IEEE P1363: Standard Specifications For Public Key Cryptography
Submissions for revised standard
- A proposal of ESIGN-PSS to IEEE P1363 (.pdf), NTT Information Sharing
Platform Laboratories, August 24 2006. Included in D1-pre.
- A proposal of PSEC-KEM to IEEE P1363 (.pdf), NTT Information Sharing
Platform Laboratories, August 24 2006. Included in D1-pre.
- Use of the RSA-KEM Key Transport Algorithm in CMS (.doc), RSA Labs,
July 2006. Included in D1-pre.
- HMQV in IEEE P1363
(.pdf), Hugo Krawczyk, IBM. Included in D1-pre.
- Updated standards for validating
elliptic curves, Laura Hitt, University of Texas.
We give a concise statement of a test for security of elliptic curves that
should be inserted into the standards for elliptic curve cryptography. In
particular, current validation for parameters related to the MOV condition
that appears in the latest draft of the IEEE P1363 standard [3, Section
A.12.1, Section A.16.8] should be replaced with our subfield-adjusted MOV
condition. Similarly, the Standards for Efficient Cryptography Group’s
document SEC 1 [4] should make adjustments accordingly.
Included in D1-pre.
Supporting documentation
- Letter from Hugo Krawczyk re HMQV, 2008-07-28 (.pdf)
- On the Minimal Embedding
Field, Laura Hitt, University of Texas.
Let $C$ be a curve of genus $g$, defined over a finite field
$\mathbb{F}_q$, where $q = p^m$ for a prime $p$. Let $N$ be a
large integer coprime to $p$, dividing the order of the Jacobian
variety associated to $C$. Pairings can transport the discrete
logarithm problem (DLP) from the curve to a finite field where
there are more efficient methods for solving the discrete logarithm.
The embedding degree is defined to be the smallest positive integer
$k$ such that $N$ divides $q^k - 1$. We show that the minimal
embedding field is not necessarily $\mathbb{F}_{q^k}$, as is
traditionally understood, but rather is
$\mathbb{F}_{p^{\mathrm{ord}_N p}} = \mathbb{F}_{q^{\mathrm{ord}_N p / m}}$,
which can be a field of significantly
smaller size. This fact reveals that attacks on the DLP can be
dramatically faster than otherwise expected, so a parameter
separate from the embedding degree $k$ needs to be used to indicate
security.
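
The gap described in this abstract can be checked numerically. The following is an added example, not code from the paper or from the P1363 drafts: it computes the embedding degree k and ord_N(p) for given (p, m, N) and compares the size of F_{q^k} with the size of F_{p^{ord_N p}} against a minimum field size. The function names, the `min_field_bits` threshold and the sample parameters are assumptions constructed for illustration (toy sizes, not tied to a real curve), and the check is not the wording of the proposed subfield-adjusted MOV condition.

```python
from math import gcd


def mult_order(a, n):
    """Smallest t >= 1 with a**t == 1 (mod n). Brute force, for small n only."""
    if n < 2 or gcd(a, n) != 1:
        raise ValueError("need n >= 2 and gcd(a, n) == 1")
    t, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        t += 1
    return t


def embedding_report(p, m, N, min_field_bits):
    """Compare the traditionally assumed field F_{q^k} with F_{p^{ord_N p}}.

    p, m           : field characteristic and extension degree, q = p**m
    N              : subgroup order, coprime to p
    min_field_bits : hypothetical validation threshold (an assumption)
    """
    q = p ** m
    k = mult_order(q, N)       # embedding degree: smallest k with N | q^k - 1
    ord_p = mult_order(p, N)   # ord_N(p): smallest d with N | p^d - 1
    # Bit length of the largest element index in each field.
    traditional_bits = (p ** (m * k) - 1).bit_length()   # F_{q^k}
    minimal_bits = (p ** ord_p - 1).bit_length()         # F_{p^{ord_N p}}
    return {
        "k": k,
        "ord_p": ord_p,
        "traditional_bits": traditional_bits,
        "minimal_bits": minimal_bits,
        "passes_traditional": traditional_bits >= min_field_bits,
        "passes_minimal": minimal_bits >= min_field_bits,
    }


if __name__ == "__main__":
    # Constructed toy parameters: p = 2, m = 5, N = 2**13 - 1 (prime).
    # gcd(ord_N(p), m) = 1, so F_{q^k} overstates the field size by a factor m.
    print(embedding_report(2, 5, 8191, min_field_bits=64))
    # Same N with m = 13: m divides ord_N(p), and both fields coincide.
    print(embedding_report(2, 13, 8191, min_field_bits=13))
```

In the first case a check based on k alone accepts the parameters while the check on ord_N(p) rejects them, which is the situation the abstract warns about.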