How to Textbook key exchange manipulate curve standards: - - PowerPoint PPT Presentation

How to manipulate curve standards: a white paper for the black hat Daniel J. Bernstein Tung Chou Chitchanok Chuengsatiansup Andreas H¨ ulsing Eran Lambooij Tanja Lange Ruben Niederhagen Christine van Vredendaal bada55.cr.yp.to Textbook key exchange using standard point P

• n a standard elliptic curve E:

Alice’s secret key a

• Bob’s

secret key b

• Alice’s

public key aP

• ▲

▲ ▲ ▲ ▲ ▲ ▲ Bob’s public key bP rrrrrrr {Alice; Bob}’s shared secret abP = {Bob; Alice}’s shared secret baP

How to manipulate curve standards: a white paper for the black hat Daniel J. Bernstein Tung Chou Chitchanok Chuengsatiansup Andreas H¨ ulsing Eran Lambooij Tanja Lange Ruben Niederhagen Christine van Vredendaal bada55.cr.yp.to Textbook key exchange using standard point P

• n a standard elliptic curve E:

Alice’s secret key a

• Bob’s

secret key b

• Alice’s

public key aP

• ▲

▲ ▲ ▲ ▲ ▲ ▲ Bob’s public key bP rrrrrrr {Alice; Bob}’s shared secret abP = {Bob; Alice}’s shared secret baP Security depends on choice of E.

to manipulate curve standards: white paper for the black hat

• J. Bernstein

Chou Chitchanok Chuengsatiansup Andreas H¨ ulsing Lambooij Lange Niederhagen Christine van Vredendaal bada55.cr.yp.to Textbook key exchange using standard point P

• n a standard elliptic curve E:

Alice’s secret key a

• Bob’s

secret key b

• Alice’s

public key aP

• ▲

▲ ▲ ▲ ▲ ▲ ▲ Bob’s public key bP rrrrrrr {Alice; Bob}’s shared secret abP = {Bob; Alice}’s shared secret baP Security depends on choice of E. Our Alice’s secret

• Alice’s

public aP {Alice; Bob shared abP

curve standards: r the black hat Bernstein Chuengsatiansup Niederhagen redendaal bada55.cr.yp.to Textbook key exchange using standard point P

• n a standard elliptic curve E:

Alice’s secret key a

• Bob’s

secret key b

• Alice’s

public key aP

• ▲

▲ ▲ ▲ ▲ ▲ ▲ Bob’s public key bP rrrrrrr {Alice; Bob}’s shared secret abP = {Bob; Alice}’s shared secret baP Security depends on choice of E. Our partner choice of

• Alice’s

secret key a

• Alice’s

public key aP ▲ ▲ ▲ ▲ ▲ rrrrr {Alice; Bob}’s shared secret abP =

rds: black hat Chuengsatiansup Textbook key exchange using standard point P

• n a standard elliptic curve E:

Alice’s secret key a

• Bob’s

secret key b

• Alice’s

public key aP

• ▲

▲ ▲ ▲ ▲ ▲ ▲ Bob’s public key bP rrrrrrr {Alice; Bob}’s shared secret abP = {Bob; Alice}’s shared secret baP Security depends on choice of E. Our partner Jerry’s choice of E; P

• Alice’s

secret key a

• Bob’s

secret k

• Alice’s

public key aP

• ▲

▲ ▲ ▲ ▲ ▲ ▲ Bob’s public bP rrrrrrr {Alice; Bob}’s shared secret abP = {Bob; Alice shared sec baP

Textbook key exchange using standard point P

• n a standard elliptic curve E:

Alice’s secret key a

• Bob’s

secret key b

• Alice’s

public key aP

• ▲

▲ ▲ ▲ ▲ ▲ ▲ Bob’s public key bP rrrrrrr {Alice; Bob}’s shared secret abP = {Bob; Alice}’s shared secret baP Security depends on choice of E. Our partner Jerry’s choice of E; P

• Alice’s

secret key a

• Bob’s

secret key b

• Alice’s

public key aP

• ▲

▲ ▲ ▲ ▲ ▲ ▲ Bob’s public key bP rrrrrrr {Alice; Bob}’s shared secret abP = {Bob; Alice}’s shared secret baP

Textbook key exchange using standard point P

• n a standard elliptic curve E:

Alice’s secret key a

• Bob’s

secret key b

• Alice’s

public key aP

• ▲

▲ ▲ ▲ ▲ ▲ ▲ Bob’s public key bP rrrrrrr {Alice; Bob}’s shared secret abP = {Bob; Alice}’s shared secret baP Security depends on choice of E. Our partner Jerry’s choice of E; P

• Alice’s

secret key a

• Bob’s

secret key b

• Alice’s

public key aP

• ▲

▲ ▲ ▲ ▲ ▲ ▲ Bob’s public key bP rrrrrrr {Alice; Bob}’s shared secret abP = {Bob; Alice}’s shared secret baP Can we exploit this picture?

• k key exchange

standard point P standard elliptic curve E: Alice’s secret key a

• Bob’s

secret key b

• Alice’s

public key aP

• ▲

▲ ▲ ▲ ▲ ▲ ▲ Bob’s public key bP rrrrrrr ; Bob}’s red secret bP = {Bob; Alice}’s shared secret baP Security depends on choice of E. Our partner Jerry’s choice of E; P

• Alice’s

secret key a

• Bob’s

secret key b

• Alice’s

public key aP

• ▲

▲ ▲ ▲ ▲ ▲ ▲ Bob’s public key bP rrrrrrr {Alice; Bob}’s shared secret abP = {Bob; Alice}’s shared secret baP Can we exploit this picture? Exploitabilit public criteria

exchange

• int P

elliptic curve E: Bob’s secret key b

• ▲

▲ ▲ Bob’s public key bP rrrr = {Bob; Alice}’s shared secret baP ends on choice of E. Our partner Jerry’s choice of E; P

• Alice’s

secret key a

• Bob’s

secret key b

• Alice’s

public key aP

• ▲

▲ ▲ ▲ ▲ ▲ ▲ Bob’s public key bP rrrrrrr {Alice; Bob}’s shared secret abP = {Bob; Alice}’s shared secret baP Can we exploit this picture? Exploitability depends public criteria for accepting

curve E: Bob’s key b

• Bob’s

public key P Alice}’s secret aP choice of E. Our partner Jerry’s choice of E; P

• Alice’s

secret key a

• Bob’s

secret key b

• Alice’s

public key aP

• ▲

▲ ▲ ▲ ▲ ▲ ▲ Bob’s public key bP rrrrrrr {Alice; Bob}’s shared secret abP = {Bob; Alice}’s shared secret baP Can we exploit this picture? Exploitability depends on public criteria for accepting E

Our partner Jerry’s choice of E; P

• Alice’s

secret key a

• Bob’s

secret key b

• Alice’s

public key aP

• ▲

▲ ▲ ▲ ▲ ▲ ▲ Bob’s public key bP rrrrrrr {Alice; Bob}’s shared secret abP = {Bob; Alice}’s shared secret baP Can we exploit this picture? Exploitability depends on public criteria for accepting E; P.

