<?xml version="1.0" encoding="US-ASCII"?>

<!--
    XML2RFC offers an include feature described in the XML2RFC README
    file.  That syntax, however, contradicts the DTD requirements to
    have <reference> elements within the <references> element, so an 
    XML parser is likely to find your XML file invalid.  It may be
    possible that XML2RFC will change their DTD so that the XML file
    remains valid when their style of include is used.

    In the meantime therefore, we use an alternative valid-XML approach
    to includes, which unfortunately requires that you define your includes
    at the beginning of the file. Since the biggest benefit of includes
    is for references, this requires that your references be defined in
    ENTITY clauses here before being "included" and cited elsewhere in
    the file.
  -->
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
	  <!ENTITY rfc2629 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2629.xml">
	  <!ENTITY rfc2863 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2863.xml">
	  <!ENTITY rfc3418 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3418.xml">
	  <!ENTITY rfc4181 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4181.xml">
	  <!ENTITY rfc2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
	  <!ENTITY rfc2578 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2578.xml">
	  <!ENTITY rfc2579 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2579.xml">
	  <!ENTITY rfc2580 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2580.xml">
	  <!ENTITY rfc3410 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3410.xml">
	  <!-- duplicate of the rfc2119 ENTITY declared above; an XML processor binds the first declaration and ignores this one: <!ENTITY rfc2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml"> -->
	  ]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc toc="yes"?>
<?rfc symrefs="no"?>
<?rfc compact="no"?>
<?rfc subcompact="no"?>
<?rfc strict="no"?>
<?rfc rfcedstyle="yes"?>
<?rfc compact="yes"?>
<!--
    This template is for authors of IETF specifications containing MIB
    modules.  This template can be used as a starting point to produce
    specifications that comply with the Operations & Management Area
    guidelines for MIB module documents.
  -->
<!--
    Throughout this template, the marker "<xref target='TODO' />" is used to indicate an
    element or text that requires replacement or removal.
  -->
<!-- Intellectual Property section -->
<!--
    The Intellectual Property section will be generated automatically by
    XML2RFC, based on the ipr attribute in the rfc element.
  -->
<!-- 

     <xref target='TODO' />For Internet-drafts, indicate which intellectual property notice 
     to use per the rules of RFC3978.
     Specify this in the ipr attribute.  The value can be:
     full3978 -
     noModification3978 -
     noDerivatives3978 -
     <xref target='TODO' /> Specify the category attribute per RFC2026 
     options are info, std, bcp, or exp.
     <xref target='TODO' /> if this memo updates an RFC, specify the RFC in the 
     "updates" attribute
     -->

<rfc category="info" submissionType="IETF" consensus="no" ipr="trust200902" docName="draft-kato-fsu-key-exchange-01" >
  
  <front>
    
    <title abbrev="FSU Key Exchange">FSU Key Exchange</title>

    
    <!-- see RFC2223 for guidelines regarding author names -->
 
    <author fullname="Akihiro Kato" initials="A." 
            surname="Kato">
      <organization>NTT Software Corporation</organization>

      <address>
	<!--
            <postal>
              <street>Teisan Kannai Bldg. 209 Yamashita-cho, Naka-ku</street>

              <city>Yokohama-shi, Kanagawa 231-8551</city>

              <country>Japan</country>
            </postal>

            <phone>+81 45 212 7908</phone>
	    -->
        <email>kato.akihiro-at-po.ntts.co.jp</email>
      </address>
    </author>
    <author fullname="Thomas Hardjono" initials="T." 
            surname="Hardjono">

      <organization>MIT</organization>

      <address>
	<!--
            <postal>
              <street>Teisan Kannai Bldg. 209 Yamashita-cho, Naka-ku</street>

              <city>Yokohama-shi, Kanagawa 231-8551</city>

              <country>Japan</country>
            </postal>

            <phone>+81 45 212 7908</phone>
	    -->
        <email>hardjono-at-mit.edu</email>
      </address>
    </author>    
        <author fullname="Tetsutaro Kobayashi" initials="T." 
            surname="Kobayashi">

      <organization>NTT</organization>

      <address>
	<!--
            <postal>
              <street>Teisan Kannai Bldg. 209 Yamashita-cho, Naka-ku</street>

              <city>Yokohama-shi, Kanagawa 231-8551</city>

              <country>Japan</country>
            </postal>

            <phone>+81 45 212 7908</phone>
	    -->
        <email>kobayashi.tetsutaro-at-lab.ntt.co.jp</email>
      </address>
    </author>
    <author fullname="Tsunekazu Saito" initials="T." 
            surname="Saito">

      <organization>NTT</organization>

      <address>
	<!--
            <postal>
              <street>Teisan Kannai Bldg. 209 Yamashita-cho, Naka-ku</street>

              <city>Yokohama-shi, Kanagawa 231-8551</city>

              <country>Japan</country>
            </postal>

            <phone>+81 45 212 7908</phone>
	    -->
        <email>saito.tsunekazu-at-lab.ntt.co.jp</email>
      </address>
    </author>
    <author fullname="Koutarou Suzuki" initials="K." 
            surname="Suzuki">

      <organization>NTT</organization>

      <address>
	<!--
            <postal>
              <street>Teisan Kannai Bldg. 209 Yamashita-cho, Naka-ku</street>

              <city>Yokohama-shi, Kanagawa 231-8551</city>

              <country>Japan</country>
            </postal>

            <phone>+81 45 212 7908</phone>
	    -->
        <email>suzuki.koutarou-at-lab.ntt.co.jp</email>
      </address>
    </author>

    <!-- <xref target='TODO' />: month and day will be generated automatically by XML2RFC; 
	 be sure the year is current.
      -->

    <date year="2016" />


    <workgroup></workgroup>

    <keyword>Optimal Ate Pairing, Elliptic Curve Cryptography, Barreto-Naehrig Curve</keyword>

    

    <abstract>
       <t>
This draft proposes an identity-based authenticated key exchange 
protocol following the extended Canetti-Krawczyk (id-eCK) model. The 
protocol is currently the most efficient among the id-eCK protocols.
</t>
    </abstract>

  </front>

  
  <middle>
    <section title="Introduction" anchor="introduction">
       <t>

Authenticated key exchange (AKE) is a core security function within many 
deployed systems today. It is a foundational function that allows 
end-users and systems alike to be authenticated prior to accessing 
resources and services. Over the past two decades many key exchange schemes 
have been proposed, based on symmetric and asymmetric key cryptography.

</t>

<t>A more recent approach to AKE protocols has been the introduction of 
identity binding into the exchange <xref target='IBE' /> 
<xref target='BONE_FRANKLIN' />, obviating the need to rely on a public key 
infrastructure in which digital certificates need to be exchanged by 
users or end-points that wish to communicate signed and/or encrypted 
messages.</t>

<t>Identity-based AKE (ID-AKE) schemes rely on the use of the trusted 
intermediary referred to as the Key Generation Center (KGC). The role of 
the KGC, among others, is to generate a pair of master public and secret 
keys based on the user's identity and to extract a user's secret key 
corresponding to his or her identity.</t>

<t>In a 2-pass ID-AKE scheme, an "initiator" entity wishing to share a key 
with a second entity (referred to as the "responder") sends ephemeral 
public information to the responder. In its turn, the responder sends 
its own ephemeral public information to the initiator entity. Following 
this, each entity then generates a session key from a number of 
parameters, notably its own secret key (given by the KGC), 
its own secret value of the ephemeral information, the identity of 
the peer it is communicating with, and the ephemeral information it 
received from that peer.</t>

<t>We propose a provably secure ID-AKE scheme called "FSU" <xref 
target='FHKSUY' /> <xref target='FSU2010' /> <xref 
target='ISO_IEC11770_3' /> based on the previous model of  <xref 
target='HUANG_CAO' />  and which builds on the previous efforts in  
<xref target='CK2001' /> 
 <xref target='LLM2007' /> . 
The model underlying the FSU was chosen due to the merit of provable 
security based on an adversarial model in which the adversary has the 
freedom to choose which keys to reveal.
</t>

   <section title="Our Motivation" anchor="Motivation">
<t>
In order to establish secure communications, encryption is used, and a
key exchange protocol is necessary in order to use encryption.

