# Dual_EC_DRBG – Wikipedia

controversial pseudorandom number generator
Dual_EC_DRBG (Dual Elliptic Curve Deterministic Random Bit Generator)[1] is an algorithm that was presented as a cryptographically secure pseudorandom number generator (CSPRNG) using methods from elliptic curve cryptography. Despite wide public criticism, including the public identification of a back door, it was for seven years one of four CSPRNGs standardized in NIST SP 800-90A as originally published circa June 2006, until it was withdrawn in 2014.

## Weakness: a potential back door

Weaknesses in the cryptographic security of the algorithm were known and publicly criticised well before the algorithm became part of a formal standard endorsed by ANSI, ISO, and formerly by the National Institute of Standards and Technology (NIST). One of the weaknesses publicly identified was the potential of the algorithm to harbour a kleptographic back door advantageous to those who know about it, the United States government's National Security Agency (NSA), and no one else. In 2013, The New York Times reported that documents in their possession but never released to the public "appear to confirm" that the back door was real, and had been deliberately inserted by the NSA as part of its Bullrun decryption program. In December 2013, a Reuters news article alleged that in 2004, before NIST standardized Dual_EC_DRBG, NSA paid RSA Security $10 million in a secret deal to use Dual_EC_DRBG as the default in the RSA BSAFE cryptography library, which resulted in RSA Security becoming the most important distributor of the insecure algorithm.[2] RSA responded that they "flatly deny" that they had ever knowingly colluded with the NSA to adopt an algorithm that was known to be flawed, saying "we have never kept [our] relationship [with the NSA] a secret".[3]

Sometime before its first known publication in 2004, a possible kleptographic back door was discovered in Dual_EC_DRBG's design, the design having the unusual property that it was theoretically impossible for anyone but Dual_EC_DRBG's designers (NSA) to confirm the back door's existence. Bruce Schneier concluded shortly after standardization that the "rather obvious" back door (along with other deficiencies) would mean that nobody would use Dual_EC_DRBG.[4] The back door would allow NSA to decrypt, for example, SSL/TLS traffic whose endpoints used Dual_EC_DRBG as their CSPRNG.[5]

Members of the ANSI standards group, to which Dual_EC_DRBG was first submitted, were aware of the exact mechanism of the potential back door and how to disable it,[6] but did not take sufficient steps to unconditionally disable the back door or to widely publicize it. The general cryptographic community was initially not aware of the potential back door, until Dan Shumow and Niels Ferguson's publication, or of Certicom's Daniel R. L. Brown and Scott Vanstone's 2005 patent application describing the back door mechanism. In September 2013, The New York Times reported that internal NSA memos leaked by Edward Snowden indicated that the NSA had worked during the standardization process to eventually become the sole editor of the Dual_EC_DRBG standard,[7] and concluded that the Dual_EC_DRBG standard did indeed contain a back door for the NSA.[8] In response, NIST stated that "NIST would not deliberately weaken a cryptographic standard."[9] According to the New York Times story, the NSA spends $250 million per year to insert backdoors in software and hardware as part of the Bullrun program.[10] A Presidential advisory committee subsequently set up to examine NSA's conduct recommended among other things that the US government "fully support and not undermine efforts to create encryption standards".[11] On April 21, 2014, NIST withdrew Dual_EC_DRBG from its draft guidance on random number generators, recommending that "current users of Dual_EC_DRBG transition to one of the three remaining approved algorithms as quickly as possible."[12]

## Timeline of Dual_EC_DRBG

| Time | What happened |
|---|---|
| May 1997 | Adam L. Young and Moti Yung present their cryptovirology paper "Kleptography: Using Cryptography Against Cryptography" at Eurocrypt 1997.[13] The paper shows how to build a covert key exchange into the Diffie–Hellman key exchange protocol. The EC-DRBG backdoor is, with only a trivial modification, equivalent to the Young–Yung backdoor in Diffie–Hellman from Eurocrypt 1997. |
| August 1997 | Adam L. Young and Moti Yung present their cryptovirology paper "The Prevalence of Kleptographic Attacks on Discrete-Log Based Cryptosystems" at Crypto 1997.[14] The paper presents a recipe for building asymmetric backdoors into crypto algorithms based on discrete logs. It generalizes the paradigm used to attack Diffie–Hellman at Eurocrypt 1997 and introduces the "discrete log kleptogram" that would later be designed into the EC-DRBG. |
| Early 2000s | The ANSI X9.82 standardization process kicks off; NSA drives to include Dual_EC_DRBG in ANSI X9.82.[6] |
| After the ANSI X9.82 process kicked off and before NIST publication | According to John Kelsey (who was listed as author of NIST SP 800-90A together with Elaine Barker), the possibility of a backdoor via carefully chosen P and Q values was brought up at an ANSI X9.82 meeting. As a result, a way was specified for implementers to choose their own P and Q values.[15] It turned out later that the specific subtle formulation that NIST put into the standard meant that users could only get the crucial FIPS 140-2 validation of their implementation if they used the original compromised P and Q values.[16] |
| October 2003 | Goh, Boneh, Pinkas and Golle publish a research paper on the problem of adding key recovery to the SSL/TLS and SSH protocols.[17] They state "The government can convince major software vendors to distribute SSL/TLS or SSH2 implementations with hidden and unfilterable key recovery... Users will not notice the key recovery mechanism because the scheme is hidden." They then suggest that when the server needs a random nonce it can use instead an encryption of the session key computed under the escrow key. This does not leverage an elliptic curve discrete-log kleptogram and as a result requires a large-bandwidth subliminal channel to pull off. |
| June 2004 | A draft of ANSI X9.82, Part 3 is published, which includes Dual_EC_DRBG.[6] It is unknown whether earlier drafts were published. |
| Sometime in 2004 | RSA makes Dual_EC_DRBG the default CSPRNG in BSAFE. In 2013, Reuters reports this is the result of a secret $10 million deal with NSA.[2] |
| 21 January 2005 | Priority date of a patent application[18] by the two Certicom members of the ANSI X9.82 standardization committee. The patent describes the working of an elliptic curve CSPRNG backdoor identical to the potential backdoor in Dual_EC_DRBG, and ways to neutralize such a hidden backdoor by choosing alternative curve points and more bit truncation in the output function.[6] |
| Sometime in 2005[19] | ISO/IEC 18031:2005 is published, and includes Dual_EC_DRBG.[6] |
| December 2005[20] | The first draft of NIST SP 800-90A is released to the public; it includes Dual_EC_DRBG.[5] |
| 16 March 2006 | Kristian Gjøsteen publishes "Comments on Dual-EC-DRBG/NIST SP 800-90, Draft December 2005", showing that part of Dual_EC_DRBG is "not cryptographically sound", and constructing a bit-predictor with an advantage of 0.0011, which is considered unacceptable for a CSPRNG.[5][20] |
| 29 March 2006 | Daniel R. L. Brown publishes "Conjectured Security of the ANSI-NIST Elliptic Curve RNG", concluding that "[Dual_EC_DRBG] should be a serious consideration", assuming less truncation of the curve points than is present in Dual_EC_DRBG, as shown necessary by Gjøsteen's 2006 paper. The paper also anticipates Shumow and Ferguson's 2007 announcement of a possible backdoor: "This proof makes essential use of Q being random. The reason for this is more than just to make the proof work. If Q is not random, then it may be the case the adversary knows a d such that dQ = P. Then dRi = dSi+1, so that such a distinguisher could immediately recover the secret prestates from the output. Once the distinguisher gets the prestates, it can easily distinguish the output from random. Therefore, it is generally preferable for Q to be chosen randomly, relative to P."[21] |
| 29 May 2006 | Berry Schoenmakers and Andrey Sidorenko publish "Cryptanalysis of the Dual Elliptic Curve Pseudorandom Generator", showing that empirically the output from Dual_EC_DRBG can be distinguished from random bits, and concluding that Dual_EC_DRBG is insecure as a CSPRNG. Note that this is a separate problem from the backdoor. The authors also point out that the security claim of Dual_EC_DRBG is only supported by informal discussion; no proof of security (e.g., via a reduction argument) is given.[22] It follows that NIST ignored the provably secure pseudorandom number generators that had long existed in the peer-reviewed academic literature. |
| June 2006 | NIST SP 800-90A is published, including Dual_EC_DRBG with the defects pointed out by Kristian Gjøsteen and by Berry Schoenmakers and Andrey Sidorenko left unfixed. |
| June 2007 | Young and Yung publish a research paper detailing a provably secure asymmetric backdoor in SSL.[23] The asymmetric backdoor utilizes a twisted pair of elliptic curves resulting in a discrete log kleptogram that easily fits into the hello nonce. The attack is an attack on SSL random number generation. The act of generating a hello nonce using the EC-DRBG that NIST backdoored mimics exactly this attack on SSL by Young and Yung. |
| August 2007 | Dan Shumow and Niels Ferguson give an informal presentation demonstrating that an attacker with the backdoor and a small amount of output can completely recover the internal state of EC-DRBG, and therefore predict all future output.[24] |
| 15 November 2007 | Bruce Schneier publishes an article with the title "Did NSA Put a Secret Backdoor in New Encryption Standard?" in Wired, based on Dan Shumow and Niels Ferguson's presentation.[4] |
| 6 June 2013 | The first news stories (unrelated to Dual_EC_DRBG) based on Edward Snowden's leak of NSA documents are published. |
| 5 September 2013 | Existence of NSA's Bullrun program is revealed, based on the Snowden leaks. One of the purposes of Bullrun is described as being "to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world." The New York Times states that "the N.S.A. had inserted a back door into a 2006 standard adopted by N.I.S.T... called the Dual EC DRBG standard",[25] confirming that NSA carried out a malicious software attack. |
| 10 September 2013 | Gail Porter, director of the NIST Public Affairs Office, releases a statement saying that "NIST would not deliberately weaken a cryptographic standard."[26] The statement does not address the fact that NIST ultimately ignored the warning about a possible backdoor in the standard from NIST's own cryptographer, John Kelsey. |
| 19 September 2013 | RSA Security advises its customers to stop using Dual_EC_DRBG in RSA Security's BSAFE toolkit and Data Protection Manager, citing NIST guidance issued on 12 September 2013 that stated: "NIST strongly recommends that, pending the resolution of the security concerns and the re-issuance of SP 800-90A, the Dual_EC_DRBG, as specified in the January 2012 version of SP 800-90A, no longer be used."[27] Initial media reports cast suspicion over RSA's continued use of Dual_EC_DRBG as the default in its BSAFE and Data Protection Manager products, particularly after 2007, in light of previously published concerns over the potential for a backdoor in the algorithm. RSA Chief of Technology Sam Curry writes a short justification for RSA Security's choice to use Dual_EC_DRBG as default, which is widely criticized by cryptographers. Curry does not discuss the later revealed $10 million deal with NSA to use Dual_EC_DRBG.[28] |
| 18 December 2013 | A presidential advisory committee set up to examine the NSA recommends that the US government "fully support and not undermine efforts to create encryption standards".[11] |
| 20 December 2013 | Reuters reports on the existence of a $10 million deal between RSA and NSA to set Dual_EC_DRBG as the default CSPRNG in BSAFE.[2] |
| 22 December 2013 | RSA Security posts statements categorically denying that it "entered into a 'secret contract' with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries", though its statements do not deny the existence of a $10 million deal between RSA and the NSA to set Dual_EC_DRBG as the default in BSAFE.[3] Some news sites such as the BBC summarize the press release as a direct denial of the existence of the $10 million deal,[29] while other commentary points out that it is not clear what claims exactly the carefully worded RSA Security press release is denying, if any.[30][31] |
| 25 February 2014 | In his 2014 RSA Conference keynote speech, RSA Security Executive Chairman (and EMC Executive Vice President) Art Coviello implies that RSA Security had not seen merit in the 2006 and 2007 research papers that pointed out flaws in Dual_EC_DRBG until NIST issued guidance to stop using the CSPRNG. Coviello says RSA Security had seen decreasing revenue from encryption and no longer wanted to expend resources driving encryption research, but as a "contributor to and beneficiary of open standards" would trust NIST and NSA guidance, and blames NSA for tricking the company.[32] |
| 21 April 2014 | Following a public comment period and review, NIST removes Dual_EC_DRBG as a cryptographic algorithm from its draft guidance on random number generators, recommending "that current users of Dual_EC_DRBG transition to one of the three remaining approved algorithms as quickly as possible."[12] |
| August 2014 | Checkoway et al. publish a research paper analyzing the practicality of using the EC-DRBG to build an asymmetric backdoor into SSL and TLS.[33] |
| January 2015 | Michael Wertheimer, director of research at the NSA, writes: "With hindsight, NSA should have ceased supporting the Dual EC DRBG algorithm immediately after security researchers discovered the potential for a trapdoor. In truth, I can think of no better way to describe our failure to drop support for the Dual EC DRBG algorithm as anything other than regrettable."[34] |

## Description

### Overview

The algorithm uses a single integer $s$ as state. Whenever a new random number is requested, this integer is updated. The $k$-th state is given by

$$s_k = g_P(s_{k-1})$$

The returned random integer $r$ is a function of the state. The $k$-th random number is

$$r_k = g_Q(s_k)$$

The function $g_P(x)$ depends on the fixed elliptic curve point $P$. $g_Q(x)$ is similar except that it uses the point $Q$. The points $P$ and $Q$ stay constant for a particular implementation of the algorithm.

### Details

The algorithm allows for different constants, variable output length and other customization. For simplicity, the one described here uses the constants from curve P-256 (one of the three sets of constants available) and has a fixed output length. The algorithm operates entirely over a prime finite field $F_p$ ($\mathbb{Z}/p\mathbb{Z}$) where $p$ is prime.
The state, the seed and the random numbers are all elements of this field. The field size is

$$p = \mathtt{ffffffff00000001000000000000000000000000ffffffffffffffffffffffff}_{16}$$

(The value $\mathtt{ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551}_{16}$ that is sometimes quoted here as the field size is actually the order $n$ of the P-256 group; $n$, not $p$, is the modulus for scalars such as the back-door key $e$ discussed below.) An elliptic curve over $F_p$ is given by

$$y^2 = x^3 - 3x + b$$

where the constant $b$ is

$$b = \mathtt{5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b}_{16}$$

The points on the curve are $E(F_p)$. Two of these points are given as the fixed points $P$ and $Q$, $P, Q \in E(F_p)$. Their coordinates are

$$\begin{aligned}
P_x &= \mathtt{6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296}_{16} \\
P_y &= \mathtt{4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5}_{16} \\
Q_x &= \mathtt{c97445f45cdef9f0d3e05e1e585fc297235b82b5be8ff3efca67c59852018192}_{16} \\
Q_y &= \mathtt{b28ef557ba31dfcbdd21ac46e2a91e3c304f44cb87058ada2cb815151e610046}_{16}
\end{aligned}$$

A function to extract the x-coordinate is used. It "converts" from elliptic curve points to elements of the field:

$$X(x, y) = x$$

Output integers are truncated before being output: the 16 most significant bits of the 256-bit x-coordinate are discarded, so only 240 bits leave the generator per round,

$$t(x) = x \bmod 2^{240}$$

The functions $g_P$ and $g_Q$ "raise" the fixed points to a power. "Raising to a power" in this context means elliptic curve scalar multiplication, i.e. $P^x$ denotes the point $xP$:

$$g_P(x) = X(P^x), \qquad g_Q(x) = t(X(Q^x))$$

The generator is seeded with an element from $F_p$:

$$s_1 = g_P(\mathit{seed})$$

The $k$-th state and random number are

$$s_k = g_P(s_{k-1}), \qquad r_k = g_Q(s_k)$$

and the random numbers are $r_1, r_2, \ldots$

## Security

The stated purpose of including Dual_EC_DRBG in NIST SP 800-90A is that its security is based on computational hardness assumptions from number theory. A mathematical security reduction proof can then prove that as long as the number-theoretic problems are hard, the random number generator itself is secure. However, the makers of Dual_EC_DRBG did not publish a security reduction for Dual_EC_DRBG, and it was shown soon after the NIST draft was published that Dual_EC_DRBG was indeed not secure, because it output too many bits per round.[22][35][36] The output of too many bits (along with carefully chosen elliptic curve points P and Q) is what makes the NSA back door possible, because it lets the attacker undo the truncation by brute-force guessing: with only 16 bits dropped there are at most $2^{16}$ candidate x-coordinates for the curve point behind each output. The output of too many bits was not corrected in the final published standard, leaving Dual_EC_DRBG both insecure and backdoored.[5]
In many other standards, constants that are meant to be arbitrary are chosen by the nothing-up-my-sleeve number principle, where they are derived from pi or similar mathematical constants in a way that leaves little room for adjustment. However, Dual_EC_DRBG did not specify how the default P and Q constants were chosen, possibly because they were constructed by NSA to be backdoored. Because the standards committee was aware of the potential for a back door, a way for an implementer to choose their own secure P and Q was included.[6][15] But the exact formulation in the standard was written such that use of the alleged backdoored P and Q was required for FIPS 140-2 validation, so the OpenSSL project chose to implement the backdoored P and Q, even though they were aware of the potential back door and would have preferred generating their own secure P and Q.[37] The New York Times would later write that NSA had worked during the standardization process to eventually become the sole editor of the standard.[7]

A security proof was subsequently published for Dual_EC_DRBG by Daniel R. L. Brown and Kristian Gjøsteen, showing that the generated elliptic curve points would be indistinguishable from uniformly random elliptic curve points, and that if fewer bits were output in the final output truncation, and if the two elliptic curve points P and Q were independent, then Dual_EC_DRBG is secure. The proof relied on the assumption that three problems were hard: the decisional Diffie–Hellman assumption (which is generally accepted to be hard), and two newer, less-known problems which are not generally accepted to be hard: the truncated point problem, and the x-logarithm problem.[35][36] Dual_EC_DRBG was quite slow compared to many alternative CSPRNGs (which don't have security reductions[38]), but Daniel R. L. Brown argues that the security reduction makes the slow Dual_EC_DRBG a valid alternative (assuming implementors disable the obvious back door).[38] Note that Daniel R. L. Brown works for Certicom, the main owner of elliptic curve cryptography patents, so there may be a conflict of interest in promoting an EC CSPRNG.

The alleged NSA back door would allow the attacker to determine the internal state of the random number generator from the output of a single round (the 240 bits, i.e. 30 bytes, that one round emits, plus enough of the following output to confirm the guess); all future output of the random number generator can then easily be calculated, until the CSPRNG is reseeded with an external source of randomness. This makes for example SSL/TLS vulnerable, since the setup of a TLS connection includes sending a randomly generated cryptographic nonce in the clear.[5] NSA's alleged back door would depend on their knowledge of the single $e$ such that $eQ = P$. Finding $e$ is a hard (discrete logarithm) problem if P and Q are fixed ahead of time by someone else, but it is trivial for whoever chooses Q, since they can simply pick $d$ and set $Q = dP$.[24] $e$ is a secret key presumably known only to NSA, and the alleged back door is a kleptographic asymmetric hidden back door.[39] Matthew Green's blog post "The Many Flaws of Dual_EC_DRBG" has a simplified explanation of how the alleged NSA back door works by employing the discrete-log kleptogram introduced at Crypto 1997.[14]

## Standardization and implementations

NSA first introduced Dual_EC_DRBG in the ANSI X9.82 DRBG in the early 2000s, including the same parameters which created the alleged back door, and Dual_EC_DRBG was published in a draft ANSI standard. Dual_EC_DRBG also exists in the ISO 18031 standard.[6] According to John Kelsey (who together with Elaine Barker was listed as author of NIST SP 800-90A), the possibility of the back door by carefully chosen P and Q was brought up at an ANSI X9F1 Tool Standards and Guidelines Group meeting.
[ 6 ] When Kelsey asked Don Johnson of Cygnacom about the beginning of Q, Johnson answered in a 27 October 2004 e-mail to Kelsey that NSA had prohibited the public discussion of generation of an option Q to the NSA-supplied one. [ 40 ] At least two members of the Members of the ANSI X9F1 Tool Standards and Guidelines Group which wrote ANSI X9.82, Daniel R. L. Brown and Scott Vanstone from Certicom, [ 6 ] were aware of the accurate circumstances and mechanism in which a back door could occur, since they filed a patent application [ 18 ] in January 2005 on precisely how to insert or prevent the back door in DUAL_EC_DRBG. The solve of the “ trap door ” mentioned in the patent is identical to the one late confirmed in Dual_EC_DRBG. Writing about the patent in 2014, observer Matthew Green describes the patent as a “ passive aggressive “ way of spiting NSA by publicizing the back door, while still criticizing everybody on the committee for not actually disabling the back door they obviously were aware of. [ 40 ] Brown and Vanstone ‘s patent list two necessary conditions for the back door to exist : 1 ) Chosen Q An elliptic swerve random number generator avoids escrow keys by choosing a orient Q on the elliptic curve as verifiably random. Intentional habit of escrow keys can provide for back up functionality. The kinship between P and Q is used as an escrow key and stored by for a security domain. The administrator logs the output of the generator to reconstruct the random act with the escrow winder . 2 ) Small output truncation [ 0041 ] Another alternate method acting for preventing a winder escrow attack on the output of an ECRNG, shown in Figures 3 and 4 is to add a truncation serve to ECRNG to truncate the ECRNG output to approximately half the length of a compressed elliptic curve point. 
preferably, this mathematical process is done in accession to the prefer method acting of Figure 1 and 2, however, it will be appreciated that it may be performed as a primary measure for preventing a key escrow attack. The benefit of shortness is that the number of R values associated with a unmarried ECRNG output signal roentgen is typically impracticable to search. For exercise, for a 160-bit egg-shaped curve group, the number of likely points R in the number is about 280, and searching the list would be about a hard as solving the discrete logarithm problem. The monetary value of this method is that the ECRNG is made half as effective, because the output length is effectively halved . According to John Kelsey, the choice in the standard to choose a verifiably random Q was added as an choice in reception to the distrust back door, [ 15 ] though in such a way that FIPS 140-2 establishment could only be attained by using the possibly backdoored Q. [ 37 ] Steve Marquess ( who helped implement NIST SP 800-90A for OpenSSL ) speculated that this prerequisite to use the potentially backdoored points could be testify of NIST complicity. [ 41 ] It is not clear why the standard did not specify the default option Q in the standard as a verifyably generated nothing up my sleeve numeral, or why the criterion did not use greater truncation, which Brown ‘s patent said could be used as the “ elementary bill for preventing a key escrow attack ”. The belittled truncation was strange compared to previous EC PRGs, which according to Matthew Green had only output 1/2 to 2/3 of the bits in the output routine. [ 5 ] The abject truncation was in 2006 shown by Gjøsteen to make the RNG predictable and therefore unserviceable as a CSPRNG, even if Q had not been chosen to contain a back door. [ 20 ] The standard says that implementations “ should ” use the small max_outlen provided, but gives the option of outputting a multiple of 8 fewer bits. 
Appendix C of the standard gives a free argument that outputting fewer bits will make the end product less uniformly distributed. Brown ‘s 2006 security proof relies on outlen being much smaller the default max_outlen value in the standard. The ANSI X9F1 Tool Standards and Guidelines Group which discussed the back door besides included three employees from the big security system company RSA Security. [ 6 ] In 2004, RSA Security made an execution of Dual_EC_DRBG which contained the NSA backdoor the default CSPRNG in their RSA BSAFE as a consequence of a mysterious 10 million deal with NSA. In 2013, after the New York Times reported that Dual_EC_DRBG contained a back door by the NSA, RSA Security said they had not been mindful of any back door when they made the manage with NSA, and told their customers to switch CSPRNG. In the 2014 RSA Conference tonic, RSA Security Executive Chairman Art Coviello explained that RSA had seen declining gross from encoding, and had decided to stop being “ drivers ” of independent encoding inquiry, but to rather to “ put their confidence behind ” the standards and steering from standards organizations such as NIST. [ 32 ] A draft of NIST SP 800-90A including the Dual_EC_DRBG was published in December 2005. The final NIST SP 800-90A including Dual_EC_DRBG was published in June 2006. Documents leaked by Snowden have been interpreted as suggesting that the NSA backdoored Dual_EC_DRBG, with those making the allegation citing the NSA ‘s study during the standardization process to finally become the sole editor of the standard. [ 7 ] The early custom of Dual_EC_DRBG by RSA Security ( for which NSA was former reported to have secretly paid $10 million ) was cited by the NSA as an argument for Dual_EC_DRBG ‘s credence into the NIST SP 800-90A standard. [ 2 ] RSA Security subsequently cited Dual_EC_DRBG ‘s credence into the NIST standard as a argue they used Dual_EC_DRBG. [ 42 ] Daniel R. L. 
Brown ‘s March 2006 paper on the security system decrease of Dual_EC_DRBG mentions the want for more output signal truncation and a randomly chosen Q, but by and large in passage, and does not mention his conclusions from his apparent that these two defects in Dual_EC_DRBG together can be used as a back door. Brown writes in the decision : “ therefore, the ECRNG should be a serious consideration, and its high efficiency makes it suitable even for restrain environments. ” note that others have criticised Dual_EC_DRBG as being extremely dull, with Bruce Schneier concluding “ It ‘s excessively slow for anyone to willingly use it ”, [ 4 ] and Matthew Green saying Dual_EC_DRBG is “ Up to a thousand times slower ” than the alternatives. [ 5 ] The potential for a back door in Dual_EC_DRBG was not widely publicised outside of internal standard group meetings. It was lone after Dan Shumow and Niels Ferguson ‘s 2007 presentation that the electric potential for a back door became widely known. Shumow and Ferguson had been tasked with implementing Dual_EC_DRBG for Microsoft, and at least Furguson had discussed the potential back door in a 2005 X9 meet. [ 15 ] Bruce Schneier wrote in a 2007 Wired article that the Dual_EC_DRBG ‘s flaws were therefore obvious that cipher would be function Dual_EC_DRBG : “ It makes no sense as a ambush doorway : It ‘s populace, and rather obvious. It makes no sense from an engineer position : It ‘s besides slow for anyone to willingly use it. ” [ 4 ] Schneier was apparently unaware that RSA Security had used Dual_EC_DRBG as the default in BSAFE since 2004. OpenSSL implemented all of NIST SP 800-90A including Dual_EC_DRBG at the request of a node. 
The OpenSSL developers were aware of the potential back door because of Shumow and Ferguson's presentation, and wanted to use the method included in the standard to choose a guaranteed non-backdoored P and Q, but were told that to get FIPS 140-2 validation they would have to use the default P and Q. OpenSSL chose to implement Dual_EC_DRBG despite its dubious reputation for the sake of completeness, noting that OpenSSL tried to be complete and implements many other insecure algorithms. OpenSSL did not use Dual_EC_DRBG as the default CSPRNG, and it was discovered in 2013 that a bug made the OpenSSL implementation of Dual_EC_DRBG non-functioning, meaning that no one could have been using it. [37] Bruce Schneier reported in December 2007 that Microsoft added Dual_EC_DRBG support to Windows Vista, though not enabled by default, and Schneier warned against the known potential back door. [43] Windows 10 and later will silently replace calls to Dual_EC_DRBG with calls to CTR_DRBG based on AES. [44] On September 9, 2013, following the Snowden leak and the New York Times report on the back door in Dual_EC_DRBG, the National Institute of Standards and Technology (NIST) ITL announced that in light of community security concerns, it was reissuing SP 800-90A as a draft standard, and re-opening SP800-90B/C for public comment. NIST now "strongly recommends" against the use of Dual_EC_DRBG, as specified in the January 2012 version of SP 800-90A. [45] [46] The discovery of a back door in a NIST standard has been a major embarrassment for the NIST. [47] RSA Security had kept Dual_EC_DRBG as the default CSPRNG in BSAFE even after the wider cryptographic community became aware of the potential back door in 2007, but there does not seem to have been a general awareness in the community of BSAFE's usage of Dual_EC_DRBG as a user option.
Only after widespread concern about the back door was there an effort to find software which used Dual_EC_DRBG, of which BSAFE was by far the most prominent found. After the 2013 revelations, RSA Security Chief of Technology Sam Curry provided Ars Technica with a rationale for originally choosing the flawed Dual EC DRBG standard as default over the alternative random number generators. [48] The technical accuracy of the statement was widely criticized by cryptographers, including Matthew Green and Matt Blaze. [28] On December 20, 2013, it was reported by Reuters that RSA had accepted a secret payment of $10 million from the NSA to set the Dual_EC_DRBG random number generator as the default in two of its encryption products. [2] [49] On December 22, 2013, RSA posted a statement to its corporate blog "flatly" denying a secret deal with the NSA to insert a "known flawed random number generator" into its BSAFE toolkit. [3] Following the New York Times story asserting that Dual_EC_DRBG contained a back door, Brown (who had applied for the back door patent and published the security reduction) wrote an email to an IETF mailing list defending the Dual_EC_DRBG standard process: [38]

1. Dual_EC_DRBG, as specified in NIST SP 800-90A and ANSI X9.82-3, allows an alternative choice of constants P and Q. As far as I know, the alternatives do not admit a known feasible back door. In my view, it is incorrect to imply that Dual_EC_DRBG always has a back door, though I admit a wording to qualify the affected cases may be awkward. 2. Many things are obvious in hindsight. I'm not sure if this was obvious. [...] 8. All considered, I don't see how the ANSI and NIST standards for Dual_EC_DRBG can be viewed as a subverted standard, per se. But maybe that's just because I'm biased or naive.

Daniel Brown, [38]

## Software and hardware which contained the potential back door

Implementations which used Dual_EC_DRBG would usually have gotten it via a library. At least RSA Security (BSAFE library), OpenSSL, Microsoft, and Cisco [50] have libraries which included Dual_EC_DRBG, but only BSAFE used it by default. According to the Reuters article which revealed the secret $10 million deal between RSA Security and NSA, RSA Security's BSAFE was the most important distributor of the algorithm. [2] There was a flaw in OpenSSL's implementation of Dual_EC_DRBG that made it non-working outside test mode, from which OpenSSL's Steve Marquess concludes that nobody used OpenSSL's Dual_EC_DRBG implementation. [37] A list of products which have had their CSPRNG implementation FIPS 140-2 validated is available from NIST. [51] The validated CSPRNGs are listed in the Description/Notes field. Note that even if Dual_EC_DRBG is listed as validated, it may not have been enabled by default. Many implementations come from a renamed copy of a library implementation. [52] The BlackBerry software is an example of non-default use. It includes support for Dual_EC_DRBG, but not as the default. BlackBerry Ltd has however not issued an advisory to any of its customers who may have used it, because they do not consider the probable back door a vulnerability. [53] Jeffrey Carr quotes a letter from BlackBerry: [53]

The Dual EC DRBG algorithm is only available to third party developers via the Cryptographic APIs on the [BlackBerry] platform. In the case of the Cryptographic API, it is available if a 3rd party developer wished to use the functionality and explicitly designed and developed a system that requested the use of the API.

Bruce Schneier has pointed out that even if not enabled by default, having a backdoored CSPRNG implemented as an option can make it easier for NSA to spy on targets which have a software-controlled command-line switch to select the encryption algorithm, or a "registry" system, like most Microsoft products, such as Windows Vista:

A Trojan is really, really big. You can't say that was a mistake. It's a massive piece of code collecting keystrokes. But changing a bit-one to a bit-two [in the registry to change the default random number generator on the machine] is probably going to be undetected. It is a low conspiracy, highly deniable way of getting a back door. So there's a benefit to getting it into the library and into the product.

Bruce Schneier, [50]

In December 2013 a proof of concept back door [39] was published that uses the leaked internal state to predict subsequent random numbers, an attack viable until the next reseed.
In December 2015, Juniper Networks announced [54] that some revisions of their ScreenOS firmware used Dual_EC_DRBG with the suspect P and Q points, creating a back door in their firewall. Originally it was supposed to use a Q point chosen by Juniper, which may or may not have been generated in a provably safe way. Dual_EC_DRBG was then used to seed an ANSI X9.17 PRNG. This would have obfuscated the Dual_EC_DRBG output, thus neutralising the back door. However, a "bug" in the code exposed the raw output of the Dual_EC_DRBG, hence compromising the security of the system. This back door was then backdoored itself by an unknown party which changed the Q point and some test vectors. [55] [56] [57] Allegations that the NSA had persistent back door access through Juniper firewalls had already been published in 2013 by Der Spiegel. [58] The kleptographic back door is an example of NSA's NOBUS policy, of having security holes that only they can exploit.
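The following Python toy, an added illustration and not code from the article, the standard or any implementation it names, reproduces the structure behind the proof of concept and the Juniper exposure above on a tiny textbook curve: whoever knows the relation P = e·Q between the two points recovers the internal state from the raw, lightly truncated output and predicts every later output until the next reseed. The curve, the points Q and P, the trapdoor value e and the 2-bit truncation are constructed for the illustration; only the shape of the generator (state x(s·P), output x(s·Q) with its top bits dropped) follows the standard.

```python
# Toy Dual_EC_DRBG on the 13-point textbook curve y^2 = x^3 + x + 6 over GF(11);
# an added illustration, not the P-256 parameters or code of the standard.
p, A, B = 11, 1, 6

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                   # P + (-P)
    num, den = (3 * x1 * x1 + A, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def lift_x(x):
    """A point with x-coordinate x, or None if none exists (p = 3 mod 4)."""
    rhs = (x ** 3 + A * x + B) % p
    y = pow(rhs, (p + 1) // 4, p)
    return (x, y) if y * y % p == rhs else None

Q = (2, 7)                    # the published point
E_SECRET = 2                  # trapdoor known only to whoever chose the points
P = ec_mul(E_SECRET, Q)       # (5, 2); an honestly generated Q has no known e
TRUNC_BITS = 2                # toy analogue of the 16 bits the standard discards
MASK = (1 << (p.bit_length() - TRUNC_BITS)) - 1

def dual_ec_step(s, P, Q):
    """One iteration: next state x(s*P); output x(s*Q) with its top bits dropped."""
    return ec_mul(s, P)[0], ec_mul(s, Q)[0] & MASK

def predict_next(seen, e, P, Q):
    """Trapdoor holder: from consecutive observed outputs, the possible next outputs."""
    # Each on-curve x with the observed low bits is +-s*Q, and x(e*(+-s*Q)) = x(s*P) is
    # the state right after that output; each later output prunes the wrong candidates.
    cands = {ec_mul(e, lift_x(x))[0] for x in range(p) if (x & MASK) == seen[0] and lift_x(x)}
    for r in seen[1:]:
        cands = {dual_ec_step(s, P, Q)[0] for s in cands if dual_ec_step(s, P, Q)[1] == r}
    return {dual_ec_step(s, P, Q)[1] for s in cands}
```

Seeding the toy with 3 yields the truncated outputs 0, 3, 1, 0, 3, and predict_next([0, 3], E_SECRET, P, Q) returns {1}, the true next output; a single output can leave several candidates (predict_next([3], ...) gives {1, 3}), which is the role truncation plays in the standard at 2^16 candidates. With a Q generated without a known e, or with the Dual_EC output whitened through a second PRNG as Juniper intended, the observer has no point on which e can act.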

## See also

• Random number generator attack
• Crypto AG – a Swiss company specialising in communications and information security, who are widely believed to have allowed western security agencies (including NSA) to insert backdoors in their cryptography machines[59]