X9.62, which was finalized in 1999, is notable for being the first standard in the world to specify an elliptic curve cryptographic protocol. It includes a detailed description of the finite field and elliptic curve parameters, and how they are to be represented. There are many possible representations for these parameters, and therefore fixing a particular representation is crucial for interoperability. Also included are detailed descriptions of the key generation and validation procedures, and the ECDSA signature generation and verification routines. There are extensive appendices that provide the relevant mathematics background, present algorithms for implementing finite field and elliptic curve operations, generation of elliptic curve parameters, and discuss various issues regarding the secure use of ECDSA. These appendices are a valuable resource to security engineers wishing to understand and implement elliptic curve cryptography.

A primary objective of the X9.62 standard was to achieve high degrees of security and interoperability. For this reason the finite fields were restricted to being either a prime field or a binary field. Moreover, preferred representations for the elements of these fields are given. A minimum field size of 160 bits is mandated, which translates to an 80-bit security level (equivalent to the security afforded by 1024-bit RSA or 160-bit ECC).

The early adoption of X9.62 had a strong influence on the progression of other standards for elliptic curve signature schemes. Many other standards for ECDSA were subsequently developed which, with a judicious choice of parameters, are compliant with X9.62. These include IEEE 1363-2000, FIPS 186-2, and ISO 15946-2. In fact, the FIPS 186-2 standard, which is part of the suite of cryptographic standards crafted by the US government’s National Institute for Standards and Technology (NIST), specifies ECDSA simply by providing a pointer to ANSI X9.62. In addition, it lists a set of 15 elliptic curves that are recommended (but not mandated) for US federal government use.

ANSI X9.62 is presently going through the last stages of its first five-year review. The major changes proposed for the revision are (i) the inclusion of the SHA-224, SHA-256, SHA-384 and SHA-512 variants of the hash function SHA-1 that provide greater levels of security; (ii) the exclusion of binary fields of order 2m for composite m to circumvent potential attacks on the elliptic curve discrete logarithm problem in this case; and (iii) the inclusion of the 15 elliptic curves from FIPS 186-2 as sample parameter sets. The revision to ANSI X9.62 is expected to be ratified in late 2004.

ANSI X9.63: Key Agreement And Key Transport Using Elliptic Curve Cryptography

Another elliptic curve cryptographic standard, ANSI X9.63, was finalized in 2001 and specifies several protocols for key establishment. There are protocols for key transport and key agreement, including one-pass, two-pass and three-pass variants of the MQV key agreement protocol. There is an extensive treatment of the security attributes possessed by each protocol so that users can make an informed choice of the protocol most suitable for their application. The representations of data elements in X9.63 are consistent with those in X9.62. The description of MQV is consistent with other standards including ISO 15946-3, IEEE 1363-2000, and NIST’s Special Publication 800-56 (Recommendation on key establishment schemes).

Other ANSI ECC Standards

The X9F1 working group is finalizing drafts of two other standards that use elliptic curve cryptography. X9.82 specifies several methods for generating pseudorandom numbers, including techniques that use elliptic curve operations. X9.92 describes the Pintsov-Vanstone signature scheme – an elliptic curve-based digital signature mechanism that has short signatures and is especially well suited for environments such as digital postal marks where bandwidth is severely limited.

For Further Information:

To purchase ANSI standards: http://www.ansi.org 
X9 committee: http://www.x9.org