> if anyone does find them, that'll be a pretty devastating blow to the theory that the NIST P-curves were maliciously generated
IDK, I don't think that finding that a seed matches a hash of "Give Jerry a raise of $100000 dollars now!!!" is any evidence for that, because if I had a desire to generate malicious constants, and knew some unusual property that they must have to be weak, then nothing would prevent me from generating hashes of many, many variations of similar strings until one gives me constants with the properties I need.
At the point where we find an intelligible English string that generates the NIST P-curve seeds, nobody serious is going to take the seed provenance concerns seriously anymore. I think everybody sort of understands that people who don't work in cryptography are always going to have further layers of theory to add, the same way people waiting for the "Mother of All Short Squeezes" do with Direct Share Registration and share votes and stuff. If the bounty program is successful, that's going to end the NIST curve "debate", such as it is.
If you're convinced the P-curves must be backdoored, despite the computer science arguments that suggest they really couldn't have been, then you should comfort yourself in the knowledge that we're probably not going to find the seed strings any time soon; presumably Solinas tried pretty hard himself!
For the reason stated in the article, it's actually pretty likely that there's a counter in there somewhere. A 31-bit number like "3263958374" doesn't seem especially interesting cryptographically.
The counter is described as the minimum value that will fit the pattern and make the result a prime. So that should be easily checkable and not really add any free variables.
If you were evil and motivated you'd probably want to hide your variables in the innocent looking part, the simple English or the punctuation, instead.
Yeah, that counter is separate from a counter embedded in an ASCII string. The one thing that kind of string indicates is that it almost certainly wasn't the first string they tried.
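The point above that a counter defined as "the minimum value that makes the result a prime" adds no free variables is easy to make concrete: anyone can recompute that minimum from the rest of the string and reject any other value. The following is an added example, not code from this thread or from the article it discusses; it assumes SHA-1 as the hash and a decimal counter appended to a constructed base string (the article's actual pattern is not reproduced here), with the primality of the 160-bit digest standing in for "fits the pattern".

```python
import hashlib


def sha1_int(text: str) -> int:
    """Interpret SHA-1(text) as a big-endian integer (160 bits)."""
    return int.from_bytes(hashlib.sha1(text.encode("utf-8")).digest(), "big")


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed small bases; adequate for a demonstration on 160-bit values."""
    if n < 2:
        return False
    small_primes = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for p in small_primes:
        if n % p == 0:
            return n == p
    # write n - 1 as d * 2**r with d odd
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in small_primes:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True


def minimal_prime_counter(base: str, max_counter: int = 10000):
    """Smallest counter c such that SHA-1(base + str(c)) is prime, or None if none below max_counter.
    (Assumption: the counter is appended as decimal digits; this is a constructed pattern.)"""
    for c in range(max_counter):
        if is_probable_prime(sha1_int(f"{base}{c}")):
            return c
    return None


def verify_counter(base: str, claimed: int) -> bool:
    """A claimed counter is legitimate only if it works AND no smaller counter works,
    i.e. it is exactly the minimum; any other choice would be a hidden free variable."""
    return minimal_prime_counter(base, max_counter=claimed + 1) == claimed


if __name__ == "__main__":
    base = "Give Jerry a raise now "  # constructed base string
    c = minimal_prime_counter(base)
    print("minimal counter:", c, "verifies:", verify_counter(base, c))
```

Since primes near 2^160 have density about 1/111, the minimum is usually found within a few hundred tries; the verifier simply repeats the search up to the claimed value, so a counter that is not the minimum is rejected outright.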
This would basically be a Nostradamus attack. If we're going around claiming exciting (read: improbable) things about P256 I don't know what stops us from claiming the NSA can generate collisions in the hash functions it also chose the parameters for.
> At the point where we find an intelligible English string that generates the NIST P-curve seeds, nobody serious is going to take the seed provenance concerns seriously anymore.
GP is making a different argument along the lines of last week’s Twitter fad generating intelligible English sentences which spell out the first few bytes of their hash.
Exactly. How many grammatically correct sentences are there, vs what is the probability that a "random" hash used as an EC seed results in poor security? Research[0] has demonstrated it's not a theoretical vulnerability in the EC selection process.
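To put numbers on the two arguments made above (that an innocent-looking English string proves nothing because a generator can walk through many similar strings until the hash has whatever property it wants, and the "sentences that spell out their own hash" fad), here is an added example that is not part of this thread. It assumes SHA-1 as the hash, constructs its own sentence templates, and uses "the hex digest starts with a chosen prefix" as a stand-in for whatever property a generator might be hunting for: a property that holds with probability p costs about 1/p candidates, and an English template with an amount and a punctuation slot supplies far more candidates than that.

```python
import hashlib
import itertools
import string

HEX_DIGITS = string.hexdigits[:16]  # "0123456789abcdef"


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def search_variants(predicate, max_amount=100000, endings=("!", "!!", "!!!", ".")):
    """Walk through 'similar strings' (only the amount and punctuation vary) until the
    hash of one satisfies `predicate`. Returns (sentence, digest, tries) or None."""
    tries = 0
    for amount in range(1, max_amount + 1):
        for ending in endings:
            sentence = f"Give Jerry a raise of ${amount} dollars now{ending}"  # constructed template
            tries += 1
            digest = sha1_hex(sentence)
            if predicate(digest):
                return sentence, digest, tries
    return None


def expected_tries(prefix_len: int) -> int:
    """Each candidate matches a fixed hex prefix with probability 16**-prefix_len,
    so roughly 16**prefix_len candidates are needed."""
    return 16 ** prefix_len


# Constructed template for the self-describing-sentence search.
SELF_DESCRIBING_TEMPLATE = (
    "The SHA-1 of this sentence begins with {prefix}, so give Jerry a raise of ${amount}!"
)


def find_self_describing_sentence(prefix_len=3, max_amount=50):
    """Search the (amount, prefix) space for a sentence whose SHA-1 really does start
    with the prefix the sentence names. Returns (sentence, digest, tries) or None."""
    tries = 0
    for amount in range(1, max_amount + 1):
        for chars in itertools.product(HEX_DIGITS, repeat=prefix_len):
            prefix = "".join(chars)
            sentence = SELF_DESCRIBING_TEMPLATE.format(prefix=prefix, amount=amount)
            tries += 1
            digest = sha1_hex(sentence)
            if digest.startswith(prefix):
                return sentence, digest, tries
    return None


def named_prefix(sentence: str, prefix_len=3) -> str:
    """Extract the prefix a self-describing sentence claims for itself."""
    marker = "begins with "
    start = sentence.index(marker) + len(marker)
    return sentence[start:start + prefix_len]


if __name__ == "__main__":
    print(search_variants(lambda d: d.startswith("00")))
    print(find_self_describing_sentence())
```

The first search typically succeeds within a few hundred of the 400,000 available candidates for a 1-in-256 property, which is the whole point: a "readable" seed string with a number or a few exclamation marks in it is consistent with having been chosen after a search, so its readability carries no evidential weight by itself.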