Abstract
It can be tricky to trust elliptic curves standardized in a non-transparent way. To rectify this, we propose a systematic methodology for analyzing curves and statistically comparing them to the expected values of a large number of generic curves with the aim of identifying any deviations in the standard curves.
For this purpose, we put together the largest publicly available database of standard curves. To identify unexpected properties of standard generation methods and curves, we simulate over 250 000 curves by mimicking the generation process of four standards. We compute 22 different properties of curves and analyze them with automated methods to pinpoint deviations in standard curves, pointing to possible weaknesses.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
In this work, we use the adjective “standard” for widely used curves (from actual standards and even that are/were a de facto standard).
- 2.
However, binary, extension and pairing-friendly curves are included in our database as well and have been included partly in our analysis.
- 3.
This is often ignored in the standards though, except for the NUMS standard and individual curves such as Curve25519.
- 4.
At least for short Weierstrass, Montgomery and twisted Edwards curves.
- 5.
Analyzing these curves is of great importance due to the usage of secp256k1 in Bitcoin [Nak08].
- 6.
In the remainder of this work, the word Random with capital R refers to the curves we generated by our own method to be as generic as possible.
- 7.
The set of Random curves and their trait results is currently still evolving.
- 8.
This took up to a week per standard on 40-core cluster of Intel Xeon Gold 5218.
- 9.
More precisely, H also changes the most significant bit of the output to 0.
- 10.
See https://dissect.crocs.fi.muni.cz/ or Appendix A for a full list.
- 11.
The authors support their claims by providing seeds for two of the seven curves. We find it problematic that the seeds were not previously made public.
- 12.
Iterating through 100 million values of x we have generated 54 BLS curves.
- 13.
- 14.
References
Agence Nationale de la Securite des Systemes d’Information. Avis relatif aux paramètres de courbes elliptiques définis par l’Eetat français (2011). https://www.legifrance.gouv.fr/download/pdf?id=QfYWtPSAJVtAB_c6Je5tAv00OY2r1-ad3LaVVmnStGvQ=
Alekseev, E.K., Nikolaev, V.D., Smyshlyaev, S.V.: On the security properties of Russian standardized elliptic curves. Math. Questions Cryptogr. 9(3), 5–32 (2018)
ANSI. Public key cryptography for the financial services industry: the elliptic curve digital signature algorithm (ECDSA). ANSI X9.62 (2005)
Aranha, D.F., Barreto, P.S.L.M., Pereira, G.C.C.F., Ricardini, J.E.: A note on high-security general-purpose elliptic curves. Cryptology ePrint Archive, Report 2013/647 (2013). https://eprint.iacr.org/2013/647
Baigneres, T., Delerablée, C., Finiasz, M., Goubin, L., Lepoint, T., Rivain, M.: Trap me if you can-million dollar curve. IACR Cryptol. ePrint Arch. 2015, 1249 (2015)
Bailey, D.V., et al.: Breaking ECC2K-130. IACR Cryptol. ePrint Arch. 2009, 541 (2009)
Barreto, P.S.L.M., Lynn, B., Scott, M.: Constructing elliptic curves with prescribed embedding degrees. In: Cimato, S., Persiano, G., Galdi, C. (eds.) SCN 2002. LNCS, vol. 2576, pp. 257–267. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36413-7_19
Bernstein, D.J.: Curve25519: new Diffie-Hellman speed records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 207–228. Springer, Heidelberg (2006). https://doi.org/10.1007/11745853_14
Bernstein, D.J., Lange, T.: SafeCurves: choosing safe curves for elliptic-curve cryptography. https://safecurves.cr.yp.to/. Accessed 17 Aug 2021
