
I'm running into very contradictory opinions when trying to understand if weak elliptic curves exist. I'm not interested in the case when a curve's weakness is attributed to properties of an EC's prime, because those cases have been already explored, e.g. here: http://wstein.org/edu/2010/414/projects/novotney.pdf

I want to understand if there is a known proven weakness attributed to parameters a or b of a short Weierstrass equation.

Dan Brown introduced a hypothesis of "spectral weakness" here:

DJB went even further and dubbed curves with an unclear parameter generation method "manipulative" at http://safecurves.cr.yp.to/rigid.html

Both major and popular ECC standards such as NIST and Brainpool have a "verifiable random" requirement for the curve's parameters.

At the same time I've learned just yesterday that there is a strong opinion that "spectral weakness" (attributed to the parameters) doesn't exist (see comments to this blog: http://ogryb.blogspot.com/2014/11/why-i-dont-trust-nist-p-256.html).

If no weak curves have been discovered yet, how big is the threat of "spectral weakness"?

CodesInChaos
Oleg Gryb
  • Do you ask about prime curves specifically or about ECs in general (including binary extension field curves and such)? – SEJPM Oct 28 '15 at 20:25
  • @SEJPM prime only, since they are used the most in applications – Oleg Gryb Oct 28 '15 at 20:26
  • 1
    I think I've found a candidate property. If your curve has as many points as your field has elements then the ECDLP can be broken easily. The number of points is dictated by A and B. Other weak curves are the supersingular ones where you can use Index-Calculus for breaking ECDLP. – SEJPM Oct 28 '15 at 21:05
  • In addition to SEJPM: also curves with very low embedding degree. Even embedding degree one is possible. –  Oct 28 '15 at 21:11
  • @ECDLP Thanks for the link, however, I think this assumption: "EC includes all points" is very marginal and is attributed to the P's property itself, not only A and B. Probably I'm wrong. Is it possible to find A and B meeting this criterion for each P? – Oleg Gryb Oct 28 '15 at 22:41
  • 1
    Yes, it is possible to construct supersingular curves for all values of $p$. In particular, it is very easy if $p \equiv 2 \pmod 3$, then $Y^2 = X^3 + b$ is supersingular for all $b \not\equiv 0 \pmod p$. However, the probability that a randomly chosen curve is supersingular (or otherwise has low embedding degree) is very low. – fkraiem Oct 29 '15 at 16:07
  • Looks like a valid case then for the first part of my question, even though all standards would exclude supersingulars. Yes, it's not a good case for "spectral weakness", but it proves that weakness attributed to A and B does exist. – Oleg Gryb Oct 29 '15 at 16:39
  • Yes: CVE-2015-2613 / CVE-2015-7940 are examples of weak curves. – Kurt Oct 30 '15 at 04:09
  • 1
    @Kurt It's not a curve's weakness, it's a flaw in the implementation that doesn't check if a point is on the curve. All contemporary OpenSSL implementations do have this check, so what you're writing about is an Oracle specific problem only. – Oleg Gryb Oct 30 '15 at 06:17
  • 1
    @Oleg and BouncyCastle sadly. And probably others... – Kurt Oct 31 '15 at 15:07
  • 1
    @Kurt Ok, then it's not an Oracle's only problem, but it's still an implementation issue and not a curve's weakness. – Oleg Gryb Oct 31 '15 at 15:39

2 Answers


The following is more or less a copy-paste of a comment I made on the related ArsTechnica thread. Indeed, StackExchange is probably one of the better places to debate this.

A few reminders first:

  • there are approximately $p$ elliptic curves over the finite field of integers $\pmod{p}$;
  • of these curves, only those with (almost) prime order are of cryptographic interest (I will write only about prime order, for simplicity): there are approximately $p/\log p$ such curves;
  • among these prime curves, there are some known conditions which happen rarely and make the curve insecure;
  • the "Suite B" generation procedure is basically: pick some seed $\sigma$ (randomly or maliciously; assume that it is malicious), hash it with a cryptographic hash function (and more particularly, a preimage-resistant hash function), and derive curve parameters from this.

The largest class of "subtly weak" curves (with prime order) that we know is the set of supersingular curves, which has a size of about $\sqrt{p}$ and therefore a probability of occurrence of $1/\sqrt{p}$ (neglecting the logarithmic factor). So finding one via the Suite B generation procedure, even in the malicious case, should take about $\sqrt{p}$ tries - which, coincidentally, is exactly as long as solving ECDLP in the first place. (Besides, this class is easy to detect anyway, but that's not the point).

So any usable (by the NSA) class of weak curves would need to be much (= exponentially) larger than this; that is, much larger than all known classes of weak curves.