If the key exchange protocol has a vulnerability, an attacker can intercept
all messages, so the encrypted session becomes meaningless.

In practice, man-in-the-middle attacks and the forward security of a key exchange
protocol are serious issues.
</t>

<t>
In recent years, IoT technology has attracted much attention.

It is expected that 26-30 billion devices will be wirelessly connected by
2020.
Setting up a huge number of devices with certificates or passwords for
key exchange, and maintaining those certificates or passwords, is very
costly.

Furthermore, leakage of a secret key for key exchange or of a session key
for encryption is likely to occur because of the resource restrictions of a
device and the installation environment of a device.
</t>

<t>
To resolve the above problems, we propose an ID-based authenticated key exchange
protocol, FSU.

In usual PKI-based cryptography, a device must set up a password or generate
its own secret key.

On the other hand, in the FSU protocol a trusted third party generates the
secret keys for a huge number of IoT devices, so the manufacturer and users of
the devices can maintain the secret keys for the devices in a unified manner.

The FSU protocol uses an existing ID, which can be any string, e.g., an e-mail
address or a serial number, as the public key instead of a certificate or password.

Thus, the authentication server is no longer required to manage the certificates
and passwords of devices.

Finally, the FSU protocol provides the highest security against leakage of
secret keys.
Thus, the security of a session key is preserved even if some secret keys are
leaked because of the resource restrictions and installation environment of
devices.
</t>
</section>

    </section>
    <section title="Requirements Terminology">
      <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", 
	and "OPTIONAL" in this memo are to be interpreted as described in <xref target="RFC2119"/>. </t>
    </section>

    <section anchor="notation" title="Notation">
      <t>This section shows notation used in this memo.</t>

      <t>Let F_q be a finite field with q = p^n elements for a prime p and an integer n and let E(F_q) be an elliptic curve with an order r and an embedding degree k defined over F_q. An embedding degree k is defined as a minimum integer k such that r is a divisor of q^k - 1.</t>

      <t>Let G_1 (resp.  G_2) be an additive group with an order r generated
   by E(F_q) (resp.  E'(F_q)).  Let G_T be a multiplicative group with
   the same order r.  Let P_1, P_2 be generators of G_1, G_2 respectively.
   We say that (G_1, G_2, G_T) are bilinear map groups if there exists a
   pairing e: (G_1, G_2) -> G_T satisfying the following properties: </t>
      <t>
	<list style="numbers">
	  <t> Bilinearity: for any Q_1 in G_1, for any Q_2 in G_2, for any a, b in
       Z_r, we have the relation e(aQ_1, bQ_2) = e(Q_1,Q_2)^{ab}.</t>
	  <t>Non-degeneracy: for any Q_1 in G_1, e(Q_1,Q_2) = 1 only if Q_2 = O_{G_2}
       and for any Q_2 in G_2, e(Q_1,Q_2) = 1 only if Q_1 = O_{G_1}.</t>
	  <t>Computability: for any Q_1 in G_1, for any Q_2 in G_2, the bilinear
       map is efficiently computable.</t>
	  <!--<t>There exists an efficient, publicly computable isomorphism I: G_2 -> G_1 such that I(Q) = P.</t>-->
	</list>
      </t>

	<t>This pairing is described in the optimal ate pairing 
specification <xref target="draft-kato-optimal-ate" />. It is 
defined by Pairing-Param-ID in the following way.

	</t>
	<figure>
	<artwork>
   Pairing-Param-ID = {
       G1-Curve-ID,
       G2-Curve-ID,
       GT-Field-ID
   }</artwork>
	</figure>
	    <t>G1-Curve-ID and G2-Curve-ID are identifiers of elliptic curves, and
GT-Field-ID is an identifier of the finite field in which the range 
G_T lies. G1-Curve-ID, G2-Curve-ID and GT-Field-ID are described in <xref target="draft-kasamatsu-bncurves" /> in the 
following way.</t>
	<figure>
	  <artwork>
   G1-Curve-ID = {
       p_b    : A prime specifying base field F_p.
       A, B   : The coefficients of the equation y^2 = x^3 + A * x + B
               defining E.
       G = (x, y) : The base point, i.e., a point with x and y
                being its x- and y-coordinates in E, respectively.
       r      : The prime order of the group generated by G.
       h      : The cofactor of G in E.
  }
   G2-Curve-ID = {
       p_b    : A prime specifying base field F_p.
       e2     : The constant of an irreducible polynomial specifying
                extension field F_{p^2} = Fp[u] / (u^2 - e2).
       A', B' : The coefficients of the equation y^2 = x^3 + A' * x + 
                  B' defining E'.
       G' = (x', y') : The base point, i.e., a point with x' and y'
                being its x- and y-coordinates in E', respectively.
       r'      : The prime order of the group generated by G'.
       h'      : The cofactor of G' in E'.
  }

  GT-Field-ID = {
       p_b    : A prime specifying base field.
       r      : The prime order of the subgroup of F_{p^12}.
       e2     : The constant of the irreducible polynomial of F_{p^2} =
                F_p [u] / (u^2 - e2).
       e6     : The constant of the irreducible polynomial of F_{p^6} =
                F_{p^2}[v] / (v^3 - e6).
       e12    : The constant of the irreducible polynomial of F_{p^12}
                = F_{p^6}[w] / (w^2 - e12).
       h''    : The cofactor of G_T
   }</artwork>
	</figure>

      <t>In addition, this memo uses the following functions.</t>
      <t>floor(x) : The function returning an integer such that max{x' in Z | x' &lt;= x}.</t>
      <t>ceil(x) : The function returning an integer such that min{x' in Z | x' &gt;= x}.</t>
      <t>O_E : The point at infinity over elliptic curve E.</t>
    </section>

    <section anchor="parameter-requirements" title="Data Type and Its Conversions">
      <t>This section describes data type and its conversion used in this memo.</t>
      <section anchor="bs2osp" title="BitString-to-OctetString Conversion (BS2OSP)">
	<t>This memo uses conversion from bit strings to octet strings. Informally, the idea is to pad the bit string with 0's on the left to make its length a multiple of 8, then chop the result up into octets. Formally, the conversion routine, BS2OSP(B), is specified in <xref target="construction-of-bs2osp"/>.</t>
      </section>

      <section anchor="os2bsp" title="OctetString-to-BitString Conversion (OS2BSP)">
	<t>This memo uses conversion from octet strings to bit strings. Informally, the idea is simply to view the octet string as a bit string. Formally, the conversion routine, OS2BSP(M), is specified in <xref target="construction-of-os2bsp" />.</t>
      </section>

