How to manipulate standards (PowerPoint PPT presentation)
SLIDES 1–8

How to manipulate standards
Daniel J. Bernstein
University of Illinois at Chicago & Technische Universiteit Eindhoven

(Picture credit: Reuters.)

Chinese government is under attack from terrorists in Hong Kong.

Goal of this talk: Help the government decrypt the terrorists’ encrypted communications.

Intercept the ciphertext. (Also exploit metadata etc.)

How does the ciphertext relate to the plaintext?

Maybe 56-bit DES. Feasible to search all 2^56 possible keys, check plaintext plausibility.

Maybe 128-bit AES. Feasible search is unlikely to find this target’s key. (But can improve probability by batching many targets.)

SLIDES 9–19

Are there better ways to find plaintext given AES ciphertext? Extensively studied in public literature. Doesn’t look good for us.

Maybe we’re smarter and can find something better than what’s in the literature.

Maybe there are other parts of the system that have been less studied, are easier for us to break.

Standard security model says: terrorists compute cipher; we see cipher output.

Maybe terrorists occasionally compute something different. Unintentionally: “bugs”. With our help: “faults”.

Maybe we actually see more than cipher output. “Side channels”: e.g., plaintext or key is visible through power consumption or electromagnetic radiation.
SLIDES 20–31

How do the terrorists agree upon an AES key?

Maybe secret-key cryptography. Terrorists Alice and Bob meet, produce 128-bit key using a random-number generator.

Maybe we can break this RNG. See Tanja Lange’s talk.

Maybe the key is still stored on Bob’s computer and we can grab computer. Lack of “key erasure” (aka “forward secrecy”).

Maybe public-key cryptography. e.g. ECDH_{E,P} key exchange using standard point P on an elliptic curve E:

1. Alice generates secret a, sends aP on E.
2. Bob generates secret b, sends bP on E.
3. Alice computes abP.
4. Bob computes abP.
5. Alice and Bob convert abP into AES key.

Maybe we can break RNG for a.

Maybe we can grab a. Hard if Alice discarded it.

Maybe we can modify aP. Hard if Bob already knows it. (Not compatible with discard ⇒ Alice, Bob use two DH layers.)

Maybe we can “break ECDL”: compute a from aP.

Maybe we can “break ECDH”: compute abP from aP, bP.

SLIDES 32–38

ECDL/ECDH difficulty depends on curve E. How did terrorists decide which curve E to use?

How did terrorists decide to use ECDH instead of another public-key protocol?

How did terrorists decide to use AES instead of another secret-key cipher?

Did they screw up? (See TLS.) Can we influence this?

SLIDES 39–49

Move towards more accurate model of cryptography. e.g. protocol ECDH_V:

−1. Jerry generates E, P, S.
0. Public checks V(E, P, S) = 1.
1. Alice generates secret a, sends aP on E.
2. Bob generates secret b, sends bP on E.
3. Alice computes abP.
4. Bob computes abP.
5. Alice and Bob convert abP into AES key.

What is V? Which curves will public accept?

What does Jerry do? Will he accidentally help us?

How robust is this protocol? How secure is this protocol if Jerry works for us?

Traditional crypto literature fails to formalize any of this. Also fails to formalize analogous questions about selecting ciphers, protocols, etc.

slide-50
SLIDE 50

towards more accurate

  • f cryptography.

rotocol ECDHV : Jerry generates E; P; S. Public checks V (E; P; S) = 1. Alice generates secret a, aP on E. Bob generates secret b, bP on E. Alice computes abP. Bob computes abP. Alice and Bob convert into AES key. What is V ? Which curves will public accept? What does Jerry do? Will he accidentally help us? How robust is this protocol? How secure is this protocol if Jerry works for us? Traditional crypto literature fails to formalize any of this. Also fails to formalize analogous questions about selecting ciphers, protocols, etc. Warmup: Extensive Pollard rho Pohlig–Hellman MOV/FR SmartASS V1: any public criteria

slide-51
SLIDE 51

more accurate cryptography. ECDHV : generates E; P; S. V (E; P; S) = 1. generates secret a, generates secret b, computes abP. computes abP. Bob convert ey. What is V ? Which curves will public accept? What does Jerry do? Will he accidentally help us? How robust is this protocol? How secure is this protocol if Jerry works for us? Traditional crypto literature fails to formalize any of this. Also fails to formalize analogous questions about selecting ciphers, protocols, etc. Warmup: Manipulating Extensive ECDL/ECDH Pollard rho breaks Pohlig–Hellman breaks MOV/FR breaks some SmartASS breaks some V1: any curve surviving public criteria is acceptable.

slide-52
SLIDE 52

accurate S. ) = 1. , , What is V ? Which curves will public accept? What does Jerry do? Will he accidentally help us? How robust is this protocol? How secure is this protocol if Jerry works for us? Traditional crypto literature fails to formalize any of this. Also fails to formalize analogous questions about selecting ciphers, protocols, etc. Warmup: Manipulating curves Extensive ECDL/ECDH literature: Pollard rho breaks small E, Pohlig–Hellman breaks most MOV/FR breaks some E, SmartASS breaks some E, etc. V1: any curve surviving these public criteria is acceptable.

slide-60
SLIDE 60

Warmup: Manipulating curves

Assume that we've figured out how to break another curve E. Jerry standardizes this curve. Alice and Bob use it.

Is V1 plausible? Would terrorists really accept any curve chosen by Jerry that survives these criteria?

Example showing plausibility: French ANSSI FRP256V1 (2011) is a random-looking curve that survives these criteria and has no other justification.

Earlier example: Chinese OSCCA SM2 (2010).

slide-64
SLIDE 64

Manipulating seeds

V2: the curve must satisfy the public criteria, and Jerry must provide a "seed" s such that E = H(s).

Examples: ANSI X9.62 (1999), "selecting an elliptic curve verifiably at random"; Certicom SEC 2 1.0 (2000), "verifiably random parameters offer some additional conservative features" and "parameters cannot be predetermined"; NIST FIPS 186-2 (2000); ANSI X9.63 (2001); Certicom SEC 2 2.0 (2010).

slide-69
SLIDE 69

What exactly is H?

NIST defines the curve E as y^2 = x^3 − 3x + b, where b^2 c = −27 (mod p); c is a hash of s, and the hash is a SHA-1 concatenation.

But clearly the public will accept other choices of H.

Examples: Brainpool (2005) uses c = g^3/h^2 where g and h are separate hashes. NIST FIPS 186-4 (2013) requires an "approved hash function, as specified in FIPS 180"; it no longer allows SHA-1!

slide-74
SLIDE 74

What exactly is H?

1999 Scott: "Consider now the possibility that one in a million of all curves have an exploitable structure that 'they' know about, but we don't. Then 'they' simply generate a million random seeds until they find one that generates one of 'their' curves. Then they get us to use them."

New: Optimized this computation using Keccak on a cluster of 41 GTX780 GPUs. In 7 hours found a "secure+twist-secure" curve with b = 0xBADA55ECD8BBEAD3ADD6C534F92197DEB47FCEB9BE7E0E702A8D1DD56B5D0B0C.
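The seed-to-curve map H from the previous slides (ANSI X9.62 / FIPS 186-2 prime-field case: c from a SHA-1 concatenation of the seed, then b^2 c = −27 mod p for the NIST choice a = −3) together with Scott's seed search, as an added Python example; this is not code from the talk or from the BADA55 paper. It first reproduces P-256's published b from NIST's published seed, then runs the search against a stand-in "property they want": the top byte of b must equal a chosen value, a hypothetical placeholder for a weakness only the searcher knows about, picked so the loop finishes in a few hundred trials. The P-256 constants are the real published ones; the function names, the starting seed 0xC0FFEE and the top-byte predicate are this example's own assumptions, and the public security criteria (point counting, twist checks) are omitted.

```python
import hashlib

# NIST P-256 as published in FIPS 186-2: prime, coefficient b, and the seed.
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_SEED = bytes.fromhex("c49d360886e704936a6678e1139d26b7819f7e90")


def x962_c_from_seed(seed: bytes, p: int) -> int:
    """ANSI X9.62 A.3.3.1 / FIPS 186-2: c = "SHA-1 concatenation" of the seed.

    t = ceil(log2 p), s = floor((t-1)/160), v = t - 160*s.
    W0 = the v rightmost bits of SHA-1(seed) with its leftmost bit cleared,
    Wi = SHA-1((seed + i) mod 2^g) for i = 1..s, and c = W0 || W1 || ... || Ws.
    """
    g = 8 * len(seed)
    t = p.bit_length()
    s = (t - 1) // 160
    v = t - 160 * s
    h0 = int.from_bytes(hashlib.sha1(seed).digest(), "big")
    w = (h0 & ((1 << v) - 1)) & ~(1 << (v - 1))
    z = int.from_bytes(seed, "big")
    for i in range(1, s + 1):
        zi = ((z + i) % (1 << g)).to_bytes(g // 8, "big")
        w = (w << 160) | int.from_bytes(hashlib.sha1(zi).digest(), "big")
    return w


def b_from_c(c: int, p: int):
    """Solve b^2 * c = -27 (mod p), i.e. the NIST choice a = -3.

    Returns None when the standard's rejection rule fires (c = 0 or
    4c + 27 = 0 mod p) or when -27/c has no square root. The square root
    shortcut assumes p = 3 (mod 4), which holds for P-256.
    """
    if p % 4 != 3:
        raise ValueError("square-root shortcut needs p = 3 (mod 4)")
    if c % p == 0 or (4 * c + 27) % p == 0:
        return None
    rhs = (-27 * pow(c, -1, p)) % p
    b = pow(rhs, (p + 1) // 4, p)
    return b if (b * b) % p == rhs else None


def verify_seed(p: int, seed: bytes, b: int) -> bool:
    """Check that b and the seed are related exactly as the standard claims."""
    return (b * b * x962_c_from_seed(seed, p) + 27) % p == 0


def scott_search(p: int, start_seed: int, wanted_top_byte: int,
                 max_trials: int = 1 << 16):
    """Scott (1999): try seeds until H(seed) lands on a curve 'they' like.

    The wanted property is a hypothetical stand-in: the top byte of b must
    equal wanted_top_byte (the BADA55 curves fixed a longer prefix of b).
    A real attacker would test for a secret weakness instead, and a real
    standardizer would also run the public criteria, omitted here.
    Returns (seed, b, trials) or None.
    """
    for i in range(max_trials):
        seed = ((start_seed + i) % (1 << 160)).to_bytes(20, "big")
        b = b_from_c(x962_c_from_seed(seed, p), p)
        if b is not None and (b >> 248) == wanted_top_byte:
            return seed, b, i + 1
    return None


if __name__ == "__main__":
    print("P-256 seed reproduces b:", verify_seed(P256_P, P256_SEED, P256_B))
    seed, b, n = scott_search(P256_P, 0xC0FFEE, 0xBA)
    print(f"after {n} seeds: seed={seed.hex()} b={b:064x}")
```

Every seed the loop rejects is thrown away silently, which is the whole point of Scott's remark: the published seed still "verifies", and nothing in the verification procedure records how many other seeds were tried first. A 160-bit seed gives the standardizer 2^160 equally verifiable choices, so a prefix of 24 bits (BADA55) costs about 2^24 hash-and-root evaluations, which is the computation the GPU cluster above performed at full size.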

slide-78
SLIDE 78

Manipulating NUMS numbers

Brainpool standard: "The choice of the seeds from which the [NIST] curve parameters have been derived is not motivated leaving an essential part of the security analysis open. ... Verifiably pseudo-random. The [Brainpool] curves shall be generated in a pseudo-random manner using seeds that are generated in a systematic and comprehensive way."

slide-82
SLIDE 82

Manipulating NUMS numbers

Wikipedia: "In cryptography, nothing up my sleeve numbers are any numbers which, by their construction, are above suspicion of hidden properties."

Microsoft "NUMS" curves (2014): "generated deterministically from the security level".

Albertini–Aumasson–Eichlseder–Mendel–Schläffer, "Malicious hashing" (2014): "constants in hash functions are normally expected to be identifiable as nothing-up-your-sleeve numbers".

slide-88
SLIDE 88

Wikipedia: “In cryptography, nothing up my sleeve numbers are any numbers which, by their construction, are above suspicion

  • f hidden properties.”

Microsoft “NUMS” curves (2014): “generated deterministically from the security level”. Albertini–Aumasson–Eichlseder– Mendel–Schl¨ affer “Malicious hashing” (2014): “constants in hash functions are normally expected to be identifiable as nothing-up-your-sleeve numbers”. New: We generated a BADA55 curve “BADA55-VPR-224” with a Brainpool-like explanation. We actually generated >1000000 curves, each having a Brainpool-like explanation. Example of underlying flexibility: Brainpool generates seeds from exp(1) and primes from arctan(1); MD5 generates constants from sin(1); BADA55-VPR-224 generated a seed from cos(1).

slide-92
SLIDE 92

Most material in this talk was drawn from this paper:

How to manipulate curve standards: a white paper for the black hat
Daniel J. Bernstein, Tung Chou, Chitchanok Chuengsatiansup, Andreas Hülsing, Tanja Lange, Ruben Niederhagen, Christine van Vredendaal
safecurves.cr.yp.to/bada55.html