Re: [Cfrg] 512-bit twisted Edwards curve and curve generation methods in Russian standardization

Tony Arcieri <> Wed, 28 January 2015 17:22 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 24BD31A884E for <>; Wed, 28 Jan 2015 09:22:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 4Bfic2N_LEwZ for <>; Wed, 28 Jan 2015 09:22:37 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4003:c01::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 514351A8842 for <>; Wed, 28 Jan 2015 09:22:37 -0800 (PST)
Received: by with SMTP id wp4so20429198obc.6 for <>; Wed, 28 Jan 2015 09:22:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=cUPHbI3WGminLEGTUEO9bQ+Aj875GSKWw4YrlSRUH+I=; b=v6NRL35Z2D57nvLq2xjO1kPEYnFrrrFt4/HybkT2xXVRLbOBYn9pYYRFsv9DM8GoIQ yD6c8LMTs2NDS13No990izeuyfGtN6hUWoWb5UPnE33eYjnW5oLyZGT60YlPGcIHfOSU asjhkl5zLZN0CGoo9PQ7t97FCkO8st/THGmONHSbto2H1kRZoiwJAm7yuT3l70WjCMpa Mo+YnIJxMGgrjCifHcnLhxrv/I/H3zDvto7keLjeKBzd0uOscmOdoGz6vq2wCDrEro0o N8wNOgO4KHBqHF25aCF8y+nv82xjYDCnouB6MmMZLfzRivAOcUVS58Zi6huRaY9kzNo0 7n+A==
X-Received: by with SMTP id oh7mr2831015obb.47.1422465756433; Wed, 28 Jan 2015 09:22:36 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Wed, 28 Jan 2015 09:22:16 -0800 (PST)
In-Reply-To: <>
References: <> <> <>
From: Tony Arcieri <>
Date: Wed, 28 Jan 2015 09:22:16 -0800
Message-ID: <>
To: "Stanislav V. Smyshlyaev" <>
Content-Type: multipart/alternative; boundary="089e011778e71e15b3050db99e01"
Archived-At: <>
Cc: "" <>
Subject: Re: [Cfrg] 512-bit twisted Edwards curve and curve generation methods in Russian standardization
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 28 Jan 2015 17:22:39 -0000

On Wed, Jan 28, 2015 at 6:14 AM, Stanislav V. Smyshlyaev <>

> As we believe (and as it has been mentioned earlier during discussion at
> CFRG), the initital seed value doesn't have to be chosen explicitly in case
> of trust in basic hash function properties – to gain some "backdoor-type"
> properties of the curve with d = hash(W), one has either to combine such
> algebraic properties of a curve with properties of a hash function (for a
> trivial example, to have an ability to obtain a hash preimage) or to choose
> a very probable "backdoor-type" property of a curve (such that it is
> possible to obtain by random choice of a curve).

Hi Stanislav,

Dan Bernstein and Tanja Lange have already demonstrated that such
"verifiably random" generation procedures can be used to surreptitiously
tweak specific curve parameters:

I for one would not feel particularly inclined to trust a curve generated
with this method, and would personally prefer the sort of rigid curve
generation approach that this committee and others have been working on to
any curve with large unexplained mystery constants.

Tony Arcieri