Our partner Jerry’s choice of E; P

• Alice’s

secret key a

• Bob’s

secret key b

• Alice’s

public key aP

• ▲

▲ ▲ ▲ ▲ ▲ ▲ Bob’s public key bP rrrrrrr {Alice; Bob}’s shared secret abP = {Bob; Alice}’s shared secret baP Can we exploit this picture? Exploitability depends on public criteria for accepting E; P. Extensive ECC literature: Pollard rho breaks small E, Pohlig–Hellman breaks most E, MOV/FR breaks some E, SmartASS breaks some E, etc. Assume that public will accept any E not publicly broken.

Our partner Jerry’s choice of E; P

• Alice’s

secret key a

• Bob’s

secret key b

• Alice’s

public key aP

• ▲

▲ ▲ ▲ ▲ ▲ ▲ Bob’s public key bP rrrrrrr {Alice; Bob}’s shared secret abP = {Bob; Alice}’s shared secret baP Can we exploit this picture? Exploitability depends on public criteria for accepting E; P. Extensive ECC literature: Pollard rho breaks small E, Pohlig–Hellman breaks most E, MOV/FR breaks some E, SmartASS breaks some E, etc. Assume that public will accept any E not publicly broken. Assume that we’ve figured out how to break another curve E.

Our partner Jerry’s choice of E; P

• Alice’s

secret key a

• Bob’s

secret key b

• Alice’s

public key aP

• ▲

▲ ▲ ▲ ▲ ▲ ▲ Bob’s public key bP rrrrrrr {Alice; Bob}’s shared secret abP = {Bob; Alice}’s shared secret baP Can we exploit this picture? Exploitability depends on public criteria for accepting E; P. Extensive ECC literature: Pollard rho breaks small E, Pohlig–Hellman breaks most E, MOV/FR breaks some E, SmartASS breaks some E, etc. Assume that public will accept any E not publicly broken. Assume that we’ve figured out how to break another curve E. Jerry standardizes this curve. Alice and Bob use it.

Our partner Jerry’s choice of E; P

• Alice’s

secret key a

• Bob’s

secret key b

• Alice’s

public key aP

• ▲

▲ ▲ ▲ ▲ ▲ ▲ Bob’s public key bP rrrrrrr ; Bob}’s red secret bP = {Bob; Alice}’s shared secret baP e exploit this picture? Exploitability depends on public criteria for accepting E; P. Extensive ECC literature: Pollard rho breaks small E, Pohlig–Hellman breaks most E, MOV/FR breaks some E, SmartASS breaks some E, etc. Assume that public will accept any E not publicly broken. Assume that we’ve figured out how to break another curve E. Jerry standardizes this curve. Alice and Bob use it. Is first assumption Would the any curve that survives

rtner Jerry’s

• f E; P
• Bob’s

secret key b

• ▲

▲ ▲ Bob’s public key bP rrrr = {Bob; Alice}’s shared secret baP this picture? Exploitability depends on public criteria for accepting E; P. Extensive ECC literature: Pollard rho breaks small E, Pohlig–Hellman breaks most E, MOV/FR breaks some E, SmartASS breaks some E, etc. Assume that public will accept any E not publicly broken. Assume that we’ve figured out how to break another curve E. Jerry standardizes this curve. Alice and Bob use it. Is first assumption Would the public really any curve chosen b that survives these

Jerry’s Bob’s key b

• Bob’s

public key P Alice}’s secret aP picture? Exploitability depends on public criteria for accepting E; P. Extensive ECC literature: Pollard rho breaks small E, Pohlig–Hellman breaks most E, MOV/FR breaks some E, SmartASS breaks some E, etc. Assume that public will accept any E not publicly broken. Assume that we’ve figured out how to break another curve E. Jerry standardizes this curve. Alice and Bob use it. Is first assumption plausible? Would the public really accept any curve chosen by Jerry that survives these criteria?

Exploitability depends on public criteria for accepting E; P. Extensive ECC literature: Pollard rho breaks small E, Pohlig–Hellman breaks most E, MOV/FR breaks some E, SmartASS breaks some E, etc. Assume that public will accept any E not publicly broken. Assume that we’ve figured out how to break another curve E. Jerry standardizes this curve. Alice and Bob use it. Is first assumption plausible? Would the public really accept any curve chosen by Jerry that survives these criteria?

Exploitability depends on public criteria for accepting E; P. Extensive ECC literature: Pollard rho breaks small E, Pohlig–Hellman breaks most E, MOV/FR breaks some E, SmartASS breaks some E, etc. Assume that public will accept any E not publicly broken. Assume that we’ve figured out how to break another curve E. Jerry standardizes this curve. Alice and Bob use it. Is first assumption plausible? Would the public really accept any curve chosen by Jerry that survives these criteria? Example showing plausibility: Chinese OSCCA SM2 (2010) includes algorithms and a curve. The curve looks random; survives these criteria; has no other justification.

Exploitability depends on public criteria for accepting E; P. Extensive ECC literature: Pollard rho breaks small E, Pohlig–Hellman breaks most E, MOV/FR breaks some E, SmartASS breaks some E, etc. Assume that public will accept any E not publicly broken. Assume that we’ve figured out how to break another curve E. Jerry standardizes this curve. Alice and Bob use it. Is first assumption plausible? Would the public really accept any curve chosen by Jerry that survives these criteria? Example showing plausibility: Chinese OSCCA SM2 (2010) includes algorithms and a curve. The curve looks random; survives these criteria; has no other justification. More recent example: French ANSSI FRP256V1 (2011). Again no justification.

Exploitability depends on criteria for accepting E; P. Extensive ECC literature: rho breaks small E,

• hlig–Hellman breaks most E,

V/FR breaks some E, rtASS breaks some E, etc. Assume that public will accept not publicly broken. Assume that we’ve figured out break another curve E. standardizes this curve. and Bob use it. Is first assumption plausible? Would the public really accept any curve chosen by Jerry that survives these criteria? Example showing plausibility: Chinese OSCCA SM2 (2010) includes algorithms and a curve. The curve looks random; survives these criteria; has no other justification. More recent example: French ANSSI FRP256V1 (2011). Again no justification. Maybe public

• utside China

E must not and Jerry “seed” s

depends on r accepting E; P. literature: reaks small E, breaks most E, some E, reaks some E, etc. public will accept publicly broken. e’ve figured out another curve E. rdizes this curve. use it. Is first assumption plausible? Would the public really accept any curve chosen by Jerry that survives these criteria? Example showing plausibility: Chinese OSCCA SM2 (2010) includes algorithms and a curve. The curve looks random; survives these criteria; has no other justification. More recent example: French ANSSI FRP256V1 (2011). Again no justification. Maybe public is mo

• utside China and

E must not be publicly and Jerry must provide “seed” s such that

accepting E; P. , most E, , etc. accept en.

