[Cryptography] Seed values for NIST curves

Nemo nemo at self-evident.org
Mon Sep 9 13:37:09 EDT 2013

I have been reading FIPS 186-3 (
http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf) and 186-4 (
http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf), particularly
Appendix A describing the procedure for generating elliptic curves and
Appendix D specifying NIST's recommended curves.

The approach appears to be an attempt at a "nothing up my sleeve"
construction. Appendix A says how to start with a seed value and use SHA-1
as a psuedo-random generator to produce candidate curves until a suitable
one is found. Appendix D includes the seed value for each curve so that
anyone can verify they were generated according to the pseudo-random
process described in Appendix A.

Unless NSA can invert SHA-1, the argument goes, they cannot control the
final curves.


To my knowledge, most "nothing up my sleeve" constructions use clearly
non-random seed values. For example, MD5 uses the sines of consecutive
integers. SHA-1 uses sqrt(2), sqrt(3), and similar.

Using random seeds just makes it look like you wanted to try a few -- or
possibly a great many -- until the result had some undisclosed property you

Question: Who chose the seeds for the NIST curves, and how do they claim
those seeds were chosen, exactly?

 - Nemo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20130909/096742b0/attachment.html>

More information about the cryptography mailing list