And I realize that while the P-NNNr curves do use a deterministic value their provided seeds are completely fucking implausible.
E.g. the seed for P-256r is c49d360886e704936a6678e1139d26b7819f7e90. The procedure generates random data by feeding the seed into SHA1. There is no reason I could tell that the seed wouldn't have been something like "15" (and all lower values would have failed the test).
Well, damn. Presumably they'd argue the seed is also supposed to be random for "extra randomness" or something?
If the NSA did know of an attack on ECC for specific curve parameters, doing a brute force search over SHA-1 inputs until you found a breakable output would appear one way to do it.
It'd be really fantastic to know where the hell that seed value came from. Schneier might have a point about not trusting ECC! Or at least only using it with something like curve25519.
BTW what do you mean by "all lower values would have failed the test"? edit: never mind, you mean the seed selection algorithm would be: start at sha1(1), generate candidate parameters, check to see if they are usable, if not move on to sha1(2), etc.