 + t^55 + t^60 + t^61 + t^62 + t^64 + t^66 + t^70 + t^72 + t^74 + t^75 + t^80 + t^82 + t^85 + t^86 + t^88 + t^89 + t^91 + t^93 +
t^97 + t^101 + t^103 + t^104 + t^111 + t^115 + t^116 + t^117 + t^118 + t^120 + t^121 + t^123 + t^124 + t^126 + t^127 + t^128 + t^129 + t^130 +
t^131 + t^132 + t^134 + t^136 + t^137 + t^138 + t^139 + t^140 + t^143 + t^145 + t^154 + t^155.

If τ is a root of p(t), then the curve

 y² + xy = x³ + τ³

over GF(2^155) has order 4r, where r is the prime

 r = 11417981541647679048466230373126290329356873447.

A.10.5.2. Choosing the Curve and Point (binary case)

Input: a field size GF(2^m), an appropriate D, and the corresponding k and r from A.10.3.2.

Output: a curve E over GF(2^m) and a point G on E of order r.

1. Compute a and b via A.10.5.1. with u = kr.
2. Find a point G of order r via A.8.15.
3. Output the coefficients a, b and the point G.


A.11. Pairings for Cryptography
All pairing algorithms defined here are based on the Miller algorithm [Mil86]. We consider only those
algorithms which are practical for use in the cryptographic algorithms presented in the main body.

A.11.1. Pairing-Friendly Elliptic Curves

To be useful for pairing-based cryptography a notion of ‘pairing-friendly’ curves has become established,
and this may be formalized by the following conditions. First, the embedding degree of E with respect to r
is defined as the smallest integer k such that r | q^k – 1. Then an elliptic curve is pairing-friendly if:

 there is a prime r | #E(GF(q)) such that r > √q, and

 k < log2(r) / 8.

A.11.2. Curve Families

All the curves we consider are defined over a finite field K = GF(q). For cryptographic use we also need a
suitable subgroup of E(K) of size r. If #E(K) is the order of the group of K-rational points of E, the trace t
of E/K is t = q + 1 – #E(K). Note that r | #E(K), and for h = #E(K) / r we define GT to be the subgroup of
order r of GF(q^h).

The search for, and analysis of, pairing-friendly curves has led to a grouping of curves into families, which
can often be described by equations in the parameters t, r, and q.

If k is the embedding degree of E, we let δ be the degree of the maximal twist of E, which we denote E′.
Note that δ | k, so we define the degree of the field over which we consider the twist to be d = k/δ.
Curves may then be classified as follows:

 E1 = E(GF(q))

 E2 = E(GF(q^k))

 E3 = E′(GF(q^d))

Note that for E2, r | q^k – 1, and for E3, r | #E′(GF(q)).

The elements of E1 of order r form the 1-eigenspace of the Frobenius map with respect to r. This will in all
cases be equal to the pairing group G1. The r-eigenspace of Frobenius lies in E2.

Pairings may be classified into 3 different types according to the curve types. In particular the types depend
on how the group G2 is represented.

In all cases there is a map ζ: G2 → E2, and the Miller loop is always applied to ζ(Q) rather than to the element
Q itself.

A.11.2.1. Type 1 (E Supersingular)

G1 = G2 = a subgroup of E1 of order r

A.11.2.2. Type 2 (E Ordinary)
G1 = a subgroup of E1 of order r

G2 = a subgroup of E2 of order r which is distinct from both the 1-eigenspace and the q-eigenspace of
Frobenius.

A.11.2.3. Type 3 (E Ordinary)

G1 = a subgroup of E1 of order r

G2 = a subgroup of E3 of order r

Pairings may be classified into 3 different types according to the curve types (see A.11.2.) they are defined
upon. In all cases there is a map ζ: G2 → E2 and the Miller loop is always applied to ζ(Q).

Type 1 (E Supersingular)

G1 = G2 = a subgroup of E1 of order r

Type 2 (E Ordinary)

G1 = a subgroup of E1 of order r

G2 = a subgroup of E2 of order r

Note that G2 ≠ G1, nor is it an image of a subgroup of E3.

Type 3 (E Ordinary)

G1 = a subgroup of E1 of order r

G2 = a subgroup of E3 of order r

The Miller Loop

The Miller Loop is a function

 f_{P,n}(Q′)

where P is on the base curve (P ∈ G1 ⊆ E1) and Q′ = ζ(Q) ∈ E2 is the image on the extension curve of Q ∈ G2. In defining
the Miller loop we consider two arbitrary points on the curve and an arbitrary loop length n. When using
this loop within a pairing calculation we will specify more precisely the values of P, Q and n. There are
various optimizations, e.g. for specific curves or by utilizing properties of twisted curves within the
algorithm, but only the basic algorithm is given here.

The basic algorithm is as follows:

Input: P ∈ E1, Q ∈ E2
Output: f_{P,n}(Q)

 1) Set T ← P, f ← 1

m 1
1 2) Write n as n 2
i 0
i
i
with ni  {0,1}

2 3) Loop for i from m – 1 down to 0


3 i. Set f  f.2lT,T(Q) / v2T(Q)
4 ii. Set T  2T
5 iii. If ni = 1 then,
6 a. Set f  f.lT,P(Q) / vT+P(Q)
7 b. Set T  T + P
8 iv. End if
9 4) End loop
10 5) Return f
11[Nb. It is probably worth defining a general line function and restricting ourselves to even k, we may
12also wish to refine the basic Miller function below, e.g. to reflect the more common implantation in
13Tate algorithms etc.]

14The line functions lA,B(Q) and vA+B(Q) are the functions obtained by substituting the coordinates of Q into
15the equations for the lines used in the standard formation of A+B. l is the straight line y-mx-c which passes
16through the points A and B and v is the vertical line passing through A+B.

17Hence if Q = (x, y), A = (x1, y1), B = (x2, y2) and A+B = (x3, y3) then
( y 2  y1 ) ( x y  x 2 y1 )
18 l A, B (Q)  y  x 1 2
( x 2  x1 ) ( x1  x 2 )

19 vA+B(Q) = Input: a prime t > 2; a curve E; finite points Q', P on E with tQ' = tP = O , a
20 line function lA,B(V).

21 Output: the Miller function fQ',t(P).

22

23 1. Set A ¬ Q', B ¬ Q', f ¬ 1, n ¬ t.

24 2. Set n ¬ ën / 2û.

25 3. Set f ¬ lB,B (P) n ´ f.

26 4. Set B ¬ 2B.

27 5. If n is odd then

28 5.1 If n = 1

29 then f ¬ lA,-A (P) ´ f

30 else f ¬ lA,B (P) ´ f.

31 5.2 Set A ¬ A + B.
1 56
2 Copyright © <year> IEEE. All rights reserved.
3 This is an unapproved IEEE Standards Draft, subject to change.
4
1 6. If n > 1 then go to Step 2.

2 7. Output fx – x3
3See §A.7.2. for details of how to compute these operations.

A.11.3. Pairing Calculations

In the main document we consider two pairings:

 e1: G1 × G2 → GT
and
 e2: G2 × G1 → GT.

The pairing e2 is computed from e1 via e2(P, Q) = e1(Q, P), so from now on we shall only consider e1, which
we will denote e(P, Q). In all cases, the algorithms and primitives in the main body utilize pairings with
parameters derived from the generators Q1 of G1 and Q2 of G2. We therefore define the pairings below with
parameters in curves E1, E2, or E3. When the domain parameters are defined, the choice of curve and
generators ensures these definitions are consistent.

A.11.4. Pairings
For all of the pairings defined in this section, r is the order of G1, G2 and P, t is the trace of E over K and k
is the embedding degree of E, all as defined in §A.11.1.

A.11.4.1. Let t > 2 be prime, and let P and Q be points on E with tP = tQ = O.
 The following procedure computes the Weil pairing.

Given three points (x0, y0), (x1, y1), (u, v) on E, define the function g((x0, y0), (x1, y1), (u, v)) by

 g = u – x1                                        if x0 = x1 and y0 = –y1,
 g = (3x1² + a)(u – x1) – 2y1(v – y1)               if x0 = x1 and y0 = y1,
 g = (x0 – x1) v – (y0 – y1) u + (x1 y0 – x0 y1)    if x0 ≠ x1,

if E is the curve y² = x³ + ax + b over GF(p), and

 g = u – x1                                        if x0 = x1 and y0 = x1 + y1,
 g = x1³ + (x1² + y1) u + x1 v                     if x0 = x1 and y0 = y1,
 g = (x0 + x1) v + (y0 + y1) u + (x1 y0 + x0 y1)    if x0 ≠ x1,

if E is the curve y² + xy = x³ + ax² + b over GF(2^m).

— Given points A, B, C on E, let

 l_{A,B}(C) := g(A, B, C) / g(A + B, –A – B, C).

— Given points R and S on E, let

 j(R, S) := f_{R,l}(S) / f_{S,l}(R) from .

— Given points P and Q on E with lP = lQ = O, the Weil pairing <P, Q> is computed as follows:

Choose random points T, U on E and let

 V = P + T, W = Q + U.

Then

 <P, Q> = j(T, U) j(U, V) j(V, W) j(W, T).

If, in evaluating <P, Q>, one encounters g((x0, y0), (x1, y1), (u, v)) = 0, then the calculation fails. In this
(unlikely) event, repeat the calculation with newly chosen T and U.

In the case t = 2, the Weil pairing is easily computed as follows:
 <P, Q> equals 1 if P = Q and –1 otherwise.

Define <P, O> = 1 for all points P.

A.11.4.23. Tate
The (reduced) Tate Pairing is defined as:

 e: E(GF(p))[r] × E′(GF(p^ε))[r] → GF*(p^k)[r]

such that

 e(P, Q) = f_{P,r}(Q)^((p^k – 1)/r)

where P ∈ E1, Q ∈ E2.

The line function l used in the construction of the Tate pairing algorithm is

Input: A, B ∈ E(GF(p))[r], Q ∈ E(GF(p^k))[r]

Output: l_{A,B}(Q)

 If A = –B,
  Return Qx – Ax

 If A = B,
  Set λ = 3Ax² / 2Ay

 Else
  Set λ = (By – Ay) / (Bx – Ax)

 Return λ(Qx – Ax) + Ay – Qy

[Proposal: Define this generally in terms of the Miller loop and a generic line function]

The Tate pairing may then be computed by the following:

Input: P ∈ E(GF(p))[r], Q ∈ E′(GF(p^ε))[r], Φ_k the k-th cyclotomic polynomial

Output: e(P, Q)

 Set T ← P, f ← 1

 Let s = r – 1

 Loop for i = (lg(s)) – 1 down to 0

  Set f ← f² · l_{T,T}(Q)

  Set T ← 2T

  If s_i (the i-th bit, 0-relative, of s) = 1 then,

   Set f ← f · l_{T,P}(Q)

   Set T ← T + P

  End if

 End loop

 Set f ← f^(p – 1)

 Set f ← f^((p + 1) / Φ_k(p))
 Set f ← f^(Φ_k(p) / r)

 Return f

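As an added example (not the draft's code), the basic Miller loop of A.11.2 with the line functions l and v, used as the reduced Tate pairing of A.11.4.23 on the k = 2 supersingular curve y² = x³ + x over GF(19) (A.12.1.1), with Q′ supplied by the distortion map (x, y) → (–x, iy) of the A.13.3 table. The toy parameters, the function names, and the choice to start the loop at the bit below the leading bit of n (so that T finishes at nP) are this example's own.

```python
"""Added example (not the draft's code): the A.11.2 Miller loop with the line functions l and v,
run as the reduced Tate pairing of A.11.4.23 on the k = 2 supersingular curve y^2 = x^3 + x over
GF(p), p = 3 (mod 4) (A.12.1.1).  Q' comes from the distortion map (x, y) -> (-x, i*y) of the
A.13.3 table, so P lies in E1 = E(GF(p)) and Q' in E2 = E(GF(p^2)).  Toy parameters, constructed."""

P_MOD = 19              # prime field, 19 = 3 (mod 4): E is supersingular, #E(GF(19)) = p + 1 = 20
CURVE_A = 1             # E: y^2 = x^3 + a x + b with a = 1, b = 0
R = 5                   # prime group order: 5 | 20 and 5 | p^2 - 1 = 360, so the embedding degree is 2
GEN = ((5, 0), (4, 0))  # constructed point of order 5 in E1; coordinates live in GF(p^2) = GF(p)[i]/(i^2+1)

# GF(p^2) arithmetic on pairs (a, b) meaning a + b*i
def f2_add(u, v): return ((u[0] + v[0]) % P_MOD, (u[1] + v[1]) % P_MOD)
def f2_sub(u, v): return ((u[0] - v[0]) % P_MOD, (u[1] - v[1]) % P_MOD)
def f2_mul(u, v):
    return ((u[0] * v[0] - u[1] * v[1]) % P_MOD, (u[0] * v[1] + u[1] * v[0]) % P_MOD)
def f2_inv(u):          # (a + b i)^-1 = (a - b i) / (a^2 + b^2)
    n = pow((u[0] * u[0] + u[1] * u[1]) % P_MOD, P_MOD - 2, P_MOD)
    return (u[0] * n % P_MOD, -u[1] * n % P_MOD)
def f2_div(u, v): return f2_mul(u, f2_inv(v))
def f2_pow(u, e):
    acc = (1, 0)
    for bit in bin(e)[2:]:
        acc = f2_mul(acc, acc)
        if bit == "1":
            acc = f2_mul(acc, u)
    return acc

# affine group law on E(GF(p^2)); the point at infinity O is None
def ec_add(A, B):
    if A is None: return B
    if B is None: return A
    if A[0] == B[0]:
        if A[1] != B[1] or A[1] == (0, 0):      # B = -A
            return None
        lam = f2_div(f2_add(f2_mul((3, 0), f2_mul(A[0], A[0])), (CURVE_A, 0)), f2_mul((2, 0), A[1]))
    else:
        lam = f2_div(f2_sub(B[1], A[1]), f2_sub(B[0], A[0]))
    x3 = f2_sub(f2_sub(f2_mul(lam, lam), A[0]), B[0])
    return (x3, f2_sub(f2_mul(lam, f2_sub(A[0], x3)), A[1]))

def ec_mul(n, A):
    acc = None
    for bit in bin(n)[2:]:
        acc = ec_add(acc, acc)
        if bit == "1":
            acc = ec_add(acc, A)
    return acc

def line(A, B, Q):
    """l_{A,B}(Q) as in A.11.4.24-30, keeping the curve's a term in the tangent slope
    (the draft's lambda = 3Ax^2 / 2Ay is written for a = 0)."""
    if A[0] == B[0] and A[1] != B[1]:           # A = -B: the vertical line through A
        return f2_sub(Q[0], A[0])
    if A == B:
        lam = f2_div(f2_add(f2_mul((3, 0), f2_mul(A[0], A[0])), (CURVE_A, 0)), f2_mul((2, 0), A[1]))
    else:
        lam = f2_div(f2_sub(B[1], A[1]), f2_sub(B[0], A[0]))
    return f2_sub(f2_add(f2_mul(lam, f2_sub(Q[0], A[0])), A[1]), Q[1])

def vertical(S, Q):
    """v_S(Q) = x_Q - x_S; the vertical line through O is the constant 1."""
    return (1, 0) if S is None else f2_sub(Q[0], S[0])

def miller(P, Q, n):
    """f_{P,n}(Q) by the A.11.2 loop.  T starts at P, so the loop consumes the bits of n below the
    leading one; then T finishes at nP and f has divisor n(P) - (nP) - (n-1)(O)."""
    T, f = P, (1, 0)
    for bit in bin(n)[3:]:
        f = f2_div(f2_mul(f2_mul(f, f), line(T, T, Q)), vertical(ec_add(T, T), Q))  # f^2 l_{T,T}/v_{2T}
        T = ec_add(T, T)
        if bit == "1":
            f = f2_div(f2_mul(f, line(T, P, Q)), vertical(ec_add(T, P), Q))          # f l_{T,P}/v_{T+P}
            T = ec_add(T, P)
    return f

def distortion(P):
    """psi(x, y) = (-x, i y): maps E1 into E2 off the base-field subgroup (A.13.3, k = 2 row)."""
    return (f2_sub((0, 0), P[0]), (0, P[1][0]))

def tate(P, Q):
    """e(P, Q) = f_{P,r}(Q)^((p^2 - 1)/r): the reduced Tate pairing of A.11.4.23 with k = 2."""
    return f2_pow(miller(P, Q, R), (P_MOD * P_MOD - 1) // R)

if __name__ == "__main__":
    Q = distortion(GEN)
    e = tate(GEN, Q)
    print("e(P, psi(P)) =", e, " e^r =", f2_pow(e, R))
    print("bilinear:", tate(ec_mul(2, GEN), ec_mul(3, Q)) == f2_pow(e, 6))
```
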
A.11.4.49. Eta
[TBA]

The Eta-Pairing is only defined for supersingular elliptic curves and is given by

 e(P, Q) = f_{P,t–1}(Q)^((p^k – 1)/r)

where P ∈ E1, Q ∈ E2.

A.11.4.50. Ate
The Ate pairing may be computed as follows, by reversing the roles of P and Q in the Tate pairing, giving the following:

 e(P, Q) = f_{Q,t–1}(P)^((p^k – 1)/r), where t is the trace of E/K.

[Proposal: Define this generally in terms of the Miller loop and a generic line function]

Input: P ∈ E(GF(p^ε))[r], Q ∈ E(GF(p))[r], Φ_k the k-th cyclotomic polynomial

Output: e(P, Q)

 Set T ← P, f ← 1

 Let s = t – 1

 Loop for i = (lg(s)) – 1 down to 0

  Set f ← f² · l_{T,T}(Q)

  Set T ← 2T

  If s_i (the i-th bit, 0-relative, of s) = 1 then,

   Set f ← f · l_{T,P}(Q)

   Set T ← T + P

  End if

 End loop

 Set f ← f^(p – 1)

 Set f ← f^((p + 1) / Φ_k(p))

 Set f ← f^(Φ_k(p) / r)

 Return f

where P ∈ E1, Q ∈ E2.

A.11.4.51. R-Ate
[MRC: To define]

 e(Q, P) = ( f^Π · f · l_{aQ,Q}(P)^Π · l_{Π(aQ + Q), aQ}(P) )^((p^12 – 1)/r)

where a = 6z + 2, f = f_{a,Q}(P) and Π is the Frobenius map

A.12. Elliptic Curves for Pairing Based Cryptography

A.12.1. Super-Singular Curves

Supersingular curves have embedding degree k ∈ {1, 2, 3, 4, 6}. We only consider those with even
embedding degree.

A.12.1.1. Super-Singular Curves with Embedding Degree 2

In fields GF(2^s) of characteristic 2, curves with k = 2 are of the form

 E1: y² + y = x³ + x, where s is even and Tr  ≠ 0 (see A.5.1.),

 E2: y² + y = x³, where s is odd.

In fields of prime characteristic q = p > 3, supersingular curves with k = 2 can be defined by:

 If q ≡ 3 (mod 4), y² = x³ + ax, where –a ∈ (GF×(q))² [define]

 If q ≡ 5 (mod 6), y² = x³ + b

 If q ≡ 1 (mod 12), curves may be computed by:

Input: q

Output: An elliptic curve E parameterized in integers m and c

 1) Find D, the smallest prime such that D ≡ 3 (mod 4) and (–D / q) = –1
 2) Compute a root j ∈ GF(q) of the reduced class polynomial H_D (mod q) using algorithm A.9.3.
 3) Set m = j / (1728 – j)
 4) Return E: y² = x³ + 3mc²x + 2mc³ for any c

A.12.1.2. Super-Singular Curves with Embedding Degree 4

There are only two forms of supersingular curve with k = 4, and they only exist over fields of characteristic
2.

 E1: y² + y = x³ + x and E2: y² + y = x³ + x + 1

A.12.1.3. Super-Singular Curves with Embedding Degree 6

Supersingular curves with k = 6 only exist over fields of characteristic 3, i.e. GF(3^s), and have the form

 E: y² = x³ – x ± d, where d ∈ GF(q) with Tr d = 1 (see A.5.1.)

A.12.2. MNT Curves

The Miyaji, Nakabayashi and Takano (MNT) technique for finding ordinary pairing-friendly curves relies
on the complex multiplication technique of A.10.4. A resulting curve defined over GF(p) has its order
divisible by a large prime r, where the r-torsion group of E is defined over an extension field GF(p^k).

Input: k = 3, 4, or 6, a maximal cofactor c_max, and the maximum discriminant D_max

Output: GF(q), and an elliptic curve E such that |E(GF(q))| = cr where c ≤ c_max and r is prime

 1. λ ← –2k/2 + 4

 2. For c from 1 to c_max do

  i. For c′ from 1 to 4c – 1 do

   a. n_k ← λc + c′

   b. m ← 4c – c′

   c. f_k ← n_k² – m²

   d. For squarefree D = 1 to D_max do

    1. s ← c′mD

    2. For each solution of y² – sv² = f_k do

     i. t ← (y – n_k)/m + 1

     ii. r ← Φ_k(t – 1) / c′

     iii. q ← cr + t – 1

     iv. If t ∈ ℤ, r is prime and q is prime,

     v. return q, and E computed by A.10.4., using p = q, t, D

 3. Return ‘fail’

A.12.3. Cocks-Pinch Curves

Input: k, D squarefree

Output: GF(q), and an elliptic curve E

 1. Choose a prime r such that k | r – 1 and (–D / r) = 1

 2. Find z, a k-th root of unity in (ℤ/rℤ)×

 3. t′ ← z + 1

 4. y′ ← (t′ – 2) / √(–D) (mod r)

 5. Choose t ∈ ℤ such that t ≡ t′ (mod r)

 6. Choose y ∈ ℤ such that y ≡ y′ (mod r)

 7. q ← (t² + Dy²) / 4
 8. If q is prime and an integer and D ≤ 10^12, construct E by A.10.4., using p = q, D

A.12.4. BN Curves
Barreto–Naehrig curves are of the form E: y² = x³ + b, parameterised by

 r(x) = 36x⁴ – 36x³ + 18x² – 6x + 1

 q(x) = 36x⁴ – 36x³ + 24x² – 6x + 1

 t(x) = 6x² + 1

where r and q are both prime. For such curves, k = 12. To find a BN curve, choose random values for x
until r and q are both prime, then choose b ∈ GF(q) such that #E(GF(p)) = r.

A.12.5. KSS Curves

To be defined and / or any others

A.13. Choosing a Curve and Pairing

A.13.1. Recommended Security Parameters

[MRC: Discuss rho and k and present results / suggestions in a table]

A.13.2. Curve-Pairing Compatibility

 Pairing   Super-Singular   MNT   CP   BN   KSS

 Tate                            ?

 Eta                           

 Ate                       ?      ?

 R-Ate               ?      ?     

A.13.3. Suitable Domain Parameters

The preceding sections have defined various curves and pairings and presented algorithms for their
construction and computation. For each pairing and each curve, specific optimizations of the Miller
algorithm can be made to produce efficient computations. Such optimizations have been omitted from this
document in the interests of simplicity and practicality. Instead, all pairings are defined in terms of a
common, basic Miller loop with P ∈ E1, Q′ ∈ E2. This means that, in many cases, maps from E1 to E2 or E3
to E2 are required to form Q′ for use in the pairings. In practice, when implementing cryptographic schemes
using these algorithms, optimized Miller loops may be preferred.

Curve type | Curve | k | Pairing | Order | Map of Q → Q′

SS | E1: y² = x³ + x over GF(p), p ≡ 3 mod 4 | 2 | Tate | | (x, y) → (ζx, y) where ζ is a cube root of unity

SS | E1: y² = x³ + x over GF(p), p ≡ 2 mod 3 | 2 | Tate | | (x, y) → (x, iy) where i² = –1

SS | E1: y² + y = x³ + x + a, a = {1, 2} over GF(2) | 4 | Tate | | (x, y) → (u²x + s², y + u²sx + s) where u ∈ GF(2²), s ∈ GF(2⁴), u² + u + 1 = 0, s² + (u + 1)s = 0

SS | E1: y² = x³ – x + b, b = ±1 over GF(3) | 6 | Tate | | (x, y) → (α – x, iy) where i ∈ GF(3²), α ∈ GF(3³), i² = –1, α³ – α – b = 0

SS | E1: y² = x³ – x + b, b = ±1 over GF(3^m) | 6 | eta | 3^m ± 3^((m+1)/2) + 1 | (x, y) → (ρ – x, iy) where i² = –1, ρ³ = ρ + b

SS | E1: y² + y = x³ + x + b, b ∈ {0, 1} over GF(2^m) | 4 | eta | 2^m ± 2^((m+1)/2) + 1 | (x, y) → (x – s², y + sx + t) where s, t ∈ GF(2⁴), s² + s + 1 = 0, t² + t + s = 0

BN | E1: y² = x³ + b over GF(p); E2: y² = x³ + b over GF(p^k) | 12 | Tate | | Q′ = Q

BN | E1: y² = x³ + b over GF(p); E2: y² = x³ + b over GF(p^k) | 12 | Ate | | Q′ = Q

BN | E1: y² = x³ + b over GF(p); E3: y² = x³ + b v^(–1) over GF(p^k), where 3 | (p – 1) and v is a cubic and quadratic non-residue in GF(p²) | 12 | Ate | | (x, y) → (x v^(1/3), y v^(1/2))

A.13.4 Example Curves

At the 128-bit security level, writing  = 5, we have the following:

E: y² = x³ + 5

E6: y² = x³ + 

k = 12

q = 0xB640D86C60602B112028B881BF7FD34C078201004C25FFFDBFFF550000000001

p = 0xB640D86C60602B112028B881BF7FD34B2F8180C0391C7FFDBFFF550000000001

t – 1 = 0xD8008040130980000000000000000000

P1 = (0x1, 0x18B96D0423CDF2FCEE2CFC51E55988BA58044548921C53F778DD1DFE3BA7CE22)

P2 = (0x3E010C633DEB0E3A31B5185D0FDB9A936AF0E26164A830CB5E26B70E6DAFB860 + 0x5B3A6D5A50174E41C25954EE86180B8EF649B35A9F7D95D3D56A9A6B98D0EC9D,
      0x29700D3295327C272AB24323CF7E2BBFDFE243164692CBDED142729801A9801A + 0x54616AEB636A2296799010D3E4DA893ABBE752502D70B1062313580A88BB452E)

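As an added consistency check (not part of the draft), the following Python validates the 128-bit BN parameters listed above. It assumes the draft's convention that q is the field size and p the prime group order, which the relation q − p = t − 1 confirms, and uses the BN family relations q = 36x⁴ + 36x³ + 24x² + 6x + 1, p = 36x⁴ + 36x³ + 18x² + 6x + 1 and t = 6x² + 1 to recover the curve parameter x from t − 1 (the sign of x is fixed by matching q). It then checks that P1 lies on E: y² = x³ + 5 over GF(q) and that [p]P1 is the point at infinity, using plain affine point arithmetic. The function and constant names are the example's own.

```python
from math import isqrt

# Parameters copied from the 128-bit entry above (draft notation: q = field size,
# p = prime group order, t = trace of Frobenius, P1 in E(GF(q))).
Q_FIELD = 0xB640D86C60602B112028B881BF7FD34C078201004C25FFFDBFFF550000000001
P_ORDER = 0xB640D86C60602B112028B881BF7FD34B2F8180C0391C7FFDBFFF550000000001
T_MINUS_1 = 0xD8008040130980000000000000000000
B_COEFF = 5  # E: y^2 = x^3 + 5
P1 = (0x1, 0x18B96D0423CDF2FCEE2CFC51E55988BA58044548921C53F778DD1DFE3BA7CE22)

INF = None  # point at infinity in affine coordinates


def bn_polynomials(x):
    """Field size, group order and trace of the BN family as polynomials in x."""
    q = 36 * x**4 + 36 * x**3 + 24 * x**2 + 6 * x + 1
    n = 36 * x**4 + 36 * x**3 + 18 * x**2 + 6 * x + 1
    t = 6 * x**2 + 1
    return q, n, t


def recover_bn_x(t_minus_1, q):
    """t = 6x^2 + 1 fixes |x|; the sign is the one that reproduces q."""
    if t_minus_1 % 6:
        raise ValueError("t - 1 is not a multiple of 6: not a BN trace")
    x2 = t_minus_1 // 6
    x = isqrt(x2)
    if x * x != x2:
        raise ValueError("(t - 1)/6 is not a perfect square: not a BN trace")
    for cand in (x, -x):
        if bn_polynomials(cand)[0] == q:
            return cand
    raise ValueError("q does not match the BN field polynomial at +x or -x")


def on_curve(pt, b, q):
    """y^2 == x^3 + b (mod q) for an affine point; INF is on every curve."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x**3 + b)) % q == 0


def ec_add(p1, p2, q):
    """Affine addition on y^2 = x^3 + b over GF(q); a = 0, so the doubling slope is 3x^2 / 2y."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % q == 0:
            return INF  # p2 == -p1
        lam = 3 * x1 * x1 * pow(2 * y1, -1, q) % q
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, q) % q
    x3 = (lam * lam - x1 - x2) % q
    y3 = (lam * (x1 - x3) - y1) % q
    return (x3, y3)


def ec_mul(k, pt, q):
    """Double-and-add scalar multiplication [k]pt."""
    acc, addend = INF, pt
    while k:
        if k & 1:
            acc = ec_add(acc, addend, q)
        addend = ec_add(addend, addend, q)
        k >>= 1
    return acc


def check_bn_parameters(q=Q_FIELD, n=P_ORDER, t_minus_1=T_MINUS_1, b=B_COEFF, gen=P1):
    """Named checks on a BN parameter set; every boolean should be True for a sound set."""
    x = recover_bn_x(t_minus_1, q)
    q_x, n_x, t_x = bn_polynomials(x)
    return {
        "x": x,
        "q_matches_bn_polynomial": q_x == q,
        "order_matches_bn_polynomial": n_x == n,
        "order_is_q_plus_1_minus_t": n == q + 1 - t_x,  # #E(GF(q)) = q + 1 - t
        "q_is_1_mod_3": q % 3 == 1,                    # sextic twist exists (table: 3 | (p - 1))
        "generator_on_curve": on_curve(gen, b, q),
        "generator_killed_by_order": ec_mul(n, gen, q) is INF,
    }


if __name__ == "__main__":
    res = check_bn_parameters()
    print("x =", hex(res.pop("x")))
    for name, ok in res.items():
        print(f"{name}: {ok}")
```

The recovered x is negative and has low Hamming weight, which is the usual choice for a fast Miller loop; the same routine rejects any q, p, t − 1 triple that does not come from the BN polynomials, so it is a cheap first gate before trusting published pairing parameters.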
At the 192-bit security level, writing  = 32, we have the following:

E: y² = x³ + 2

E6: y² = x³ + 

k = 18

q = 0x6B5A6E1D00FF3E57F01A85E93A632A698EBC0675342E193F88B71E95084EF791BD996806FB1EAFE66EDC2FB8568A06924CC5FBB83EB5F97E1A909DC4AB6194331D

p = 0xF42FC00001B36F25E0014387354424803422547260939EE8E63BADEEBAFEAD48BBEF389BF4EEB7E91CCA352A00000001

t – 1 = 0x6C8700000081047D000039842039A00B6558628750D8C256DCC31700001C88000

P1 = (0x16E41EDDFEC88FCC60A040689E1D1234A0A805C54CB7FFDFB18893EB3C545C511061FDCCA1AE6B686CEF2BB9854DEC2857FC9F1DD0B2280201F5C9D1D5C84425B9,
      0x2789E25971C895E57E37A9FFE864A83FE5C8BC4CE589C4C7151A133F8A6E41822C0EE0F46D25291B9CE8BB0EB15BC22145CD1C5780EFEF6091B4386C3D8F93247A)

P2 = (0x14984D6199AED6782375E3175C1E25E4D24C4CD3AE6E65430AE14751D6695D1D6AABBE570292300B3AD4C176DDCA9A4C8B1747CF098B081787430645C0A8A2A56D + 0x3D0324C329EAC589DE8552005D76A6A7A7638D7165CD392921CFE4BB96C32C2C5D6D0B8A9147D77119FDA42594DDA0B670366CB76A209346AC0C3310BE3DD4657  + 0x4518D02BD8D4CB75DEC343027DC71A513EEBDE1AA232EC7CEBADF2E3F7E1D7AE4344F5A6717E78001BD5EAD462DC791F360567B251CF2C8E770D185E0794A67194 ²,
      0x3A6D0FB82C81845322F3880BA86628BFC9716EF028AB41D6F3D107F5858F12DBA5579146743A8EC57660B22B77CD6D7ADD1A0ECD0DD322738420FA1FFF24BC7958 + 0x227E11E448F0200195795700E03F14F3F2D3412C784E26D1D00F60FF8B6725CCB049641F24C8822E73435C3B82762A032359458C56D75C29ED466D7EC277A5BCAA  + 0x411974A2922DC7804CB921C316B42E203E71DBEBE3BA8DD95B9356025A6F00916C18934B0C5A5362C6F5C5A29C6EF5D14DF4BC067A9C261C114E9EFE3EB991AE22 ²)

At the 256-bit security level, writing ₁ = 2 and ₂ = 42, we have the following:

E: y² = x³ + 1

E6: y² = x³ + 1/₂

k = 24

q = 0x2CC1038ECBEEB01BECF95968F21A7FB9121D72014EA0BDD7B906F8C7D2FB362C5A12FDACBD5E2C42413D4CF74198E2693978D6FE97ABD52B562FF98DBF0D1EE01DA3CEDBD7F54F6F2F1EE158774A67B5

p = 0x98C29B81028BC6F535C95626C60D06F9042850D631FCFBBC585F647DE763E467FF0AD1A96885B7A27118F357E6E6E8E06158E0EFEFFE5F7E6B1984C3BA05F371

t – 1 = 0xF000000000800005

P1 = (0x647BCE704B0A7F30676B57261DA029E090748839F7DD739AC95F52033FE2C1BDEDFF6DE9F7F368934A26573B05FC529201ECFF3076E03545F5622550475BCB0B945B9A2D17D7E08390AC72C659608AE,
      0xB82BB0F6F5C80E4C76C78A286AF059440FDFCB15366121F983C323CA63595913EEFF37CCC7E8933D924F1EA43F561B1838A0B8F0B3CBA1C4B5761E60940EDF6CE251C77C7117E64C4D2B5FF034B926C)

P2 = (0x1FB74F74231E64ADE2E02714FBEE28A84791F927A18FEF5421CDD753DE3E10330C1FC1E59F3D33550CEF3EBD14042323076FF6E0D3DAE864E028DCFF11C87179E9027DD0658B44E5F86B9BCB14216807 + 0x1D971D94A7B12E869B0D7997AE345821C791AAE001766216446085479A5CB5459CB07D719DFD91DD4689763E57C3A2314AD3022830387AC5F96100BDC1B0EDBD841A7F2C4E3C2BFE76B9626C501F2A34 ₁ + ₂(0x227A454F6E97C31B9EBCB192B87A6713885218FBE4F332F9C476DC0FB8FC1CAA0DD73C803A88DCD30E52CC255FFFE526BD6D356D5C54CDAD6B67078B0940C2846D547213365D0C6AACDBC64228C444E4 + 0x133EA14E90C5373B20CCE3CB6B5FA14B6C48B6B2B34EDDF645CD02B9D0E88DFB3A9A2E38F8FFD7C2F1A8C3008B31D4A49A94A40A64D978C46051A523381478588F4D8678948C97AA25DCEFACBE2FAC64 ₁),
      0x456EFA04B448C5B338306BEE2D62D352B63DF8DB308E9B880504D749868586947CD83D1EAEF61860B0225EB5E128A807F2F23188CDFC56F4356C90BAF57082F2DD963ADABA7FAD05853D79566F42A07 + 0x2B50BC53A508122622D565EDD8AEE8B9B2E6F5F173D68E065C8DF05732173F9015DCEDE8F9B7D7898B049E392CA40453BCE2005ED89562AB47290D2EE2BD38D43688AA52DEF25C304D809E68C7883DC0 ₁ + ₂(0x1C6E29D93DF19ACF3B0F6695F4E577C0F47FD2AFFD359056929D5C4D62E5582E547BA9E33729147346DCE49F76E4DA790B173902403327539FF2B7045B24AEDAA610D98F8B96F4947B0E86D06DFCF7BD + 0x2C7C3508D8CB4E0D4FEE1A9DDE53244C4E18192D0A389E8DBFC83AB1014A63E57BD0D18A88D53C4AA330DA1A2B07E11FE652FBA96C232D4EC14A5727461333614ACB54BBBB4B3E91D8A15B8E5500AB3D ₁))
22

23

1 69
2 Copyright © <year> IEEE. All rights reserved.
3 This is an unapproved IEEE Standards Draft, subject to change.
4

Вам также может понравиться