How to Manipulate Curve Standards: A White Paper for the Black Hat

  • Daniel J. Bernstein
  • Tung Chou
  • Chitchanok Chuengsatiansup
  • Andreas Hülsing
  • Eran Lambooij
  • Tanja Lange
  • Ruben Niederhagen
  • Christine van Vredendaal
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9497)


This paper analyzes the cost of breaking ECC under the following assumptions: (1) ECC is using a standardized elliptic curve that was actually chosen by an attacker; (2) the attacker is aware of a vulnerability in some curves that are not publicly known to be vulnerable.

This cost includes the cost of exploiting the vulnerability, but also the initial cost of computing a curve suitable for sabotaging the standard. This initial cost depends heavily upon the acceptability criteria used by the public to decide whether to allow a curve as a standard, and (in most cases) also upon the chance of a curve being vulnerable.

This paper shows the importance of accurately modeling the actual acceptability criteria: i.e., figuring out what the public can be fooled into accepting. For example, this paper shows that plausible models of the “Brainpool acceptability criteria” allow the attacker to target a one-in-a-million vulnerability and that plausible models of the “Microsoft NUMS criteria” allow the attacker to target a one-in-a-hundred-thousand vulnerability.
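The seed search the abstract describes, as an added example written for this page (it is not the paper's code and it models no specific standard): a toy "verifiably random" seed-to-curve map over F_1009, a toy public acceptance check (nonsingular, prime order, not anomalous, embedding degree above 20), and a 1-in-100 stand-in for the secret property the attacker knows. The field size, the hash-to-(a, b) map, the check list and VULN_RATE are all assumptions chosen for illustration; the "weakness" is a uniformly random tag keyed to the curve, not a real vulnerability, and stands in only for its rate. The point it shows is that publishing the seed proves the curve came from that seed, not how many seeds were discarded before it, so the attacker's cost is about (1/ε) divided by the fraction of seeds the public criteria accept.

```python
"""Toy model of sabotaging a "verifiably random" curve standard.

Added example for this page, not code from the paper or from any standard.
Every parameter (prime, seed-to-curve map, acceptance checks, VULN_RATE)
is an assumption; secretly_weak() is a random stand-in, not a weakness.
"""
import hashlib
from math import isqrt

P = 1009                   # toy field; real standards use 224- to 521-bit primes
VULN_RATE = 100            # assumed: 1 in 100 acceptable curves has the secret property
MAX_EMBEDDING_DEGREE = 20  # SEC/ANSI-style MOV bound, used here as a toy check


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    return all(n % d for d in range(2, isqrt(n) + 1))


def count_points(p: int, a: int, b: int) -> int:
    """#E(F_p) for y^2 = x^3 + a x + b, point at infinity included.
    #E = p + 1 + sum_x chi(x^3 + a x + b), chi the Legendre symbol.
    Fine at toy size; real sizes need Schoof/SEA."""
    total = p + 1
    for x in range(p):
        v = (x * x * x + a * x + b) % p
        if v:
            total += 1 if pow(v, (p - 1) // 2, p) == 1 else -1
    return total


def curve_from_seed(seed: bytes, p: int = P) -> tuple:
    """Assumed public seed-to-curve map: a and b from the halves of SHA-256(seed)."""
    h = hashlib.sha256(seed).digest()
    return int.from_bytes(h[:16], "big") % p, int.from_bytes(h[16:], "big") % p


def publicly_acceptable(p: int, a: int, b: int) -> bool:
    """Checks anyone can rerun on the published (seed, a, b):
    nonsingular, prime order, not anomalous, no small embedding degree."""
    if (4 * a * a * a + 27 * b * b) % p == 0:
        return False
    n = count_points(p, a, b)
    if n == p or not is_prime(n):
        return False
    return all(pow(p, k, n) != 1 for k in range(1, MAX_EMBEDDING_DEGREE + 1))


def secretly_weak(p: int, a: int, b: int) -> bool:
    """Stand-in for the attacker's private knowledge: a uniformly random
    1-in-VULN_RATE event keyed to the curve. NOT a real weakness."""
    tag = hashlib.sha256(b"private-property|" + f"{p},{a},{b}".encode()).digest()
    return int.from_bytes(tag[:4], "big") < (1 << 32) // VULN_RATE


def sabotage_search(max_seeds: int = 200_000, p: int = P) -> dict:
    """Attacker's loop: walk seeds until one yields a curve that passes the
    public checks AND has the secret property. Returns the seed to publish
    together with the work spent, which the public never sees."""
    accepted = 0
    for i in range(max_seeds):
        seed = i.to_bytes(8, "big")
        a, b = curve_from_seed(seed, p)
        if not publicly_acceptable(p, a, b):
            continue
        accepted += 1
        if secretly_weak(p, a, b):
            return {"seed": seed, "a": a, "b": b,
                    "seeds_tried": i + 1, "acceptable_seen": accepted}
    raise RuntimeError("no suitable seed within budget; raise max_seeds")


def verify_published(seed: bytes, a: int, b: int, p: int = P) -> bool:
    """What 'verifiably random' lets the public check: the curve really comes
    from the seed and passes the criteria. It says nothing about rejected seeds."""
    return curve_from_seed(seed, p) == (a, b) and publicly_acceptable(p, a, b)


def expected_seeds(acceptance_rate: float, vuln_rate: int = VULN_RATE) -> float:
    """Cost model from the abstract: one acceptable curve in vuln_rate is usable,
    and only acceptance_rate of all seeds give an acceptable curve."""
    return vuln_rate / acceptance_rate


if __name__ == "__main__":
    r = sabotage_search()
    rate = r["acceptable_seen"] / r["seeds_tried"]
    print(f"published seed {r['seed'].hex()} -> a={r['a']} b={r['b']}")
    print(f"tried {r['seeds_tried']} seeds, {r['acceptable_seen']} acceptable; "
          f"model predicts about {expected_seeds(rate):.0f} seeds")
    print("public verification passes:", verify_published(r["seed"], r["a"], r["b"]))
```

Running it prints a seed that passes verify_published together with the number of seeds discarded to reach it; compare seeds_tried with expected_seeds(). At real sizes the per-seed cost is one SEA point count rather than a loop over F_p, and the paper's Brainpool and NUMS analysis is about how much freedom each public procedure leaves (the acceptance rate and the number of free choices), which is exactly the factor that turns a one-in-a-million property into a feasible search.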


Keywords: Elliptic-curve cryptography, Verifiably random curves, Verifiably pseudorandom curves, Minimal curves, Nothing-up-my-sleeve numbers, ANSI X9, NIST, SECG, Brainpool, Microsoft NUMS


Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. Department of Mathematics and Computer Science, Technische Universiteit Eindhoven, Eindhoven, Netherlands
  2. Department of Computer Science, University of Illinois at Chicago, Chicago, USA
