Known curve names are the following (as defined in X9.63-1998 [3])
F(2^163)
F(2^176)
F(2^191)
F(2^208)
F(2^239)
F(2^272)
F(2^304)
F(2^359)
F(2^368)
F(2^431)
163, 191, 239, 359, 431 is primes
but 176, 208, 272, 304, 368 is not primes
isn't the curves over F(2^m) with composite m suspected to
Nigel Smarts's attack ?
why these curves was choosen ?
I was about to delete them (in the text is mentioned NOT to use them
for key generation) - but they are defined in X9.63 so maybe there are
already keys which rely on these curves - and I think it is useful
to have the oppotunity to decrypt such messages...
On the other side this standard is new, so if anybody has keys to this
possibly weak curves they should generate new ones.
If you or anybody else think it is no good idea to include discouraged
curves to the standard, I'll remove them. Also I want to include some
curves over extension fields, but our tests are not completed yet...
--
Dominikus Scherkl