Bernstein, D.J., et al.: How to manipulate curve standards: a white paper for the black Hat http://bada55.cr.yp.to. In: Chen, L., Matsuo, S. (eds.) SSR 2015. LNCS, vol. 9497, pp. 109–139. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-27152-1_6
Bernstein, D.J., Chuengsatiansup, C., Lange, T.: Curve41417: karatsuba revisited. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 316–334. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44709-3_18
Bernstein, D.J., Hamburg, M., Krasnova, A., Lange, T.: Elligator: elliptic-curve points indistinguishable from uniform random strings. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 967–980 (2013)
Bernstein, D.J., Lange, T., Niederhagen, R.: Dual EC: a standardized back door. In: Ryan, P.Y.A., Naccache, D., Quisquater, J.-J. (eds.) The New Codebreakers. LNCS, vol. 9100, pp. 256–281. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49301-4_17
Biham, E., Dunkelman, O.: Cryptanalysis of the A5/1 GSM stream cipher. In: Roy, B., Okamoto, E. (eds.) INDOCRYPT 2000. LNCS, vol. 1977, pp. 43–51. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44495-5_5
Black, B., Bos, J., Costello, C., Longa, P., Naehrig, M.: Elliptic curve cryptography (ECC) nothing up my sleeve (NUMS) curves and curve generation. Internet-Drafts are working documents of the Internet Engineering Task Force (2014). https://datatracker.ietf.org/doc/html/draft-black-numscurves-02
Bowe, S.: BLS12-381: New zk-snark elliptic curve construction (2017). https://electriccoin.co/blog/new-snark-curve/. Accessed 16 Sept 2021
Bowe, S., Grigg, J., Hopwood, D.: Recursive proof composition without a trusted setup. Cryptology ePrint Archive, Report 2019/1021 (2019). https://ia.cr/2019/1021
Brengel, M., Rossow, C.: Identifying key leakage of bitcoin users. In: Bailey, M., Holz, T., Stamatogiannakis, M., Ioannidis, S. (eds.) RAID 2018. LNCS, vol. 11050, pp. 623–643. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-00470-5_29
Breunig, M.M., Kriegel, H.-P., Ng, R.T., Sander, J.: LOF: identifying density-based local outliers. In: Proceedings of the 2000 ACM SIGMOD International Conference on Management of Data, pp. 93–104 (2000)
Bröker, R.: Constructing elliptic curves of prescribed order. Ph.D. thesis. Thomas Stieltjes Institute for Mathematics (2006)
Certicom Research. Sec 2: Recommended elliptic curve domain parameters, version 2.0 (2010). https://secg.org/
Certicom Research. Standards for Efficient Cryptography Group. https://secg.org/. Accessed 13 Aug 2021
Checkoway, S., et al.: A systematic analysis of the Juniper Dual EC incident. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 24–28 October 2016, pp. 468–479 (2016)
Cheng, Q.: A new special-purpose factorization algorithm. Citeseer (2002)
Cheon, J.H.: Security analysis of the strong Diffie-Hellman problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 1–11. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_1
Chudnovsky, D.V., Chudnovsky, G.V.: Sequences of numbers generated by addition in formal groups and new primality and factorization tests. Adv. Appl. Math. 7(4), 385–434 (1986)
Collectif. Nombres de classes des corps quadratiques imaginaires. In: Séminaire Bourbaki: 1983/84, exposés 615–632. Astérisque 121–122. Société mathématique de France (1985). https://www.numdam.org/item/SB_1983-1984__26__309_0/
Accredited Standards Committee et al.: American national standard x9. 62-1998. Public Key Cryptography for the Financial Services Industry, The Elliptic Curve Digital Signature Algorithm (ECDSA) (1998)
Costello, C., Longa, P., Naehrig, M.: A brief discussion on selecting new elliptic curves. In: Microsoft Research. Microsoft 8 (2015)
Davenport, H.: Multiplicative number theory, pp. 43–53 (1980)
Di, L., Yan, L.: Introduction to the commercial cryptography scheme in China (2015). https://icmconference.org/wp-content/uploads/C23Introduction-on-the-Commercial-Cryptography-Scheme-in-China-20151105.pdf. Accessed 23 Aug 2021
