# Elliptic Curve Cryptography - Implementation Considerations - Domain Parameters

To use ECC all parties must agree on all the elements defining the elliptic curve, that is, the domain parameters of the scheme. The field is defined by p in the prime case and the pair of m and f in the binary case. The elliptic curve is defined by the constants a and b used in its defining equation. Finally, the cyclic subgroup is defined by its generator (aka. base point) G. For cryptographic application the order of G, that is the smallest non-negative number n such that, is normally prime. Since n is the size of a subgroup of it follows from Lagrange's theorem that the number is an integer. In cryptographic applications this number h, called the cofactor, must be small and, preferably, . Let us summarize: in the prime case the domain parameters are and in the binary case they are .

Unless there is an assurance that domain parameters were generated by a party trusted with respect to their use, the domain parameters must be validated before use.

The generation of domain parameters is not usually done by each participant since this involves counting the number of points on a curve which is time-consuming and troublesome to implement. As a result several standard bodies published domain parameters of elliptic curves for several common field sizes. Such domain parameters are commonly known as "standard curves" or "named curves"; a named curve can be referenced either by name or by the unique object identifier defined in the standard documents:

• NIST, Recommended Elliptic Curves for Government Use
• SECG, SEC 2: Recommended Elliptic Curve Domain Parameters
• ECC Brainpool, ECC Brainpool Standard Curves and Curve Generation

SECG test vectors are also available. NIST has approved many SECG curves, so there is a significant overlap between the specifications published by NIST and SECG. EC domain parameters may be either specified by value or by name.

If one (despite the said above) wants to build one's own domain parameters one should select the underlying field and then use one of the following strategies to find a curve with appropriate (i.e., near prime) number of points using one of the following methods:

• select a random curve and use a general point-counting algorithm, for example, Schoof's algorithm or Schoof–Elkies–Atkin algorithm,
• select a random curve from a family which allows easy calculation of the number of points (e.g., Koblitz curves), or
• select the number of points and generate a curve with this number of points using complex multiplication technique.

Several classes of curves are weak and should be avoided:

• curves over with non-prime m are vulnerable to Weil descent attacks.
• curves such that n divides (where p is the characteristic of the fieldq for a prime field, or for a binary field) for sufficiently small B are vulnerable to MOV attack which applies usual DLP in a small degree extension field of to solve ECDLP. The bound B should be chosen so that discrete logarithms in the field are at least as difficult to compute as discrete logs on the elliptic curve .
• curves such that are vulnerable to the attack that maps the points on the curve to the additive group of