ECCFROG522PP: An Enhanced 522-bit Weierstrass Elliptic Curve

V\'ictor Duarte Melo; William J. Buchanan

arxiv: 2509.04097 · v3 · submitted 2025-09-04 · 💻 cs.CR

ECCFROG522PP: An Enhanced 522-bit Weierstrass Elliptic Curve

V\'ictor Duarte Melo , William J. Buchanan This is my paper

Pith reviewed 2026-05-18 19:08 UTC · model grok-4.3

classification 💻 cs.CR

keywords elliptic curveWeierstrass formdeterministic generationBLAKE3reproducible parametersprime ordertransparent cryptography522-bit curve

0 comments

The pith

ECCFROG522PP is a 522-bit Weierstrass elliptic curve whose parameters are all derived deterministically from a public seed using BLAKE3.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces ECCFROG522PP to meet demand for transparent elliptic curves at roughly 260-bit security, comparable to NIST P-521. It establishes that every curve parameter can be generated from a single fixed public seed through the BLAKE3 function, removing any possibility of hidden choices or discretionary decisions. The resulting curve has prime order with cofactor one, a twist whose order contains a proven 505-bit prime factor, an embedding degree of at least 14, and passes listed checks against MOV attacks and complex multiplication up to defined bounds. Full reproducibility is achieved because published scripts allow any user to regenerate the exact parameters byte-for-byte. The design therefore prioritizes verifiable trust and long-term auditability in a practical curve of this size.

Core claim

ECCFROG522PP is a 522-bit prime-field Weierstrass elliptic curve constructed so that the field prime, curve coefficients, base point, and group order are produced deterministically from one public seed by repeated application of the BLAKE3 hash function. This process yields a curve of prime order (cofactor 1), a verified twist with an approximately 505-bit prime factor, embedding degree at least 14, and passage of anti-MOV checks for k up to 200 together with CM discriminant checks up to 100000. Because the seed is fixed and public, the entire set of parameters is reproducible and verifiable by anyone who runs the published generation scripts.

What carries the argument

The BLAKE3-based deterministic mapping from a fixed public seed to every curve parameter, including the prime, a, b, base point, and order.

If this is right

The curve can be regenerated and audited byte-for-byte by any independent party using the published scripts.
Standard elliptic-curve protocols can use the curve without small-subgroup or embedding-degree concerns.
Security properties match those expected for a 260-bit classical security level while remaining fully transparent.
The same derivation approach supports future curves at other bit lengths with equivalent verifiability guarantees.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

Cryptographic libraries could adopt similar seed-based generation to reduce reliance on curves whose parameters were chosen without public explanation.
The method offers a practical template for constructing curves that can be re-derived at higher security levels while preserving the same transparency properties.
Protocols that embed this curve could provide stronger assurances to users concerned about potential backdoors in standard curves.

Load-bearing premise

The chosen seed together with the BLAKE3 derivation process produces a curve free of hidden weaknesses, an assumption resting on the listed security checks rather than a formal proof that no attack is possible.

What would settle it

A demonstration that the published scripts do not regenerate the stated parameters exactly, or discovery of an embedding degree below 14 or a twist factor smaller than claimed that permits an efficient attack.

Figures

Figures reproduced from arXiv: 2509.04097 by V\'ictor Duarte Melo, William J. Buchanan.

**Figure 1.** Figure 1: Benchmark References 1. N. Koblitz, “Elliptic curve cryptosystems,” Mathematics of computation, vol. 48, no. 177, pp. 203–209, 1987. 2. V. S. Miller, “Use of elliptic curves in cryptography,” in Conference on the theory and application of cryptographic techniques. Springer, 1985, pp. 417–426. 3. H. W. Lenstra Jr, “Factoring integers with elliptic curves,” Annals of mathematics, pp. 649–673, 1987. 4. D. J. … view at source ↗

read the original abstract

Whilst many key exchange and digital signature systems still rely on NIST P-256 (secp256r1) and secp256k1, offering around 128-bit security, there is an increasing demand for transparent and reproducible curves at the 256-bit security level. Standard higher-security options include NIST P-521, Curve448, and Brainpool-P512. This paper presents ECCFROG522PP ("Presunto Powered"), a 522-bit prime-field elliptic curve that delivers security in the same classical approx 260-bit ballpark as NIST P-521, but with a fundamentally different design philosophy. All of the curve parameters are deterministically derived from a fixed public seed via BLAKE3, with zero hidden choices. The curve has prime order (cofactor = 1), a verified twist with a proven approx 505-bit prime factor, safe embedding degree (greater than or equal to 14), and passes anti-MOV checks up to k less than or equal to 200 and CM discriminant sanity up to 100k. Unlike prior opaque or ad-hoc constructions, ECCFROG522PP is fully reproducible: anyone can regenerate and verify it byte-for-byte using the published scripts. The intent is not to outperform NIST P-521 in raw speed, but to maximise trust, verifiability, and long-term auditability in a practical curve of equivalent security level

