Possibly, but they have reasons to recommend methods that they believe foreign governments cannot break.
The equation of the P-384 curve isy² = x³ + ax + bworking over the field of integers modulo a prime p.
We will go into each of the specific parameters a, b, and p, and discuss how they were chosen.
Modulus pConsisting with the naming conventions for elliptic curves used in cryptography, the name “P-384” tells you that the curve is over a prime field where the prime is a 384-bit integer.
Specifically, the order of the field isp = 2384 – 2128 – 296 + 232 – 1For a given number of bits, in this case 384, you want to pick a prime that’s relatively near the maximum size for that number of bits.
In our case, our prime p is a prime near 2384 with a convenient bit pattern.
Hasse’s theorem says that the number of points on a curve modulo a large prime is on the order of magnitude equal to the prime, so P-384 contains approximately 2384 points.
In fact, the number of points n on the curve is39402006196394479212279040100143613805079739270465446667946905279627659399113263569398956308152294913554433653942643or approximately 2384 – 2190.
The number n is a prime, and so it is the order of P-384 as a group.
Linear coefficient aAccording to a footnote in the standard defining P-384, FIPS PUB 186-4,The selection a ≡ -3 for the coefficient of x was made for reasons of efficiency; see IEEE Std 1363-2000.
Constant coefficient bThe curve P-384 has Weierstrass formy² = x³ – 3x + bwhere b is27580193559959705877849011840389048093056905856361568521428707301988689241309860865136260764883745107765439761230575.
The parameter b is between 2383 and 2384 but doesn’t have any particular binary pattern:101100110011000100101111101001111110001000111110111001111110010010011000100011100000010101101011111000111111100000101101000110010001100000011101100111000110111011111110100000010100000100010010000000110001010000001000100011110101000000010011100001110101101011000110010101100011100110001101100010100010111011010001100111010010101010000101110010001110110111010011111011000010101011101111The specification says that b was chosen at random.
How can you convince someone that you chose a parameter at random?The standard gives a 160-bit seed s, and a hash-based algorithm that s was run through to create a 384-bit parameter c.
Then b is the solution tob² c = -27 mod p.
The algorithm going from the s to c is given in Appendix D.
6 and is a sort of key-stretching algorithm.
The standard cites ANS X9.
62 and IEEE Standard 1363-2000 as the source of the algorithm.
If b was designed to have a back door, presumably a tremendous amount of computation had to go into reverse engineering the seed s.
Koblitz and Menezes wrote a paper in which they suggest a way that the NSA might have picked seeds that lead to weak elliptic curves, but then argue against it.
It is far-fetched to speculate that the NSA would have deliberately selected weak elliptic curves in 1997 for U.
government usage … confident that no one else would be able to discover the weakness in these curves in the ensuing decades.
Such a risky move by the NSA would have been inconsistent with the Agency’s mission.
Related postsWhat is an elliptic curve?Naming elliptic curves used in cryptographyEncryption posts.. More details