Paper 2014/571

How to manipulate curve standards: a white paper for the black hat

Daniel J. Bernstein, Tung Chou, Chitchanok Chuengsatiansup, Andreas Hülsing, Tanja Lange, Ruben Niederhagen, and Christine van Vredendaal


This paper analyzes the cost of breaking ECC under the following assumptions: (1) ECC is using a standardized elliptic curve that was actually chosen by an attacker; (2) the attacker is aware of a vulnerability in some curves that are not publicly known to be vulnerable. This cost includes the cost of exploiting the vulnerability, but also the initial cost of computing a curve suitable for sabotaging the standard. This initial cost depends upon the acceptability criteria used by the public to decide whether to allow a curve as a standard, and (in most cases) also upon the chance of a curve being vulnerable. This paper shows the importance of accurately modeling the actual acceptability criteria: i.e., figuring out what the public can be fooled into accepting. For example, this paper shows that plausible models of the “Brainpool acceptability criteria” allow the attacker to target a one-in-a-million vulnerability.

Available format(s)
Publication info
Preprint. MINOR revision.
Elliptic-curve cryptographyverifiably random curvesverifiably pseudorandom curvesnothing- up-my-sleeve numberssabotaging standardsfighting terrorismprotecting the children.
Contact author(s)
authorcontact-bada55 @ box cr yp to
2015-09-27: revised
2014-07-24: received
See all versions
Short URL
Creative Commons Attribution


      author = {Daniel J.  Bernstein and Tung Chou and Chitchanok Chuengsatiansup and Andreas Hülsing and Tanja Lange and Ruben Niederhagen and Christine van Vredendaal},
      title = {How to manipulate curve standards:   a white paper for the black hat},
      howpublished = {Cryptology ePrint Archive, Paper 2014/571},
      year = {2014},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.