• ut

curve E. curve. Is first assumption plausible? Would the public really accept any curve chosen by Jerry that survives these criteria? Example showing plausibility: Chinese OSCCA SM2 (2010) includes algorithms and a curve. The curve looks random; survives these criteria; has no other justification. More recent example: French ANSSI FRP256V1 (2011). Again no justification. Maybe public is more demanding

• utside China and France:

E must not be publicly broken, and Jerry must provide a “seed” s such that E = H(s

Is first assumption plausible? Would the public really accept any curve chosen by Jerry that survives these criteria? Example showing plausibility: Chinese OSCCA SM2 (2010) includes algorithms and a curve. The curve looks random; survives these criteria; has no other justification. More recent example: French ANSSI FRP256V1 (2011). Again no justification. Maybe public is more demanding

• utside China and France:

E must not be publicly broken, and Jerry must provide a “seed” s such that E = H(s).

Is first assumption plausible? Would the public really accept any curve chosen by Jerry that survives these criteria? Example showing plausibility: Chinese OSCCA SM2 (2010) includes algorithms and a curve. The curve looks random; survives these criteria; has no other justification. More recent example: French ANSSI FRP256V1 (2011). Again no justification. Maybe public is more demanding

• utside China and France:

E must not be publicly broken, and Jerry must provide a “seed” s such that E = H(s). Examples: ANSI X9.62 (1999) “selecting an elliptic curve verifiably at random”; Certicom SEC 2 1.0 (2000) “verifiably random parameters offer some additional conservative features”—“parameters cannot be predetermined”; NIST FIPS 186-2 (2000); ANSI X9.63 (2001); Certicom SEC 2 2.0 (2010).

assumption plausible? the public really accept curve chosen by Jerry survives these criteria? Example showing plausibility: Chinese OSCCA SM2 (2010) includes algorithms and a curve. curve looks random; survives these criteria;

• ther justification.

recent example: ANSSI FRP256V1 (2011). no justification. Maybe public is more demanding

• utside China and France:

E must not be publicly broken, and Jerry must provide a “seed” s such that E = H(s). Examples: ANSI X9.62 (1999) “selecting an elliptic curve verifiably at random”; Certicom SEC 2 1.0 (2000) “verifiably random parameters offer some additional conservative features”—“parameters cannot be predetermined”; NIST FIPS 186-2 (2000); ANSI X9.63 (2001); Certicom SEC 2 2.0 (2010). NIST defines y2 = x3 b2c = − hash is SHA-1

assumption plausible? public really accept chosen by Jerry these criteria? wing plausibility: SM2 (2010) ithms and a curve. random; criteria; justification. example: FRP256V1 (2011). ation. Maybe public is more demanding

• utside China and France:

E must not be publicly broken, and Jerry must provide a “seed” s such that E = H(s). Examples: ANSI X9.62 (1999) “selecting an elliptic curve verifiably at random”; Certicom SEC 2 1.0 (2000) “verifiably random parameters offer some additional conservative features”—“parameters cannot be predetermined”; NIST FIPS 186-2 (2000); ANSI X9.63 (2001); Certicom SEC 2 2.0 (2010). NIST defines curve y2 = x3 − 3x + b b2c = −27; c is a hash is SHA-1 concatenation.

plausible? accept criteria? plausibility: (2010) curve. (2011). Maybe public is more demanding

• utside China and France:

E must not be publicly broken, and Jerry must provide a “seed” s such that E = H(s). Examples: ANSI X9.62 (1999) “selecting an elliptic curve verifiably at random”; Certicom SEC 2 1.0 (2000) “verifiably random parameters offer some additional conservative features”—“parameters cannot be predetermined”; NIST FIPS 186-2 (2000); ANSI X9.63 (2001); Certicom SEC 2 2.0 (2010). NIST defines curve E as y2 = x3 − 3x + b where b2c = −27; c is a hash of s; hash is SHA-1 concatenation.

Maybe public is more demanding

• utside China and France:

E must not be publicly broken, and Jerry must provide a “seed” s such that E = H(s). Examples: ANSI X9.62 (1999) “selecting an elliptic curve verifiably at random”; Certicom SEC 2 1.0 (2000) “verifiably random parameters offer some additional conservative features”—“parameters cannot be predetermined”; NIST FIPS 186-2 (2000); ANSI X9.63 (2001); Certicom SEC 2 2.0 (2010). NIST defines curve E as y2 = x3 − 3x + b where b2c = −27; c is a hash of s; hash is SHA-1 concatenation.

Maybe public is more demanding

• utside China and France:

E must not be publicly broken, and Jerry must provide a “seed” s such that E = H(s). Examples: ANSI X9.62 (1999) “selecting an elliptic curve verifiably at random”; Certicom SEC 2 1.0 (2000) “verifiably random parameters offer some additional conservative features”—“parameters cannot be predetermined”; NIST FIPS 186-2 (2000); ANSI X9.63 (2001); Certicom SEC 2 2.0 (2010). NIST defines curve E as y2 = x3 − 3x + b where b2c = −27; c is a hash of s; hash is SHA-1 concatenation. 1999 Scott: “Consider now the possibility that one in a million

• f all curves have an exploitable

structure that ‘they’ know about, but we don’t. Then ‘they’ simply generate a million random seeds until they find one that generates

• ne of ‘their’ curves. Then they

get us to use them.”

public is more demanding

• utside China and France:

must not be publicly broken, Jerry must provide a s such that E = H(s). Examples: ANSI X9.62 (1999) “selecting an elliptic curve verifiably at random”; Certicom 1.0 (2000) “verifiably parameters offer additional conservative features”—“parameters cannot redetermined”; NIST FIPS (2000); ANSI X9.63 (2001); Certicom SEC 2 2.0 (2010). NIST defines curve E as y2 = x3 − 3x + b where b2c = −27; c is a hash of s; hash is SHA-1 concatenation. 1999 Scott: “Consider now the possibility that one in a million

• f all curves have an exploitable

structure that ‘they’ know about, but we don’t. Then ‘they’ simply generate a million random seeds until they find one that generates

• ne of ‘their’ curves. Then they

get us to use them.” Optimized cluster of H = Keccak. “secure+t

BADA55EC B47FCEB9BE7E0E702A8D1DD56B5D0B0C

mod NIST

more demanding nd France: publicly broken, provide a that E = H(s). ANSI X9.62 (1999) elliptic curve dom”; Certicom (2000) “verifiably rameters offer conservative rameters cannot redetermined”; NIST FIPS ANSI X9.63 (2001); 2.0 (2010). NIST defines curve E as y2 = x3 − 3x + b where b2c = −27; c is a hash of s; hash is SHA-1 concatenation. 1999 Scott: “Consider now the possibility that one in a million

