[HN Gopher] NIST Elliptic Curves Seeds Bounty
___________________________________________________________________
NIST Elliptic Curves Seeds Bounty
Author : mfrw
Score : 94 points
Date : 2023-10-05 21:26 UTC
Link : words.filippo.io
| mcpherrinm wrote:
| I'm one of the people contributing to the bounty because if it
| really is a password-crackable phrase, it would be of significant
| historical impact to know.
| ilc wrote:
| Now, for the real question:
|
| Did Jerry get a raise?
| freedude wrote:
| I came here for this...
| glompers wrote:
| They're still in seed stage
| natch wrote:
| 4d169a9023aed89e92b73edc661498dc7bb22026
| [deleted]
| tptacek wrote:
| Some of the backstory here (it's the funniest fucking backstory
| ever): it's lately been circulating --- though I think this may
| have been somewhat common knowledge among practitioners, though
| definitely not to me --- that the "random" seeds for the NIST
| P-curves, generated in the 1990s by Jerry Solinas at NSA, were
| simply SHA1 hashes of some variation of the string "Give Jerry a
| raise".
|
| At the time, the "pass a string through SHA1" thing was meant to
| _increase_ confidence in the curve seeds; the idea was that SHA1
| would destroy any possible structure in the seed, so NSA
| couldn't have selected a deliberately weak seed. Of course, NIST/NSA
| then set about destroying its reputation in the 2000's, and this
| explanation wasn't nearly enough to quell conspiracy theories.
|
| But when Jerry Solinas went back to reconstruct the seeds, so
| NIST could demonstrate that the seeds really were benign, he
| found that he'd forgotten the string he used!
|
| If you're a true conspiracist, you're certain nobody is going to
| find a string that generates any of these seeds. On the flip
| side, if anyone does find them, that'll be a pretty devastating
| blow to the theory that the NIST P-curves were maliciously
| generated --- even for people totally unfamiliar with basic curve
| math.
|
| So: pretty fun bounty.
| smegsicle wrote:
| a true conspiracist doesn't believe everything he hears
| colmmacc wrote:
| By the late nineties using _both_ MD5 and SHA1 for "additional
| robustness" together in ad-hoc constructions was also en vogue.
| SSLv2 and SSLv3 are good examples. The outputs match the size
| of a SHA1, but it wouldn't be that shocking if the pipeline
| were some form of echo "$string" | md5sum | sha1sum.
| worewood wrote:
| > At the time, the "pass a string through SHA1" thing was meant
| to increase confidence in the curve seeds; the idea was that
| SHA1 would destroy any possible structure in the seed, so NSA
| couldn't have selected a deliberately weak seed.
|
| It's standard to use transcendental constants like pi or e for
| this purpose as you can't select them. A phrase could in theory
| be selected to yield a more desirable hash.
| monocasa wrote:
| I mean sha-1 is for sure broken, but I thought that was mainly
| concerning stuff like collisions via a length extension attack
| and other known plaintext attacks.
|
| Finding what amounts to a passphrase just given a hash was still
| generally intractable I thought.
| tptacek wrote:
| It's a simple dictionary attack, which is how most password
| hashes are broken. This has really nothing to do with SHA1
| itself.
| woodruffw wrote:
| Yes, SHA-1 is still considered preimage resistant. But preimage
| resistance isn't _that_ important here, if the hypothesis about
| seed structure is correct: SHA-1 is also very fast and trivial
| to parallelize, and someone dedicated to exploring the
| permutation space of "Jerry needs a raise" stands a decent
| chance of discovering the original input.
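Added example (mine, not from the post or any commenter) of the dictionary search tptacek and woodruffw describe above, including the `echo "$string" | md5sum | sha1sum` shape colmmacc mentions. The five seeds are the published FIPS 186-4 / SEC 2 values; the phrase templates, name forms and hash pipelines are assumptions about what the search space could look like, and a constructed control seed with a known preimage is mixed into the targets so the matcher can be seen to work. Against the real seeds this tiny list finds nothing, which is the whole point of the bounty.

```python
"""Dictionary-style search for a phrase whose hash is a NIST P-curve seed.

Added example, not code from the linked post or any commenter.  The seeds are
the published FIPS 186-4 / SEC 2 values; everything else (the phrase templates,
the name forms, the candidate hash pipelines) is an assumption about what the
search space could look like.  A synthetic control seed is mixed into the
targets so the matcher can be seen working on a known hit.
"""
import hashlib
from typing import Callable, Iterable

# Published seeds for P-192, P-224, P-256, P-384 and P-521 (lower-case hex).
NIST_SEEDS = {
    "3045ae6fc8422f64ed579528d38120eae12196d5",
    "bd71344799d5c7fcdc45b59fa3b9ab8f6a948bc5",
    "c49d360886e704936a6678e1139d26b7819f7e90",
    "a335926aa319a27a1d00896a6773a4827acdac73",
    "d09e8800291cb85396cc6717393284aae0eb9b3e",
}

# Assumed phrase space: rumoured wording, a few name forms, casing, terminators.
TEMPLATES = ["Give {name} a raise", "{name} needs a raise",
             "{name} deserves a raise", "{name} should get a raise"]
NAMES = ["Jerry", "Jerry Solinas"]
CASINGS = [str, str.lower, str.upper]
TERMINATORS = ["", ".", "!", "\n"]


def candidates() -> list[str]:
    """Every template x name x casing x terminator combination, deduplicated."""
    out = set()
    for tpl in TEMPLATES:
        for name in NAMES:
            for case in CASINGS:
                for term in TERMINATORS:
                    out.add(case(tpl.format(name=name)) + term)
    return sorted(out)


def _shell_md5_then_sha1(data: bytes) -> str:
    # echo "$s" | md5sum | sha1sum : echo appends "\n"; md5sum prints "<hex>  -\n";
    # sha1sum then hashes that text line, not the raw 16-byte MD5 digest.
    md5_line = hashlib.md5(data + b"\n").hexdigest() + "  -\n"
    return hashlib.sha1(md5_line.encode()).hexdigest()


# Candidate hash pipelines (assumed).  Each maps phrase bytes to 40 hex chars.
PIPELINES: dict[str, Callable[[bytes], str]] = {
    "sha1": lambda d: hashlib.sha1(d).hexdigest(),
    "sha1(sha1)": lambda d: hashlib.sha1(hashlib.sha1(d).digest()).hexdigest(),
    "sha1(md5)": lambda d: hashlib.sha1(hashlib.md5(d).digest()).hexdigest(),
    "sh: md5sum|sha1sum": _shell_md5_then_sha1,
}


def search_seeds(targets: set[str], phrases: Iterable[str],
                 pipelines: dict[str, Callable[[bytes], str]]) -> list[tuple[str, str, str]]:
    """Return (pipeline, phrase, digest) for every phrase/pipeline pair that hits a target."""
    hits = []
    for phrase in phrases:
        data = phrase.encode()
        for name, fn in pipelines.items():
            digest = fn(data)
            if digest in targets:
                hits.append((name, phrase, digest))
    return sorted(hits)


if __name__ == "__main__":
    phrases = candidates()
    print(f"{len(phrases)} candidate phrases x {len(PIPELINES)} pipelines")
    print("hits on the real seeds:", search_seeds(NIST_SEEDS, phrases, PIPELINES))
    # Constructed control: a seed whose preimage we know, to show the matcher works.
    control = PIPELINES["sha1(md5)"](b"Give Jerry a raise!")
    print("hits with control seed:", search_seeds(NIST_SEEDS | {control}, phrases, PIPELINES))
```

Scaling this up is a matter of a much larger candidate list and a GPU cracker rather than any weakness in SHA-1: preimage resistance only protects inputs with enough entropy, and a human-chosen sentence has very little.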