Elliptic curve cryptography (ECC) brainpool standard curves and curve generation. Technical report IETF RFC 5639 (2010)
Frey, G., Rück, H.-G.: A remark concerning \(m\)-divisibility and the discrete logarithm in the divisor class group of curves. Math. Comput. 62(206), 865–874 (1994)
Gallant, R.P., Lambert, R.J., Vanstone, S.A.: Faster point multiplication on elliptic curves with efficient endomorphisms. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 190–200. Springer, Heidelberg (2001). ISBN 978-3-540-44647-7. https://doi.org/10.1007/3-540-44647-8_11
Goubin, L.: A refined power-analysis attack on elliptic curve cryptosystems. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 199–211. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36288-6_15
Hales, T.C.: The NSA back door to NIST. Not. AMS 61(2), 190–192 (2013)
Hamburg, M.: A note on high-security general-purpose elliptic curves. Cryptology ePrint Archive, Report 2015/625 (2015). https://eprint.iacr.org/2015/625.pdf
Hamburg, M.: Ed448-goldilocks, a new elliptic curve. IACR Cryptology ePrint Archive, Report 2015/625 (2015)
Hopwood, D.: The pasta curves (2020). https://electriccoin.co/blog/the-pasta-curves-for-halo-2-and-beyond/. Accessed 27 Aug 2021
ISO/IEC 15946. Information technology—Security techniques—Cryptographic techniques based on elliptic curves—Part 5: Elliptic curve generation (2017)
Journal officiel de la republique francaise. Avis relatif aux paramètres de courbes elliptiques définis par l’etat français (2011). https://www.legifrance.gouv.fr/download/pdf?id=QfYWtPSAJVtAB_c6Je5tAv00OY2r1ad3LaVVmnStGvQ=
Kim, T., Barbulescu, R.: Extended tower number field sieve: a new complexity for the medium prime case. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 543–571. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_20
Koblitz, N., Menezes, A.: A riddle wrapped in an enigma. IEEE Secur. Priv. 14(6), 34–42 (2016)
Lochter, M., Merkle, J., Schmidt, J.-M., Schutze, T.: Requirements for standard elliptic curves. IACR Cryptology ePrint Archive, Report 2014/832 (2014)
Maxwell, G.: The most repeated R value on the blockchain (2015). https://bitcointalk.org/index.php?topic=1118704.0. Accessed 09 Sept 2021
Menezes, A.J., Okamoto, T., Vanstone, S.A.: Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Trans. Inf. Theory 39(5), 1639–1646 (1993)
Miele, A., Lenstra, A.K.: Efficient ephemeral elliptic curve cryptographic keys. In: Lopez, J., Mitchell, C.J. (eds.) ISC 2015. LNCS, vol. 9290, pp. 524–547. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-23318-5_29
MIRACL UK Ltd.: Multiprecision integer and rational arithmetic cryptographic library (2018). https://github.com/miracl/MIRACL
Miyaji, A., Nakabayashi, M., Takano, S.: New explicit conditions of elliptic curve traces for FR-reduction. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 84, 1234–1243 (2001)
Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system. Decentralized Business Review, p. 21260 (2008)
National Institute of Standards and Technology. Fips publication 186-2 (2000). https://csrc.nist.gov/publications/detail/fips/186/2/archive/2000-01-27
Obrátil, L., Klinec, D., Švenda, P., Ukrop, M.: Randomness testing toolkit (2015). https://rtt.ics.muni.cz
Orman, H.: The OAKLEY key determination protocol. RFC 2412 (1998). https://rfc-editor.org/rfc/rfc2412.txt
Pereira, G.C., Simplício, M.A., Jr., Naehrig, M., Barreto, P.S.: A family of implementation-friendly BN elliptic curves. J. Syst. Softw. 84(8), 1319–1326 (2011)
Pohlig, S., Hellman, M.: An improved algorithm for computing logarithms over \(GF(p)\) and its cryptographic significance. IEEE Trans. Inf. Theory 106–110 (1978)
