Standardization for the black hat Includes joint work with (in - - PowerPoint PPT Presentation

1

Standardization for the black hat Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven 1 bada55.cr.yp.to “BADA55 Crypto” including “How to manipulate curve standards: a white paper for the black hat.” 2 projectbullrun.org including “Dual EC: a standardized back door.”

2

Includes joint work with (in alphabetical order): Tung Chou 1 Chitchanok Chuengsatiansup 1 Andreas H¨ ulsing 1 Eran Lambooij 1 Tanja Lange 1 2 Ruben Niederhagen 1 2 Christine van Vredendaal 1 Inspirational previous work: ANSI, ANSSI, Brainpool, IETF, ISO, NIST, OSCCA, SECG, and especially our buddies at NSA.

1

Standardization for the black hat

• J. Bernstein

University of Illinois at Chicago & echnische Universiteit Eindhoven bada55.cr.yp.to “BADA55 Crypto” including “How to manipulate curve standards: a paper for the black hat.” projectbullrun.org including “Dual EC: a rdized back door.”

2

Includes joint work with (in alphabetical order): Tung Chou 1 Chitchanok Chuengsatiansup 1 Andreas H¨ ulsing 1 Eran Lambooij 1 Tanja Lange 1 2 Ruben Niederhagen 1 2 Christine van Vredendaal 1 Inspirational previous work: ANSI, ANSSI, Brainpool, IETF, ISO, NIST, OSCCA, SECG, and especially our buddies at NSA. The DES IBM: 128! IBM: 64! Final comp

1

for the black hat Bernstein Illinois at Chicago & Universiteit Eindhoven bada55.cr.yp.to “BADA55 including “How to curve standards: a the black hat.” projectbullrun.org EC: a back door.”

2

Includes joint work with (in alphabetical order): Tung Chou 1 Chitchanok Chuengsatiansup 1 Andreas H¨ ulsing 1 Eran Lambooij 1 Tanja Lange 1 2 Ruben Niederhagen 1 2 Christine van Vredendaal 1 Inspirational previous work: ANSI, ANSSI, Brainpool, IETF, ISO, NIST, OSCCA, SECG, and especially our buddies at NSA. The DES key size IBM: 128! NSA: 32! IBM: 64! NSA: 48! Final compromise:

1

black hat Chicago & Eindhoven “BADA55 to rds: a hat.”

2

Includes joint work with (in alphabetical order): Tung Chou 1 Chitchanok Chuengsatiansup 1 Andreas H¨ ulsing 1 Eran Lambooij 1 Tanja Lange 1 2 Ruben Niederhagen 1 2 Christine van Vredendaal 1 Inspirational previous work: ANSI, ANSSI, Brainpool, IETF, ISO, NIST, OSCCA, SECG, and especially our buddies at NSA. The DES key size IBM: 128! NSA: 32! IBM: 64! NSA: 48! Final compromise: 56.

2

Includes joint work with (in alphabetical order): Tung Chou 1 Chitchanok Chuengsatiansup 1 Andreas H¨ ulsing 1 Eran Lambooij 1 Tanja Lange 1 2 Ruben Niederhagen 1 2 Christine van Vredendaal 1 Inspirational previous work: ANSI, ANSSI, Brainpool, IETF, ISO, NIST, OSCCA, SECG, and especially our buddies at NSA.

3

The DES key size IBM: 128! NSA: 32! IBM: 64! NSA: 48! Final compromise: 56.

2

Includes joint work with (in alphabetical order): Tung Chou 1 Chitchanok Chuengsatiansup 1 Andreas H¨ ulsing 1 Eran Lambooij 1 Tanja Lange 1 2 Ruben Niederhagen 1 2 Christine van Vredendaal 1 Inspirational previous work: ANSI, ANSSI, Brainpool, IETF, ISO, NIST, OSCCA, SECG, and especially our buddies at NSA.

3

The DES key size IBM: 128! NSA: 32! IBM: 64! NSA: 48! Final compromise: 56. Crypto community to NSA+NBS: Your key size is too small.

2

Includes joint work with (in alphabetical order): Tung Chou 1 Chitchanok Chuengsatiansup 1 Andreas H¨ ulsing 1 Eran Lambooij 1 Tanja Lange 1 2 Ruben Niederhagen 1 2 Christine van Vredendaal 1 Inspirational previous work: ANSI, ANSSI, Brainpool, IETF, ISO, NIST, OSCCA, SECG, and especially our buddies at NSA.

3

The DES key size IBM: 128! NSA: 32! IBM: 64! NSA: 48! Final compromise: 56. Crypto community to NSA+NBS: Your key size is too small. NBS: Our key is big enough! And we know how to use it!

2

Includes joint work with (in alphabetical order): Tung Chou 1 Chitchanok Chuengsatiansup 1 Andreas H¨ ulsing 1 Eran Lambooij 1 Tanja Lange 1 2 Ruben Niederhagen 1 2 Christine van Vredendaal 1 Inspirational previous work: ANSI, ANSSI, Brainpool, IETF, ISO, NIST, OSCCA, SECG, and especially our buddies at NSA.

3

The DES key size IBM: 128! NSA: 32! IBM: 64! NSA: 48! Final compromise: 56. Crypto community to NSA+NBS: Your key size is too small. NBS: Our key is big enough! And we know how to use it! NBS (now NIST) continues to promote DES for two decades, drastically increasing cost

• f the inevitable upgrade.

2

Includes joint work with alphabetical order): Chou 1 Chitchanok Chuengsatiansup 1 Andreas H¨ ulsing 1 Lambooij 1 Lange 1 2 Niederhagen 1 2 Christine van Vredendaal 1 Inspirational previous work: ANSSI, Brainpool, IETF, NIST, OSCCA, SECG, and ecially our buddies at NSA.

3

The DES key size IBM: 128! NSA: 32! IBM: 64! NSA: 48! Final compromise: 56. Crypto community to NSA+NBS: Your key size is too small. NBS: Our key is big enough! And we know how to use it! NBS (now NIST) continues to promote DES for two decades, drastically increasing cost

• f the inevitable upgrade.

Random 1992 Rivest: given enough to hang a standa Standardize

2

rk with

• rder):

Chuengsatiansup 1 1 1 2 Niederhagen 1 2 redendaal 1 revious work: Brainpool, IETF, CCA, SECG, and buddies at NSA.

3

The DES key size IBM: 128! NSA: 32! IBM: 64! NSA: 48! Final compromise: 56. Crypto community to NSA+NBS: Your key size is too small. NBS: Our key is big enough! And we know how to use it! NBS (now NIST) continues to promote DES for two decades, drastically increasing cost

• f the inevitable upgrade.

Random nonces in 1992 Rivest: “The given enough rope to hang himself—something a standard should Standardize anywa

2

Chuengsatiansup 1 1 rk: IETF, SECG, and NSA.

3

The DES key size IBM: 128! NSA: 32! IBM: 64! NSA: 48! Final compromise: 56. Crypto community to NSA+NBS: Your key size is too small. NBS: Our key is big enough! And we know how to use it! NBS (now NIST) continues to promote DES for two decades, drastically increasing cost

• f the inevitable upgrade.

Random nonces in DSA/ECDSA 1992 Rivest: “The poor user given enough rope with which to hang himself—something a standard should not do.” Standardize anyway.

3

The DES key size IBM: 128! NSA: 32! IBM: 64! NSA: 48! Final compromise: 56. Crypto community to NSA+NBS: Your key size is too small. NBS: Our key is big enough! And we know how to use it! NBS (now NIST) continues to promote DES for two decades, drastically increasing cost

• f the inevitable upgrade.

4

Random nonces in DSA/ECDSA 1992 Rivest: “The poor user is given enough rope with which to hang himself—something a standard should not do.” Standardize anyway.

3

The DES key size IBM: 128! NSA: 32! IBM: 64! NSA: 48! Final compromise: 56. Crypto community to NSA+NBS: Your key size is too small. NBS: Our key is big enough! And we know how to use it! NBS (now NIST) continues to promote DES for two decades, drastically increasing cost

• f the inevitable upgrade.

4

Random nonces in DSA/ECDSA 1992 Rivest: “The poor user is given enough rope with which to hang himself—something a standard should not do.” Standardize anyway. 2010 Bushing–Marcan–Segher– Sven “PS3 epic fail”: PS3 forgeries—Sony hung itself.

3

The DES key size IBM: 128! NSA: 32! IBM: 64! NSA: 48! Final compromise: 56. Crypto community to NSA+NBS: Your key size is too small. NBS: Our key is big enough! And we know how to use it! NBS (now NIST) continues to promote DES for two decades, drastically increasing cost

• f the inevitable upgrade.

4

Random nonces in DSA/ECDSA 1992 Rivest: “The poor user is given enough rope with which to hang himself—something a standard should not do.” Standardize anyway. 2010 Bushing–Marcan–Segher– Sven “PS3 epic fail”: PS3 forgeries—Sony hung itself. Add complicated options for deterministic nonces, while preserving old options.

3

DES key size 128! NSA: 32! 64! NSA: 48! compromise: 56. community to NSA+NBS: ey size is too small. Our key is big enough! e know how to use it! (now NIST) continues to romote DES for two decades, drastically increasing cost inevitable upgrade.

