Bounty to Recover NIST’s Elliptic Curve Seeds
This is a fun challenge:
The NIST elliptic curves that power much of modern cryptography were generated in the late ’90s by hashing seeds provided by the NSA. How were the seeds generated? Rumor has it that they are in turn hashes of English sentences, but the person who picked them, Dr. Jerry Solinas, passed away in early 2023 leaving behind a cryptographic mystery, some conspiracy theories, and an historical password cracking challenge.
So there’s a $12K prize to recover the hash seeds.
Some backstory:
Some of the backstory here (it’s the funniest fucking backstory ever): it’s lately been circulating—though I think this may have been somewhat common knowledge among practitioners, though definitely not to me—that the “random” seeds for the NIST P-curves, generated in the 1990s by Jerry Solinas at NSA, were simply SHA1 hashes of some variation of the string “Give Jerry a raise”.
At the time, the “pass a string through SHA1” thing was meant to increase confidence in the curve seeds; the idea was that SHA1 would destroy any possible structure in the seed, so NSA couldn’t have selected a deliberately weak seed. Of course, NIST/NSA then set about destroying its reputation in the 2000’s, and this explanation wasn’t nearly enough to quell conspiracy theories.
But when Jerry Solinas went back to reconstruct the seeds, so NIST could demonstrate that the seeds really were benign, he found that he’d forgotten the string he used!
If you’re a true conspiracist, you’re certain nobody is going to find a string that generates any of these seeds. On the flip side, if anyone does find them, that’ll be a pretty devastating blow to the theory that the NIST P-curves were maliciously generated—even for people totally unfamiliar with basic curve math.
Note that these are not the constants used in the Dual_EC_PRNG random-number generator that the NSA backdoored; this is something different.
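The reproducibility check the whole story turns on, as an added example that is not part of the post or the bounty challenge: a candidate phrase is run through SHA-1 (possibly more than once, since iterated hashing is a common habit) and the 160-bit result is compared with a 160-bit curve seed. The target seed below is constructed from a known phrase so the run checks itself; the actual NIST seeds live in FIPS 186 and are deliberately not reproduced here.

```python
import hashlib
from typing import Iterable, Optional, Tuple

SEED_BYTES = 20  # FIPS 186 P-curve seeds are 160-bit values: exactly one SHA-1 digest


def iterated_sha1(phrase: str, rounds: int = 1) -> bytes:
    """SHA-1 a phrase `rounds` times, feeding each raw digest back into the next round."""
    if rounds < 1:
        raise ValueError("rounds must be at least 1")
    digest = phrase.encode("utf-8")
    for _ in range(rounds):
        digest = hashlib.sha1(digest).digest()
    return digest


def find_seed_phrase(seed_hex: str, candidates: Iterable[str],
                     max_rounds: int = 1) -> Optional[Tuple[str, int]]:
    """Return (phrase, rounds) whose iterated SHA-1 equals the seed, or None.

    Every intermediate round of every candidate is compared, so one pass
    covers the "hashed more than once" case without restarting per round.
    """
    target = bytes.fromhex(seed_hex)
    if len(target) != SEED_BYTES:
        raise ValueError("seed must be 160 bits (20 bytes)")
    for phrase in candidates:
        digest = phrase.encode("utf-8")
        for rounds in range(1, max_rounds + 1):
            digest = hashlib.sha1(digest).digest()
            if digest == target:
                return phrase, rounds
    return None


# Constructed target: the 3-fold SHA-1 of one phrase, standing in for a real
# curve seed so the search below is self-checking. This is NOT a NIST value.
CONSTRUCTED_SEED_HEX = iterated_sha1("Give Jerry a raise", rounds=3).hex()

# Constructed candidate list: spelling/punctuation variants of the rumoured phrase.
CANDIDATES = [
    "Give Jerry a raise!",
    "give jerry a raise",
    "Give Jerry a raise.",
    "Give Jerry a raise",
]

if __name__ == "__main__":
    print(find_seed_phrase(CONSTRUCTED_SEED_HEX, CANDIDATES, max_rounds=5))
    # → ('Give Jerry a raise', 3)
```

Swap in a seed from FIPS 186 and a real wordlist to turn this into an actual attempt; note that a match for any one curve settles the question for that curve only.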
Clive Robinson • October 12, 2023 10:09 AM
@ Bruce, ALL,
From the article intro,
I would say this is highly probable, because it’s what humans do (as I’ve noted before about the XKCD password system[1]).
One way it happens is you,
1, Specify a system
2, build and test in a spiral
3, Document
4, Tidy up
5, Release.
Note step 2 and its implications, which is why step 4 is there.
The main implication of step 2, as far as this goes, is,
“Everything has to be reproducible”
So it can be,
“Tested and Evaluated”
So yes an easy to remember throw away phrase like,
“Green ham and eggs make little kids scream”
Which has got only a little over 63 bits equivalent entropy gets “hashed” to give a faux 512 bits of entropy which gives you a “seed”.
The probability is that it also got hashed more than once, thus increasing the perceived “work factor” without giving any more entropy.
We know we should not do it but it’s a triple “least path of resistance”,
A, Fast to do.
B, Easy to secure.
C, Easy to reproduce.
Oh so seductively attractive…
The trouble is, as we all know, “problems arise” and “marketing/management upgrade the specification” thus “time scales slip”…
So steps 3 and 4 get robbed of time. As step 3 has “easily visible product”, cutting time there is a lot harder than step 4…
So the required level of “Tidy up” never happens, and the world continues to spin, albeit a little more eccentric than before, and we move into a more wobbly future.
[1] My first guess would be along the lines of
“This nonsense is above my pay grade so they get what they pay for.”
Hashed 2310 times.
Which would give around 100 bits of faux entropy.