Cryptography is typically bypassed, not penetrated.
– Adi Shamir
Filippo Valsorda, along with other well-known cryptographers (e.g. Matthew Green, professor at Johns Hopkins University), recently started a bounty to find the hash seeds for the NIST curves (P-192, P-224, P-256, P-384, and P-521). These curves are widely supported by HSMs, whether on-premises or in the cloud, and by the secure signing hardware in mobile devices, such as Apple's Secure Enclave and Android devices with the Titan M2 chip.
For more information on the bounty and the history of the issue, it is best to read the original bounty announcement.
Ethereum is the amalgamation of distributed systems and asymmetric cryptography. There is no way to compromise on the security of these two cornerstones. Cool, but what's the deal now? Well, the bounty tries to find the preimage (the input that was fed into a hash function to produce a given hash) of the seed behind, among others, the secp256r1 curve parameters. secp256r1 is currently being discussed for addition as a precompile via EIP-7212 (see the ongoing discussion here).
Note that a lot of the pushback regarding EIP-7212 stems from concerns that secp256r1 might contain a backdoor. TL;DR: for secp256r1, the seed is c49d360886e704936a6678e1139d26b7819f7e90, and we don't know exactly how it was calculated. That is what this bounty essentially seeks to change.
For more info regarding the backdoor theories, you may want to read this article by Vitalik or the paper A Riddle Wrapped in an Enigma.
While finding the seeds would not prove the absence of a backdoor in secp256r1, it would substantially reduce the likelihood of one if the seed turns out to be something as trivial as SHA1("Jerry deserves a raise"). After all, there are only so many "simple" seeds one can try.
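The two checks a verifier actually performs are worth seeing side by side. The first is the one the bounty is about: hash a candidate phrase and compare it with the P-256 seed quoted above. The second is the part that is already verifiable today and that the bounty does not need to recover: the ANSI X9.62 "verifiably random" derivation that turns the seed into the curve coefficient b, which FIPS 186-4 states as b² · c ≡ −27 (mod p) for the a = −3 NIST curves. The code below is an added example and is not code from the bounty or from Filippo's announcement; the seed comes from this page, p, a and b are the published FIPS 186-4 P-256 constants, and the list of candidate encodings is a constructed assumption for illustration, not a rule of the bounty.

```python
"""Added example: checking a seed guess against the P-256 seed, and checking that
the seed really does derive the published curve (ANSI X9.62 Annex A.3.3 /
FIPS 186-4 Appendix A)."""
import hashlib

# Seed for P-256 (secp256r1) as quoted on the page and in FIPS 186-4, Appendix D.
P256_SEED = bytes.fromhex("c49d360886e704936a6678e1139d26b7819f7e90")

# Published P-256 parameters (FIPS 186-4). p is written as its formula rather
# than as a hex literal to avoid transcription slips; a = -3 for all NIST curves.
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def candidate_encodings(phrase: str):
    """Yield (name, bytes) pairs for the ways a 'simple' seed phrase might have
    been fed into SHA-1. Constructed assumption for this example only."""
    yield "utf-8", phrase.encode("utf-8")
    yield "utf-8+newline", phrase.encode("utf-8") + b"\n"
    yield "utf-16-le", phrase.encode("utf-16-le")


def matching_encoding(phrase: str, seed: bytes = P256_SEED):
    """Return the encoding name whose SHA-1 equals the seed, or None if no match."""
    target = seed.hex()
    for name, data in candidate_encodings(phrase):
        if sha1_hex(data) == target:
            return name
    return None


def x962_r_from_seed(seed: bytes, p: int) -> int:
    """ANSI X9.62 derivation of the integer r from SEED for a prime field of
    size p. With t = bit length of p, s = floor((t-1)/160) and v = t - 160*s:
      W_0 = the v rightmost bits of SHA-1(SEED) with its leftmost bit cleared,
      W_i = SHA-1((SEED + i) mod 2^g) for i = 1..s   (g = bit length of SEED),
      r   = W_0 || W_1 || ... || W_s  read as a t-bit integer.
    For P-256: t = 256, s = 1, v = 96."""
    g = len(seed) * 8
    t = p.bit_length()
    s = (t - 1) // 160
    v = t - 160 * s

    h = int.from_bytes(hashlib.sha1(seed).digest(), "big")
    w0 = h & ((1 << v) - 1)        # keep the v rightmost bits of SHA-1(SEED)
    w0 &= ~(1 << (v - 1))          # clear the leftmost bit of W_0 (ensures r < p)

    r = w0
    z = int.from_bytes(seed, "big")
    for i in range(1, s + 1):
        seed_i = ((z + i) % (1 << g)).to_bytes(len(seed), "big")
        w_i = int.from_bytes(hashlib.sha1(seed_i).digest(), "big")
        r = (r << 160) | w_i
    return r


def seed_explains_curve(seed: bytes, p: int, a: int, b: int) -> bool:
    """X9.62 verification that (a, b) came from SEED: r * b^2 == a^3 (mod p).
    With a = -3 this is exactly the FIPS 186-4 statement b^2 * c == -27 (mod p)."""
    r = x962_r_from_seed(seed, p)
    return (r * b * b) % p == pow(a, 3, p)


if __name__ == "__main__":
    guess = "Jerry deserves a raise"
    print(f"{guess!r} matches the P-256 seed:", matching_encoding(guess))
    print("P-256 seed derives the published b:",
          seed_explains_curve(P256_SEED, P256_P, P256_A, P256_B))
```

Running it shows the asymmetry the page is describing: `seed_explains_curve` returns True for the published seed, so seed to curve is already verifiable by anyone, while the pre-seed to seed step is a plain SHA-1 preimage question, which is why a correct submission is trivially checkable and why only the space of "simple" phrases is worth searching.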
Maybe even some experience with hashcat? Then challenge your luck and fire up that rig again!
Don't forget to read Filippo's bounty announcement to get all the info we have already regarding the seeds.
If not, you may want to donate some crypto to increase the incentive for crackers. The project's wallet is seeds-bounty.eth.
This project is not intended to start a new bounty; we want to increase Filippo's bounty payout. This means we accept as winner whoever Filippo accepts, and we will follow his payout policy as closely as possible.
From Filippo's bounty announcement:
Half the bounty will pay out to the first submission of at least one pre-seed, and the other half will pay out to the first submission of all five pre-seeds.
They can of course go to the same person, so don’t wait to have them all to submit.
Of course you are also free to donate the bounty to a charity of your choice.
Note: we will check whether it's legally allowed to send money to you. If we see that it isn't, you'll have to select a charity to send the money to, following the same guidelines Filippo has set.
You’re responsible for any taxes on the bounty!
While Filippo reserves the right to cancel the bounty, we don't.
The only way the bounty can expire is if the seeds become publicly known. In that case we'll donate the bounty.
The seeds-bounty.eth project was initiated by the following folks:
The seeds-bounty.eth address is a Safe multisig wallet at 0xf0A4095D3cEa682C653A993B983E866c17be3075 with a 7-of-9 threshold configuration.