The various elliptic curves used in ellitpic curve cryptography (ECC) have different properties, and we’ve looked at several of them before. For example, Curve25519 is implemented very efficiently, and the parameters were transparently chosen. Curve1174 is interesting because it’s an Edwards curve and has a special addition formula.
This post looks at curve P-384. What’s special about this curve? It’s the elliptic curve that the NSA recommends everyone use until post-quantum methods have been standardized. Do they want everyone to use this method because they know how to get around it? Possibly, but they have reasons to recommend methods that they believe foreign governments cannot break.
The equation of the P-384 curve is
y² = x³ + ax + b
working over the field of integers modulo a prime p. We will go into each of the specific parameters a, b, and p, and discuss how they were chosen.
Consisting with the naming conventions for elliptic curves used in cryptography, the name “P-384” tells you that the curve is over a prime field where the prime is a 384-bit integer. Specifically, the order of the field is
p = 2384 – 2128 – 296 + 232 – 1
For a given number of bits, in this case 384, you want to pick a prime that’s relatively near the maximum size for that number of bits. In our case, our prime p is a prime near 2384 with a convenient bit pattern.
Hasse’s theorem says that the number of points on a curve modulo a large prime is on the order of magnitude equal to the prime, so P-384 contains approximately 2384 points. In fact, the number of points n on the curve is
or approximately 2384 – 2190. The number n is a prime, and so it is the order of P-384 as a group.
Linear coefficient a
According to a footnote in the standard defining P-384, FIPS PUB 186-4,
The selection a ≡ -3 for the coefficient of x was made for reasons of efficiency; see IEEE Std 1363-2000.
Constant coefficient b
The curve P-384 has Weierstrass form
y² = x³ – 3x + b
where b is
The parameter b is between 2383 and 2384 but doesn’t have any particular binary pattern:
The specification says that b was chosen at random. How can you convince someone that you chose a parameter at random?
The standard gives a 160-bit seed s, and a hash-based algorithm that s was run through to create a 384-bit parameter c. Then b is the solution to
b² c = -27 mod p.
The algorithm going from the s to c is given in Appendix D.6 and is a sort of key-stretching algorithm. The standard cites ANS X9.62 and IEEE Standard 1363-2000 as the source of the algorithm.
If b was designed to have a back door, presumably a tremendous amount of computation had to go into reverse engineering the seed s.