      <section anchor="fe2ip" title="FieldElement-to-Integer Conversion (FE2IP)">
	<t>This memo uses conversion from field elements to integers. A finite field element should be represented as a polynomial with subfield coefficients, which can be represented as a sequence of the coefficients. Informally, the idea is simply to view the sequence of the coefficients as the radix-p^m representation of the base field elements, where p^m is the number of the subfield elements. Formally, the conversion routine, FE2IP(a), is specified in <xref target="construction-of-fe2ip" />.</t>
      </section>

      <section anchor="i2fep" title="Integer-to-FieldElement Conversion (I2FEP)">
	<t>This memo uses conversion from integers to field elements. A field element should be represented as a polynomial with subfield coefficients, and it can be represented as a sequence of the coefficients. Informally, the idea is to represent the integer in the radix-p^m positional number system, where p^m is the number of the subfield elements, and then convert each digit to the corresponding coefficient of the polynomial. Formally, the conversion routine, I2FEP(x), is specified in <xref target="construction-of-i2fep" />.</t>
      </section>

      <section anchor="fe2osp" title="FieldElement-to-OctetString Conversion (FE2OSP)">
	<t>This memo uses conversion from field elements to octet strings. This conversion is constructed by using the FE2IP and I2OSP conversions. Formally, the conversion routine, FE2OSP(a), is specified in <xref target="construction-of-fe2osp" />.</t>

      </section>

      <section anchor="os2fep" title="OctetString-to-FieldElement Conversion (OS2FEP)">
	<t>This memo uses conversion from octet strings to field elements. This conversion is constructed by using OS2IP and I2FEP conversions. Formally, the conversion routine, OS2FEP(M), is specified in <xref target="construction-of-os2fep" />.</t>
      </section>

      <section anchor="ecp2osp" title="EllipticCurvePoint-to-OctetString Conversion (ECP2OSP)">
	<t>This memo uses conversion from elliptic curve points to octet strings. Informally the idea is that, if point compression is being used, the compressed y-coordinate is placed in the leftmost octet of the octet string along with an indication that point compression is on, and the x-coordinate is placed in the remainder of the octet string; otherwise if point compression is off, the leftmost octet indicates that point compression is off, and remainder of the octet string contains the x-coordinate followed by the y-coordinate. Formally, the conversion routine, ECP2OSP(P,R), is specified in <xref target="construction-of-ecp2osp" />.</t>
      </section>

      <section anchor="os2ecpp" title="OctetString-to-EllipticCurvePoint Conversion (OS2ECPP)">
	<t>This memo uses conversion from octet strings to elliptic curve points. Informally, the idea is that, if the octet string represents a compressed point, the compressed y-coordinate is recovered from the leftmost octet, the x-coordinate is recovered from the remainder of the octet string, and then the point compression process is reversed; otherwise the leftmost octet of the octet string is removed, the x-coordinate is recovered from the left half of the remaining octet string, and the y-coordinate is recovered from the right half of the remaining octet string. Formally, the conversion routine, OS2ECPP(M), is specified in <xref target="construction-of-os2ecpp" />.</t>
      </section>

    </section>
    
    <section anchor="building-block" title="Building Block of FSU Key Exchange">
      <t>This section describes the building blocks used to construct FSU Key Exchange.</t>
      <section anchor="key-derivation-function" title="Key Derivation Function">
	<t>MGF1 is a mask generation function, parameterized by a hash function. MGF1(M,n) is defined as follows:</t>
	<t>System parameters:</t>
	<t>
	  <list style="symbols">
	    <t>Hash : a hash function</t>
	    <t>hashLen : the length in octets of the hash function output</t>
	  </list>
	</t>
	<t>Input: </t>
	<t>
	  <list style="symbols">
	    <t>M : a seed from which a mask is generated, an octet string</t>
	    <t>n : the octet length of the output, a positive integer</t>
	  </list>
	</t>
	<t>Output: </t>
	<t>
	  <list style="symbols">
	    <t>mask : a mask, an octet string of length n</t>
	  </list>
	</t>

	<t>Method: </t>
	<t>
	  <list style="numbers">
	    <t>Let n_0 be the octet length of M. If n_0 + 4 is greater than the input limitation for the hash function, output INVALID and stop.</t>
	    <t>Set cThreshold = ceil(n / hashLen)</t>
	    <t>If cThreshold > 2^32, output INVALID and stop</t>
	    <t>Let M' be the empty octet string</t>
	    <t>Set counter = 0</t>
	    <t>B = B_{0}, ..., B_{31} such that counter = B_{31} + B_{30}*2 + ... + B_{0}*2^{31}</t>
	    <t>Compute C = BS2OSP(B)</t>
	    <t>Compute H = Hash(M||C)</t>
	    <t>Set M' = M'||H</t>
	    <t>Set counter = counter + 1</t>
	    <t>If counter &lt; cThreshold, go back to step 6.</t>
	    <t>Set mask = M'_0M'_1...M'_{n-1} where M' = M'_0M'_1M'_2...</t>
	    <t>Output mask</t>
	  </list>
	</t>
      </section>
      <section anchor="hashing-to-point" title="Hashing to Point">
	<t>A hashed value should be converted to an elliptic curve point as described in this section. Formally, the conversion routine, HASHINGTOPOINT(Curve-ID, Hash, M), is specified as follows:</t>
	<t>Input: </t>
	<t>
	  <list style="symbols">
	    <t>Curve-ID : an elliptic curve parameter</t>
	    <t>Hash : a hash function</t>
	    <t>M : an octet string</t>
	  </list>
	</t>
	<t>Output: </t>
	<t>
	  <list style="symbols">
	    <t>P : an elliptic curve point</t>	    
	  </list>
	</t>
	<t>Method: </t>
	<t>
	  <list style="numbers">
	    <t>Set i = 0</t>
	    <t>B = B_{0}, ..., B_{15} such that the counter i = B_{15} + B_{14}*2 + ... + B_{0}*2^{15}</t>
	    <t>Compute C = BS2OSP(B)</t>
	    <t>x_0 = OS2FQE(C||M, Hash, F_{p^m}) in F_{p^m}</t>
	    <t>t = x_0^3 + A * x_0 + B</t>
	    <t>If t=0, set P =(x_0, 0) and output h'*P</t>
	    <t>If t is not square in F_{p^m}, set i = i + 1 and go back to step 2</t>
	    <t>Set alpha be one of square roots of t. Then, -alpha is another square root of t.</t>
	    <t>Set y_1 = FE2IP(alpha)</t>
	    <t>Set y_2 = FE2IP(-alpha)</t>
	    <t>If y_1 &gt; y_2, set y_0 = -alpha</t>
	    <t>Else (i.e. y_1 &lt;= y_2), set y_0 = alpha</t>
	    <t>Set P = (x_0, y_0)</t>
	    <t>Output h * P</t>
	  </list>
	</t>
	<section anchor="ihf1" title="IHF1">
	  <t>A bit string should be converted to a hashed non-negative integer less than an assigned integer as described in this section. Formally, the conversion routine, IHF1(s,n,Hash), is defined as follows:</t>
	<t>Input: </t>
	<t>
	  <list style="symbols">
	    <t>s: an octet string</t>
	    <t>n : an integer</t>
	    <t>Hash : a hash function</t>
	  </list>
	</t>
	<t>Output: </t>
	<t>
	  <list style="symbols">
	    <t>v in Z_n</t>
	  </list>
	</t>
	<t>Method: </t>
	<t>
	  <list style="numbers">
	    <t>Set hashLen be the length of the output of the hash function Hash</t>
	    <t>Set h_0 be the zero string of length hashLen</t>
	    <t>h_1 = Hash(h_0 || s)</t>
	    <t>B = B_0,...,B_{l-1} = OS2BSP(h_1)</t>
	    <t>a_1 = sum_{i = 0}^{l-1} 2^{l-1-i} * B_{i}</t>
	    <t>h_2 = Hash(h_1 || s)</t>
	    <t>B = B_0,...,B_{l-1} = OS2BSP(h_2)</t>
	    <t>a_2 = sum_{i=0}^{l-1} 2^{l-1-i} * B_{i}</t>
	    <t>v = 2^{hashLen} * a_1 + a_2 mod n</t>
	    <t>Output v</t>
	  </list>
	</t>
	</section>
	<section anchor="os2fqe" title="OS2FQE">
	  <t>An octet string should be converted to a hashed finite field element as described in this section. Formally, the conversion routine, OS2FQE(s,Hash,F_{p^m}), is defined as follows:</t>
	  <t>Input: </t>
	  <t>
	    <list style="symbols">
	      <t>s: an octet string</t>
	      <t>Hash : a hash function</t>
	      <t>F_{p^m} : a finite field with p^m elements where p is a prime, and m > 0 is an integer</t>
	    </list>
	  </t>
	  <t>Output: </t>
	  <t>
	    <list style="symbols">
	      <t>a: an element in F_{p^m}</t>
	    </list>
	  </t>
	  <t>Method: </t>
	  <t>
	    <list style="numbers">
	      <t>Set i = 0</t>
	      <t>B = B_{0}, ..., B_{31} such that the counter i = B_{31} + B_{30}*2 + ... + B_{0}*2^{31}</t>
	      <t>Compute C =  BS2OSP(B)</t>
	      <t>Compute t_i = IHF1(C||s,p,Hash)</t>
	      <t>If i &lt; m, set i = i + 1 and go back to step 2</t>
	      <t>Compute a = sum_{i=0}^{m-1} t_i * beta^i where beta is the variable of the polynomial</t>
	      <t>Output a</t>
	    </list>
	  </t>
	</section>
      </section>
      <section anchor="group-membership-test" title="Group Membership Test Function">
	<t>GROUPMEMBERSHIPTEST(Curve-ID, P) is a test function that checks whether an elliptic curve
   point is on the correct curve and in the correct group.  GROUPMEMBERSHIPTEST is
   defined as follows:</t>
	  <t>Input: </t>
	  <t>
	    <list style="symbols">
	      <t>Curve-ID : an elliptic curve identifier</t>
	      <t>P = (x,y) : an elliptic curve point</t>
	    </list>
	  </t>
	  <t>Output: </t>
	  <t>
	    <list style="symbols">
	      <t>boolean : an integer in {0,1}</t>
	    </list>
	  </t>
	  <t>Method: </t>
	  <t>
	    <list style="numbers">
	      <t>If P = O_E, then output 1</t>
	      <t>If y^2 != x^3 + A * x + B, then output 0</t>
	      <t>If h != 1 &amp;&amp; r * P != O_E, then output 0</t>
	      <t>Output 1</t>
	    </list>
	  </t>
      </section>
    </section>