• f all curves have an exploitable

structure that ‘they’ know about, but we don’t. Then ‘they’ simply generate a million random seeds until they find one that generates

• ne of ‘their’ curves. Then they

get us to use them.” Optimized this computation cluster of 41 GTX780 H = Keccak. In 7 “secure+twist-secure”

BADA55ECD8BBEAD3ADD6C534F92197DE B47FCEB9BE7E0E702A8D1DD56B5D0B0C

mod NIST P-256.

anding roken, (s). (1999) Certicom “verifiably conservative cannot FIPS (2001); (2010). NIST defines curve E as y2 = x3 − 3x + b where b2c = −27; c is a hash of s; hash is SHA-1 concatenation. 1999 Scott: “Consider now the possibility that one in a million

• f all curves have an exploitable

structure that ‘they’ know about, but we don’t. Then ‘they’ simply generate a million random seeds until they find one that generates

• ne of ‘their’ curves. Then they

get us to use them.” Optimized this computation cluster of 41 GTX780 GPUs H = Keccak. In 7 hours found “secure+twist-secure” b = 0x

BADA55ECD8BBEAD3ADD6C534F92197DE B47FCEB9BE7E0E702A8D1DD56B5D0B0C

mod NIST P-256.

NIST defines curve E as y2 = x3 − 3x + b where b2c = −27; c is a hash of s; hash is SHA-1 concatenation. 1999 Scott: “Consider now the possibility that one in a million

• f all curves have an exploitable

structure that ‘they’ know about, but we don’t. Then ‘they’ simply generate a million random seeds until they find one that generates

• ne of ‘their’ curves. Then they

get us to use them.” Optimized this computation on cluster of 41 GTX780 GPUs using H = Keccak. In 7 hours found “secure+twist-secure” b = 0x

BADA55ECD8BBEAD3ADD6C534F92197DE B47FCEB9BE7E0E702A8D1DD56B5D0B0C

mod NIST P-256.

NIST defines curve E as y2 = x3 − 3x + b where b2c = −27; c is a hash of s; hash is SHA-1 concatenation. 1999 Scott: “Consider now the possibility that one in a million

• f all curves have an exploitable

structure that ‘they’ know about, but we don’t. Then ‘they’ simply generate a million random seeds until they find one that generates

• ne of ‘their’ curves. Then they

get us to use them.” Optimized this computation on cluster of 41 GTX780 GPUs using H = Keccak. In 7 hours found “secure+twist-secure” b = 0x

BADA55ECD8BBEAD3ADD6C534F92197DE B47FCEB9BE7E0E702A8D1DD56B5D0B0C

mod NIST P-256. Similarly found b = 0x

BADA55ECFD9CA54C0738B8A6FB8CF4CC F84E916D83D6DA1B78B622351E11AB4E

mod NIST P-224; and b = 0x

BADA55EC3BE2AD1F9EEEA5881ECF95BB F3AC392526F01D4CD13E684C63A17CC4 D5F271642AD83899113817A61006413D

mod NIST P-384.

defines curve E as

3 − 3x + b where

−27; c is a hash of s; is SHA-1 concatenation. Scott: “Consider now the

• ssibility that one in a million

curves have an exploitable structure that ‘they’ know about, don’t. Then ‘they’ simply generate a million random seeds they find one that generates ‘their’ curves. Then they to use them.” Optimized this computation on cluster of 41 GTX780 GPUs using H = Keccak. In 7 hours found “secure+twist-secure” b = 0x

BADA55ECD8BBEAD3ADD6C534F92197DE B47FCEB9BE7E0E702A8D1DD56B5D0B0C

mod NIST P-256. Similarly found b = 0x

BADA55ECFD9CA54C0738B8A6FB8CF4CC F84E916D83D6DA1B78B622351E11AB4E

mod NIST P-224; and b = 0x

BADA55EC3BE2AD1F9EEEA5881ECF95BB F3AC392526F01D4CD13E684C63A17CC4 D5F271642AD83899113817A61006413D

mod NIST P-384. Maybe in the public

curve E as b where a hash of s; concatenation. “Consider now the

• ne in a million

have an exploitable ‘they’ know about, Then ‘they’ simply million random seeds

• ne that generates
• curves. Then they

them.” Optimized this computation on cluster of 41 GTX780 GPUs using H = Keccak. In 7 hours found “secure+twist-secure” b = 0x

BADA55ECD8BBEAD3ADD6C534F92197DE B47FCEB9BE7E0E702A8D1DD56B5D0B0C

mod NIST P-256. Similarly found b = 0x

BADA55ECFD9CA54C0738B8A6FB8CF4CC F84E916D83D6DA1B78B622351E11AB4E

mod NIST P-224; and b = 0x

BADA55EC3BE2AD1F9EEEA5881ECF95BB F3AC392526F01D4CD13E684C63A17CC4 D5F271642AD83899113817A61006413D

mod NIST P-384. Maybe in some countries the public is more

s; concatenation. w the million exploitable about, simply seeds generates Then they Optimized this computation on cluster of 41 GTX780 GPUs using H = Keccak. In 7 hours found “secure+twist-secure” b = 0x

BADA55ECD8BBEAD3ADD6C534F92197DE B47FCEB9BE7E0E702A8D1DD56B5D0B0C

mod NIST P-256. Similarly found b = 0x

BADA55ECFD9CA54C0738B8A6FB8CF4CC F84E916D83D6DA1B78B622351E11AB4E

mod NIST P-224; and b = 0x

BADA55EC3BE2AD1F9EEEA5881ECF95BB F3AC392526F01D4CD13E684C63A17CC4 D5F271642AD83899113817A61006413D

mod NIST P-384. Maybe in some countries the public is more demanding.

Optimized this computation on cluster of 41 GTX780 GPUs using H = Keccak. In 7 hours found “secure+twist-secure” b = 0x

BADA55ECD8BBEAD3ADD6C534F92197DE B47FCEB9BE7E0E702A8D1DD56B5D0B0C

mod NIST P-256. Similarly found b = 0x

BADA55ECFD9CA54C0738B8A6FB8CF4CC F84E916D83D6DA1B78B622351E11AB4E

mod NIST P-224; and b = 0x

BADA55EC3BE2AD1F9EEEA5881ECF95BB F3AC392526F01D4CD13E684C63A17CC4 D5F271642AD83899113817A61006413D

mod NIST P-384. Maybe in some countries the public is more demanding.

