SafeCurves:
choosing safe curves for elliptic-curve cryptography



References

Accredited Standards Committee X9. "American National Standard X9.62-1999, Public key cryptography for the financial services industry: the elliptic curve digital signature algorithm (ECDSA)." 1999. Preliminary draft at http://grouper.ieee.org/groups/1363/Research/Other.html

Accredited Standards Committee X9. "American National Standard X9.63-2001, Public key cryptography for the financial services industry: key agreement and key transport using elliptic curve cryptography." 2001. Preliminary draft (1999) at http://grouper.ieee.org/groups/1363/Research/Other.html

Accredited Standards Committee X9. "American National Standard X9.62-2005, Public key cryptography for the financial services industry: the elliptic curve digital signature algorithm (ECDSA)." 2005.

Agence nationale de la sécurité des systèmes d'information. "Publication d'un paramétrage de courbe elliptique visant des applications de passeport électronique et de l'administration électronique française" [Publication of an elliptic-curve parameter set intended for electronic-passport applications and French e-government]. 21 November 2011. http://www.ssi.gouv.fr/fr/anssi/publications/publications-scientifiques/autres-publications/publication-d-un-parametrage-de-courbe-elliptique-visant-des-applications-de.html

Diego F. Aranha, Paulo S. L. M. Barreto, Geovandro C. C. F. Pereira, Jefferson Ricardini. "A note on high-security general-purpose elliptic curves." 2013. https://eprint.iacr.org/2013/647

Daniel V. Bailey, Lejla Batina, Daniel J. Bernstein, Peter Birkner, Joppe W. Bos, Hsieh-Chung Chen, Chen-Mou Cheng, Gauthier Van Damme, Giacomo de Meulenaer, Luis Julian Dominguez Perez, Junfeng Fan, Tim Güneysu, Frank Gürkaynak, Thorsten Kleinjung, Tanja Lange, Nele Mentens, Ruben Niederhagen, Christof Paar, Francesco Regazzoni, Peter Schwabe, Leif Uhsadel, Anthony Van Herrewege, Bo-Yin Yang. "Breaking ECC2K-130." 2009. https://eprint.iacr.org/2009/541

R. Balasubramanian, Neal Koblitz. "The improbability that an elliptic curve has subexponential discrete log problem under the Menezes-Okamoto-Vanstone algorithm." Journal of Cryptology 11 (1998), 141–145. http://citeseerx.ist.psu.edu/showciting?cid=256443

Paulo S. L. M. Barreto, Michael Naehrig. "Pairing-friendly elliptic curves of prime order." Pages 319–331 in: Selected Areas in Cryptography–SAC 2005, Lecture Notes in Computer Science 3897, Springer, 2006. https://eprint.iacr.org/2005/133

Daniel J. Bernstein. "A software implementation of NIST P-224." October 2001. https://cr.yp.to/talks.html#2001.10.29

Daniel J. Bernstein. "Re: Current consensus on ECC." November 2001. https://groups.google.com/forum/message/raw?msg=sci.crypt/mu_paShEU3w/m491pYxHbtAJ

Daniel J. Bernstein. "Curve25519: new Diffie-Hellman speed records." Pages 207–228 in: Public key cryptography—PKC 2006, 9th international conference on theory and practice in public-key cryptography, New York, NY, USA, April 24–26, 2006, proceedings, edited by Moti Yung, Yevgeniy Dodis, Aggelos Kiayias, and Tal Malkin. Lecture Notes in Computer Science 3958, Springer, 2006. ISBN 3-540-33851-9. https://cr.yp.to/papers.html#curve25519

Daniel J. Bernstein. "Can we avoid tests for zero in fast elliptic-curve arithmetic?" 2006. https://cr.yp.to/papers.html#curvezero

Daniel J. Bernstein, Peter Birkner, Marc Joye, Tanja Lange, Christiane Peters. "Twisted Edwards curves." Pages 389–405 in: Progress in cryptology—AFRICACRYPT 2008, first international conference on cryptology in Africa, Casablanca, Morocco, June 11–14, 2008, proceedings, edited by Serge Vaudenay, Lecture Notes in Computer Science 5023, Springer, 2008. ISBN 978-3-540-68159-5. https://eprint.iacr.org/2008/013

Daniel J. Bernstein, Mike Hamburg, Anna Krasnova, Tanja Lange. "Elligator: Elliptic-curve points indistinguishable from uniform random strings." ACM Conference on Computer and Communications Security 2013. https://eprint.iacr.org/2013/325