4

Random nonces in DSA/ECDSA 1992 Rivest: “The poor user is given enough rope with which to hang himself—something a standard should not do.” Standardize anyway. 2010 Bushing–Marcan–Segher– Sven “PS3 epic fail”: PS3 forgeries—Sony hung itself. Add complicated options for deterministic nonces, while preserving old options. Denial of Suspected Bob are “auditors” = “review exploitable in cryptographic Example: involved around the years of How can problem

3

size NSA: 32! 48! romise: 56. community to NSA+NBS: too small. big enough! w to use it! NIST) continues to r two decades, increasing cost upgrade.

4

Random nonces in DSA/ECDSA 1992 Rivest: “The poor user is given enough rope with which to hang himself—something a standard should not do.” Standardize anyway. 2010 Bushing–Marcan–Segher– Sven “PS3 epic fail”: PS3 forgeries—Sony hung itself. Add complicated options for deterministic nonces, while preserving old options. Denial of service via Suspected terrorists Bob are aided and “auditors” (= “cryptanalysts” = “reviewers”) checking exploitable security in cryptographic systems. Example: SHA-3 comp involved 200 cryptographers around the world and years of sustained How can we slip a problem past all of

3

NSA+NBS: enough! it! continues to decades,

4

Random nonces in DSA/ECDSA 1992 Rivest: “The poor user is given enough rope with which to hang himself—something a standard should not do.” Standardize anyway. 2010 Bushing–Marcan–Segher– Sven “PS3 epic fail”: PS3 forgeries—Sony hung itself. Add complicated options for deterministic nonces, while preserving old options. Denial of service via flooding Suspected terrorists Alice and Bob are aided and abetted b “auditors” (= “cryptanalysts” = “reviewers”) checking for exploitable security problems in cryptographic systems. Example: SHA-3 competition involved 200 cryptographers around the world and took years of sustained public effo How can we slip a security problem past all of them?

4

Random nonces in DSA/ECDSA 1992 Rivest: “The poor user is given enough rope with which to hang himself—something a standard should not do.” Standardize anyway. 2010 Bushing–Marcan–Segher– Sven “PS3 epic fail”: PS3 forgeries—Sony hung itself. Add complicated options for deterministic nonces, while preserving old options.

5

Denial of service via flooding Suspected terrorists Alice and Bob are aided and abetted by “auditors” (= “cryptanalysts” = “reviewers”) checking for exploitable security problems in cryptographic systems. Example: SHA-3 competition involved 200 cryptographers around the world and took years of sustained public effort. How can we slip a security problem past all of them?

4

Random nonces in DSA/ECDSA Rivest: “The poor user is enough rope with which hang himself—something standard should not do.” Standardize anyway. Bushing–Marcan–Segher– “PS3 epic fail”: PS3 rgeries—Sony hung itself. complicated options terministic nonces, preserving old options.

5

Denial of service via flooding Suspected terrorists Alice and Bob are aided and abetted by “auditors” (= “cryptanalysts” = “reviewers”) checking for exploitable security problems in cryptographic systems. Example: SHA-3 competition involved 200 cryptographers around the world and took years of sustained public effort. How can we slip a security problem past all of them? During the NIST also FIPS 186-3 FIPS 198-1 SP 800-38E SP 800-38F SP 800-56C SP 800-57 SP 800-67 SP 800-108 SP 800-131A SP 800-133 SP 800-152 and related such as SP

4

in DSA/ECDSA “The poor user is rope with which himself—something should not do.” anyway. Bushing–Marcan–Segher– fail”: PS3 hung itself.

• ptions

nonces,

• ld options.

5

Denial of service via flooding Suspected terrorists Alice and Bob are aided and abetted by “auditors” (= “cryptanalysts” = “reviewers”) checking for exploitable security problems in cryptographic systems. Example: SHA-3 competition involved 200 cryptographers around the world and took years of sustained public effort. How can we slip a security problem past all of them? During the same p NIST also published FIPS 186-3 (signatures), FIPS 198-1 (authentication), SP 800-38E (disk SP 800-38F (key wrapping), SP 800-56C (key derivation), SP 800-57 (key management), SP 800-67 (block encryption), SP 800-108 (key derivation), SP 800-131A (key SP 800-133 (key generation), SP 800-152 (key management), and related protoc such as SP 800-81r1.

4

DSA/ECDSA user is which himself—something do.” rcan–Segher– itself.

• ptions.

5

Denial of service via flooding Suspected terrorists Alice and Bob are aided and abetted by “auditors” (= “cryptanalysts” = “reviewers”) checking for exploitable security problems in cryptographic systems. Example: SHA-3 competition involved 200 cryptographers around the world and took years of sustained public effort. How can we slip a security problem past all of them? During the same period, NIST also published FIPS 186-3 (signatures), FIPS 198-1 (authentication), SP 800-38E (disk encryption), SP 800-38F (key wrapping), SP 800-56C (key derivation), SP 800-57 (key management), SP 800-67 (block encryption), SP 800-108 (key derivation), SP 800-131A (key lengths), SP 800-133 (key generation), SP 800-152 (key management), and related protocol documents such as SP 800-81r1.

5

Denial of service via flooding Suspected terrorists Alice and Bob are aided and abetted by “auditors” (= “cryptanalysts” = “reviewers”) checking for exploitable security problems in cryptographic systems. Example: SHA-3 competition involved 200 cryptographers around the world and took years of sustained public effort. How can we slip a security problem past all of them?

6

During the same period, NIST also published FIPS 186-3 (signatures), FIPS 198-1 (authentication), SP 800-38E (disk encryption), SP 800-38F (key wrapping), SP 800-56C (key derivation), SP 800-57 (key management), SP 800-67 (block encryption), SP 800-108 (key derivation), SP 800-131A (key lengths), SP 800-133 (key generation), SP 800-152 (key management), and related protocol documents such as SP 800-81r1.

5

• f service via flooding

ected terrorists Alice and re aided and abetted by “auditors” (= “cryptanalysts” “reviewers”) checking for exploitable security problems cryptographic systems. Example: SHA-3 competition involved 200 cryptographers the world and took

• f sustained public effort.

can we slip a security roblem past all of them?

6

During the same period, NIST also published FIPS 186-3 (signatures), FIPS 198-1 (authentication), SP 800-38E (disk encryption), SP 800-38F (key wrapping), SP 800-56C (key derivation), SP 800-57 (key management), SP 800-67 (block encryption), SP 800-108 (key derivation), SP 800-131A (key lengths), SP 800-133 (key generation), SP 800-152 (key management), and related protocol documents such as SP 800-81r1. Attention not entirely Auditors security just befo

5

via flooding rists Alice and and abetted by “cryptanalysts” checking for security problems systems. competition cryptographers and took sustained public effort. a security

• f them?

6

During the same period, NIST also published FIPS 186-3 (signatures), FIPS 198-1 (authentication), SP 800-38E (disk encryption), SP 800-38F (key wrapping), SP 800-56C (key derivation), SP 800-57 (key management), SP 800-67 (block encryption), SP 800-108 (key derivation), SP 800-131A (key lengths), SP 800-133 (key generation), SP 800-152 (key management), and related protocol documents such as SP 800-81r1. Attention of audito not entirely on SHA-3. Auditors caught a security flaw in EAX just before NIST standa

5

ding and by “cryptanalysts” for roblems etition cryptographers effort.

6

During the same period, NIST also published FIPS 186-3 (signatures), FIPS 198-1 (authentication), SP 800-38E (disk encryption), SP 800-38F (key wrapping), SP 800-56C (key derivation), SP 800-57 (key management), SP 800-67 (block encryption), SP 800-108 (key derivation), SP 800-131A (key lengths), SP 800-133 (key generation), SP 800-152 (key management), and related protocol documents such as SP 800-81r1. Attention of auditors was not entirely on SHA-3. Auditors caught a severe security flaw in EAX Prime just before NIST standardization.

6

During the same period, NIST also published FIPS 186-3 (signatures), FIPS 198-1 (authentication), SP 800-38E (disk encryption), SP 800-38F (key wrapping), SP 800-56C (key derivation), SP 800-57 (key management), SP 800-67 (block encryption), SP 800-108 (key derivation), SP 800-131A (key lengths), SP 800-133 (key generation), SP 800-152 (key management), and related protocol documents such as SP 800-81r1.

7

Attention of auditors was not entirely on SHA-3. Auditors caught a severe security flaw in EAX Prime just before NIST standardization.

6

During the same period, NIST also published FIPS 186-3 (signatures), FIPS 198-1 (authentication), SP 800-38E (disk encryption), SP 800-38F (key wrapping), SP 800-56C (key derivation), SP 800-57 (key management), SP 800-67 (block encryption), SP 800-108 (key derivation), SP 800-131A (key lengths), SP 800-133 (key generation), SP 800-152 (key management), and related protocol documents such as SP 800-81r1.

7

Attention of auditors was not entirely on SHA-3. Auditors caught a severe security flaw in EAX Prime just before NIST standardization. Also a troublesome flaw in the GCM security “proofs” years after NIST standardization.

