Score:1

P256 seed problem


I'm reading up on elliptic curves and their history, and it seems that people don't trust the P256 seed, which is defined in FIPS 186-3 on page 89 to be

SEED = c49d3608 86e70493 6a6678e1 139d26b7 819f7e90

Which people suspect may have been generated maliciously.

I'm wondering what happens if the seed is picked in a way that is computationally very hard to not be random, e.g. from a decade of Bitcoin block history?

Suppose we do the following. We define the max Bitcoin block number, e.g. 730422, which is the latest Bitcoin block. The starting point is the Bitcoin genesis block. We now repeat the process:

  1. Hash the block hash to obtain X
  2. seed += X[0]
  3. Compute the next block height as X % 730422
  4. Repeat 1 until we have a long enough seed.

Would such a seed be secure under the assumption that over a decade of energy was not maliciously generated?

Score:5

The curve parameters were generated with $y^2=x^3+ax+H(s)$ with $H$ being SHA-1 and $s$ being the special seed. As the values are generated by passing the seed through SHA-1, it would be difficult to backdoor the curve unless there was such a massive class of weak curves that one could be found by brute force, or SHA-1 was vulnerable to trivial preimage attacks. Both possibilities seem exceedingly unlikely. According to a paper on the subject, the NSA would have had to know of a class of at least $2^{61}$ weak curves in 1997 that are still unknown as of today, and have been able to perform $2^{86}$ bit operations prior to the same year. This is incredibly unlikely to be the case.

While your suggestion would absolutely make such an attack more difficult, the attack is already impractical, if not impossible. Furthermore, if you're worried about a cooked curve, it's far better to use a safe curve with a nothing-up-my-sleeve parameter. See also this answer by Thomas Pornin.
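As an added example (not code from the question, the answer, or any standard), the following Python reproduces the ANSI X9.62 seed-to-curve derivation the answer describes, checks it against the published P-256 SEED, p and b (the relation is b^2 * c = a^3 mod p with c expanded from the SEED by SHA-1, a = -3), runs the generator direction to recover b from the SEED, and also implements the question's block-hash walk. The walk runs over a constructed stand-in chain, not real Bitcoin block hashes, and assumes the unspecified "hash" is SHA-256; those are assumptions, as is the choice of the smaller square root for b.

```python
import hashlib

# Published P-256 parameters (FIPS 186 / SEC 2) and the SEED from the question.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_SEED = bytes.fromhex("c49d360886e704936a6678e1139d26b7819f7e90")


def seed_to_c(seed: bytes, t: int) -> int:
    """ANSI X9.62 seed expansion for a t-bit prime field.

    s = floor((t-1)/160) extra SHA-1 outputs are needed. The first SHA-1(SEED)
    contributes its rightmost h = t - 160*s bits with the top bit cleared; then
    SHA-1((SEED + i) mod 2^g) for i = 1..s is appended. c has at most t-1 bits.
    """
    g = 8 * len(seed)
    s = (t - 1) // 160
    h = t - 160 * s
    first = int.from_bytes(hashlib.sha1(seed).digest(), "big")
    c = first & ((1 << (h - 1)) - 1)   # rightmost h bits, leftmost of them zeroed
    seed_int = int.from_bytes(seed, "big")
    for i in range(1, s + 1):
        seed_i = ((seed_int + i) % (1 << g)).to_bytes(len(seed), "big")
        c = (c << 160) | int.from_bytes(hashlib.sha1(seed_i).digest(), "big")
    return c


def verify_nist_curve(seed: bytes, p: int, b: int, a: int = -3) -> bool:
    """Verifier side: b^2 * c == a^3 (mod p), with c derived from SEED."""
    c = seed_to_c(seed, p.bit_length())
    if c == 0 or (4 * c + 27) % p == 0:   # rejected by X9.62 (singular curve)
        return False
    return (b * b * c - pow(a, 3, p)) % p == 0


def curve_b_from_seed(seed: bytes, p: int, a: int = -3):
    """Generator side: solve b^2 = a^3 / c (mod p).

    Assumes p % 4 == 3 (true for P-256) so a square root is x^((p+1)/4).
    Returns the smaller root (an assumption: X9.62 allows either), or None if
    a^3/c is a non-residue, in which case a generator would pick a new SEED.
    """
    assert p % 4 == 3
    c = seed_to_c(seed, p.bit_length())
    x = pow(a, 3, p) * pow(c, -1, p) % p
    r = pow(x, (p + 1) // 4, p)
    if r * r % p != x:
        return None
    return min(r, p - r)


def walk_seed(block_hashes: dict, max_height: int, seed_len: int = 20) -> bytes:
    """The question's walk: start at height 0, X = H(block hash), append X[0]
    to the seed, next height = int(X) mod max_height, until seed_len bytes.
    H is assumed to be SHA-256; the question does not name it."""
    seed = bytearray()
    height = 0
    while len(seed) < seed_len:
        x = hashlib.sha256(bytes.fromhex(block_hashes[height])).digest()
        seed.append(x[0])
        height = int.from_bytes(x, "big") % max_height
    return bytes(seed)


# Constructed stand-in chain (NOT real Bitcoin block hashes) so this runs offline.
TOY_CHAIN = {h: hashlib.sha256(b"toy block %d" % h).hexdigest() for h in range(16)}

if __name__ == "__main__":
    print("P-256 seed verifies:", verify_nist_curve(P256_SEED, P256_P, P256_B))
    print("b recovered from seed:", curve_b_from_seed(P256_SEED, P256_P) == P256_B)
    walked = walk_seed(TOY_CHAIN, len(TOY_CHAIN))
    print("walked seed:", walked.hex(), "-> b:", curve_b_from_seed(walked, P256_P))
```

Whatever the SEED source, the curve coefficient is fixed by SHA-1 of that SEED: planting a chosen b would require a SHA-1 preimage, which is the point the answer makes. The walk only changes who controls the 160 input bits, not this step.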
