SafeCurves: Choosing Safe Curves for Elliptic-Curve Cryptography

Presented at ShmooCon X (2014), Jan. 18, 2014, noon (60 minutes)

There are several different standards covering selection of curves for use in elliptic-curve cryptography (ECC). Each of these standards tries to ensure that the elliptic-curve discrete-logarithm problem (ECDLP) is difficult. ECDLP is the problem of finding an ECC user's secret key, given the user's public key. Unfortunately, there is a gap between ECDLP difficulty and ECC security. None of these standards do a good job of ensuring ECC security. There are many attacks that break real-world ECC without solving ECDLP. The core problem is that if you implement the standard curves, chances are you're doing it wrong: * Your implementation produces incorrect results for some rare curve points. * Your implementation leaks secret data when the input isn't a curve point. * Your implementation leaks secret data through branch timing. * Your implementation leaks secret data through cache timing. These problems are exploitable by real attackers, taking advantage of the gaps between ECDLP and real-world ECC. Secure implementations of the standard curves are theoretically possible but very hard. Most of these attacks would have been ruled out by better choices of curves that allow simple implementations to be secure implementations. This is the primary motivation for SafeCurves, The SafeCurves criteria are designed to ensure ECC security, not just ECDLP security.


  • Tanja Lange
    We've done some other things in crypto as well.
  • Daniel J. Bernstein
    We're researchers in both constructive and destructive aspects of elliptic-curve cryptography. We started issuing warnings about the security dangers of the NIST elliptic curves before it became fashionable to do so. We've proposed alternatives that are faster and stronger, including Curve25519, Ed25519, and Curve3617. Curve25519 is now the go-to alternative curve for people wanting speed and implementation security; it's also not tainted by NIST/NSA. In 2007 we pointed out that Edwards curves are faster and easier to implement securely than standard Weierstrass curves. Edwards curves are also mathematically simpler, allowing a much friendlier introduction to ECC.

Similar Presentations: