# RFC Errata

Found 6 records.

## Status: Verified (6)

#### RFC 5639, "Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation", March 2010

Source of RFC: INDEPENDENT
Errata ID: 2082

**Status: Verified
Type: Technical
Publication Format(s) : TEXT**

Reported By: Alfred Hoenes

Date Reported: 2010-03-21

Verifier Name: Nevil Brownlee

Date Verified: 2013-03-16

Section A.2, pg. 25 says:

| 1. Set h = find_integer_2(s).

| 2. Convert h to an integer A.

3. If -3 = A*Z^4 mod p is not solvable, then set s = update_seed(s) and go to Step 1.

4. Compute one solution Z of -3 = A*Z^4 mod p.

5. Set s = update_seed(s).

6. Set B = find_integer_2(s).

7. If B is a square mod p, then set s = update_seed(s) and go to Step 6.

8. If 4*A^3 + 27*B^2 = 0 mod p, then set s = update_seed(s) and go to Step 1.

9. Check that the elliptic curve E over GF(p) given by y^2 = x^3 + A*x + B fulfills all security and functional requirements given in Section 3. If not, then set s = update_seed(s) and go to Step 1.

10. Set s = update_seed(s).

11. Set k = find_integer_2(s).

12. Determine the points Q and -Q having the smallest x-coordinate in E(GF(p)). Randomly select one of them as point P.

It should say:

| 1. Set A = find_integer_2(s).

2. If -3 = A*Z^4 mod p is not solvable, then set s = update_seed(s) and go to Step 1.

3. Compute one solution Z of -3 = A*Z^4 mod p.

4. Set s = update_seed(s).

5. Set B = find_integer_2(s).

6. If B is a square mod p, then set s = update_seed(s) and go to Step 5.

7. If 4*A^3 + 27*B^2 = 0 mod p, then set s = update_seed(s) and go to Step 1.

8. Check that the elliptic curve E over GF(p) given by y^2 = x^3 + A*x + B fulfills all security and functional requirements given in Section 3. If not, then set s = update_seed(s) and go to Step 1.

9. Set s = update_seed(s).

10. Set k = find_integer_2(s).

11. Determine the points Q and -Q having the smallest x-coordinate in E(GF(p)). Randomly select one of them as point P.

Notes:

Rationale:

According to the first part of A.2, the routine find_integer_2() returns an integer value (see also original step 6.). Thus, step 2 should be deleted, and 'h' is not needed.

Note that merely renumbered steps are not tagged with a change bar above.

Updated 2013-06-06. Thanks to Edward Huff for the correction.

Errata ID: 2071

**Status: Verified
Type: Editorial
Publication Format(s) : TEXT**

Reported By: Johannes Merkle

Date Reported: 2010-03-10

Verifier Name: Nevil Brownlee

Date Verified: 2013-03-20

Section A.1 says:

p_320 = 1763593322239166354161909842446019520889512772719515192772 9604152886408688021498180955014999035278

It should say:

p_320 = 1763593322239166354161909842446019520889512772719515192772 960415288640868802149818095501499903527

Errata ID: 2083

**Status: Verified
Type: Editorial
Publication Format(s) : TEXT**

Reported By: Alfred Hoenes

Date Reported: 2010-03-21

Verifier Name: Nevil Brownlee

Date Verified: 2013-03-16

Section 1.1, 1st para says:

This RFC specifies elliptic curve domain parameters over prime fields GF(p) with p having a length of 160, 192, 224, 256, 320, 384, and 512 bits. These parameters were generated in a pseudo-random, yet completely systematic and reproducible, way and have been verified to resist current cryptanalytic approaches. The parameters are compliant with ANSI X9.62 [ANSI1] and ANSI X9.63 [ANSI2], ISO/IEC 14888 [ISO1] and ISO/IEC 15946 [ISO2], ETSI TS 102 176-1 [ETSI], as | well as with FIPS-186-2 [FIPS], and the Efficient Cryptography Group (SECG) specifications ([SEC1] and [SEC2]).