6

During the same period, NIST also published FIPS 186-3 (signatures), FIPS 198-1 (authentication), SP 800-38E (disk encryption), SP 800-38F (key wrapping), SP 800-56C (key derivation), SP 800-57 (key management), SP 800-67 (block encryption), SP 800-108 (key derivation), SP 800-131A (key lengths), SP 800-133 (key generation), SP 800-152 (key management), and related protocol documents such as SP 800-81r1.

7

Attention of auditors was not entirely on SHA-3. Auditors caught a severe security flaw in EAX Prime just before NIST standardization. Also a troublesome flaw in the GCM security “proofs” years after NIST standardization. Why did this take years? Scientific advances? No! We successfully denied service.

6

During the same period, NIST also published FIPS 186-3 (signatures), FIPS 198-1 (authentication), SP 800-38E (disk encryption), SP 800-38F (key wrapping), SP 800-56C (key derivation), SP 800-57 (key management), SP 800-67 (block encryption), SP 800-108 (key derivation), SP 800-131A (key lengths), SP 800-133 (key generation), SP 800-152 (key management), and related protocol documents such as SP 800-81r1.

7

Attention of auditors was not entirely on SHA-3. Auditors caught a severe security flaw in EAX Prime just before NIST standardization. Also a troublesome flaw in the GCM security “proofs” years after NIST standardization. Why did this take years? Scientific advances? No! We successfully denied service. And NIST is just the tip of the crypto standardization iceberg.

6

the same period, also published 186-3 (signatures), 198-1 (authentication), 800-38E (disk encryption), 800-38F (key wrapping), 800-56C (key derivation), 800-57 (key management), 800-67 (block encryption), 800-108 (key derivation), 800-131A (key lengths), 800-133 (key generation), 800-152 (key management), related protocol documents as SP 800-81r1.

7

Attention of auditors was not entirely on SHA-3. Auditors caught a severe security flaw in EAX Prime just before NIST standardization. Also a troublesome flaw in the GCM security “proofs” years after NIST standardization. Why did this take years? Scientific advances? No! We successfully denied service. And NIST is just the tip of the crypto standardization iceberg. Flooding If we were would tell ciphers/hashes

6

period, lished (signatures), (authentication), (disk encryption), wrapping), ey derivation), management), ck encryption), derivation), ey lengths), generation), management), rotocol documents 800-81r1.

7

Attention of auditors was not entirely on SHA-3. Auditors caught a severe security flaw in EAX Prime just before NIST standardization. Also a troublesome flaw in the GCM security “proofs” years after NIST standardization. Why did this take years? Scientific advances? No! We successfully denied service. And NIST is just the tip of the crypto standardization iceberg. Flooding via dishonest If we were honest then would tell Alice+Bob ciphers/hashes as

6

(authentication), encryption), wrapping), derivation), management), encryption), derivation), lengths), generation), management), cuments

7

Attention of auditors was not entirely on SHA-3. Auditors caught a severe security flaw in EAX Prime just before NIST standardization. Also a troublesome flaw in the GCM security “proofs” years after NIST standardization. Why did this take years? Scientific advances? No! We successfully denied service. And NIST is just the tip of the crypto standardization iceberg. Flooding via dishonesty If we were honest then we would tell Alice+Bob to reuse ciphers/hashes as PRNGs.

7

Attention of auditors was not entirely on SHA-3. Auditors caught a severe security flaw in EAX Prime just before NIST standardization. Also a troublesome flaw in the GCM security “proofs” years after NIST standardization. Why did this take years? Scientific advances? No! We successfully denied service. And NIST is just the tip of the crypto standardization iceberg.

8

Flooding via dishonesty If we were honest then we would tell Alice+Bob to reuse ciphers/hashes as PRNGs.

7

Attention of auditors was not entirely on SHA-3. Auditors caught a severe security flaw in EAX Prime just before NIST standardization. Also a troublesome flaw in the GCM security “proofs” years after NIST standardization. Why did this take years? Scientific advances? No! We successfully denied service. And NIST is just the tip of the crypto standardization iceberg.

8

Flooding via dishonesty If we were honest then we would tell Alice+Bob to reuse ciphers/hashes as PRNGs. But why should we be honest? Let’s build PRNGs from scratch!

7

Attention of auditors was not entirely on SHA-3. Auditors caught a severe security flaw in EAX Prime just before NIST standardization. Also a troublesome flaw in the GCM security “proofs” years after NIST standardization. Why did this take years? Scientific advances? No! We successfully denied service. And NIST is just the tip of the crypto standardization iceberg.

8

Flooding via dishonesty If we were honest then we would tell Alice+Bob to reuse ciphers/hashes as PRNGs. But why should we be honest? Let’s build PRNGs from scratch! 2004: Number-theoretic RNGs provide “increased assurance.” 2006: Dual EC “is the only DRBG mechanism in this Recommendation whose security is related to a hard problem in number theory.”

7

ttention of auditors was entirely on SHA-3. rs caught a severe y flaw in EAX Prime efore NIST standardization. troublesome flaw in GCM security “proofs” after NIST standardization. did this take years? Scientific advances? No! successfully denied service. NIST is just the tip of the standardization iceberg.

8

Flooding via dishonesty If we were honest then we would tell Alice+Bob to reuse ciphers/hashes as PRNGs. But why should we be honest? Let’s build PRNGs from scratch! 2004: Number-theoretic RNGs provide “increased assurance.” 2006: Dual EC “is the only DRBG mechanism in this Recommendation whose security is related to a hard problem in number theory.” Denial of 2006 Gjøsteen, 2006 Scho Dual EC definition

7

auditors was SHA-3. a severe EAX Prime standardization. troublesome flaw in y “proofs” standardization. e years? advances? No! successfully denied service. just the tip of the rdization iceberg.

8

Flooding via dishonesty If we were honest then we would tell Alice+Bob to reuse ciphers/hashes as PRNGs. But why should we be honest? Let’s build PRNGs from scratch! 2004: Number-theoretic RNGs provide “increased assurance.” 2006: Dual EC “is the only DRBG mechanism in this Recommendation whose security is related to a hard problem in number theory.” Denial of service via 2006 Gjøsteen, indep 2006 Schoenmakers–Sido Dual EC flunks well-established definition of PRNG

7

Prime rdization. rdization. service.

• f the

iceberg.

8

Flooding via dishonesty If we were honest then we would tell Alice+Bob to reuse ciphers/hashes as PRNGs. But why should we be honest? Let’s build PRNGs from scratch! 2004: Number-theoretic RNGs provide “increased assurance.” 2006: Dual EC “is the only DRBG mechanism in this Recommendation whose security is related to a hard problem in number theory.” Denial of service via hoops 2006 Gjøsteen, independently 2006 Schoenmakers–Sidorenk Dual EC flunks well-established definition of PRNG security.

8

Flooding via dishonesty If we were honest then we would tell Alice+Bob to reuse ciphers/hashes as PRNGs. But why should we be honest? Let’s build PRNGs from scratch! 2004: Number-theoretic RNGs provide “increased assurance.” 2006: Dual EC “is the only DRBG mechanism in this Recommendation whose security is related to a hard problem in number theory.”

9

Denial of service via hoops 2006 Gjøsteen, independently 2006 Schoenmakers–Sidorenko: Dual EC flunks well-established definition of PRNG security.

8

Flooding via dishonesty If we were honest then we would tell Alice+Bob to reuse ciphers/hashes as PRNGs. But why should we be honest? Let’s build PRNGs from scratch! 2004: Number-theoretic RNGs provide “increased assurance.” 2006: Dual EC “is the only DRBG mechanism in this Recommendation whose security is related to a hard problem in number theory.”

9

Denial of service via hoops 2006 Gjøsteen, independently 2006 Schoenmakers–Sidorenko: Dual EC flunks well-established definition of PRNG security. Are all applications broken? Obviously not! Standardize!

8

Flooding via dishonesty If we were honest then we would tell Alice+Bob to reuse ciphers/hashes as PRNGs. But why should we be honest? Let’s build PRNGs from scratch! 2004: Number-theoretic RNGs provide “increased assurance.” 2006: Dual EC “is the only DRBG mechanism in this Recommendation whose security is related to a hard problem in number theory.”

9

Denial of service via hoops 2006 Gjøsteen, independently 2006 Schoenmakers–Sidorenko: Dual EC flunks well-established definition of PRNG security. Are all applications broken? Obviously not! Standardize! 2007 Shumow–Ferguson: Dual EC has a back door. Would have been easy to build Q with the key. 2007 Schneier: Never use Dual

• EC. “Both NIST and the NSA

have some explaining to do.”

8

ding via dishonesty ere honest then we tell Alice+Bob to reuse ciphers/hashes as PRNGs. why should we be honest? build PRNGs from scratch! Number-theoretic RNGs rovide “increased assurance.” Dual EC

• nly DRBG mechanism

Recommendation security is related to a roblem in number theory.”

