Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation

Merkle, Johannes; Lochter, Manfred

doi:10.17487/rfc5639

Cited by 78 publications

(67 citation statements)

References 1 publication

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…However, for the moment the method from [34] can be used if one is willing to settle for partially personalized parameters: the finite field and thus the elliptic curve group cardinality are still fully personalized and unpredictable to any third party, but not more than eight choices are available for the Weierstrass equation used for the curve parameterization. Although the resulting parameters are not in compliance with the security criteria adopted by [9] and implied by [39], we point out that there is no indication whatsoever that either of these eight choices offers inadequate security: citing [9] "there is no evidence of serious problems". The choice is between being vulnerable to as yet unknown attacks -as virtually all cryptographic systems are -or being vulnerable to attacks aimed at others by sharing parameters, on top of trusting choices made by others.…”

Section: Introductionmentioning

confidence: 90%

“…The seven Brainpool curves [39] at seven security levels from 80-bit to 256-bit revert to the verifiably pseudo random approach from [16], while improving it and thereby making it harder to target specific curve properties (but see [6]). The primes p have no special form (except that they are 3 mod 4) and are deterministically determined as a function of a seed that is chosen in a uniform manner based on the binary expansion of π = 3.14159 .…”

Section: Preliminariesmentioning

confidence: 99%

“…A variety of ECC parameters has been proposed or standardized [58,16,17,5,1,39,13,9], with or without all kinds of properties that are felt to be desirable or undesirable, and as reviewed in Section 2. All these proposals and standards contain a fixed number of possible ECC parameter choices.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Efficient Ephemeral Elliptic Curve Cryptographic Keys

Miele

Lenstra

2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. We show how any pair of authenticated users can on-the-fly agree on an elliptic curve group that is unique to their communication session, unpredictable to outside observers, and secure against known attacks. Our proposal is suitable for deployment on constrained devices such as smartphones, allowing them to efficiently generate ephemeral parameters that are unique to any single cryptographic application such as symmetric key agreement. For such applications it thus offers an alternative to long term usage of standardized or otherwise pre-generated elliptic curve parameters, obtaining security against cryptographic attacks aimed at other users, and eliminating the need to trust elliptic curves generated by third parties.

show abstract

Section: Introductionmentioning

confidence: 90%

Section: Preliminariesmentioning

confidence: 99%

See 1 more Smart Citation

Efficient Ephemeral Elliptic Curve Cryptographic Keys

Miele

Lenstra

2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…The built-in domain parameters are from ECC-Brainpool [20]. We analyzed the implementation for brainpoolP384r1.…”

Section: Description Of the Implementationmentioning

confidence: 99%

Using Bleichenbacher”s Solution to the Hidden Number Problem to Attack Nonce Leaks in 384-Bit ECDSA

Mulder¹,

Hutter

Marson³

et al. 2013

Cryptographic Hardware and Embedded Systems - CHES 2013

View full text Add to dashboard Cite

Abstract. In this paper we describe an attack against nonce leaks in 384-bit ECDSA using an FFT-based attack due to Bleichenbacher. The signatures were computed by a modern smart card. We extracted the low-order bits of each nonce using a template-based power analysis attack against the modular inversion of the nonce. We also developed a BKZ-based method for the range reduction phase of the attack, as it was impractical to collect enough signatures for the collision searches originally used by Bleichenbacher. We confirmed our attack by extracting the entire signing key using a 5-bit nonce leak from 4 000 signatures.

show abstract

“…But it crucially relies on the existence of an injective encoding ι, only a few examples of which are known [13,17,6], all of them for elliptic curves of non-prime order over large characteristic fields. This makes the method inapplicable to implementations based on curves of prime order or on binary fields, which rules out most standardized ECC parameters [15,11,22,1], in particular. Moreover, the rejection sampling involved (when a point P is picked outside ι(S), the protocol has to start over) can impose a significant performance penalty.…”

Section: Introductionmentioning

confidence: 99%

Binary Elligator Squared

Aranha

Fouque

Qian

et al. 2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Applications of elliptic curve cryptography to anonymity, privacy and censorship circumvention call for methods to represent uniformly random points on elliptic curves as uniformly random bit strings, so that, for example, ECC network traffic can masquerade as random traffic.At ACM CCS 2013, Bernstein et al. proposed an efficient approach, called "Elligator," to solving this problem for arbitrary elliptic curve-based cryptographic protocols, based on the use of efficiently invertible maps to elliptic curves. Unfortunately, such invertible maps are only known to exist for certain classes of curves, excluding in particular curves of prime order and curves over binary fields. A variant of this approach, "Elligator Squared," was later proposed by Tibouchi (FC 2014) supporting not necessarily injective encodings to elliptic curves (and hence a much larger class of curves), but, although some rough efficiency estimates were provided, it was not clear how an actual implementation of that approach would perform in practice.In this paper, we show that Elligator Squared can indeed be implemented very efficiently with a suitable choice of curve encodings. More precisely, we consider the binary curve setting (which was not discussed in Tibouchi's paper), and implement the Elligator Squared bit string representation algorithm based on a suitably optimized version of the Shallue-van de Woestijne characteristic 2 encoding, which we show can be computed using only multiplications, trace and half-trace computations, and a few inversions.On the fast binary curve of Oliveira et al. (CHES 2013), our implementation runs in an average of only 22850 Haswell cycles, making uniform bit string representations possible for a very reasonable overhead-much smaller even than Elligator on Edwards curves.As a side contribution, we also compare implementations of Elligator and Elligator Squared on a curve supported by Elligator, namely Curve25519. We find that generating a random point and its uniform bitstring representation is around 35-40% faster with Elligator for protocols using a fixed base point (such as static ECDH), but 30-35% faster with Elligator Squared in the case of a variable base point (such as ElGamal encryption). Both are significantly slower than our binary curve implementation.

show abstract

Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation

Cited by 78 publications

References 1 publication

Efficient Ephemeral Elliptic Curve Cryptographic Keys

Efficient Ephemeral Elliptic Curve Cryptographic Keys

Using Bleichenbacher”s Solution to the Hidden Number Problem to Attack Nonce Leaks in 384-Bit ECDSA

Binary Elligator Squared

Contact Info

Product

Resources

About