Popov, V., Leontiev, S., Kurepkin, I.: Additional cryptographic algorithms for use with GOST 28147-89, GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 Algorithms (2006). https://rfc-editor.org/rfc/rfc4357.txt
Pornin, T.: https://crypto.stackexchange.com/questions/60420/what-does-the-special-form-of-the-base-point-of-secp256k1-allow. Accessed 16 Sept 2021
Satoh, T., Araki, K., et al.: Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves. Rikkyo Daigaku sugaku zasshi 47(1), 81–92 (1998)
Schneier, B.: The NSA Is Breaking Most Encryption on the Internet (2013). https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html. Accessed 13 Aug 2021
Schoof, R.: Counting points on elliptic curves over finite fields. Jo. Théorie Nombres Bordeaux 219–254 (1995)
Scott, M.: Re: NIST annouces set of Elliptic Curves (1999). https://web.archive.org/web/20160313065951/groups.google.com/forum/message/raw?msg=sci.crypt/mFMukSsORmI/FpbHDQ6hM_MJ. Accessed 13 Aug 2021
Scott, M.: A new curve (2015). https://moderncrypto.org/mail-archive/curves/2015/000449.html. Accessed 01 Sept 2021
Sedláček, V.: On cryptographic weaknesses related to elliptic curves. Ph.D. thesis. Masaryk University (2022)
Semaev, I.: On computing logarithms on elliptic curves. Discret. Math. Appl. 6(1), 69–76 (1996)
Semaev, I.: Evaluation of discrete logarithms in a group of \(p\)-torsion points of an elliptic curve in characteristic \(p\). Math. Comput. 67(221), 353–356 (1998)
Shen, S., Shen, S., Lee, X.: SM2 digital signature algorithm. Internet-Draft. Work in Progress (2014). https://datatracker.ietf.org/doc/html/draft-shen-sm2-ecdsa-02
Smart, N.P.: The discrete logarithm problem on elliptic curves of trace one. J. Cryptol. 12(3), 193–196 (1999)
Smyshlyaeva, E.S., Fotieva, V.: Information technology. Cryptographic data security. Parameters of elliptic curves for cryptographic algorithms and protocols. Federal Agency on Technical Regulating and Metrology (2016)
Solinas, J.A.: Generalized mersenne prime. In: van Tilborg, H.C.A., Jajodia, S. (eds.) Encyclopedia of Cryptography and Security, pp. 509–510. Springer, Boston (2011). https://doi.org/10.1007/978-1-4419-5906-5_32
Torkelson, C.E.: The clipper chip: how key escrow threatens to undermine the fourth amendment. Seton Hall L. Rev. 25, 1142 (1994)
Valenta, L., Sullivan, N., Sanso, A., Heninger, N.: In search of curveswap: Measuring elliptic curve implementations in the wild. Cryptology ePrint Archive, Report 2018/298 (2018). https://ia.cr/2018/298
Weiser, S., Schrammel, D., Bodner, L., Spreitzer, R.: Big numbers - big troubles: systematically analyzing nonce leakage in (EC)DSA implementations. In: USENIX Security Symposium (2020)
Wireless Application Protocol Forum. Wireless application protocol wireless transport layer security specification (2000). https://web.archive.org/web/20170829023257/www.wapforum.org/tech/documents/WAP-199-WTLS-20000218-a.pdf
Acknowledgements
This project has been made possible in part by a grant from the Cisco University Research Program Fund, an advised fund of Silicon Valley Community Foundation. V. Sedlacek, V. Matyas, M. Sys and A. Dufka were supported by Czech Science Foundation project GA20-03426S. V. Sedlacek and V. Suchanek were also supported by the Ph.D. Talent Scholarship - funded by the Brno City Municipality. Computational resources were supplied by the project “e-Infrastruktura CZ” (e-INFRA LM2018140) provided within the program Projects of Large Research, Development and Innovations Infrastructures.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
A A List of traits
A A List of traits
The following is a list of all traits used for curve analysis. Each trait takes as an input an ordinary elliptic curve \(E/\mathbb {F}_{p}:y^2=x^3+ax+b\) of order n.
