1

I'm looking at the FIPS-186 standard. On page 88, it gives a table recommending the size of the base field for the elliptic curve versus the order $n$ of a point on the curve. The numbers don't seem to make sense. For example it says if the bit length of $n$ is between $161$ and $223$, then the bit length of the ambient finite field should be $192$. But if you go off these numbers, there's a good chance that $n$ will be bigger than the size of the elliptic curve group itself. For example, say $p \approx 2^{192}$ and the bit length of $n$ equals $223$. Then by Hasse's theorem, the number of points on the elliptic curve will be less than $2^{192} + 1 + 2^{96}$, which is much smaller than $n$.

Can someone explain to me what the table in the standard means?

Ievgeni
  • 2,653
  • 1
  • 13
  • 35
cryptolearner
  • 11
  • 1

1 Answers1

2

SP 800-57, Table 2 (on page 54) defines five levels of security. For each of these levels of security, this table provides recommended ranges for the size of $n$, the order of the elliptic curve group used.

Table D-1 in FIPS 186 suggests appropriate base field sizes to meet each of the ranges.

For example, SP 800-57 suggests that curve orders of $160$-$223$ bits should only be used when less than $80$-bit security is required. FIPS 186 then suggests using $192$-bit $p$ in this case.

You are correct that a base field with order $p$ of bitlength $192$ would never give rise to an elliptic curve group with $223$-bit order. This is the reverse of how the table should be interpreted.

meshcollider
  • 1,603
  • 1
  • 11
  • 15