9

Denial of service via hoops 2006 Gjøsteen, independently 2006 Schoenmakers–Sidorenko: Dual EC flunks well-established definition of PRNG security. Are all applications broken? Obviously not! Standardize! 2007 Shumow–Ferguson: Dual EC has a back door. Would have been easy to build Q with the key. 2007 Schneier: Never use Dual

• EC. “Both NIST and the NSA

have some explaining to do.” Did Shumo show us Maintain standard. 2008.07–2014.03: 73 validation for Dual

8

dishonesty t then we Alice+Bob to reuse as PRNGs. we be honest? PRNGs from scratch! er-theoretic RNGs reased assurance.” DRBG mechanism Recommendation is related to a number theory.”

9

Denial of service via hoops 2006 Gjøsteen, independently 2006 Schoenmakers–Sidorenko: Dual EC flunks well-established definition of PRNG security. Are all applications broken? Obviously not! Standardize! 2007 Shumow–Ferguson: Dual EC has a back door. Would have been easy to build Q with the key. 2007 Schneier: Never use Dual

• EC. “Both NIST and the NSA

have some explaining to do.” Did Shumow and F show us the key? No! Maintain and promote

• standard. Pay people

2008.07–2014.03: 73 validation certificates for Dual EC implementations.

8

reuse est? scratch! NGs assurance.” mechanism to a theory.”

9

Denial of service via hoops 2006 Gjøsteen, independently 2006 Schoenmakers–Sidorenko: Dual EC flunks well-established definition of PRNG security. Are all applications broken? Obviously not! Standardize! 2007 Shumow–Ferguson: Dual EC has a back door. Would have been easy to build Q with the key. 2007 Schneier: Never use Dual

• EC. “Both NIST and the NSA

have some explaining to do.” Did Shumow and Ferguson show us the key? No! Maintain and promote Dual

• standard. Pay people to use

2008.07–2014.03: NIST issues 73 validation certificates for Dual EC implementations.

9

Denial of service via hoops 2006 Gjøsteen, independently 2006 Schoenmakers–Sidorenko: Dual EC flunks well-established definition of PRNG security. Are all applications broken? Obviously not! Standardize! 2007 Shumow–Ferguson: Dual EC has a back door. Would have been easy to build Q with the key. 2007 Schneier: Never use Dual

• EC. “Both NIST and the NSA

have some explaining to do.”

10

Did Shumow and Ferguson show us the key? No! Maintain and promote Dual EC

• standard. Pay people to use it.

2008.07–2014.03: NIST issues 73 validation certificates for Dual EC implementations.

9

Denial of service via hoops 2006 Gjøsteen, independently 2006 Schoenmakers–Sidorenko: Dual EC flunks well-established definition of PRNG security. Are all applications broken? Obviously not! Standardize! 2007 Shumow–Ferguson: Dual EC has a back door. Would have been easy to build Q with the key. 2007 Schneier: Never use Dual

• EC. “Both NIST and the NSA

have some explaining to do.”

10

Did Shumow and Ferguson show us the key? No! Maintain and promote Dual EC

• standard. Pay people to use it.

2008.07–2014.03: NIST issues 73 validation certificates for Dual EC implementations. Even after being caught, continue to burn auditors’ time by demanding that they jump higher. NSA’s Dickie George, 2014: Gee, Dual EC is really hard to exploit!

9

• f service via hoops

Gjøsteen, independently Schoenmakers–Sidorenko: EC flunks well-established definition of PRNG security. all applications broken? Obviously not! Standardize! Shumow–Ferguson: Dual has a back door. Would have easy to build Q with the key. Schneier: Never use Dual “Both NIST and the NSA some explaining to do.”

10

Did Shumow and Ferguson show us the key? No! Maintain and promote Dual EC

• standard. Pay people to use it.

2008.07–2014.03: NIST issues 73 validation certificates for Dual EC implementations. Even after being caught, continue to burn auditors’ time by demanding that they jump higher. NSA’s Dickie George, 2014: Gee, Dual EC is really hard to exploit! System vs. Traditiona Auditor lo an RNG. Auditor’s random numb Bob are

9

via hoops independently enmakers–Sidorenko: well-established PRNG security. applications broken? Standardize! erguson: Dual

• door. Would have

build Q with the key. Never use Dual and the NSA explaining to do.”

10

Did Shumow and Ferguson show us the key? No! Maintain and promote Dual EC

• standard. Pay people to use it.

2008.07–2014.03: NIST issues 73 validation certificates for Dual EC implementations. Even after being caught, continue to burn auditors’ time by demanding that they jump higher. NSA’s Dickie George, 2014: Gee, Dual EC is really hard to exploit! System vs. ecosystem Traditional RNG auditing: Auditor looks at one an RNG. Tries to find Auditor’s starting assumption: random numbers fo Bob are created by

9

• ps

endently renko: ell-established y. en? rdize! Dual

• uld have

the key. Dual NSA do.”

10

Did Shumow and Ferguson show us the key? No! Maintain and promote Dual EC

• standard. Pay people to use it.

2008.07–2014.03: NIST issues 73 validation certificates for Dual EC implementations. Even after being caught, continue to burn auditors’ time by demanding that they jump higher. NSA’s Dickie George, 2014: Gee, Dual EC is really hard to exploit! System vs. ecosystem Traditional RNG auditing: Auditor looks at one system, an RNG. Tries to find weakness. Auditor’s starting assumption: random numbers for Alice and Bob are created by an RNG.

10

Did Shumow and Ferguson show us the key? No! Maintain and promote Dual EC

• standard. Pay people to use it.

2008.07–2014.03: NIST issues 73 validation certificates for Dual EC implementations. Even after being caught, continue to burn auditors’ time by demanding that they jump higher. NSA’s Dickie George, 2014: Gee, Dual EC is really hard to exploit!

11

System vs. ecosystem Traditional RNG auditing: Auditor looks at one system, an RNG. Tries to find weakness. Auditor’s starting assumption: random numbers for Alice and Bob are created by an RNG.

10

Did Shumow and Ferguson show us the key? No! Maintain and promote Dual EC

• standard. Pay people to use it.

2008.07–2014.03: NIST issues 73 validation certificates for Dual EC implementations. Even after being caught, continue to burn auditors’ time by demanding that they jump higher. NSA’s Dickie George, 2014: Gee, Dual EC is really hard to exploit!

11

System vs. ecosystem Traditional RNG auditing: Auditor looks at one system, an RNG. Tries to find weakness. Auditor’s starting assumption: random numbers for Alice and Bob are created by an RNG. Reality: random numbers are created by a much more complicated ecosystem that designs, evaluates, standardizes, selects, implements, and deploys

• RNGs. (Same for other crypto.)

10

Shumow and Ferguson us the key? No! Maintain and promote Dual EC

• rd. Pay people to use it.

2008.07–2014.03: NIST issues validation certificates al EC implementations. after being caught, continue to burn auditors’ time by demanding that they jump higher. Dickie George, 2014: Gee, EC is really hard to exploit!

11

System vs. ecosystem Traditional RNG auditing: Auditor looks at one system, an RNG. Tries to find weakness. Auditor’s starting assumption: random numbers for Alice and Bob are created by an RNG. Reality: random numbers are created by a much more complicated ecosystem that designs, evaluates, standardizes, selects, implements, and deploys

• RNGs. (Same for other crypto.)

This is a perspective. defending The ecosyste weaknesses inside any e.g. Easily

10

and Ferguson ? No! romote Dual EC eople to use it. 2008.07–2014.03: NIST issues ertificates implementations. caught, auditors’ time by they jump higher. George, 2014: Gee, hard to exploit!

11

System vs. ecosystem Traditional RNG auditing: Auditor looks at one system, an RNG. Tries to find weakness. Auditor’s starting assumption: random numbers for Alice and Bob are created by an RNG. Reality: random numbers are created by a much more complicated ecosystem that designs, evaluates, standardizes, selects, implements, and deploys

• RNGs. (Same for other crypto.)

This is a critical change

• perspective. Audito

defending the wrong The ecosystem has weaknesses that are inside any particula e.g. Easily take control

10

erguson Dual EC use it. issues implementations. time by higher. 2014: Gee, exploit!

11

System vs. ecosystem Traditional RNG auditing: Auditor looks at one system, an RNG. Tries to find weakness. Auditor’s starting assumption: random numbers for Alice and Bob are created by an RNG. Reality: random numbers are created by a much more complicated ecosystem that designs, evaluates, standardizes, selects, implements, and deploys

• RNGs. (Same for other crypto.)

This is a critical change in

• perspective. Auditor is stuck

defending the wrong targets! The ecosystem has many weaknesses that are not visible inside any particular system. e.g. Easily take control of ISO.

11

System vs. ecosystem Traditional RNG auditing: Auditor looks at one system, an RNG. Tries to find weakness. Auditor’s starting assumption: random numbers for Alice and Bob are created by an RNG. Reality: random numbers are created by a much more complicated ecosystem that designs, evaluates, standardizes, selects, implements, and deploys

• RNGs. (Same for other crypto.)

12

This is a critical change in

• perspective. Auditor is stuck

defending the wrong targets! The ecosystem has many weaknesses that are not visible inside any particular system. e.g. Easily take control of ISO.

11

System vs. ecosystem Traditional RNG auditing: Auditor looks at one system, an RNG. Tries to find weakness. Auditor’s starting assumption: random numbers for Alice and Bob are created by an RNG. Reality: random numbers are created by a much more complicated ecosystem that designs, evaluates, standardizes, selects, implements, and deploys

• RNGs. (Same for other crypto.)

