Elliptic-curve cryptography
=== Domain parameters ===
To use ECC, all parties must agree on all the elements defining the elliptic curve, that is, the ''domain parameters'' of the scheme. The size of the field used is typically either prime (and denoted as ''p'') or a power of two (<math>2^m</math>); the latter case is called ''the binary case'', and it necessitates the choice of an auxiliary curve denoted by ''f''. Thus the field is defined by ''p'' in the prime case and by the pair of ''m'' and ''f''<!--m and f are no longer defined before this in this article, except by me, and I don't know what I'm talking about--> in the binary case. The elliptic curve is defined by the constants ''a'' and ''b'' used in its defining equation. Finally, the cyclic subgroup is defined by its [[Generating set of a group|generator]] (a.k.a. ''base point'') ''G''. For cryptographic application, the [[order (group theory)|order]] of ''G'', that is, the smallest positive number ''n'' such that <math>n G = \mathcal{O}</math> (the [[point at infinity]] of the curve, and the [[identity element]]), is normally prime. Since ''n'' is the size of a subgroup of <math>E(\mathbb{F}_p)</math>, it follows from [[Lagrange's theorem (group theory)|Lagrange's theorem]] that the number <math>h = \frac{1}{n}|E(\mathbb{F}_p)|</math> is an integer. In cryptographic applications, this number ''h'', called the ''cofactor'', must be small (<math>h \le 4</math>) and, preferably, <math>h = 1</math>. To summarize: in the prime case, the domain parameters are <math>(p,a,b,G,n,h)</math>; in the binary case, they are <math>(m,f,a,b,G,n,h)</math>.

Unless there is an assurance that the domain parameters were generated by a party trusted with respect to their use, the domain parameters ''must'' be validated before use.<!--TBD: validation procedure--> The generation of domain parameters is not usually done by each participant, because this involves computing [[counting points on elliptic curves|the number of points on a curve]], which is time-consuming and troublesome to implement. As a result, several standards bodies have published domain parameters of elliptic curves for several common field sizes. Such domain parameters are commonly known as "standard curves" or "named curves"; a named curve can be referenced either by name or by the unique [[object identifier]] defined in the standard documents:
* [[NIST]], [https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf Recommended Elliptic Curves for Government Use]
* [[SECG]], [http://www.secg.org/sec2-v2.pdf SEC 2: Recommended Elliptic Curve Domain Parameters]
* ECC Brainpool ({{IETF RFC|5639}}), [http://www.ecc-brainpool.org/download/Domain-parameters.pdf ECC Brainpool Standard Curves and Curve Generation]<ref>{{Webarchive|url=https://web.archive.org/web/20180417212206/http://www.ecc-brainpool.org/download/Domain-parameters.pdf |date=2018-04-17 }}</ref><ref>{{cite press release|url=https://www.secunet.com/en/about-us/news-events/article/elliptic-curve-cryptography-made-in-germany-1#:~:text=In%20contrast%2C%20the%20Brainpool%20curves,and%20from%20Euler's%20number%20e.|title=Elliptic Curve Cryptography "Made in Germany"|date=2014-06-25}}</ref>

SECG test vectors are also available.<ref>{{cite web |url=http://www.secg.org/download/aid-390/gec2.pdf |title=GEC 2: Test Vectors for SEC 1 |website=www.secg.org |format=PDF download |archive-url=https://web.archive.org/web/20130606004254/http://www.secg.org/download/aid-390/gec2.pdf |archive-date=2013-06-06}}</ref> NIST has approved many SECG curves, so there is a significant overlap between the specifications published by NIST and SECG. EC domain parameters may be specified either by value or by name.

If, despite the preceding admonition, one decides to construct one's own domain parameters, one should select the underlying field and then use one of the following methods to find a curve with an appropriate (i.e., near-prime) number of points:
* Select a random curve and use a general point-counting algorithm, for example, [[Schoof's algorithm]] or the [[Schoof–Elkies–Atkin algorithm]],
* Select a random curve from a family which allows easy calculation of the number of points (e.g., [[Koblitz curve]]s), or
* Select the number of points and generate a curve with this number of points using the ''complex multiplication'' technique.<ref>{{Cite book |series=Lecture Notes in Computer Science |volume=877 |pages=250–263 |doi=10.1007/3-540-58691-1_64 |isbn=978-3-540-58691-3 |chapter=Constructing elliptic curves with given group order over large finite fields |title=Algorithmic Number Theory |year=1994 |last1=Lay |first1=Georg-Johann |last2=Zimmer |first2=Horst G. }}</ref>

Several classes of curves are weak and should be avoided:
* Curves over <math>\mathbb{F}_{2^m}</math> with non-prime ''m'' are vulnerable to [[Weil descent]] attacks.<ref>{{cite book |first1=S. D. |last1=Galbraith |first2=N. P. |last2=Smart |s2cid=15134380 |title=A cryptographic application of the Weil descent |year=1999 |series=Lecture Notes in Computer Science |volume=1746 |pages=799 |doi=10.1007/3-540-46665-7_23 |chapter=A Cryptographic Application of Weil Descent |isbn=978-3-540-66887-9 }}</ref><ref>{{cite web |first1=P. |last1=Gaudry |first2=F. |last2=Hess |first3=N. P. |last3=Smart |url=http://www.hpl.hp.com/techreports/2000/HPL-2000-10.pdf |title=Constructive and destructive facets of Weil descent on elliptic curves |work=Hewlett Packard Laboratories Technical Report |year=2000 |access-date=2006-01-02 |archive-date=2006-12-06 |archive-url=https://web.archive.org/web/20061206133559/http://hpl.hp.com/techreports/2000/HPL-2000-10.pdf |url-status=dead }}</ref>
* Curves such that ''n'' divides <math>p^B-1</math> (where ''p'' is the characteristic of the field: ''q'' for a prime field, or <math>2</math> for a binary field) for sufficiently small ''B'' are vulnerable to the Menezes–Okamoto–Vanstone (MOV) attack,<ref>{{cite journal |first1=A. |last1=Menezes |first2=T. |last2=Okamoto |first3=S. A. |last3=Vanstone |title=Reducing elliptic curve logarithms to logarithms in a finite field |journal=IEEE Transactions on Information Theory |volume=39 |issue=5 |year=1993 | doi = 10.1109/18.259647 |pages=1639–1646}}</ref><ref>{{cite journal |first=L. |last=Hitt |url=http://eprint.iacr.org/2006/415 |title=On an Improved Definition of Embedding Degree |journal=IACR ePrint Report |year=2006 |volume=415 }}</ref> which applies the usual [[discrete logarithm problem]] (DLP) in a small-degree extension field of <math>\mathbb{F}_p</math> to solve the ECDLP. The bound ''B'' should be chosen so that [[discrete logarithm]]s in the field <math>\mathbb{F}_{p^B}</math> are at least as difficult to compute as discrete logs on the elliptic curve <math>E(\mathbb{F}_q)</math>.<ref>IEEE [http://grouper.ieee.org/groups/1363/P1363/index.html P1363] {{Webarchive|url=https://web.archive.org/web/20070213061138/http://grouper.ieee.org/groups/1363/P1363/index.html |date=2007-02-13 }}, section A.12.1</ref>
* Curves such that <math>|E(\mathbb{F}_q)| = q</math> are vulnerable to the attack that maps the points on the curve to the additive group of <math>\mathbb{F}_q</math>.<ref>{{cite journal |first=I. |last=Semaev |title=Evaluation of discrete logarithm in a group of ''p''-torsion points of an elliptic curve in characteristic ''p'' |journal=Mathematics of Computation |volume=67 |issue=221 |year=1998 |pages=353–356 |doi=10.1090/S0025-5718-98-00887-4 |bibcode=1998MaCom..67..353S |doi-access=free }}</ref><ref>{{cite journal |first=N. |last=Smart |title=The discrete logarithm problem on elliptic curves of trace one |journal=Journal of Cryptology |volume=12 |year=1999 |issue=3 |pages=193–196 |doi=10.1007/s001459900052 |url=http://www.hpl.hp.com/techreports/97/HPL-97-128.ps |citeseerx=10.1.1.17.1880 |s2cid=24368962 }}</ref><ref>{{cite journal |first1=T. |last1=Satoh |first2=K. |last2=Araki |title=Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves |journal=Commentarii Mathematici Universitatis Sancti Pauli |volume=47 |year=1998 }}</ref>
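The section above names the prime-case parameters <math>(p,a,b,G,n,h)</math>, derives the cofactor ''h'' from the group order, and lists the curve classes a validator has to reject. The following Python block is an added example, not code from the Wikipedia article or from any standards body. It implements prime-field point arithmetic, counts the points of a constructed toy curve (''y''<sup>2</sup> = ''x''<sup>3</sup> + ''x'' + 1 over <math>\mathbb{F}_{23}</math>, which has 28 points, so ''n'' = 7 and ''h'' = 4) to show where ''h'' comes from, and then runs a domain-parameter validation routine covering the checks described in the text: a non-singular curve, ''G'' on the curve, prime ''n'' with <math>nG = \mathcal{O}</math>, <math>h \le 4</math>, ''nh'' inside the Hasse interval, the anomalous case <math>|E(\mathbb{F}_p)| = p</math>, and the MOV condition ''n'' | ''p''<sup>''B''</sup> − 1. The MOV bound of 20 is an assumed value chosen for the example; the standards fix their own ''B''. The secp256k1 constants are the published SEC 2 values. The toy curve is deliberately instructive: every other check passes, but 7 divides 23<sup>3</sup> − 1, so the validator flags it as MOV-weak with embedding degree 3.

```python
# Added example, not code from the Wikipedia article or any standard: prime-field curve
# arithmetic, brute-force point counting for a toy curve, and a domain-parameter validator.
import random

# y^2 = x^3 + a*x + b over F_p in affine coordinates; None stands for the point at infinity O.
def on_curve(P, p, a, b):
    if P is None:
        return True
    x, y = P
    return 0 <= x < p and 0 <= y < p and (y * y - (x ** 3 + a * x + b)) % p == 0

def point_add(P, Q, p, a):
    if P is None or Q is None:
        return P or Q                                        # O is the identity
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                          # P + (-P) = O
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p     # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p            # chord slope (addition)
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def scalar_mult(k, P, p, a):
    """k*P by double-and-add (no side-channel hardening; illustration only)."""
    R = None
    while k > 0:
        if k & 1:
            R = point_add(R, P, p, a)
        P = point_add(P, P, p, a)
        k >>= 1
    return R

def count_points(p, a, b):
    """|E(F_p)| by exhaustive search, feasible only for toy p (Schoof/SEA are used in practice)."""
    total = 1                                       # the point at infinity
    for x in range(p):
        rhs = (x ** 3 + a * x + b) % p
        if rhs == 0:
            total += 1                              # a single point with y = 0
        elif pow(rhs, (p - 1) // 2, p) == 1:        # Euler's criterion: rhs is a nonzero square
            total += 2                              # (x, y) and (x, -y)
    return total

def is_probable_prime(m, rounds=32):
    """Miller-Rabin with random bases (error probability at most 4^-rounds)."""
    if m < 4 or m % 2 == 0:
        return m in (2, 3)
    d, s = m - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, m - 1), d, m)
        if x in (1, m - 1):
            continue
        for _ in range(s - 1):
            x = x * x % m
            if x == m - 1:
                break
        else:
            return False
    return True

def validate_domain_parameters(p, a, b, G, n, h, mov_bound=20):
    """Return the failed checks for (p, a, b, G, n, h); an empty list means the parameters pass.
    mov_bound (the B of the text) is a constructed value for this example, not a standard's."""
    failures = []
    if not is_probable_prime(p):
        return ["p is not prime"]
    if (4 * a ** 3 + 27 * b ** 2) % p == 0:
        failures.append("curve is singular (4a^3 + 27b^2 = 0 mod p)")
    if G is None or not on_curve(G, p, a, b):
        failures.append("G is not a point on the curve")
    elif scalar_mult(n, G, p, a) is not None:
        failures.append("n*G != O, so n is not the order of G")
    if not is_probable_prime(n):
        failures.append("n is not prime")
    if h > 4:
        failures.append("cofactor h > 4")
    if (n * h - (p + 1)) ** 2 > 4 * p:
        failures.append("n*h is outside the Hasse interval, so n or h is wrong")
    if n * h == p:
        failures.append("anomalous curve (|E(F_p)| = p): reducible to the additive group of F_p")
    for B in range(1, mov_bound + 1):
        if pow(p, B, n) == 1:                        # n | p^B - 1
            failures.append("MOV: n divides p^%d - 1 (embedding degree %d)" % (B, B))
            break
    return failures

# Constructed toy curve y^2 = x^3 + x + 1 over F_23: 28 points, so n = 7 and h = 4;
# G = 4*(0, 1) = (13, 16) has order 7.
TOY = dict(p=23, a=1, b=1, G=(13, 16), n=7, h=4)
# Published SEC 2 parameters of secp256k1 (h = 1), far too large for count_points.
SECP256K1 = dict(
    p=2**256 - 2**32 - 977, a=0, b=7,
    G=(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
       0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8),
    n=0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141, h=1)
```

Calling `validate_domain_parameters(**TOY)` returns the single MOV failure, and `validate_domain_parameters(**SECP256K1)` returns an empty list. The validator takes the claimed ''n'' and ''h'' and cross-checks them (Hasse interval, <math>nG = \mathcal{O}</math>) instead of recounting points, which is the only workable approach at 256-bit sizes; `count_points` exists only so that the toy cofactor can be seen to come out of <math>|E(\mathbb{F}_{23})| / n = 28 / 7</math>.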