    <section anchor="method-fse-key-exchange" title="FSU Key Exchange">
<t>
      This section provides the specification of the ID-based 
      authenticated key exchange protocol FSU <xref target = "FHKSUY"/>, which is an
       extension of the FSU (Fujioka-Suzuki-Ustaoglu) protocol 
       standardized in ISO/IEC 11770-3 <xref target = "FSU2010"/> <xref target = "ISO_IEC11770_3"/>.
</t>
      <section anchor="setup" title="System Parameter Setup">
	<t>Key Generation Center (KGC) defines the following system parameters in FSU:</t>
	<t>
	  <list style="symbols">
	    <t>Pairing-Param-ID : An identifier for showing an asymmetric pairing, i.e., G1-Curve-ID, G2-Curve-ID and GT-Field-ID. </t>
	    <t>G1-Curve-ID is an identifier for showing an elliptic curve which defines 
	    a cyclic group G_1 with prime p_b_1, 
      coefficients A_1 and B_1, generator P_1, order r, and cofactor h_1.</t>
      <t> G2-Curve-ID is an identifier for showing an elliptic curve which
      defines a cyclic group G_2 with prime p_b_2, irreducible polynomial
      e2_2, coefficients A_2 and B_2, generator P_2, order r, and
      cofactor h_2.</t>
      <t> GT-Field-ID is an identifier for showing a pairing co-domain group 
      which is subgroup of order r in G_{phi_12(p)}.  G_{phi_12(p)} is 
      the 12-th cyclotomic subgroup of order p^4-p^2+1 in F_{p^12}^*.</t>
	    <t>HASH-ID : An identifier for showing a hash function, i.e., Hash : {0,1}^* -> {0,1}^hashLen.</t>
		<t>hashLen : Length of output by Hash. </t>

	    <t>KDF-ID : An identifier for showing key derivation function, i.e., MGF1: {0,1}^* -> {0,1}^n.</t>
	    
		<t>n : Length of output by key derivation function. </t>
	    
	    <t>R : A point compression type of conversion between elliptic curve point and octet string specifically &quot;Compressed&quot;, &quot;Uncompressed&quot;, or &quot;Hybrid&quot;. </t>
	  </list>
	</t>
	<t>KGC generates the master secret key MSK and master public key MPK from the system parameters as follows.</t>
	<t>
	  <list style="numbers">
	    <t>KGC selects a random integer z in Z_r.</t>
	    <t>KGC computes Z_v = z * P_v for v in {1, 2}.</t>
	    <t>KGC sets MSK = z and MPK = (Z_1, Z_2).</t>
	  </list>
	</t>
	<t> Hash functions H_v are defined as H_v(M) = HASHINGTOPOINT(Gv-Curve-ID, Hash, "FSU"||ECP2OSP(Z_1, R)||ECP2OSP(Z_2, R)||M) for v in {1, 2}. Hash function H is defined as H(M) = MGF1("FSU"||ECP2OSP(Z_1, R)||ECP2OSP(Z_2, R)||M, n).</t>
      </section>
      <section anchor="key-distribution" title="Key Distribution by KGC">
	<t>This subsection explains the operations of key distribution by KGC. There are two types of static secret key in FSU Key Exchange, namely static secret keys based on the cyclic groups G_1 and G_2, respectively. FSU Key Exchange requires that an initiator and a responder use static secret keys of different types. Hence, KGC needs to define a rule for distributing keys to users. For example, clients use static secret keys in G_1 and servers use them in G_2.</t>
	<t>KGC generates the static secret key D_{i, v} in G_v for the identifier ID_i of a user, for i in {A, B}, as follows.</t>
	<t>
	  <list style="numbers">
	    <t>Let MPK be (Z_1, Z_2) and MSK be z.</t>
	    <t>KGC computes D_{i,v} = z*H_v(ID_i).</t>
	    <t>Distribute D_{i,v} to the user with ID_i.</t>
	  </list>
	</t>
      </section>
      <section anchor="key-exchange-protocol" title="FSU Key Exchange Protocol">
	<t>This subsection describes FSU Key Exchange Protocol in an initiator U_A with an identifier ID_A and static secret key D_{A,1} and a responder U_B with an identifier ID_B and static secret key D_{B,2}.</t>