Optimized this computation on cluster of 41 GTX780 GPUs using H = Keccak. In 7 hours found “secure+twist-secure” b = 0x

BADA55ECD8BBEAD3ADD6C534F92197DE B47FCEB9BE7E0E702A8D1DD56B5D0B0C

mod NIST P-256. Similarly found b = 0x

BADA55ECFD9CA54C0738B8A6FB8CF4CC F84E916D83D6DA1B78B622351E11AB4E

mod NIST P-224; and b = 0x

BADA55EC3BE2AD1F9EEEA5881ECF95BB F3AC392526F01D4CD13E684C63A17CC4 D5F271642AD83899113817A61006413D

mod NIST P-384. Maybe in some countries the public is more demanding. Brainpool standard (2005): “The choice of the seeds from which the [NIST] curve parameters have been derived is not motivated leaving an essential part of the security analysis open. : : : Verifiably pseudo-random. The [Brainpool] curves shall be generated in a pseudo-random manner using seeds that are generated in a systematic and comprehensive way.”

Optimized this computation on

• f 41 GTX780 GPUs using
• Keccak. In 7 hours found

“secure+twist-secure” b = 0x

BADA55ECD8BBEAD3ADD6C534F92197DE B47FCEB9BE7E0E702A8D1DD56B5D0B0C

NIST P-256. rly found b = 0x

BADA55ECFD9CA54C0738B8A6FB8CF4CC F84E916D83D6DA1B78B622351E11AB4E

NIST P-224; and b = 0x

BADA55EC3BE2AD1F9EEEA5881ECF95BB F3AC392526F01D4CD13E684C63A17CC4 D5F271642AD83899113817A61006413D

NIST P-384. Maybe in some countries the public is more demanding. Brainpool standard (2005): “The choice of the seeds from which the [NIST] curve parameters have been derived is not motivated leaving an essential part of the security analysis open. : : : Verifiably pseudo-random. The [Brainpool] curves shall be generated in a pseudo-random manner using seeds that are generated in a systematic and comprehensive way.”

import hashlib def hash(seed): h seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = def secure(A,B): if k(B).is_square(): n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and and Integers(n)(p).multiplicative_order() def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) def fullhash(seed): return str2int(hash(seed) def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S) B = fullhash(S) if not secure(A,B): print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

computation on GTX780 GPUs using 7 hours found ecure” b = 0x

D8BBEAD3ADD6C534F92197DE B47FCEB9BE7E0E702A8D1DD56B5D0B0C

P-256. = 0x

FD9CA54C0738B8A6FB8CF4CC F84E916D83D6DA1B78B622351E11AB4E

P-224; and b = 0x

3BE2AD1F9EEEA5881ECF95BB F3AC392526F01D4CD13E684C63A17CC4 D5F271642AD83899113817A61006413D

P-384. Maybe in some countries the public is more demanding. Brainpool standard (2005): “The choice of the seeds from which the [NIST] curve parameters have been derived is not motivated leaving an essential part of the security analysis open. : : : Verifiably pseudo-random. The [Brainpool] curves shall be generated in a pseudo-random manner using seeds that are generated in a systematic and comprehensive way.”

import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] def secure(A,B): if k(B).is_square(): return False n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); S = update(S) B = fullhash(S) if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

computation on GPUs using found

0x D8BBEAD3ADD6C534F92197DE B47FCEB9BE7E0E702A8D1DD56B5D0B0C FD9CA54C0738B8A6FB8CF4CC F84E916D83D6DA1B78B622351E11AB4E 0x 3BE2AD1F9EEEA5881ECF95BB F3AC392526F01D4CD13E684C63A17CC4 D5F271642AD83899113817A61006413D

Maybe in some countries the public is more demanding. Brainpool standard (2005): “The choice of the seeds from which the [NIST] curve parameters have been derived is not motivated leaving an essential part of the security analysis open. : : : Verifiably pseudo-random. The [Brainpool] curves shall be generated in a pseudo-random manner using seeds that are generated in a systematic and comprehensive way.”

import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] def secure(A,B): if k(B).is_square(): return False n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue S = update(S) B = fullhash(S) if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

Maybe in some countries the public is more demanding. Brainpool standard (2005): “The choice of the seeds from which the [NIST] curve parameters have been derived is not motivated leaving an essential part of the security analysis open. : : : Verifiably pseudo-random. The [Brainpool] curves shall be generated in a pseudo-random manner using seeds that are generated in a systematic and comprehensive way.”

import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] def secure(A,B): if k(B).is_square(): return False n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue S = update(S) B = fullhash(S) if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

in some countries public is more demanding.

• ol standard (2005):

choice of the seeds which the [NIST] curve rameters have been derived is motivated leaving an essential

• f the security analysis open.

erifiably pseudo-random. [Brainpool] curves shall be generated in a pseudo-random manner using seeds that are generated in a systematic and rehensive way.”

import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] def secure(A,B): if k(B).is_square(): return False n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue S = update(S) B = fullhash(S) if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

We carefully the curve-gene from the Previous Output of

p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF A 2B98B906DC245F2916C03A2F953EA9AE565C3253E B 68AEC4BFE84C659E

countries re demanding. standard (2005): the seeds [NIST] curve been derived is leaving an essential security analysis open. pseudo-random. curves shall be pseudo-random seeds that are systematic and ay.”

import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] def secure(A,B): if k(B).is_square(): return False n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue S = update(S) B = fullhash(S) if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

We carefully implemented the curve-generation from the Brainpool Previous slide: 224-bit Output of this pro

p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF A 2B98B906DC245F2916C03A2F953EA9AE565C3253E B 68AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D

ding. (2005): curve derived is essential analysis open. pseudo-random. shall be pseudo-random re and

import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] def secure(A,B): if k(B).is_square(): return False n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue S = update(S) B = fullhash(S) if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

We carefully implemented the curve-generation procedure from the Brainpool standard. Previous slide: 224-bit procedure. Output of this procedure:

p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF A 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E B 68AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D

import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] def secure(A,B): if k(B).is_square(): return False n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue S = update(S) B = fullhash(S) if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

We carefully implemented the curve-generation procedure from the Brainpool standard. Previous slide: 224-bit procedure. Output of this procedure:

p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF A 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E B 68AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D

import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] def secure(A,B): if k(B).is_square(): return False n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue S = update(S) B = fullhash(S) if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

We carefully implemented the curve-generation procedure from the Brainpool standard. Previous slide: 224-bit procedure. Output of this procedure:

p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF A 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E B 68AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D

The standard 224-bit Brainpool curve is not the same curve:

p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF A 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43 B 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B

import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] def secure(A,B): if k(B).is_square(): return False n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue S = update(S) B = fullhash(S) if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

We carefully implemented the curve-generation procedure from the Brainpool standard. Previous slide: 224-bit procedure. Output of this procedure:

p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF A 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E B 68AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D

The standard 224-bit Brainpool curve is not the same curve:

p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF A 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43 B 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B

Next slide: a procedure that does generate the standard Brainpool curve.