12

This is a critical change in

• perspective. Auditor is stuck

defending the wrong targets! The ecosystem has many weaknesses that are not visible inside any particular system. e.g. Easily take control of ISO. e.g. Propose 20 weak standards. Some will survive auditing. Then manipulate selection.

11

System vs. ecosystem Traditional RNG auditing: Auditor looks at one system, an RNG. Tries to find weakness. Auditor’s starting assumption: random numbers for Alice and Bob are created by an RNG. Reality: random numbers are created by a much more complicated ecosystem that designs, evaluates, standardizes, selects, implements, and deploys

• RNGs. (Same for other crypto.)

12

This is a critical change in

• perspective. Auditor is stuck

defending the wrong targets! The ecosystem has many weaknesses that are not visible inside any particular system. e.g. Easily take control of ISO. e.g. Propose 20 weak standards. Some will survive auditing. Then manipulate selection. Deter publication of weaknesses: “This attack is trivial. Reject.”

11

• vs. ecosystem

raditional RNG auditing: r looks at one system,

• RNG. Tries to find weakness.

r’s starting assumption: numbers for Alice and re created by an RNG. y: random numbers created by a much more complicated ecosystem that designs, evaluates, standardizes, selects, implements, and deploys (Same for other crypto.)

12

This is a critical change in

• perspective. Auditor is stuck

defending the wrong targets! The ecosystem has many weaknesses that are not visible inside any particular system. e.g. Easily take control of ISO. e.g. Propose 20 weak standards. Some will survive auditing. Then manipulate selection. Deter publication of weaknesses: “This attack is trivial. Reject.” Textbook using standa

• n a standa

Alice’s secret

• Alice’s

public aP {Alice; Bob shared abP

11

ecosystem auditing:

• ne system,

to find weakness. rting assumption: ers for Alice and by an RNG. numbers much more

• system that

evaluates, standardizes, implements, and deploys r other crypto.)

12

This is a critical change in

• perspective. Auditor is stuck

defending the wrong targets! The ecosystem has many weaknesses that are not visible inside any particular system. e.g. Easily take control of ISO. e.g. Propose 20 weak standards. Some will survive auditing. Then manipulate selection. Deter publication of weaknesses: “This attack is trivial. Reject.” Textbook key exchange using standard point

• n a standard elliptic

Alice’s secret key a

• Alice’s

public key aP ▲ ▲ ▲ ▲ ▲ rrrrr {Alice; Bob}’s shared secret abP =

11

system, eakness. assumption: and RNG. re that rdizes, deploys crypto.)

12

This is a critical change in

• perspective. Auditor is stuck

defending the wrong targets! The ecosystem has many weaknesses that are not visible inside any particular system. e.g. Easily take control of ISO. e.g. Propose 20 weak standards. Some will survive auditing. Then manipulate selection. Deter publication of weaknesses: “This attack is trivial. Reject.” Textbook key exchange using standard point P

• n a standard elliptic curve E

Alice’s secret key a

• Bob’s

secret k

• Alice’s

public key aP

• ▲

▲ ▲ ▲ ▲ ▲ ▲ Bob’s public bP rrrrrrr {Alice; Bob}’s shared secret abP = {Bob; Alice shared sec baP

12

This is a critical change in

• perspective. Auditor is stuck

defending the wrong targets! The ecosystem has many weaknesses that are not visible inside any particular system. e.g. Easily take control of ISO. e.g. Propose 20 weak standards. Some will survive auditing. Then manipulate selection. Deter publication of weaknesses: “This attack is trivial. Reject.”

13

Textbook key exchange using standard point P

• n a standard elliptic curve E:

Alice’s secret key a

• Bob’s

secret key b

• Alice’s

public key aP

• ▲

▲ ▲ ▲ ▲ ▲ ▲ Bob’s public key bP rrrrrrr {Alice; Bob}’s shared secret abP = {Bob; Alice}’s shared secret baP

12

This is a critical change in

• perspective. Auditor is stuck

defending the wrong targets! The ecosystem has many weaknesses that are not visible inside any particular system. e.g. Easily take control of ISO. e.g. Propose 20 weak standards. Some will survive auditing. Then manipulate selection. Deter publication of weaknesses: “This attack is trivial. Reject.”

13

Textbook key exchange using standard point P

• n a standard elliptic curve E:

Alice’s secret key a

• Bob’s

secret key b

• Alice’s

public key aP

• ▲

▲ ▲ ▲ ▲ ▲ ▲ Bob’s public key bP rrrrrrr {Alice; Bob}’s shared secret abP = {Bob; Alice}’s shared secret baP Security depends on choice of E.

12

is a critical change in

• ective. Auditor is stuck

defending the wrong targets! ecosystem has many eaknesses that are not visible any particular system. Easily take control of ISO. Propose 20 weak standards. will survive auditing. manipulate selection. publication of weaknesses: attack is trivial. Reject.”

13

Textbook key exchange using standard point P

• n a standard elliptic curve E:

Alice’s secret key a

• Bob’s

secret key b

• Alice’s

public key aP

• ▲

▲ ▲ ▲ ▲ ▲ ▲ Bob’s public key bP rrrrrrr {Alice; Bob}’s shared secret abP = {Bob; Alice}’s shared secret baP Security depends on choice of E. Our Alice’s secret

• Alice’s

public aP {Alice; Bob shared abP This is not

12

critical change in Auditor is stuck wrong targets! has many are not visible rticular system. control of ISO. weak standards. survive auditing. manipulate selection. publication of weaknesses:

• trivial. Reject.”

13

Textbook key exchange using standard point P

• n a standard elliptic curve E:

Alice’s secret key a

• Bob’s

secret key b

• Alice’s

public key aP

• ▲

▲ ▲ ▲ ▲ ▲ ▲ Bob’s public key bP rrrrrrr {Alice; Bob}’s shared secret abP = {Bob; Alice}’s shared secret baP Security depends on choice of E. Our partner choice of

• Alice’s

secret key a

• Alice’s

public key aP ▲ ▲ ▲ ▲ ▲ rrrrr {Alice; Bob}’s shared secret abP = This is not the same

12

in stuck rgets! visible system. ISO. standards. auditing. election. eaknesses: Reject.”

13

Textbook key exchange using standard point P

• n a standard elliptic curve E:

Alice’s secret key a

• Bob’s

secret key b

• Alice’s

public key aP

• ▲

▲ ▲ ▲ ▲ ▲ ▲ Bob’s public key bP rrrrrrr {Alice; Bob}’s shared secret abP = {Bob; Alice}’s shared secret baP Security depends on choice of E. Our partner Jerry’s choice of E; P

• Alice’s

secret key a

• Bob’s

secret k

• Alice’s

public key aP

• ▲

▲ ▲ ▲ ▲ ▲ ▲ Bob’s public bP rrrrrrr {Alice; Bob}’s shared secret abP = {Bob; Alice shared sec baP This is not the same picture!

13

Textbook key exchange using standard point P

• n a standard elliptic curve E:

Alice’s secret key a

• Bob’s

secret key b

• Alice’s

public key aP

• ▲

▲ ▲ ▲ ▲ ▲ ▲ Bob’s public key bP rrrrrrr {Alice; Bob}’s shared secret abP = {Bob; Alice}’s shared secret baP Security depends on choice of E.

14

Our partner Jerry’s choice of E; P

• Alice’s

secret key a

• Bob’s

secret key b

• Alice’s

public key aP

• ▲

▲ ▲ ▲ ▲ ▲ ▲ Bob’s public key bP rrrrrrr {Alice; Bob}’s shared secret abP = {Bob; Alice}’s shared secret baP This is not the same picture!

13

• k key exchange

standard point P standard elliptic curve E: Alice’s secret key a

• Bob’s

secret key b

• Alice’s

public key aP

• ▲

▲ ▲ ▲ ▲ ▲ ▲ Bob’s public key bP rrrrrrr ; Bob}’s red secret bP = {Bob; Alice}’s shared secret baP Security depends on choice of E.

14

Our partner Jerry’s choice of E; P

• Alice’s

secret key a

• Bob’s

secret key b

• Alice’s

public key aP

• ▲

▲ ▲ ▲ ▲ ▲ ▲ Bob’s public key bP rrrrrrr {Alice; Bob}’s shared secret abP = {Bob; Alice}’s shared secret baP This is not the same picture! One final 2005 Brainp “The choice from which parameters not motivated part of the : : : Verifiably The [Brainp generated manner using generated comprehensive

13

exchange

• int P

elliptic curve E: Bob’s secret key b

• ▲

▲ ▲ Bob’s public key bP rrrr = {Bob; Alice}’s shared secret baP ends on choice of E.

14

Our partner Jerry’s choice of E; P

• Alice’s

secret key a

• Bob’s

secret key b

• Alice’s

public key aP

• ▲

▲ ▲ ▲ ▲ ▲ ▲ Bob’s public key bP rrrrrrr {Alice; Bob}’s shared secret abP = {Bob; Alice}’s shared secret baP This is not the same picture! One final example 2005 Brainpool standa “The choice of the from which the [NIST] parameters have b not motivated leaving part of the security : : : Verifiably pseudo-random. The [Brainpool] curves generated in a pseudo-random manner using seeds generated in a systematic comprehensive way

13

curve E: Bob’s key b

• Bob’s

public key P Alice}’s secret aP choice of E.

