[146927] in cryptography@c2.net mail archive
[Cryptography] Seed values for NIST curves
daemon@ATHENA.MIT.EDU (Nemo)
Mon Sep 9 18:43:28 2013
X-Original-To: cryptography@metzdowd.com
Date: Mon, 9 Sep 2013 10:37:09 -0700
From: Nemo <nemo@self-evident.org>
To: cryptography@metzdowd.com
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
I have been reading FIPS 186-3 (
http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf) and 186-4 (
http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf), particularly
Appendix A describing the procedure for generating elliptic curves and
Appendix D specifying NIST's recommended curves.
The approach appears to be an attempt at a "nothing up my sleeve"
construction. Appendix A says how to start with a seed value and use SHA-1
as a pseudo-random generator to produce candidate curves until a suitable
one is found. Appendix D includes the seed value for each curve so that
anyone can verify they were generated according to the pseudo-random
process described in Appendix A.
Unless NSA can invert SHA-1, the argument goes, they cannot control the
final curves.
However...
To my knowledge, most "nothing up my sleeve" constructions use clearly
non-random seed values. For example, MD5 uses the sines of consecutive
integers. SHA-1 uses sqrt(2), sqrt(3), and similar.
Using random seeds just makes it look like you wanted to try a few -- or
possibly a great many -- until the result had some undisclosed property you
wanted.
Question: Who chose the seeds for the NIST curves, and how do they claim
those seeds were chosen, exactly?
- Nemo
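The Appendix A procedure Nemo describes is mechanical enough to replay. Below is an added example, not part of Nemo's post or of the FIPS documents, that implements the SHA-1 seed expansion of FIPS 186-4 Appendix A.3.1.1 as this editor reads it and then runs the Appendix A.3.1.2 check that the published b satisfies c * b^2 = -27 (mod p) (the curves use a = -3, so a^3 = -27). The function names are the editor's own; the constants p, b and SEED for P-256 are copied from FIPS 186-4 Appendix D, which the post links to, and a reader can drop in any other curve from that appendix. Note what the check does and does not establish: it confirms that b was derived from the stated seed through SHA-1, which is exactly the "cannot invert SHA-1" argument, but it says nothing about how many seeds were tried before this one was published.

```python
import hashlib

# Curve parameters for P-256 as printed in FIPS 186-4 Appendix D (p, b and SEED).
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_B = int("5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", 16)
P256_SEED = bytes.fromhex("c49d360886e704936a6678e1139d26b7819f7e90")


def expand_seed(seed: bytes, p: int) -> int:
    """Derive the integer c from SEED with SHA-1 as the PRNG (FIPS 186-4 A.3.1.1).

    m is the bit length of p. The first hash output is truncated to its
    rightmost w = m - 160*v - 1 bits and v = floor((m - 1) / 160) further
    hashes of SEED+1, SEED+2, ... are appended, so c always has fewer bits
    than p.  (Editor's reading of the standard; function name is ours.)
    """
    m = p.bit_length()
    v = (m - 1) // 160
    w = m - 160 * v - 1
    g = len(seed) * 8                       # seed length in bits, must be >= 160
    z = int.from_bytes(seed, "big")

    h0 = int.from_bytes(hashlib.sha1(seed).digest(), "big") & ((1 << w) - 1)
    c = h0
    for i in range(1, v + 1):
        z_i = (z + i) % (1 << g)            # (z + i) mod 2^g
        s_i = z_i.to_bytes(g // 8, "big")   # the g-bit string of z_i
        h_i = int.from_bytes(hashlib.sha1(s_i).digest(), "big")
        c = (c << 160) | h_i                # h = h0 || h1 || ... || hv
    return c


def verify_curve_seed(p: int, b: int, seed: bytes) -> bool:
    """Return True when b is consistent with seed: c * b^2 == -27 (mod p)."""
    c = expand_seed(seed, p)
    if c == 0 or (4 * c + 27) % p == 0:     # such a c is rejected by the generator
        return False
    return (c * b * b + 27) % p == 0


def tamper(seed: bytes) -> bytes:
    """Flip one bit of the seed; the published b should then fail the check."""
    return bytes([seed[0] ^ 0x01]) + seed[1:]


if __name__ == "__main__":
    print("P-256 published seed verifies:", verify_curve_seed(P256_P, P256_B, P256_SEED))
    print("one-bit-altered seed verifies:", verify_curve_seed(P256_P, P256_B, tamper(P256_SEED)))
```

Running the script prints True for the published seed and False for the altered one. That is the whole content of the "nothing up my sleeve" claim as published: anyone can confirm the link from seed to curve, while the question of how the seed itself was chosen is left open, which is precisely what the post asks.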
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography