Cryptographic applications based on elliptic curves over finite fields currently represent the most efficient asymmetric cryptography method. This is because, with elliptic curves, by contrast with the first-generation asymmetric cryptography method, there are no known methods of attack with a subexponential running time. Consequently the security gain per bit of the security parameter used is greater, so that significantly shorter key lengths can be used for practical applications. The resulting methods perform better and need a smaller bandwidth for transmission of the system parameters than other asymmetric cryptography methods with comparable security.
To operate such methods different data must be stored. These include on the one hand the key material which is assigned to each user of the system individually, and also the general system parameters. These system parameters are publicly known and all users of the cryptographic methods employ the same system parameters. Parts of the system parameters are implicitly known to all users through the cryptographic methods used or through their implementation, other values must be permanently stored by each user, for example in a non-volatile memory (PROM, EEPROM, flash, other data media etc.).
With cryptographic methods based on the point group of an elliptic curve over a finite field these general system parameters at least consist of data for definition of the finite field used (prime number, prime number power and/or irreducible polynomial) and the curve parameters for defining the elliptic curve used. If necessary there is also further data for definition of the coordinates of a base point or the power of the point group and/or a subgroup.
With low-cost cryptographic products for mass application, such as RFIDs or special ICs for protecting against plagiarism for example, there is already the requirement to reduce the unit price costs as far as possible. The manufacturing costs of such semiconductor products are primarily governed by the chip surface needed which in its turn depends on the capacity required for non-volatile memory. To this extent a need exists to further reduce the required storage capacity for system parameters to be stored permanently in such methods.