14

Our partner Jerry’s choice of E; P

• Alice’s

secret key a

• Bob’s

secret key b

• Alice’s

public key aP

• ▲

▲ ▲ ▲ ▲ ▲ ▲ Bob’s public key bP rrrrrrr {Alice; Bob}’s shared secret abP = {Bob; Alice}’s shared secret baP This is not the same picture! One final example 2005 Brainpool standard: “The choice of the seeds from which the [NIST] curve parameters have been derived not motivated leaving an essential part of the security analysis : : : Verifiably pseudo-random. The [Brainpool] curves shall generated in a pseudo-random manner using seeds that are generated in a systematic and comprehensive way.”

14

Our partner Jerry’s choice of E; P

• Alice’s

secret key a

• Bob’s

secret key b

• Alice’s

public key aP

• ▲

▲ ▲ ▲ ▲ ▲ ▲ Bob’s public key bP rrrrrrr {Alice; Bob}’s shared secret abP = {Bob; Alice}’s shared secret baP This is not the same picture!

15

One final example 2005 Brainpool standard: “The choice of the seeds from which the [NIST] curve parameters have been derived is not motivated leaving an essential part of the security analysis open. : : : Verifiably pseudo-random. The [Brainpool] curves shall be generated in a pseudo-random manner using seeds that are generated in a systematic and comprehensive way.”

14

Our partner Jerry’s choice of E; P

• Alice’s

secret key a

• Bob’s

secret key b

• Alice’s

public key aP

• ▲

▲ ▲ ▲ ▲ ▲ ▲ Bob’s public key bP rrrrrrr ; Bob}’s red secret bP = {Bob; Alice}’s shared secret baP is not the same picture!

15

One final example 2005 Brainpool standard: “The choice of the seeds from which the [NIST] curve parameters have been derived is not motivated leaving an essential part of the security analysis open. : : : Verifiably pseudo-random. The [Brainpool] curves shall be generated in a pseudo-random manner using seeds that are generated in a systematic and comprehensive way.”

import hashlib def hash(seed): h seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = def secure(A,B): if k(B).is_square(): n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and and Integers(n)(p).multiplicative_order() def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) def fullhash(seed): return str2int(hash(seed) def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S) B = fullhash(S) if not secure(A,B): print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

14

rtner Jerry’s

• f E; P
• Bob’s

secret key b

• ▲

▲ ▲ Bob’s public key bP rrrr = {Bob; Alice}’s shared secret baP same picture!

15

One final example 2005 Brainpool standard: “The choice of the seeds from which the [NIST] curve parameters have been derived is not motivated leaving an essential part of the security analysis open. : : : Verifiably pseudo-random. The [Brainpool] curves shall be generated in a pseudo-random manner using seeds that are generated in a systematic and comprehensive way.”

import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] def secure(A,B): if k(B).is_square(): return False n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); S = update(S) B = fullhash(S) if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

14

Jerry’s Bob’s key b

• Bob’s

public key P Alice}’s secret aP picture!

15

One final example 2005 Brainpool standard: “The choice of the seeds from which the [NIST] curve parameters have been derived is not motivated leaving an essential part of the security analysis open. : : : Verifiably pseudo-random. The [Brainpool] curves shall be generated in a pseudo-random manner using seeds that are generated in a systematic and comprehensive way.”

import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] def secure(A,B): if k(B).is_square(): return False n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue S = update(S) B = fullhash(S) if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

15

One final example 2005 Brainpool standard: “The choice of the seeds from which the [NIST] curve parameters have been derived is not motivated leaving an essential part of the security analysis open. : : : Verifiably pseudo-random. The [Brainpool] curves shall be generated in a pseudo-random manner using seeds that are generated in a systematic and comprehensive way.”

16

import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] def secure(A,B): if k(B).is_square(): return False n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue S = update(S) B = fullhash(S) if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

15

final example Brainpool standard: choice of the seeds which the [NIST] curve rameters have been derived is motivated leaving an essential

• f the security analysis open.

erifiably pseudo-random. [Brainpool] curves shall be generated in a pseudo-random manner using seeds that are generated in a systematic and rehensive way.”

16

import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] def secure(A,B): if k(B).is_square(): return False n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue S = update(S) B = fullhash(S) if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

2015: W the curve-gene from the Previous Output of

p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF A 2B98B906DC245F2916C03A2F953EA9AE565C3253E B 68AEC4BFE84C659E

15

example standard: the seeds [NIST] curve been derived is leaving an essential security analysis open. pseudo-random. curves shall be pseudo-random seeds that are systematic and ay.”

16

import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] def secure(A,B): if k(B).is_square(): return False n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue S = update(S) B = fullhash(S) if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

2015: We carefully the curve-generation from the Brainpool Previous slide: 224-bit Output of this pro

p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF A 2B98B906DC245F2916C03A2F953EA9AE565C3253E B 68AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D

15

curve derived is essential analysis open. pseudo-random. shall be pseudo-random re and

16

import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] def secure(A,B): if k(B).is_square(): return False n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue S = update(S) B = fullhash(S) if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

2015: We carefully implemented the curve-generation procedure from the Brainpool standard. Previous slide: 224-bit procedure. Output of this procedure:

p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF A 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E B 68AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D

16

import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] def secure(A,B): if k(B).is_square(): return False n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue S = update(S) B = fullhash(S) if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

17

2015: We carefully implemented the curve-generation procedure from the Brainpool standard. Previous slide: 224-bit procedure. Output of this procedure:

p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF A 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E B 68AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D

16

import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] def secure(A,B): if k(B).is_square(): return False n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue S = update(S) B = fullhash(S) if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

17

2015: We carefully implemented the curve-generation procedure from the Brainpool standard. Previous slide: 224-bit procedure. Output of this procedure:

p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF A 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E B 68AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D

The standard 224-bit Brainpool curve is not the same curve:

p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF A 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43 B 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B

16

import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] def secure(A,B): if k(B).is_square(): return False n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue S = update(S) B = fullhash(S) if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

17

2015: We carefully implemented the curve-generation procedure from the Brainpool standard. Previous slide: 224-bit procedure. Output of this procedure:

p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF A 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E B 68AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D

The standard 224-bit Brainpool curve is not the same curve:

p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF A 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43 B 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B

Next slide: a procedure that does generate the standard Brainpool curve.

16

= hashlib.sha1(); h.update(seed); return h.digest() 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF = k[] k(B).is_square(): return False EllipticCurve([k(A),k(B)]).cardinality() and n.is_prime() Integers(n)(p).multiplicative_order() * 100 >= n-1) int2str(seed,bytes): ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) str2int(seed): Integer(seed.encode(’hex’),16) int2str(str2int(seed) + 1,len(seed)) fullhash(seed): str2int(hash(seed) + hash(update(seed))) % 2^223 real2str(seed,bytes): int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) real2str(exp(1)/16,7*seedbytes) nums[2*seedbytes:3*seedbytes] (k(A)*x^4+3).roots(): S = update(S); continue secure(A,B): S = update(S); continue ’p’,hex(p).upper() ’A’,hex(A).upper() ’B’,hex(B).upper()

17

2015: We carefully implemented the curve-generation procedure from the Brainpool standard. Previous slide: 224-bit procedure. Output of this procedure:

p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF A 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E B 68AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D

The standard 224-bit Brainpool curve is not the same curve:

p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF A 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43 B 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B

Next slide: a procedure that does generate the standard Brainpool curve.

import hashlib def hash(seed): h seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and and Integers(n)(p).multiplicative_order() def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) def fullhash(seed): return str2int(hash(seed) def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): while True: S = update(S) B = fullhash(S) if not k(B).is_square(): if not secure(A,B): print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

16

h.update(seed); return h.digest() 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF EllipticCurve([k(A),k(B)]).cardinality() Integers(n)(p).multiplicative_order() * 100 >= n-1) ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) Integer(seed.encode(’hex’),16) 1,len(seed)) hash(update(seed))) % 2^223 int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) real2str(exp(1)/16,7*seedbytes) update(S); continue continue

17

2015: We carefully implemented the curve-generation procedure from the Brainpool standard. Previous slide: 224-bit procedure. Output of this procedure:

p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF A 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E B 68AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D

The standard 224-bit Brainpool curve is not the same curve:

p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF A 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43 B 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B

Next slide: a procedure that does generate the standard Brainpool curve.

import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); while True: S = update(S) B = fullhash(S) if not k(B).is_square(): break if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

16

h.digest() 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF n-1) reversed(range(bytes))]) int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes)

17

2015: We carefully implemented the curve-generation procedure from the Brainpool standard. Previous slide: 224-bit procedure. Output of this procedure:

p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF A 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E B 68AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D

The standard 224-bit Brainpool curve is not the same curve:

p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF A 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43 B 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B

Next slide: a procedure that does generate the standard Brainpool curve.

import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue while True: S = update(S) B = fullhash(S) if not k(B).is_square(): break if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

17

2015: We carefully implemented the curve-generation procedure from the Brainpool standard. Previous slide: 224-bit procedure. Output of this procedure:

p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF A 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E B 68AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D

The standard 224-bit Brainpool curve is not the same curve:

p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF A 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43 B 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B

Next slide: a procedure that does generate the standard Brainpool curve.