	<t>Computation of ephemeral public key by U_A</t>
	<t>
	  <list style="numbers">	
	    <t>U_A selects a random integer x_A in Z_r.</t>
	    <t>U_A computes the ephemeral public key X_{A,v} = x_A * P_v for v in {1,2}.</t>
	    <t>U_A computes XOS_{A,v} = ECP2OSP(X_{A,v}, R) for v in {1,2}.</t>
	    <t>U_A sends (ID_A, ID_B, XOS_{A,1}, XOS_{A,2}) to U_B.</t>
	  </list>
	</t>
	<t>Computation of ephemeral public key by U_B</t>
	<t>
	  <list style="numbers">	
	    <t>U_B receives (ID_A, ID_B, XOS_{A,1}, XOS_{A,2}).</t>
	    <t>U_B computes X_{A,v} = OS2ECPP(XOS_{A,v}) for v in {1,2}.</t>
	    <t> If (GROUPMEMBERSHIPTEST(G1-Curve-ID, X_{A,1}) = 0  || 
       GROUPMEMBERSHIPTEST(G2-Curve-ID, X_{A,2}) = 0 || e(X_{A,1},
       P_2) != e(P_1, X_{A,2})), then abort.</t>
	    <t>U_B selects a random ephemeral secret key x_B in Z_r.</t>
	    <t>U_B computes the ephemeral public key X_{B,v} = x_B * P_v for v in {1,2}.</t>
	    <t>U_B computes XOS_{B,v} = ECP2OSP(X_{B,v}, R) for v in {1,2}.</t>
	    <t>U_B sends (ID_B, ID_A, XOS_{B,1}, XOS_{B,2}) to U_A.</t>
	  </list>
	</t>
	<t>Computation of session key by U_B</t>
	<t>
	  <list style="numbers">
	    <t>U_B computes sigma_1 = e(H_1(ID_A), D_{B,2}).</t>
	    <t>U_B computes sigma_2 = e(H_1(ID_A) + X_{A,1}, D_{B,2} + x_B * Z_2).</t>
	    <t>U_B computes sigma_3 = x_B * X_{A,1}.</t>
	    <t>U_B computes sigma_4 = x_B * X_{A,2}.</t>
	    <t>U_B computes sigmaOS_j = FE2OSP(sigma_j) for j in {1,2}.</t>
	    <t>U_B computes sigmaOS_j' = ECP2OSP(sigma_j',R) for j' in {3,4}.</t>
	    <t>Set sid = (ID_A||ID_B||XOS_{A,1}||XOS_{A,2}||XOS_{B,1}||XOS_{B,2}).</t>
	    <t>U_B computes session key K = H(sigmaOS_1||sigmaOS_2||sigmaOS_3||sigmaOS_4||sid).</t>
	  </list>
	</t>
	
	<t>Computation of session key by U_A</t>
	<t>
	  <list style="numbers">
	    <t>U_A computes X_{B,v} = OS2ECPP(XOS_{B,v}) for v in {1,2}.</t>
	    <t>  If (GROUPMEMBERSHIPTEST(G1-Curve-ID, X_{B,1}) = 0 || 
       GROUPMEMBERSHIPTEST(G2-Curve-ID, X_{B, 2}) = 0 || e(X_{B,1},
        P_2) != e(P_1, X_{B,2})), then abort.</t>
	    <t>U_A computes sigma_1 = e(D_{A,1}, H_2(ID_B)).</t>
	    <t>U_A computes sigma_2 = e(D_{A,1} + x_A * Z_1, H_2(ID_B) + X_{B,2}).</t>
	    <t>U_A computes sigma_3 = x_A * X_{B,1}.</t>
	    <t>U_A computes sigma_4 = x_A * X_{B,2}.</t>
	    <t>U_A computes sigmaOS_j = FE2OSP(sigma_j) for j in {1,2}.</t>
	    <t>U_A computes sigmaOS_j' = ECP2OSP(sigma_j',R) for j' in {3,4}.</t>
	    <t>Set sid = (ID_A||ID_B||XOS_{A,1}||XOS_{A,2}||XOS_{B,1}||XOS_{B,2}).</t>
	    <t>U_A computes session key K = H(sigmaOS_1||sigmaOS_2||sigmaOS_3||sigmaOS_4||sid).</t>
	  </list>
	</t>

      </section>
    </section>

    <section anchor="Security" title="Security Considerations">
      <t>This memo specifies the identity-based authenticated key exchange protocol
   FSU <xref target="FHKSUY"/> <xref target="ISO_IEC11770_3"/> <xref target="FSU2010"/>,
	which is secure in the id-eCK (id-based extended Canetti-Krawczyk)
   security model under the GBDH (gap bilinear DH) assumption <xref target="FHKSUY"/>.</t>
      <t>The id-eCK security model is the strongest security model in the sense that it ensures the
   	secrecy of the session key even if any non-trivial combination of the master key,
	static key, and ephemeral key is leaked.</t>
      <t>The id-eCK security model also guarantees the following four security notions:</t>
      <t>
	<list style="empty">
	  <t>MitM (resistance to man-in-the-middle attacks),</t>
	  <t>wPFS (weak perfect forward secrecy),</t>
	  <t>KCI (resistance to key compromise impersonation attacks),</t>
	  <t>RLE (resilience to leakage of ephemeral private keys).</t>
	</list>
      </t>
    </section>
    <section title="Acknowledgements">
      <t>TBD</t>
    </section>


    <section title="Algorithm Identifiers" anchor="aid">
      <t>TBD</t>

      <!--
	  <t>We need to define the following algorithm identifiers.
	    Which organization is suitable for the allotment of these object identifiers?
	  </t>

	  <t>The root of the tree for the object identifiers defined in this
	    specification is given by:</t>
	  <t>
	    <list style="empty">
	      <t>
		OBJECT IDENTIFIER::= {TBD}
	      </t>
	    </list>
	  </t>
	  <t> The object identifier ellipticCurve represents the tree for domain
	    parameter sets.  It has the following value:</t>
	  <t>
	    <list style="empty">
	      <t>
		OBJECT IDENTIFIER ::= {TBD}
	      </t>
	    </list>
	  </t>
	  <t>
	    The tree containing the object identifiers for each set of domain
	    parameters defined in this RFC is:</t>
	  <t>
	    <list style="empty">
	      <t>
		OBJECT IDENTIFIER ::= {TBD}
	      </t>
	    </list>
	  </t>
	  <t>
	    The following object identifiers represent the domain parameter sets
	    defined in this RFC:
	  </t>
	  -->
    </section>

    <section title="Change log">
      <t>NOTE TO RFC EDITOR: Please remove this section before final RFC publication.</t>
    </section>
    <section anchor="test-vectors" title="Test Vectors">
      <t>TBD</t>
    </section>
    <!--
	<section title="Intellectual Property Rights">
	  <t>The authors have no knowledge about any intellectual property rights
	    that cover the usage of the domain parameters defined herein.
	    However, readers should be aware that implementations based on these
	    domain parameters may require use of inventions covered by patent
	    rights.</t>
	</section>
	-->      
    <!-- The Author's Addresses section will be generated automatically by XML2RFC from the front information -->

  </middle>
  <back>
    <!-- References Section -->

    <!-- Section 4.7f of <xref target='RFC2223bis' /> specifies the requirements for the
	 references sections.  In particular, there MUST be separate lists of
	 normative and informative references, each in a separate section.
	 The style SHOULD follow that of recently published RFCs.

