ANSI X9.62 : 2005

Foreword
Figures
Tables
Introduction
1 Scope
2 Conformance
3 Normative references
4 Terms and definitions
5 Symbols and abbreviated terms
6 Cryptographic Ingredients
  6.1 Security Levels
  6.2 Cryptographic Hash Functions
7 The Elliptic Curve Digital Signature Algorithm (ECDSA)
  7.1 Overview
  7.2 Setup Process
  7.3 Signing Process
  7.4 Verifying Process
       7.4.1 Verification with the Public Key
       7.4.2 Verification with the Private Key
Annex A (normative) Normative Number-Theoretic Algorithms
  A.1 Primality
       A.1.1 A Probabilistic Primality Test
       A.1.2 Checking for Near Primality
  A.2 Finite Fields
       A.2.1 Overview
       A.2.2 Prime Fields
       A.2.3 Characteristic Two Fields
  A.3 Elliptic Curve Domain Parameters
       A.3.1 Preliminaries
       A.3.2 Necessary Conditions for Secure Elliptic Curves
       A.3.3 Elliptic Curve Selection
       A.3.4 Base Point (Generator) Selection
       A.3.5 Selection of Elliptic Curve Domain Parameters
  A.4 Elliptic Curve Key Pairs
       A.4.1 Preliminaries
       A.4.2 Elliptic Curve Public Key Validation
       A.4.3 Elliptic Curve Key Pair Generation
  A.5 Data Conversions
       A.5.1 Overview
       A.5.2 Integer to Octet String
       A.5.3 Octet String to Integer
       A.5.4 Field Element to Octet String
       A.5.5 Octet String to Field Element
       A.5.6 Field Element to Integer
       A.5.7 Point to Octet String
       A.5.8 Octet String to Point
Annex B (normative) Recommended Elliptic Curve Domain
                    Parameters
Annex C (normative) Assurances
Annex D (normative) Random Number Generation
  D.1 Generation of Elliptic Curve Private Keys
  D.2 A DRBG Using HMAC
       D.2.1 Overview
       D.2.2 Instantiation of the HMAC_DRBG
       D.2.3 Reseeding a HMAC_DRBG Instantiation
       D.2.4 Pseudorandom Bit Generation Using the HMAC_DRBG
       D.2.5 Using HMAC_DRBG to Generate Elliptic Curve
             Private Keys
  D.3 Requirements on Deterministic Random Number Generators
Annex E (normative) ASN.1 Syntax for ECDSA
  E.1 Introduction
  E.2 Common Object Identification
  E.3 Algorithm Identification
  E.4 Hash Functions
  E.5 Finite Fields
  E.6 Elliptic Curve Points
  E.7 Elliptic Curve Domain Parameters
  E.8 Digital Signatures
  E.9 Elliptic Curve Public Keys
  E.10 ASN.1 Module
Annex F (normative) Backwards Compatibility with Legacy
                    Implementations of ECDSA
Annex G (informative) Mathematical Background and Examples
  G.1 The Finite Field F[p]
  G.2 The Finite Field F[2]m
       G.2.1 Overview
       G.2.2 Polynomial Bases
       G.2.3 Trinomial and Pentanomial Bases
       G.2.4 Normal Bases
       G.2.5 Gaussian Normal Bases
  G.3 Elliptic Curves over F[p]
  G.4 Elliptic Curves over F[2]m
  G.5 Model for ECDSA Signatures
       G.5.1 System Setup
       G.5.2 Key Pair Generation
       G.5.3 Signature Generation for ECDSA
       G.5.4 Signature Verification for ECDSA
Annex H (informative) Tables of Trinomials, Pentanomials
                      and Gaussian Normal Bases
  H.1 Tables of GNB for F[2]m
  H.2 Irreducible Trinomials over F[2]
  H.3 Irreducible Pentanomials over F[2]
  H.4 Table of Fields F[2]m which have both an ONB and
       a TPB over F[2]
Annex I (informative) Informative Number-Theoretic Algorithms
  I.1 Finite Fields and Modular Arithmetic
       I.1.1 Exponentiation in a Finite Field
       I.1.2 Inversion in a Finite Field
       I.1.3 Generating Lucas Sequences
       I.1.4 Finding Square Roots Modulo a Prime
       I.1.5 Trace and Half-Trace Functions
       I.1.6 Solving Quadratic Equations over F[2]m
       I.1.7 Checking the Order of an Integer Modulo a Prime
       I.1.8 Computing the Order of an Integer Modulo a Prime
       I.1.9 Constructing an Integer of a Given Order Modulo
             a Prime
  I.2 Polynomials over a Finite Field
       I.2.1 The GCD of Polynomials over a Finite Field
