January 12, 1998
PKCS #13: Elliptic Curve Cryptography Standard is a new document being developed by RSA Laboratories as part of its Public-Key Cryptography Standards (PKCS) series, covering public-key techniques based on elliptic curve cryptography.
Elliptic curve cryptography has emerged as a promising new branch of public-key cryptography in recent years, due to its potential for offering similar security to established public-key cryptosystems at reduced key sizes. Improvements in various aspects of implementation, including the generation of elliptic curves, have made elliptic curve cryptography more practical than it was when first introduced in the 1980's. As security of elliptic curve cryptography becomes better understood, an opportunity is available is develop standards for this technology, thereby promoting interoperability at the same time as implementations are being deployed.
Standards efforts for elliptic curve cryptography are already underway. X9.F.1, an ANSI-accredited standards committee for the financial services industry , is developing two standards: ANSI X9.62 for digital signatures and ANSI X9.63 for key agreement and key transport. IEEE P1363  is working on a general reference for public-key techniques from several families, including elliptic curves. PKCS #13 will complement the others, providing a profile of the other standards in the PKCS format and giving guidance for incorporating elliptic curve cryptography into other PKCS #based applications such as those based on PKCS #11  or PKCS #7 .
For more information on elliptic curve cryptosystems, see the survey article by Matt Robshaw and Yiqun Lisa Yin  or the CryptoBytes article by Alfred Menezes .
PKCS #13 will address the following aspects of elliptic curve cryptography:
- parameter generation and validation
- key generation and validation
- digital signatures
- public-key encryption
- key agreement
- ASN.1 syntax for parameters, keys, and scheme identification
- security considerations
The document will follow a similar format to other PKCS documents such as PKCS #1.
PKCS #13 will generally track X9.62, X9.63 and P1363 with some degree of balance among the specifications given in the other documents. Some particular points of note are as follows:
Parameters and keys: Same general definitions as X9.62 and P1363. Types of finite field may be limited.
Signature schemes: ECDSA, as in X9.62, possibly with an arbitrary hash function as in P1363.
Encryption schemes: To be determined. Some work is underway in X9.63. P1363 does not specify an elliptic curve encryption scheme. An important technical issue is how to encrypt a message which, when appropriately padded, is larger than the underlying "block size" (i.e., key size) of the elliptic curve.
Key agreement schemes: To be determined. P1363 specifies an elliptic curve key agreement scheme, and some work is underway in X9.63 as well.
PKCS #13 will be developed according to the usual PKCS process, which is an informal, open process moderated by RSA Laboratories and benefiting from the contributions of many security developers and users. Discussions will conducted initially on the email@example.com list. To subscribe, send a message with the body
For more information, contact the PKCS Editor at firstname.lastname@example.org .
The PKCS #13 project is just started as of this writing (January 1998).
Accredited Standards Committee X9 - Financial Services. http://www.x9.org/.
IEEE P1363: Standard Specifications for Public-Key Cryptography. http://grouper.ieee.org/groups/1363/.
PKCS #7: Cryptographic Message Syntax Standard, version 1.5. RSA Laboratories, November 1993. http://www.rsasecurity.com/rsalabs/pkcs/.
PKCS #11: Cryptographic Token Interface Standard (Cryptoki), version 2.01. RSA Laboratories, December 1997. http://www.rsasecurity.com/rsalabs/pkcs/.
M.J.B. Robshaw and Yiqun Lisa Yin. Elliptic Curve Cryptosystems. RSA Laboratories, June 27, 1997.
Alfred Menezes. Elliptic curve cryptosystems. RSA Laboratories' CryptoBytes , vol. 1, no. 2, Summer 1995. http://www.rsasecurity.com/rsalabs/cryptobytes/.