Daniel J. Bernstein, Tanja Lange. "Faster addition and doubling on elliptic curves." Pages 29–50 in: Advances in cryptology—ASIACRYPT 2007, 13th international conference on the theory and application of cryptology and information security, Kuching, Malaysia, December 2–6, 2007, proceedings, edited by Kaoru Kurosawa. Lecture Notes in Computer Science 4833, Springer, 2007. ISBN 978-3-540-76899-9. https://eprint.iacr.org/2007/286 and https://cr.yp.to/newelliptic/newelliptic.html

Daniel J. Bernstein, Tanja Lange. "Two grumpy giants and a baby." Algorithmic Number Theory Symposium 2012. https://cr.yp.to/papers.html#grumpy

Daniel J. Bernstein, Tanja Lange. "Computing small discrete logarithms faster." Pages 317–338 in: Progress in cryptology—INDOCRYPT 2012, 13th international conference on cryptology in India, Kolkata, India, December 9–12, 2012, proceedings, edited by Steven D. Galbraith and Mridul Nandi, Lecture Notes in Computer Science 7668, Springer, 2012. ISBN 978-3-642-34930-0. https://eprint.iacr.org/2012/458

Daniel J. Bernstein, Tanja Lange. "Security dangers of the NIST curves." May 2013. https://cr.yp.to/talks/2013.05.31/slides-dan+tanja-20130531-4x3.pdf

Daniel J. Bernstein, Tanja Lange. "Security dangers of the NIST curves." September 2013. https://cr.yp.to/talks/2013.09.16/slides-djb-20130916-a4.pdf

Daniel J. Bernstein, Tanja Lange, Peter Schwabe. "On the correct use of the negation map in the Pollard rho method." Pages 128–146 in: Public key cryptography—PKC 2011—14th international conference on practice and theory in public key cryptography, Taormina, Italy, March 6–9, 2011, proceedings, edited by Dario Catalano, Nelly Fazio, Rosario Gennaro, and Antonio Nicolosi, Lecture Notes in Computer Science 6571, Springer, 2011. ISBN 978-3-642-19378-1. https://eprint.iacr.org/2011/003

Ingrid Biehl, Bernd Meyer, Volker Müller. "Differential fault attacks on elliptic curve cryptosystems (extended abstract)." Pages 131–146 in: Advances in cryptology—Crypto 2000, Lecture Notes in Computer Science 1880, Springer, 2000. http://lecturer.ukdw.ac.id/vmueller/publications.php

Colin Boyd, Paul Montague, Khanh Quoc Nguyen. "Elliptic curve based password authenticated key exchange protocols." Pages 487–501 in: ACISP 2001.

Joppe W. Bos, Marcelo E. Kaihara, Peter L. Montgomery. "Pollard rho on the PlayStation 3." Pages 35–50 in: Workshop record of SHARCS'09. 2009. https://www.hyperelliptic.org/tanja/SHARCS/record2.pdf

Joppe W. Bos, Thorsten Kleinjung, Arjen K. Lenstra. "On the use of the negation map in the Pollard rho method." Pages 66–82 in: Algorithmic Number Theory Symposium 2010. http://infoscience.epfl.ch/record/164553/files/NPDF-45.pdf

Eric Brier, Marc Joye. "Weierstraß elliptic curves and side-channel attacks." Pages 335–345 in: Public key cryptography—PKC 2002, Lecture Notes in Computer Science 2274, Springer, 2002.

Certicom Research. "SEC 2: Recommended Elliptic Curve Domain Parameters, Version 1.0." September 20, 2000. Local copy of http://www.secg.org/SEC2-Ver-1.0.pdf, which keeps moving.

Certicom Research. "SEC 2: Recommended Elliptic Curve Domain Parameters, Version 2.0." January 27, 2010. Local copy of http://www.secg.org/sec2-v2.pdf, which keeps moving.