       I.2.2 Finding a Root in F[2]m of an Irreducible Binary
             Polynomial
       I.2.3 Change of Basis
       I.2.4 Checking Binary Polynomials for Irreducibility
  I.3 Elliptic Curve Algorithms
       I.3.1 Scalar Multiplication (Computing a Multiple of
             a Elliptic Curve Point)
       I.3.2 Verifying the Order of an Elliptic Curve Point
Annex J (informative) Complex Multiplication (CM) Elliptic
                      Curve Generation Method
  J.1 Overview
  J.2 Miscellaneous Number-Theoretic Algorithms
       J.2.1 Overview
       J.2.2 Evaluating Jacobi Symbols
       J.2.3 Finding Square Roots Modulo a Power of Two
       J.2.4 Exponentiation Modulo a Polynomial
       J.2.5 Factoring Polynomials over F[p] (Special Case)
       J.2.6 Factoring Polynomials over F[2] (Special Case)
  J.3 Class Group Calculations
       J.3.1 Overview
       J.3.2 Class Group and Class Number
       J.3.3 Reduced Class Polynomial
  J.4 Complex Multiplication
       J.4.1 Overview
       J.4.2 Finding a Nearly Prime Order over F[p]
       J.4.3 Finding a Nearly Prime Order over F[2]m
       J.4.4 Constructing a Curve and Point (Prime Case)
       J.4.5 Constructing a Curve and Point (Binary Case)
Annex K (informative) Security Considerations
  K.1 Overview
  K.2 Elliptic Curve Discrete Logarithm Problem
       K.2.1 Overview
       K.2.2 Software Attacks
       K.2.3 Hardware Attacks
       K.2.4 Key Length Considerations
  K.3 Elliptic Curve Domain Parameters
  K.4 Key Pairs
  K.5 ECDSA
Annex L (informative) Examples of ECDSA and Elliptic Curves
  L.1 Overview
  L.2 Examples of Data Conversion Methods
       L.2.1 Overview
       L.2.2 Example of Integer-to-Octet-String Conversion
       L.2.3 Example of Octet-String-to-Integer Conversion
       L.2.4 Two Examples of Field-Element-to-Octet-String
             Conversion
       L.2.5 Two Examples of Octet-String-to-Field-Element
             Conversion
       L.2.6 Two Examples of Field-Element-to-Integer Conversion
       L.2.7 Two Examples of Point-to-Octet-String Conversion
       L.2.8 Two Examples of Octet-String-to-Point Conversion
  L.3 Examples of ECDSA over the Field F[2]m
       L.3.1 Example of ECDSA over a 233-bit Binary Field
       L.3.2 Example of ECDSA over a 283-bit Binary Field
       L.3.3 Example of ECDSA over a 571-bit Binary Field
       L.4 Examples of ECDSA over the Field F[p]
       L.4.1 Example of ECDSA over a 224-bit Prime Field
       L.4.2 Example of ECDSA over a 256-bit Prime Field
       L.4.3 Example of ECDSA over a 521-bit Prime Field
  L.5 Examples of Elliptic Curves over the Field F[2]m
       L.5.1 Overview
       L.5.2 Three Example Curves over F[2]163
       L.5.3 Two Example Curves over F[2]233
       L.5.4 Two Example Curves over F[2]283
       L.5.5 Two Example Curves over F[2]409
       L.5.6 Two Example Curves over F[2]571
  L.6 Examples of Elliptic Curves over the Field F[p]
       L.6.1 Overview
       L.6.2 Two Example Curves over 192-bit Prime Fields
       L.6.3 Two Example Curves over 224-bit Prime Fields
       L.6.4 Two Example Curves over 256-bit Prime Fields
       L.6.5 An Example Curve over a 384-bit Prime Field
       L.6.6 An Example Curves over a 521-bit Prime Field
Annex M (informative) ECDSA in Selected Other Standards
  M.1 Introduction
  M.2 Other Specifications of ECDSA
       M.2.1 Introduction
       M.2.2 Previous 1998 Version of this Standard ANS X9.62
       M.2.3 NIST Publication FIPS 186-2
       M.2.4 IEEE Std 1363-2000
       M.2.5 SEC 1 and SEC 2
       M.2.6 IS 14888-3 and IS 15946-2
       M.2.7 NESSIE
  M.3 Applications of ECDSA in Other Standards
       M.3.1 Introduction
       M.3.2 American National Standards Institute
       M.3.3 Internet Engineering Task Force
Bibliography

Defines methods for digital signature (signature) generation and verification for the protection of messages and data using the Elliptic Curve Digital Signature Algorithm (ECDSA).