= hashlib.sha1(); h.update(seed); return h.digest() 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF = k[] k(B).is_square(): return False EllipticCurve([k(A),k(B)]).cardinality() and n.is_prime() Integers(n)(p).multiplicative_order() * 100 >= n-1) int2str(seed,bytes): ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) str2int(seed): Integer(seed.encode(’hex’),16) int2str(str2int(seed) + 1,len(seed)) fullhash(seed): str2int(hash(seed) + hash(update(seed))) % 2^223 real2str(seed,bytes): int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) real2str(exp(1)/16,7*seedbytes) nums[2*seedbytes:3*seedbytes] (k(A)*x^4+3).roots(): S = update(S); continue secure(A,B): S = update(S); continue ’p’,hex(p).upper() ’A’,hex(A).upper() ’B’,hex(B).upper()

We carefully implemented the curve-generation procedure from the Brainpool standard. Previous slide: 224-bit procedure. Output of this procedure:

p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF A 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E B 68AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D

The standard 224-bit Brainpool curve is not the same curve:

p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF A 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43 B 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B

Next slide: a procedure that does generate the standard Brainpool curve.

import hashlib def hash(seed): h seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and and Integers(n)(p).multiplicative_order() def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) def fullhash(seed): return str2int(hash(seed) def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): while True: S = update(S) B = fullhash(S) if not k(B).is_square(): if not secure(A,B): print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

h.update(seed); return h.digest() 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF EllipticCurve([k(A),k(B)]).cardinality() Integers(n)(p).multiplicative_order() * 100 >= n-1) ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) Integer(seed.encode(’hex’),16) 1,len(seed)) hash(update(seed))) % 2^223 int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) real2str(exp(1)/16,7*seedbytes) update(S); continue continue

We carefully implemented the curve-generation procedure from the Brainpool standard. Previous slide: 224-bit procedure. Output of this procedure:

p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF A 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E B 68AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D

The standard 224-bit Brainpool curve is not the same curve:

p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF A 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43 B 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B

Next slide: a procedure that does generate the standard Brainpool curve.

import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); while True: S = update(S) B = fullhash(S) if not k(B).is_square(): break if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

h.digest() 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF n-1) reversed(range(bytes))]) int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes)

We carefully implemented the curve-generation procedure from the Brainpool standard. Previous slide: 224-bit procedure. Output of this procedure:

p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF A 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E B 68AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D

The standard 224-bit Brainpool curve is not the same curve:

p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF A 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43 B 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B

Next slide: a procedure that does generate the standard Brainpool curve.

import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue while True: S = update(S) B = fullhash(S) if not k(B).is_square(): break if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

We carefully implemented the curve-generation procedure from the Brainpool standard. Previous slide: 224-bit procedure. Output of this procedure:

p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF A 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E B 68AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D

The standard 224-bit Brainpool curve is not the same curve:

p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF A 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43 B 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B

Next slide: a procedure that does generate the standard Brainpool curve.

import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue while True: S = update(S) B = fullhash(S) if not k(B).is_square(): break if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

refully implemented curve-generation procedure the Brainpool standard. Previous slide: 224-bit procedure. Output of this procedure:

D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E 8AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D

standard 224-bit Brainpool is not the same curve:

D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B

slide: a procedure does generate standard Brainpool curve.

import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue while True: S = update(S) B = fullhash(S) if not k(B).is_square(): break if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

Did Brainp publication? Did they Brainpool advertised “comprehensive”, transparent”, say the same Can quietly to take the

implemented ation procedure

• ol standard.

224-bit procedure. rocedure:

D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E BB8B81DC39355A2EBFA3870D98976FA2F17D2D8D

224-bit Brainpool same curve:

D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B

cedure generate Brainpool curve.

import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue while True: S = update(S) B = fullhash(S) if not k(B).is_square(): break if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

Did Brainpool check publication? After Did they know befo Brainpool procedure advertised as “systematic”, “comprehensive”, “completely transparent”, etc. say the same for b Can quietly manipulate to take the weaker

cedure rd. cedure.

D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF 8AEC4BFE84C659E BB8B81DC39355A2EBFA3870D98976FA2F17D2D8D

Brainpool curve:

D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B

curve.

import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue while True: S = update(S) B = fullhash(S) if not k(B).is_square(): break if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

Did Brainpool check before publication? After publication? Did they know before 2015? Brainpool procedure is advertised as “systematic”, “comprehensive”, “completely transparent”, etc. Surely we say the same for both procedures. Can quietly manipulate choice to take the weaker procedure.

import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue while True: S = update(S) B = fullhash(S) if not k(B).is_square(): break if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

Did Brainpool check before publication? After publication? Did they know before 2015? Brainpool procedure is advertised as “systematic”, “comprehensive”, “completely transparent”, etc. Surely we can say the same for both procedures. Can quietly manipulate choice to take the weaker procedure.

import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue while True: S = update(S) B = fullhash(S) if not k(B).is_square(): break if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

Did Brainpool check before publication? After publication? Did they know before 2015? Brainpool procedure is advertised as “systematic”, “comprehensive”, “completely transparent”, etc. Surely we can say the same for both procedures. Can quietly manipulate choice to take the weaker procedure. Interesting Brainpool quote: “It is envisioned to provide additional curves on a regular basis.”

= hashlib.sha1(); h.update(seed); return h.digest() 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF = k[] EllipticCurve([k(A),k(B)]).cardinality() and n.is_prime() Integers(n)(p).multiplicative_order() * 100 >= n-1) int2str(seed,bytes): ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) str2int(seed): Integer(seed.encode(’hex’),16) int2str(str2int(seed) + 1,len(seed)) fullhash(seed): str2int(hash(seed) + hash(update(seed))) % 2^223 real2str(seed,bytes): int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) real2str(exp(1)/16,7*seedbytes) nums[2*seedbytes:3*seedbytes] (k(A)*x^4+3).roots(): S = update(S); continue fullhash(S) k(B).is_square(): break secure(A,B): S = update(S); continue ’p’,hex(p).upper() ’A’,hex(A).upper() ’B’,hex(B).upper()

Did Brainpool check before publication? After publication? Did they know before 2015? Brainpool procedure is advertised as “systematic”, “comprehensive”, “completely transparent”, etc. Surely we can say the same for both procedures. Can quietly manipulate choice to take the weaker procedure. Interesting Brainpool quote: “It is envisioned to provide additional curves on a regular basis.” We made using standa To avoid complications hash outputs: from SHA-1 maximum-securit Also upgraded maximum Brainpool and arctan(1) uses sin(1), We also pattern of

h.update(seed); return h.digest() 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF EllipticCurve([k(A),k(B)]).cardinality() Integers(n)(p).multiplicative_order() * 100 >= n-1) ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) Integer(seed.encode(’hex’),16) 1,len(seed)) hash(update(seed))) % 2^223 int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) real2str(exp(1)/16,7*seedbytes) update(S); continue continue

