As a fix for the problems with the Brainpool curves, the BADA55 Research Team has generated a new and improved verifiably pseudorandom 224-bit curve, BADA55-VPR-224. BADA55-VPR-224 uses the standard NIST P-224 prime, with a simpler, more natural curve-generation procedure than Brainpool.
To avoid Brainpool's complications of concatenating hash outputs, BADA55-VPR-224 upgrades from the deprecated SHA-1 hash function to the state-of-the-art maximum-security SHA3-512 hash function. It also upgrades to requiring maximum twist security: i.e., both the cofactor and the twist cofactor are required to be 1. Note that twist security was not a design criterion for the Brainpool curves: the twist-security level of, e.g., the 256-bit Brainpool curve is so low as to make that curve exploitable in practice.
Brainpool already generates seeds using exp(1) = e and generates primes using arctan(1) = π/4, and MD5 already uses sin(1), so BADA55-VPR-224 uses cos(1). BADA55-VPR-224 eliminates Brainpool's contrived, complicated search pattern for A (which even the Brainpool standard didn't get right); BADA55-VPR-224 simply counts upwards, deterministically trying every seed for A, until finding the first secure (A,B). The full 160-bit seed for A is the 32-bit counter followed by cos(1). BADA55-VPR-224 complements this seed to obtain the seed for B, ensuring maximal difference between the two seeds.
Verification scripts for BADA55-VPR-224:
- vpr1slow.sage is a simple, systematic, deterministic procedure to generate the curve.
- vpr1.sage is another systematic, deterministic procedure to generate the same curve. It's slightly more complicated but much faster.
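The seed layout described above, as an added Python sketch (not the BADA55 team's Sage scripts): it builds the 160-bit seed for A from a 32-bit counter and cos(1), complements it to get the seed for B, and hashes both with SHA3-512. Assumptions not stated on this page: the counter is big-endian, cos(1) is encoded as floor(cos(1)·256^16), and each digest is read as a big-endian integer reduced modulo the P-224 prime. The cofactor and twist-cofactor checks need point counting and are not reproduced here.

```python
import hashlib
from fractions import Fraction

# NIST P-224 prime: 2^224 - 2^96 + 1
P224 = 2**224 - 2**96 + 1

def cos1_bytes(nbytes=16):
    """Assumed encoding of cos(1): floor(cos(1) * 256^nbytes), big-endian."""
    # Exact rational Taylor series; 40 terms leave an error far below 2^-128.
    total, term = Fraction(0), Fraction(1)
    for k in range(40):
        total += term
        term *= Fraction(-1, (2 * k + 1) * (2 * k + 2))
    return (total.numerator * 256**nbytes // total.denominator).to_bytes(nbytes, "big")

def seed_a(counter):
    """160-bit seed for A: 32-bit counter followed by 128 bits of cos(1)."""
    return counter.to_bytes(4, "big") + cos1_bytes(16)

def seed_b(counter):
    """Seed for B: bitwise complement of the seed for A."""
    return bytes(b ^ 0xFF for b in seed_a(counter))

def coefficient(seed):
    """Assumed mapping: SHA3-512 digest as an integer, reduced mod p."""
    return int.from_bytes(hashlib.sha3_512(seed).digest(), "big") % P224

def candidate(counter):
    """Candidate (A, B) for one counter value, before any security test."""
    return coefficient(seed_a(counter)), coefficient(seed_b(counter))

def hex_contains(value, pattern="BADA55"):
    """True if the 56-digit hex expansion of value contains pattern."""
    return pattern in format(value, "056X")

if __name__ == "__main__":
    for c in range(3):  # constructed sample counters
        A, B = candidate(c)
        print(f"{c:08X} A={A:056X} BADA55 in A: {hex_contains(A)}")
```
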
After the announcement of BADA55-VPR-224, Johannes Merkle objected to the use of cos(1): "Pi and e are by far the most prominent mathematical constants, while cosinus(1) ... is quite arbitrarily chosen." The BADA55 Research Team therefore generated a new curve BADA55-VPR2-224 using exp(1) for its seed.
Verification scripts for BADA55-VPR2-224:
Amazing fact: BADA55-VPR-224 and BADA55-VPR2-224, despite being "verifiably pseudorandom", each contain "BADA55" in the hexadecimal expansion of A, a property that occurs with probability approximately 1/2^17. Quelle surprise!
These curves are actually illustrations of the flexibility allowed in "verifiably pseudorandom" curves. The BADA55 Research Team generated approximately 2^20 "verifiably pseudorandom" curves modulo the NIST P-224 prime, and found several "BADA55" curves, including BADA55-VPR-224 and BADA55-VPR2-224.
Further reading: See the BADA55 paper, particularly Section 5.
Version: This is version 2015.09.27 of the "New VPR curves" web page.