As a fix for the problems with the Brainpool curves, the BADA55 Research Team has generated a new and improved verifiably pseudorandom 224-bit curve, BADA55-VPR-224. BADA55-VPR-224 uses the standard NIST P-224 prime, with a simpler, more natural curve-generation procedure than Brainpool.

To avoid Brainpool's complications of concatenating hash outputs, BADA55-VPR-224 upgrades from the deprecated SHA-1 hash function to the state-of-the-art maximum-security SHA3-512 hash function. It also upgrades to requiring maximum twist security: i.e., both the cofactor and the twist cofactor are required to be 1. Note that twist security was not a design criterion for the Brainpool curves: the twist-security level of, e.g., the 256-bit Brainpool curve is so low as to make that curve exploitable in practice.

Brainpool already generates seeds using exp(1) = e and generates primes using arctan(1) = π/4, and MD5 already uses sin(1), so BADA55-VPR-224 uses cos(1). BADA55-VPR-224 eliminates Brainpool's contrived, complicated search pattern for A (which even the Brainpool standard didn't get right); BADA55-VPR-224 simply counts upwards, deterministically trying every seed for A, until finding the first secure (A,B). The full 160-bit seed for A is the 32-bit counter followed by cos(1). BADA55-VPR-224 complements this seed to obtain the seed for B, ensuring maximal difference between the two seeds.

Verification scripts for BADA55-VPR-224:

- vpr1slow.sage is a simple, systematic, deterministic procedure to generate the curve.
- vpr1.sage is another systematic, deterministic procedure to generate the same curve. It's slightly more complicated but much faster.

After the announcement of BADA55-VPR-224, Johannes Merkle objected to the use of cos(1): "Pi and e are by far the most prominent mathematical constants, while cosinus(1) ... is quite arbitrarily chosen." The BADA55 Research Team therefore generated a new curve BADA55-VPR2-224 using exp(1) for its seed.
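The seed layout described above, and the effect of swapping cos(1) for exp(1), as an added Python sketch (not the team's vpr1.sage or any other code from this page). Assumptions: each constant is encoded as the top 128 bits of its fractional part, the counter is big-endian, and each seed is hashed directly with SHA3-512; how a digest becomes A or B is not described on this page, so the sketch stops at the digests.

```python
import hashlib
from fractions import Fraction
from math import factorial

def frac_bits(terms, bits=128):
    """floor(frac(x) * 2^bits) for a positive x given as an exact series."""
    x = sum(terms)
    return int((x - int(x)) * 2**bits)

# Exact rational partial sums; the truncation error is far below 2^-128.
COS1 = frac_bits(Fraction((-1)**k, factorial(2 * k)) for k in range(40))
EXP1 = frac_bits(Fraction(1, factorial(k)) for k in range(60))

def seeds(counter, const128):
    """160-bit seed for A = 32-bit counter || 128-bit constant (assumed encoding).
    The seed for B is the bitwise complement of the seed for A."""
    seed_a = counter.to_bytes(4, "big") + const128.to_bytes(16, "big")
    seed_b = bytes(b ^ 0xFF for b in seed_a)
    return seed_a, seed_b

def candidates(const128, n):
    """Count upwards from 0, yielding the SHA3-512 digests of both seeds.
    A real generator would derive (A, B) from these and stop at the first
    pair that passes the security checks (cofactor and twist cofactor 1)."""
    for counter in range(n):
        seed_a, seed_b = seeds(counter, const128)
        yield (counter,
               hashlib.sha3_512(seed_a).hexdigest(),
               hashlib.sha3_512(seed_b).hexdigest())

if __name__ == "__main__":
    # Same procedure, two equally "natural" constants, unrelated candidate streams.
    for name, const in (("cos(1)", COS1), ("exp(1)", EXP1)):
        print(name, format(const, "032x"))
        for counter, digest_a, digest_b in candidates(const, 2):
            print("  counter", counter, "A:", digest_a[:16], "B:", digest_b[:16])
```

Each choice of constant, encoding or seed layout yields a completely different sequence of candidates, which is the flexibility the two curves illustrate.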

Verification scripts for BADA55-VPR2-224:

Amazing fact:
BADA55-VPR-224 and BADA55-VPR2-224, despite being "verifiably pseudorandom",
each contain "BADA55" in the hexadecimal expansion of A,
a property that occurs with probability approximately 1/2^{17}.
*Quelle surprise!*

These curves are actually illustrations of the flexibility allowed in
"verifiably pseudorandom" curves.
The BADA55 Research Team
generated approximately 2^{20} "verifiably pseudorandom" curves
modulo the NIST P-224 prime,
and found several "BADA55" curves,
including BADA55-VPR-224 and BADA55-VPR2-224.

Further reading: See the BADA55 paper, particularly Section 5.

**Version:** This is version 2015.09.27 of the "New VPR curves" web page.