BADA55 Crypto
Verifiably random parameters offer some additional conservative features. These parameters are chosen from a seed using SHA-1 as specified in ANSI X9.62 [X9.62]. This process ensures that the parameters cannot be predetermined. The parameters are therefore extremely unlikely to be susceptible to future special-purpose attacks, and no trapdoors can have been placed in the parameters during their generation. —Certicom SEC 2 2.0 (2010)

Several standards, including Certicom SEC 2 1.0 (2000), IEEE Std 1363 (2000), NIST FIPS 186-2 (2000), ANSI X9.63 (2001), and Certicom SEC 2 2.0 (2010), recommend verifiably hashed elliptic curves: curves where the curve coefficients are hashes of a public seed.

Many of these standards describe verifiably hashed curves using the deceptive terminology "verifiably random". In fact, the claimed randomness (a uniform distribution) is not being verified; what is being verified is merely a hash computation. The curves would still pass the same verification even if seeds were generated with no randomness at all.

To illustrate the flexibility allowed by verifiable hashing, the BADA55 Research Team has generated approximately 250 verifiably hashed elliptic curves (using approximately 2 days on a cluster of 41 NVIDIA GTX780 GPUs) and selected three of those curves to present here:

Each of these curves meets all standard security criteria plus twist security, with cofactor 1 and twist cofactor 1. Each of these curves also has B beginning with "BADA55EC" in hexadecimal, a property that occurs with probability 1/232.

If you've found a special-purpose attack that breaks one out of 1000000000000 elliptic curves that meet the public security criteria, you can carry out a larger but still feasible computation to find a verifiably hashed curve that's secretly vulnerable to this attack. You can then publicly advertise this curve as, e.g., "the verifiably random TrustedCurve-VR-224 curve" and claim that it is "extremely unlikely to be susceptible to special-purpose attacks". To encourage terrorists to "upgrade" from NIST P-224 to TrustedCurve-VR-224, you can explain that TrustedCurve-VR-224 addresses the following "concerns regarding the NIST elliptic curves":

Further reading: See the BADA55 paper, particularly Section 4.

Version: This is version 2017.01.22 of the "New VR curves" web page.