Why are there abnormal field sizes like 521, 571, 233 and 283 bits in the prime and binary fields defined by NIST?
1 Answer
There are some good answers in the comments, let me summarize and add a comment at the end.
Binary fields
For fields of the form $\mathbb{F}_{2^m}$, that is, fields with $2^m$ elements, there are attacks which use the fact that $m$ is a composite number. So in practice you would want $m$ to be prime, and in particular not a multiple of 8. Therefore in this case you're out of luck: you can't have a "byte-aligned" field. This is what poncho mentions.
Prime fields
For fields of the form $\mathbb{F}_p$, you would want to choose a prime such that you can efficiently do field arithmetic. In other words, you want to give the prime some structure such that the modular reduction becomes easy. Examples are:
- Mersenne primes, i.e. primes of the form $2^n-1$. This makes the modular reduction extremely fast. Unfortunately there don't exist many, and the smallest one which achieves a $256$-bit security level is $2^{521}-1$. This is what SEJPM remarks.
- Since there are not many Mersenne primes, you want to choose something a little different. In the NIST documents, they use so-called Solinas primes. An example is the prime for P-256, which is $p=2^{256}-2^{224}+2^{192}+2^{96}-1$.
- Any other structure. A commonly used one is $2^{255}-19$.
What is important is that being "byte-aligned" is not necessarily useful. In fact, there are many implementation tricks which use the fact that it is not. Take for example $p=2^{127}-1$. Any integer mod $p$ fits in four 32-bit registers, but only needs 127 bits. There is one extra bit which is "free", and there are circumstances where you can use this bit to speed things up. This is usually what is referred to as using a "redundant representation".
A note: this is kind of an ongoing discussion, but there are arguments why primes with any kind of structure are less preferred. The reason is that the structure of the prime will in some sense be carried over the elliptic curve group. This can have downsides, for example it makes "additive scalar blinding" harder, which results in a slow-down. I'm not saying one way or the other is better, but be aware that there are different opinions on this.
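An added example (not part of the original question or answer) showing why the structured primes above make reduction cheap: the same shift-and-add fold handles the Mersenne prime $2^{521}-1$, the P-256 Solinas prime and $2^{255}-19$, and is checked against ordinary long division. The prime descriptions and the sample operands are constructed here; no library beyond Python's integers is assumed.

```python
# Added example: reducing modulo "special" primes with shifts and adds
# instead of long division.
#
# A prime p = 2^k - t, with t a small sum of signed powers of two, gives the
# congruence 2^k ≡ t (mod p). Any x >= 2^k can therefore be folded:
#     x = high * 2^k + low  ->  x' = low + high * t
# When the powers of two in t are word-aligned (as in the NIST Solinas
# primes), high * t is just word shuffling, no multiplier needed.

# Each prime is described by k and the terms of t as (exponent, sign) pairs,
# meaning 2^k ≡ sum(sign * 2^exponent) (mod p).
SPECIAL_PRIMES = {
    # Mersenne prime behind P-521: 2^521 ≡ 1
    "P-521": (521, [(0, +1)]),
    # Solinas prime behind P-256: 2^256 ≡ 2^224 - 2^192 - 2^96 + 1
    "P-256": (256, [(224, +1), (192, -1), (96, -1), (0, +1)]),
    # Curve25519 prime: 2^255 ≡ 19 = 2^4 + 2^1 + 2^0
    "2^255-19": (255, [(4, +1), (1, +1), (0, +1)]),
}


def prime_value(k: int, terms) -> int:
    """Recover p = 2^k - t from its description."""
    return (1 << k) - sum(sign << e for e, sign in terms)


def fold_reduce(x: int, k: int, terms) -> int:
    """Reduce x >= 0 modulo p = 2^k - t using only shifts and adds.

    Each pass replaces high * 2^k by high * t, which lowers x by high * p,
    so a few passes bring x below 2^k; one conditional subtraction then
    lands in [0, p) because 2^k - p = t < p.
    """
    mask = (1 << k) - 1
    while x >> k:
        high, low = x >> k, x & mask
        x = low + sum(sign * (high << e) for e, sign in terms)
    p = prime_value(k, terms)
    return x - p if x >= p else x


def mulmod_special(a: int, b: int, name: str) -> int:
    """Field multiplication in F_p for one of the special primes above."""
    k, terms = SPECIAL_PRIMES[name]
    return fold_reduce(a * b, k, terms)


if __name__ == "__main__":
    # Constructed operands: the two largest field elements give the widest
    # product and therefore exercise the most folding passes.
    for name, (k, terms) in SPECIAL_PRIMES.items():
        p = prime_value(k, terms)
        assert mulmod_special(p - 1, p - 2, name) == ((p - 1) * (p - 2)) % p
        print(f"{name}: {p.bit_length()}-bit p, fold matches (a*b) % p")
```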