How to manipulate curve standards: a white paper for the black hat

Daniel J. Bernstein; Tony Chou; Chitchanok Chuengsatiansup; Andreas Hülsing; Eran Lambooij; Tanja Lange; Ruben Niederhagen; Christine Van Vredendaal

doi:10.1007/978-3-319-27152-1_6

How to manipulate curve standards: a white paper for the black hat

Daniel J. Bernstein
, Tony Chou
, Chitchanok Chuengsatiansup
, Andreas Hülsing
, Eran Lambooij
, Tanja Lange
, Ruben Niederhagen
, Christine Van Vredendaal

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

14 Citations (Scopus)

3 Downloads (Pure)

Abstract

This paper analyzes the cost of breaking ECC under the following assumptions: (1) ECC is using a standardized elliptic curve that was actually chosen by an attacker; (2) the attacker is aware of a vulnerability in some curves that are not publicly known to be vulnerable. This cost includes the cost of exploiting the vulnerability, but also the initial cost of computing a curve suitable for sabotaging the standard. This initial cost depends heavily upon the acceptability criteria used by the public to decide whether to allow a curve as a standard, and (in most cases) also upon the chance of a curve being vulnerable. This paper shows the importance of accurately modeling the actual acceptability criteria: i.e., figuring out what the public can be fooled into accepting. For example, this paper shows that plausible models of the “Brainpool acceptability criteria” allow the attacker to target a onein- a-million vulnerability and that plausible models of the “Microsoft NUMS criteria” allow the attacker to target a one-in-a-hundred-thousand vulnerability.

Original language	English
Title of host publication	Security Standardisation Research
Subtitle of host publication	Second International Conference, SSR 2015, Tokyo, Japan, December 15-16, 2015, Proceedings
Editors	L. Chen, S. Matsuo
Place of Publication	Berlin
Publisher	Springer
Pages	109-139
Number of pages	31
ISBN (Print)	9783319271514
DOIs	https://doi.org/10.1007/978-3-319-27152-1_6
Publication status	Published - 2015
Event	2nd International Conference on Security Standardisation Research (SSR 2015), December 15-16, 2015, Tokyo, Japan - Tokyo, Japan Duration: 15 Dec 2015 → 16 Dec 2015 http://ssr2015.com/

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	9497
ISSN (Print)	03029743
ISSN (Electronic)	16113349

Conference

Conference	2nd International Conference on Security Standardisation Research (SSR 2015), December 15-16, 2015, Tokyo, Japan
Abbreviated title	SSR 2015
Country/Territory	Japan
City	Tokyo
Period	15/12/15 → 16/12/15
Internet address	http://ssr2015.com/

Keywords

ANSI X9
Brainpool
Elliptic-curve cryptography
Microsoft NUMS
Minimal curves
NIST
Nothing-up-mysleeve numbers
SECG
Verifiably pseudorandom curves
Verifiably random curves

Access to Document

10.1007/978-3-319-27152-1_6

https://eprint.iacr.org/2014/571

Cite this

Bernstein, D. J., Chou, T., Chuengsatiansup, C., Hülsing, A., Lambooij, E., Lange, T., Niederhagen, R., & Van Vredendaal, C. (2015). How to manipulate curve standards: a white paper for the black hat. In L. Chen, & S. Matsuo (Eds.), Security Standardisation Research: Second International Conference, SSR 2015, Tokyo, Japan, December 15-16, 2015, Proceedings (pp. 109-139). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 9497). Springer. https://doi.org/10.1007/978-3-319-27152-1_6

Bernstein, Daniel J. ; Chou, Tony ; Chuengsatiansup, Chitchanok et al. / How to manipulate curve standards : a white paper for the black hat. Security Standardisation Research: Second International Conference, SSR 2015, Tokyo, Japan, December 15-16, 2015, Proceedings. editor / L. Chen ; S. Matsuo. Berlin : Springer, 2015. pp. 109-139 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{c7cc545579cf425da588fe9e7879d3f2,

title = "How to manipulate curve standards: a white paper for the black hat",

abstract = "This paper analyzes the cost of breaking ECC under the following assumptions: (1) ECC is using a standardized elliptic curve that was actually chosen by an attacker; (2) the attacker is aware of a vulnerability in some curves that are not publicly known to be vulnerable. This cost includes the cost of exploiting the vulnerability, but also the initial cost of computing a curve suitable for sabotaging the standard. This initial cost depends heavily upon the acceptability criteria used by the public to decide whether to allow a curve as a standard, and (in most cases) also upon the chance of a curve being vulnerable. This paper shows the importance of accurately modeling the actual acceptability criteria: i.e., figuring out what the public can be fooled into accepting. For example, this paper shows that plausible models of the “Brainpool acceptability criteria” allow the attacker to target a onein- a-million vulnerability and that plausible models of the “Microsoft NUMS criteria” allow the attacker to target a one-in-a-hundred-thousand vulnerability.",

keywords = "ANSI X9, Brainpool, Elliptic-curve cryptography, Microsoft NUMS, Minimal curves, NIST, Nothing-up-mysleeve numbers, SECG, Verifiably pseudorandom curves, Verifiably random curves",