	 The standard MIB boilerplate available at
	 http://www.ops.ietf.org/mib-boilerplate.html includes lists of
	 normative and informative references that MUST appear in all IETF
	 specifications that contain MIB modules.  If items from other MIB
	 modules appear in an IMPORTS statement in the Definitions section,
	 then the specifications containing those MIB modules MUST be included
	 in the list of normative references.  When items are imported from an
	 IANA-maintained MIB module the corresponding normative reference
	 SHALL point to the on-line version of that MIB module.  It is the
	 policy of the RFC Editor that all references must be cited in the
	 text;  such citations MUST appear in the overview section where
	 documents containing imported definitions (other those already
	 mentioned in the MIB boilerplate) are required to be mentioned (cf.
	 Section 3.2).

	 In general, each normative reference SHOULD point to the most recent
	 version of the specification in question.
      -->
    <references title="Normative References">
      <reference anchor="RFC2119">
	<front>
	  <title>Key words for use in RFCs to Indicate Requirement Levels</title>
	  <author initials='S.' surname='Bradner'>
	    <organization /></author>
	  <date year='1997' month='March' />
	</front>
	<seriesInfo name='RFC' value='2119' />
	<format type='TXT' target='http://www.rfc-editor.org/rfc/rfc2119.txt' />
      </reference>
      <reference anchor="draft-kasamatsu-bncurves">
	<front>
	  <title>Barreto-Naehrig Curves</title>
	  <author initials='K.' surname='Kasamatsu'>
	    <organization /></author>
	  <author initials='S.' surname='Kanno'>
	    <organization /></author>
	  <author initials='A.' surname='Kato'>
	    <organization /></author>
	  <author initials='M.' surname='Scott'>
	    <organization /></author>
	  <author initials='T.' surname='Kobayashi'>
	    <organization /></author>
	  <author initials='Y.' surname='Kawahara'>
	    <organization /></author>
	  <date year='2015' month='' />
	</front>
	<seriesInfo value="draft-kasamatsu-bncurves-02" name="Internet-Draft"/>
	<format target="http://tools.ietf.org/id/draft-kasamatsu-bncurves-02.txt" type="TXT"/>
      </reference>

      <reference anchor="draft-kato-optimal-ate">
	<front>
	  <!-- NOTE(review): this title is identical to the draft-kasamatsu-bncurves entry above, while the seriesInfo and target below name draft-kato-optimal-ate-pairings-01; confirm the title of this reference. -->
	  <title>Barreto-Naehrig Curves</title>
	  <author initials='A.' surname='Kato'>
	    <organization /></author>
	  <author initials='M.' surname='Scott'>
	    <organization /></author>
	  <author initials='T.' surname='Kobayashi'>
	    <organization /></author>
	  <author initials='Y.' surname='Kawahara'>
	    <organization /></author>
	  <date year='2015' month='' />
	</front>
	<seriesInfo value="draft-kato-optimal-ate-pairings-01" name="Internet-Draft"/>
	<format target="http://tools.ietf.org/id/draft-kato-optimal-ate-pairings-01.txt" type="TXT"/>
      </reference>
    </references>
    <references title="Informative References">
	<reference anchor="FHKSUY">
          <front>
            <title>id-eCK Secure ID-Based Authenticated Key Exchange on Symmetric and Asymmetric Pairing</title>
            <author initials="A." surname="Fujioka">
	      <organization></organization> 
 		</author>
            <author initials="F." surname="Hoshino">
	      <organization></organization> 
		</author>
            <author initials="T." surname="Kobayashi">
	      <organization></organization> 
 		</author>
            <author initials="K." surname="Suzuki">
	      <organization></organization> 
 		</author>
            <author initials="B." surname="Ustaoglu">
	      <organization></organization> 
 		</author>
            <author initials="K." surname="Yoneyama">
	      <organization></organization> 
 		</author>
           <date month="" year="2013"/>
          </front>
	  <seriesInfo name="Proceedings" value="IEICE Transactions 96-A(6): 1139-1155"/>
	</reference>

	<reference anchor="FSU2010">
          <front>
            <title>Ephemeral Key Leakage Resilient and Efficient ID-AKEs That Can Share Identities, Private and Master Keys</title>
            <author initials="A." surname="Fujioka">
	      <organization></organization> 
 		</author>
            <author initials="K." surname="Suzuki">
	      <organization></organization> 
 		</author>
            <author initials="B." surname="Ustaoglu">
	      <organization></organization> 
 		</author>
           <date month="" year="2010"/>
          </front>
	  <seriesInfo name="Proceedings" value="Pairing 2010 Lecture Notes in Computer Science Volume 6487, pp 187-205"/>
	</reference>

     <reference anchor="ISO_IEC11770_3">
	<front>
	  <title>Information technology -- Security techniques -- Key management -- Part 3: Mechanisms using asymmetric techniques.</title>
	   <author fullname="ISO/IEC"><organization></organization> 
 		</author>
	  <date year='2015'/>
	</front>
	  <seriesInfo name="ISO/IEC" value="11770-3: 2015"/>      
	</reference>


	<reference anchor="IBE">
          <front>
            <title> Identity-based Cryptosystems and Signature Schemes</title>
            <author initials="A." surname="Shamir">
	      <organization></organization>
		</author>
            <date month="" year="1984"/>
          </front>
	  <seriesInfo name="Proceedings" value="CRYPTO '84, LNCS 196, pages 47-53, Springer-Verlag"/>
	</reference>

	<reference anchor="BONE_FRANKLIN">
          <front>
            <title>Identity-Based Encryption from the Weil Pairing</title>
            <author initials="D." surname="Boneh">
	      <organization></organization>
 		</author>
            <author initials="M." surname="Franklin">
	      <organization></organization> 
 		</author>
           <date month="" year="2001"/>
          </front>
	  <seriesInfo name="Proceedings" value="CRYPTO 2001, LNCS 2139, pages 213-229, Springer-Verlag"/>
	</reference>
	<reference anchor="HUANG_CAO">
          <front>
            <title>An ID-based Authenticated Key Exchange Protocol Based on Bilinear Diffie-Hellman Problem</title>
            <author initials="H." surname="Huang">
	      <organization></organization>
 		</author>
            <author initials="Z." surname="Cao">
	      <organization></organization>
 		</author>
            <date month="" year="2009"/>
          </front>
	  <seriesInfo name="Proceedings" value="the 4th International Symposium on Information, Computer, and Communications Security (ASIACCS '09)
pp. 333-342, ACM"/>
	</reference>
	<reference anchor="CK2001">
          <front>
            <title>Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels</title>
            <author initials="R." surname="Canetti">
	      <organization></organization>
 		</author>
            <author initials="H." surname="Krawczyk">
	      <organization></organization>
 		</author>
            <date month="" year="2001"/>
          </front>
	  <seriesInfo name="Proceedings" value="Eurocrypt 2001 (LNCS2015), pp. 453-474, Springer-Verlag"/>
	</reference>
	<reference anchor="LLM2007">
          <front>
            <title>Stronger Security of Authenticated Key Exchange</title>
            <author initials="B." surname="LaMacchia">
	      <organization></organization>
 		</author>
            <author initials="K." surname="Lauter">
	      <organization></organization>
 		</author>
            <author initials="A." surname="Mityagin">
	      <organization></organization>
 		</author>
            <date month="" year="2007"/>
          </front>
	  <seriesInfo name="Proceedings" value="in Provable Security (LNCS 4784), pp. 1-16, Springer"/>
	</reference>
<!--
	<reference anchor="UW2014" target="https://eprint.iacr.org/2014/800.pdf">
	  <front>
	    <title>Efficient Pairings and ECC for Embedded Systems</title>
	    <author initials="T." surname="Unterluggauer"><organization abbrev="Graz University of Technology"/></author>
	    <author initials="E." surname="Wenger"><organization abbrev="Graz University of Technology"/></author>
	    <date year="2014"/>
	  </front>
	</reference>
-->
      </references>
<!--
<section anchor="Perfomance" title="Estimated Perfomance">

