[Cryptography] "How to manipulate curve standards: a white paper for the black hat"

[Peter Gutmann]

  http://eprint.iacr.org/2014/571
  
  How to manipulate curve standards: a white paper for the black hat

  Daniel J. Bernstein and Tung Chou and Chitchanok Chuengsatiansup and Andreas
  H\"ulsing and Tanja Lange and Ruben Niederhagen and Christine van Vredendaal

  Abstract: This paper analyzes the cost of breaking ECC under the following
  assumptions: (1) ECC is using a standardized elliptic curve that was
  actually chosen by an attacker; (2) the attacker is aware of a vulnerability
  in some curves that are not publicly known to be vulnerable.

  This cost includes the cost of exploiting the vulnerability, but also the
  initial cost of computing a curve suitable for sabotaging the standard. This
  initial cost depends upon the acceptability criteria used by the public to
  decide whether to allow a curve as a standard, and (in most cases) also upon
  the chance of a curve being vulnerable.

  This paper shows the importance of accurately modeling the actual
  acceptability criteria: i.e., figuring out what the public can be fooled
  into accepting. For example, this paper shows that plausible models of the
  “Brainpool acceptability criteria” allow the attacker to target a one-in-a-
  million vulnerability.

Peter.