Then: if such a class exists, then how does the NSA exploit it? Because of hashing (assuming SHA-1 to be preimage-resistant, which seems plausible), they cannot have inserted backdoor info in the curve: any trap that they use is computable from the curve itself without knowing the seed $\sigma$. This means that such a backdoor is available to any good mathematician (no need to steal NSA secrets!).

So the Suite B curves can be considered as dangerous only if you believe all three following conditions:

  1. there exists a class of curves which is exponentially larger than all known classes of weak curves;
  2. NSA knew about this class 20 years ago, but nobody else has been able to discover it since then;
  3. they deliberately published, and use for themselves, a curve which they know to be weak to anybody else.

I personally do not believe either (2) or (3), and tend not to believe (1) either. This is why I still believe P-256 to be safe.

Actually, even the DUAL_EC_DRBG scandal makes a strong case that both the P-256 curve (vs. ECDLP) and SHA-1 (vs. preimage computation) are probably safe: if the NSA had had, at the time of the DUAL_EC_DRBG parameter generation, a means to either compute a SHA-1 preimage OR an elliptic curve discrete logarithm, then they would have been able to publish the seeds $\sigma_P, \sigma_Q$ for both points $P, Q$ while still knowing the discrete logarithm $\log(Q)/\log(P)$. They would have gained the same powers of prediction of the DRBG without leaving such a mess.

Of course, the preceding paragraph does not rule out that the whole DUAL_EC_DRBG scandal could have been deliberate misinformation from the NSA, and that Snowden could be a double agent. But this is leaving the crypto domain for the tinfoil-hat domain...

So why did NIST not use a verifiable method for generating the "Suite B" curves? Again, this is only borderline crypto, but my opinion on this is: nobody asked them to at the time, and it is only post-DUAL_EC_DRBG that we, the crypto community, have matured enough to require verifiability in all published parameters (which is a good thing, but does not mean by itself that P-256, or even worse, ECC in general, is broken!).

