GOST R 34.10-2012

The GOST R is a set of standards of the Russian Federation (not to be confused with the GOST standards maintained by the Euro-Asian Council for Standardization). The name is an acronym for gosudarstvennyy standard, which means state standard [1]. The GOST R standards have employed elliptic curve cryptography since GOST R 34.10-2001 [2]. This standard doesn't specify any elliptic curve parameters or elliptic curve generation but describes the following security conditions for elliptic curves over 256-bit prime field used in ECC.

Security - 2001 version

Since no curves were recommended, curves were then provided in 2006 in RFC [3], each of 256-bit length (CryptoPro-A, CryptoPro-B, CryptoPro-C). Although no method of generation was specified, these curves satisfy the recommended security conditions. In 2012 an updated standard GOST R 34.10-2012 was released [4]. The only notable difference from the previous version concerning elliptic curves was the introduction of 512-bit protocols. The security conditions were extended to:

Security - 2012 version

Finally, two 512-bit Weierstrass curves (512-paramSetA, 512-paramSetB), one 256-bit (256-paramSetA) and one 512-bit Edwards curve (512-paramSetC), were then adopted in [5] in 2016. Again, no method of generation was specified.

In [6], authors investigate russian standardized elliptic curves and show that all of the standardized curves were generated in the following way:

The authors provide the seeds to support the claimed generation method but only for the twisted Edwards curves. As the authors do not consider the RFC document [3] as a standard (based on a private discussion with the authors), they did not claim anything about the generation method of the first three CryptoPro curves specified by the RFC. You can read our hypothesis about the generation method of these curves in our paper.

  1. GOST - Wikipedia
  2. GOST R 34.10-2001 (in russian), information can be found in RFC 5832
  3. RFC 4357
  4. GOST R 34.10-2012 (in russian), information can be found in RFC 7091
  5. ла 50.1.114-2016 (in russian)
  6. On the security properties of Russian standardized elliptic curves
  7. RFC 6986