Reward offered for secret NSA seeds behind NIST elliptic curve algorithm | spcilvly


A reward of $12,288 has been announced for the first person to decipher the seeds of NIST’s elliptic curves and discover the original phrases that were processed to generate them.

The reward will be tripled to $36,864 if the prize recipient chooses to donate the amount to any 501(c)(3) charity.

This challenge was announced by cryptography specialist Filippo Valsorda, who raised the amount with the help of renowned figures in cryptography and cybersecurity.

These include Johns Hopkins University professor Matt Green, PKI and Chromium contributor Ryan Sleevi, browser security expert Chris Palmer, “Logjam attack” developer David Adrian, and AWS cryptography engineer Colm MacCárthaigh.


In elliptic curve cryptography (ECC), seeds are values or sets of values that are used as initial input to an encryption algorithm or process to produce cryptographic keys.

ECC is based on the mathematical concept of elliptic curves defined over finite fields to generate relatively short but secure keys. The use of curves ensures that, given a point on the curve, it is computationally infeasible to determine the scalar (the multiple of a known point) that was used to produce it, which provides the basis for encryption.

The NIST elliptic curves (P-192, P-224, P-256, P-384 and P-521), which were introduced in 2000 through the agency’s FIPS 186-2 ‘Digital Signature Standard’ and are crucial for modern cryptography, were generated in 1997 using seeds provided by the NSA.

The curves are specified by their coefficient and a random initial value, while the deterministic process for deriving the keys is transparent and verifiable to alleviate fears of hidden vulnerabilities.

End users and developers do not have to interact directly with those seeds, but instead use the curve parameters in the selected cryptographic protocol. However, those who care about the integrity and security of the system are really interested in the origin of the seeds.

No one knows how the original seeds were generated, but rumors and research suggest that they are fragments of English phrases provided to Solinas by the NSA.

Solinas is believed to have used a hashing algorithm, probably SHA-1, to generate the seeds and presumably forgot about the phrases forever.

The target seeds

“The NIST elliptic curves that drive much of modern cryptography were generated in the late 1990s using hash seeds provided by the NSA. How were the seeds generated?” reads a Valsorda blog post.

“It is rumored that they are, in turn, fragments of English phrases, but the person who chose them, Dr. Jerry Solinas, died in early 2023 leaving behind a cryptographic mystery, some conspiracy theories and a historical challenge to decipher passwords”.

Concern in the crypto community began many years ago, starting with the Dual_EC_DRBG controversy, in which it was claimed that the NSA had created a backdoor in the algorithm.

The most worrying scenario arises from speculation and skepticism about an intentional weakness built into the NIST curves, which would allow sensitive data to be decrypted.

Although there is no substantial evidence to support these scenarios, the origin of the seeds remains unknown, causing fear and uncertainty in the community.

Cracking Challenge

The security implications arising from concerns that the NSA intentionally selected weak curves are dire, and finding the original sentences used to generate them would allay these concerns once and for all.

Aside from that, this challenge has historical significance, considering that NIST elliptic curves are fundamental in modern cryptography.

Furthermore, this is essentially a cryptographic mystery that adds intrigue to the entire story, especially after the death of Dr. Solinas.

Filippo Valsorda believes that anyone with enough GPU power and experience in brute-forcing passphrases could crack the (presumed) SHA-1 hashes and derive the original sentences.


The first submission of at least one pre-seed sentence will receive half the reward ($6,144), with the other half going to the first person to submit the entire pack of five. If it is the same person, they will receive the full reward of $12,000.

You can find more details about the challenge and how to submit your findings on the Valsorda blog.
