Was watching this lecture, and was startled to hear the Dan Boneh mention that P-256 might have a backdoor.
Gist: the seed for the curve has unknown origin. Possible attack: let's say there is an attack possible on 1/10^6 curves. Just loop through a million curves until you find one vulnerable, and publish it into the standard.
[+] [-] philipfweiss|4 years ago|reply
Gist: the seed for the curve has unknown origin. Possible attack: let's say there is an attack possible on 1/10^6 curves. Just loop through a million curves until you find one vulnerable, and publish it into the standard.