This cost includes the cost of exploiting the vulnerability, but also the initial cost of computing a curve suitable for sabotaging the standard. This initial cost depends upon the acceptability criteria used by the public to decide whether to allow a curve as a standard, and (in most cases) also upon the chance of a curve being vulnerable.
This paper shows the importance of accurately modeling the actual acceptability criteria: i.e., figuring out what the public can be fooled into accepting. For example, this paper shows that plausible models of the “Brainpool acceptability criteria” allow the attacker to target a one-in-a-million vulnerability.Category / Keywords: implementation / Elliptic-curve cryptography, verifiably random curves, verifiably pseudorandom curves, nothing- up-my-sleeve numbers, sabotaging standards, fighting terrorism, protecting the children. Date: received 22 Jul 2014 Contact author: tanja at hyperelliptic org Available format(s): PDF | BibTeX Citation Version: 20140724:124934 (All versions of this report) Discussion forum: Show discussion | Start new discussion