3.5.3 Are elliptic curve cryptosystems widely used?
Elliptic curve cryptosystems have emerged as a promising new area in public-key cryptography in recent years due to their potential for offering similar security to established public-key cryptosystems with reduced key sizes. Improvements in various aspects of implementation, including the generation of elliptic curves, have made elliptic curve cryptography more practical than when it was first introduced in the mid-1980s.
Elliptic curve cryptosystems are especially useful in applications for which memory, bandwidth, or computational power is limited. It is expected that the use of elliptic curve cryptosystems in these special areas will continue to grow in the future.
Standards efforts for elliptic curve cryptography are well underway. X9.F.1, an ANSI-accredited standards committee for the financial services industry, is developing two standards: ANSI X9.62 for digital signatures and ANSI X9.63 for key agreement and key transport. IEEE P1363 is working on a general reference for public-key techniques from several families, including elliptic curves.
Recently, NIST recommended a certain set of elliptic curves for government use. This set of curves can be divided into two classes: curves over a prime field GF(p) and curves over a binary field GF(2^m). The curves over GF(p) are of the form
y^2 = x^3 - 3x + b
with b random, while the curves over GF(2^m) are either of the form
y^2 + xy = x^3 + x^2 + b
with b random or Koblitz curves. A Koblitz curve has the form
y^2 + xy = x^3 + ax^2 + 1
with a = 0 or 1.