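import React from "react";
import Entry from "../../components/entry";
import { Styled } from "theme-ui";
import Link from "../../components/Link";
import Pseudocode from "../../components/Pseudocode";
import { InlineMath } from "react-katex";

/**
 * Page component describing how the Brainpool elliptic-curve domain
 * parameters are generated ("verifiably random" primes and curves).
 *
 * It defines three LaTeX pseudocode listings (UpdateSeed, prime generation,
 * curve generation) and returns the page content.
 *
 * NOTE(review): the element markup of the returned tree is not present in
 * this copy of the file; only its text content and the `{" "}` spacers
 * survive. Nothing below reconstructs it.
 *
 * @param {object} props
 * @param {*} props.data - not referenced in the visible body; presumably
 *   forwarded to the Entry layout. TODO confirm.
 * @param {*} props.location - same caveat as `data`.
 */
export default ({ data, location }) => {
  // Every LaTeX command is written with a doubled backslash: inside a
  // template literal `\\` is the escape for one literal backslash, so the
  // string holds `\begin{algorithm}` and so on.

  // UpdateSeed: read the seed s as an integer z and return (z + 1) mod 2^160
  // as a bit string. The other procedures call it whenever a candidate is
  // rejected, so the seed sequence is a plain counter and anyone holding the
  // published seed can replay the whole search.
  const rfcCodeCommon = ` \\begin{algorithm} \\caption{RFC5639 UpdateSeed} \\begin{algorithmic} \\PROCEDURE{UpdateSeed}{$s$} \\STATE Convert $s$ to an integer $z$ \\STATE Convert $(z+1) \\mod 2^{160}$ to a bit string $t$ \\RETURN $t$ \\ENDPROCEDURE \\end{algorithmic} \\end{algorithm} `;

  // GeneratePrime / FindInteger: FindInteger expands the 160-bit seed to L
  // bits by concatenating the w rightmost bits of SHA-1(s) with SHA-1 of
  // the v following counter values; GeneratePrime takes the smallest prime
  // p >= c with p = 3 (mod 4) and accepts it only if it has exactly L bits.
  // SHA-1 is part of the listed procedure, so replaying the derivation to
  // check published parameters has to use SHA-1 as written.
  // NOTE(review): the `goto` targets here and in the curve listing are bare
  // numbers; presumably they are the line numbers rendered by the Pseudocode
  // component. Re-check them after any edit that adds or removes a line.
  const rfcCodePrimes = ` \\begin{algorithm} \\caption{RFC5639 Verifiably Random Primes} \\begin{algorithmic} \\INPUT bit size $L$ of the required prime \\INPUT 160 bit-string seed $s$ \\PROCEDURE{GeneratePrime}{$s$} \\STATE Let $c = $ \\CALL{FindInteger}{$s$} \\STATE Let $p$ be the smallest prime $p \\ge c$ with $p \\equiv 3 \\mod 4$ \\IF{$2^{L-1} \\le p \\le 2^L - 1$} \\RETURN $p$ \\ENDIF \\STATE Let $s = $ \\CALL{UpdateSeed}{$s$} and \\textbf{goto} $2$ \\ENDPROCEDURE \\PROCEDURE{FindInteger}{$s$} \\STATE Let $v = \\lfloor (L-1) / 160 \\rfloor$ and $w = L - 160v$ \\STATE Compute $h = \\text{SHA-1}(s)$ \\STATE Let $h_0$ be the bit string obtained by taking the $w$ rightmost bits of $h$ \\STATE Convert $s$ to an integer $z$ \\FOR{$i = 1$ \\textbf{to} $v$} \\STATE Let $z_i = (z + i) \\mod 2^{160}$ \\STATE Convert $z_i$ to bit-string $s_i$ \\STATE Let $h_i = \\text{SHA-1}(s_i)$ \\ENDFOR \\STATE Let $h$ be the string obtained by the concatenation of $h_0 , \\ldots , h_v$ from left to right \\STATE Convert $h$ to an integer $x$ \\RETURN $x$ \\ENDPROCEDURE \\end{algorithmic} \\end{algorithm} `;

  // GenerateCurve / FindInteger2: derives A, then B, then the scalar k for
  // the base point G = [k]P, each from a fresh UpdateSeed value.
  // FindInteger2 differs from FindInteger only in w = L - 160v - 1, i.e. it
  // yields one bit fewer than L.
  // Fix: the UpdateSeed call in the discriminant branch
  // (4*A^3 + 27*B^2 = 0 mod p) passed `{s}` outside math mode; it now uses
  // `{$s$}` like every other call in these listings.
  // NOTE(review): the step "Check that the elliptic curve ... fulfills all
  // security and functional requirements" has no failure branch in this
  // transcription. As I recall RFC 5639, a failed check updates the seed and
  // restarts the procedure; confirm against the RFC text before relying on
  // this listing, and mind the goto numbering if a line is added.
  const rfcCodeCurves = ` \\begin{algorithm} \\caption{RFC5639 Verifiably Random Curves $\\mathbb{F}_p$} \\begin{algorithmic} \\INPUT prime field size $p$ of bit-length $L$ \\INPUT 160 bit-string seed $s$ \\OUTPUT field elements $A, B \\in \\mathbb{F}_p$ which define an elliptic curve $\\mathcal{E}$ \\OUTPUT generator $G$ of the 
elliptic curve $\\mathcal{E}$ \\PROCEDURE{GenerateCurve}{$p, s$} \\STATE Let $h = $ \\CALL{FindInteger2}{$s$} \\STATE Convert $h$ to an integer $A$ \\IF{$-3 \\equiv A*Z^4 \\mod p$ is not solvable} \\STATE Let $s = $ \\CALL{UpdateSeed}{$s$} and \\textbf{goto} $2$ \\ENDIF \\STATE Compute one solution $Z$ of $-3 \\equiv A*Z^4 \\mod p$ \\STATE Let $s = $ \\CALL{UpdateSeed}{$s$} \\STATE Let $B = $ \\CALL{FindInteger2}{$s$} \\IF{$B$ is a square $\\mod p$} \\STATE Let $s = $ \\CALL{UpdateSeed}{$s$} and \\textbf{goto} $8$ \\ENDIF \\IF{$4*A^3 + 27*B^2 \\equiv 0 \\mod p$} \\STATE Let $s = $ \\CALL{UpdateSeed}{$s$} and \\textbf{goto} $2$ \\ENDIF \\STATE Check that the elliptic curve $\\mathcal{E}$ over $\\mathbb{F}_p$ given by $y^2 = x^3 + A x + B$ fulfills all security and functional requirements \\STATE Let $s = $ \\CALL{UpdateSeed}{$s$} \\STATE Let $k = $ \\CALL{FindInteger2}{$s$} \\STATE Determine the points $Q$ and $-Q$ having the smallest x-coordinate on $\\mathcal{E}(\\mathbb{F}_p)$. Randomly select one of them as point $P$ \\STATE Compute the base point $G = [k]P$. 
\\RETURN ($A, B, G$) \\ENDPROCEDURE \\PROCEDURE{FindInteger2}{$s$} \\STATE Let $v = \\lfloor (L-1) / 160 \\rfloor$ and $w = L - 160v - 1$ \\STATE Compute $h = \\text{SHA-1}(s)$ \\STATE Let $h_0$ be the bit string obtained by taking the $w$ rightmost bits of $h$ \\STATE Convert $s$ to an integer $z$ \\FOR{$i = 1$ \\textbf{to} $v$} \\STATE Let $z_i = (z + i) \\mod 2^{160}$ \\STATE Convert $z_i$ to bit-string $s_i$ \\STATE Let $h_i = \\text{SHA-1}(s_i)$ \\ENDFOR \\STATE Let $h$ be the string obtained by the concatenation of $h_0 , \\ldots , h_v$ from left to right \\STATE Convert $h$ to an integer $x$ \\RETURN $x$ \\ENDPROCEDURE \\end{algorithmic} \\end{algorithm}`;

  return (
    Brainpool Technical requirements Security requirements Original method
    Brainpool published their method of generating verifiably random curves in the ECC Brainpool Standard Curves and Curve Generation{" "} [1] document, along with generated domain parameters claimed to be generated using the presented method and seeds.
    However, the presented curves were (with the exception of the 512-bit curves) not generated using the presented method, as they have properties that can not result from the presented method of generating curves.
    See the BADA55 paper{" "} [3] for more information.
    RFC 5639 method
    Brainpool published an RFC with their fixed method of generating verifiably random curves and generated curves in RFC 5639{" "} [2], which matches the generated curves and seeds.


Generating primes


Generating curves


References
  1. Manfred Lochter:{" "} ECC Brainpool Standard Curves and Curve Generation v. 1.0 ,{" "} [archive]
  2. Manfred Lochter, Johannes Merkle:{" "} Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation (RFC5639)
  3. BADA55 Research Team:{" "} BADA55 Crypto - Brainpool curves
  );
};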