author = "Bernstein, \{Daniel J.\} and Tony Chou and Chitchanok Chuengsatiansup and Andreas H{\"u}lsing and Eran Lambooij and Tanja Lange and Ruben Niederhagen and \{Van Vredendaal\}, Christine",

year = "2015",

doi = "10.1007/978-3-319-27152-1\_6",

language = "English",

isbn = "9783319271514",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer",

pages = "109--139",

editor = "L. Chen and Matsuo, \{S. \}",

booktitle = "Security Standardisation Research",

address = "Germany",

note = "2nd International Conference on Security Standardisation Research (SSR 2015), December 15-16, 2015, Tokyo, Japan, SSR 2015 ; Conference date: 15-12-2015 Through 16-12-2015",

url = "http://ssr2015.com/",

}

Bernstein, DJ, Chou, T, Chuengsatiansup, C, Hülsing, A, Lambooij, E, Lange, T, Niederhagen, R & Van Vredendaal, C 2015, How to manipulate curve standards: a white paper for the black hat. in L Chen & S Matsuo (eds), Security Standardisation Research: Second International Conference, SSR 2015, Tokyo, Japan, December 15-16, 2015, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 9497, Springer, Berlin, pp. 109-139, 2nd International Conference on Security Standardisation Research (SSR 2015), December 15-16, 2015, Tokyo, Japan, Tokyo, Japan, 15/12/15. https://doi.org/10.1007/978-3-319-27152-1_6

How to manipulate curve standards: a white paper for the black hat. / Bernstein, Daniel J.; Chou, Tony; Chuengsatiansup, Chitchanok et al.
Security Standardisation Research: Second International Conference, SSR 2015, Tokyo, Japan, December 15-16, 2015, Proceedings. ed. / L. Chen; S. Matsuo. Berlin: Springer, 2015. p. 109-139 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 9497).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - How to manipulate curve standards

T2 - 2nd International Conference on Security Standardisation Research (SSR 2015), December 15-16, 2015, Tokyo, Japan

AU - Bernstein, Daniel J.

AU - Chou, Tony

AU - Chuengsatiansup, Chitchanok

AU - Hülsing, Andreas

AU - Lambooij, Eran

AU - Lange, Tanja

AU - Niederhagen, Ruben

AU - Van Vredendaal, Christine

PY - 2015

Y1 - 2015

N2 - This paper analyzes the cost of breaking ECC under the following assumptions: (1) ECC is using a standardized elliptic curve that was actually chosen by an attacker; (2) the attacker is aware of a vulnerability in some curves that are not publicly known to be vulnerable. This cost includes the cost of exploiting the vulnerability, but also the initial cost of computing a curve suitable for sabotaging the standard. This initial cost depends heavily upon the acceptability criteria used by the public to decide whether to allow a curve as a standard, and (in most cases) also upon the chance of a curve being vulnerable. This paper shows the importance of accurately modeling the actual acceptability criteria: i.e., figuring out what the public can be fooled into accepting. For example, this paper shows that plausible models of the “Brainpool acceptability criteria” allow the attacker to target a onein- a-million vulnerability and that plausible models of the “Microsoft NUMS criteria” allow the attacker to target a one-in-a-hundred-thousand vulnerability.

AB - This paper analyzes the cost of breaking ECC under the following assumptions: (1) ECC is using a standardized elliptic curve that was actually chosen by an attacker; (2) the attacker is aware of a vulnerability in some curves that are not publicly known to be vulnerable. This cost includes the cost of exploiting the vulnerability, but also the initial cost of computing a curve suitable for sabotaging the standard. This initial cost depends heavily upon the acceptability criteria used by the public to decide whether to allow a curve as a standard, and (in most cases) also upon the chance of a curve being vulnerable. This paper shows the importance of accurately modeling the actual acceptability criteria: i.e., figuring out what the public can be fooled into accepting. For example, this paper shows that plausible models of the “Brainpool acceptability criteria” allow the attacker to target a onein- a-million vulnerability and that plausible models of the “Microsoft NUMS criteria” allow the attacker to target a one-in-a-hundred-thousand vulnerability.

KW - ANSI X9

KW - Brainpool

KW - Elliptic-curve cryptography

KW - Microsoft NUMS

KW - Minimal curves

KW - NIST

KW - Nothing-up-mysleeve numbers

KW - SECG

KW - Verifiably pseudorandom curves

KW - Verifiably random curves

UR - https://www.scopus.com/pages/publications/84952768133

U2 - 10.1007/978-3-319-27152-1_6

DO - 10.1007/978-3-319-27152-1_6

M3 - Conference contribution

AN - SCOPUS:84952768133

SN - 9783319271514

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 109

EP - 139

BT - Security Standardisation Research

A2 - Chen, L.

A2 - Matsuo, S.

PB - Springer

CY - Berlin

Y2 - 15 December 2015 through 16 December 2015

ER -

Bernstein DJ, Chou T, Chuengsatiansup C, Hülsing A, Lambooij E, Lange T et al. How to manipulate curve standards: a white paper for the black hat. In Chen L, Matsuo S, editors, Security Standardisation Research: Second International Conference, SSR 2015, Tokyo, Japan, December 15-16, 2015, Proceedings. Berlin: Springer. 2015. p. 109-139. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-319-27152-1_6

How to manipulate curve standards: a white paper for the black hat

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this