Committee on National Security Systems. "National information assurance policy on the use of public standards for the secure sharing of information among national security systems." 1 October 2012. https://www.cnss.gov/Assets/pdf/CNSSP_No%2015_minorUpdate1_Oct12012.pdf

Iwan M. Duursma, Pierrick Gaudry, François Morain. "Speeding up the discrete log computation on curves with automorphisms." Pages 103–121 in: Advances in cryptology—ASIACRYPT '99, international conference on the theory and applications of cryptology and information security, Singapore, November 14–18, 1999, proceedings, edited by Kwok-Yan Lam, Eiji Okamoto, Chaoping Xing. Lecture Notes in Computer Science 1716, Springer, 1999. http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.45.1383

ECC Brainpool. "ECC Brainpool standard curves and curve generation." October 2005. http://www.ecc-brainpool.org/download/Domain-parameters.pdf

Harold M. Edwards. "A normal form for elliptic curves." Bulletin of the American Mathematical Society 44 (July 2007), 393–422. http://www.ams.org/bull/2007-44-03/S0273-0979-07-01153-6/home.html

Adrian Escott. "Implementing a parallel Pollard rho attack on ECC." 1998. http://www.cacr.math.uwaterloo.ca/conferences/1998/ecc98/escott.ps

Pierre-Alain Fouque, Reinald Lercier, Denis Réal, Frédéric Valette. "Fault attack on elliptic curve with Montgomery ladder." Pages 92–98 in: FDTC '08, IEEE, 2008. http://www.di.ens.fr/~fouque/pub/fdtc08.pdf

Gerhard Frey. "How to disguise an elliptic curve." 1998. http://cacr.math.uwaterloo.ca/conferences/1998/ecc98/slides.html

Gerhard Frey, Hans-Georg Rück. "A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves." Mathematics of Computation 62 (1994), 865–874. ISSN 0025-5718. MR 94h:11056. http://exp-math.uni-essen.de/zahlentheorie/preprints2/DISCLOG.pdf

Pierrick Gaudry, Florian Hess, Nigel Smart. "Constructive and destructive facets of Weil descent on elliptic curves." Journal of Cryptology 15 (2002), 19–46. http://www.hpl.hp.com/techreports/2000/HPL-2000-10.html

Pierrick Gaudry. "Index calculus for abelian varieties of small dimension and the elliptic curve discrete logarithm problem." Journal of Symbolic Computation 44 (2009), 1690–1702. https://eprint.iacr.org/2004/073

Ryuichi Harasawa, Junji Shikata, Joe Suzuki, Hideki Imai. "Comparing the MOV and FR reductions in elliptic curve cryptography." Pages 190–205 in: Advances in cryptology—EUROCRYPT '99 (Prague), proceedings, Lecture Notes in Computer Science 1592, Springer, 1999.

Hüseyin Hisil, Kenneth Koon-Ho Wong, Gary Carter, Ed Dawson. "Twisted Edwards curves revisited." Pages 326–343 in: Advances in cryptology—ASIACRYPT 2008, 14th international conference on the theory and application of cryptology and information security, Melbourne, Australia, December 7–11, 2008. Lecture Notes in Computer Science 5350, Springer, 2008. https://eprint.iacr.org/2008/522

Yvonne Hitchcock, Paul Montague, Gary Carter, Ed Dawson. "The efficiency of solving multiple discrete logarithm problems and the implications for the security of fixed elliptic curves." International Journal of Information Security 3 (2004), 86–98.

Institute of Electrical and Electronics Engineers. "IEEE 1363-2000: Standard specifications for public key cryptography." Preliminary draft at http://grouper.ieee.org/groups/1363/P1363/draft.html

Tetsuya Izu, Tsuyoshi Takagi. "Exceptional procedure attack on elliptic curve cryptosystems." Pages 224–239 in: Public key cryptography—PKC 2003, 6th international workshop on theory and practice in public key cryptography, Miami, FL, USA, January 6–8, 2003, proceedings, Lecture Notes in Computer Science 2567, Springer, 2003.

Burton S. Kaliski Jr. "A pseudo-random bit generator based on elliptic logarithms." Pages 84–103 in: Advances in cryptology—CRYPTO '86, Santa Barbara, California, USA, 1986, proceedings. Lecture Notes in Computer Science 263, Springer, 1986.

Burton S. Kaliski Jr. "Elliptic curves and cryptography: a pseudorandom bit generator and other tools." Ph.D. thesis, MIT, MIT/LCS/TR-411, 1988.