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

A new 522-bit curve generated deterministically from a public seed with BLAKE3, positioned as a transparent alternative to NIST P-521 at similar security level.

read the letter

The main takeaway is a concrete 522-bit Weierstrass curve called ECCFROG522PP whose parameters are derived from a fixed public seed using BLAKE3. The authors supply scripts so anyone can regenerate the exact values byte for byte. They report that the curve has prime order with cofactor one, a twist whose large prime factor is around 505 bits, embedding degree at least 14, and that it passes anti-MOV checks to k=200 plus CM discriminant checks to 100k. This setup aims at roughly 260-bit classical security while emphasizing auditability over speed or novelty in performance terms. The reproducibility and the explicit generation process are the clearest positives here. They give implementers a way to verify the parameters without relying on opaque choices, which addresses a real concern in curve selection for higher-security applications. The listed properties line up with standard requirements for safe curves, and the deterministic method avoids the fitting or hidden-parameter issues that have drawn criticism elsewhere. The softer spot is the security argument. The paper relies on the enumerated checks being sufficient to rule out hidden weaknesses or special properties induced by the seed and the hash function. There is no broader case showing why the chosen bounds (CM to 100k, anti-MOV to 200) cover the relevant attack space or why the BLAKE3 derivation cannot introduce undetected structure. That completeness assumption is plausible but not demonstrated beyond the tests performed. This work is aimed at readers who need a verifiable high-security curve for long-term or high-assurance systems and who are willing to run the scripts themselves. It is not aimed at performance-critical or low-security settings. The construction is concrete enough and the claims testable enough that it deserves a serious referee. The generation details and reproducibility add genuine value even if the security justification could be tightened. I would send it for peer review.

Referee Report

2 major / 2 minor

Summary. The paper proposes ECCFROG522PP, a 522-bit Weierstrass elliptic curve over a prime field for approximately 256-bit security. All curve parameters (including the prime modulus, curve coefficients a and b, and base point) are claimed to be generated deterministically from a fixed public seed using the BLAKE3 hash function with no hidden choices or ad-hoc adjustments. The manuscript asserts that the resulting curve has prime order (cofactor 1), a twist whose order has a proven ~505-bit prime factor, embedding degree at least 14, passes MOV attack resistance checks for k up to 200, and satisfies CM discriminant sanity checks up to 100000. Verification scripts are provided to allow byte-for-byte reproduction.

Significance. If the reproducibility claims and security checks are confirmed, the work supplies a transparent, auditable alternative to NIST P-521 at comparable security level. The deterministic BLAKE3-based generation and open scripts constitute a concrete strength for long-term verifiability in elliptic-curve cryptography, where parameter opacity has been a recurring concern.

major comments (2)

[§5] §5 (Security Analysis): The central claim that the listed checks suffice to establish absence of hidden weaknesses or backdoors rests on the completeness of prime-order verification, twist factor, embedding degree ≥14, anti-MOV up to k=200, and CM discriminant checks up to 100k. No formal argument, reduction, or literature reference is supplied showing these bounds cover all relevant attack classes for a 522-bit prime-field curve (e.g., potential future pairing attacks or hash-induced special structure). This is load-bearing for the trust argument.
[§3.1] §3.1 (Parameter Derivation): The exact public seed value and the precise extraction rules that map BLAKE3 output bytes to the field prime p and curve coefficients are not stated in the main text. While scripts are referenced, the absence of these constants in the manuscript prevents immediate manual verification of the “zero hidden choices” claim without executing external code.

minor comments (2)

[Abstract] The abstract states “approx 260-bit ballpark” security; a precise estimate (e.g., via Pollard's rho or MOV) should be given in §2 or §5 for clarity.
[§4] Notation for the twist order factor and embedding degree computation should be defined once in §4 before being used in the security tables.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their careful and constructive review of our manuscript. We address each major comment below and indicate the specific revisions we will make to strengthen the paper.

read point-by-point responses

Referee: [§5] §5 (Security Analysis): The central claim that the listed checks suffice to establish absence of hidden weaknesses or backdoors rests on the completeness of prime-order verification, twist factor, embedding degree ≥14, anti-MOV up to k=200, and CM discriminant checks up to 100k. No formal argument, reduction, or literature reference is supplied showing these bounds cover all relevant attack classes for a 522-bit prime-field curve (e.g., potential future pairing attacks or hash-induced special structure). This is load-bearing for the trust argument.

