Representation of ECC domain parameters

Elliptic curve domains are represented as one of two possibilities.

For curves over prime fields:

Curve = S(type) || S(field.type) || S(field.bitsize) ||

B(p) ||

B(a) || B(b) || B(G.x) || B(G.y) || B(r) || B(h)

For curves over binary polynomial fields:

Curve = S(type) || S(field.type) || S(field.bitsize) ||

S(num_terms) || S(T₁) || … || S(T_{num_terms}) ||

B(a) || B(b) || B(G.x) || B(G.y) || B(r) || B(h)

In binary fields, field elements are represented as integers. Bit i of the integer is the coefficient of xⁱ.

Component Field type Meaning

Component	Field type	Meaning
`B(a)`	both	Curve parameter `a`
`B(b)`	both	Curve parameter `b`
`B(G.x)`	both	`x` coordinate of `G`, the subgroup generator (also known as the base point)
`B(G.y)`	both	`y` coordinate of `G`
`B(h)`	both	`h`, the cofactor (that is, curve order divided by subgroup order)
`B(p)`	prime	The prime modulus `p`, for a prime field
`B(r)`	both	The name `r` is used in nCore and corresponds to FIPS 186-2. In FIPS 186-4 this parameter is called `n`.
`S(field.bitsize)`	both	An indicator of the the field size: `field.bitsize=bitlen(p)` for a prime field `field.bitsize` the highest power in the irreducible polynomial, for a binary field. For example, `409` in the polynomial `x⁴⁰⁹+x⁸⁷+1`.
`S(field.type)`	both	The field type: `field.type=0` for a prime field `field.type=1` for a binary field with polynomial basis
`S(num_terms)`	binary	The number of nonzero terms in the irreducible polynomial, for a binary field. For example, `3` for the polynomial `x⁴⁰⁹+x⁸⁷+1` example above.
`S(T_i)`	binary	The indices of the nonzero terms T_i in ascending order of the irreducible polynomial, for a binary field. For example, the polynomial `x⁴⁰⁹+x⁸⁷+1` is represented by the ordered list of indices `S(0) \|\| S(87) \|\| S(409)`
`S(type)`	both	The curve type: `type=0` for prime field `type=1` for binary field

B(a)

both

Curve parameter a

B(b)

both

Curve parameter b

B(G.x)

both

x coordinate of G, the subgroup generator (also known as the base point)

B(G.y)

both

y coordinate of G

B(h)

both

h, the cofactor (that is, curve order divided by subgroup order)

B(p)

prime

The prime modulus p, for a prime field

B(r)

both

The name r is used in nCore and corresponds to FIPS 186-2. In FIPS 186-4 this parameter is called n.

S(field.bitsize)

both

An indicator of the the field size:

field.bitsize=bitlen(p) for a prime field
field.bitsize the highest power in the irreducible polynomial, for a binary field. For example, 409 in the polynomial x⁴⁰⁹+x⁸⁷+1.

S(field.type)

both

The field type:

field.type=0 for a prime field
field.type=1 for a binary field with polynomial basis

S(num_terms)

binary

The number of nonzero terms in the irreducible polynomial, for a binary field. For example, 3 for the polynomial x⁴⁰⁹+x⁸⁷+1 example above.

S(T_i)

binary

The indices of the nonzero terms T_i in ascending order of the irreducible polynomial, for a binary field. For example, the polynomial x⁴⁰⁹+x⁸⁷+1 is represented by the ordered list of indices S(0) || S(87) || S(409)

S(type)

both

The curve type:

type=0 for prime field
type=1 for binary field