Did Brainpool check before publication? After publication? Did they know before 2015? Brainpool procedure is advertised as “systematic”, “comprehensive”, “completely transparent”, etc. Surely we can say the same for both procedures. Can quietly manipulate choice to take the weaker procedure. Interesting Brainpool quote: “It is envisioned to provide additional curves on a regular basis.” We made a new 224- using standard NIST To avoid Brainpool’s complications of concatenating hash outputs: We from SHA-1 to state-of-the-a maximum-security Also upgraded to requiring maximum twist securit Brainpool uses exp(1) and arctan(1) = ı uses sin(1), so we We also used much pattern of searching

h.digest() 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF n-1) reversed(range(bytes))]) int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes)

Did Brainpool check before publication? After publication? Did they know before 2015? Brainpool procedure is advertised as “systematic”, “comprehensive”, “completely transparent”, etc. Surely we can say the same for both procedures. Can quietly manipulate choice to take the weaker procedure. Interesting Brainpool quote: “It is envisioned to provide additional curves on a regular basis.” We made a new 224-bit curve using standard NIST P-224 p To avoid Brainpool’s complications of concatenating hash outputs: We upgraded from SHA-1 to state-of-the-a maximum-security SHA3-512. Also upgraded to requiring maximum twist security. Brainpool uses exp(1) = e and arctan(1) = ı=4, and M uses sin(1), so we used cos(1). We also used much simpler pattern of searching for seeds.

Did Brainpool check before publication? After publication? Did they know before 2015? Brainpool procedure is advertised as “systematic”, “comprehensive”, “completely transparent”, etc. Surely we can say the same for both procedures. Can quietly manipulate choice to take the weaker procedure. Interesting Brainpool quote: “It is envisioned to provide additional curves on a regular basis.” We made a new 224-bit curve using standard NIST P-224 prime. To avoid Brainpool’s complications of concatenating hash outputs: We upgraded from SHA-1 to state-of-the-art maximum-security SHA3-512. Also upgraded to requiring maximum twist security. Brainpool uses exp(1) = e and arctan(1) = ı=4, and MD5 uses sin(1), so we used cos(1). We also used much simpler pattern of searching for seeds.

Brainpool check before publication? After publication? they know before 2015?

• ol procedure is

advertised as “systematic”, rehensive”, “completely transparent”, etc. Surely we can the same for both procedures. quietly manipulate choice e the weaker procedure. Interesting Brainpool quote: “It envisioned to provide additional

• n a regular basis.”

We made a new 224-bit curve using standard NIST P-224 prime. To avoid Brainpool’s complications of concatenating hash outputs: We upgraded from SHA-1 to state-of-the-art maximum-security SHA3-512. Also upgraded to requiring maximum twist security. Brainpool uses exp(1) = e and arctan(1) = ı=4, and MD5 uses sin(1), so we used cos(1). We also used much simpler pattern of searching for seeds.

import simplesha3 hash = simplesha3.sha3512 p = 2^224 - 2^96 + k = GF(p) seedbytes = 20 def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n.is_prime() and Integers(n)(p).multiplicative_order() and Integers(2*p+2-n)(p).multiplicative_order() def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) def str2int(seed): return Integer(seed.encode(’hex’),16) def complement(seed): return ’’.join([chr(255-ord(s)) def real2str(seed,bytes): return int2str(Integer(RealField(8*bytes)(seed)*256^bytes),bytes) sizeofint = 4 nums = real2str(cos(1),seedbytes for counter in xrange(0,256^sizeofint): S = int2str(counter,sizeofint) T = complement(S) A = str2int(hash(S)) B = str2int(hash(T)) if secure(A,B): print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

check before After publication? efore 2015? cedure is “systematic”, rehensive”, “completely

• etc. Surely we can

both procedures. manipulate choice er procedure. Brainpool quote: “It provide additional regular basis.” We made a new 224-bit curve using standard NIST P-224 prime. To avoid Brainpool’s complications of concatenating hash outputs: We upgraded from SHA-1 to state-of-the-art maximum-security SHA3-512. Also upgraded to requiring maximum twist security. Brainpool uses exp(1) = e and arctan(1) = ı=4, and MD5 uses sin(1), so we used cos(1). We also used much simpler pattern of searching for seeds.

import simplesha3 hash = simplesha3.sha3512 p = 2^224 - 2^96 + 1 k = GF(p) seedbytes = 20 def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n.is_prime() and (2*p+2-n).is_prime() and Integers(n)(p).multiplicative_order() and Integers(2*p+2-n)(p).multiplicative_order() def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) def str2int(seed): return Integer(seed.encode(’hex’),16) def complement(seed): return ’’.join([chr(255-ord(s)) for def real2str(seed,bytes): return int2str(Integer(RealField(8*bytes)(seed)*256^bytes),bytes) sizeofint = 4 nums = real2str(cos(1),seedbytes - sizeofint) for counter in xrange(0,256^sizeofint): S = int2str(counter,sizeofint) + nums T = complement(S) A = str2int(hash(S)) B = str2int(hash(T)) if secure(A,B): print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

re publication? 2015? “systematic”, “completely we can cedures. choice cedure. quote: “It additional We made a new 224-bit curve using standard NIST P-224 prime. To avoid Brainpool’s complications of concatenating hash outputs: We upgraded from SHA-1 to state-of-the-art maximum-security SHA3-512. Also upgraded to requiring maximum twist security. Brainpool uses exp(1) = e and arctan(1) = ı=4, and MD5 uses sin(1), so we used cos(1). We also used much simpler pattern of searching for seeds.

import simplesha3 hash = simplesha3.sha3512 p = 2^224 - 2^96 + 1 k = GF(p) seedbytes = 20 def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n.is_prime() and (2*p+2-n).is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1 and Integers(2*p+2-n)(p).multiplicative_order() * 100 >= def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def complement(seed): return ’’.join([chr(255-ord(s)) for s in seed]) def real2str(seed,bytes): return int2str(Integer(RealField(8*bytes)(seed)*256^bytes),bytes) sizeofint = 4 nums = real2str(cos(1),seedbytes - sizeofint) for counter in xrange(0,256^sizeofint): S = int2str(counter,sizeofint) + nums T = complement(S) A = str2int(hash(S)) B = str2int(hash(T)) if secure(A,B): print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

We made a new 224-bit curve using standard NIST P-224 prime. To avoid Brainpool’s complications of concatenating hash outputs: We upgraded from SHA-1 to state-of-the-art maximum-security SHA3-512. Also upgraded to requiring maximum twist security. Brainpool uses exp(1) = e and arctan(1) = ı=4, and MD5 uses sin(1), so we used cos(1). We also used much simpler pattern of searching for seeds.

import simplesha3 hash = simplesha3.sha3512 p = 2^224 - 2^96 + 1 k = GF(p) seedbytes = 20 def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n.is_prime() and (2*p+2-n).is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1 and Integers(2*p+2-n)(p).multiplicative_order() * 100 >= 2*p+2-n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def complement(seed): return ’’.join([chr(255-ord(s)) for s in seed]) def real2str(seed,bytes): return int2str(Integer(RealField(8*bytes)(seed)*256^bytes),bytes) sizeofint = 4 nums = real2str(cos(1),seedbytes - sizeofint) for counter in xrange(0,256^sizeofint): S = int2str(counter,sizeofint) + nums T = complement(S) A = str2int(hash(S)) B = str2int(hash(T)) if secure(A,B): print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

made a new 224-bit curve standard NIST P-224 prime. avoid Brainpool’s complications of concatenating

• utputs: We upgraded

SHA-1 to state-of-the-art maximum-security SHA3-512. upgraded to requiring maximum twist security.

