Naming Elliptic Curves Used in Cryptography
Learn more about cryptography and naming elliptic curves.
Join the DZone community and get the full member experience.
Join For FreeThere is an infinite number of elliptic curves, but a small number are used in cryptography, and these special curves have names. Apparently, there are no hard and fast rules for how the names are chosen, but there are patterns.
The named elliptic curves are over a prime field, i.e. a finite field, with a prime number of elements p. The number of points on the elliptic curve is on the order of p [1].
The curve names usually contain a number, which is the number of bits in the binary representation of p. Let’s see how that plays out with a few named elliptic curves.
| Curve name | Bits in p |
|---|---|
| ANSSI FRP256v1 | 256 |
| BN(2, 254) | 254 |
| brainpoolP256t1 | 256 |
| Curve1174 | 251 |
| Curve25519 | 255 |
| Curve383187 | 383 |
| E-222 | 222 |
| E-382 | 382 |
| E-521 | 521 |
| Ed448-Goldilocks | 448 |
| M-211 | 221 |
| M-383 | 383 |
| M-511 | 511 |
| NIST P-224 | 224 |
| NIST P-256 | 256 |
| secp256k1 | 256 |
In Curve25519, p = 2 255 - 19 and in Curve 383187, p = 2 383 - 187. Here, the number of bits in p is part of the name but another number is stuck on.
The only mystery on the list is Curve1174 where p has 251 bits. The equation for the curve is:
x² + y² = 1 – 1174 x²y²
And so, the 1174 in the name comes from a coefficient rather than from the number of bits in p.
Edwards Curves
The equation for Curve1174 doesn't look like an elliptic curve. It doesn't have the familiar (Weierstrass) form:
y² = x³ + ax + b
It is an example of an Edwards curve, named after Harold Edwards. So are all the curves above whose names start with "E". These curves have the form
x² + y² = 1 + dx² y².
where d is not 0 or 1. So, some Edwards curves are named after their d parameter and some are named after the number of bits in p.
It's not obvious that an Edwards curve can be changed into Weierstrass form, but apparently, it's possible; this paper goes into the details.
The advantage of Edwards curves is that the elliptic curve group addition has a simple, convenient form. Also, when d is not a square in the underlying field, there are no exceptional points to consider for group addition.
Is d = -1174 a square in the field underlying Curve1174? For that curve, p = 2 251 - 9, and we can use the Jacobi symbol code from earlier this week to show that d is not a square.
p = 2**251 - 9
d = p-1174
print(jacobi(d, p))This prints -1, indicating that d is not a square. Note that we set d to p - 1174 rather than -1174 because our code assumes the first argument is positive, and -1174 and p - 1174 are equivalent mod p.
[1] It is difficult to compute the exact number of points on an elliptic curve over a prime field. However, the number is roughly p ± 2√ p. More precisely, Hasse's theorem says
Published at DZone with permission of John Cook, DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.
Comments