From 752b8244b973b849beebf76c2e3df2a0bc5189b0 Mon Sep 17 00:00:00 2001
From: Mark Wooding <mdw@distorted.org.uk>
Date: Tue, 30 Oct 2007 10:49:40 +0000
Subject: [PATCH] ectab.in: Add previously unacceptable curves from X9.62.

Previously we rejected curves with large cofactors.  We've now
recognized that this was unnecessary.  This change includes the curves
from X9.62 which were previously omitted for having large cofactors.

The curve c2onb239v2 seems incorrect as specified.  In particular, the
specified base point G isn't in the prime-order subgroup -- in fact, it
seems as if the curve group E is cyclic and G is primitive in E.  The
base point included in the table is actually P = 6 G, which does
correctly generate the prime-order subgroup.
---
 ectab.in | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++------------
 1 file changed, 72 insertions(+), 16 deletions(-)

diff --git a/ectab.in b/ectab.in
index 0a8899e..238accb 100644
--- a/ectab.in
+++ b/ectab.in
@@ -315,8 +315,6 @@ curve ansi-c2pnb163v3 binpoly
   gx 0x02f9f87b7c574d0bdecf8a22e6524775f98cdebdcb
   gy 0x05b935590c155e17ea48eb3ff3718b893df59a05d0
 
-# ansi-c2pnb176w1 has an unacceptable cofactor; and 176 isn't prime anyway
-
 curve ansi-c2tnb191v1 binpoly
   p 0x800000000000000000000000000000000000000000000201
   a 0x2866537b676752636a68f56554e12640276b649ef7526267
@@ -333,7 +331,14 @@ curve ansi-c2tnb191v2 binpoly
   h 4
   gx 0x3809b2b7cc1b28cc5a87926aad83fd28789e81e2c9e3bf10
   gy 0x17434386626d14f3dbf01760d9213a3e1cf37aec437d668a
-# ansi-c2tnb191v3 and ansi-c2onb191v2 have unacceptable cofactor
+curve ansi-c2tnb191v3 binpoly
+  p 0x800000000000000000000000000000000000000000000201
+  a 0x6c01074756099122221056911c77d77e77a777e7e7e77fcb
+  b 0x71fe1af926cf847989efef8db459f66394d90f32ad3f15e8
+  r 0x155555555555555555555555610c0b196812bfb6288a3ea3
+  h 6
+  gx 0x375d4ce24fde434489de8746e71786015009e66e38a926dd
+  gy 0x545a39176196575d985999366e6ad34ce0a77cd7127b06be
 curve ansi-c2onb191v1 binnorm
   p 0x800000000000000000000000000000000000000000000201
   beta 0x19c409a7f85383bf0ef72b097a5c7398013a2dba6269292d
@@ -343,8 +348,15 @@ curve ansi-c2onb191v1 binnorm
   h 2
   gx 0x5a2c69a32e8638e51ccefaad05350a978457cb5fb6df994a
   gy 0x0f32fe0fa0e902f19b17d363c269f4f5cfe8087618569954
-
-# ansi-c2pnb208v1 has an unacceptable cofactor; and 208 isn't prime anyway
+curve ansi-c2onb191v2 binnorm
+  p 0x800000000000000000000000000000000000000000000201
+  beta 0x19c409a7f85383bf0ef72b097a5c7398013a2dba6269292d
+  a 0x25f8d06c97c822536d469cd5170cdd7bb9f500bd6db110fb
+  b 0x75ff570e35ca94fb3780c2619d081c17aa59fbd5e591c1c4
+  r 0x0fffffffffffffffffffffffeeb354b7270b2992b7818627
+  h 8
+  gx 0x2a16910e8f6c4b199be24213857abc9c992edfb2471f3c68
+  gy 0x1592dbfebeb81a7c071b744d5e2f9e242ea65b81138a3468  
 
