Independent Submission                                        M. Lochter
Request for Comments: 5639                                           BSI
Category: Informational                                        J. Merkle
ISSN: 2070-1721                                secunet Security Networks
                                                              March 2010
        

Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation

Abstract

This memo proposes several elliptic curve domain parameters over finite prime fields for use in cryptographic applications. The domain parameters are consistent with the relevant international standards, and can be used in X.509 certificates and certificate revocation lists (CRLs), for Internet Key Exchange (IKE), Transport Layer Security (TLS), XML signatures, and all applications or protocols based on the cryptographic message syntax (CMS).

Status of This Memo

This document is not an Internet Standards Track specification; it is published for informational purposes.

This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc5639.

Copyright Notice

Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

Table of Contents

   1. Introduction ....................................................3
      1.1. Scope and Relation to Other Specifications .................4
      1.2. Requirements Language ......................................4
   2. Requirements on the Elliptic Curve Domain Parameters ............4
      2.1. Security Requirements ......................................5
      2.2. Technical Requirements .....................................6
   3. Domain Parameter Specification ..................................8
      3.1. Domain Parameters for 160-Bit Curves .......................8
      3.2. Domain Parameters for 192-Bit Curves .......................9
      3.3. Domain Parameters for 224-Bit Curves ......................10
      3.4. Domain Parameters for 256-Bit Curves ......................11
      3.5. Domain Parameters for 320-Bit Curves ......................12
      3.6. Domain Parameters for 384-Bit Curves ......................13
      3.7. Domain Parameters for 512-Bit Curves ......................14
   4. Object Identifiers and ASN.1 Syntax ............................15
      4.1. Object Identifiers ........................................15
      4.2. ASN.1 Syntax for Usage with X.509 Certificates ............16
   5. Security Considerations ........................................17
   6. Intellectual Property Rights ...................................18
   7. References .....................................................18
      7.1. Normative References ......................................18
      7.2. Informative References ....................................19
   Appendix A. Pseudo-Random Generation of Parameters ................22
     A.1. Generation of Prime Numbers ................................22
     A.2. Generation of Pseudo-Random Curves .........................24
        
1. Introduction

Although several standards for elliptic curves and domain parameters exist (e.g., [ANSI1], [FIPS], or [SEC2]), some major issues have still not been addressed:

o Not all parameters have been generated in a verifiably pseudo-random way. In particular, the seeds from which the curve parameters were derived have been chosen ad hoc, leaving out an essential part of the security proof.

o The primes selected for the base fields have a very special form facilitating efficient implementation. This not only contradicts the approach of pseudo-random parameters, but also increases the risk of implementations violating one of the numerous patents for fast modular arithmetic with special primes.

o No proofs are provided that the proposed parameters do not belong to those classes of parameters that are susceptible to cryptanalytic attacks with sub-exponential complexity.

o Recent research results seem to indicate a potential for new attacks on elliptic curve cryptosystems. At least for applications with the highest security demands or under circumstances that complicate a change of parameters in response to new attacks, the inclusion of a corresponding security requirement for domain parameters (the class group condition, see Section 2) is justified.

o Some of the proposed subgroups have a non-trivial cofactor, which demands additional checks by cryptographic applications to prevent small subgroup attacks (see [ANSI1] or [SEC1]).

o The domain parameters specified do not cover all bit lengths that correspond to the commonly used key lengths for symmetric cryptographic algorithms. In particular, there is no 512-bit curve defined, but only one with a 521-bit length, which may be disadvantageous for some implementations.

Furthermore, many of the parameters specified by the existing standards are identical (see [SEC2] for a comparison). Thus, there is still a need for additional elliptic curve domain parameters that overcome the above limitations.

1.1. Scope and Relation to Other Specifications

This RFC specifies elliptic curve domain parameters over prime fields GF(p) with p having a length of 160, 192, 224, 256, 320, 384, and 512 bits. These parameters were generated in a pseudo-random, yet completely systematic and reproducible, way and have been verified to resist current cryptanalytic approaches. The parameters are compliant with ANSI X9.62 [ANSI1] and ANSI X9.63 [ANSI2], ISO/IEC 14888 [ISO1] and ISO/IEC 15946 [ISO2], ETSI TS 102 176-1 [ETSI], as well as with FIPS-186-2 [FIPS], and the Efficient Cryptography Group (SECG) specifications ([SEC1] and [SEC2]).

Furthermore, this document identifies the security and implementation requirements for the parameters, and describes the methods used for the pseudo-random generation of the parameters.

Finally, this RFC defines ASN.1 object identifiers for all elliptic curve domain parameter sets specified herein, e.g., for use in X.509 certificates.

This document addresses neither the cryptographic algorithms to be used with the specified parameters nor their application in other standards. However, it is consistent with the following RFCs that specify the usage of elliptic curve cryptography in protocols and applications:

o [RFC5753] for the cryptographic message syntax (CMS)

o [RFC3279] and [RFC5480] for X.509 certificates and CRLs

o [RFC4050] for XML signatures

o [RFC4492] for TLS

o [RFC4754] for IKE

1.2. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

2. Requirements on the Elliptic Curve Domain Parameters

Throughout this memo, let p > 3 be a prime and GF(p) a finite field (sometimes also referred to as Galois Field or GF(p)) with p elements. For given A and B with non-zero 4*A^3 + 27*B^2 mod p, the set of solutions (x,y) for the equation E: y^2 = x^3 + A*x + B mod p over GF(p) together with a neutral element O and well-defined laws for addition and inversion define a group E(GF(p)) -- the group of GF(p) rational points on E. Typically, for cryptographic applications, an element G of prime order q is chosen in E(GF(p)).

A comprehensive introduction to elliptic curve cryptography can be found in [CFDA] and [BSS].

Note 1: We choose {0,...,p-1} as a set of representatives for the elements of GF(p). This choice induces a natural ordering on GF(p).

2.1. Security Requirements

The following security requirements are either motivated by known cryptographic analysis or aim to enhance trust in the recommended curves. As this specification aims at a particularly high level of security, a restrictive position is taken here. Nevertheless, it may be sensible to slightly deviate from these requirements for certain applications (e.g., in order to achieve higher computational performance). More details on requirements for cryptographically strong elliptic curves can be found in [CFDA] and [BSS].

1. Immunity to attacks using the Weil or Tate Pairing. These attacks allow the embedding of the cyclic subgroup generated by G into the group of units of a degree-l extension GF(p^l) of GF(p), where sub-exponential attacks on the discrete logarithm problem (DLP) exist. Here we have l = min{t | q divides p^t - 1}, i.e., l is the order of p mod q. By Fermat's Little Theorem, l divides q-1. We require (q-1)/l < 100, which means that l is close to the maximum possible value. This requirement is considerably stronger than those of [SEC2] and [ANSI2] and also excludes supersingular curves, as those are the curves of order p+1.

2. The trace is not equal to one. Trace one curves (or anomalous curves) are curves with #E(GF(p)) = p. Satoh and Araki [SA], Semaev [Sem], and Smart [Sma] independently proposed efficient solutions to the elliptic curve discrete logarithm problem (ECDLP) on trace one curves. Note that these curves are also excluded by requirement 5 of Section 2.2.

3. Large class number. The class number of the maximal order of the quotient field of the endomorphism ring End(E) of E is larger than 10^7. Generally, E cannot be "lifted" to a curve E' over an algebraic number field L with End(E) = End(E') unless the degree of L over the rationals is larger than the class number of End(E). Although there are no efficient attacks exploiting a small class number, recent work ([JMV] and [HR]) may also be seen as an argument for the class number condition.

4. Prime group order. The group order #E(GF(p)) shall be a prime number in order to counter small-subgroup attacks (see [HMV]). Therefore, all groups proposed in this RFC have cofactor 1. Note that curves with prime order have no point of order 2 and therefore no point with y-coordinate 0.

5. Verifiably pseudo-random. The elliptic curve domain parameters shall be generated in a pseudo-random manner using seeds that are generated in a systematic and comprehensive way. The methods by which the parameters have been obtained are explained in Appendix A.

6. Proof of security. For all curves, a proof should be given that all security requirements are met. These proofs are provided in [EBP].

In [BG], attacks are described that apply to elliptic curve domain parameters where q-1 has a factor u in the order of q^(1/3). However, the circumstances under which these attacks are applicable can be avoided in most applications. Therefore, no corresponding security requirement is stated here. However, it is highly recommended that developers verify the security of their implementations against this kind of attack.

2.2. Technical Requirements

Commercial demands and experience with existing implementations lead to the following technical requirements for the elliptic curve domain parameters.

1. For each of the bit lengths 160, 192, 224, 256, 320, 384, and 512, one curve shall be proposed. This requirement follows from the need for curves providing different levels of security that are appropriate for the underlying symmetric algorithms. The existing standards specify a 521-bit curve instead of a 512-bit curve.

2. The prime number p shall be congruent to 3 mod 4. This requirement allows efficient point compression: one method for the transmission of curve points P=(x,y) is to transmit only x and the least significant bit LSB(y) of y. For p = 3 mod 4, we get (y^2)^((p+1)/4) = y*y^((p-1)/2), which is either y or -y by Fermat's Little Theorem; hence, y can be computed very efficiently using the curve equation. This requirement is not always met by the parameters defined in existing standards.

3. The curves shall be GF(p)-isomorphic to a curve E': y^2 = x^3 + A'*x + B' mod p with A' = -3 mod p. This property permits the use of the arithmetical advantages of curves with A = -3, as shown by Brier and Joyce [BJ]. For p = 3 mod 4, approximately half of the isomorphism classes of elliptic curves over GF(p) contain a curve E' with A' = -3 mod p. Precisely, if a curve is given by E: y^2 = x^3 + A*x + B mod p with -3 = A*u^4 being solvable in GF(p) and u=Z is a solution to this equation, then the requirement is fulfilled by means of the quadratic twist E': y^2 = x^3 + Z^4*A*x + Z^6*B mod p, and the GF(p)-isomorphism is given by F(x,y) := (x*Z^2, y*Z^3). Due to this isomorphism, E(GF(p)) and E'(GF(p)) have the same number of points, share the same algebraic structure, and hence offer the same level of security. This constraint has also been used by [SEC2] and [FIPS].

4. The prime p must not be of any special form; this requirement is met by a verifiably pseudo-random generation of the parameters (see requirement 5 in Section 2.1). Although parameters specified by existing standards do not meet this requirement, the need for such curves over (pseudo-)randomly chosen fields has already been foreseen by the Standards for Efficient Cryptography Group (SECG), see [SEC2].

5. #E(GF(p)) < p. As a consequence of the Hasse-Weil Theorem, the number of points #E(GF(p)) may be greater than the characteristic p of the prime field GF(p). In some cases, even the bit-length of #E(GF(p)) can exceed the bit-length of p. To avoid overruns in implementations, we require that #E(GF(p)) < p. In order to thwart attacks on digital signature schemes, some authors propose to use q > p, but the attacks described, e.g., in [BRS], appear infeasible in a well-designed Public Key Infrastructure (PKI).

6. B shall be a non-square mod p. Otherwise, the compressed representations of the curve-points (0,0) and (0,X), with X being the square root of B with a least significant bit of 0, would be identical. As there are implementations of elliptic curves that encode the point at infinity as (0,0), we try to avoid ambiguities. Note that this condition is stable under quadratic twists as described in condition 3 above. Condition 6 makes the attack described in [G] impossible. It can therefore also be seen as a security requirement. This constraint has not been specified by existing standards.

3. Domain Parameter Specification

In this section, the elliptic curve domain parameters proposed are specified in the following way.

For all curves, an ID is given by which it can be referenced.

p is the prime specifying the base field.

A and B are the coefficients of the equation y^2 = x^3 + A*x + B mod p defining the elliptic curve.

G = (x,y) is the base point, i.e., a point in E of prime order, with x and y being its x- and y-coordinates, respectively.

q is the prime order of the group generated by G.

h is the cofactor of G in E, i.e., #E(GF(p))/q.

For the twisted curve, we also give the coefficient Z that defines the isomorphism F (see requirement 3 in Section 2.2).

The methods for the generation of the parameters are given in Appendix A. Proofs for the fulfillment of the security requirements specified in Section 2.1 are given in [EBP].

3.1. Domain Parameters for 160-Bit Curves

Curve-ID: brainpoolP160r1

      p = E95E4A5F737059DC60DFC7AD95B3D8139515620F
      A = 340E7BE2A280EB74E2BE61BADA745D97E8F7C300
      B = 1E589A8595423412134FAA2DBDEC95C8D8675E58
      x = BED5AF16EA3F6A4F62938C4631EB5AF7BDBCDBC3
      y = 1667CB477A1A8EC338F94741669C976316DA6321
      q = E95E4A5F737059DC60DF5991D45029409E60FC09
      h = 1
        

#Twisted curve

Curve-ID: brainpoolP160t1

      Z = 24DBFF5DEC9B986BBFE5295A29BFBAE45E0F5D0B
      A = E95E4A5F737059DC60DFC7AD95B3D8139515620C
      B = 7A556B6DAE535B7B51ED2C4D7DAA7A0B5C55F380
      x = B199B13B9B34EFC1397E64BAEB05ACC265FF2378
      y = ADD6718B7C7C1961F0991B842443772152C9E0AD
      q = E95E4A5F737059DC60DF5991D45029409E60FC09
      h = 1
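
The following Python script is an added example and not part of the RFC: it takes the brainpoolP160r1 and brainpoolP160t1 values listed above and checks them against Section 2 (p prime and congruent to 3 mod 4, prime q < p with cofactor 1, B a non-square mod p, q*G = O, and, as a necessary condition only for requirement 1 of Section 2.1, p^t != 1 mod q for small t), recovers y from x and LSB(y) with the (p+1)/4 exponent of requirement 2 of Section 2.2, and rebuilds the twisted curve from Z as in requirement 3. The Miller-Rabin test and the affine group law are textbook routines written for this check, and all function and variable names are the example's own.

```python
# Added example (not part of RFC 5639): check the 160-bit Brainpool parameters
# of Section 3.1 against Section 2.  Hex values are copied from Section 3.1.
p = 0xE95E4A5F737059DC60DFC7AD95B3D8139515620F          # brainpoolP160r1
A = 0x340E7BE2A280EB74E2BE61BADA745D97E8F7C300
B = 0x1E589A8595423412134FAA2DBDEC95C8D8675E58
G = (0xBED5AF16EA3F6A4F62938C4631EB5AF7BDBCDBC3, 0x1667CB477A1A8EC338F94741669C976316DA6321)
q = 0xE95E4A5F737059DC60DF5991D45029409E60FC09
h = 1
Z = 0x24DBFF5DEC9B986BBFE5295A29BFBAE45E0F5D0B          # brainpoolP160t1
A_t = 0xE95E4A5F737059DC60DFC7AD95B3D8139515620C
B_t = 0x7A556B6DAE535B7B51ED2C4D7DAA7A0B5C55F380
G_t = (0xB199B13B9B34EFC1397E64BAEB05ACC265FF2378, 0xADD6718B7C7C1961F0991B842443772152C9E0AD)
INF = None  # the neutral element O

def is_probable_prime(n):
    # Miller-Rabin with twelve fixed bases: a sanity check, not a primality proof.
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    if n < 41 or any(n % b == 0 for b in bases):
        return n in bases
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def on_curve(P, a, b):
    return P is INF or (P[1] ** 2 - P[0] ** 3 - a * P[0] - b) % p == 0

def add(P, Q, a):
    # Affine group law on y^2 = x^3 + a*x + b over GF(p) (b is not needed here).
    if P is INF or Q is INF:
        return Q if P is INF else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                                   # P + (-P) = O
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, P, a):
    # Double-and-add; fine for a parameter check, not for secret scalars.
    R = INF
    for bit in bin(k)[2:]:
        R = add(R, R, a)
        if bit == "1":
            R = add(R, P, a)
    return R

def decompress(x, lsb_y, a, b):
    # Requirement 2 of Section 2.2: for p = 3 mod 4, (y^2)^((p+1)/4) is +y or -y.
    rhs = (x ** 3 + a * x + b) % p
    y = pow(rhs, (p + 1) // 4, p)
    if y * y % p != rhs:
        raise ValueError("x is not the x-coordinate of a point on the curve")
    return y if (y & 1) == lsb_y else p - y

def twist(a, b, P, Zc):
    # Requirement 3 of Section 2.2: A' = Z^4*A, B' = Z^6*B, F(x,y) = (x*Z^2, y*Z^3).
    a2, b2 = pow(Zc, 4, p) * a % p, pow(Zc, 6, p) * b % p
    return a2, b2, (P[0] * Zc * Zc % p, P[1] * pow(Zc, 3, p) % p)

def check_parameters(a, b, base, order, cof):
    # One named check per requirement; every value should be True.
    return {
        "p prime": is_probable_prime(p),
        "p = 3 mod 4 (2.2/2)": p % 4 == 3,
        "non-singular": (4 * a ** 3 + 27 * b * b) % p != 0,
        "G on curve": on_curve(base, a, b),
        "q prime, h = 1 (2.1/4)": is_probable_prime(order) and cof == 1,
        "#E = h*q < p (2.2/5, so trace != 1)": order * cof < p,
        "B non-square by Euler's criterion (2.2/6)": pow(b, (p - 1) // 2, p) != 1,
        "q*G = O": mul(order, base, a) is INF,
        "decompress(x, LSB(y)) == y": decompress(base[0], base[1] & 1, a, b) == base[1],
        # Only a necessary condition for 2.1/1: (q-1)/l < 100 forces l > 100.
        "p^t != 1 mod q for t <= 100": all(pow(p, t, order) != 1 for t in range(1, 101)),
    }

def check_twist():
    # Rebuild brainpoolP160t1 from brainpoolP160r1 and Z.  The last entry only
    # reports whether the twisted base point listed on the page equals F(G).
    a2, b2, g2 = twist(A, B, G, Z)
    return {"A' = Z^4*A": a2 == A_t, "B' = Z^6*B": b2 == B_t,
            "A' = -3 mod p": A_t == p - 3, "F(G) on E'": on_curve(g2, A_t, B_t),
            "F(G) = G_t": g2 == G_t}

if __name__ == "__main__":
    for name, res in (("r1", check_parameters(A, B, G, q, h)),
                      ("t1", check_parameters(A_t, B_t, G_t, q, h)), ("twist", check_twist())):
        print(name, *(f"  {k}: {'ok' if v else 'FAIL'}" for k, v in res.items()), sep="\n")
```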
        
3.2. Domain Parameters for 192-Bit Curves

Curve-ID: brainpoolP192r1

      p = C302F41D932A36CDA7A3463093D18DB78FCE476DE1A86297
      A = 6A91174076B1E0E19C39C031FE8685C1CAE040E5C69A28EF
      B = 469A28EF7C28CCA3DC721D044F4496BCCA7EF4146FBF25C9
      x = C0A0647EAAB6A48753B033C56CB0F0900A2F5C4853375FD6
      y = 14B690866ABD5BB88B5F4828C1490002E6773FA2FA299B8F
      q = C302F41D932A36CDA7A3462F9E9E916B5BE8F1029AC4ACC1
      h = 1
        

#Twisted curve

Curve-ID: brainpoolP192t1

      Z = 1B6F5CC8DB4DC7AF19458A9CB80DC2295E5EB9C3732104CB
      A = C302F41D932A36CDA7A3463093D18DB78FCE476DE1A86294
      B = 13D56FFAEC78681E68F9DEB43B35BEC2FB68542E27897B79
      x = 3AE9E58C82F63C30282E1FE7BBF43FA72C446AF6F4618129
      y = 097E2C5667C2223A902AB5CA449D0084B7E5B3DE7CCC01C9
      q = C302F41D932A36CDA7A3462F9E9E916B5BE8F1029AC4ACC1
      h = 1
        
3.3. Domain Parameters for 224-Bit Curves

Curve-ID: brainpoolP224r1

      p = D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF
      A = 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43
      B = 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B
      x = 0D9029AD2C7E5CF4340823B2A87DC68C9E4CE3174C1E6EFDEE12C07D
      y = 58AA56F772C0726F24C6B89E4ECDAC24354B9E99CAA3F6D3761402CD
      q = D7C134AA264366862A18302575D0FB98D116BC4B6DDEBCA3A5A7939F
      h = 1
        

#Twisted curve

Curve-ID: brainpoolP224t1

      Z = 2DF271E14427A346910CF7A2E6CFA7B3F484E5C2CCE1C8B730E28B3F
      A = D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FC
      B = 4B337D934104CD7BEF271BF60CED1ED20DA14C08B3BB64F18A60888D
      x = 6AB1E344CE25FF3896424E7FFE14762ECB49F8928AC0C76029B4D580
      y = 0374E9F5143E568CD23F3F4D7C0D4B1E41C8CC0D1C6ABD5F1A46DB4C
      q = D7C134AA264366862A18302575D0FB98D116BC4B6DDEBCA3A5A7939F
      h = 1
        
3.4. Domain Parameters for 256-Bit Curves

Curve-ID: brainpoolP256r1

      p = A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377
      A = 7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9
      B = 26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6
      x = 8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262
      y = 547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997
      q = A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7
      h = 1
        

#Twisted curve

Curve-ID: brainpoolP256t1

      Z = 3E2D4BD9597B58639AE7AA669CAB9837CF5CF20A2C852D10F655668DFC150EF0
      A = A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5374
      B = 662C61C430D84EA4FE66A7733D0B76B7BF93EBC4AF2F49256AE58101FEE92B04
      x = A3E8EB3CC1CFE7B7732213B23A656149AFA142C47AAFBC2B79A191562E1305F4
      y = 2D996C823439C56D7F7B22E14644417E69BCB6DE39D027001DABE8F35B25C9BE
      q = A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7
      h = 1
        
3.5. Domain Parameters for 320-Bit Curves

Curve-ID: brainpoolP320r1

      p = D35E472036BC4FB7E13C785ED201E065F98FCFA6F6F40DEF4F92B9EC7893EC28FCD412B1F1B32E27
      A = 3EE30B568FBAB0F883CCEBD46D3F3BB8A2A73513F5EB79DA66190EB085FFA9F492F375A97D860EB4
      B = 520883949DFDBC42D3AD198640688A6FE13F41349554B49ACC31DCCD884539816F5EB4AC8FB1F1A6
      x = 43BD7E9AFB53D8B85289BCC48EE5BFE6F20137D10A087EB6E7871E2A10A599C710AF8D0D39E20611
      y = 14FDD05545EC1CC8AB4093247F77275E0743FFED117182EAA9C77877AAAC6AC7D35245D1692E8EE1
      q = D35E472036BC4FB7E13C785ED201E065F98FCFA5B68F12A32D482EC7EE8658E98691555B44C59311
      h = 1
        

#Twisted curve

Curve-ID: brainpoolP320t1

曲线ID:brainpoolP320t1

Z = 15F75CAF668077F7E85B42EB01F0A81FF56ECD6191D55CB82B7D861458A18F EFC3E5AB7496F3C7B1

Z=15F75CAF668077F7E85B42EB01F0A81FF56ECD6191D55CB82B7D861458A18F EFC3E5AB7496F3C7B1

A = D35E472036BC4FB7E13C785ED201E065F98FCFA6F6F40DEF4F92B9EC7893EC 28FCD412B1F1B32E24

A=D35E472036BC4FB7E13C785ED201E065F98FCFA6F6F40DEF4F92B9EC7893EC 28FCD412B1B32E24

B = A7F561E038EB1ED560B3D147DB782013064C19F27ED27C6780AAF77FB8A547 CEB5B4FEF422340353

B=A7F561E038EB1ED560B3D147DB782013064C19F27ED27C6780AAF77FB8A547 CEB5B4FEF422340353

x = 925BE9FB01AFC6FB4D3E7D4990010F813408AB106C4F09CB7EE07868CC136F FF3357F624A21BED52

x=925BE9FB01AFC6FB4D3E7D49010F813408AB106C4F09CB7EE07868CC136F FF3357F624A21BED52

y = 63BA3A7A27483EBF6671DBEF7ABB30EBEE084E58A0B077AD42A5A0989D1EE7 1B1B9BC0455FB0D2C3

y=63BA3A7A27483EBF6671DBEF7ABB30EBEE084E58A0B077AD42A5A0989D1EE7 1B1B9BC0455FB0D2C3

q = D35E472036BC4FB7E13C785ED201E065F98FCFA5B68F12A32D482EC7EE8658 E98691555B44C59311

q=D35E472036BC4FB7E13C785ED201E065F98FCFA5B68F12A32D482EC7EE8658 E98691555B44C59311

      h = 1
        
      h = 1
        
3.6. Domain Parameters for 384-Bit Curves

Curve-ID: brainpoolP384r1

      p = 8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B412B1DA197FB711
      23ACD3A729901D1A71874700133107EC53
        
      A = 7BC382C63D8C150C3C72080ACE05AFA0C2BEA28E4FB22787139165EFBA91F9
      0F8AA5814A503AD4EB04A8C7DD22CE2826
        
      B = 04A8C7DD22CE28268B39B55416F0447C2FB77DE107DCD2A62E880EA53EEB62
      D57CB4390295DBC9943AB78696FA504C11
        
      x = 1D1C64F068CF45FFA2A63A81B7C13F6B8847A3E77EF14FE3DB7FCAFE0CBD10
      E8E826E03436D646AAEF87B2E247D4AF1E
        
      y = 8ABE1D7520F9C2A45CB1EB8E95CFD55262B70B29FEEC5864E19C054FF99129
      280E4646217791811142820341263C5315
        
      q = 8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B31F166E6CAC0425
      A7CF3AB6AF6B7FC3103B883202E9046565
        
      h = 1
        

#Twisted curve

Curve-ID: brainpoolP384t1

      Z = 41DFE8DD399331F7166A66076734A89CD0D2BCDB7D068E44E1F378F41ECBAE
      97D2D63DBC87BCCDDCCC5DA39E8589291C
        
      A = 8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B412B1DA197FB711
      23ACD3A729901D1A71874700133107EC50
        
      B = 7F519EADA7BDA81BD826DBA647910F8C4B9346ED8CCDC64E4B1ABD11756DCE
      1D2074AA263B88805CED70355A33B471EE
        
      x = 18DE98B02DB9A306F2AFCD7235F72A819B80AB12EBD653172476FECD462AAB
      FFC4FF191B946A5F54D8D0AA2F418808CC
        
      y = 25AB056962D30651A114AFD2755AD336747F93475B7A1FCA3B88F2B6A208CC
      FE469408584DC2B2912675BF5B9E582928
        
      q = 8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B31F166E6CAC0425
      A7CF3AB6AF6B7FC3103B883202E9046565
        
      h = 1
        
3.7. Domain Parameters for 512-Bit Curves

Curve-ID: brainpoolP512r1

      p = AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308
      717D4D9B009BC66842AECDA12AE6A380E62881FF2F2D82C68528AA6056583A48F3
        
      A = 7830A3318B603B89E2327145AC234CC594CBDD8D3DF91610A83441CAEA9863
      BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C1AC4D77FC94CA
        
      B = 3DF91610A83441CAEA9863BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117
      A72BF2C7B9E7C1AC4D77FC94CADC083E67984050B75EBAE5DD2809BD638016F723
        
      x = 81AEE4BDD82ED9645A21322E9C4C6A9385ED9F70B5D916C1B43B62EEF4D009
      8EFF3B1F78E2D0D48D50D1687B93B97D5F7C6D5047406A5E688B352209BCB9F822
        
      y = 7DDE385D566332ECC0EABFA9CF7822FDF209F70024A57B1AA000C55B881F81
      11B2DCDE494A5F485E5BCA4BD88A2763AED1CA2B2FA8F0540678CD1E0F3AD80892
        
      q = AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308
      70553E5C414CA92619418661197FAC10471DB1D381085DDADDB58796829CA90069
        
      h = 1
        

#Twisted curve

Curve-ID: brainpoolP512t1

      Z = 12EE58E6764838B69782136F0F2D3BA06E27695716054092E60A80BEDB212B
      64E585D90BCE13761F85C3F1D2A64E3BE8FEA2220F01EBA5EEB0F35DBD29D922AB
        
      A = AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308
      717D4D9B009BC66842AECDA12AE6A380E62881FF2F2D82C68528AA6056583A48F0
        
      B = 7CBBBCF9441CFAB76E1890E46884EAE321F70C0BCB4981527897504BEC3E36
      A62BCDFA2304976540F6450085F2DAE145C22553B465763689180EA2571867423E
        
      x = 640ECE5C12788717B9C1BA06CBC2A6FEBA85842458C56DDE9DB1758D39C031
      3D82BA51735CDB3EA499AA77A7D6943A64F7A3F25FE26F06B51BAA2696FA9035DA
        
      y = 5B534BD595F5AF0FA2C892376C84ACE1BB4E3019B71634C01131159CAE03CE
      E9D9932184BEEF216BD71DF2DADF86A627306ECFF96DBB8BACE198B61E00F8B332
        
      q = AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308
      70553E5C414CA92619418661197FAC10471DB1D381085DDADDB58796829CA90069
        
      h = 1
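
Before domain parameters transcribed from a document such as this one are trusted by an implementation, they should be checked rather than assumed: the base point must lie on the curve, q*G must be the point at infinity, the curve must be non-singular, and for a twisted curve the stated isomorphism must actually hold (A' = Z^4*A, B' = Z^6*B and G' = (Z^2*x, Z^3*y) mod p, with A' = p - 3 as the reason for the twist). The following Python is an added example of such a check, written for this page and not part of RFC 5639; it uses the brainpoolP320r1 and brainpoolP320t1 values from Section 3.5 above with plain affine arithmetic, which is slow and not constant-time and therefore only suitable for offline validation.

```python
# Added sanity checks for the brainpoolP320r1 / brainpoolP320t1 parameters of
# Section 3.5 (example code, not part of RFC 5639). Values are the ones listed
# above, joined into single hex strings.
P320 = dict(
    p=int("D35E472036BC4FB7E13C785ED201E065F98FCFA6F6F40DEF4F92B9EC7893EC"
          "28FCD412B1F1B32E27", 16),
    A=int("3EE30B568FBAB0F883CCEBD46D3F3BB8A2A73513F5EB79DA66190EB085FFA9"
          "F492F375A97D860EB4", 16),
    B=int("520883949DFDBC42D3AD198640688A6FE13F41349554B49ACC31DCCD884539"
          "816F5EB4AC8FB1F1A6", 16),
    x=int("43BD7E9AFB53D8B85289BCC48EE5BFE6F20137D10A087EB6E7871E2A10A599"
          "C710AF8D0D39E20611", 16),
    y=int("14FDD05545EC1CC8AB4093247F77275E0743FFED117182EAA9C77877AAAC6A"
          "C7D35245D1692E8EE1", 16),
    q=int("D35E472036BC4FB7E13C785ED201E065F98FCFA5B68F12A32D482EC7EE8658"
          "E98691555B44C59311", 16),
    h=1,
)
P320T = dict(
    Z=int("15F75CAF668077F7E85B42EB01F0A81FF56ECD6191D55CB82B7D861458A18F"
          "EFC3E5AB7496F3C7B1", 16),
    A=int("D35E472036BC4FB7E13C785ED201E065F98FCFA6F6F40DEF4F92B9EC7893EC"
          "28FCD412B1F1B32E24", 16),
    B=int("A7F561E038EB1ED560B3D147DB782013064C19F27ED27C6780AAF77FB8A547"
          "CEB5B4FEF422340353", 16),
    x=int("925BE9FB01AFC6FB4D3E7D4990010F813408AB106C4F09CB7EE07868CC136F"
          "FF3357F624A21BED52", 16),
    y=int("63BA3A7A27483EBF6671DBEF7ABB30EBEE084E58A0B077AD42A5A0989D1EE7"
          "1B1B9BC0455FB0D2C3", 16),
)

INF = None  # the point at infinity


def on_curve(p, A, B, pt) -> bool:
    """y^2 = x^3 + A*x + B over GF(p); the point at infinity always qualifies."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % p == 0


def add(p, A, P1, P2):
    """Affine point addition/doubling on y^2 = x^3 + A*x + B (not constant-time)."""
    if P1 is INF:
        return P2
    if P2 is INF:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2:
        if (y1 + y2) % p == 0:          # P2 = -P1, or doubling a point with y = 0
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def mul(p, A, k, pt):
    """Left-to-right double-and-add scalar multiplication k*pt."""
    R = INF
    for bit in bin(k)[2:]:
        R = add(p, A, R, R)
        if bit == "1":
            R = add(p, A, R, pt)
    return R


def check_random_curve(c) -> bool:
    """Non-singular curve, base point on the curve, and q*G = O with cofactor 1."""
    p, A, B, G, q = c["p"], c["A"], c["B"], (c["x"], c["y"]), c["q"]
    return ((4 * A ** 3 + 27 * B ** 2) % p != 0
            and on_curve(p, A, B, G)
            and mul(p, A, q, G) is INF
            and c["h"] == 1)


def check_twist(c, t) -> bool:
    """The twisted curve is the image of the random curve under (x, y) -> (Z^2 x, Z^3 y)."""
    p, Z = c["p"], t["Z"]
    return (t["A"] == pow(Z, 4, p) * c["A"] % p
            and t["B"] == pow(Z, 6, p) * c["B"] % p
            and t["A"] == p - 3                      # the point of the twist: A' = -3
            and t["x"] == pow(Z, 2, p) * c["x"] % p
            and t["y"] == pow(Z, 3, p) * c["y"] % p
            and on_curve(p, t["A"], t["B"], (t["x"], t["y"])))


if __name__ == "__main__":
    print("brainpoolP320r1 ok:", check_random_curve(P320))
    print("brainpoolP320t1 is the stated twist:", check_twist(P320, P320T))
```

A single wrong hex digit in any of the values makes one of these checks fail, which is exactly the property wanted from a transcription check; the same functions apply unchanged to the other parameter sets in Section 3.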
        
      h = 1
        
4. Object Identifiers and ASN.1 Syntax
4.1. Object Identifiers

The root of the tree for the object identifiers defined in this specification is given by:

      ecStdCurvesAndGeneration OBJECT IDENTIFIER::= {iso(1)
      identified-organization(3) teletrust(36) algorithm(3) signature-
      algorithm(3) ecSign(2) 8}
        

The object identifier ellipticCurve represents the tree for domain parameter sets. It has the following value:

      ellipticCurve OBJECT IDENTIFIER ::= {ecStdCurvesAndGeneration 1}
        

The tree containing the object identifiers for each set of domain parameters defined in this RFC is:

      versionOne OBJECT IDENTIFIER ::= {ellipticCurve 1}
        

The following object identifiers represent the domain parameter sets defined in this RFC:

      brainpoolP160r1 OBJECT IDENTIFIER ::= {versionOne 1}
      brainpoolP160t1 OBJECT IDENTIFIER ::= {versionOne 2}
      brainpoolP192r1 OBJECT IDENTIFIER ::= {versionOne 3}
      brainpoolP192t1 OBJECT IDENTIFIER ::= {versionOne 4}
      brainpoolP224r1 OBJECT IDENTIFIER ::= {versionOne 5}
      brainpoolP224t1 OBJECT IDENTIFIER ::= {versionOne 6}
      brainpoolP256r1 OBJECT IDENTIFIER ::= {versionOne 7}
      brainpoolP256t1 OBJECT IDENTIFIER ::= {versionOne 8}
      brainpoolP320r1 OBJECT IDENTIFIER ::= {versionOne 9}
      brainpoolP320t1 OBJECT IDENTIFIER ::= {versionOne 10}
      brainpoolP384r1 OBJECT IDENTIFIER ::= {versionOne 11}
      brainpoolP384t1 OBJECT IDENTIFIER ::= {versionOne 12}
      brainpoolP512r1 OBJECT IDENTIFIER ::= {versionOne 13}
      brainpoolP512t1 OBJECT IDENTIFIER ::= {versionOne 14}

4.2. ASN.1 Syntax for Usage with X.509 Certificates

The domain parameters specified in this RFC SHALL be used with X.509 certificates in accordance with [RFC5480]. In particular,

o the algorithm field of subjectPublicKeyInfo MUST be set to:

* id-ecPublicKey, if the algorithms that can be used with the subject public key are not restricted, or

* id-ecDH to restrict the usage of the subject public key to Elliptic Curve Diffie-Hellman (ECDH) key agreement, or

* id-ecMQV to restrict the usage of the subject public key to Elliptic Curve Menezes-Qu-Vanstone (ECMQV) key agreement, and

o the field algorithm.parameter of subjectPublicKeyInfo MUST be of type:

* namedCurve to specify the domain parameters by one of the Object Identifiers (OIDs) defined in Section 4.1, or

* specifiedCurve to specify the domain parameters explicitly as defined in [RFC5480], or

* implicitCurve, if the domain parameters are found in an issuer's certificate.

If the domain parameters are explicitly specified using the type specifiedCurve in the field algorithm.parameter of subjectPublicKeyInfo, ANSI X9.62 [ANSI1] and [RFC5480] allow indicating whether or not a curve and base point have been generated verifiably in a pseudo-random way. Although the parameters specified in Section 3 have all been generated by the pseudo-random methods described in Appendix A, these algorithms deviate from those mandated in ANSI X9.62, A.3.3.1. Consequently, applications following ANSI X9.62 or [RFC5480] will not be able to verify the pseudo-randomness of the parameters. In order to avoid rejection of the parameters, the ASN.1 encoding SHOULD NOT specify that the curve or base point has been generated verifiably at random. In particular, certification authorities (CAs) SHOULD set the contents of specifiedCurve in the following way:

o version is set to ecpVer1(1).

o fieldId includes the fieldType prime-field and as parameter the value p of the selected domain parameters as specified in Section 3.

o curve includes the values a and b of the selected domain parameters as specified in Section 3, but seed is absent.

o base is the octet string representation of the base point G of the selected domain parameters as specified in Section 3.

o order is set to q of the selected domain parameters as specified in Section 3.

o cofactor is set to 1.

o hash is absent.
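
The following Python is an added example, not text or code from RFC 5639, illustrating both Section 4.1 and Section 4.2: it builds the object identifier tree above, DER-encodes a curve OID as the namedCurve form of algorithm.parameter, and builds the explicit specifiedCurve form with the contents a CA is asked to use (version ecpVer1, prime-field, seed absent, uncompressed base point, cofactor 1, hash absent). The DER helpers are written here for illustration rather than taken from an ASN.1 library; the ECParameters layout is the one of ANSI X9.62 / RFC 3279 that [RFC5480] builds on, and the prime-field OID 1.2.840.10045.1.1 is X9.62's and is not defined on this page. The sample parameters are brainpoolP384r1 from Section 3.6.

```python
# Added example (not part of RFC 5639): Section 4.1 OIDs and the namedCurve /
# specifiedCurve encodings of Section 4.2, with hand-written DER helpers.

# {iso(1) identified-organization(3) teletrust(36) algorithm(3)
#  signature-algorithm(3) ecSign(2) 8}
EC_STD_CURVES_AND_GENERATION = (1, 3, 36, 3, 3, 2, 8)
ELLIPTIC_CURVE = EC_STD_CURVES_AND_GENERATION + (1,)
VERSION_ONE = ELLIPTIC_CURVE + (1,)
_NAMES = ["brainpoolP%d%s1" % (bits, kind)
          for bits in (160, 192, 224, 256, 320, 384, 512) for kind in "rt"]
CURVE_OIDS = {name: VERSION_ONE + (i,) for i, name in enumerate(_NAMES, 1)}
PRIME_FIELD = (1, 2, 840, 10045, 1, 1)   # ANSI X9.62 prime-field; assumed, not from this page


def dotted(arcs) -> str:
    return ".".join(str(a) for a in arcs)


def der_len(n: int) -> bytes:
    """DER length: short form below 128, else 0x80|len followed by the big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_oid(arcs) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, then base-128 groups."""
    out = bytearray()
    for arc in (40 * arcs[0] + arcs[1],) + tuple(arcs[2:]):
        group = [arc & 0x7F]
        arc >>= 7
        while arc:
            group.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(group))
    return der_tlv(0x06, bytes(out))


def der_int(n: int) -> bytes:
    """Non-negative INTEGER; a leading zero byte keeps the top bit from reading as a sign."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)


def der_octets(b: bytes) -> bytes:
    return der_tlv(0x04, b)


def der_seq(*parts: bytes) -> bytes:
    return der_tlv(0x30, b"".join(parts))


def named_curve_params(name: str) -> bytes:
    """algorithm.parameter as namedCurve: just the OID from Section 4.1."""
    return der_oid(CURVE_OIDS[name])


def specified_curve_params(p, A, B, x, y, q, h=1) -> bytes:
    """algorithm.parameter as specifiedCurve, filled in as Section 4.2 asks CAs to."""
    flen = (p.bit_length() + 7) // 8                   # field elements are fixed-width

    def fe(v):
        return v.to_bytes(flen, "big")

    return der_seq(
        der_int(1),                                    # version ecpVer1(1)
        der_seq(der_oid(PRIME_FIELD), der_int(p)),     # fieldId: prime-field, p
        der_seq(der_octets(fe(A)), der_octets(fe(B))), # curve: a, b; seed absent
        der_octets(b"\x04" + fe(x) + fe(y)),           # base: uncompressed G
        der_int(q),                                    # order
        der_int(h),                                    # cofactor; hash absent
    )


def parameters_kind(der: bytes) -> str:
    """Which ECParameters CHOICE an encoding carries: OID, SEQUENCE or NULL."""
    return {0x06: "namedCurve", 0x30: "specifiedCurve",
            0x05: "implicitCurve"}.get(der[0], "unknown")


# brainpoolP384r1 as listed in Section 3.6 above.
BRAINPOOL_P384R1 = dict(
    p=int("8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B412B1DA197FB711"
          "23ACD3A729901D1A71874700133107EC53", 16),
    A=int("7BC382C63D8C150C3C72080ACE05AFA0C2BEA28E4FB22787139165EFBA91F9"
          "0F8AA5814A503AD4EB04A8C7DD22CE2826", 16),
    B=int("04A8C7DD22CE28268B39B55416F0447C2FB77DE107DCD2A62E880EA53EEB62"
          "D57CB4390295DBC9943AB78696FA504C11", 16),
    x=int("1D1C64F068CF45FFA2A63A81B7C13F6B8847A3E77EF14FE3DB7FCAFE0CBD10"
          "E8E826E03436D646AAEF87B2E247D4AF1E", 16),
    y=int("8ABE1D7520F9C2A45CB1EB8E95CFD55262B70B29FEEC5864E19C054FF99129"
          "280E4646217791811142820341263C5315", 16),
    q=int("8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B31F166E6CAC0425"
          "A7CF3AB6AF6B7FC3103B883202E9046565", 16),
)

if __name__ == "__main__":
    for name, arcs in CURVE_OIDS.items():
        print(name, dotted(arcs), named_curve_params(name).hex())
    print(specified_curve_params(**BRAINPOOL_P384R1).hex())
```

The namedCurve encoding of brainpoolP256r1, for instance, is the eleven bytes 06 09 2B 24 03 03 02 08 01 01 07. Because no seed is written into the curve component, a relying party following ANSI X9.62 or [RFC5480] has nothing to verify and will not reject the parameters for a failed pseudo-randomness check, which is the outcome Section 4.2 is after.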

5. Security Considerations

The level of security provided by symmetric ciphers and hash functions used in conjunction with the elliptic curve domain parameters specified in this RFC should roughly match or exceed the level provided by the domain parameters. The following table indicates the minimum key sizes for symmetric ciphers and hash functions providing at least (roughly) comparable security.

   +--------------------+--------------------+-------------------------+
   |   elliptic curve   |  minimum length of |      hash functions     |
   |  domain parameters |   symmetric keys   |                         |
   +--------------------+--------------------+-------------------------+
   |   brainpoolP160r1  |         80         |     SHA-1, SHA-224,     |
   |                    |                    |    SHA-256, SHA-384,    |
   |                    |                    |         SHA-512         |
   |                    |                    |                         |
   |   brainpoolP192r1  |         96         |    SHA-224, SHA-256,    |
   |                    |                    |     SHA-384, SHA-512    |
   |                    |                    |                         |
   |   brainpoolP224r1  |         112        |    SHA-224, SHA-256,    |
   |                    |                    |     SHA-384, SHA-512    |
   |                    |                    |                         |
   |   brainpoolP256r1  |         128        |    SHA-256, SHA-384,    |
   |                    |                    |         SHA-512         |
   |                    |                    |                         |
   |   brainpoolP320r1  |         160        |     SHA-384, SHA-512    |
   |                    |                    |                         |
   |   brainpoolP384r1  |         192        |     SHA-384, SHA-512    |
   |                    |                    |                         |
   |   brainpoolP512r1  |         256        |         SHA-512         |
   +--------------------+--------------------+-------------------------+
        
Table 1

Security properties of the elliptic curve domain parameters specified in this RFC are discussed in Section 2.1. Further security discussions specific to elliptic curve cryptography can be found in [ANSI1] and [SEC1].

6. Intellectual Property Rights

The authors have no knowledge about any intellectual property rights that cover the usage of the domain parameters defined herein. However, readers should be aware that implementations based on these domain parameters may require use of inventions covered by patent rights.

7. References
7.1. Normative References

[ANSI1] American National Standards Institute, "Public Key Cryptography For The Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)", ANSI X9.62, 2005.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC5480] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk, "Elliptic Curve Cryptography Subject Public Key Information", RFC 5480, March 2009.

7.2. Informative References

[ANSI2] American National Standards Institute, "Public Key Cryptography For The Financial Services Industry: Key Agreement and Key Transport Using The Elliptic Curve Cryptography", ANSI X9.63, 2001.

[BJ] Brier, E. and M. Joyce, "Fast Multiplication on Elliptic Curves through Isogenies", Applied Algebra Algebraic Algorithms and Error-Correcting Codes, Lecture Notes in Computer Science 2643, Springer Verlag, 2003.

[BG] Brown, J. and R. Gallant, "The Static Diffie-Hellman Problem", Centre for Applied Cryptographic Research, University of Waterloo, Technical Report CACR 2004-10, 2005.

[BRS] Bohli, J., Roehrich, S., and R. Steinwandt, "Key Substitution Attacks Revisited: Taking into Account Malicious Signers", International Journal of Information Security Volume 5, Issue 1, January 2006.

[BSS] Blake, I., Seroussi, G., and N. Smart, "Elliptic Curves in Cryptography", Cambridge University Press, 1999.

[EBP] ECC Brainpool, "ECC Brainpool Standard Curves and Curve Generation", October 2005, <http://www.ecc-brainpool.org/download/Domain-parameters.pdf>.

[ETSI] European Telecommunications Standards Institute (ETSI), "Algorithms and Parameters for Secure Electronic Signatures, Part 1: Hash Functions and Asymmetric Algorithms", TS 102 176-1, July 2005.

[FIPS] National Institute of Standards and Technology, "Digital Signature Standard (DSS)", FIPS PUB 186-2, December 1998.

[G] Goubin, L., "A Refined Power-Analysis-Attack on Elliptic Curve Cryptosystems", Proceedings of Public-Key-Cryptography - PKC 2003, Lecture Notes in Computer Science 2567, Springer Verlag, 2003.

[CFDA] Cohen, H., Frey, G., Doche, C., Avanzi, R., Lange, T., Nguyen, K., and F. Vercauteren, "Handbook of Elliptic and Hyperelliptic Curve Cryptography", Chapman & Hall CRC Press, 2006.

[HMV] Hankerson, D., Menezes, A., and S. Vanstone, "Guide to Elliptic Curve Cryptography", Springer Verlag, 2004.

[HR] Huang, M. and W. Raskind, "Signature Calculus and the Discrete Logarithm Problem for Elliptic Curves (Preliminary Version)", Unpublished Preprint, 2006, <http://www-rcf.usc.edu/~mdhuang/mypapers/062806dl3.pdf>.

[ISO1] International Organization for Standardization, "Information Technology - Security Techniques - Digital Signatures with Appendix - Part 3: Discrete Logarithm Based Mechanisms", ISO/IEC 14888-3, 2006.

[ISO2] International Organization for Standardization, "Information Technology - Security Techniques - Cryptographic Techniques Based on Elliptic Curves - Part 2: Digital signatures", ISO/IEC 15946-2, 2002.

[ISO3] International Organization for Standardization, "Information Technology - Security Techniques - Prime Number Generation", ISO/IEC 18032, 2005.

[JMV] Jao, D., Miller, SD., and R. Venkatesan, "Ramanujan Graphs and the Random Reducibility of Discrete Log on Isogenous Elliptic Curves", IACR Cryptology ePrint Archive 2004/312, 2004.

[RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3279, April 2002.

[RFC4050] Blake-Wilson, S., Karlinger, G., Kobayashi, T., and Y. Wang, "Using the Elliptic Curve Signature Algorithm (ECDSA) for XML Digital Signatures", RFC 4050, April 2005.

[RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B. Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)", RFC 4492, May 2006.

[RFC4754] Fu, D. and J. Solinas, "IKE and IKEv2 Authentication Using the Elliptic Curve Digital Signature Algorithm (ECDSA)", RFC 4754, January 2007.

[RFC5753] Turner, S. and D. Brown, "Use of Elliptic Curve Cryptography (ECC) Algorithms in Cryptographic Message Syntax (CMS)", RFC 5753, January 2010.

[SA] Satoh, T. and K. Araki, "Fermat Quotients and the Polynomial Time Discrete Log Algorithm for Anomalous Elliptic Curves", Commentarii Mathematici Universitatis Sancti Pauli 47, 1998.

[SEC1] Certicom Research, "Elliptic Curve Cryptography", Standards for Efficient Cryptography (SEC) 1, September 2000.

[SEC2] Certicom Research, "Recommended Elliptic Curve Domain Parameters", Standards for Efficient Cryptography (SEC) 2, September 2000.

[Sem] Semaev, I., "Evaluation of Discrete Logarithms on Some Elliptic Curves", Mathematics of Computation 67, 1998.

[Sma] Smart, N., "The Discrete Logarithm Problem on Elliptic Curves of Trace One", Journal of Cryptology 12, 1999.

Appendix A. Pseudo-Random Generation of Parameters

In this appendix, the methods used for pseudo-random generation of the elliptic curve domain parameters are described. A comprehensive description is given in [EBP].

Throughout this section the following conventions are used:

The conversion between integers x in the range 0 <= x <= 2^L - 1 and bit strings of length L is given by x <--> {x_1,...,x_L} and the binary expansion x = x_1 * 2^(L-1) + x_2 * 2^(L-2) + ... + x_(L-1)*2 + x_L, i.e., the first bit of the bit string corresponds to the most significant bit of the corresponding integer and the last bit to the least significant bit.

For a real number x, let floor(x) denote the highest integer less than or equal to x.

For updating the seed s of 160-bit length we use the following function update_seed(s):

1. Convert s to an integer z.

2. Convert (z+1) mod 2^160 to a bit string t and output t.

A.1. Generation of Prime Numbers

This section describes the systematic selection of the base fields GF(p) proposed in this specification. The prime generation method is similar to the method given in FIPS 186-2 [FIPS], Appendix 6.4, and ANSI X9.62 [ANSI1], A.3.2. It is a modification of the method "incremental search" given in Section 8.2.2 of [ISO3].

For computing an integer x in the range 0 <= x <= 2^L - 1 from a seed s of 160-bit length, we use the following algorithm find_integer(s):

1. Set v = floor((L-1)/160) and w = L - 160*v.

2. Compute h = SHA-1(s).

3. Let h_0 be the bit string obtained by taking the w rightmost bits of h.

4. Convert s to an integer z.

5. For i from 1 to v do:

       A.  Set z_i = (z+i) mod 2^160.
        
B. Convert z_i to a bit string s_i.

C. Set h_i = SHA-1(s_i).

6. Let h be the string obtained by the concatenation of h_0,...,h_v from left to right.

7. Convert h to an integer x and output x.

The following procedure is used to generate an L bit prime p from a 160-bit seed s.

1. Set c = find_integer(s).

2. Let p be the smallest prime p >= c with p = 3 mod 4.

3. If 2^(L-1) <= p <= 2^L - 1 output p and stop.

4. Set s = update_seed(s) and go to Step 1.

For the generation of the primes p used as base fields GF(p) for the curves defined in this specification (and the corresponding twisted curves), the following values (in hexadecimal representation) have been used as initial seed s:

      Seed_p_160 for brainpoolP160r1:
      3243F6A8885A308D313198A2E03707344A409382
        
      Seed_p_192 for brainpoolP192r1:
      2299F31D0082EFA98EC4E6C89452821E638D0137
        
      Seed_p_224 for brainpoolP224r1:
      7BE5466CF34E90C6CC0AC29B7C97C50DD3F84D5B
        
      Seed_p_256 for brainpoolP256r1:
      5B54709179216D5D98979FB1BD1310BA698DFB5A
        
      Seed_p_320 for brainpoolP320r1:
      C2FFD72DBD01ADFB7B8E1AFED6A267E96BA7C904
        
      Seed_p_384 for brainpoolP384r1:
      5F12C7F9924A19947B3916CF70801F2E2858EFC1
        
      Seed_p_512 for brainpoolP512r1:
      6636920D871574E69A458FEA3F4933D7E0D95748
        

These seeds have been obtained as the first 7 substrings of 160-bit length each of Q = Pi*2^1120, where Pi is the constant 3.14159..., also known as Ludolph's number, i.e.,

Q = Seed_p_160||Seed_p_192||...||Seed_p_512||Remainder, where || denotes concatenation.

Using these seeds and the above algorithm the following primes are obtained:

      p_160 = 1332297598440044874827085558802491743757193798159
        
      p_192 = 4781668983906166242955001894344923773259119655253013193367
        
      p_224 = 2272162293245435278755253799591092807334073214594499230443
      5472941311

p_256 = 7688495639704534422080974662900164909303795020094305520373 5601445031516197751

p_256=768849563970453442208097466290016490930379502009430520373 5601445031516197751

      p_320 = 1763593322239166354161909842446019520889512772719515192772
      9604152886408688021498180955014999035278
        
      p_384 = 2165927077011931617306923684233260497979611638701764860008
      1618503821089934025961822236561982844534088440708417973331
        

      p_512 = 8948962207650232551656602815159153422162609644098354511344
      597187200057010413552439917934304191956942765446530386427345937963
      894309923928536070534607816947

A.2. Generation of Pseudo-Random Curves

The generation procedure is similar to the procedure given in FIPS PUB 186-2 [FIPS], Appendix 6.4, and ANSI X9.62 [ANSI1], A.3.2.

For computing an integer x in the range 0 <= x <= 2^(L-1) - 1 from a seed s of 160-bit length, we use the algorithm find_integer_2(s), which slightly differs from the method used for the generation of the primes.

1. Set v = floor((L-1)/160) and w = L - 160*v - 1.

2. Compute h = SHA-1(s).

3. Let h_0 be the bit string obtained by taking the w rightmost bits of h.

4. Convert s to an integer z.

5. For i from 1 to v do:

       A.  Set z_i = (z+i) mod 2^160.

       B.  Convert z_i to a bit string s_i.

       C.  Set h_i = SHA-1(s_i).

6. Let h be the string obtained by the concatenation of h_0,...,h_v from left to right.

7. Convert h to an integer x and output x.

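The seven steps of find_integer_2 as runnable code, added here as an illustration (it is not code from the RFC or from the Brainpool project). The only assumption beyond the text is that the unspecified bit-string/integer conversions are big-endian, as in FIPS 186-2 and ANSI X9.62.

```python
import hashlib


def sha1_bits(data: bytes) -> str:
    """SHA-1 digest of `data` as a 160-character bit string."""
    digest = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return format(digest, "0160b")


def find_integer_2(seed: bytes, L: int) -> int:
    """find_integer_2(s) of RFC 5639, Appendix A.2: map a 160-bit seed s to an
    integer x with 0 <= x <= 2^(L-1) - 1.  Comments follow the step numbers."""
    if len(seed) != 20:
        raise ValueError("seed s must be exactly 160 bits (20 bytes)")
    if L < 2:
        raise ValueError("L must be at least 2")
    # 1. v = floor((L-1)/160) full SHA-1 blocks, plus w leading bits from h_0
    v = (L - 1) // 160
    w = L - 160 * v - 1
    # 2./3. h = SHA-1(s); h_0 is the w rightmost bits of h (empty when w == 0)
    h0 = sha1_bits(seed)[160 - w:]
    # 4. z is the seed read as an integer (big-endian, assumed)
    z = int.from_bytes(seed, "big")
    parts = [h0]
    # 5. for i = 1..v: z_i = (z+i) mod 2^160, s_i = bitstring(z_i), h_i = SHA-1(s_i)
    for i in range(1, v + 1):
        z_i = (z + i) % (1 << 160)
        s_i = z_i.to_bytes(20, "big")
        parts.append(sha1_bits(s_i))
    # 6./7. h = h_0 || h_1 || ... || h_v has exactly L-1 bits; output it as an integer
    h = "".join(parts)
    return int(h, 2)
```

Because the concatenated string has exactly w + 160*v = L-1 bits, the output is always below 2^(L-1), which is what the range requirement in the text demands.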

The following procedure is used to generate the parameters A and B of a suitable elliptic curve over GF(p) and a base point G from a prime p of bit length L and a 160-bit seed s.

1. Set h = find_integer_2(s).

2. Convert h to an integer A.

3. If -3 = A*Z^4 mod p is not solvable, then set s = update_seed(s) and go to Step 1.

4. Compute one solution Z of -3 = A*Z^4 mod p.

5. Set s = update_seed(s).

6. Set B = find_integer_2(s).

7. If B is a square mod p, then set s = update_seed(s) and go to Step 6.

8. If 4*A^3 + 27*B^2 = 0 mod p, then set s = update_seed(s) and go to Step 1.

9. Check that the elliptic curve E over GF(p) given by y^2 = x^3 + A*x + B fulfills all security and functional requirements given in Section 3. If not, then set s = update_seed(s) and go to Step 1.

10. Set s = update_seed(s).

11. Set k = find_integer_2(s).

12. Determine the points Q and -Q having the smallest x-coordinate in E(GF(p)). Randomly select one of them as point P.

13. Compute the base point G = k * P.

14. Output A, B, and G.

Note: Of course P could also be used as a base point. However, the small x-coordinate of P could possibly render the curve vulnerable to side-channel attacks.

For the generation of curve parameters A and B, and the base points G defined in this specification, the following values (in hexadecimal representation) have been used as initial seed s:

      Seed_ab_160 for brainpoolP160r1:
      2B7E151628AED2A6ABF7158809CF4F3C762E7160
        
      Seed_ab_192 for brainpoolP192r1:
      F38B4DA56A784D9045190CFEF324E7738926CFBE
        
      Seed_ab_224 for brainpoolP224r1:
      5F4BF8D8D8C31D763DA06C80ABB1185EB4F7C7B5
        
      Seed_ab_256 for brainpoolP256r1:
      757F5958490CFD47D7C19BB42158D9554F7B46BC
        
      Seed_ab_320 for brainpoolP320r1:
      ED55C4D79FD5F24D6613C31C3839A2DDF8A9A276
        
      Seed_ab_384 for brainpoolP384r1:
      BCFBFA1C877C56284DAB79CD4C2B3293D20E9E5E
        
      Seed_ab_512 for brainpoolP512r1:
      AF02AC60ACC93ED874422A52ECB238FEEE5AB6AD
        

These seeds have been obtained as the first 7 substrings of 160-bit length each of R = floor(e*2^1120), where e denotes the constant 2.71828..., also known as Euler's number, i.e.,

R = Seed_ab_160||Seed_ab_192||...||Seed_ab_512||Remainder, where || denotes concatenation.

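Both seed lists in this appendix (Seed_p_* cut from Pi, Seed_ab_* cut from e) can be recomputed by anyone, which is what lets a verifier confirm that no seed was chosen with a hidden purpose. The following added example (not code from the RFC) does exactly that with integer-only fixed-point arithmetic; it assumes, as the listed values confirm, that the seeds are consecutive 40-hex-digit blocks of the hexadecimal expansion, integer part first.

```python
GUARD_BITS = 64  # extra precision so series truncation never disturbs bit 1120


def arctan_inv(x: int, scale: int) -> int:
    """Fixed-point arctan(1/x) * scale via the alternating Gregory series."""
    total = term = scale // x
    x2, n, sign = x * x, 1, -1
    while term:
        term //= x2           # next odd power 1/x^(n+2)
        n += 2
        total += sign * (term // n)
        sign = -sign
    return total


def pi_floor_scaled(bits: int) -> int:
    """floor(Pi * 2^bits) using Machin's formula Pi = 16*atan(1/5) - 4*atan(1/239)."""
    scale = 1 << (bits + GUARD_BITS)
    pi_fixed = 16 * arctan_inv(5, scale) - 4 * arctan_inv(239, scale)
    return pi_fixed >> GUARD_BITS


def e_floor_scaled(bits: int) -> int:
    """floor(e * 2^bits) from the series e = sum over k >= 0 of 1/k!."""
    scale = 1 << (bits + GUARD_BITS)
    total = term = scale      # the k = 0 term
    k = 1
    while term:
        term //= k            # 1/k! from 1/(k-1)!
        total += term
        k += 1
    return total >> GUARD_BITS


def split_seeds(q: int, count: int = 7, seed_bits: int = 160) -> tuple:
    """Cut the hex expansion of q into `count` seeds of seed_bits each and return
    (seeds, remainder).  Slicing the hex string (not the bit string) reproduces
    the alignment of the listed seeds: the first one starts with the integer part,
    '3' for Pi and '2' for e."""
    digits = format(q, "X")
    width = seed_bits // 4
    seeds = [digits[i * width:(i + 1) * width] for i in range(count)]
    return seeds, digits[count * width:]


def brainpool_seeds() -> dict:
    """Seed_p_L (from Pi) and Seed_ab_L (from e) for the seven Brainpool bit lengths."""
    sizes = (160, 192, 224, 256, 320, 384, 512)
    p_seeds, _ = split_seeds(pi_floor_scaled(1120))
    ab_seeds, _ = split_seeds(e_floor_scaled(1120))
    return {**{f"Seed_p_{L}": s for L, s in zip(sizes, p_seeds)},
            **{f"Seed_ab_{L}": s for L, s in zip(sizes, ab_seeds)}}
```

Each expansion has 281 hex digits, so the "Remainder" in the text is the single trailing digit after the seven seeds.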

Authors' Addresses

   Manfred Lochter
   Bundesamt fuer Sicherheit in der Informationstechnik (BSI)
   Postfach 200363
   53133 Bonn
   Germany

   Phone: +49 228 9582 5643
   EMail: manfred.lochter@bsi.bund.de
        

   Johannes Merkle
   secunet Security Networks
   Mergenthaler Allee 77
   65760 Eschborn
   Germany

   Phone: +49 201 5454 2021
   EMail: johannes.merkle@secunet.com
        