How to manipulate curve standards: a white paper for the black hat

Daniel J. Bernstein, Tung Chou, Chitchanok Chuengsatiansup, Andreas Hülsing, Tanja Lange, Ruben Niederhagen, and Christine van Vredendaal

Abstract

This paper analyzes the cost of breaking ECC under the following assumptions: (1) ECC is using a standardized elliptic curve that was actually chosen by an attacker; (2) the attacker is aware of a vulnerability in some curves that are not publicly known to be vulnerable. This cost includes the cost of exploiting the vulnerability, but also the initial cost of computing a curve suitable for sabotaging the standard. This initial cost depends upon the acceptability criteria used by the public to decide whether to allow a curve as a standard, and (in most cases) also upon the chance of a curve being vulnerable. This paper shows the importance of accurately modeling the actual acceptability criteria: i.e., figuring out what the public can be fooled into accepting. For example, this paper shows that plausible models of the “Brainpool acceptability criteria” allow the attacker to target a one-in-a-million vulnerability.

Available format(s)
Category
Implementation
Publication info
Preprint. MINOR revision.
Keywords
Elliptic-curve cryptographyverifiably random curvesverifiably pseudorandom curvesnothing- up-my-sleeve numberssabotaging standardsfighting terrorismprotecting the children.
Contact author(s)
authorcontact-bada55 @ box cr yp to
History
2015-09-27: revised
See all versions
Short URL
https://ia.cr/2014/571

CC BY

BibTeX

@misc{cryptoeprint:2014/571,
author = {Daniel J.  Bernstein and Tung Chou and Chitchanok Chuengsatiansup and Andreas Hülsing and Tanja Lange and Ruben Niederhagen and Christine van Vredendaal},
title = {How to manipulate curve standards:   a white paper for the black hat},
howpublished = {Cryptology ePrint Archive, Paper 2014/571},
year = {2014},
note = {\url{https://eprint.iacr.org/2014/571}},
url = {https://eprint.iacr.org/2014/571}
}

Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.