 curve ansi-c2tnb239v1 binpoly
   p 0x800000000000000000000000000000000000000000000000001000000001
@@ -354,7 +366,22 @@ curve ansi-c2tnb239v1 binpoly
   h 4
   gx 0x57927098fa932e7c0a96d3fd5b706ef7e5f5c156e16b7e7c86038552e91d
   gy 0x61d8ee5077c33fecf6f1a16b268de469c3c7744ea9a971649fc7a9616305
-# ansi-c2tnb239v{2,3} and ansi-c2onb239v2 have unacceptable cofactors
+curve ansi-c2tnb239v2 binpoly
+  p 0x800000000000000000000000000000000000000000000000001000000001
+  a 0x4230017757a767fae42398569b746325d45313af0766266479b75654e65f
+  b 0x5037ea654196cff0cd82b2c14a2fcf2e3ff8775285b545722f03eacdb74b
+  r 0x1555555555555555555555555555553c6f2885259c31e3fcdf154624522d
+  h 6
+  gx 0x28f9d04e900069c8dc47a08534fe76d2b900b7d7ef31f5709f200c4ca205
+  gy 0x5667334c45aff3b5a03bad9dd75e2c71a99362567d5453f7fa6e227ec833
+curve ansi-c2tnb239v3 binpoly
+  p 0x800000000000000000000000000000000000000000000000001000000001
+  a 0x01238774666a67766d6676f778e676b66999176666e687666d8766c66a9f
+  b 0x6a941977ba9f6a435199acfc51067ed587f519c5ecb541b8e44111de1d40
+  r 0x0cccccccccccccccccccccccccccccac4912d2d9df903ef9888b8a0e4cff
+  h 10
+  gx 0x70f6e9d04d289c4e89913ce3530bfde903977d42b146d539bf1bde4e9c92
+  gy 0x2e5a0eaf6e5e1305b9004dce5c0ed7fe59a35608f33837c816d80b79f461
 curve ansi-c2onb239v1 binnorm
   p 0x800000000000000000000000000000000000000000000000001000000001
   beta 0x3b5ce9846911b248f9347018a7ac8cce3662cee952ba45becd02d4b903ec
@@ -364,16 +391,45 @@ curve ansi-c2onb239v1 binnorm
   h 4
   gx 0x4912ad657f1d1c6b32edb9942c95e226b06fb012cd40fdea0d72197c8104
   gy 0x01f1fbc3d21168fd3f66c441c2b5c6cfdcd9ed3e13646b7a4db9a3b0c286
-
-# ansi-c2pnb272w1 has an unacceptable cofactor; and 272 isn't prime anyway
-
-# ansi-c2pnb304w1 has an unacceptable cofactor; and 304 isn't prime anyway
-
-# ansi-c2tnb359v1 has an unacceptable cofactor
-
-# ansi-c2pnb368w1 has an unacceptable cofactor; and 368 isn't prime anyway
-
-# ansi-c2tnb431v1 has an unacceptable cofactor
+curve ansi-c2onb239v2 binnorm
+  p 0x800000000000000000000000000000000000000000000000001000000001
+  beta 0x3b5ce9846911b248f9347018a7ac8cce3662cee952ba45becd02d4b903ec
+  a 0x1ecf1b9d28d8017505e17475d3df2982e243ca5cb5e9f94a3f36124a486e
+  b 0x3ee257250d1a2e66cef23aa0f25b12388de8a10ff9554f90afbaa9a08b6d
+  r 0x1555555555555555555555555555558cf77a5d0589d2a9340d963b7ad703
+  h 6
+  gx 0x5f949ccb694f26b96d191e8925205a719929e93c37174cb6c7f659a37b85
+  gy 0x2d788d605ac81069e9964fd6edbae8bbf582a5c409a1078cf487a147ceb2
+  ## The spec seems bogus: the suggested base point G isn't in the
+  ## subgroup!  The point above is h G.
+  ##gx 0x193279fc543e9f5f7119189785b9c60b249be4820baf6c24bdfa2813f8b8
+  ##gy 0x5da021e5af77604051fc5c38da8293c1eeeaa00f046eeb93b6c8b774bb9b
+
+curve ansi-c2tnb359v1 binpoly
+  p 0x800000000000000000000000000000000000000000000000000000000000000000000000100000000000000001
+  a 0x5667676a654b20754f356ea92017d946567c46675556f19556a04616b567d223a5e05656fb549016a96656a557
+  b 0x2472e2d0197c49363f1fe7f5b6db075d52b6947d135d8ca445805d39bc345626089687742b6329e70680231988
+  r 0x01af286bca1af286bca1af286bca1af286bca1af286bc9fb8f6b85c556892c20a7eb964fe7719e74f490758d3b
+  h 76
+  gx 0x3c258ef3047767e7ede0f1fdaa79daee3841366a132e163aced4ed2401df9c6bdcde98e8e707c07a2239b1b097
+  gy 0x53d7e08529547048121e9c95f3791dd804963948f34fae7bf44ea82365dc7868fe57e4ae2de211305a407104bd
+
+curve ansi-c2tnb431v1 binpoly
+  p 0x800000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000001
+  a 0x1a827ef00dd6fc0e234caf046c6a5d8a85395b236cc4ad2cf32a0cadbdc9ddf620b0eb9906d0957f6c6feacd615468df104de296cd8f
+  b 0x10d9b4a3d9047d8b154359abfb1b7f5485b04ceb868237ddc9deda982a679a5a919b626d4e50a8dd731b107a9962381fb5d807bf2618
+  r 0x000340340340340340340340340340340340340340340340340340340323c313fab50589703b5ec68d3587fec60d161cc149c1ad4a91
+  h 10080
+  gx 0x120fc05d3c67a99de161d2f4092622feca701be4f50f4758714e8a87bbf2a658ef8c21e7c5efe965361f6c2999c0c247b0dbd70ce6b7
+  gy 0x20d0af8903a96f8d5fa2c255745d3c451b302c9346d9b7e485e7bce41f6b591f3e8f6addcbb0bc4c2f947a7de1a89b625d6a598b3760
+
+# These curves aren't included because their degree isn't prime (so they
+# may be vulnerable to Weil descent)
+# ansi-c2pnb176w1 is bad: 176 isn't prime
+# ansi-c2pnb208v1 is bad: 208 isn't prime
+# ansi-c2pnb272w1 is bad: 272 isn't prime
+# ansi-c2pnb304w1 is bad: 304 isn't prime
+# ansi-c2pnb368w1 is bad: 368 isn't prime
 
 alias ansi-prime192v1 secp192r1
 curve ansi-prime192v2 niceprime
-- 
2.11.0