Yes. The P- curves start from a single random number, and then go through a number of reasonable steps to expand the number into a set of curve parameters. It's not easy, given the steps involved, to see how that random seed could easily be used to select a weak curve, but it's possible. At this point, nobody is OK with "possible".
The NIST curves suck. But if your choice is between the NIST P- curves and PKCS1v15 RSA, it's not hard to see what the better of the two options is.
So the fact that NIST used a "verifiably random" seed that was definitely not random, and later shown to not be rigid isn't a practical cause for concern? Wouldn't it be prudent to assume that these unexplained seeds might have some more advanced attack, assuming the NSA is a decade or two beyond public research?
The seed itself was never claimed to be verifiably random. Instead, because it uses a (cryptographically secure) pseudo random generator to produce the curve parameters out of a public seed, the curve parameters are said to be "verifiably random". Today, we have more strict requirements on curve rigidity in mind than at the time they released the curves. It's not really fair to claim that NIST acted in malice by not following best practices which only developed after its publication.
How does hashing prevent anything? It just makes it a bit harder, as you've got to try a bunch of inputs and look for a desired output. Big deal, especially if they have plenty of time before publishing. It's not like it is hard at all to come up with a really truly random seed to use, one that would not allow such speculation.
If you are looking for one specific output, this bunch of inputs is as large as 2^159 on average before you find the preimage (which is far too large to bruteforce with the meager earthly energy resources). The current fear regarding these curves is that the NSA might know how to break a large fraction of all curves, like every millionth curve. In that case, trying out seeds until you get one of those rare curves is feasible, but a truly random curve would be safe with 99.9999% probability. As we don't trust anybody to generate these truly random curves, we are stuck with rigidity requirements as our best shot.
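To make the "verifiably random" derivation being argued about concrete, here is an added example (not from any commenter) that re-runs the ANSI X9.62 / FIPS 186 seed-to-coefficient expansion for NIST P-256 with SHA-1 and checks the published b against the published seed via b^2 * c = -27 (mod p). The domain parameters are the published ones; the function names are assumptions of this example.

```python
import hashlib

# NIST P-256 domain parameters as published in FIPS 186-4:
# the "verifiably random" seed, p, and the coefficient b (a = -3 mod p).
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_SEED = bytes.fromhex("c49d360886e704936a6678e1139d26b7819f7e90")

SEED_BITS = 160  # g in ANSI X9.62 / FIPS 186: the SHA-1 output length


def derive_c(seed: bytes, t: int) -> int:
    """Expand a 160-bit seed into the (t-1)-bit integer c, as in
    ANSI X9.62 A.3.3.1 / FIPS 186 A.3.1 (prime-field case).
    t is the bit length of the field prime p."""
    v = (t - 1) // SEED_BITS
    w = t - SEED_BITS * v - 1
    s = int.from_bytes(seed, "big")
    h = int.from_bytes(hashlib.sha1(seed).digest(), "big")
    # c0 is the rightmost w bits of SHA-1(seed); the rest is discarded.
    bits = format(h & ((1 << w) - 1), f"0{w}b") if w else ""
    # W_i = SHA-1((s + i) mod 2^g) for i = 1..v, concatenated after c0.
    for i in range(1, v + 1):
        s_i = ((s + i) % (1 << SEED_BITS)).to_bytes(SEED_BITS // 8, "big")
        w_i = int.from_bytes(hashlib.sha1(s_i).digest(), "big")
        bits += format(w_i, f"0{SEED_BITS}b")
    return int(bits, 2)


def verify_b(seed: bytes, p: int, b: int) -> bool:
    """Check the X9.62 relation b^2 * c = -27 (mod p), i.e. that b is the
    coefficient the hash expansion of this seed determines for a = -3."""
    c = derive_c(seed, p.bit_length())
    return (b * b * c + 27) % p == 0


if __name__ == "__main__":
    print("P-256 b matches its seed:", verify_b(P256_SEED, P256_P, P256_B))
```

Note what this does and does not show: it proves b was derived from that seed through SHA-1, but says nothing about how the seed itself was chosen, which is exactly the gap the rigidity discussion is about.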
It's not about the code. You need to get Mozilla and Google to agree to deploy. They aren't dragging their feet; they put an enormous amount of effort into these problems, and employ some of the best in the industry.
That's not fair either. Most of this stuff is happening in the open; you just have to put the effort in to joining the mailing lists, reading the bug trackers, &c.
Thomas, you basically just told me, "That's not fair either. Most of this stuff is happening in the open; you just have to know the obscure places to look."
Visibility isn't a matter of "can the public see it?" I also mean "is it in a place the public is likely to look?"
Nobody is hiding it. People who are competent in the subject matter can find it easily if they want to. I think, respectfully, that you might just not want to be wrong about this. :)
I was more so trying to express a desire for better PR than criticizing the transparency of their efforts. I'll hunt down these elusive mailing lists and bug trackers and see if I can cobble together a TL;DR portal :)