Ann Hibner Koblitz, Neal Koblitz, Alfred Menezes. "Elliptic curve cryptography: the serpentine course of a paradigm shift." Journal of Number Theory 131 (2011), 781–814. http://cacr.uwaterloo.ca/~ajmeneze/anotherlook/serpentine.shtml

Fabian Kuhn, Rene Struik. "Random walks revisited: extensions of Pollard's rho algorithm for computing multiple discrete logarithms." Pages 212–229 in: SAC 2001. http://www.distcomp.ethz.ch/publications.html

Hyung Tae Lee, Jung Hee Cheon, Jin Hong. "Accelerating ID-based encryption based on trapdoor DL using pre-computation." 2011. https://eprint.iacr.org/2011/187

Chae Hoon Lim, Pil Joong Lee. "A key recovery attack on discrete log-based schemes using a prime order subgroup." Pages 249–263 in: Advances in cryptology—CRYPTO '97: 17th annual international cryptology conference, Santa Barbara, California, USA, August 17–21, 1997, proceedings. Lecture Notes in Computer Science 1294. Springer, 1997. http://dasan.sejong.ac.kr/~chlim/english_pub.html

Alfred J. Menezes, Tatsuaki Okamoto, Scott A. Vanstone. "Reducing elliptic curve logarithms to logarithms in a finite field." IEEE Transactions on Information Theory 39 (1993), 1639–1646. MR 95e:94038. http://www-rcf.usc.edu/~mdhuang/cs599/MOV.pdf

Peter L. Montgomery. "Speeding the Pollard and elliptic curve methods of factorization." Mathematics of Computation 48 (1987), 243–264. ISSN 0025-5718. MR 88e:11130. http://www.ams.org/journals/mcom/1987-48-177/S0025-5718-1987-0866113-7/S0025-5718-1987-0866113-7.pdf

National Institute of Standards and Technology. "Digital signature standard." Federal Information Processing Standards Publication 186-2. 2000. http://csrc.nist.gov/publications/fips/archive/fips186-2/fips186-2.pdf

Geovandro C. C. F. Pereira, Marcos A. Simplicio Jr, Michael Naehrig, Paulo S. L. M. Barreto. "A family of implementation-friendly BN elliptic curves." Journal of Systems and Software 84 (2011), 1319–1326. https://eprint.iacr.org/2010/429

Christophe Petit, Jean-Jacques Quisquater. "On polynomial systems arising from a Weil descent." Pages 451–466 in: ASIACRYPT 2012. https://eprint.iacr.org/2012/146

John M. Pollard. "Monte Carlo methods for index computation mod p." Mathematics of Computation 32 (1978), 918–924. ISSN 0025-5718. MR 58:10684. http://www.ams.org/journals/mcom/1978-32-143/S0025-5718-1978-0491431-9/S0025-5718-1978-0491431-9.pdf

Takakazu Satoh, Kiyomichi Araki. "Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves." Commentarii Mathematici Universitatis Sancti Pauli 47 (1998), 81–92.

Bruce Schneier. "How to remain secure against the NSA." September 15, 2013. https://www.schneier.com/blog/archives/2013/09/how_to_remain_s.html

Michael Scott. "Re: NIST annouces [sic] set of Elliptic Curves." 1999. https://groups.google.com/forum/message/raw?msg=sci.crypt/mFMukSsORmI/FpbHDQ6hM_MJ

Igor A. Semaev. "On the computation of logarithms on elliptic curves." Discrete Mathematics and Applications 6 (1996), 69–76. ISSN 0924-9265.

Igor A. Semaev. "Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p." Mathematics of Computation 67 (1998), 353–356. http://www.ams.org/journals/mcom/1998-67-221/S0025-5718-98-00887-4/S0025-5718-98-00887-4.pdf

Nigel P. Smart. "The discrete logarithm problem on elliptic curves of trace one." Journal of Cryptology 12 (1999), 193–196. http://www.hpl.hp.com/techreports/97/HPL-97-128.pdf

William Stein (editor). "Sage mathematics software (version 5.10)." The Sage Group. 2013. http://www.sagemath.org

Edlyn Teske. "On random walks for Pollard's rho method." Mathematics of Computation 70 (2001), 809–825. ISSN 0025-5718. http://www.ams.org/journals/mcom/2001-70-234/S0025-5718-00-01213-8/S0025-5718-00-01213-8.pdf

Paul C. van Oorschot, Michael Wiener. "Parallel collision search with cryptanalytic applications." Journal of Cryptology 12 (1999), 1–28. ISSN 0933-2790. http://members.rogers.com/paulv/papers/pubs.html

Michael J. Wiener, Robert J. Zuccherato. "Faster attacks on elliptic curve cryptosystems." 1998. http://grouper.ieee.org/groups/1363/Research/contributions/attackEC.ps

Michael J. Wiener, Robert J. Zuccherato. "Faster attacks on elliptic curve cryptosystems." Pages 190–200 in: Selected areas in cryptography—SAC '98, edited by Stafford Tavares and Henk Meijer, Lecture Notes in Computer Science 1556, Springer, 1999.


Version: This is version 2018.05.22 of the refs.html web page.