Comment by dfox
2 years ago
The issue with the NIST curves is that they were generated from a PRNG with some kind of completely random seed. The conspiracy theory there is that the seed was selected such as to make the curve exploitable for the NSA and the NSA only. Choosing such a seed is somewhat harder than a complete break of the hash function (IIRC SHA-2) used in the PRNG that was used to derive the curve.
On the other hand, there are a lot of reasons to use an elliptic curve that was intentionally designed, that is, DJB's designs. And well, in 2009 I would not have imagined that the kind of stuff DJB publishes would end up being TLS 1.3.
It's very unlikely the seeds were random, and they weren't even ostensibly generated from a PRNG, as I understand it. Rather, they were passed through SHA-1 (remember: this is the 1990s), as a means to destroy any possible structure in the original seed. The actual seeds themselves aren't my story to tell, but are a story that other people are talking about. For my part, I'll just point again to Koblitz and Menezes on the actual cryptographic problems with the NIST P-curve seed conspiracy:
https://eprint.iacr.org/2015/1018.pdf
This seems to be all that is publicly known about the seeds: https://saweis.net/posts/nist-curve-seed-origins.html
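As an added illustration that is not part of the thread, the Python below reproduces the ANSI X9.62 "verifiably random" derivation the comment above refers to: the published seed is passed through SHA-1 to produce the coefficient c, and the only thing the procedure lets anyone verify is that b^2 c ≡ a^3 (mod p) holds for the curve. The P-256 constants (p, b, SEED) are the public domain parameters from FIPS 186 / SEC 2, supplied here from the standard rather than from this page.

```python
# Added example: ANSI X9.62 A.3.3.1 / A.3.4.1 seed-to-curve check for NIST P-256.
# Constants are the published P-256 parameters (FIPS 186 / SEC 2), not from the thread.
import hashlib

P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3                    # NIST curves fix a = -3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_SEED = bytes.fromhex("c49d360886e704936a6678e1139d26b7819f7e90")


def x962_c_from_seed(seed: bytes, p: int) -> int:
    """Expand SEED with SHA-1 into the integer c, as in ANSI X9.62 A.3.3.1."""
    t = p.bit_length()                 # 256 for P-256
    s = (t - 1) // 160                 # number of extra SHA-1 outputs (1 for P-256)
    v = t - 160 * s                    # bits kept from the first hash (96 for P-256)
    g = len(seed) * 8                  # seed length in bits
    z = int.from_bytes(seed, "big")
    h = int.from_bytes(hashlib.sha1(seed).digest(), "big")
    c0 = h & ((1 << v) - 1)            # rightmost v bits of SHA-1(SEED)
    w = c0 & ~(1 << (v - 1))           # W0: leftmost bit forced to 0 so that c < p
    for i in range(1, s + 1):          # W_i = SHA-1((z + i) mod 2^g), concatenated
        zi = ((z + i) % (1 << g)).to_bytes(g // 8, "big")
        w = (w << 160) | int.from_bytes(hashlib.sha1(zi).digest(), "big")
    return w


def verify_x962_curve(seed: bytes, p: int, a: int, b: int) -> bool:
    """A.3.4.1: the curve is consistent with SEED iff b^2 * c == a^3 (mod p)."""
    c = x962_c_from_seed(seed, p)
    if c == 0 or (4 * c + 27) % p == 0:
        return False                   # would have been rejected at generation time
    return (b * b * c - a * a * a) % p == 0


if __name__ == "__main__":
    print("P-256 matches its published seed:",
          verify_x962_curve(P256_SEED, P256_P, P256_A, P256_B))
    # Flipping one seed bit breaks the relation. That is all the check proves:
    # it says nothing about how the seed itself was chosen.
    tampered = bytearray(P256_SEED)
    tampered[0] ^= 1
    print("Tampered seed matches:",
          verify_x962_curve(bytes(tampered), P256_P, P256_A, P256_B))
```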
A hash function is a (CS)PRNG. It has the key property, namely of being indistinguishable from randomness while being generated deterministically.
In fact, `echo "This is my seed" | openssl sha -sha256` is not really a CSPRNG. Hash functions are the bases of many PRNGs. But I think you're abusing an ambiguity with the word "random" here. At any rate: we should be clear now on the point being made about the P-curve seeds.
That is not true. There is no such requirement for a hash function.