# Supercharging the NIST Elliptic Curve Seeds Bounty
> Cryptography is typically bypassed, not penetrated.
> _– Adi Shamir_
[Filippo Valsorda](https://filippo.io), along with other well-known cryptographers (e.g. [Matthew Green](https://blog.cryptographyengineering.com), professor at Johns Hopkins University), recently started a bounty to find the hash seeds for the NIST curves (P-192, P-224, P-256, P-384, and P-521). These curves are widely supported by HSMs, either [local](https://developers.yubico.com/YubiHSM2/Concepts/Algorithms.html) or [cloud](https://docs.aws.amazon.com/cloudhsm/latest/userguide/pkcs11-key-types.html), and by secure signing hardware in mobile devices, such as [Apple's Secure Enclave](https://developer.apple.com/documentation/cryptokit/secureenclave/p256) and [Android devices with the Titan M2 chip](https://www.niap-ccevs.org/MMO/Product/st_vid11317-st.pdf).
For more information on the bounty and the history of the issue, it is best to read the [original bounty announcement](https://words.filippo.io/dispatches/seeds-bounty).
## Why is this important for Ethereum?
Ethereum is the amalgamation of distributed systems and asymmetric cryptography. There is no way to compromise on the security of these two cornerstones. Cool, but what's the deal now? Well, the bounty tries to find the preimage (the data that is input into a hash function to calculate a hash) of (among others) the seed used to generate the `secp256r1` curve parameters. That curve is currently being discussed for addition as a precompile via [EIP-7212](https://eips.ethereum.org/EIPS/eip-7212) (see the ongoing discussion [here](https://ethereum-magicians.org/t/eip-7212-precompiled-for-secp256r1-curve-support/14789)).
Note that a lot of the pushback against EIP-7212 is due to concerns about it having a _potential_ backdoor. TL;DR: For `secp256r1`, the seed is `c49d360886e704936a6678e1139d26b7819f7e90` and we don't know exactly how it was calculated. That is what this bounty essentially seeks to change.
For more info regarding the backdoor theories you may want to read [this article](https://bitcoinmagazine.com/technical/satoshis-genius-unexpected-ways-in-which-bitcoin-dodged-some-cryptographic-bullet-1382996984) from Vitalik or the following paper [A Riddle Wrapped in an Enigma](https://eprint.iacr.org/2015/1018.pdf?ref=words.filippo.io).
While finding the seeds does not prove the absence of a backdoor in `secp256r1`, it does decrease the chances of one if the seed is indeed something as trivial as `SHA1("Jerry deserves a raise")`. After all, you can only try out so many "simple" seeds.
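To make concrete what is known and what is missing, here is an added example (not code from the bounty or from this project) that re-derives the link between the published seed and the P-256 coefficient `b`, then tests a candidate phrase against the seed. It assumes the verifiably-random procedure from FIPS 186-4 Appendix D.5 and the published P-256 constants `p` and `b`, neither of which appears on this page; the function names are hypothetical.

```python
import hashlib

# Published P-256 (secp256r1) parameters from FIPS 186; assumed, not listed on this page.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
# Seed quoted on this page.
SEED = bytes.fromhex("c49d360886e704936a6678e1139d26b7819f7e90")


def derive_c(seed: bytes, p: int) -> int:
    """Expand a 160-bit seed into the integer c (FIPS 186-4 D.5, steps 2-7)."""
    l = p.bit_length()
    v = (l - 1) // 160          # number of extra SHA-1 blocks
    w = l - 160 * v - 1         # bits kept from the first digest
    c = int.from_bytes(hashlib.sha1(seed).digest(), "big") & ((1 << w) - 1)
    z = int.from_bytes(seed, "big")
    for i in range(1, v + 1):
        s_i = ((z + i) % 2**160).to_bytes(20, "big")
        c = (c << 160) | int.from_bytes(hashlib.sha1(s_i).digest(), "big")
    return c


def seed_matches_curve(seed: bytes, p: int, b: int) -> bool:
    """Known part: with a = -3, the curve derives from seed iff b^2 * c = -27 (mod p)."""
    return (b * b * derive_c(seed, p) + 27) % p == 0


def is_preimage(candidate: str, seed: bytes) -> bool:
    """Unknown part: does SHA-1 of a candidate phrase reproduce the seed?"""
    return hashlib.sha1(candidate.encode()).digest() == seed


if __name__ == "__main__":
    print("seed -> b verifies:", seed_matches_curve(SEED, P, B))
    phrase = "Jerry deserves a raise"
    print(f"SHA1({phrase!r}) is the seed:", is_preimage(phrase, SEED))
```

The first check passes for anyone, which is why the curve counts as "verifiably random" from the seed onward; the second check is the open question the bounty pays for.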
## How can you support this bounty?
### Still got a set of GPUs from the pre-merge days?
Maybe even some experience with [hashcat](https://hashcat.net/hashcat/)? Then challenge your luck and fire up that rig again!
Don't forget to read Filippo's [bounty announcement](https://words.filippo.io/dispatches/seeds-bounty/) to get all the info already known about the seeds.
### Donate to help fill out an empty page of cryptographic history!
If not, you may want to donate some crypto to increase the incentive for crackers.
The project's wallet is [`seeds-bounty.eth`](https://etherscan.io/address/0xf0A4095D3cEa682C653A993B983E866c17be3075).
## Payout Policy
This project is not intended to start a new bounty - we wanna increase Filippo's bounty payout.
This means we accept as the winner whoever Filippo accepts and will follow his payout policy as much as possible.
From Filippo's bounty announcement:
> Half the bounty will pay out to the first submission of at least one pre-seed, and the other half will pay out to the first submission of all five pre-seeds.
> They can of course go to the same person, so don’t wait to have them all to submit.
Of course you are also free to donate the bounty to a charity of your choice.
Note: we will check whether it's legally allowed to send money to you. If we see that it isn't, you'll have to select a charity to send the money to, following the same guidelines Filippo has set.
You’re responsible for any taxes on the bounty!
## Bounty Expiration
While Filippo reserves the right to cancel the bounty, we don't.
The only way the bounty can expire is if the seeds become publicly known. In that case we'll donate the bounty.
## Who is behind this?
The `seeds-bounty.eth` project was initiated by the following folks:
- [merkleplant](https://merkleplant.xyz)
- [pcaversaccio](https://pcaversaccio.com)
- [Charles Cooper](https://twitter.com/big_tech_sux)
- [jtriley](https://twitter.com/jtriley_eth)
- [Kobi Gurkan](https://kobi.one/)
- [z80](https://twitter.com/0xz80)
- [Sebastian Buergel](https://twitter.com/SCBuergel)
- [Philipp Jovanovic](https://twitter.com/Daeinar)
- [Matt Solomon](https://mattsolomon.dev/)
The `seeds-bounty.eth` address is a Safe multisig wallet at [`0xf0A4095D3cEa682C653A993B983E866c17be3075`](https://etherscan.io/address/0xf0A4095D3cEa682C653A993B983E866c17be3075) with a 7 out of 9 threshold configuration.