How does it work?

Get the full paper here.
How are curve parameters generated and why should I trust them?

There are two parallel processes: one that computes 128 bit secure curves and one that handles the 192 and 256 bit secure curves; each curve generation follows five steps:

  1. Initially, we announce the type of curve that will be generated along with the time interval [start_tweet, end_tweet) for the tweeting phase.
  2. The tweeting phase is a ten-minute interval during which public data is gathered, so that everyone who contributes can trust and verify the resulting parameters (as explained in the paper). At time start_tweet a hashtag is published of the form #trx_curve_xxxxx (with x a character or digit). All tweets received before end_tweet are concatenated in the order received to form the public part of the input to sloth.
  3. This public part is immediately published. At the same time a picture is made of the parking lot and publicly committed to without being revealed yet. The concatenation of the public part and the picture forms the input to sloth.
  4. About ten minutes later the curve generation process starts, based on the output of sloth (which will be revealed along with the resulting curve parameters).
  5. At the end the curve parameters are published, along with the uncontestably random number g produced by sloth, data for its fast verification (the sloth witness), the picture taken at time end_tweet, and the list of rejected parameters.

What types of curves are generated?
  • Curve security: this can be 128, 192, or 256 bits, corresponding to curves over prime fields of 256, 384, or 512 bits.
  • Type of prime fields: the prime p can be fixed as NIST primes or be randomly generated based on the seed.
  • Choice of elliptic curve parameter a: either a = −3 mod p, or a is randomly chosen based on the seed.
  • Montgomery compatibility: all curves are twist secure in the following sense. Either the number of rational points on the curve and its twist are both prime, or, if the curve is Montgomery compatible, both orders are four times a prime.


Sloth is a slow hash function. Like a regular hash function, it takes as input any kinds of data and outputs a short string. Unlike other hash funtions, it is very slow to compute, but the result can be checked fast.


Unicorn is a protocol for generating incorruptible random numbers, using data sent, via tweets, by all the people who want to trust the number. This protocol renders any kind of cheating infeasible.


Trx is the name of our online elliptic curve service which you are currently browsing. Using random numbers generated by unicorn, trx is contantly computing and publishing fresh, cryptographically secure elliptic curves.