Authors: We agree that the manuscript would be strengthened by a more explicit discussion of the chosen security criteria. In the revised version we will expand §5 to include references to established literature on elliptic-curve security checks (including criteria used for Brainpool and other transparent curves) and add a short paragraph explaining why the listed bounds are considered adequate for the targeted security level of a 522-bit prime-field curve. We note that while no finite set of checks can formally exclude every conceivable future attack, the selected tests align with current best practices for reproducible curve proposals. revision: yes
Referee: [§3.1] §3.1 (Parameter Derivation): The exact public seed value and the precise extraction rules that map BLAKE3 output bytes to the field prime p and curve coefficients are not stated in the main text. While scripts are referenced, the absence of these constants in the manuscript prevents immediate manual verification of the “zero hidden choices” claim without executing external code.

Authors: We thank the referee for this observation. To enable immediate manual verification, we will revise §3.1 to state the exact public seed and provide the precise byte-extraction and mapping rules that convert the BLAKE3 output into the field prime p and the curve coefficients a and b. These additions will allow readers to reproduce the parameter derivation step by step without running external code. revision: yes

Circularity Check

0 steps flagged

Deterministic BLAKE3 derivation from public seed is externally grounded with no circular reduction

full rationale

The paper derives all curve parameters deterministically from a fixed public seed via the standard BLAKE3 hash function, producing a reproducible 522-bit Weierstrass curve. This process is defined externally and does not reference or depend on the resulting curve properties (prime order, twist factor, embedding degree >=14, anti-MOV checks, or CM discriminant bounds) to generate the inputs. The listed security verifications occur after derivation and serve as independent checks rather than feeding back into parameter selection. No self-definitional equations, fitted inputs renamed as predictions, or load-bearing self-citations are present in the derivation chain. The construction remains self-contained against the external public seed and hash standard.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

Review based on abstract only; no explicit free parameters, invented entities, or non-standard axioms are described. Standard elliptic-curve mathematics over prime fields is presupposed.

axioms (1)

standard math Standard arithmetic and security properties of Weierstrass elliptic curves over prime fields
Invoked implicitly for all order, twist, embedding-degree, and MOV checks.

pith-pipeline@v0.9.0 · 5784 in / 1235 out tokens · 43864 ms · 2026-05-18T19:08:38.126850+00:00 · methodology

discussion (0)

Reference graph

Works this paper leans on

6 extracted references · 6 canonical work pages

[1]

Elliptic curve cryptosystems,

N. Koblitz, “Elliptic curve cryptosystems,”Mathematics of computation, vol. 48, no. 177, pp. 203–209, 1987

work page 1987
[2]

Use of elliptic curves in cryptography,

V. S. Miller, “Use of elliptic curves in cryptography,” inConference on the theory and application of cryptographic techniques. Springer, 1985, pp. 417–426

work page 1985
[3]

Factoring integers with elliptic curves,

H. W. Lenstra Jr, “Factoring integers with elliptic curves,”Annals of mathematics, pp. 649–673, 1987

work page 1987
[4]

SafeCurves: Introduction — safecurves.cr.yp.to,

D. J. Bernstein, “SafeCurves: Introduction — safecurves.cr.yp.to,” https://safecu rves.cr.yp.to/, [Accessed 04-09-2025]

work page 2025
[5]

DiSSECT — dissect.crocs.fi.muni.cz,

DiSSECT, “DiSSECT — dissect.crocs.fi.muni.cz,” https://dissect.crocs.fi.muni.cz/ standards/nist, [Accessed 04-09-2025]

work page 2025
[6]

Decaf: Eliminating cofactors through point compression,

M. Hamburg, “Decaf: Eliminating cofactors through point compression,” inAnnual Cryptology Conference. Springer, 2015, pp. 705–723

work page 2015

[1] [1]

Elliptic curve cryptosystems,

N. Koblitz, “Elliptic curve cryptosystems,”Mathematics of computation, vol. 48, no. 177, pp. 203–209, 1987

work page 1987

[2] [2]

Use of elliptic curves in cryptography,

V. S. Miller, “Use of elliptic curves in cryptography,” inConference on the theory and application of cryptographic techniques. Springer, 1985, pp. 417–426

work page 1985

[3] [3]

Factoring integers with elliptic curves,

H. W. Lenstra Jr, “Factoring integers with elliptic curves,”Annals of mathematics, pp. 649–673, 1987

work page 1987

[4] [4]

SafeCurves: Introduction — safecurves.cr.yp.to,

D. J. Bernstein, “SafeCurves: Introduction — safecurves.cr.yp.to,” https://safecu rves.cr.yp.to/, [Accessed 04-09-2025]

work page 2025

[5] [5]

DiSSECT — dissect.crocs.fi.muni.cz,

DiSSECT, “DiSSECT — dissect.crocs.fi.muni.cz,” https://dissect.crocs.fi.muni.cz/ standards/nist, [Accessed 04-09-2025]

work page 2025

[6] [6]

Decaf: Eliminating cofactors through point compression,

M. Hamburg, “Decaf: Eliminating cofactors through point compression,” inAnnual Cryptology Conference. Springer, 2015, pp. 705–723

work page 2015