The Sage scripts under https://github.com/zkcrypto/jubjub/tree/master/doc/evidence check that the Jubjub curve satisfies the SafeCurves criteria.
The main reason for running the SafeCurves criteria verification is as follows:
There are several different standards covering selection of curves for use in elliptic-curve cryptography (ECC):
- ANSI X9.62 (1999).
- IEEE P1363 (2000).
- SEC 2 (2000).
- NIST FIPS 186-2 (2000).
- ANSI X9.63 (2001).
- Brainpool (2005).
- NSA Suite B (2005).
- ANSSI FRP256V1 (2011).
Each of these standards tries to ensure that the elliptic-curve discrete-logarithm problem (ECDLP) is difficult. ECDLP is the problem of finding an ECC user’s secret key, given the user’s public key.
Unfortunately, there is a gap between ECDLP difficulty and ECC security. None of these standards do a good job of ensuring ECC security. There are many attacks that break real-world ECC without solving ECDLP.
The SafeCurves criteria are designed to ensure ECC security, not just ECDLP security.
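To make concrete what a SafeCurves verification actually computes, the Python below is an added example (not code from the Jubjub evidence directory or from the SafeCurves site) that re-implements a handful of the published checks: field primality, the prime-order subgroup and cofactor, the rho cost 0.886*sqrt(l) >= 2^100, the embedding-degree ("transfer") bound k >= (l-1)/100, the anomalous check, and the same rho/transfer tests for the quadratic twist. It runs on a constructed toy complete twisted Edwards curve x^2 + y^2 = 1 + 6 x^2 y^2 over F_13 because point counting here is brute force; the curve parameters, the function names and the report layout are all my own, and the thresholds are the SafeCurves requirements.

```python
"""Toy re-implementation of several SafeCurves checks for a complete twisted
Edwards curve a*x^2 + y^2 = 1 + d*x^2*y^2 over F_p.

Point counting here is brute force (O(p)), so only tiny constructed primes
are feasible; the Jubjub evidence scripts rely on Sage's point counting for
the real 255-bit curve. Thresholds are the published SafeCurves ones:
rho cost 0.886*sqrt(l) >= 2^100 and embedding degree >= (l-1)/100.
"""
from math import log2

MR_BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]  # deterministic below 3.3e24


def is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; exact for the sizes used here."""
    if n < 2:
        return False
    for q in MR_BASES:
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def largest_prime_factor(n: int) -> int:
    """Trial division (toy group orders only)."""
    f, last = 2, 1
    while f * f <= n:
        while n % f == 0:
            last, n = f, n // f
        f += 1
    return max(last, n) if n > 1 else last


def is_square(x: int, p: int) -> bool:
    """Euler's criterion; 0 counts as a square."""
    x %= p
    return x == 0 or pow(x, (p - 1) // 2, p) == 1


def count_points(p: int, a: int, d: int) -> int:
    """Affine points on a*x^2 + y^2 = 1 + d*x^2*y^2 over F_p.

    For a complete curve (a square, d non-square) every group element is an
    affine point, so this is the group order; incomplete parameters are refused.
    """
    if not is_square(a, p) or is_square(d, p):
        raise ValueError("need a square and d non-square (complete curve)")
    total = 0
    for x in range(p):
        s = x * x % p
        num, den = (1 - a * s) % p, (1 - d * s) % p  # den != 0 since d is a non-square
        rhs = num * pow(den, -1, p) % p              # y^2 = (1 - a x^2)/(1 - d x^2)
        total += 1 if rhs == 0 else 2 if is_square(rhs, p) else 0
    return total


def embedding_degree(p: int, l: int) -> int:
    """Smallest k with l | p^k - 1 (transfer to F_{p^k}); 0 if l divides p."""
    if p % l == 0:
        return 0
    k, acc = 1, p % l
    while acc != 1:
        acc, k = acc * p % l, k + 1
    return k


def rho_bits(l: int) -> float:
    """log2 of the generic Pollard-rho cost 0.886*sqrt(l) used by SafeCurves."""
    return log2(0.886) + log2(l) / 2


def safecurves_report(p: int, a: int, d: int) -> dict:
    """Run the field, rho, transfer, anomalous and twist checks; return a dict."""
    order = count_points(p, a, d)
    twist_order = 2 * (p + 1) - order          # quadratic twist of a twisted Edwards curve
    l, lt = largest_prime_factor(order), largest_prime_factor(twist_order)
    k, kt = embedding_degree(p, l), embedding_degree(p, lt)
    return {
        "order": order, "l": l, "cofactor": order // l,
        "twist_order": twist_order, "l_twist": lt,
        "embedding_degree": k,
        "field_prime": is_prime(p),            # field: p must be prime
        "l_prime": is_prime(l),                # a prime-order subgroup exists
        "rho_ok": rho_bits(l) >= 100,          # rho: 0.886*sqrt(l) >= 2^100
        "transfer_ok": k >= (l - 1) / 100,     # transfer (MOV / Frey-Rueck)
        "not_anomalous": order != p,           # anomalous (Smart) attack
        "twist_rho_ok": rho_bits(lt) >= 100,   # twist security: same two tests
        "twist_transfer_ok": kt >= (lt - 1) / 100,
    }


if __name__ == "__main__":
    # Constructed toy curve x^2 + y^2 = 1 + 6 x^2 y^2 over F_13 (6 is a non-square mod 13).
    for key, val in safecurves_report(13, 1, 6).items():
        print(f"{key:18} {val}")
```

On the toy curve the report finds order 12 = 4 * 3, so l = 3 with cofactor 4, twist order 16 and embedding degree 1; every check passes except the rho bound, which no 4-bit prime can meet. The point of the exercise is the structure: each SafeCurves criterion is a cheap arithmetic test once the group order is known, and the hard part that Sage does for Jubjub is the point counting itself.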
References:
[1] https://github.com/zkcrypto/jubjub/tree/master/doc/evidence
[2] https://safecurves.cr.yp.to/index.html
[3] https://safecurves.cr.yp.to/verify.html