[Share] Recommended cryptography resources
Posted on: 2011-3-2 15:39  11986

1. FIPS site: http://www.itl.nist.gov/fipspubs/
You can find the specifications of the various cryptographic algorithms and protocols there, e.g. AES/DES/ECC/RSA/SHA, all free of charge;

2. SEC site: http://www.secg.org/
You can find the SEC ECC specifications there;

3. Site of the Chinese State Cryptography Administration (OSCCA): http://www.oscca.gov.cn
SM2 (an ECC algorithm) and SM3 (a hash algorithm) were published not long ago; the texts can probably still be downloaded;

4. Mathematics books related to cryptography that I personally consider classics:
《代数学》 (Algebra), Peking University Press, Mo Zongjian and Lan Yizhong;
《代数数理论讲义》 (Lectures on the Theory of Algebraic Numbers), by Hecke, translated by Wang Yuan;
《椭圆曲线密码学导论》 (An Introduction to Elliptic Curve Cryptography), translated by Zhang Huanguo.

Latest replies (15)
#2
Thanks!
Even X9.62-2005 "super ECC" (超ECC) has been published now...
Check whether the examples are right; why is the Gaussian normal basis one wrong?...

// GF(2^5) in Magma's default (polynomial-basis) representation
a := FiniteField(2,5);
// [a1,a2,a3,a4,a6] = [1,1,0,0,1]: y^2 + xy = x^3 + x^2 + 1
E := EllipticCurve([a!1,1,0,0,1]);
E;
Order(E);
Points(E);

a1 := FiniteField(2,5);
// Note: a1!11111 coerces the INTEGER 11111 into GF(2^5), i.e. 11111 mod 2 = 1;
// it is not read as a 5-bit coordinate vector. So this curve is y^2 + xy = x^3 + 1 (a2 = 0).
E1 := EllipticCurve([a1!11111,0,0,0,11111]);
E1;
Order(E1);
Points(E1);

Elliptic Curve defined by y^2 + x*y = x^3 + x^2 + 1 over GF(2^5)
22
{@ (0 : 1 : 0), (a.1^3 : a.1^15 : 1), (a.1^3 : a.1^26 : 1), (a.1^6 : a.1^21 :
1), (a.1^6 : a.1^30 : 1), (a.1^7 : a.1^8 : 1), (a.1^7 : a.1^25 : 1), (a.1^12 :
a.1^11 : 1), (a.1^12 : a.1^29 : 1), (a.1^14 : a.1^16 : 1), (a.1^14 : a.1^19 :
1), (a.1^17 : a.1^13 : 1), (a.1^17 : a.1^23 : 1), (a.1^19 : a.1^4 : 1), (a.1^19
: a.1^28 : 1), (a.1^24 : a.1^22 : 1), (a.1^24 : a.1^27 : 1), (a.1^25 : a.1^2 :
1), (a.1^25 : a.1^14 : 1), (a.1^28 : a.1 : 1), (a.1^28 : a.1^7 : 1), (0 : 1 : 1)
@}
Elliptic Curve defined by y^2 + x*y = x^3 + 1 over GF(2^5)
44
{@ (0 : 1 : 0), (1 : 0 : 1), (1 : 1 : 1), (a.1 : a.1^14 : 1), (a.1 : a.1^15 :
1), (a.1^2 : a.1^28 : 1), (a.1^2 : a.1^30 : 1), (a.1^4 : a.1^25 : 1), (a.1^4 :
a.1^29 : 1), (a.1^5 : a.1^9 : 1), (a.1^5 : a.1^15 : 1), (a.1^8 : a.1^19 : 1),
(a.1^8 : a.1^27 : 1), (a.1^9 : a.1^10 : 1), (a.1^9 : a.1^27 : 1), (a.1^10 :
a.1^18 : 1), (a.1^10 : a.1^30 : 1), (a.1^11 : a.1^15 : 1), (a.1^11 : a.1^21 :
1), (a.1^13 : a.1^22 : 1), (a.1^13 : a.1^29 : 1), (a.1^15 : a.1^19 : 1), (a.1^15
: a.1^25 : 1), (a.1^16 : a.1^7 : 1), (a.1^16 : a.1^23 : 1), (a.1^18 : a.1^20 :
1), (a.1^18 : a.1^23 : 1), (a.1^20 : a.1^5 : 1), (a.1^20 : a.1^29 : 1), (a.1^21
: a.1^23 : 1), (a.1^21 : a.1^26 : 1), (a.1^22 : a.1^11 : 1), (a.1^22 : a.1^30 :
1), (a.1^23 : a.1^25 : 1), (a.1^23 : a.1^28 : 1), (a.1^26 : a.1^13 : 1), (a.1^26
: a.1^27 : 1), (a.1^27 : a.1^14 : 1), (a.1^27 : a.1^28 : 1), (a.1^29 : a.1^7 :
1), (a.1^29 : a.1^14 : 1), (a.1^30 : a.1^7 : 1), (a.1^30 : a.1^19 : 1), (0 : 1 :
1) @}

The recommendation is just one P-256 curve... compare with NIST's:
Curve P-256
p = 115792089210356248762697446949407573530086143415290314195533631308867097853951
n = 115792089210356248762697446949407573529996955224135760342422259061068512044369
SEED = c49d360886e704936a6678e1139d26b7819f7e90
r = 7efba1662985be9403cb055c75d4f7e0ce8d84a9c5114abcaf3177680104fa0d
a = -3
b = 5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
Gx = 6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
Gy = 4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
h = 1
2011-3-2 17:07
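An added example (mine, not the poster's Magma session and not from any standard) that reproduces the two point counts in reply #2 in plain Python and checks the basis question. It assumes the polynomial basis x^5 + x^2 + 1 for GF(2^5) and that `11111` was meant as a five-bit coordinate vector. Two things fall out: in Magma, `a1!11111` coerces the integer 11111 into the field, which is 11111 mod 2 = 1, and in any normal basis (a Gaussian normal basis included) the all-ones coordinate vector is also the element 1. Under either reading a6 = 1, so the two curves differ only in a2 (the x^2 term), and since both have coefficients in GF(2) their orders do not depend on which basis is used.

```python
# Added example (not from the thread): brute-force point counts on the two
# GF(2^5) curves from reply #2, plus a check of what the all-ones coordinate
# vector means in a normal basis.  Pure Python, no Magma needed.
M = 5
POLY = 0b100101          # x^5 + x^2 + 1, irreducible over GF(2); polynomial basis


def gf_mul(a: int, b: int) -> int:
    """Multiply two GF(2^5) elements given as 5-bit polynomial-basis vectors."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> M) & 1:          # degree reached 5: reduce by the field polynomial
            a ^= POLY
    return r


def gf_pow3(x: int) -> int:
    return gf_mul(gf_mul(x, x), x)


def count_points(a2: int, a6: int) -> int:
    """#E(GF(2^5)) for E: y^2 + xy = x^3 + a2*x^2 + a6  (a1 = 1, a3 = a4 = 0)."""
    n = 1                                   # the point at infinity
    for x in range(1 << M):
        rhs = gf_pow3(x) ^ gf_mul(a2, gf_mul(x, x)) ^ a6
        for y in range(1 << M):
            if gf_mul(y, y) ^ gf_mul(x, y) == rhs:
                n += 1
    return n


def rank_gf2(vectors: list) -> int:
    """Rank over GF(2) of a list of bit-vectors (Gaussian elimination)."""
    rows = list(vectors)
    rank = 0
    for bit in reversed(range(M)):
        pivot = next((i for i in range(rank, len(rows)) if (rows[i] >> bit) & 1), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):
            if i != rank and (rows[i] >> bit) & 1:
                rows[i] ^= rows[rank]
        rank += 1
    return rank


def normal_basis() -> list:
    """A normal basis {beta, beta^2, beta^4, ..., beta^(2^(M-1))} of GF(2^5):
    the first beta whose Frobenius conjugates are linearly independent."""
    for beta in range(2, 1 << M):
        conj = [beta]
        for _ in range(M - 1):
            conj.append(gf_mul(conj[-1], conj[-1]))
        if rank_gf2(conj) == M:
            return conj
    raise RuntimeError("no normal element found")


def coordinates(elem: int, basis: list) -> tuple:
    """Coordinates of elem in the given basis, by trying all 2^M combinations."""
    for c in range(1 << M):
        acc = 0
        for i in range(M):
            if (c >> i) & 1:
                acc ^= basis[i]
        if acc == elem:
            return tuple((c >> i) & 1 for i in range(M))
    raise ValueError("element not in the span of the basis")


def coords_of_one_in_normal_basis() -> tuple:
    """Coordinate vector of the field element 1 in a normal basis (all ones)."""
    return coordinates(1, normal_basis())


if __name__ == "__main__":
    print("y^2 + xy = x^3 + x^2 + 1 :", count_points(1, 1))   # Magma above: 22
    print("y^2 + xy = x^3 + 1       :", count_points(0, 1))   # Magma above: 44
    print("1 in a normal basis      :", coords_of_one_in_normal_basis())
```

The last line is not special to GF(2^5): in any normal basis the conjugates of β sum to Tr(β), and Tr(β) must be 1, otherwise the basis vectors would be linearly dependent, so "11111" in a GNB is always the element 1.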
#3
NIST p = 115792089210356248762697446949407573530086143415290314195533631308867097853951
  = FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P-256: p = 2^256 − 2^224 + 2^192 + 2^96 − 1, a = −3, h = 1
NIST n = 115792089210356248762697446949407573529996955224135760342422259061068512044369
  = FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

A 256-bit elliptic curve over a prime field is recommended.
Elliptic curve equation: y^2 = x^3 + ax + b.
Curve parameters:
p = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00000000 FFFFFFFF FFFFFFFF
  = 115792089210356248756420345214020892766250353991924191454421193933289684991999 -----------> also a Mersenne-like (generalized Mersenne) number; they picked a big one. There are not many Mersenne-like 256-bit primes, so it should be possible to find it.
a = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00000000 FFFFFFFF FFFFFFFC = -3
b = 28E9FA9E 9D9F5E34 4D5A9E4B CF6509A7 F39789F5 15AB8F92 DDBCBD41 4D940E93
n = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF 7203DF6B 21C6052B 53BBF409 39D54123
Gx = 32C4AE2C 1F198119 5F990446 6A39C994 8FE30BBF F2660BE1 715A4589 334C74C7
Gy = BC3736A2 F4F6779C 59BDCEE3 6B692153 D0A9877C C62A4740 02DF32E5 2139F0A0

n = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF 7203DF6B 21C6052B 53BBF409 39D54123
  = 115792089210356248756420345214020892766061623724957744567843809356293439045923

// SM2 recommended curve over GF(p): y^2 = x^3 - 3x + b, with p and b given in decimal
S := FiniteField(115792089210356248756420345214020892766250353991924191454421193933289684991999);
E := EllipticCurve([S|0,0,0,-3,18505919022281880113072981827955639221458448578012075254857346196103069175443]);
E;
Order(E);      // should equal the published n
Points(E);     // fails: a set of ~2^256 points cannot be enumerated ("Cardinality of set is too large")

Elliptic Curve defined by y^2 = x^3 + 11579208921035624875642034521402089276625\
0353991924191454421193933289684991996*x +
18505919022281880113072981827955639221458448578012075254857346196103069175443
over GF(11579208921035624875642034521402089276625035399192419145442119393328968\
4991999)
115792089210356248756420345214020892766061623724957744567843809356293439045923
>> Points(E);
         ^
Runtime error in 'Points': Cardinality of set is too large
2011-3-2 17:18
#4
For fast reduction, some combination of plus and minus signs over the expression below should produce the recommended p:
2^256+2^224+2^192+2^160+2^128+2^96+2^64+2^32-1;

// SM2's p as a signed sum of powers of two: (2+1)(2^2+1)(2^4+1)(2^8+1)(2^16+1) = 2^32-1,
// so the last term is 2^64*(2^32-1)^2 = 2^128 - 2^97 + 2^64
p := 2^256-2^224-2^128+2^96-1+2^64*(2+1)^2*(2^2+1)^2*(2^4+1)^2*(2^8+1)^2*(2^16+1)^2;
p;
p mod 4;
Factorization(p-1);
Factorization(p+1);
Factorization(66013261729388519804782124120027-1);
M := (p-1) div 2;    // integer division (p-1 is even)
M;
Factorization(57896044605178124378210172607010446383125176995962095727210596966644842495999);

// Note: this value is the NIST P-256 group order n, not its field prime p
pN := 115792089210356248762697446949407573529996955224135760342422259061068512044369;

pN;
pN mod 4;
Factorization(pN-1);
Factorization(pN+1);
Factorization(2624747550333869278416773953-1);
V := (pN-1) div 2;
V;
Factorization(57896044605178124381348723474703786764998477612067880171211129530534256022184);
);

115792089210356248756420345214020892766250353991924191454421193933289684991999
3
[ <2, 1>, <43, 1>, <30223, 1>, <348253387243, 1>, <4641351449027, 1>,
<417514796639753, 1>, <66013261729388519804782124120027, 1> ]
[ <2, 64>, <3, 2>, <5, 3>, <11, 1>, <17, 2>, <31, 1>, <41, 1>, <257, 2>, <61681,
1>, <65537, 2>, <414721, 1>, <4278255361, 1>, <44479210368001, 1> ]
[ <2, 1>, <13, 1>, <1213, 1>, <71209, 1>, <6158099, 1>, <4773264379806847, 1> ]
57896044605178124378210172607010446383125176995962095727210596966644842495999
[ <43, 1>, <30223, 1>, <348253387243, 1>, <4641351449027, 1>, <417514796639753,
1>, <66013261729388519804782124120027, 1> ]
115792089210356248762697446949407573529996955224135760342422259061068512044369
1
[ <2, 4>, <3, 1>, <71, 1>, <131, 1>, <373, 1>, <3407, 1>, <17449, 1>, <38189,
1>, <187019741, 1>, <622491383, 1>, <1002328039319, 1>,
<2624747550333869278416773953, 1> ]
[ <2, 1>, <5, 1>, <1879, 1>, <176337611, 1>,
<34946779280882916835155272231706129710560967816144871596921775673, 1> ]
[ <2, 6>, <3, 2>, <1297, 1>, <16879, 1>, <208150935158385979, 1> ]
57896044605178124381348723474703786764998477612067880171211129530534256022184
[ <2, 3>, <3, 1>, <71, 1>, <131, 1>, <373, 1>, <3407, 1>, <17449, 1>, <38189,
1>, <187019741, 1>, <622491383, 1>, <1002328039319, 1>,
<2624747550333869278416773953, 1> ]
2011-3-2 18:34
#5
Found it... a super long Mersenne-like number?!
2^256-2^224-2^128+2^96-1+2^64*(2+1)^2*(2^2+1)^2*(2^4+1)^2*(2^8+1)^2*(2^16+1)^2 = P (the recommended SM2 p);

P := 115792089210356248756420345214020892766250353991924191454421193933289684991999;
P;
Factorization(P-1);

// P0 is the part without the product term; P-P0 is that term, 2^64*(2^32-1)^2
P0 := 2^256-2^224-2^128+2^96-1;
P0;
P-P0;

P1 := 2^256-2^224-2^128+2^96-1+2^64*(2+1)^2*(2^2+1)^2*(2^4+1)^2*(2^8+1)^2*(2^16+1)^2;

P1;

Factorization(48);
Factorization(P-1);

Factorization(P-P0);    // 2^64 * 3^2 * 5^2 * 17^2 * 257^2 * 65537^2

115792089210356248756420345214020892766250353991924191454421193933289684991999
[ <2, 1>, <43, 1>, <30223, 1>, <348253387243, 1>, <4641351449027, 1>,
<417514796639753, 1>, <66013261729388519804782124120027, 1> ]
115792089210356248756420345214020892765910071625161709315967901256971295129599
340282366762482138453292676318389862400
115792089210356248756420345214020892766250353991924191454421193933289684991999
[ <2, 4>, <3, 1> ]
[ <2, 1>, <43, 1>, <30223, 1>, <348253387243, 1>, <4641351449027, 1>,
<417514796639753, 1>, <66013261729388519804782124120027, 1> ]
[ <2, 64>, <3, 2>, <5, 2>, <17, 2>, <257, 2>, <65537, 2> ]
2011-3-2 19:32
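An added example (not from the thread) that does the sign-combination search of replies #4 and #5 mechanically. The non-adjacent form (NAF) of an integer is its unique signed power-of-two representation with no two adjacent terms, and for a generalized-Mersenne prime it is exactly the short plus/minus expression being looked for. The same form then drives the shift-and-add reduction that is the reason such a p is chosen. The constants are the SM2 and NIST P-256 moduli quoted above; `make_reducer` is my own generic fold, not the reduction routine of either standard.

```python
# Added example (not from the thread): NAF of a generalized-Mersenne prime and
# the fast modular reduction that its shape permits.
SM2_P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
NIST_P256 = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF


def naf(n: int) -> list:
    """Non-adjacent form: [(d, e), ...] with n = sum(d * 2**e), d in {+1, -1},
    highest power first.  No two exponents are adjacent, and the form is unique."""
    terms = []
    e = 0
    while n > 0:
        if n & 1:
            d = 2 - (n & 3)          # +1 if n = 1 (mod 4), -1 if n = 3 (mod 4)
            terms.append((d, e))
            n -= d
        n >>= 1
        e += 1
    return terms[::-1]


def from_terms(terms: list) -> int:
    return sum(d << e for d, e in terms)


def formula(terms: list) -> str:
    """Render terms as e.g. '2^256 - 2^224 - 2^96 + 2^64 - 1'."""
    s = ""
    for d, e in terms:
        mono = f"2^{e}" if e else "1"
        if not s:
            s = ("-" if d < 0 else "") + mono
        else:
            s += (" - " if d < 0 else " + ") + mono
    return s


def make_reducer(p: int):
    """Return reduce(x) = x mod p built only from shifts, adds and subtracts.
    Writing p = 2^k + sum(d_i * 2^e_i) gives 2^k = -sum(d_i * 2^e_i) (mod p),
    so the part of x above bit k can be folded down.  Requires the leading NAF
    term to be +2^k, which holds for all the NIST and SM2 prime-field moduli."""
    terms = naf(p)
    lead, k = terms[0]
    if lead != 1:
        raise ValueError("leading term must be +2^k")
    lower = terms[1:]
    mask = (1 << k) - 1

    def reduce(x: int) -> int:
        # Each pass shortens x by roughly (k - highest lower exponent) bits.
        # Python's >> floors and & masks correctly for negative x as well.
        while x >= (1 << k) or x < -(1 << k):
            hi, lo = x >> k, x & mask          # x = hi * 2^k + lo
            x = lo
            for d, e in lower:
                x -= d * (hi << e)
        while x < 0:                           # at most two corrections
            x += p
        while x >= p:
            x -= p
        return x

    return reduce


if __name__ == "__main__":
    for name, p in (("SM2", SM2_P), ("NIST P-256", NIST_P256)):
        print(name, "p =", formula(naf(p)))
    reduce_sm2 = make_reducer(SM2_P)
    x = (SM2_P - 1) ** 2                       # a full 512-bit product
    print("reduce ok:", reduce_sm2(x) == x % SM2_P)
```

The fold loop is the whole point of picking p this way: a 512-bit product is brought below p in a handful of 256-bit additions and subtractions at fixed word offsets, with no trial division, which is what the "约减快" (fast reduction) remark in reply #4 refers to.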
#6
p := 2^256-2^224-2^128+2^96-1+2^64*(2+1)^2*(2^2+1)^2*(2^4+1)^2*(2^8+1)^2*(2^16+1)^2;
p;
S := FiniteField(115792089210356248756420345214020892766250353991924191454421193933289684991999);
// SM2 recommended curve: y^2 = x^3 - 3x + b over GF(p)
E := EllipticCurve([S|0,0,0,-3,18505919022281880113072981827955639221458448578012075254857346196103069175443]);
E;
T := Twists(E);          // E and its twists; for a quadratic twist E', #E + #E' = 2p + 2
T;
Q := QuadraticTwists(E);
Q;
// E1 and E2 are written with identical a4, a6, so they are literally the same curve
E1 := EllipticCurve([S|0,0,0,32466885145111539324164575209040149934860148566249859157380725452739373732484,99059798084819103513055287264572952561146024198043284660960490045186480748109]);
E1;

E2 := EllipticCurve([S|0,0,0,32466885145111539324164575209040149934860148566249859157380725452739373732484,99059798084819103513055287264572952561146024198043284660960490045186480748109]);
E2;

Order(E)+Order(E1);
Order(E)+Order(E2);
2*p+2;
IsIsomorphic(E, E1);
IsIsomorphic(E, E2);
IsIsomorphic(E1, E2);

115792089210356248756420345214020892766250353991924191454421193933289684991999
Elliptic Curve defined by y^2 = x^3 + 11579208921035624875642034521402089276625\
0353991924191454421193933289684991996*x +
18505919022281880113072981827955639221458448578012075254857346196103069175443
over GF(11579208921035624875642034521402089276625035399192419145442119393328968\
4991999)
[
    Elliptic Curve defined by y^2 = x^3 + 1157920892103562487564203452140208927\
    66250353991924191454421193933289684991996*x +
    185059190222818801130729818279556392214584485780120752548573461961030691754\
    43 over GF(1157920892103562487564203452140208927662503539919241914544211939\
    33289684991999),
    Elliptic Curve defined by y^2 = x^3 + 3055598702044942576893852837786220404\
    3355264779787219082989808059694776059232*x +
    512478505879505245004118884947368501017601900881206906701010266419695148991\
    2 over GF(11579208921035624875642034521402089276625035399192419145442119393\
    3289684991999)
]
[
    Elliptic Curve defined by y^2 = x^3 + 1157920892103562487564203452140208927\
    66250353991924191454421193933289684991996*x +
    185059190222818801130729818279556392214584485780120752548573461961030691754\
    43 over GF(1157920892103562487564203452140208927662503539919241914544211939\
    33289684991999),
    Elliptic Curve defined by y^2 = x^3 + 1864554914043223771557427286849641712\
    6293959261198406709894762666677208384048*x +
    889743930312778083094594540564041748182977088943107511240595212074532156912\
    8 over GF(11579208921035624875642034521402089276625035399192419145442119393\
    3289684991999)
]
Elliptic Curve defined by y^2 = x^3 + 32466885145111539324164575209040149934860\
148566249859157380725452739373732484*x +
99059798084819103513055287264572952561146024198043284660960490045186480748109
over GF(11579208921035624875642034521402089276625035399192419145442119393328968\
4991999)
Elliptic Curve defined by y^2 = x^3 + 32466885145111539324164575209040149934860\
148566249859157380725452739373732484*x +
99059798084819103513055287264572952561146024198043284660960490045186480748109
over GF(11579208921035624875642034521402089276625035399192419145442119393328968\
4991999)
231584178420712497512840690428041785532500707983848382908842387866579369984000
231584178420712497512840690428041785532500707983848382908842387866579369984000
231584178420712497512840690428041785532500707983848382908842387866579369984000
false
false
true
2011-3-3 14:34
#7
Supporting OP... learned something...
2011-3-3 21:26
#8
Marking this; thanks to OP for sharing.
2011-3-3 21:38
#9
They didn't give the hash SEED; compare how it differs from NIST's:

D.1.1 Pseudo-random generation of elliptic curve equation parameters over F_p
Method 1:
Input: the size p of the prime field.
Output: a bit string SEED and elements a, b of F_p.
a) Choose an arbitrary bit string SEED of length at least 192 bits;
b) Compute H = H256(SEED), and write H = (h255, h254, ..., h0);
c) Set R = Σ_{i=0}^{255} h_i 2^i;
d) Set r = R mod p;
e) Choose arbitrary elements a and b of F_p such that r · b^2 ≡ a^3 (mod p);
f) If (4a^3 + 27b^2) mod p = 0, go back to step a);
g) The chosen elliptic curve over F_p is E: y^2 = x^3 + ax + b;
h) Output (SEED, a, b).
Method 2:
Input: the size p of the prime field.
Output: a bit string SEED and elements a, b of F_p.
a) Choose an arbitrary bit string SEED of length at least 192 bits;
b) Compute H = H256(SEED), and write H = (h255, h254, ..., h0);
c) Set R = Σ_{i=0}^{255} h_i 2^i;
d) Set r = R mod p;
e) Set b = r;
f) Take a to be some fixed element of F_p;
g) If (4a^3 + 27b^2) mod p = 0, go back to step a);
h) The chosen elliptic curve over F_p is E: y^2 = x^3 + ax + b;
i) Output (SEED, a, b).
D.1.2 Pseudo-random generation of elliptic curve equation parameters over F_2^m
Input: the field size q = 2^m, and the reduction polynomial of F_2^m, f(x) = x^m + f_{m−1}x^{m−1} + ··· + f_2x^2 + f_1x + f_0 (where f_i ∈ F_2,
i = 0
D.2 Verification of elliptic curve equation parameters
D.2.1 Verification of elliptic curve equation parameters over F_p
Method 1:
Input: a bit string SEED and elements a, b of F_p.
Output: "valid" or "invalid" for the input parameters.
a) Compute H′ = H256(SEED), and write H′ = (h255, h254, ..., h0);
b) Set R′ = Σ_{i=0}^{255} h_i 2^i;
c) Set r′ = R′ mod p;
d) If r′ · b^2 ≡ a^3 (mod p), output "valid"; otherwise output "invalid".
Method 2:
Input: a bit string SEED and an element b of F_p.
Output: "valid" or "invalid" for the input parameters.
a) Compute H′ = H256(SEED), and write H′ = (h255, h254, ..., h0);
b) Set R′ = Σ_{i=0}^{255} h_i 2^i;
c) Set r′ = R′ mod p;
d) If r′ = b, output "valid"; otherwise output "invalid".
D.2.2 Verification of elliptic curve equation parameters over F_2^m
Input: a bit string SEED and an element b of F_2^m.
Output: "valid" or "invalid" for the input parameters.
a) Compute H′ = H256(SEED), and write H′ = (h255, h254, ..., h0);
b) For i ≥ 256 let h_i = 1; set the bit string HH′ = (h_{m−1}, h_{m−2}, ..., h_0), and let b′ be the element of F_2^m corresponding to HH′;
c) If b′ = b, output "valid"; otherwise output "invalid".
Note: the function H256( ) in this appendix is a cryptographic hash function with a 256-bit output.

Algorithm 4.17 Generating a random elliptic curve over a prime field F_p
INPUT: A prime p > 3, and an l-bit hash function H.
OUTPUT: A seed S, and a, b ∈ F_p defining an elliptic curve E: y^2 = x^3 + ax + b.
1. Set t ← ⌈log2 p⌉, s ← ⌊(t − 1)/l⌋, v ← t − sl.
2. Select an arbitrary bit string S of length g ≥ l bits.
3. Compute h = H(S), and let r0 be the bit string of length v bits obtained by taking the v rightmost bits of h.
4. Let R0 be the bit string obtained by setting the leftmost bit of r0 to 0.
5. Let z be the integer whose binary representation is S.
6. For i from 1 to s do:
   6.1 Let s_i be the g-bit binary representation of the integer (z + i) mod 2^g.
   6.2 Compute R_i = H(s_i).
7. Let R = R0 || R1 || ··· || Rs.
8. Let r be the integer whose binary representation is R.
9. If r = 0 or if 4r + 27 ≡ 0 (mod p) then go to step 2.
10. Select arbitrary a, b ∈ F_p, not both 0, such that r · b^2 ≡ a^3 (mod p).
11. Return (S, a, b).

Verifying that an elliptic curve over F_p was randomly generated
INPUT: Prime p > 3, l-bit hash function H, seed S of bitlength g ≥ l, and a, b ∈ F_p defining an elliptic curve E: y^2 = x^3 + ax + b.
OUTPUT: Acceptance or rejection that E was generated using Algorithm 4.17.
1. Set t ← ⌈log2 p⌉, s ← ⌊(t − 1)/l⌋, v ← t − sl.
2. Compute h = H(S), and let r0 be the bit string of length v bits obtained by taking the v rightmost bits of h.
3. Let R0 be the bit string obtained by setting the leftmost bit of r0 to 0.
4. Let z be the integer whose binary representation is S.
5. For i from 1 to s do:
   5.1 Let s_i be the g-bit binary representation of the integer (z + i) mod 2^g.
   5.2 Compute R_i = H(s_i).
6. Let R = R0 || R1 || ··· || Rs.
7. Let r be the integer whose binary representation is R.
8. If r · b^2 ≡ a^3 (mod p) then return("Accept"); else return("Reject").

P-192: p = 2^192 − 2^64 − 1, a = −3, h = 1
S = 0x 3045AE6F C8422F64 ED579528 D38120EA E12196D5
r = 0x 3099D2BB BFCB2538 542DCD5F B078B6EF 5F3D6FE2 C745DE65
b = 0x 64210519 E59C80E7 0FA7E9AB 72243049 FEB8DEEC C146B9B1
n = 0x FFFFFFFF FFFFFFFF FFFFFFFF 99DEF836 146BC9B1 B4D22831
x = 0x 188DA80E B03090F6 7CBF20EB 43A18800 F4FF0AFD 82FF1012
y = 0x 07192B95 FFC8DA78 631011ED 6B24CDD5 73F977A1 1E794811

Generating a random elliptic curve over a binary field F_2^m
INPUT: A positive integer m, and an l-bit hash function H.
OUTPUT: Seed S, and a, b ∈ F_2^m defining an elliptic curve E: y^2 + xy = x^3 + ax^2 + b.
1. Set s ← ⌊(m − 1)/l⌋, v ← m − sl.
2. Select an arbitrary bit string S of length g ≥ l bits.
3. Compute h = H(S), and let b0 be the bit string of length v bits obtained by taking the v rightmost bits of h.
4. Let z be the integer whose binary representation is S.
5. For i from 1 to s do:
   5.1 Let s_i be the g-bit binary representation of the integer (z + i) mod 2^g.
   5.2 Compute b_i = H(s_i).
6. Let b = b0 || b1 || ··· || bs.
7. If b = 0 then go to step 2.
8. Select arbitrary a ∈ F_2^m.
9. Return (S, a, b).

Verifying that an elliptic curve over F_2^m was randomly generated
INPUT: Positive integer m, l-bit hash function H, seed S of bitlength g ≥ l, and a, b ∈ F_2^m defining an elliptic curve E: y^2 + xy = x^3 + ax^2 + b.
OUTPUT: Acceptance or rejection that E was generated using Algorithm 4.19.
1. Set s ← ⌊(m − 1)/l⌋, v ← m − sl.
2. Compute h = H(S), and let b′0 be the bit string of length v bits obtained by taking the v rightmost bits of h.
3. Let z be the integer whose binary representation is S.
4. For i from 1 to s do:
   4.1 Let s_i be the g-bit binary representation of the integer (z + i) mod 2^g.
   4.2 Compute b′_i = H(s_i).
5. Let b′ = b′0 || b′1 || ··· || b′s.
6. If b′ = b then return("Accept"); else return("Reject").

B-163: m = 163, f(z) = z^163 + z^7 + z^6 + z^3 + 1, a = 1, h = 2
S = 0x 85E25BFE 5C86226C DB12016F 7553F9D0 E693A268
b = 0x 00000002 0A601907 B8C953CA 1481EB10 512F7874 4A3205FD
n = 0x 00000004 00000000 00000000 000292FE 77E70C12 A4234C33
x = 0x 00000003 F0EBA162 86A2D57E A0991168 D4994637 E8343E36
y = 0x 00000000 D51FBC6C 71A0094F A2CDD545 B11C5C0C 797324F1
2011-3-22 18:07
#10
p := 2^192-2^64-1;
p;
p192 := 6277101735386680763835789423207666416083908700390324961279;
p192;

Ilog2(p192);          // 191: p192 is a 192-bit number, floor(log2 p) = 191
Ilog(10, p192);
Ilog(2, p192);
// NIST P-192: y^2 = x^3 - 3x + b, with b given in decimal
E192 := EllipticCurve([GF(p192) | -3, 2455155546008943817740293915197451784769108058161191238065]);
E192;
FactoredOrder(E192);  // one prime factor: the group order n is prime, cofactor h = 1
S := 0x3045AE6FC8422F64ED579528D38120EAE12196D5;   // the published SEED of P-192
IntegerToString(S);
Ilog(2, S);

6277101735386680763835789423207666416083908700390324961279
6277101735386680763835789423207666416083908700390324961279
191
57
191
Elliptic Curve defined by y^2 = x^3 + 62771017353866807638357894232076664160839\
08700390324961276*x + 245515554600894381774029391519745178476910805816119123806\
5 over GF(6277101735386680763835789423207666416083908700390324961279)
[ <6277101735386680763835789423176059013767194773182842284081, 1> ]
275585503993527016686210752207080241786546919125
157

test P-192:

t = ceil(191)

s = floor(191-1/160)

u = t - sl = 191 - 190*30/160 =

Hash(S) =
MD5: 67cd91412092c44a78c2f5110d16c5ac
SHA1: bf1da9fc74ff59197c611b7bc2596e493ef90c26
CRC32: 27FA8000

A.3.3 Selecting an Elliptic Curve Verifiably at Random
In order to verify that a given elliptic curve was indeed generated at random, the defining parameters of the elliptic curve are defined to be outputs of the hash function SHA-1 (as specified in ANSI X9.30 Part 2 [4]). The input (SEED) to SHA-1 then serves as proof (under the assumption that SHA-1 cannot be inverted) that the parameters were indeed generated at random. (See Annex A.3.4.) The algorithms in this section are used in Annex A.3.2.
A.3.3.1 Elliptic curves over F_2^m
Input: A field size q = 2^m.
Output: A bit string SEED and field elements a, b ∈ F_2^m which define an elliptic curve over F_2^m.
© 1998 American Bankers Association X9.62-1998
Let t = m, s = ⌊(t − 1)/160⌋, and h = t − 160·s.
1. Choose an arbitrary bit string SEED of bit length at least 160 bits. Let g be the length of SEED in bits.
2. Compute H = SHA-1(SEED), and let b0 denote the bit string of length h bits obtained by taking the h rightmost bits of H.
3. For i from 1 to s do:
   Compute b_i = SHA-1((SEED + i) mod 2^g).
4. Let b be the field element obtained by the concatenation of b0, b1, ..., bs as follows:
   b = b0 || b1 || ... || bs.
5. If b = 0, then go to step 1.
6. Let a be an arbitrary element in F_2^m.
7. The elliptic curve chosen over F_2^m is:
   E: y^2 + xy = x^3 + ax^2 + b.
8. Output (SEED, a, b).
A.3.3.2 Elliptic curves over F_p
Input: A prime field size p.
Output: A bit string SEED and field elements a, b ∈ F_p which define an elliptic curve over F_p.
Let t = ⌊log2 p⌋, s = ⌊(t − 1)/160⌋, and h = t − 160·s.
1. Choose an arbitrary bit string SEED of bit length at least 160 bits. Let g be the length of SEED in bits.
2. Compute H = SHA-1(SEED), and let c0 denote the bit string of length h bits obtained by taking the h rightmost bits of H.
3. Let W0 denote the bit string of length h bits obtained by setting the leftmost bit of c0 to 0. (This ensures that r < p.)
4. For i from 1 to s do:
   Compute W_i = SHA-1((SEED + i) mod 2^g).
5. Let W be the bit string obtained by the concatenation of W0, W1, ..., Ws as follows:
   W = W0 || W1 || ... || Ws.
6. Let w1, w2, ..., wt be the bits of W from leftmost to rightmost. Let r be the integer r = Σ_{i=1}^{t} w_i 2^{t−i}.
7. Choose integers a, b ∈ F_p such that r·b^2 ≡ a^3 (mod p). (It is not necessary that a and b be chosen at random.)
8. If 4a^3 + 27b^2 ≡ 0 (mod p), then go to step 1.
9. The elliptic curve chosen over F_p is:
   E: y^2 = x^3 + ax + b.
10. Output (SEED, a, b).
A.3.4 Verifying that an Elliptic Curve was Generated at Random
The technique specified in this section verifies that the defining parameters of an elliptic curve were indeed selected using the method specified in Annex A.3.3.
A.3.4.1 Elliptic curves over F_2^m
Input: A bit string SEED and a field element b ∈ F_2^m.
Output: Acceptance or rejection of the input parameters.
Let t = m, s = ⌊(t − 1)/160⌋, and h = t − 160·s.
1. Compute H = SHA-1(SEED), and let b0 denote the bit string of length h bits obtained by taking the h rightmost bits of H.
2. For i from 1 to s do:
   Compute b_i = SHA-1((SEED + i) mod 2^g).
3. Let b′ be the field element obtained by the concatenation of b0, b1, ..., bs as follows:
   b′ = b0 || b1 || ... || bs.
4. If b = b′, then accept; otherwise reject.
A.3.4.2 Elliptic curves over F_p
Input: A bit string SEED and field elements a, b ∈ F_p.
Output: Acceptance or rejection of the input parameters.
Let t = ⌊log2 p⌋, s = ⌊(t − 1)/160⌋, and h = t − 160·s.
1. Compute H = SHA-1(SEED) and let c0 denote the bit string of length h bits obtained by taking the h rightmost bits of H.
2. Let W0 denote the bit string of length h bits obtained by setting the leftmost bit of c0 to 0.
3. For i from 1 to s do:
   Compute W_i = SHA-1((SEED + i) mod 2^g).
4. Let W′ be the bit string obtained by the concatenation of W0, W1, ..., Ws as follows:
   W′ = W0 || W1 || ... || Ws.
5. Let w1, w2, ..., wt be the bits of W′ from leftmost to rightmost. Let r′ be the integer r′ = Σ_{i=1}^{t} w_i 2^{t−i}.
6. If r′·b^2 ≡ a^3 (mod p), then accept; otherwise reject.
A.4 Pseudorandom Number Generation
Any implementation of the ECDSA requires the ability to generate random or pseudorandom integers. Such numbers are used to derive a user's private key, d, and a user's per-message secret number k. These randomly or pseudorandomly generated integers are selected to be between 1 and n−1 inclusive, where n is a prime number. If pseudorandom numbers are desired, they shall be generated by the techniques given in this section or in an ANSI X9 approved standard.
A.4.1 Algorithm Derived from FIPS 186
The algorithm described in this section employs a one-way function G(t, c), where t is 160 bits, c is b bits (160 ≤ b ≤ 512), and G(t, c) is 160 bits. One way to construct G is via the Secure Hash Algorithm (SHA-1), as defined in ANSI X9.30 Part 2 [4]. A second method for constructing G is to use the Data Encryption Algorithm (DEA) as specified in ANSI X3.92 [1]. The construction of G by these techniques is described in Annexes A.4.1.1 and A.4.1.2, respectively.
In the algorithm specified below, a secret b-bit seed-key XKEY is used. If G is constructed via SHA-1 as defined in Annex A.4.1.1, then b shall be between 160 and 512. If DEA is used to construct G as defined in Annex A.4.1.2, then b shall be equal to 160. The algorithm optionally allows the use of a user provided input.
Input: A prime number n, positive integer l, and integer b (160 ≤ b ≤ 512).
Output: l pseudorandom integers k1, k2, ..., kl in the interval [1, n−1].
1. Let s = ⌊log2 n⌋ + 1 and f = ⌈s/160⌉.
2. Choose a new, secret value for the seed-key, XKEY. (XKEY is of length b bits.)
3. In hexadecimal notation, let:
   t = 67452301 EFCDAB89 98BADCFE 10325476 C3D2E1F0.
   This is the initial value for H0 || H1 || H2 || H3 || H4 in SHA-1.
4. For i from 1 to l do the following:
   4.1. For j from 1 to f do the following:
        4.1.1. XSEED_{i,j} = optional user input.
        4.1.2. XVAL = (XKEY + XSEED_{i,j}) mod 2^b.
        4.1.3. x_j = G(t, XVAL).
        4.1.4. XKEY = (1 + XKEY + x_j) mod 2^b.
   4.2. Set k_i = ((x1 || x2 || ... || xf) mod (n − 1)) + 1.
5. Output (k1, k2, ..., kl).
NOTE — The optional user input XSEED_{i,j} in step 4.1.1 permits a user to augment the seed-key XKEY with random or pseudorandom numbers derived from alternate sources. The values of XSEED_{i,j} must have the same security requirements as the seed-key XKEY. That is, they must be protected from unauthorized disclosure and be unpredictable.
A.4.1.1 Constructing the Function G from the SHA-1
G(t, c) may be constructed using steps (a)-(e) in Annex 3.3 of ANSI X9.30 Part 2 [4]. Before executing these steps, {H_j} and M1 must be initialized as follows:
1. Initialize the {H_j} by dividing the 160-bit value t into five 32-bit segments as follows:
   t = t0 || t1 || t2 || t3 || t4.
   Then H_j = t_j for j = 0 through 4.
2. There will be only one message block, M1, which is initialized as follows:
   M1 = c || 0^(512−b).
   (The first b bits of M1 contain c, and the remaining (512−b) bits are set to zero.)
Then steps (a) through (e) of Section 3.3 of ANSI X9.30 Part 2 [4] are executed, and G(t, c) is the 160-bit string represented by the five words
   H0 || H1 || H2 || H3 || H4
at the end of step (e).
A.4.1.2 Constructing the Function G from the DEA
G(t, c) may be constructed using the DEA (Data Encryption Algorithm) as specified in ANSI X3.92 [1].
Let a ⊕ b denote the bitwise exclusive-or of bit strings a and b, and let a || b denote the concatenation of bit strings. If b1 is a 32-bit string, then b1′ denotes the 24 least significant bits of b1.
In the following, DEA_K(A) represents ordinary DEA encryption of the 64-bit block A using the 56-bit key K. Now suppose t and c are each 160 bits. To compute G(t, c):
1. Write:
   t = t1 || t2 || t3 || t4 || t5.
   c = c1 || c2 || c3 || c4 || c5.
   In the above, t_i and c_i are each 32 bits in length.
2. For i from 1 to 5 do:
   x_i = t_i ⊕ c_i.
3. For i from 1 to 5 do:
   b1 = c_{((i+3) mod 5)+1}
   b2 = c_{((i+2) mod 5)+1}
   a1 = x_i
   a2 = x_{(i mod 5)+1} ⊕ x_{((i+3) mod 5)+1}
   y_{i,1} || y_{i,2} = DEA_{b1′ || b2}(a1 || a2),
   where y_{i,1} and y_{i,2} are each 32 bits in length.
4. For i from 1 to 5 do:
   z_i = y_{i,1} ⊕ y_{((i+1) mod 5)+1, 2} ⊕ y_{((i+2) mod 5)+1, 1}.
5. Let G(t, c) = z1 || z2 || z3 || z4 || z5.
2011-3-22 18:47
#11
X9.62-1998
Attachment uploaded:
2011-3-22 19:08
#12
The algorithms are so complicated!
2011-4-17 00:42
#13
Too advanced, I can't follow it.
I wonder how many domestic companies have had products FIPS-certified. Two products at my current company passed FIPS; unfortunately they are RSA-based. If they were ECC, that would be impressive.
2011-4-17 11:39
#14
Actually, for cryptography material the best thing is to read the papers published at the annual conferences.
2011-4-22 18:57
#15
So advanced; this newbie can't understand it.
2011-4-30 16:46
#16
My level is too low, I can't follow it; it would be better if it were in Chinese.
2011-5-19 18:59