<t>
T. Unterluggauer and E. Wenger computed the running time of optimal ate paring
on an ARM Coretex-M0+ that is small and energy efficient microprocessor <xref target="UW2014" />.
By their result, optimal ate pairing's running time  on Coretex-M0+ is 1 sec.</t>
<t>
By Unterluggauer and Wenger's result, FSU's running time is estimated about 4
sec on Coretex-M0+.
</t>
</section>
-->
    <section anchor="constru" title="Construction of Data Conversion">
      <section anchor="construction-of-bs2osp" title="Construction of BS2OSP">
	<t>Concrete construction of BS2OSP(B) is specified as follows:</t>
	<t>Input:</t>
	<t>
	  <list style="symbols">
	    <t>B = B_0 B_1 ... B_{l-1} : a bit string of length l</t>
	  </list>
	</t>
	<t>Output:</t>
	<t>
	  <list style="symbols">
	    <t>M = M_0 M_1 ... M_{n-1}: an octet string of length n = ceil(l/8).</t>
	  </list>
	</t>
	<t>Method:</t>
	<t>
	  <list style="numbers">
	    <t>If l = 0, then output empty octet string and stop.</t>
	    <t>For j in {0,...,8n-1}, if j &gt;= 8n - l, set B'_j = B_{j-(8n-l)}, otherwise set B'_j = 0. </t>
	    <t>For i in {0,...,n-1}, set M_i = B'_{8i} B'_{8i+1}...B'_{8i+7}.</t>
	    <t>Output M = M_0 M_1 ... M_{n-1}.</t>
	  </list>
	</t>
      </section>

      <section anchor="construction-of-os2bsp" title="Construction of OS2BSP">
	<t>Concrete construction of OS2BSP(M) is specified as follows:</t>
	<t>Input:</t>
	<t>
	  <list style="symbols">
	    <t>M = M_0 M_1 ... M_{n-1}: an octet string of length n.</t>
	  </list>
	</t>
	<t>Output:</t>
	<t>
	  <list style="symbols">
	    <t>B = B_0 B_1 ... B_{l-1} : a bit string of length l = 8*n</t>
	  </list>
	</t>
	<t>Method:</t>
	<t>
	  <list style="numbers">
	    <t>If l = 0 (i.e. n = 0), then output the empty bit string and stop.</t>
	    <t>For i in {0, ..., n-1}, j in {0,...,7}, set B_{8i + j} in {0,1} such that M_i = B_{8i} B_{8i+1}...B_{8i+7}.</t>
	    <t>Output B = B_0 B_1 ... B_{l-1}.</t>
	  </list>
	</t>
      </section>

      <section anchor="construction-of-fe2ip" title="Construction of FE2IP">
	<t>Concrete construction of FE2IP(a) is specified as follows:</t>
	<t>System parameters:</t>
	<t>
	  <list style="symbols">
	    <t>F_{p^{m_2}}/F_{p^{m_1}}: a field extension with an irreducible polynomial Irr(F_{p^m_2} / F_{p^m_1};beta)</t>
	  </list>
	</t>
	<t>Input:</t>
	<t>
	  <list style="symbols">
	    <t>a : a field element in F_{p^m_2}</t>
	  </list>
	</t>
	<t>Output:</t>
	<t>
	  <list style="symbols">
	    <t>x : an integer in {0,...,p^{m_2} - 1}</t>
	  </list>
	</t>
	<t>Method:</t>
	<t>
	  <list style="numbers">
	    <t>If m_2 = 1 (i.e. F_{p^m_2} is a prime field)
	      <list style="empty">
		<t>A field element of F_{p^{m_2}} must be represented as an integer in {0, ..., p-1}</t>
		<t>(A) Set x = a</t>
		<t>(B) Output x</t>
	      </list>
	    </t>
	    <t>Else (i.e. m_2 > 1)
	      <list style="empty">
		<t>(A) Let a_i in F_{p^m_1}, for i in {0,...,m_2 / m_1 - 1}, be the coefficients such that a = sum_{i=0}^{m_2 / m_1 - 1} a_i * beta^i</t>
		<t>(B) Compute x = sum_{i=0}^{m_2 / m_1 - 1} FE2IP(a_i) * (p^{m_1})^i</t>
		<t>(C) Output x</t>
	      </list>
	    </t>
	  </list>
	</t>
      </section>

      <section anchor="construction-of-i2fep" title="Construction of I2FEP">
	<t>Concrete construction of I2FEP(x) is specified as follows:</t>

	<t>System parameters:</t>
	<t>
	  <list style="symbols">
	    <t>F_{p^{m_2}}/F_{p^{m_1}}: a field extension with an irreducible polynomial Irr(F_{p^m_2} / F_{p^m_1};beta)</t>
	  </list>
	</t>
	<t>Input:</t>
	<t>
	  <list style="symbols">
	    <t>x : an integer in {0,...,p^{m_2} - 1}</t>
	  </list>
	</t>
	<t>Output:</t>
	<t>
	  <list style="symbols">
	    <t>a : a field element in F_{p^m_2}</t>
	  </list>
	</t>
	<t>Method:</t>
	<t>
	  <list style="numbers">
	    <t>If m_2 = 1 (i.e. F_{p^m_2} is a prime field)
	      <list style="empty">
		<t>A field element of F_{p^{m_2}} must be represented as an integer in {0, ..., p-1}</t>
		<t>(A) Set a = x</t>
		<t>(B) Output a</t>
	      </list>
	    </t>
	    <t>Else (i.e. m_2 > 1)
	      <list style="empty">
		<t>(A) Let x_i be an element in {0,...,p^{m_1}-1} for i in {0,...,m_2 / m_1 - 1} such that x = sum_{i=0}^{m_2 / m_1 - 1} x_i * (p^{m_1})^i</t>
		<t>(B) Compute a = sum_{i=0}^{m_2 / m_1 - 1} I2FEP(x_i) * beta^i</t>
		<t>(C) Output a</t>
	      </list>
	    </t>
	  </list>
	</t>
      </section>

      <section anchor="construction-of-fe2osp" title="Construction of FE2OSP">
	<t>System parameter:</t>
	<t>
	  <list style="symbols">
	    <t>F_{p^m} : a finite field with p^m elements where p is a prime, and m > 0 is an integer</t>
	    <t>n : an integer equivalent to ceil(m * log_2 p / 8)</t>
	  </list>
	</t>
	<t>Input:</t>
	<t>
	  <list style="symbols">
	    <t>a : a field element in F_{p^m}</t>
	  </list>
	</t>
	<t>Output:</t>
	<t>
	  <list style="symbols">
	    <t>M : an octet string</t>
	  </list>
	</t>
	<t>Method:</t>
	<t>
	  <list style="numbers">
	    <t>Compute I = FE2IP(a)</t>
	    <t>Compute X = x_{0}, ..., x_{n-1} such that I = x_{n-1} + x_{n-2}*2 + ... + x_{1}*2^{n-2} + x_{0}*2^{n-1}</t>
	    <t>Compute M = BS2OSP(X)</t>
	    <t>Output M</t>
	  </list>
	</t>
      </section>