• ol uses exp(1) = e

rctan(1) = ı=4, and MD5 sin(1), so we used cos(1). also used much simpler pattern of searching for seeds.

import simplesha3 hash = simplesha3.sha3512 p = 2^224 - 2^96 + 1 k = GF(p) seedbytes = 20 def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n.is_prime() and (2*p+2-n).is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1 and Integers(2*p+2-n)(p).multiplicative_order() * 100 >= 2*p+2-n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def complement(seed): return ’’.join([chr(255-ord(s)) for s in seed]) def real2str(seed,bytes): return int2str(Integer(RealField(8*bytes)(seed)*256^bytes),bytes) sizeofint = 4 nums = real2str(cos(1),seedbytes - sizeofint) for counter in xrange(0,256^sizeofint): S = int2str(counter,sizeofint) + nums T = complement(S) A = str2int(hash(S)) B = str2int(hash(T)) if secure(A,B): print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

Output:

224-bit curve NIST P-224 prime.

• ol’s

concatenating e upgraded state-of-the-art maximum-security SHA3-512.

• requiring

security. exp(1) = e ı=4, and MD5 e used cos(1). much simpler rching for seeds.

import simplesha3 hash = simplesha3.sha3512 p = 2^224 - 2^96 + 1 k = GF(p) seedbytes = 20 def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n.is_prime() and (2*p+2-n).is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1 and Integers(2*p+2-n)(p).multiplicative_order() * 100 >= 2*p+2-n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def complement(seed): return ’’.join([chr(255-ord(s)) for s in seed]) def real2str(seed,bytes): return int2str(Integer(RealField(8*bytes)(seed)*256^bytes),bytes) sizeofint = 4 nums = real2str(cos(1),seedbytes - sizeofint) for counter in xrange(0,256^sizeofint): S = int2str(counter,sizeofint) + nums T = complement(S) A = str2int(hash(S)) B = str2int(hash(T)) if secure(A,B): print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

Output:

7144BA12CE8A0C3BEFA053ED

curve P-224 prime. concatenating upgraded state-of-the-art SHA3-512. MD5 cos(1). impler eeds.

import simplesha3 hash = simplesha3.sha3512 p = 2^224 - 2^96 + 1 k = GF(p) seedbytes = 20 def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n.is_prime() and (2*p+2-n).is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1 and Integers(2*p+2-n)(p).multiplicative_order() * 100 >= 2*p+2-n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def complement(seed): return ’’.join([chr(255-ord(s)) for s in seed]) def real2str(seed,bytes): return int2str(Integer(RealField(8*bytes)(seed)*256^bytes),bytes) sizeofint = 4 nums = real2str(cos(1),seedbytes - sizeofint) for counter in xrange(0,256^sizeofint): S = int2str(counter,sizeofint) + nums T = complement(S) A = str2int(hash(S)) B = str2int(hash(T)) if secure(A,B): print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

Output:

7144BA12CE8A0C3BEFA053EDBADA55

import simplesha3 hash = simplesha3.sha3512 p = 2^224 - 2^96 + 1 k = GF(p) seedbytes = 20 def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n.is_prime() and (2*p+2-n).is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1 and Integers(2*p+2-n)(p).multiplicative_order() * 100 >= 2*p+2-n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def complement(seed): return ’’.join([chr(255-ord(s)) for s in seed]) def real2str(seed,bytes): return int2str(Integer(RealField(8*bytes)(seed)*256^bytes),bytes) sizeofint = 4 nums = real2str(cos(1),seedbytes - sizeofint) for counter in xrange(0,256^sizeofint): S = int2str(counter,sizeofint) + nums T = complement(S) A = str2int(hash(S)) B = str2int(hash(T)) if secure(A,B): print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

Output:

7144BA12CE8A0C3BEFA053EDBADA55...

import simplesha3 hash = simplesha3.sha3512 p = 2^224 - 2^96 + 1 k = GF(p) seedbytes = 20 def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n.is_prime() and (2*p+2-n).is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1 and Integers(2*p+2-n)(p).multiplicative_order() * 100 >= 2*p+2-n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def complement(seed): return ’’.join([chr(255-ord(s)) for s in seed]) def real2str(seed,bytes): return int2str(Integer(RealField(8*bytes)(seed)*256^bytes),bytes) sizeofint = 4 nums = real2str(cos(1),seedbytes - sizeofint) for counter in xrange(0,256^sizeofint): S = int2str(counter,sizeofint) + nums T = complement(S) A = str2int(hash(S)) B = str2int(hash(T)) if secure(A,B): print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

Output:

7144BA12CE8A0C3BEFA053EDBADA55...

We actually generated >1000000 curves for this prime, each having a Brainpool-like explanation, even without complicating hashing, seed search, etc.; e.g., BADA55-VPR2-224 uses exp(1).

import simplesha3 hash = simplesha3.sha3512 p = 2^224 - 2^96 + 1 k = GF(p) seedbytes = 20 def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n.is_prime() and (2*p+2-n).is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1 and Integers(2*p+2-n)(p).multiplicative_order() * 100 >= 2*p+2-n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def complement(seed): return ’’.join([chr(255-ord(s)) for s in seed]) def real2str(seed,bytes): return int2str(Integer(RealField(8*bytes)(seed)*256^bytes),bytes) sizeofint = 4 nums = real2str(cos(1),seedbytes - sizeofint) for counter in xrange(0,256^sizeofint): S = int2str(counter,sizeofint) + nums T = complement(S) A = str2int(hash(S)) B = str2int(hash(T)) if secure(A,B): print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

Output:

7144BA12CE8A0C3BEFA053EDBADA55...

We actually generated >1000000 curves for this prime, each having a Brainpool-like explanation, even without complicating hashing, seed search, etc.; e.g., BADA55-VPR2-224 uses exp(1). See bada55.cr.yp.to for much more: full paper; scripts; detailed Brainpool analysis; manipulating “minimal” primes and curves (Microsoft “NUMS”); manipulating security criteria.