Trait name | Input | Output |
---|---|---|
cofactor | int r | Tuple \((n_1, n_2)\) such that the group \(E(\mathbb {F}_{p^r})\) is isomorphic to \(\mathbb {Z}_{n_1}\times \mathbb {Z}_{n_2}\) and \(n_1|n_2\) (\(n_1=1\) for cyclic groups) |
discriminant | The factorization of \(D = t^2-4p = v^2d_K\), where \(d_K\) is the discriminant of the endomorphism algebra of E | |
twist order | int r | The factorization of the cardinality of the quadratic twist of \(E(\mathbb {F}_{p^r})\) |
kn fact. | int k | The factorizations of \(kn+1\) , \(kn-1\) |
torsion extension | prime l | \(k_1,k_2,k_2/k_1\), where \(k_1,k_2\) are the smallest integers satisfying \(E[l]\cap E(\mathbb {F}_{p^{k_1}})\ne \emptyset \) and \(E[l]\subseteq E(\mathbb {F}_{p^{k_2}})\) |
conductor | int r | The factorization of \(D_r/D_1\), where \(D_r = t_r^2-4p^{r}\) and \(t_r\) is the trace of Frobenius of \(E/\mathbb {F}_{p^r}\) |
embedding | The ratio \(\phi (r)/e\), where \(r\mid n\) is the order of the prime order subgroup and e is the multiplicative order of \(q \pmod r\) | |
class number | Upper bound [Dav80] and lower bound [Col85] on the class number of the endomorphism algebra of E | |
small prime order | prime l | The ratio \(\phi (n)/m\) where m is the multiplicative order of \(l \pmod n\) |
division pol. | prime l | The factorization of the l-th division polynomial |
volcano | prime l | The depth and the degree of the l-volcano |
isogeny extension | prime l | \(i_1,i_2,i_2/i_1\) where \(i_1,i_2\) are the smallest integers such that there exists a \(\mathbb {F}_{p^{i_1}}\)-rational l-isogeny and \(l+1\) \(\mathbb {F}_{p^{i_2}}\)-rational l-isogenies from E |
trace fact. | int r | A factorization of the trace of Frobenius of \(E/\mathbb {F}_{p^r}\) |
isogeny neighbors | prime l | A number of roots of \(\Phi _l(j(E),x)\) where \(\Phi _l\) is the l-th modular polynomial |
q torsion | Torsion order of \(E'(\mathbb {Q})\) where \(E'\) is given by the same equation \(y^2=x^3+ax+b\) | |
hamming x | int k | A number of points on E with the Hamming weight of the x-coordinate equal to k |
square 4p-1 | The factorization of square-free parts of \(4p-1\) and \(4n-1\) where n is the order of the generator point of E | |
pow distance | The distances of n to the nearest power of 2 and multiples of 32 and 64 | |
multiples x | int k | The x-coordinate of \(\frac{1}{k}G\) |
x962 inv. | The value \(r = \frac{a^3}{b^2}\) | |
brainpool overlap | \(a_{160}-b_{-160}\) where \(a_{160}\) are the \(s-160\) rightmost bits of a and \(b_{-160}\) are the \(s-160\) leftmost bits of b | |
weierstrass | The parameters a, b |
Rights and permissions
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Sedlacek, V., Suchanek, V., Dufka, A., Sys, M., Matyas, V. (2022). DiSSECT: Distinguisher of Standard and Simulated Elliptic Curves via Traits. In: Batina, L., Daemen, J. (eds) Progress in Cryptology - AFRICACRYPT 2022. AFRICACRYPT 2022. Lecture Notes in Computer Science, vol 13503. Springer, Cham. https://doi.org/10.1007/978-3-031-17433-9_21
Download citation
DOI: https://doi.org/10.1007/978-3-031-17433-9_21
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-17432-2
Online ISBN: 978-3-031-17433-9
eBook Packages: Computer ScienceComputer Science (R0)