bladerunner on Nostr:
For example, P-256r's seed is c49d360886e704936a6678e1139d26b7819f7e90. No justification is given for that value.
There are two points – P1 and P2 – on a curve. The first is used to calculate a random value, which is the x coordinate of the product n*P1, where n can be considered the internal state of the algorithm. P2 is used to change the internal state of the algorithm by calculating the product n*P2 and using its x coordinate as the new state. If there were a dependency between P1 and P2, e.g. if P2 = s*P1, then calculating the internal state becomes trivial – it's the x coordinate of s*P1*n, where both P1*n and 's' are known to an attacker. Since the method of P2 selection has never been disclosed, it created suspicions that a backdoor key has existed and was known to the algorithm creator since day one.
Just one of so many examples.
https://crypto.stackexchange.com/questions/10263/should-we-trust-the-nist-recommended-ecc-parameters
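As an added example (not code from the post or the linked thread), this runs the ANSI X9.62 "verifiably random" check against the P-256 seed quoted above, using P-256's published p, a = -3 and b. It confirms that b was derived from that seed via SHA-1, while saying nothing about how the seed itself was chosen, which is exactly the gap the post points at.

```python
import hashlib

# P-256 domain parameters as published (p, a = -3, b) and the seed quoted in the post.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_SEED = 0xc49d360886e704936a6678e1139d26b7819f7e90
SEED_BITS = 160  # g in ANSI X9.62, equal to the SHA-1 output length


def x962_curve_integer(seed: int, p: int, g: int = SEED_BITS) -> int:
    """Expand a seed into the integer r of the ANSI X9.62 prime-curve procedure:
    W0 = rightmost v bits of SHA-1(seed) with its top bit cleared,
    Wi = SHA-1((seed + i) mod 2^g) for i = 1..s, r = int(W0 || W1 || ... || Ws)."""
    t = p.bit_length()
    s = (t - 1) // g            # number of full 160-bit blocks after W0
    v = t - g * s               # width of the leading partial block (96 for P-256)
    h = int.from_bytes(hashlib.sha1(seed.to_bytes(g // 8, "big")).digest(), "big")
    w0 = h & ((1 << v) - 1)     # keep the rightmost v bits of the hash
    w0 &= ~(1 << (v - 1))       # leftmost bit of W0 is forced to zero by the spec
    r = w0
    for i in range(1, s + 1):
        z_i = (seed + i) % (1 << g)
        w_i = hashlib.sha1(z_i.to_bytes(g // 8, "big")).digest()
        r = (r << g) | int.from_bytes(w_i, "big")
    return r


def verify_seed(seed: int, p: int, a: int, b: int) -> bool:
    """True iff r * b^2 == a^3 (mod p), i.e. b is the value the seed expands to."""
    r = x962_curve_integer(seed, p)
    if r == 0 or (4 * r + 27) % p == 0:
        return False            # degenerate r; the spec rejects such seeds
    return (r * b * b - a ** 3) % p == 0


def verify_p256() -> bool:
    return verify_seed(P256_SEED, P256_P, P256_A, P256_B)


if __name__ == "__main__":
    print("P-256 b derived from the published seed:", verify_p256())
    # A seed off by one must not reproduce b (constructed negative case).
    print("tampered seed:", verify_seed(P256_SEED + 1, P256_P, P256_A, P256_B))
```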