It should say:

This RFC specifies elliptic curve domain parameters over prime fields GF(p) with p having a length of 160, 192, 224, 256, 320, 384, and 512 bits. These parameters were generated in a pseudo-random, yet completely systematic and reproducible, way and have been verified to resist current cryptanalytic approaches. The parameters are compliant with ANSI X9.62 [ANSI1] and ANSI X9.63 [ANSI2], ISO/IEC 14888 [ISO1] and ISO/IEC 15946 [ISO2], ETSI TS 102 176-1 [ETSI], as | well as with FIPS-186-2 [FIPS], and the Standards for Efficient Cryptography Group (SECG) specifications ([SEC1] and [SEC2]).

Notes:

Rationale: incomplete expansion of acronym.

Additional note:

In Section 7.2, two of the references quoted here should perhaps better point to the current versions of the documents:

[SEC1] "SEC1: Elliptic Curve Cryptography", Version 2.0, May 2009.

[FIPS] NIST, "Digital Signature Standard (DSS)", FIPS PUB 186-3, November 2008.

Errata ID: 2084

**Status: Verified
Type: Editorial
Publication Format(s) : TEXT**

Reported By: Alfred Hoenes

Date Reported: 2010-03-21

Verifier Name: Nevil Brownlee

Date Verified: 2013-03-16

Section 2., 1st para says:

Throughout this memo, let p > 3 be a prime and GF(p) a finite field | (sometimes also referred to as Galois Field or GF(p)) with p elements. [...]

It should say:

Throughout this memo, let p > 3 be a prime and GF(p) a finite field | (sometimes also referred to as Galois Field or F_p) with p elements. [...]

or perhaps more precisely:

Throughout this memo, let p > 3 be a prime and GF(p) a finite field | (Galois Field) with p elements (sometimes also referred to as F_p). [...]

Notes:

Rationale:

... GF(p) ... sometimes also referred to as ... GF(p) ... does not make sense.

The original version from the draft did make sense -- mentioning _another_ common notion, "F_p".

Errata ID: 4701

**Status: Verified
Type: Editorial
Publication Format(s) : TEXT**

Reported By: Mirko Dressler

Date Reported: 2016-05-25

Verifier Name: Nevil Brownlee

Date Verified: 2016-06-08

Section A.2 says:

Seed_ab_384 for brainpoolP384r1: BCFBFA1C877C56284DAB79CD4C2B3293D20E9E5E

| Seed_ab_512 for brainpoolP384r1: AF02AC60ACC93ED874422A52ECB238FEEE5AB6AD

It should say:

Seed_ab_384 for brainpoolP384r1: BCFBFA1C877C56284DAB79CD4C2B3293D20E9E5E

| Seed_ab_512 for brainpoolP512r1: AF02AC60ACC93ED874422A52ECB238FEEE5AB6AD

Notes:

Copy/Paste-Error, change noted as correct by Manfred Lochter

Errata ID: 5075

**Status: Verified
Type: Editorial
Publication Format(s) : TEXT**

Reported By: Taylor R Campbell

Date Reported: 2017-08-01

Verifier Name: RFC Editor

Date Verified: 2017-08-01

Section 2.2 and 7.2 says:

2.2. Technical Requirements

[...]

This property permits the use of the arithmetical advantages of curves with A = -3, as shown by Brier and Joyce [BJ].

7.2. Informative References

[...]

[BJ] Brier, E. and M. Joyce, "Fast Multiplication on Elliptic Curves through Isogenies", Applied Algebra Algebraic Algorithms and Error-Correcting Codes, Lecture Notes in Computer Science 2643, Springer Verlag, 2003.

It should say:

2.2. Technical Requirements

[...]

This property permits the use of the arithmetical advantages of curves with A = -3, as shown by Brier and Joye [BJ].

7.2. Informative References

[...]

[BJ] Brier, E. and M. Joye, "Fast Multiplication on Elliptic Curves through Isogenies", Applied Algebra Algebraic Algorithms and Error-Correcting Codes, Lecture Notes in Computer Science 2643, Springer Verlag, 2003.

Notes:

The author's name is Marc Joye, not Marc Joyce. See the original paper here: https://link.springer.com/chapter/10.1007/3-540-44828-4_6