**How to manipulate curve standards: a white paper for the black hat**

*Daniel J. Bernstein and Tung Chou and Chitchanok Chuengsatiansup and Andreas Hülsing and Tanja Lange and Ruben Niederhagen and Christine van Vredendaal*

**Abstract:** This paper analyzes the cost of breaking ECC under the following assumptions: (1) ECC is using a standardized elliptic curve that was actually chosen by an attacker; (2) the attacker is aware of a vulnerability in some curves that are not publicly known to be vulnerable.

This cost includes the cost of exploiting the vulnerability, but also the initial cost of computing a curve suitable for sabotaging the standard. This initial cost depends upon the acceptability criteria used by the public to decide whether to allow a curve as a standard, and (in most cases) also upon the chance of a curve being vulnerable.

This paper shows the importance of accurately modeling the actual acceptability criteria: i.e., figuring out what the public can be fooled into accepting. For example, this paper shows that plausible models of the “Brainpool acceptability criteria” allow the attacker to target a one-in-a-million vulnerability.

**Category / Keywords:** implementation / Elliptic-curve cryptography, verifiably random curves, verifiably pseudorandom curves, nothing-up-my-sleeve numbers, sabotaging standards, fighting terrorism, protecting the children.

**Date:** received 22 Jul 2014, last revised 27 Sep 2015

**Contact author:** authorcontact-bada55 at box cr yp to

**Version:** 20150927:155915

**Short URL:** ia.cr/2014/571