18

import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue while True: S = update(S) B = fullhash(S) if not k(B).is_square(): break if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

17

We carefully implemented curve-generation procedure the Brainpool standard. Previous slide: 224-bit procedure. Output of this procedure:

D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E 8AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D

standard 224-bit Brainpool is not the same curve:

D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B

slide: a procedure does generate standard Brainpool curve.

18

import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue while True: S = update(S) B = fullhash(S) if not k(B).is_square(): break if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

Did Brainp publication? Did they Brainpool advertised “comprehensive”, transparent”, say the same

17

refully implemented ation procedure

• ol standard.

224-bit procedure. rocedure:

D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E BB8B81DC39355A2EBFA3870D98976FA2F17D2D8D

224-bit Brainpool same curve:

D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B

cedure generate Brainpool curve.

18

import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue while True: S = update(S) B = fullhash(S) if not k(B).is_square(): break if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

Did Brainpool check publication? After Did they know befo Brainpool procedure advertised as “systematic”, “comprehensive”, “completely transparent”, etc. say the same for b

17

implemented cedure rd. cedure.

D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF 8AEC4BFE84C659E BB8B81DC39355A2EBFA3870D98976FA2F17D2D8D

Brainpool curve:

D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B

curve.

18

import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue while True: S = update(S) B = fullhash(S) if not k(B).is_square(): break if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

Did Brainpool check before publication? After publication? Did they know before 2015? Brainpool procedure is advertised as “systematic”, “comprehensive”, “completely transparent”, etc. Surely we say the same for both procedures.

18

import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue while True: S = update(S) B = fullhash(S) if not k(B).is_square(): break if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

19

Did Brainpool check before publication? After publication? Did they know before 2015? Brainpool procedure is advertised as “systematic”, “comprehensive”, “completely transparent”, etc. Surely we can say the same for both procedures.

18

import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue while True: S = update(S) B = fullhash(S) if not k(B).is_square(): break if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

19

Did Brainpool check before publication? After publication? Did they know before 2015? Brainpool procedure is advertised as “systematic”, “comprehensive”, “completely transparent”, etc. Surely we can say the same for both procedures. Can quietly manipulate choice to take the weaker procedure.

18

import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def update(seed): return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue while True: S = update(S) B = fullhash(S) if not k(B).is_square(): break if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

19

Did Brainpool check before publication? After publication? Did they know before 2015? Brainpool procedure is advertised as “systematic”, “comprehensive”, “completely transparent”, etc. Surely we can say the same for both procedures. Can quietly manipulate choice to take the weaker procedure. Interesting Brainpool quote: “It is envisioned to provide additional curves on a regular basis.”

18

= hashlib.sha1(); h.update(seed); return h.digest() 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF = k[] EllipticCurve([k(A),k(B)]).cardinality() and n.is_prime() Integers(n)(p).multiplicative_order() * 100 >= n-1) int2str(seed,bytes): ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) str2int(seed): Integer(seed.encode(’hex’),16) int2str(str2int(seed) + 1,len(seed)) fullhash(seed): str2int(hash(seed) + hash(update(seed))) % 2^223 real2str(seed,bytes): int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) real2str(exp(1)/16,7*seedbytes) nums[2*seedbytes:3*seedbytes] (k(A)*x^4+3).roots(): S = update(S); continue fullhash(S) k(B).is_square(): break secure(A,B): S = update(S); continue ’p’,hex(p).upper() ’A’,hex(A).upper() ’B’,hex(B).upper()

19

Did Brainpool check before publication? After publication? Did they know before 2015? Brainpool procedure is advertised as “systematic”, “comprehensive”, “completely transparent”, etc. Surely we can say the same for both procedures. Can quietly manipulate choice to take the weaker procedure. Interesting Brainpool quote: “It is envisioned to provide additional curves on a regular basis.” We made using standa To avoid complications hash outputs: from SHA-1 maximum-securit Also upgraded maximum Brainpool and arctan(1) uses sin(1), We also pattern of

18

h.update(seed); return h.digest() 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF EllipticCurve([k(A),k(B)]).cardinality() Integers(n)(p).multiplicative_order() * 100 >= n-1) ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) Integer(seed.encode(’hex’),16) 1,len(seed)) hash(update(seed))) % 2^223 int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) real2str(exp(1)/16,7*seedbytes) update(S); continue continue

19

Did Brainpool check before publication? After publication? Did they know before 2015? Brainpool procedure is advertised as “systematic”, “comprehensive”, “completely transparent”, etc. Surely we can say the same for both procedures. Can quietly manipulate choice to take the weaker procedure. Interesting Brainpool quote: “It is envisioned to provide additional curves on a regular basis.” We made a new 224- using standard NIST To avoid Brainpool’s complications of concatenating hash outputs: We from SHA-1 to state-of-the-a maximum-security Also upgraded to requiring maximum twist securit Brainpool uses exp(1) and arctan(1) = ı uses sin(1), so we We also used much pattern of searching

18

h.digest() 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF n-1) reversed(range(bytes))]) int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes)

19

Did Brainpool check before publication? After publication? Did they know before 2015? Brainpool procedure is advertised as “systematic”, “comprehensive”, “completely transparent”, etc. Surely we can say the same for both procedures. Can quietly manipulate choice to take the weaker procedure. Interesting Brainpool quote: “It is envisioned to provide additional curves on a regular basis.” We made a new 224-bit curve using standard NIST P-224 p To avoid Brainpool’s complications of concatenating hash outputs: We upgraded from SHA-1 to state-of-the-a maximum-security SHA3-512. Also upgraded to requiring maximum twist security. Brainpool uses exp(1) = e and arctan(1) = ı=4, and M uses sin(1), so we used cos(1). We also used much simpler pattern of searching for seeds.

19

Did Brainpool check before publication? After publication? Did they know before 2015? Brainpool procedure is advertised as “systematic”, “comprehensive”, “completely transparent”, etc. Surely we can say the same for both procedures. Can quietly manipulate choice to take the weaker procedure. Interesting Brainpool quote: “It is envisioned to provide additional curves on a regular basis.”

20

We made a new 224-bit curve using standard NIST P-224 prime. To avoid Brainpool’s complications of concatenating hash outputs: We upgraded from SHA-1 to state-of-the-art maximum-security SHA3-512. Also upgraded to requiring maximum twist security. Brainpool uses exp(1) = e and arctan(1) = ı=4, and MD5 uses sin(1), so we used cos(1). We also used much simpler pattern of searching for seeds.

19

Brainpool check before publication? After publication? they know before 2015?

• ol procedure is

advertised as “systematic”, rehensive”, “completely transparent”, etc. Surely we can the same for both procedures. quietly manipulate choice e the weaker procedure. Interesting Brainpool quote: “It envisioned to provide additional

• n a regular basis.”

20

We made a new 224-bit curve using standard NIST P-224 prime. To avoid Brainpool’s complications of concatenating hash outputs: We upgraded from SHA-1 to state-of-the-art maximum-security SHA3-512. Also upgraded to requiring maximum twist security. Brainpool uses exp(1) = e and arctan(1) = ı=4, and MD5 uses sin(1), so we used cos(1). We also used much simpler pattern of searching for seeds.

import simplesha3 hash = simplesha3.sha3512 p = 2^224 - 2^96 + k = GF(p) seedbytes = 20 def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n.is_prime() and Integers(n)(p).multiplicative_order() and Integers(2*p+2-n)(p).multiplicative_order() def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) def str2int(seed): return Integer(seed.encode(’hex’),16) def complement(seed): return ’’.join([chr(255-ord(s)) def real2str(seed,bytes): return int2str(Integer(RealField(8*bytes)(seed)*256^bytes),bytes) sizeofint = 4 nums = real2str(cos(1),seedbytes for counter in xrange(0,256^sizeofint): S = int2str(counter,sizeofint) T = complement(S) A = str2int(hash(S)) B = str2int(hash(T)) if secure(A,B): print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

19

check before After publication? efore 2015? cedure is “systematic”, rehensive”, “completely

• etc. Surely we can

both procedures. manipulate choice er procedure. Brainpool quote: “It provide additional regular basis.”

