Bitcoin's Quantum Leap: Navigating the Cryptocurrency Landscape in a Post-Quantum World

Arcane Analytic · 38 min read

1. Introduction

Since its inception in 2009, Bitcoin has garnered significant attention and established itself as the leading cryptocurrency. The underlying technology, blockchain, and the cryptographic algorithms used in Bitcoin ensure the security and integrity of the network. The core cryptographic components of Bitcoin are:

  1. The Elliptic Curve Digital Signature Algorithm (ECDSA) for securing transactions
  2. The Secure Hash Algorithm 256 (SHA-256) for creating unique transaction identifiers and ensuring the integrity of the blockchain

However, the rapid advancement of quantum computing presents potential threats to the security of these cryptographic algorithms. A sufficiently powerful quantum computer could use Shor's algorithm (Shor, 1994) to break ECDSA, and Grover's algorithm (Grover) to speed up the search for valid hashes in the Proof of Work (PoW) mining process, thus compromising the integrity of the Bitcoin network.

This has led to a growing interest in post-quantum cryptography, which consists of cryptographic algorithms designed to be resistant against attacks from quantum computers. In this introduction, we will briefly discuss the background of Bitcoin and cryptography, the threats posed by quantum computing, and the need for post-quantum cryptography in the crypto industry.

1.1 Background of Bitcoin and Cryptography

Bitcoin, a decentralized digital currency, relies on cryptographic algorithms to secure transactions and maintain the integrity of its blockchain. One such algorithm is the Elliptic Curve Digital Signature Algorithm (ECDSA), which is used to create digital signatures for transactions. The security of ECDSA relies on the difficulty of solving the Elliptic Curve Discrete Logarithm Problem (ECDLP). The ECDLP can be formally defined as follows:

Given an elliptic curve $E$ defined over a finite field $F_p$, a point $P \in E(F_p)$ of prime order $q$, and a point $Q \in \langle P \rangle$, find the integer $k$ such that $0 \le k \le q - 1$ and $Q = kP$.

The intractability of ECDLP ensures the security of digital signatures in Bitcoin. However, as we will discuss in the next section, this security is threatened by the advent of quantum computing.
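To make the ECDLP definition above concrete, here is an added example (not code from the original article) on a constructed toy curve, $y^2 = x^3 + 2x + 2$ over $F_{17}$, whose base point $P = (5, 1)$ has prime order $q = 19$. The solver simply walks through $0P, 1P, \ldots$ until it hits $Q$, which is the best a classical attacker can do up to constant factors on a generic group: $O(q)$ work here, and roughly $2^{128}$ with square-root methods on a curve the size of Bitcoin's secp256k1. The curve parameters are toy values chosen for the illustration, nothing else is assumed.

```python
"""Toy illustration of the ECDLP from the definition above.

Added example, not from the original article. Uses the small textbook
curve y^2 = x^3 + 2x + 2 over F_17 (a constructed toy parameter set);
the point P = (5, 1) generates a subgroup of prime order 19.
"""

# Curve parameters (constructed toy values; nothing like secp256k1's size)
P_MOD = 17    # field prime p
A, B = 2, 2   # curve coefficients
G = (5, 1)    # base point P of prime order q = 19
Q_ORDER = 19

INF = None    # point at infinity, the group identity


def on_curve(pt):
    """Check that pt satisfies the curve equation (INF is always on the curve)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def point_add(p1, p2):
    """Group law on E(F_p) in affine coordinates (handles doubling and inverses)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(k, pt):
    """Compute kP by double-and-add: O(log k) group operations, the easy direction."""
    result = INF
    addend = pt
    while k > 0:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def solve_ecdlp_bruteforce(q_pt, base=G, order=Q_ORDER):
    """Find k with 0 <= k <= q-1 and Q = kP by exhaustive search: the hard direction.

    This costs O(q) group operations: trivial for q = 19, infeasible for a
    ~2^256 group order. Returns None if Q is not in <P>.
    """
    acc = INF
    for k in range(order):
        if acc == q_pt:
            return k
        acc = point_add(acc, base)
    return None


if __name__ == "__main__":
    secret = 7
    public = scalar_mult(secret, G)          # forward direction: cheap
    print("Q = 7P =", public)
    print("recovered k =", solve_ecdlp_bruteforce(public))  # reverse: brute force
```

Run it and the solver recovers $k = 7$ after a handful of additions; the point of the example is that `scalar_mult` stays cheap as $q$ grows while `solve_ecdlp_bruteforce` does not, which is exactly the asymmetry Shor's algorithm removes on a quantum computer.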

1.2 Quantum Computing and Its Threats to Cryptography

Quantum computing utilizes the principles of quantum mechanics, such as superposition and entanglement, to perform certain computations exponentially faster than classical computers. A quantum computer operates on quantum bits, or qubits, which can exist in a superposition of 0 and 1 simultaneously. This enables quantum computers to perform certain computations much faster than classical computers.

Shor's algorithm, for example, can solve the integer factorization and discrete logarithm problems exponentially faster than the best-known classical algorithms, effectively breaking RSA and ECDSA cryptography. The time complexity of Shor's algorithm is $O((\log N)^3)$, where $N$ is the number to be factored, which is polynomial in the input size. In contrast, the best-known classical algorithms have sub-exponential or exponential time complexity.

The threat of quantum computing to cryptography can be illustrated using the following formula for the running time of Shor's algorithm on a quantum computer:

$$ T(N) = O((\log N)^3) $$

As the size of the input $N$ increases, the running time of Shor's algorithm grows polynomially, whereas the running time of classical algorithms grows exponentially. This makes it possible for a sufficiently powerful quantum computer to break the cryptographic algorithms used in Bitcoin.

1.3 The Need for Post-Quantum Cryptography in the Crypto Industry

Given the potential security threats posed by quantum computing, the need for post-quantum cryptography has become increasingly urgent. Post-quantum cryptography aims to develop cryptographic algorithms that are secure against both classical and quantum computing attacks. This would help ensure the continued security and integrity of Bitcoin and other cryptocurrencies in a post-quantum world.

In the following sections, we will provide an overview of some prominent post-quantum cryptographic techniques, discuss how Bitcoin can be adapted to incorporate post-quantum cryptography, and explore existing projects and research initiatives focused on post-quantum cryptocurrencies.

2. Post-Quantum Cryptography: A Primer

Post-quantum cryptography is a burgeoning field that focuses on developing cryptographic algorithms that are resistant to attacks by quantum computers. With the advent of quantum computing, classical cryptographic schemes such as RSA and elliptic curve cryptography are at risk of being broken. In this section, we will explore some of the most promising post-quantum cryptographic techniques, including lattice-based, code-based, and hash-based cryptography, as well as some other novel approaches.

2.1 Lattice-based Cryptography

Lattice-based cryptography is a class of cryptographic schemes that rely on the hardness of certain problems in lattice theory. A lattice is a discrete subgroup of a Euclidean space, and can be thought of as a grid of points with a regular structure. The security of these schemes relies on the difficulty of solving problems such as the Shortest Vector Problem (SVP) and the Learning with Errors (LWE) problem.

The SVP is a well-known problem in computational geometry that asks for the shortest non-zero vector in a given lattice. Formally, given a basis $\mathbf{B} = \{\mathbf{b}_1, \ldots, \mathbf{b}_n\}$ for a lattice $\mathcal{L}(\mathbf{B})$, the SVP is to find a non-zero vector $\mathbf{v} \in \mathcal{L}(\mathbf{B})$ such that $\|\mathbf{v}\| \leq \|\mathbf{w}\|$ for all non-zero $\mathbf{w} \in \mathcal{L}(\mathbf{B})$. The LWE problem, on the other hand, involves learning a secret vector $\mathbf{s}$ given noisy linear equations of the form $\langle \mathbf{a}_i, \mathbf{s} \rangle + e_i \pmod{q}$, where $\mathbf{a}_i$ are public vectors, $e_i$ are small errors, and $q$ is a modulus.

One of the most studied lattice-based cryptographic schemes is the NTRU cryptosystem (Hoffstein et al., 1998). The NTRU encryption scheme is based on the hardness of the Ring-LWE problem, a variant of the LWE problem that operates in polynomial rings. In NTRU, the public key is a polynomial $h = f^{-1}g \pmod{q}$, where $f$ and $g$ are secret polynomials with small coefficients. To encrypt a message $m$, the sender chooses a random small polynomial $r$, and computes the ciphertext $c = rh + m \pmod{q}$. Decryption is performed by computing $c' = cf = rg + m \pmod{q}$ and recovering $m$ by rounding the coefficients of $c'$ modulo $p$.

Lattice-based cryptography offers several advantages, including worst-case to average-case reductions, which ensures that if an algorithm can solve the average-case problem, it can also solve the worst-case problem. Additionally, lattice-based schemes have relatively small key sizes and efficient operations, making them attractive for practical applications.

2.2 Code-based Cryptography

Code-based cryptography is another class of post-quantum cryptographic schemes that rely on the hardness of decoding random error-correcting codes. The most famous example is the McEliece cryptosystem (McEliece, 1978), which is based on the hardness of decoding random Goppa codes. Goppa codes are a class of linear error-correcting codes defined by a polynomial $g(x)$ over a finite field $\mathbb{F}_q$, and an irreducible Goppa code is a code for which $g(x)$ is an irreducible polynomial.

The McEliece cryptosystem works as follows. The private key consists of an $[n, k]$ irreducible Goppa code $C$ with generator matrix $G$, and a random permutation matrix $P$. The public key is the scrambled generator matrix $G' = SGP$, where $S$ is a random invertible $k \times k$ matrix. To encrypt a message $m \in \mathbb{F}_q^k$, the sender first chooses a random error vector $e \in \mathbb{F}_q^n$ with weight $t$, where $t$ is the error-correcting capability of the Goppa code. The ciphertext is then computed as $c = mG' + e$.

Decryption is performed by first applying the inverse permutation $P^{-1}$ to the ciphertext, obtaining $c' = cP^{-1} = mSG + eP^{-1}$. Since the receiver knows the Goppa code $C$ and the error vector $eP^{-1}$ has weight $t$, they can use a decoding algorithm to recover the original message $m$.

The security of code-based cryptography relies on the difficulty of decoding random error-correcting codes, which is believed to be hard even for quantum computers. However, one major drawback of these schemes is their large key sizes, which can be several orders of magnitude larger than traditional cryptographic schemes.
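The following added example (not code from the article or from any McEliece implementation) walks through the key generation, encryption and decryption steps described above with every matrix visible. The one substitution is the code itself: instead of a Goppa code it uses the $[7, 4]$ Hamming code over $\mathbb{F}_2$, which corrects $t = 1$ error and has a trivial syndrome decoder, so the scheme is insecure and exists only to show how $G' = SGP$, the weight-$t$ error vector $e$, and decryption via $P^{-1}$ and the decoder fit together. The `random.Random` seed and the message bits are constructed values.

```python
"""Toy McEliece encryption following the steps in the text (added example,
not from the article). Instead of a Goppa code it uses the [7,4] Hamming
code, which corrects t = 1 error, so it is insecure and only illustrates
the S*G*P construction, the error vector e, and decoding after applying P^-1.
"""
import random

# Generator matrix G of the [7,4] Hamming code in systematic form [I_4 | A] over F_2
HAMMING_G = [
    [1, 0, 0, 0, 1, 1, 0],
    [0, 1, 0, 0, 1, 0, 1],
    [0, 0, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]
# Parity-check matrix H = [A^T | I_3]; column j of H is the syndrome of a single error in position j
HAMMING_H = [
    [1, 1, 0, 1, 1, 0, 0],
    [1, 0, 1, 1, 0, 1, 0],
    [0, 1, 1, 1, 0, 0, 1],
]
N, K, T = 7, 4, 1   # code length, dimension, error-correcting capability


def mat_mul(a, b):
    """Matrix product over F_2 (sum of ANDs, reduced mod 2)."""
    return [[sum(a[i][k] & b[k][j] for k in range(len(b))) & 1
             for j in range(len(b[0]))] for i in range(len(a))]


def vec_mat(v, m):
    """Row vector times matrix over F_2."""
    return mat_mul([v], m)[0]


def transpose(m):
    return [list(col) for col in zip(*m)]


def inverse_gf2(m):
    """Gauss-Jordan inverse over F_2; returns None if m is singular."""
    n = len(m)
    aug = [row[:] + [1 if i == j else 0 for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [x ^ y for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def random_invertible(n, rng):
    """Random invertible n x n matrix S over F_2 (about 29% of matrices qualify)."""
    while True:
        s = [[rng.randint(0, 1) for _ in range(n)] for _ in range(n)]
        if inverse_gf2(s) is not None:
            return s


def random_permutation_matrix(n, rng):
    perm = list(range(n))
    rng.shuffle(perm)
    return [[1 if perm[i] == j else 0 for j in range(n)] for i in range(n)]


def keygen(rng):
    """Private key (S, P) plus the known code; public key G' = S G P."""
    S = random_invertible(K, rng)
    P = random_permutation_matrix(N, rng)
    G_pub = mat_mul(mat_mul(S, HAMMING_G), P)
    return G_pub, (S, P)


def encrypt(m, G_pub, rng):
    """c = m G' + e, with e a random error vector of weight t = 1."""
    e = [0] * N
    e[rng.randrange(N)] = 1
    return [a ^ b for a, b in zip(vec_mat(m, G_pub), e)]


def hamming_decode(word):
    """Correct up to one error via the syndrome and return the K information bits."""
    syndrome = vec_mat(word, transpose(HAMMING_H))   # = H * word^T
    corrected = word[:]
    if any(syndrome):
        corrected[transpose(HAMMING_H).index(syndrome)] ^= 1
    return corrected[:K]   # systematic code: the first K bits are the message


def decrypt(c, priv):
    """c' = c P^-1 = (m S) G + e P^-1; decode to m S; then m = (m S) S^-1."""
    S, P = priv
    c_prime = vec_mat(c, inverse_gf2(P))
    m_s = hamming_decode(c_prime)
    return vec_mat(m_s, inverse_gf2(S))


def roundtrip_all(seed=7):
    """Encrypt and decrypt every 4-bit message under one key pair (constructed seed)."""
    rng = random.Random(seed)
    pub, priv = keygen(rng)
    return all(decrypt(encrypt([(i >> b) & 1 for b in range(K)], pub, rng), priv)
               == [(i >> b) & 1 for b in range(K)] for i in range(2 ** K))
```

With $n = 7$ the public matrix is 28 bits; the reason real McEliece keys run to hundreds of kilobytes, as the paragraph above notes, is that the same $k \times n$ matrix must be published for a Goppa code with $n$ in the thousands.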

2.3 Hash-based Cryptography

Hash-based cryptography is a class of post-quantum cryptographic schemes that utilize cryptographic hash functions to construct digital signatures. The most famous example is the Merkle signature scheme (Merkle, 1987), which is based on the concept of Merkle trees.

A Merkle tree is a binary tree in which each leaf node contains the hash of a data block, and each internal node contains the hash of the concatenation of its children's hashes. The root of the tree, known as the Merkle root, serves as a compact summary of all the data blocks in the tree.

In the Merkle signature scheme, the private key consists of a set of one-time signature key pairs, and the public key is the Merkle root corresponding to the public keys of these one-time signature schemes. To sign a message, the sender first chooses an unused one-time signature key pair, signs the message using the one-time signature scheme, and constructs a Merkle proof that shows the connection between the one-time public key and the Merkle root. The signature consists of the one-time signature and the Merkle proof.

The security of hash-based cryptography relies on the collision resistance and preimage resistance properties of cryptographic hash functions. As a result, hash-based schemes are believed to be secure against quantum attacks, as quantum computers offer only a quadratic speedup for generic attacks on hash functions. One limitation of hash-based cryptography is that the number of signatures that can be produced with a single public key is limited by the height of the Merkle tree.

2.4 Other Post-Quantum Cryptographic Techniques

While lattice-based, code-based, and hash-based cryptography are some of the most well-studied post-quantum cryptographic techniques, there are several other promising approaches. These include multivariate cryptography, which is based on the hardness of solving systems of multivariate polynomial equations over finite fields, and isogeny-based cryptography, which relies on the difficulty of computing isogenies between supersingular elliptic curves.

An example of multivariate cryptography is the Unbalanced Oil and Vinegar (UOV) signature scheme (Kipnis et al.), which involves constructing a system of quadratic polynomials that can be easily inverted using the private key, but is difficult to invert without it. In isogeny-based cryptography, the security is based on the Supersingular Isogeny Diffie-Hellman (SIDH) problem (Jao et al.), which involves finding an isogeny between two supersingular elliptic curves given only their j-invariants.

These alternative post-quantum cryptographic techniques offer unique advantages and trade-offs, and further research is needed to determine their suitability for practical applications and their resilience against quantum attacks.

3. Adapting Bitcoin to the Post-Quantum Era

As quantum computing advances, it becomes increasingly important to adapt Bitcoin and other cryptocurrencies to withstand potential quantum attacks. In this section, we will discuss the process of replacing traditional cryptographic algorithms with post-quantum alternatives and the challenges involved in implementing post-quantum cryptography in Bitcoin.

3.1 Replacing Traditional Cryptographic Algorithms

The current cryptographic algorithms employed by Bitcoin, such as the Elliptic Curve Digital Signature Algorithm (ECDSA) for transaction signing and the Secure Hash Algorithm 256 (SHA-256) for proof-of-work, are vulnerable to attacks from quantum computers. To ensure the security of Bitcoin in a post-quantum world, these algorithms must be replaced with post-quantum alternatives.

One potential replacement for the ECDSA is the Supersingular Isogeny Key Encapsulation (SIKE) algorithm (Jao et al.), which is based on the hardness of the Supersingular Isogeny Problem (SIP). The SIP can be defined as follows:

Given two supersingular elliptic curves $E_1$ and $E_2$ over a finite field $F_{p^2}$ and an isogeny $\phi: E_1 \rightarrow E_2$ of degree $l^n$, find the kernel of $\phi$, i.e., the subgroup of $E_1(F_{p^2})$ of order $l^n$.

The security of SIKE relies on the difficulty of finding the kernel of a given isogeny between two supersingular elliptic curves. In contrast to the ECDSA, SIKE is believed to be resistant to attacks from both classical and quantum computers. Replacing the ECDSA with SIKE in Bitcoin would involve modifying the address generation and transaction signing processes, as we will discuss in the next section.

Similarly, the proof-of-work algorithm used in Bitcoin mining, which relies on the SHA-256 hash function, must be replaced with a post-quantum alternative. One candidate for a post-quantum proof-of-work algorithm is the Merkle Tree-based hash function, which relies on the security of hash functions that are resistant to quantum attacks, such as the LMS (Leighton-Micali Signature) scheme (Leighton and Micali).

3.2 Implementing Post-Quantum Cryptography in Bitcoin

Implementing post-quantum cryptography in Bitcoin involves modifying various components of the Bitcoin protocol, including address generation, transaction signing, and consensus mechanisms. In this section, we will discuss these modifications in detail.

3.2.1 Address Generation and Transaction Signing

In the current Bitcoin protocol, addresses are generated using the ECDSA public-private key pair. To transition to a post-quantum algorithm such as SIKE, the address generation process must be modified accordingly.

Let $E_1$ and $E_2$ be supersingular elliptic curves over a finite field $F_{p^2}$, and let $\phi: E_1 \rightarrow E_2$ be an isogeny of degree $l^n$. The SIKE key generation process can be summarized as follows:

  1. Generate a random secret key $s \in \mathbb{Z}_{l^n}$.
  2. Compute the public key $P = \phi(sP_1)$, where $P_1$ is a generator of the subgroup of $E_1(F_{p^2})$ of order $l^n$.

The resulting public key $P$ can be used as a Bitcoin address, while the secret key $s$ remains the private key associated with that address. This new address generation scheme would replace the ECDSA-based process currently in use.

For transaction signing, the existing ECDSA signatures must be replaced with post-quantum secure signatures using the SIKE algorithm. The SIKE signature generation process can be summarized as follows:

  1. Generate a random nonce $k \in \mathbb{Z}_{l^n}$.
  2. Compute the signature point $R = \phi(kP_1)$, where $P_1$ is a generator of the subgroup of $E_1(F_{p^2})$ of order $l^n$.
  3. Compute the challenge value $c = H(R || m)$, where $H$ is a post-quantum secure hash function, $R$ is the signature point, $||$ denotes concatenation, and $m$ is the message (transaction) to be signed.
  4. Compute the response value $z = k + cs \pmod{l^n}$.
  5. The signature is the pair $(R, z)$.

To verify a SIKE signature, the following steps must be performed:

  1. Compute the challenge value $c = H(R || m)$, where $H$ is a post-quantum secure hash function, $R$ is the signature point, $||$ denotes concatenation, and $m$ is the message (transaction) to be signed.
  2. Compute the points $U = \phi(zP_1)$ and $V = R + cP$.
  3. Verify that $U = V$.

If the verification equation holds, the signature is considered valid. Implementing SIKE-based address generation and transaction signing in Bitcoin would require changes to the Bitcoin protocol and wallet software.

3.2.2 Consensus Mechanisms and Network Security

Replacing the SHA-256-based proof-of-work algorithm in Bitcoin with a post-quantum secure alternative, such as the Merkle Tree-based hash function using the LMS scheme, would require modifying the mining process and the consensus mechanism.

The LMS-based proof-of-work algorithm could be defined as follows:

  1. Given a block header $H$, compute the LMS hash value $L = LMS(H)$.
  2. Check if $L \le T$, where $T$ is the target difficulty value.
  3. If the inequality holds, the proof-of-work is considered valid, and the block is added to the blockchain. Otherwise, update the nonce in the block header and repeat the process.

This new proof-of-work algorithm would replace the current SHA-256-based algorithm, and the Bitcoin network would need to reach consensus on adopting this new mining mechanism.
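The three steps above are the same loop whatever digest is plugged in, so the added example below (not code from the article) implements them with the digest as a parameter. The default is Bitcoin's double SHA-256 over the real 80-byte header layout and compact target encoding; the article's $LMS(H)$ is not given a concrete definition, so no LMS construction is attempted, and any quantum-resistant hash can be passed in its place. The header field values are constructed placeholders. `expected_tries` also reports the square-root query count Grover's algorithm would need, the speedup referred to in the introduction.

```python
"""Hash-based proof-of-work loop following the three steps in the text
(added example, not from the article). The digest is a parameter; the
default is Bitcoin's double SHA-256. Header values are constructed."""
import hashlib
import math
import struct


def sha256d(data):
    """Bitcoin's block hash: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def target_from_bits(nbits):
    """Decode the compact 32-bit 'bits' field into the 256-bit target T."""
    exponent = nbits >> 24
    mantissa = nbits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def serialize_header(version, prev_hash, merkle_root, timestamp, nbits, nonce):
    """80-byte little-endian block header as Bitcoin hashes it."""
    return struct.pack("<I32s32sIII", version, prev_hash, merkle_root,
                       timestamp, nbits, nonce)


def pow_valid(header_bytes, nbits, digest=sha256d):
    """Steps 1-2: L = digest(H) read as a little-endian integer; valid iff L <= T."""
    L = int.from_bytes(digest(header_bytes), "little")
    return L <= target_from_bits(nbits)


def mine(version, prev_hash, merkle_root, timestamp, nbits,
         max_nonce=2 ** 32, digest=sha256d):
    """Step 3: bump the nonce until the check passes; return (nonce, digest) or None."""
    for nonce in range(max_nonce):
        hdr = serialize_header(version, prev_hash, merkle_root, timestamp, nbits, nonce)
        if pow_valid(hdr, nbits, digest):
            return nonce, digest(hdr)
    return None


def expected_tries(nbits):
    """Expected hash evaluations classically (2^256 / (T+1)) and, with Grover's
    quadratic speedup, the order of quantum queries (the square root)."""
    classical = 2 ** 256 // (target_from_bits(nbits) + 1)
    return classical, math.isqrt(classical)


def demo_block(nbits=0x2000FFFF, max_nonce=2 ** 20):
    """Mine a constructed header (placeholder fields) at an easy target.

    Returns (nonce, header_bytes), or None if max_nonce is exhausted.
    """
    prev_hash = b"\x00" * 32                                      # constructed: no real parent
    merkle_root = hashlib.sha256(b"constructed merkle root").digest()  # constructed
    timestamp = 1700000000                                        # constructed
    result = mine(1, prev_hash, merkle_root, timestamp, nbits, max_nonce)
    if result is None:
        return None
    nonce, _ = result
    return nonce, serialize_header(1, prev_hash, merkle_root, timestamp, nbits, nonce)


if __name__ == "__main__":
    nonce, header = demo_block()
    print("nonce:", nonce, "hash:", sha256d(header)[::-1].hex())
    print("expected tries (classical, Grover):", expected_tries(0x2000FFFF))
```

At `nbits = 0x2000FFFF` roughly one header in 256 qualifies, so the demo finishes in milliseconds; a verifier only ever runs `pow_valid` once per block, which is why swapping the digest changes miners' cost far more than nodes' cost.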

3.3 Challenges and Trade-offs in Post-Quantum Cryptography

While implementing post-quantum cryptography in Bitcoin is necessary to ensure its security in the face of quantum computing advancements, there are several challenges and trade-offs that must be considered.

First, post-quantum cryptographic algorithms generally have larger key sizes and signature sizes compared to classical algorithms. This can result in increased storage and bandwidth requirements for Bitcoin nodes and potentially slower transaction processing times. For example, SIKE-based public keys and signatures are typically larger than their ECDSA counterparts.

Second, the computational complexity of post-quantum cryptographic algorithms is generally higher than that of classical algorithms. This could lead to increased energy consumption and reduced efficiency in the mining process, as well as potentially longer transaction confirmation times.

Lastly, the transition to post-quantum cryptography in Bitcoin would require a coordinated effort from the entire Bitcoin community, including developers, miners, and users. Achieving consensus on the necessary protocol changes and implementing them in a secure and timely manner could be a challenging endeavor. A potential solution to this challenge is to implement a phased rollout of post-quantum cryptographic algorithms, allowing the community to gradually adapt to the new cryptographic primitives while ensuring the security and stability of the Bitcoin network.

4. Case Studies: Existing Projects and Research on Post-Quantum Cryptocurrencies

In this section, we delve into the intricacies of existing projects and research initiatives that concentrate on the development of post-quantum cryptocurrencies and blockchain technologies.

4.1 NTRU-based Cryptocurrencies

NTRU is a lattice-based cryptographic algorithm that has been proposed for use in post-quantum cryptocurrencies. NTRU is predicated upon the hardness of the NTRU problem, which is defined as finding a short vector in a lattice generated by a polynomial ring. The NTRU problem can be formulated as follows: Given a public key $h = f^{-1} \cdot g \pmod{q}$, where $f$ and $g$ are polynomials in the ring $R = \mathbb{Z}[x]/(x^N - 1)$ and $q$ is a prime integer, the NTRU problem consists of recovering the private key $(f, g)$.

NTRU-based cryptocurrencies, such as qTesla, have been proposed as alternatives to Bitcoin that are resistant to quantum computing attacks. The qTesla cryptocurrency relies on the qTesla signature scheme, a variant of the NTRU signature scheme, which can be summarized as follows:

  1. Key generation: Generate a pair of polynomials $(f, g)$ with small coefficients, compute the public key $h = f^{-1} \cdot g \pmod{q}$, and publish $h$.
  2. Signing: Given a message $m$, compute a short polynomial $e$ such that $h \cdot e \approx m \pmod{q}$, and output the signature $(e, r)$, where $r = f \cdot e - m \pmod{q}$.
  3. Verification: Check if $h \cdot e \approx m + r \pmod{q}$.

The qTesla signature scheme is designed to provide post-quantum security with relatively small key sizes and signature sizes, making it suitable for use in a cryptocurrency context.

4.2 Lattice Coin and Other Lattice-based Cryptocurrencies

Lattice Coin is a cryptocurrency project that aims to implement lattice-based cryptography for secure transactions in a post-quantum world. By leveraging the security of lattice-based cryptographic primitives, Lattice Coin aims to provide a scalable and secure cryptocurrency platform that can withstand quantum computing attacks.

One of the core components of Lattice Coin is the implementation of the Learning With Errors (LWE) problem, which is believed to be hard for quantum computers. The LWE problem can be defined as follows: Given a matrix $A \in \mathbb{Z}_q^{n \times m}$, a vector $s \in \mathbb{Z}_q^n$, and an error vector $e \in \mathbb{Z}_q^m$, the LWE problem consists of recovering the secret vector $s$ from the noisy linear equation $b = A^\top s + e \pmod{q}$.

Other lattice-based cryptocurrencies, such as Dilithium, have also been proposed as post-quantum alternatives to Bitcoin. Dilithium is a digital signature scheme based on the hardness of the Module-LWE (MLWE) problem, a generalization of the LWE problem to module lattices. The MLWE problem can be defined as follows: Given a matrix $A \in R_q^{n \times m}$, where $R_q = \mathbb{Z}_q[x]/(x^N - 1)$, a vector $s \in R_q^n$, and an error vector $e \in R_q^m$, the MLWE problem consists of recovering the secret vector $s$ from the noisy linear equation $b = A^\top s + e \pmod{q}$.
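The LWE problem as stated here and in section 2.1 is easiest to appreciate when it is used for something, so below is an added example (not code from the article, Lattice Coin, or any NTRU or Dilithium implementation) of Regev-style public-key encryption built directly on $b = A^\top s + e \pmod{q}$ in the notation above. The parameters $n = 8$, $m = 32$, $q = 257$ and errors in $\{-1, 0, 1\}$ are constructed toy values chosen so that the accumulated noise $\langle e, r \rangle$ never exceeds $q/4$ and decryption is always correct; they provide no security, and the RNG seed is likewise constructed.

```python
"""Toy LWE public-key encryption (Regev-style), added example not from the
article, in the article's notation b = A^T s + e (mod q) with A in Z_q^{n x m}.
Parameters are constructed toy values (n = 8, m = 32, q = 257, errors in
{-1, 0, 1}) chosen so decryption always succeeds; they give no real security.
"""
import random

N, M, Q = 8, 32, 257


def sample_error(rng):
    """Small error term; |<e, r>| <= M = 32 < Q/4, so the bit always decodes."""
    return rng.choice([-1, 0, 1])


def keygen(rng):
    """Secret s in Z_q^n; public key (A, b) with b = A^T s + e, exactly the LWE samples."""
    s = [rng.randrange(Q) for _ in range(N)]
    A = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    e = [sample_error(rng) for _ in range(M)]
    b = [(sum(A[i][j] * s[i] for i in range(N)) + e[j]) % Q for j in range(M)]
    return (A, b), s


def encrypt_bit(bit, pub, rng):
    """Choose a random subset r of the m samples: u = A r, v = <b, r> + bit * floor(q/2)."""
    A, b = pub
    r = [rng.randint(0, 1) for _ in range(M)]
    u = [sum(A[i][j] * r[j] for j in range(M)) % Q for i in range(N)]
    v = (sum(b[j] * r[j] for j in range(M)) + bit * (Q // 2)) % Q
    return u, v


def decrypt_bit(ct, s):
    """v - <s, u> = <e, r> + bit * floor(q/2): small noise plus the encoded bit."""
    u, v = ct
    d = (v - sum(s[i] * u[i] for i in range(N))) % Q
    if d > Q // 2:          # centre d in (-q/2, q/2]
        d -= Q
    return 1 if abs(d) > Q // 4 else 0   # near 0 -> 0, near q/2 -> 1


def encrypt_bytes(data, pub, rng):
    """One LWE ciphertext per bit, least significant bit first."""
    return [encrypt_bit((byte >> i) & 1, pub, rng) for byte in data for i in range(8)]


def decrypt_bytes(cts, s):
    bits = [decrypt_bit(ct, s) for ct in cts]
    return bytes(sum(bits[k + i] << i for i in range(8)) for k in range(0, len(bits), 8))


def roundtrip(message, seed=3):
    """Key generation, encryption and decryption on one seeded RNG (constructed seed)."""
    rng = random.Random(seed)
    pub, s = keygen(rng)
    return decrypt_bytes(encrypt_bytes(message, pub, rng), s)


if __name__ == "__main__":
    print(roundtrip(b"quantum"))   # the plaintext comes back unchanged
```

Without $s$, recovering the bit from $(u, v)$ and the public $(A, b)$ is an LWE instance; even at these toy sizes a naive search over $s \in \mathbb{Z}_{257}^8$ is about $2^{64}$ candidates, and real parameter sets push $n$ into the hundreds. Note also the ciphertext expansion: each plaintext bit costs $n + 1$ elements of $\mathbb{Z}_q$, the same size pressure the article raises for lattice-based signatures.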

Dilithium's digital signature scheme builds upon the MLWE problem and incorporates several optimizations to achieve small signature sizes, making it suitable for use in a cryptocurrency context. The scheme can be summarized as follows:

  1. Key generation: Generate a pair of matrices $(A, S)$ with small coefficients, compute the public key $T = A \cdot S \pmod{q}$, and publish $T$.
  2. Signing: Given a message $m$, compute a short matrix $E$ such that $T \cdot E \approx A \cdot m \pmod{q}$, and output the signature $(E, R)$, where $R = S \cdot E - A \cdot m \pmod{q}$.
  3. Verification: Check if $T \cdot E \approx A \cdot m + R \pmod{q}$.

4.3 Post-Quantum Blockchain Research Initiatives

Several research initiatives are underway to explore the integration of post-quantum cryptographic algorithms into blockchain technologies. One notable project is the PQChain project, which aims to develop a comprehensive post-quantum blockchain framework that supports various post-quantum cryptographic primitives, such as lattice-based, code-based, and hash-based algorithms.

Another significant research initiative is the QRL project, which focuses on building a quantum-resistant blockchain platform using the extended Merkle signature scheme (XMSS), a hash-based digital signature scheme that provides post-quantum security. The XMSS signature scheme can be summarized as follows:

  1. Key generation: Generate a Merkle tree of one-time signature (OTS) public keys, and publish the root of the tree as the public key.
  2. Signing: Select an unused OTS key pair, sign the message with the OTS private key, and output the signature along with the authentication path in the Merkle tree for the corresponding OTS public key.
  3. Verification: Check the OTS signature, and verify the authentication path to ensure it leads to the public key's root.
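The Merkle signature scheme described in section 2.3 and the XMSS steps just listed share one skeleton: a one-time signature, a Merkle tree over the one-time public keys, and an authentication path that ties the used key back to the root. The added example below (not code from the article, the QRL project, or RFC 8391's XMSS) implements that skeleton with Lamport one-time signatures over SHA-256 and a tree of height 3, so it serves both passages. Real XMSS uses WOTS+, bitmasks and address-tweaked hashing, none of which is shown; the class does show the one practical caveat both passages imply, namely that the signer must track which one-time key has been used, and it advances that state before it releases a signature.

```python
"""Toy hash-based (Merkle) signature scheme, added example not from the
article or the QRL project: Lamport one-time signatures over SHA-256 as the
OTS, a Merkle tree of OTS public keys, and an authentication path. Real XMSS
(RFC 8391) uses WOTS+, bitmasks and address-tweaked hashing, not shown here.
"""
import hashlib
import os

H_LEN = 32          # SHA-256 output length in bytes
TREE_HEIGHT = 3     # 2**3 = 8 one-time keys per Merkle public key


def sha256(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


# ---- Lamport one-time signature (OTS) ----
def lamport_keygen():
    """Private key: 256 pairs of random secrets; public key: their hashes."""
    sk = [(os.urandom(H_LEN), os.urandom(H_LEN)) for _ in range(8 * H_LEN)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk


def lamport_pk_digest(pk):
    """Compress the 2 * 256 public hashes into one 32-byte Merkle leaf."""
    return sha256(*[x for pair in pk for x in pair])


def message_bits(msg):
    digest = sha256(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(8 * H_LEN)]


def lamport_sign(sk, msg):
    """Reveal, for each digest bit, the secret of the matching pair."""
    return [sk[i][bit] for i, bit in enumerate(message_bits(msg))]


def lamport_verify(pk, msg, sig):
    return all(sha256(s) == pk[i][bit]
               for i, (bit, s) in enumerate(zip(message_bits(msg), sig)))


# ---- Merkle tree over the OTS public keys ----
def build_tree(leaves):
    """Levels bottom-up: level 0 = leaves, last level = [root]."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([sha256(prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels


def auth_path(levels, index):
    """Sibling hashes from leaf to root; with the leaf they recompute the root."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index //= 2
    return path


def root_from_path(leaf, index, path):
    node = leaf
    for sibling in path:
        node = sha256(node, sibling) if index % 2 == 0 else sha256(sibling, node)
        index //= 2
    return node


# ---- Merkle signature scheme (stateful: each OTS key is used exactly once) ----
class MerkleSigner:
    def __init__(self, height=TREE_HEIGHT):
        self.ots_keys = [lamport_keygen() for _ in range(2 ** height)]
        leaves = [lamport_pk_digest(pk) for _, pk in self.ots_keys]
        self.levels = build_tree(leaves)
        self.public_key = self.levels[-1][0]   # the Merkle root is the public key
        self.next_index = 0                    # state: next unused OTS key

    def remaining_signatures(self):
        return len(self.ots_keys) - self.next_index

    def sign(self, msg):
        if self.next_index >= len(self.ots_keys):
            raise RuntimeError("all one-time keys used; a new tree is required")
        i = self.next_index
        self.next_index += 1                   # advance state before releasing the signature
        sk, pk = self.ots_keys[i]
        return (i, lamport_sign(sk, msg), pk, auth_path(self.levels, i))


def merkle_verify(public_key, msg, signature):
    """Check the OTS signature, then that the OTS public key hashes up to the root."""
    index, ots_sig, ots_pk, path = signature
    if not lamport_verify(ots_pk, msg, ots_sig):
        return False
    return root_from_path(lamport_pk_digest(ots_pk), index, path) == public_key
```

Each signature carries 256 secrets plus the one-time public key and `height` sibling hashes, which is why hash-based signatures are large, and a tree of height $h$ yields exactly $2^h$ signatures, the limitation section 2.3 mentions. Losing the `next_index` state (for example by restoring a wallet from backup) would lead to reusing a Lamport key, which is the failure the stateful design must guard against.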

These research initiatives represent critical steps towards the development and adoption of post-quantum cryptocurrencies and blockchain technologies. They also serve as catalysts for further research and innovation in the field of post-quantum cryptography.

5. Conclusion and Future Outlook

5.1 The Road to a Secure Post-Quantum Bitcoin

The transition to a quantum-secure Bitcoin ecosystem is a complex, multifaceted endeavor that requires the cooperation of various stakeholders, including developers, researchers, and users. The successful integration of post-quantum cryptography into Bitcoin will necessitate the replacement of traditional cryptographic algorithms with quantum-resistant alternatives, as well as the implementation of post-quantum cryptographic primitives in various aspects of the Bitcoin protocol, such as address generation, transaction signing, consensus mechanisms, and network security.

As we have explored in this article, several post-quantum cryptographic techniques, such as lattice-based, code-based, and hash-based cryptography, offer promising alternatives to traditional cryptographic algorithms. While each of these techniques has its own unique advantages and challenges, they collectively provide a solid foundation for the development of quantum-resistant cryptocurrencies and blockchain technologies.

5.2 The Broader Implications of Post-Quantum Cryptography for the Crypto Ecosystem

The implications of post-quantum cryptography extend beyond the realm of Bitcoin and encompass the entire crypto ecosystem. The integration of post-quantum cryptographic algorithms into various cryptocurrencies and blockchain platforms will not only help to safeguard the security and integrity of these systems in a post-quantum world but also spur further innovation and development in the field of cryptography and blockchain technology.

Moreover, the successful implementation of post-quantum cryptography in the crypto ecosystem will have far-reaching consequences for other areas of the digital economy, such as secure communications, digital identity management, and data privacy. As quantum computing continues to advance and the threat of quantum attacks on cryptographic systems becomes more imminent, the need for robust and efficient post-quantum cryptographic solutions will only grow more urgent.

In conclusion, the transition to a post-quantum world presents both challenges and opportunities for the crypto ecosystem. By embracing the potential of post-quantum cryptography and working together to develop and implement quantum-resistant solutions, the crypto community can help to ensure the long-term security and viability of cryptocurrencies and blockchain technologies in the face of emerging quantum threats.

6. References

  1. Nakamoto, S. (2008). Bitcoin: A Peer-to-Peer Electronic Cash System. Retrieved from https://bitcoin.org/bitcoin.pdf
  2. Shor, P. W. (1994). Algorithms for quantum computation: Discrete logarithms and factoring. In Proceedings 35th Annual Symposium on Foundations of Computer Science (pp. 124-134). IEEE.
  3. Bernstein, D. J., & Lange, T. (2017). Post-quantum cryptography. Nature, 549(7671), 188-194.
  4. Regev, O. (2009). On lattices, learning with errors, random linear codes, and cryptography. Journal of the ACM (JACM), 56(6), 1-40.
  5. McEliece, R. J. (1978). A public-key cryptosystem based on algebraic coding theory. DSN Progress Report, 42-44, 114-116.
  6. Merkle, R. C. (1987). A digital signature based on a conventional encryption function. Advances in Cryptology—CRYPTO’87, 369-378.
  7. Chen, L., Jordan, S., Liu, Y. K., Moody, D., Peralta, R., Perlner, R., & Smith-Tone, D. (2016). Report on post-quantum cryptography. NISTIR, 8105.
  8. Paquin, C., & Stebila, D. (2019). Uptane: Securing software updates for automobiles. In International Conference on Financial Cryptography and Data Security (pp. 45-64). Springer, Cham.
  9. Hoffstein, J., Pipher, J., & Silverman, J. H. (1998). NTRU: A ring-based public key cryptosystem. In International Algorithmic Number Theory Symposium (pp. 267-288). Springer, Berlin, Heidelberg.
  10. Langlois, A., & Stehlé, D. (2014). Worst-case to average-case reductions for module lattices. Designs, Codes, and Cryptography, 75(3), 565-599.
  11. Aguilar-Melchor, C., Barrier, J., Guelton, S., Guinet, A., Killijian, M. O., & Lepoint, T. (2017). NFLlib: NTT-based fast lattice library. Cryptology ePrint Archive, Report 2016/510.
  12. Bernstein, D. J., Chou, T., Chuengsatiansup, C., Hülsing, A., Lange, T., Niederhagen, R., & Schwabe, P. (2015). How to manipulate curve standards: a white paper for the black hat. In International Workshop on Selected Areas in Cryptography (pp. 211-231). Springer, Cham.