NIST: FIPS 186
In 1994, the National Institute of Standards and Technology (NIST), in collaboration with the National Security Agency (NSA), proposed a Federal Information Processing Standard (FIPS 186) with the title Specifications for the Digital Signature Standard (DSS) [1]. This document standardized the Digital Signature Algorithm (DSA) as the only option for digital signatures. Since then, four revisions have been released FIPS 186–1 in 1998 [2], FIPS 186–2 in 2000 [3], FIPS 186–3 in 2009 [4], and FIPS 186–4 in 2013 [5]. Furthermore, a draft of FIPS-5 was released in 2019 [6].
The first revision that approved ECDSA was FIPS 186-2 with a short commentary, a reference to X9.62 (1998), and recommended elliptic curves in an appendix. This was historically the first standardization of elliptic curve parameters. The curves were divided into two categories: pseudorandom curves (coefficients are generated from the output of a seeded hash) and special curves (coefficients are selected to optimize the efficiency). The standard recommends for each bit-length of a prime, a pseudorandom curve: P-192, P-224, P-256, P-384, P-521. The standard specifies all the parameters, including the seeds, but for the method of generation, the reader is referenced to X9.62 (1998) and IEEE P1363 (with a brief summary in the appendix). All the curves have cofactor one, which is not a necessary condition in X9.62. The FIPS 186-3 revision keeps following the X9.62 (2005) standard but further specifies the size of the cofactor for five ranges of order. The recommended elliptic curves remain the same. The current FIPS 186-4 revision didn't change any recommendations about the proposed elliptic curves.
The sources of the curves are not fully explained. The curves themselves were suggested by Jerry Solinas, a former employee of NSA [7], and firstly appeared in the SEC 2 standard in 2000. Two of the curves (P-192 and P-256) already appeared in X9.62 (1998) but only as samples of curves that may be used to ensure the correct implementation of the standard (X9.62 1998 did not standardize any elliptic curves).
The draft of FIPS 186-5 proposes major changes. Firstly, since X9.62 was withdrawn in 2015 [8], the details of the generation of elliptic curves have been added to the draft of Special Publication 800-186 [9] (this document also recommends the Brainpool curves). The P-192 is no longer recommended and can be used only for legacy use. The standard proposes EdDSA as a signature algorithm with two curves Edwards25519 and Edwards448 [10].
- FIPS 186: Digital Signature Standard (DSS)
- FIPS 186-1: Digital Signature Standard (DSS)
- FIPS 186-2: Digital Signature Standard (DSS)
- FIPS 186-3: Digital Signature Standard (DSS)
- FIPS 186-4: Digital Signature Standard (DSS)
- FIPS 186-5: Digital Signature Standard (DSS)
- Michael Scott article
- IETF mail archive
- Recommendations for Discrete Logarithm-Based Cryptography: Elliptic Curve Domain Parameters
- NIST status update on Elliptic Curves and Post-Quantum Crypto