Paper 2015/1249

Trap Me If You Can -- Million Dollar Curve

Thomas Baignères, Cécile Delerablée, Matthieu Finiasz, Louis Goubin, Tancrède Lepoint, and Matthieu Rivain


A longstanding problem in cryptography is the generation of publicly verifiable randomness. In particular, public verifiability allows one to generate parameters for a cryptosystem in a way that people can legitimately trust. Many standards use arbitrary constants which are now challenged and criticized for this reason, some of which are even suspected of containing a trap. Several sources of public entropy have already been proposed, such as lotteries, stock market prices, the Bitcoin blockchain, board games, or even Twitter and live webcams. In this article, we propose a way of combining lotteries from several different countries, so that an adversary would have to manipulate several independent draws in order to introduce a trap into the generated cryptosystem. Each and every time a new source of public entropy is suggested, it receives its share of criticism for being "easy to manipulate". We do not expect our solution to be an exception in this respect, and will gladly receive any suggestion that increases the confidence in the cryptosystem parameters we generate. Our method allows us to build what we call a publicly verifiable RNG, from which we extract a seed that is used to instantiate and initialize a Blum-Blum-Shub random generator. We then use the binary stream produced by this generator as input to a filtering function which deterministically outputs secure and uniformly distributed parameters from uniform bitstreams. We apply our methodology to the ECDH cryptosystem, and propose the "Million Dollar Curve" as an alternative to the curves P-256 and Curve25519.
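The pipeline the abstract describes (public draws combined into a seed, a Blum-Blum-Shub generator initialized from that seed, and a deterministic filter that turns the bit stream into a uniformly distributed parameter) is small enough to show end to end. The following is an added example written for this page; it is not the authors' code and not the Million Dollar Curve procedure itself. The lottery draws are constructed, the BBS primes are toy-sized (a real deployment needs a modulus of at least RSA strength), the seed derivation by hashing the canonically encoded draws is an assumption, and the paper's filter, which outputs elliptic-curve parameters after security checks, is replaced here by the generic step it relies on: rejection sampling of a uniform integer below a bound. The `commit` helper mirrors the SHA-256 commitment on the design file mentioned in the note.

```python
"""
Toy pipeline: public lottery draws -> commitment/seed -> Blum-Blum-Shub -> filter.
Illustrative only; the modulus is tiny and the filter is not the paper's curve filter.
"""
import hashlib
from math import gcd

# Constructed sample draws (NOT real lottery results): (country, date, winning numbers).
SAMPLE_DRAWS = [
    ("FR", "2016-01-04", [3, 17, 22, 34, 41, 9]),
    ("US", "2016-01-04", [5, 12, 29, 38, 45, 60, 14]),
    ("UK", "2016-01-04", [8, 19, 23, 31, 44, 49]),
]

# Constructed Blum primes (both congruent to 3 mod 4); far too small for real use.
TOY_P, TOY_Q = 10007, 10039


def commit(text: bytes) -> str:
    """Hex SHA-256 of a design/seeding document, published before the draws happen."""
    return hashlib.sha256(text).hexdigest()


def canonical_draws(draws) -> bytes:
    """Fixed, order-independent encoding so every verifier hashes identical bytes."""
    lines = [f"{c}|{d}|{','.join(map(str, nums))}" for c, d, nums in sorted(draws)]
    return "\n".join(lines).encode("ascii")


def seed_from_draws(draws) -> bytes:
    """Seed of the publicly verifiable RNG: hash of all draws combined (assumed derivation)."""
    return hashlib.sha256(canonical_draws(draws)).digest()


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy primes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


class BlumBlumShub:
    """x_{i+1} = x_i^2 mod n; each output bit is the least significant bit of the state."""

    def __init__(self, seed: bytes, p: int = TOY_P, q: int = TOY_Q):
        if not (is_prime(p) and is_prime(q) and p != q and p % 4 == 3 and q % 4 == 3):
            raise ValueError("p and q must be distinct primes congruent to 3 mod 4")
        self.n = p * q
        # Map the seed to s in [2, n) with gcd(s, n) = 1, rehashing with a counter if needed,
        # so the state never collapses to 0.
        counter = 0
        while True:
            h = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
            s = int.from_bytes(h, "big") % self.n
            if s > 1 and gcd(s, self.n) == 1:
                break
            counter += 1
        self.x = (s * s) % self.n  # x_0 = s^2 mod n

    def bits(self):
        """Infinite generator of output bits; advances the state on every call."""
        while True:
            self.x = (self.x * self.x) % self.n
            yield self.x & 1


def uniform_below(bit_source, bound: int) -> int:
    """Filter: read bit_length(bound-1) bits MSB first, reject values >= bound, repeat.
    Rejection (rather than reduction mod bound) keeps the output uniform on [0, bound)."""
    if bound < 1:
        raise ValueError("bound must be positive")
    k = (bound - 1).bit_length()
    while True:
        v = 0
        for _ in range(k):
            v = (v << 1) | next(bit_source)
        if v < bound:
            return v


def derive_parameter(draws, bound: int, p: int = TOY_P, q: int = TOY_Q) -> int:
    """Full pipeline: draws -> seed -> BBS -> filtered uniform parameter."""
    gen = BlumBlumShub(seed_from_draws(draws), p, q)
    return uniform_below(gen.bits(), bound)


def verify_parameter(draws, bound: int, claimed: int) -> bool:
    """Anyone holding the public draws can recompute and check the published value."""
    return derive_parameter(draws, bound) == claimed


if __name__ == "__main__":
    design = b"toy design: BBS over p*q, LSB output, rejection filter\n"
    print("design commitment:", commit(design))
    param = derive_parameter(SAMPLE_DRAWS, 2**31)
    print("derived parameter:", param, "verified:", verify_parameter(SAMPLE_DRAWS, 2**31, param))
```

The point a verifier cares about is reproducibility: given the committed design, the same public draws and the same bound, `derive_parameter` returns the same value on every machine, and any change to a single draw changes the seed and hence the whole stream, which is why an attacker would have to control several independent draws at once.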

Note: This is a commitment on the SHA256 hash of the MDCurve201601 design text file. This file is available at The hash is: e9dd4baf0d351b5a64c59ed6b1efd3108094b3585e17a0e5350fb200500058d9.

This is a commitment on the SHA256 hash of the MDCurve201601 seeding text file. This file is available at The hash is: f8bdb5bd4957a2d65b567378bb32744d0d0573a77e4ef0247311a5a4b98744da.

Public-key cryptography
Publication info
Preprint. MINOR revision.
Keywords
Publicly verifiable RNG, lottery, trusted cryptosystem parameters, elliptic curve, Million Dollar Curve, decentralized beacon, NSA, Snowden
Contact author(s)
thomas baigneres @ cryptoexperts com
2016-02-01: last of 4 revisions
2016-01-01: received
Creative Commons Attribution


@misc{cryptoeprint:2015/1249,
      author = {Thomas Baignères and Cécile Delerablée and Matthieu Finiasz and Louis Goubin and Tancrède Lepoint and Matthieu Rivain},
      title = {Trap Me If You Can -- Million Dollar Curve},
      howpublished = {Cryptology ePrint Archive, Paper 2015/1249},
      year = {2015},
      note = {\url{}},
      url = {}
}