      <section anchor="construction-of-os2fep" title="Construction of OS2FEP">
	<t>System parameter:</t>
	<t>
	  <list style="symbols">
	    <t>F_{p^m} : a finite field with p^m elements where p is a prime, and m > 0 is an integer</t>
	    <t>n : an integer equivalent to ceil(m * log_2 p / 8)</t>
	  </list>
	</t>
	<t>Input:</t>
	<t>
	  <list style="symbols">
	    <t>M : an octet string</t>
	  </list>
	</t>
	<t>Output:</t>
	<t>
	  <list style="symbols">
	    <t>a : a field element in F_{p^m}</t>
	  </list>
	</t>
	<t>Method:</t>
	<t>
	  <list style="numbers">
	    <t>Compute X = OS2BSP(M)</t>
	    <t>Let X be x_0,...,x_{l-1}</t>
	    <t>Compute I = sum_{i=0}^{l-1} 2^{l-1-i} * x_{i}</t>
	    <t>Compute a = I2FEP(I)</t>
	    <t>Output a</t>
	  </list>
	</t>
      </section>

      <section anchor="construction-of-ecp2osp" title="Construction of ECP2OSP">
	<t>Concrete construction of ECP2OSP(P,R), is specified as follows:</t>

	<t>System parameters:</t>
	<t>
	  <list style="symbols">
	    <t>Curve-ID : an elliptic curve parameter</t>
	  </list>
	</t>
	<t>Input:</t>
	<t>
	  <list style="symbols">
	    <t>P : a point on an elliptic curve over F_{p^m}</t>
	    <t>R : compression type specifically &quot;Compressed&quot;, &quot;Uncompressed&quot;, or &quot;Hybrid&quot;</t>
	  </list>
	</t>
	<t>Output:</t>
	<t>
	  <list style="symbols">
	    <t>M : an octet string of length n</t>
	  </list>
	</t>
	<t>Method:</t>
	<t>
	  <list style="numbers">
	    <t>If P = O_E
	      <list style="empty">
		<t>(A) Compute M = BS2OSP(00000000)</t>
		<t>(B) Output M</t>
	      </list>
	    </t>

	    <t>If P = (x,y) != O_E &amp;&amp; R = Compressed
	      <list style="empty">
		<t>(A) Set X = FE2OSP(x)</t>
		<t>(B) If p is odd &amp;&amp; y = 0 , set y' = 0</t> 
		<t>(C) Else if p is odd &amp;&amp; y != 0, set y' = y_i mod 2 such that y = y_{m-1} * beta^{m-1} + ... + y_1 * beta + y_0 and i is the smallest integer such that y_i != 0</t>
		<!-- NOTE(review): the decoder OS2ECPP (section construction-of-os2ecpp) accepts the compressed form only with header octets 00000010 / 00000011, while the two steps below emit 00000100 / 00000101, and 00000100 is also the Uncompressed header emitted further down. One side must be aligned so that compressed points round-trip and the header octet alone identifies the form. -->
		<t>(D) If y' = 0, compute L = BS2OSP(00000100)</t>
		<t>(E) If y' = 1, compute L = BS2OSP(00000101)</t>
		<t>(F) Output M = L || X</t>
	      </list>
	    </t>

	    <t>If P = (x,y) != O_E &amp;&amp; R = Uncompressed
	      <list style="empty">
		<t>(A) Set X = FE2OSP(x)</t>
		<t>(B) Set Y = FE2OSP(y)</t>
		<t>(C) Compute L = BS2OSP(00000100)</t>
		<t>(D) Output M = L || X || Y</t>
	      </list>
	    </t>

	    <t>If P = (x,y) != O_E &amp;&amp; R = Hybrid
	      <list style="empty">
		<t>(A) Set X = FE2OSP(x)</t>
		<t>(B) Set Y = FE2OSP(y)</t>
		<t>(C) If y = 0, set y' = 0</t>
		<t>(D) Else (i.e. y != 0) y' = y_i mod 2 such that y = y_{m-1} * beta^{m-1} + ... + y_1 * beta + y_0 and i is the smallest integer such that y_i != 0</t>
		<t>(E) If y' = 0, compute L = BS2OSP(00000110)</t>
		<t>(F) If y' = 1, compute L = BS2OSP(00000111)</t>
		<t>(G) Output M = L || X || Y</t>
	      </list>
	    </t>
	  </list>
	</t>
      </section>

      <section anchor="construction-of-os2ecpp" title="Construction of OS2ECPP">
	<t>Concrete construction of OS2ECPP(M), is specified as follows:</t>

	<t>System parameters</t>
	<t>
	  <list style="symbols">
	    <t>Curve-ID : an elliptic curve parameter</t>
	  </list>
	</t>

	<t>Input:</t>
	<t>
	  <list style="symbols">
	    <t>M : an octet string</t>
	  </list>
	</t>
	<t>Output:</t>
	<t>
	  <list style="symbols">
	    <t>P : an elliptic curve point</t>
	  </list>
	</t>
	<t>Method:</t>
	<t>
	  <list style="numbers">
	    <t>If M = BS2OSP(00000000), output P = O_E</t>
	    <t>If M has length ceil(m * log_2 p / 8) + 1
	      <list style="empty">
		<t>(A) Let M be L||X where L is a single octet</t>
		<t>(B) Compute x = OS2FEP(X)</t>
		<t>(C) If L = BS2OSP(00000010), then set y' = 0</t>
		<t>(D) Else if L = BS2OSP(00000011), then set y' = 1</t>
		<t>(E) Else output INVALID and stop</t>
		<t>(F) Compute w = x^3 + A * x + B</t>
		<t>(G) Compute gamma as a square root of w, i.e. an element of F_{p^m} with gamma^2 = w</t>
		<t>(H) If no such gamma exists in F_{p^m}, then output INVALID and stop</t>
		<t>(I) Else if gamma = 0, then set y = 0</t>
		<t>(J) Else if gamma_i = y' mod 2, set y = gamma, where gamma = gamma_{m-1} * beta^{m-1} + ... + gamma_{1} * beta + gamma_{0} and i is the smallest integer such that gamma_i != 0</t>
		<t>(K) Else if gamma_i != y' mod 2, set y = -gamma where gamma = gamma_{m-1} * beta^{m-1} + ... + gamma_{1} * beta + gamma_{0} and i is the smallest integer such that gamma_i != 0</t>
		<t>(L) Output P = (x,y)</t>
	      </list>
	    </t>
	    <t>If M has length 2 * floor(m * log_2 p / 8) + 1
	      <list style="empty">
		<!-- NOTE(review): FE2OSP and the compressed case above size a field element as ceil(m * log_2 p / 8) octets; the floor() used here gives a different length whenever m * log_2 p is not a multiple of 8, so an Uncompressed or Hybrid encoding produced by ECP2OSP would then match neither length branch (confirm and align). Also, the Hybrid headers 00000110 / 00000111 are accepted without checking that their parity bit agrees with the decoded y, so a non-canonical encoding is not rejected. -->
		<t>(A) Let M be L || X || Y where L is a single octet, X is floor(m * log_2 p / 8) octets, and Y is floor(m * log_2 p / 8) octets</t>
		<t>(B) Unless L is BS2OSP(00000100), BS2OSP(00000110) or BS2OSP(00000111), output INVALID and stop.
		  <list style="empty">
		    <t>(a) Compute x = OS2FEP(X)</t>
		    <t>(b) Compute y = OS2FEP(Y)</t>
		    <t>(c) If (x,y) does not satisfy the elliptic curve equation, then output INVALID and stop</t>
		    <t>(d) Output P = (x,y)</t>
		  </list>
		</t>
	      </list>
	    </t>
	  </list>
	</t>
      </section>
    </section>
  </back>
</rfc>
