errata logo graphic

Found 4 records.

Status: Verified (4)

RFC5639, "Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation", March 2010

Source of RFC: INDEPENDENT

Errata ID: 2082

Status: Verified
Type: Technical

Reported By: Alfred Hoenes
Date Reported: 2010-03-21
Verifier Name: Nevil Brownlee
Date Verified: 2013-03-16

Section A.2, pg. 25 says:

|  1.  Set h = find_integer_2(s).
|
|  2.  Convert h to an integer A.

   3.  If -3 = A*Z^4 mod p is not solvable, then set s = update_seed(s)
       and go to Step 1.

   4.  Compute one solution Z of -3 = A*Z^4 mod p.

   5.  Set s = update_seed(s).

   6.  Set B = find_integer_2(s).

   7.  If B is a square mod p, then set s = update_seed(s) and go to
       Step 6.

   8.  If 4*A^3 + 27*B^2 = 0 mod p, then set s = update_seed(s) and go
       to Step 1.

   9.  Check that the elliptic curve E over GF(p) given by y^2 = x^3 +
       A*x + B fulfills all security and functional requirements given
       in Section 3.  If not, then set s = update_seed(s) and go to Step
       1.

   10. Set s = update_seed(s).

   11. Set k = find_integer_2(s).

   12. Determine the points Q and -Q having the smallest x-coordinate in
       E(GF(p)).  Randomly select one of them as point P.


It should say:

|  1.  Set A = find_integer_2(s).
|
   2.  If -3 = A*Z^4 mod p is not solvable, then set s = update_seed(s)
       and go to Step 1.

   3.  Compute one solution Z of -3 = A*Z^4 mod p.

   4.  Set s = update_seed(s).

   5.  Set B = find_integer_2(s).

   6.  If B is a square mod p, then set s = update_seed(s) and go to
       Step 5.

   7.  If 4*A^3 + 27*B^2 = 0 mod p, then set s = update_seed(s) and go
       to Step 1.

   8.  Check that the elliptic curve E over GF(p) given by y^2 = x^3 +
       A*x + B fulfills all security and functional requirements given
       in Section 3.  If not, then set s = update_seed(s) and go to Step
       1.

   9.  Set s = update_seed(s).

   10. Set k = find_integer_2(s).

   11. Determine the points Q and -Q having the smallest x-coordinate in
       E(GF(p)).  Randomly select one of them as point P.


Notes:

Rationale:
According to the first part of A.2, the routine find_integer_2()
returns an integer value (see also original step 6.).
Thus, step 2 should be deleted, and 'h' is not needed.
Note that merely renumbered steps are not taagged with
a change bar above.

Updated 2013-06-06. Thanks to Edward Huff for the correction.


Errata ID: 2071

Status: Verified
Type: Editorial

Reported By: Johannes Merkle
Date Reported: 2010-03-10
Verifier Name: Nevil Brownlee
Date Verified: 2013-03-20

Section A.1 says:

      p_320 = 1763593322239166354161909842446019520889512772719515192772
      9604152886408688021498180955014999035278

It should say:

      p_320 = 1763593322239166354161909842446019520889512772719515192772
      960415288640868802149818095501499903527


Errata ID: 2083

Status: Verified
Type: Editorial

Reported By: Alfred Hoenes
Date Reported: 2010-03-21
Verifier Name: Nevil Brownlee
Date Verified: 2013-03-16

Section 1.1,1st para says:

   This RFC specifies elliptic curve domain parameters over prime fields
   GF(p) with p having a length of 160, 192, 224, 256, 320, 384, and 512
   bits.  These parameters were generated in a pseudo-random, yet
   completely systematic and reproducible, way and have been verified to
   resist current cryptanalytic approaches.  The parameters are
   compliant with ANSI X9.62 [ANSI1] and ANSI X9.63 [ANSI2], ISO/IEC
   14888 [ISO1] and ISO/IEC 15946 [ISO2], ETSI TS 102 176-1 [ETSI], as
|  well as with FIPS-186-2 [FIPS], and the Efficient Cryptography Group
   (SECG) specifications ([SEC1] and [SEC2]).


It should say:

   This RFC specifies elliptic curve domain parameters over prime fields
   GF(p) with p having a length of 160, 192, 224, 256, 320, 384, and 512
   bits.  These parameters were generated in a pseudo-random, yet
   completely systematic and reproducible, way and have been verified to
   resist current cryptanalytic approaches.  The parameters are
   compliant with ANSI X9.62 [ANSI1] and ANSI X9.63 [ANSI2], ISO/IEC
   14888 [ISO1] and ISO/IEC 15946 [ISO2], ETSI TS 102 176-1 [ETSI], as
|  well as with FIPS-186-2 [FIPS], and the Standards for Efficient
   Cryptography Group (SECG) specifications ([SEC1] and [SEC2]).


Notes:

Rationale: incomplete expansion of acronym.

Additional note:
In Section 7.2, two of the references quoted here should perhaps
better point to the current versions of the documents:

[SEC1] "SEC1: Elliptic Curve Cryptography",
Version 2.0, May 2009.

[FIPS] NIST, "Digital Signature Standard (DSS)",
FIPS PUB 186-3, November 2008.


Errata ID: 2084

Status: Verified
Type: Editorial

Reported By: Alfred Hoenes
Date Reported: 2010-03-21
Verifier Name: Nevil Brownlee
Date Verified: 2013-03-16

Section 2.,1st para says:

   Throughout this memo, let p > 3 be a prime and GF(p) a finite field
|  (sometimes also referred to as Galois Field or GF(p)) with p
   elements.  [...]

It should say:

   Throughout this memo, let p > 3 be a prime and GF(p) a finite field
|  (sometimes also referred to as Galois Field or F_p) with p elements.
   [...]

or perhaps more precisely:

   Throughout this memo, let p > 3 be a prime and GF(p) a finite field
|  (Galois Field) with p elements (sometimes also referred to as F_p). 
   [...]


Notes:

Rationale:
... GF(p) ... sometimes also referred to as ... GF(p) ...
does no make sense.
The original version from the draft did make sense -- mentioning
_another_ common notion, "F_p".


Report New Errata