I have been reading FIPS 186-3 ( http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf) and 186-4 ( http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf), particularly Appendix A describing the procedure for generating elliptic curves and Appendix D specifying NIST's recommended curves.
The approach appears to be an attempt at a "nothing up my sleeve" construction. Appendix A says how to start with a seed value and use SHA-1 as a pseudo-random generator to produce candidate curves until a suitable one is found. Appendix D includes the seed value for each curve so that anyone can verify they were generated according to the pseudo-random process described in Appendix A. Unless NSA can invert SHA-1, the argument goes, they cannot control the final curves.

However... To my knowledge, most "nothing up my sleeve" constructions use clearly non-random seed values. For example, MD5 uses the sines of consecutive integers. SHA-1 uses sqrt(2), sqrt(3), and similar. Using random seeds just makes it look like you wanted to try a few -- or possibly a great many -- until the result had some undisclosed property you wanted.

Question: Who chose the seeds for the NIST curves, and how do they claim those seeds were chosen, exactly?

- Nemo
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
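The verification step the post refers to (that anyone can take the published SEED and check it regenerates the published curve) can be carried out in a few lines. The following is an added example, not code from the post or from NIST: it implements the SHA-1 expansion of SEED into the integer r from the FIPS 186 / ANSI X9.62 prime-field procedure and then checks the curve relation r * b^2 = a^3 (mod p) with a = p - 3, using the P-256 values from Appendix D. The same function applies unchanged to P-224, P-384 and P-521 given their seeds from Appendix D. Note what this does and does not establish: it confirms that the seed determines b, but it says nothing about how the seed itself was chosen, which is exactly the point of the question above.

```python
import hashlib

# NIST P-256 domain parameters as published in FIPS 186-4, Appendix D.
# All NIST prime curves use a = p - 3.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_SEED = bytes.fromhex("c49d360886e704936a6678e1139d26b7819f7e90")


def derive_r(seed: bytes, p: int) -> int:
    """Expand SEED into the integer r using the SHA-1 based process of
    ANSI X9.62 / FIPS 186 Appendix A (prime-field curves).

    With t = bitlength(p), s = floor((t-1)/160), v = t - 160*s:
      W0 = rightmost v bits of SHA-1(SEED) with the leftmost of those cleared
      Wi = SHA-1((z + i) mod 2^g) for i = 1..s, z = integer value of SEED
      r  = integer whose bit string is W0 || W1 || ... || Ws  (t-1 bits)
    """
    g = len(seed) * 8            # seed length in bits (160 for NIST curves)
    t = p.bit_length()
    s = (t - 1) // 160
    v = t - 160 * s

    h = int.from_bytes(hashlib.sha1(seed).digest(), "big")
    w = h & ((1 << (v - 1)) - 1)  # low v-1 bits == low v bits with top bit 0

    z = int.from_bytes(seed, "big")
    for i in range(1, s + 1):
        zi = ((z + i) % (1 << g)).to_bytes(g // 8, "big")
        w = (w << 160) | int.from_bytes(hashlib.sha1(zi).digest(), "big")
    return w


def verify_curve(seed: bytes, p: int, b: int, a=None) -> bool:
    """Return True iff SEED yields the published coefficient b, i.e.
    r * b^2 == a^3 (mod p), which is how b is derived from r (b^2 = a^3 / r).
    """
    if a is None:
        a = p - 3
    r = derive_r(seed, p)
    if r == 0 or (4 * r + 27) % p == 0:  # rejected by the generation procedure
        return False
    return (r * b * b - a * a * a) % p == 0


if __name__ == "__main__":
    print("P-256 seed reproduces published b:",
          verify_curve(P256_SEED, P256_P, P256_B))
```

Flipping a single bit of the seed, or changing b, makes the check fail, so the published seed does pin down the published curve; the open question the post raises is only about the provenance of that seed.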