e-sushi
Circonflexe
  • Jerome, this is a great explanation that clarifies many things and please pardon me for being harsh @ blogpost. That reaction comes from a huge pain inflicted by all ECC uncertainties. I like your reasoning, especially in the two last paragraphs. Three conclusions that I make from this: (1) weak EC classes do exist, (2) brute forcing described by Dan Brown won't work since 'w' is too big (p^1/2) for known weak classes, (3) we still don't know if larger weak classes exist and more research is required. Please let me know if/where I'm wrong. I accept your answer. – Oleg Gryb Oct 29 '15 at 17:22
  • Regarding your condition 1. I can't see why an exponentially larger class would be required. A constant factor larger would have sufficed, if the objective was to backdoor e.g. P-256 only (or more generally, curves up to a certain size). – otus Oct 29 '15 at 17:48
  • @otus You need to be able to reach your class of weak curves. If this class contains $s$ curves, then (modeling SHA-1 as random) you need on average $(p/\log p)/s$ trials to land in the weak curves. For this to be $POLY(\log p)$, you need $s = p/POLY(\log p)$ (read this as "immensely huge"). The value I put in the answer was more generous, allowing the NSA to scan for instance a sub-exponential number of curves. – Circonflexe Oct 29 '15 at 18:16
  • 1
    @OlegGryb The answers you drew are correct. I also add that, for all the known weak classes of curves, it is always possible to test whether a curve is weak (or: it is impossible to produce a "trapped" curve). This is, of course, not necessarily true for the unknown weak classes. – Circonflexe Oct 29 '15 at 18:21
  • 1
    @Circonflexe, my point is that the amount of effort needed only matters for the practical curves you would want to make weak, even if it is asymptotically intractable. – otus Oct 29 '15 at 19:26
  • But then the constant you need is about $2^{128}$. Using the same size of constants, we could claim to solve ECDLP on P-256 in constant time. – Circonflexe Oct 29 '15 at 20:03
  • @Circonflexe Now when we're on the same page, almost, we should admit that "spectral weakness" does exist. It's just Dan's w is so big that complexity of bruteforcing is the same as that of ECDLP and is not practically doable. Not yet. BTW, all comments at blogger.com are gone. Do you know why? Is it Jerry or Google or both :) ? – Oleg Gryb Oct 30 '15 at 17:27
  • @Circonflexe I was thinking about this "any trap is computable from a curve itself". You mean any known trap, right? If it's unknown, having a seed is a perfect window dressing: look we used a seed and SHA1, thus our constant is not rigged. – Oleg Gryb Oct 31 '15 at 13:46
  • @Circonflexe: Plus vote for Snowden being a double agent! The notion that someone could expose NSA "secrets" publicly and not be killed in about two seconds is a hoot ! – William Hird Oct 31 '15 at 19:05
  • @William - LOL. You've made my day :) – Oleg Gryb Oct 31 '15 at 22:02
  • @OlegGryb I did remove my Blogger comments, since here is a better place to discuss the subject. Apparently it removed yours too. What I wrote does not imply that "spectral weakness" exists, on the contrary: I give numerical bounds for such a weakness, if it exists, to be useful, and show that these bounds are really very vast - so that it is extremely implausible that such a weakness exists. Plus, we know for certain that (Snowden is not a NSA agent) or (P-256 ECDLP was still safe from NSA in 2004) - the latter implies that no backdoor exists in the NIST standard from 2000. – Circonflexe Nov 02 '15 at 12:40
  • On the "SHA1 / trap" topic: I was actually writing about unknown traps. If they wanted to find a curve such that, say, some magic number was small enough, all they could do was trial-and-error; it was impossible to make the curve first, and then invert SHA-1 to find a corresponding seed. – Circonflexe Nov 02 '15 at 12:43
  • @Circonflexe "exists" and "exists to be useful" are different things. In your deleted comments it's the former. The fact that it exists in non-usable form now adds confidence that usable classes will be found in the future or have been already found by some in the past. It's not clear to me where 2004 and 2000 came from. Please publish your sources. – Oleg Gryb Nov 02 '15 at 13:19
  • @Circonflexe "curve first". It could've been a class first (like supersingulars) and then brute forcing. – Oleg Gryb Nov 02 '15 at 13:26
  • Addition to "found by some in the past". It's a fact that government knew about "heart bleed" for years and didn't tell anything to the public. – Oleg Gryb Nov 02 '15 at 13:58
  • @OlegGryb It's actually obvious. 2000=Suite B. 2004=DUAL_EC_DRBG. Also, "exists" and "exists to be useful" are the same in practice: I'm estimating the probability that the standards are trapped, which implies that a vulnerability exists and the NSA found such a curve. A vulnerability which is impossible to find is considered as a non-threat in crypto (after all, with the same computational cost, you might as well solve ECDLP directly). Also, since you are (deliberately?) being dense and misunderstanding everything on this topic, I will stop commenting. Remove tin-foil hat please. – Circonflexe Nov 03 '15 at 08:16
  • 2
    @Circonflexe I believe the number of Elliptic Curves defined in $\mathbb{F}_p$ is about $2p$ not $p$. This is due to the fact that there are $p$ possible j-invariant and two curves per j-invariant (I'm considering here the non-trivial quadratic twist). The situation is different for j-invariant 0 and 1728, plus the trace of Frobenius could be zero but I think we can say it is "approximately $2p$". Am I missing something ? – Ruggero Nov 03 '15 at 12:41
  • @Circonflexe That's fine, don't comment, but at least read and try not to complain to a moderator, as you did @ blogger. This is what your head's tin-foil doesn't allow you to comprehend: (a) There is nothing about practical exploitability in my qs (b) There is nothing about exploitability in your deleted comments either. Your previous statement was: "it doesn't exist" and this is what I was trying to explore at this forum. (c) It turned out that it does exist. You knew it of course, but didn't mention supersingulars at blogger. – Oleg Gryb Nov 03 '15 at 18:39
  • @Circonflexe (d) I do realize that the fact that it exists doesn't prove anything, but it makes DJB's "manipulative" and Dan Brown's brute forcing hypothesis more plausible. If cryptography should not consider something that is "impossible to find" then DJB and Dan Brown are not cryptographers. Please understand that CRFG and you personally are in deep doo-doo after the DUAL_EC scandal and stop giving your advice about tin-foils, fear mongering, etc. – Oleg Gryb Nov 03 '15 at 18:42
  • Instead of that, analyze the reasons why the crypto community has failed, apologize to the people who relied on your judgement and tell us why it will never ever happen again. Only after that I will consider taking my tin-foil off. – Oleg Gryb Nov 03 '15 at 18:42

The assumption that the second pre-image property is to be used here might be wrong. Using the possibility of alternate representations of a given weak curve (using the mapping from the $a,b$ to the $a',b'$ curve), one could compute many seed $a/b$ values following FIPS, with many $a'/b'$ target weak curves, to search for a single collision from the seed set to the target weak ECC set. A $2^{80}$ time-memory tradeoff may be reachable today. While it was certainly not the case 20 years ago, keeping SHA1 in the FIPS 186-5 draft for the ECC parameter generation is not reasonable.

kelalaka
Reno