20

We made a new 224-bit curve using standard NIST P-224 prime. To avoid Brainpool’s complications of concatenating hash outputs: We upgraded from SHA-1 to state-of-the-art maximum-security SHA3-512. Also upgraded to requiring maximum twist security. Brainpool uses exp(1) = e and arctan(1) = ı=4, and MD5 uses sin(1), so we used cos(1). We also used much simpler pattern of searching for seeds.

import simplesha3 hash = simplesha3.sha3512 p = 2^224 - 2^96 + 1 k = GF(p) seedbytes = 20 def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n.is_prime() and (2*p+2-n).is_prime() and Integers(n)(p).multiplicative_order() and Integers(2*p+2-n)(p).multiplicative_order() def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) def str2int(seed): return Integer(seed.encode(’hex’),16) def complement(seed): return ’’.join([chr(255-ord(s)) for def real2str(seed,bytes): return int2str(Integer(RealField(8*bytes)(seed)*256^bytes),bytes) sizeofint = 4 nums = real2str(cos(1),seedbytes - sizeofint) for counter in xrange(0,256^sizeofint): S = int2str(counter,sizeofint) + nums T = complement(S) A = str2int(hash(S)) B = str2int(hash(T)) if secure(A,B): print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

19

re publication? 2015? “systematic”, “completely we can cedures. choice cedure. quote: “It additional

20

We made a new 224-bit curve using standard NIST P-224 prime. To avoid Brainpool’s complications of concatenating hash outputs: We upgraded from SHA-1 to state-of-the-art maximum-security SHA3-512. Also upgraded to requiring maximum twist security. Brainpool uses exp(1) = e and arctan(1) = ı=4, and MD5 uses sin(1), so we used cos(1). We also used much simpler pattern of searching for seeds.

import simplesha3 hash = simplesha3.sha3512 p = 2^224 - 2^96 + 1 k = GF(p) seedbytes = 20 def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n.is_prime() and (2*p+2-n).is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1 and Integers(2*p+2-n)(p).multiplicative_order() * 100 >= def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def complement(seed): return ’’.join([chr(255-ord(s)) for s in seed]) def real2str(seed,bytes): return int2str(Integer(RealField(8*bytes)(seed)*256^bytes),bytes) sizeofint = 4 nums = real2str(cos(1),seedbytes - sizeofint) for counter in xrange(0,256^sizeofint): S = int2str(counter,sizeofint) + nums T = complement(S) A = str2int(hash(S)) B = str2int(hash(T)) if secure(A,B): print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

20

We made a new 224-bit curve using standard NIST P-224 prime. To avoid Brainpool’s complications of concatenating hash outputs: We upgraded from SHA-1 to state-of-the-art maximum-security SHA3-512. Also upgraded to requiring maximum twist security. Brainpool uses exp(1) = e and arctan(1) = ı=4, and MD5 uses sin(1), so we used cos(1). We also used much simpler pattern of searching for seeds.

21

import simplesha3 hash = simplesha3.sha3512 p = 2^224 - 2^96 + 1 k = GF(p) seedbytes = 20 def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n.is_prime() and (2*p+2-n).is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1 and Integers(2*p+2-n)(p).multiplicative_order() * 100 >= 2*p+2-n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def complement(seed): return ’’.join([chr(255-ord(s)) for s in seed]) def real2str(seed,bytes): return int2str(Integer(RealField(8*bytes)(seed)*256^bytes),bytes) sizeofint = 4 nums = real2str(cos(1),seedbytes - sizeofint) for counter in xrange(0,256^sizeofint): S = int2str(counter,sizeofint) + nums T = complement(S) A = str2int(hash(S)) B = str2int(hash(T)) if secure(A,B): print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

20

made a new 224-bit curve standard NIST P-224 prime. avoid Brainpool’s complications of concatenating

• utputs: We upgraded

SHA-1 to state-of-the-art maximum-security SHA3-512. upgraded to requiring maximum twist security.

• ol uses exp(1) = e

rctan(1) = ı=4, and MD5 sin(1), so we used cos(1). also used much simpler pattern of searching for seeds.

21

import simplesha3 hash = simplesha3.sha3512 p = 2^224 - 2^96 + 1 k = GF(p) seedbytes = 20 def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n.is_prime() and (2*p+2-n).is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1 and Integers(2*p+2-n)(p).multiplicative_order() * 100 >= 2*p+2-n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def complement(seed): return ’’.join([chr(255-ord(s)) for s in seed]) def real2str(seed,bytes): return int2str(Integer(RealField(8*bytes)(seed)*256^bytes),bytes) sizeofint = 4 nums = real2str(cos(1),seedbytes - sizeofint) for counter in xrange(0,256^sizeofint): S = int2str(counter,sizeofint) + nums T = complement(S) A = str2int(hash(S)) B = str2int(hash(T)) if secure(A,B): print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

Output:

20

224-bit curve NIST P-224 prime.

• ol’s

concatenating e upgraded state-of-the-art maximum-security SHA3-512.

• requiring

security. exp(1) = e ı=4, and MD5 e used cos(1). much simpler rching for seeds.

21

import simplesha3 hash = simplesha3.sha3512 p = 2^224 - 2^96 + 1 k = GF(p) seedbytes = 20 def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n.is_prime() and (2*p+2-n).is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1 and Integers(2*p+2-n)(p).multiplicative_order() * 100 >= 2*p+2-n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def complement(seed): return ’’.join([chr(255-ord(s)) for s in seed]) def real2str(seed,bytes): return int2str(Integer(RealField(8*bytes)(seed)*256^bytes),bytes) sizeofint = 4 nums = real2str(cos(1),seedbytes - sizeofint) for counter in xrange(0,256^sizeofint): S = int2str(counter,sizeofint) + nums T = complement(S) A = str2int(hash(S)) B = str2int(hash(T)) if secure(A,B): print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

Output:

7144BA12CE8A0C3BEFA053ED

20

curve P-224 prime. concatenating upgraded state-of-the-art SHA3-512. MD5 cos(1). impler eeds.

21

import simplesha3 hash = simplesha3.sha3512 p = 2^224 - 2^96 + 1 k = GF(p) seedbytes = 20 def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n.is_prime() and (2*p+2-n).is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1 and Integers(2*p+2-n)(p).multiplicative_order() * 100 >= 2*p+2-n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def complement(seed): return ’’.join([chr(255-ord(s)) for s in seed]) def real2str(seed,bytes): return int2str(Integer(RealField(8*bytes)(seed)*256^bytes),bytes) sizeofint = 4 nums = real2str(cos(1),seedbytes - sizeofint) for counter in xrange(0,256^sizeofint): S = int2str(counter,sizeofint) + nums T = complement(S) A = str2int(hash(S)) B = str2int(hash(T)) if secure(A,B): print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

Output:

7144BA12CE8A0C3BEFA053EDBADA55

21

import simplesha3 hash = simplesha3.sha3512 p = 2^224 - 2^96 + 1 k = GF(p) seedbytes = 20 def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n.is_prime() and (2*p+2-n).is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1 and Integers(2*p+2-n)(p).multiplicative_order() * 100 >= 2*p+2-n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def complement(seed): return ’’.join([chr(255-ord(s)) for s in seed]) def real2str(seed,bytes): return int2str(Integer(RealField(8*bytes)(seed)*256^bytes),bytes) sizeofint = 4 nums = real2str(cos(1),seedbytes - sizeofint) for counter in xrange(0,256^sizeofint): S = int2str(counter,sizeofint) + nums T = complement(S) A = str2int(hash(S)) B = str2int(hash(T)) if secure(A,B): print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

22

Output:

7144BA12CE8A0C3BEFA053EDBADA55...

21

import simplesha3 hash = simplesha3.sha3512 p = 2^224 - 2^96 + 1 k = GF(p) seedbytes = 20 def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n.is_prime() and (2*p+2-n).is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1 and Integers(2*p+2-n)(p).multiplicative_order() * 100 >= 2*p+2-n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def complement(seed): return ’’.join([chr(255-ord(s)) for s in seed]) def real2str(seed,bytes): return int2str(Integer(RealField(8*bytes)(seed)*256^bytes),bytes) sizeofint = 4 nums = real2str(cos(1),seedbytes - sizeofint) for counter in xrange(0,256^sizeofint): S = int2str(counter,sizeofint) + nums T = complement(S) A = str2int(hash(S)) B = str2int(hash(T)) if secure(A,B): print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

22

Output:

7144BA12CE8A0C3BEFA053EDBADA55...

We actually generated >1000000 curves for this prime, each having a Brainpool-like explanation, even without complicating hashing, seed search, etc.; e.g., BADA55-VPR2-224 uses exp(1).

21

import simplesha3 hash = simplesha3.sha3512 p = 2^224 - 2^96 + 1 k = GF(p) seedbytes = 20 def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() return (n.is_prime() and (2*p+2-n).is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1 and Integers(2*p+2-n)(p).multiplicative_order() * 100 >= 2*p+2-n-1) def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): return Integer(seed.encode(’hex’),16) def complement(seed): return ’’.join([chr(255-ord(s)) for s in seed]) def real2str(seed,bytes): return int2str(Integer(RealField(8*bytes)(seed)*256^bytes),bytes) sizeofint = 4 nums = real2str(cos(1),seedbytes - sizeofint) for counter in xrange(0,256^sizeofint): S = int2str(counter,sizeofint) + nums T = complement(S) A = str2int(hash(S)) B = str2int(hash(T)) if secure(A,B): print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

22

Output:

7144BA12CE8A0C3BEFA053EDBADA55...

We actually generated >1000000 curves for this prime, each having a Brainpool-like explanation, even without complicating hashing, seed search, etc.; e.g., BADA55-VPR2-224 uses exp(1). See bada55.cr.yp.to for much more: full paper; scripts; detailed Brainpool analysis; manipulating “minimal” primes and curves (Microsoft “NUMS”); manipulating security criteria.