In NIST FIPS 186-4 (page 90), it is said that $c$ is the output of SHA-1 on a seed that was chosen randomly. Then the parameter $b$ of the EC is chosen, according to the formula: $$b^2 \times c \equiv -27 \pmod p$$ Why choose $b$ this way? Why, as an example, couldn't $b = c$?
1 Answer
The algorithm for generating an EC curve is in Appendix D.5 of NIST FIPS 186-4, and the verification algorithm is in D.6. They are taken from ANSI X9.62, which gave the rationale as follows:

> In order to verify that a given elliptic curve was indeed generated at random, the defining parameters of the elliptic curve are defined to be outputs of the hash function SHA-1 (as specified in ANSI X9.30 Part 2 [4]). The input (SEED) to SHA-1 then serves as proof (under the assumption that SHA-1 cannot be inverted) that the parameters were indeed generated at random.
The curve generation algorithm requires $a,b$ to satisfy $b^2\cdot c \equiv a^3 \bmod p$, and it is not necessary that $a$ and $b$ be chosen at random. In the case of NIST Prime curves, they all use fixed $a=-3$, so $b^2\cdot c \equiv -27 \bmod p$.
As to the question of why $b$ cannot be equal to $c$, note that if $a$ is not fixed then it is actually valid to choose $a=b=c$. But $a=-3$ is chosen by NIST, so this is not possible because the seed does not hash to $-3$.
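The D.6 check discussed in the answer, carried out for P-256 as an added example (not part of the original answer): it derives $c$ from the seed with SHA-1, tests $b^2 \cdot c \equiv -27 \pmod p$, and also solves for $b$ in the generation direction. The P-256 constants are the ones published in FIPS 186-4 Appendix D.1.2; the function names are illustrative, and the square-root shortcut assumes $p \equiv 3 \pmod 4$, which holds for this prime.

```python
import hashlib

# NIST P-256 prime, coefficient b and SEED as published in FIPS 186-4, Appendix D.1.2.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
SEED = bytes.fromhex("c49d360886e704936a6678e1139d26b7819f7e90")


def derive_c(seed: bytes, p: int) -> int:
    """Derive c from a 160-bit seed with SHA-1 (FIPS 186-4 D.6, steps 1-6)."""
    l = p.bit_length()
    v = (l - 1) // 160
    w = l - 160 * v - 1
    # h0: the w rightmost bits of SHA-1(seed)
    c = int.from_bytes(hashlib.sha1(seed).digest(), "big") % (1 << w)
    z = int.from_bytes(seed, "big")
    for i in range(1, v + 1):
        # h_i = SHA-1((z + i) mod 2^160), appended to the right of h0
        s_i = ((z + i) % (1 << 160)).to_bytes(20, "big")
        c = (c << 160) | int.from_bytes(hashlib.sha1(s_i).digest(), "big")
    return c


def verify_b(seed: bytes, b: int, p: int) -> bool:
    """D.6, final step: accept only if b^2 * c == -27 (mod p), i.e. a = -3."""
    return (b * b * derive_c(seed, p) + 27) % p == 0


def generate_b(seed: bytes, p: int):
    """Generation direction (D.5) for a = -3: a square root of -27/c mod p.

    Returns None when the seed must be rejected (degenerate c, or -27/c is
    not a square). Uses the p == 3 (mod 4) square-root formula.
    """
    c = derive_c(seed, p)
    if c % p == 0 or (4 * c + 27) % p == 0:
        return None
    t = (-27 * pow(c, -1, p)) % p
    b = pow(t, (p + 1) // 4, p)
    return b if (b * b) % p == t else None


if __name__ == "__main__":
    print("published b passes D.6:", verify_b(SEED, B, P))
    print("b = c passes D.6:      ", verify_b(SEED, derive_c(SEED, P), P))
```

The generator may return either square root, $b$ or $p - b$; both satisfy the D.6 relation for the same seed.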