Dual_EC_DRBG
Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG)[1] is a cryptographically secure pseudorandom number generator (CSPRNG) standardized by the National Institute of Standards and Technology, ANSI, and ISO, which was discovered in 2013 to contain a backdoor from NSA, inserted as part of NSA's Bullrun decryption program. Dual_EC_DRBG is based on the elliptic curve discrete logarithm problem (ECDLP) and is one of the four CSPRNGs standardized in NIST SP 800-90A. The backdoor in Dual_EC_DRBG had been suspected since before it was standardized, but Dual_EC_DRBG had still been relatively widely implemented. In 2004, before NIST standardized Dual_EC_DRBG, NSA paid RSA Security $10 million in a secret deal to use Dual_EC_DRBG as the default in the RSA BSAFE cryptography library, which resulted in RSA Security becoming the most important distributor of the backdoored algorithm.[2] The backdoor would allow NSA to decrypt, for example, SSL/TLS traffic whose implementation used Dual_EC_DRBG as its CSPRNG.[3]
Members of the ANSI standard group, to which Dual_EC_DRBG was first submitted, were aware of the exact mechanism of the potential backdoor and how to disable it,[4] but did not take sufficient steps to unconditionally disable the backdoor. The general cryptographic community was initially not aware of the potential backdoor, or of Certicom's Daniel R. L. Brown and Scott Vanstone's 2005 patent application describing the backdoor mechanism. Shortly after the NIST publication, Bruce Schneier wrote that the random number generator could be an NSA backdoor, based on discoveries made by Dan Shumow and Niels Ferguson.[5] In 2013, The New York Times reported that internal NSA memos leaked by Edward Snowden suggested the Dual_EC_DRBG standard did indeed contain a backdoor for the NSA.[6] Documents leaked by Snowden show that NSA inserted the back door by working during the standardization process to eventually become the sole editor of the Dual_EC_DRBG standard.[7]
According to leaked documents, NSA spends $250 million per year to insert backdoors in software and hardware as part of the Bullrun program.[8] The Dual_EC_DRBG backdoor is one of the most prominent and perhaps the only specific backdoor from the Bullrun program that has been revealed. Three months after the Dual_EC_DRBG backdoor was first revealed, a presidential advisory committee set up to examine NSA's conduct following the Snowden leak recommended among other things that the US government "fully support and not undermine efforts to create encryption standards".[9]
Timeline
- Indeterminate. Before NIST publication: According to John Kelsey (who was listed as author of NIST SP 800-90A together with Elaine Barker), the possibility of the backdoor by carefully chosen P and Q values was brought up at an ANSI X9.82 meeting. As a result, a way was specified for implementers to choose their own P and Q values.[10] It turned out later that the specific subtle formulation put into the NIST standard meant that you could only get the crucial FIPS 140-2 validation of your implementation if you used the original compromised P and Q values.[11]
- June 2004: A draft of ANSI X9.82, Part 3 is published, which includes Dual_EC_DRBG.[4] It is unknown if earlier drafts were published.
- Sometime in 2004: RSA makes Dual_EC_DRBG the default CSPRNG in BSAFE, as a result of a secret $10 million deal with NSA.[2]
- January 2005: Priority date for patent application "Elliptic curve random number generation" filed by the two Certicom members of the ANSI X9.82 standardization committee, Daniel R. L. Brown and Scott Vanstone. The patent describes the working of an elliptic curve CSPRNG backdoor identical to the NSA backdoor, and ways to neutralize such a hidden backdoor by choosing alternative curve points and more bit truncation in the output function.[4]
- Sometime 2005:[12] ISO/IEC 18031:2005 is published, and includes Dual_EC_DRBG.[4]
- December 2005:[13] The first draft of NIST SP 800-90A is released to the public, includes Dual_EC_DRBG.[3]
- 16 March 2006: Kristian Gjøsteen publishes Comments on Dual-EC-DRBG/NIST SP 800-90, Draft December 2005 showing that part of Dual_EC_DRBG is "not cryptographically sound", and constructing a bit-predictor with an advantage of 0.0011, which is considered unacceptable for a CSPRNG.[13][3]
- 29 March 2006: Daniel R. L. Brown publishes "Conjectured Security of the ANSI-NIST Elliptic Curve RNG", concluding that "[Dual_EC_DRBG] should be a serious consideration", assuming less truncation of the curve points than is present in Dual_EC_DRBG, as shown necessary by Gjøsteen's 2006 paper. The paper also describes the backdoor: "This proof makes essential use of Q being random. The reason for this is more than just to make the proof work. If Q is not random, then it may be the case the adversary knows a d such that dQ = P. Then dRi = dSi+1, so that such a distinguisher could immediately recover the secret prestates from the output. Once the distinguisher gets the prestates, it can easily distinguish the output from random. Therefore, it is generally preferable for Q to be chosen randomly, relative to P."[14]
- 29 May 2006: Berry Schoenmakers and Andrey Sidorenko publish a Cryptanalysis of the Dual Elliptic Curve Pseudorandom Generator, showing that empirically the output from Dual_EC_DRBG can be distinguished from random bits, and concluding that Dual_EC_DRBG is insecure as a CSPRNG. (Note that this is a separate problem from the backdoor.)[15]
- June 2006: NIST SP 800-90A is published, including Dual_EC_DRBG, without the defects pointed out by Kristian Gjøsteen and by Berry Schoenmakers and Andrey Sidorenko having been fixed.
- August 2007: Dan Shumow and Niels Ferguson give an informal presentation pointing out that the choices giving rise to the predictability documented in the 2006 papers also enabled the later verified backdoor, with attacker-chosen P and Q.[16]
- 15 November 2007: Bruce Schneier publishes an article with the title "Did NSA Put a Secret Backdoor in New Encryption Standard?" in Wired, based on Dan Shumow and Niels Ferguson's presentation.
- 6 June 2013: The first news stories (unrelated to Dual_EC_DRBG) based on Snowden's leak of NSA documents are published.
- 5 September 2013: Existence of NSA's Bullrun program is revealed, based on the Snowden leaks. One of the purposes of Bullrun is described as being "to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world."[17]
- 10 September 2013: The New York Times publishes an article saying that a memo leaked by Snowden "suggests" that Dual_EC_DRBG contains an NSA backdoor.[6] On the same day, the NIST Public Affairs Office director released a statement, saying that "NIST would not deliberately weaken a cryptographic standard."[18] Later media reports, such as the 20 December article by Reuters, treat the existence of the back door as a fact.[2]
- 19 September 2013: RSA Security advises its customers to stop using Dual_EC_DRBG in RSA Security's BSAFE toolkit and Data Protection Manager, shortly after Ars Technica emailed RSA Security about its use of Dual_EC_DRBG by default.[19] RSA Chief of Technology Sam Curry writes a short and poorly argued "justification" for RSA Security's choice to use Dual_EC_DRBG as default, which is widely criticized, and somehow forgets to mention the later revealed $10 million deal with NSA to use Dual_EC_DRBG.[20]
- 18 December 2013: A presidential advisory committee set up to examine the NSA recommended that the US government "fully support and not undermine efforts to create encryption standards"[9]
- 20 December 2013: Reuters reports on the existence of the 2004 $10 million deal to set Dual_EC_DRBG as the default CSPRNG in BSAFE.[2]
Security
The stated purpose of including Dual_EC_DRBG in NIST SP 800-90A is that its security is based on computational hardness assumptions from number theory. A mathematical security reduction proof can then prove that as long as the number-theoretic problems are hard, the random number generator itself is secure. However, the makers of Dual_EC_DRBG did not publish a security reduction for Dual_EC_DRBG, and it was shown soon after the NIST draft was published that Dual_EC_DRBG was indeed not secure, because it output too many bits per round.[21][22][23] The output of too many bits (along with carefully chosen elliptic curve points P and Q) is what makes the NSA backdoor possible, because it enables the attacker to reverse the truncation by brute-force guessing. The output of too many bits was not corrected in the final published standard, leaving Dual_EC_DRBG both insecure and backdoored.[3]
In many other standards, constants which are meant to be arbitrary are chosen by the nothing-up-my-sleeve number principle, where the constants are derived from, for example, pi in a way that leaves little room for adjustment. However, Dual_EC_DRBG did not specify how the default P and Q constants were chosen, because they were indeed constructed by NSA to be backdoored.[citation needed] Because the standard committee was aware of the potential for a backdoor, a way for an implementer to choose their own secure P and Q was included.[10][4] But the exact formulation in the standard was written such that use of the official backdoored P and Q was required for FIPS 140-2 validation, so the OpenSSL project chose to implement the backdoored P and Q, even though they were aware of the potential backdoor and would have preferred generating their own secure P and Q.[24] The New York Times would later write that NSA had worked during the standardization process to eventually become the sole editor of the standard.[7]
A security proof was later published for Dual_EC_DRBG by Daniel R. L. Brown and Kristian Gjøsteen, showing that the generated elliptic curve points would be indistinguishable from uniformly random elliptic curve points, and that if fewer bits were output in the final output truncation, if the two elliptic curve points P and Q were independent, and if three problems were shown to be hard (only one of which is generally accepted as being hard), then Dual_EC_DRBG is secure. The proof relied on the assumption that three problems were hard: the decisional Diffie–Hellman assumption (which is generally accepted to be hard), and two newer problems which are not generally accepted to be hard: the truncated point problem, and the x-logarithm problem.[21][22] Dual_EC_DRBG was quite slow compared to many alternative CSPRNGs (which don't have security reductions[25]), but Daniel R. L. Brown argues that the security reduction makes the slow Dual_EC_DRBG a valid alternative (assuming implementers disable the obvious backdoor).[25] Note that Daniel R. L. Brown works for Certicom, the main owner of elliptic curve cryptography patents, so there may be a conflict of interest in promoting an EC CSPRNG.
The NSA backdoor allows the attacker to determine the internal state of the random number generator from looking at the output from a single round (32 bytes); all future output of the random number generator can then easily be calculated. This makes, for example, SSL/TLS vulnerable, since the setup of a TLS connection includes the sending of a randomly generated cryptographic nonce in the clear.[3] NSA's backdoor depends on NSA knowing the single e such that e·Q = P; finding e is a hard problem given only Q and P, but easy to arrange if you can choose P and Q.[16] So e is a secret key known only to NSA, and the backdoor is very likely a kleptographic asymmetric hidden back door.[26] Matthew Green's blog post The Many Flaws of Dual_EC_DRBG has a good simplified explanation of how the NSA backdoor works. The backdoor employs the discrete-log kleptogram introduced in Crypto 1997.[27]
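The relation described above (Brown's d with dQ = P, the e with e·Q = P in this section) is easiest to see on a toy curve. The following is an added illustration, not code from NIST SP 800-90A, from NSA, or from any author cited on this page. Everything in it is constructed: the curve y^2 = x^3 + x + 6 over GF(11) has only 13 points, so it can show the algebra but says nothing about the discrete-log hardness that protects a real curve (on 13 points anyone can find d by trial); real Dual_EC_DRBG runs on P-256 and drops 16 of 256 bits per output, while here 1 of 4 bits is dropped. The generator round follows the structure Green describes (r = x(sP), output x(rQ) truncated, next state x(rP)), and the second half shows the mitigation the standard's alternative-Q option aims at: with a Q whose relation to P is not known, the same d predicts nothing.

```python
# Toy-scale illustration of why d*Q = P lets one output reveal the next state.
# Added example; not code from NIST SP 800-90A, NSA, or any cited author.
# All parameters are constructed toy values (GF(11), 13-point curve).

P_MOD = 11                    # toy prime field (constructed)
A_COEF, B_COEF = 1, 6         # toy curve y^2 = x^3 + x + 6 (mod 11)
GROUP_ORDER = 13              # prime, so every finite point generates the group
TRUNC_BITS = 1                # toy truncation (the standard drops 16 of 256 bits)
KEEP_BITS = P_MOD.bit_length() - TRUNC_BITS
KEEP_MASK = (1 << KEEP_BITS) - 1
INF = None                    # point at infinity

def ec_add(p1, p2):
    """Affine point addition / doubling on the toy curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow((2 * y1) % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def lift_x(x):
    """All curve points with this x (toy: search y; real sizes use a modular sqrt)."""
    v = (x ** 3 + A_COEF * x + B_COEF) % P_MOD
    return [(x, y) for y in range(P_MOD) if (y * y) % P_MOD == v]

def dual_ec_round(state, P, Q):
    """One round: r = x(s*P); output = x(r*Q) with top bits dropped; next state = x(r*P)."""
    r = ec_mul(state, P)[0]
    return ec_mul(r, Q)[0] & KEEP_MASK, ec_mul(r, P)[0]

def predict_next_state(output, d, P, Q):
    """Knowing d with d*Q == P, list the next states consistent with one output.
    Each guess for the dropped bits is lifted to a point A = r*Q; then
    d*A = r*(d*Q) = r*P, whose x-coordinate is the generator's next state."""
    guesses = set()
    for high in range(1 << TRUNC_BITS):
        x = (high << KEEP_BITS) | output
        if x >= P_MOD:
            continue
        for point in lift_x(x)[:1]:        # A and -A give the same x(d*A)
            guesses.add(ec_mul(d, point)[0])
    return guesses

def demonstrate(seed_state=1, e=7):
    """Two rounds with Q = e*P (hidden relation), then the same d against an unrelated Q."""
    P = (2, 7)                          # toy base point
    Q = ec_mul(e, P)                    # "random-looking" Q with a hidden relation to P
    d = pow(e, -1, GROUP_ORDER)         # the trapdoor scalar: d*Q == P
    out1, s1 = dual_ec_round(seed_state, P, Q)
    out2, _ = dual_ec_round(s1, P, Q)
    guesses = predict_next_state(out1, d, P, Q)
    # truncation leaves a few candidates; the following output singles one out
    confirmed = {s for s in guesses if dual_ec_round(s, P, Q)[0] == out2}
    # an implementer-chosen Q with no known d (constructed point): prediction fails
    q_alt = (3, 6)
    out_alt, s_alt = dual_ec_round(seed_state, P, q_alt)
    alt_guesses = predict_next_state(out_alt, d, P, q_alt)
    return {"trapdoor_holds": ec_mul(d, Q) == P, "true_next_state": s1,
            "guesses": guesses, "confirmed": confirmed,
            "alt_true_next_state": s_alt, "alt_guesses": alt_guesses}

if __name__ == "__main__":
    print(demonstrate())
```

With the defaults, the first round's output leaves two candidate next states (the dropped bit is ambiguous), the second output confirms the true one, and against q_alt the candidate set does not contain the true next state at all. This is exactly why Brown's quoted proof needs Q to be random relative to P, and why a verifiably random, implementer-chosen Q closes the trapdoor even though it leaves the excessive-output-bits weakness untouched.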
Standardization and implementations
NSA first introduced Dual_EC_DRBG in the ANSI X9.82 DRBG in the early 2000s, including the same parameters which created the backdoor, and Dual_EC_DRBG was published in a draft ANSI standard. Dual_EC_DRBG also exists in the ISO 18031 standard.[4]
According to John Kelsey (who together with Elaine Barker was listed as author of NIST SP 800-90A), the possibility of the backdoor by carefully chosen P and Q was brought up at an ANSI X9F1 Tool Standards and Guidelines Group meeting.[4]
At least two members of the ANSI X9F1 Tool Standards and Guidelines Group which wrote ANSI X9.82, Daniel R. L. Brown and Scott Vanstone from Certicom,[4] were aware of the exact circumstances and mechanism in which a backdoor could occur, since they wrote a 2005 patent application on exactly how to insert or prevent the backdoor in Dual_EC_DRBG. The working of the "trap door" mentioned in the patent is identical to the one later confirmed in Dual_EC_DRBG. Brown and Vanstone's patent lists two necessary conditions for the backdoor to exist:
1) Chosen Q
An elliptic curve random number generator avoids escrow keys by choosing a point Q on the elliptic curve as verifiably random. Intentional use of escrow keys can provide for back up functionality. The relationship between P and Q is used as an escrow key and stored by for a security domain. The administrator logs the output of the generator to reconstruct the random number with the escrow key.
2) Small output truncation
[0041] Another alternative method for preventing a key escrow attack on the output of an ECRNG, shown in Figures 3 and 4 is to add a truncation function to ECRNG to truncate the ECRNG output to approximately half the length of a compressed elliptic curve point. Preferably, this operation is done in addition to the preferred method of Figure 1 and 2, however, it will be appreciated that it may be performed as a primary measure for preventing a key escrow attack. The benefit of truncation is that the list of R values associated with a single ECRNG output r is typically infeasible to search. For example, for a 160-bit elliptic curve group, the number of potential points R in the list is about 2^80, and searching the list would be about as hard as solving the discrete logarithm problem. The cost of this method is that the ECRNG is made half as efficient, because the output length is effectively halved.
According to John Kelsey, the option in the standard to choose a verifiably random Q was added in response to the suspected backdoor,[10] though in such a way that FIPS 140-2 validation could only be attained by using the backdoored Q.[24] Steve Marquess (who helped implement NIST SP 800-90A for OpenSSL) speculated that this requirement to use the backdoored points could be evidence of NIST complicity.[28] It is not clear why the standard did not specify the default Q in the standard as a verifiably generated nothing-up-my-sleeve number, or why the standard did not use greater truncation, which Brown's patent said could be used as the "primary measure for preventing a key escrow attack". The small truncation was unusual compared to previous EC PRGs, which according to Matthew Green had only output 1/2 to 2/3 of the bits in the output function.[3] The low truncation was in 2006 shown by Gjøsteen to make the RNG predictable and therefore unusable as a CSPRNG, even if Q had not been chosen to contain a back door.[13] The standard says that implementations "should" use the small max_outlen provided, but gives the option of outputting a multiple of 8 fewer bits. Appendix C of the standard gives a loose argument that outputting fewer bits will make the output less uniformly distributed. Brown's 2006 security proof relies on outlen being much smaller than the default max_outlen value in the standard.
The ANSI X9F1 Tool Standards and Guidelines Group which discussed the back door also included three employees from RSA Security.[4] In 2004, RSA Security made its implementation of Dual_EC_DRBG, which contained the NSA backdoor, the default CSPRNG in RSA BSAFE as a result of a secret $10 million deal with NSA. In 2013, after the Snowden leaks confirmed that Dual_EC_DRBG contained a backdoor from NSA, RSA Security said they had not been aware of the backdoor when they made the deal with NSA, and told their customers to switch CSPRNG.
A draft of NIST SP 800-90A including the backdoored Dual_EC_DRBG was published in December 2005. The final NIST SP 800-90A including the backdoored Dual_EC_DRBG was published in June 2006. Documents leaked by Snowden show that NSA inserted the back door by working during the standardization process to eventually become the sole editor of the standard.[7] The early usage of Dual_EC_DRBG by RSA Security (for which NSA was later reported to have secretly paid $10 million) was cited by the NSA as an argument for Dual_EC_DRBG's acceptance into the NIST SP 800-90A standard.[2] RSA Security subsequently cited Dual_EC_DRBG's acceptance into the NIST standard as a reason they used Dual_EC_DRBG.[29]
Daniel R. L. Brown's March 2006 paper on the security reduction of Dual_EC_DRBG mentions the need for more output truncation and a randomly chosen Q, but mostly in passing, and does not mention his conclusions from his patent that these two defects in Dual_EC_DRBG together can be used as a back door. Brown writes in the conclusion: "Therefore, the ECRNG should be a serious consideration, and its high efficiency makes it suitable even for constrained environments." The potential for a backdoor in Dual_EC_DRBG was not widely publicised outside of internal standard group meetings. It was only after Dan Shumow and Niels Ferguson's 2007 presentation that the potential for a backdoor became widely known.
OpenSSL implemented all of NIST SP 800-90A including Dual_EC_DRBG at the request of a client. The OpenSSL developers were aware of the potential backdoor because of Shumow and Ferguson's presentation, and wanted to use the method included in the standard to choose a guaranteed non-backdoored P and Q, but were told that to get FIPS 140-2 validation they would have to use the default P and Q. OpenSSL chose to implement Dual_EC_DRBG despite its dubious reputation for the sake of completeness, noting that OpenSSL tried to be complete and implements many other insecure algorithms. OpenSSL did not use Dual_EC_DRBG as the default CSPRNG, and it was discovered in 2013 that a bug made the OpenSSL implementation of Dual_EC_DRBG non-functional, meaning that no one could have been using it.[24]
Bruce Schneier reported in December 2007 that Microsoft added Dual_EC_DRBG support to Windows Vista, though not enabled by default, and Schneier warned against the known potential back door.[30] Dual_EC_DRBG is still listed as available for Windows 8, according to msdn.microsoft.com,[31] so it was presumably also available in Windows 7.
On September 9, 2013, the NIST ITL announced that, in light of community security concerns, it was reissuing SP 800-90A as a draft standard and re-opening SP 800-90B/C for public comment, and that NIST now "strongly recommends" against the use of Dual_EC_DRBG as specified in the January 2012 version of SP 800-90A.[32][33] The discovery of a backdoor in a NIST standard has been a major embarrassment for the National Institute of Standards and Technology.
RSA Security had kept Dual_EC_DRBG as the default CSPRNG in BSAFE even after the wider cryptographic community became aware of the potential backdoor in 2007, but there does not seem to have been a general awareness of BSAFE's usage of Dual_EC_DRBG in the community. After the 2013 backdoor revelation, RSA Security Chief of Technology Sam Curry provided Ars Technica with a rationale for originally choosing the flawed Dual_EC_DRBG standard as default over the alternative random number generators.[19] The technical accuracy of the statement was widely criticized by cryptographers, including Matthew Green and Matt Blaze.[20]
On December 20, 2013, it was reported by Reuters that RSA had accepted a secret payment of $10 million from the NSA to set the backdoor-equipped random number generator as the default.[2][34]
Following the Snowden leak confirming that Dual_EC_DRBG contained a back door, Brown (who had applied for the backdoor patent and published the security reduction) wrote an email to an IETF mailing list defending the Dual_EC_DRBG standard process:[25]
1. Dual_EC_DRBG, as specified in NIST SP 800-90A and ANSI X9.82-3, allows an alternative choice of constants P and Q. As far as I know, the alternatives do not admit a known feasible backdoor. In my view, it is incorrect to imply that Dual_EC_DRBG always has a backdoor, though I admit a wording to qualify the affected cases may be awkward.
2. Many things are obvious in hindsight. I'm not sure if this was obvious. [...]
8. All considered, I don't see how the ANSI and NIST standards for Dual_EC_DRBG can be viewed as a subverted standard, per se. But maybe that's just because I'm biased or naive.
— Daniel Brown, [1]
Software and hardware which contained the backdoor
Implementations which used Dual_EC_DRBG would usually have gotten it via a library. At least RSA Security (BSAFE library), OpenSSL, Microsoft, and Cisco[35] have libraries which included Dual_EC_DRBG, but only BSAFE used it by default. It is generally assumed that most users of cryptographic libraries tend to use the default CSPRNG of their library, so mainly implementers using the RSA BSAFE library will have been enabling the backdoor. According to the Reuters article which revealed the secret $10 million deal between RSA Security and NSA, RSA Security's BSAFE was the most important distributor of the backdoored algorithm.[2] There was a flaw in OpenSSL's implementation of Dual_EC_DRBG that made it non-working outside test mode, from which OpenSSL's Steve Marquess concluded that nobody used OpenSSL's Dual_EC_DRBG implementation.[24]
A list of products which have had their CSPRNG implementation FIPS 140-2 validated is available at http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgval.html ; the validated CSPRNGs are listed in the Description/Notes field. Note that even if Dual_EC_DRBG is listed as validated, it may not have been enabled by default. Many implementations come from a renamed copy of a library implementation.[36]
Bruce Schneier has pointed out that even if not enabled by default, having the backdoored CSPRNG implemented as an option can make it easier for NSA to spy on targets:
A Trojan is really, really big. You can’t say that was a mistake. It’s a massive piece of code collecting keystrokes. But changing a bit-one to a bit-two [in the registry to change the default random number generator on the machine] is probably going to be undetected. It is a low conspiracy, highly deniable way of getting a backdoor. So there’s a benefit to getting it into the library and into the product.
— Bruce Schneier, [35]
In December 2013 a proof-of-concept backdoor[37] was published that uses the leaked internal state to predict subsequent random numbers, an attack viable until the next reseed.
References
- ^ "Recommendations for Random Number Generation Using Deterministic Random Bit Generators (Revised)" (PDF). National Institute of Standards and Technology. January 2012. NIST SP 800-90.
- ^ a b c d e f g Menn, Joseph (December 20, 2013). "Exclusive: Secret contract tied NSA and security industry pioneer". San Francisco. Reuters. Retrieved December 20, 2013.
- ^ a b c d e f Matthew Green. "The Many Flaws of Dual_EC_DRBG".
- ^ a b c d e f g h i http://blog.cryptographyengineering.com/2013/12/a-few-more-notes-on-nsa-random-number.html
- ^ Bruce Schneier (2007-11-15). "Did NSA Put a Secret Backdoor in New Encryption Standard?". Wired News.
- ^ a b Perlroth, Nicole (September 10, 2013). "Government Announces Steps to Restore Confidence on Encryption Standards". The New York Times. Retrieved September 11, 2013.
- ^ http://www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html
- ^ a b "NSA should stop undermining encryption standards, Obama panel says". Ars Technica.
- ^ a b c http://cryptome.org/2013/12/800-90-dual-ec-drbg.pdf
- ^ http://marc.info/?l=openssl-announce&m=138747119822324&w=2
- ^ http://www.iso.org/iso/iso_catalogue/catalogue_ics/catalogue_detail_ics.htm?csnumber=30816
- ^ a b c http://www.math.ntnu.no/~kristiag/drafts/dual-ec-drbg-comments.pdf
- ^ Daniel R. L. Brown (2006). "Conjectured Security of the ANSI-NIST Elliptic Curve RNG".
- ^ http://eprint.iacr.org/2006/190.pdf
- ^ a b http://rump2007.cr.yp.to/15-shumow.pdf
- ^ http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html
- ^ http://www.nist.gov/director/cybersecuritystatement-091013.cfm
- ^ a b "Stop using NSA-influenced code in our products, RSA tells customers". Ars Technica.
- ^ a b Matthew Green (2013-09-20). "RSA warns developers not to use RSA products". A Few Thoughts on Cryptographic Engineering. Retrieved 2013-09-28.
- ^ a b Kristian Gjøsteen. Comments on Dual-EC-DRBG/NIST SP 800-90
- ^ a b Daniel R. L. Brown and Kristian Gjøsteen. A Security Analysis of the NIST SP 800-90 Elliptic Curve Random Number Generator, CRYPTO 2007, LNCS 4622, Springer, pp. 466–481. IACR ePrint version
- ^ Berry Schoenmakers and Andrey Sidorenko. Cryptanalysis of the Dual Elliptic Curve Pseudorandom Generator, IACR ePrint 2006/190.
- ^ a b c d Steve Marquess. "Flaw in Dual EC DRBG (no, not that one)". OpenSSL project.
- ^ a b c http://www.ietf.org/mail-archive/web/cfrg/current/msg03651.html
- ^ http://blog.0xbadc0de.be/archives/155
- ^ Adam L. Young, Moti Yung (1997). "The Prevalence of Kleptographic Attacks on Discrete-Log Based Cryptosystems". CRYPTO.
- ^ Steve Marquess. "Secure or Compliant, Pick One".
- ^ "We don't enable backdoors in our crypto products, RSA tells customers". Ars Technica.
- ^ https://www.schneier.com/blog/archives/2007/12/dual_ec_drbg_ad.html
- ^ http://msdn.microsoft.com/en-us/library/aa375534.aspx
- ^ http://csrc.nist.gov/publications/nistbul/itlbul2013_09_supplemental.pdf
- ^ "Government Announces Steps to Restore Confidence on Encryption Standards". New York Times.
- ^ "$10m NSA contract with security firm RSA led to encryption 'back door'". Guardian. 20 December 2013.
- ^ a b http://www.wired.com/threatlevel/2013/09/nsa-backdoor/all/
- ^ http://veridicalsystems.com/blog/secure-or-compliant-pick-one/
- ^ http://blog.0xbadc0de.be/archives/155
External links
- NIST SP 800-90A - Recommendation for Random Number Generation Using Deterministic Random Bit Generators
- The prevalence of kleptographic attacks on discrete-log based cryptosystems - Adam L. Young, Moti Yung (1997)
- Elliptic curve random number generation - US 8396213 B2 Scott A. Vanstone and Daniel R. L. Brown's patent on the Dual_EC_DRBG backdoor, and ways to negate the backdoor.
- Comments on Dual-EC-DRBG/NIST SP 800-90, Draft December 2005 Kristian Gjøsteen's March 2006 paper concluding that Dual_EC_DRBG is predictable, and therefore insecure.
- A Security Analysis of the NIST SP 800-90 Elliptic Curve Random Number Generator Daniel R. L. Brown and Kristian Gjøsteen's 2007 security analysis of Dual_EC_DRBG. Though at least Brown was aware of the backdoor (from his 2005 patent), the backdoor is not explicitly mentioned. Use of non-backdoored constants and a greater output bit truncation than Dual_EC_DRBG specifies are assumed.
- On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng Dan Shumow and Niels Ferguson's presentation, which made the potential backdoor widely known.
- Did NSA Put a Secret Backdoor in New Encryption Standard? 2007 article by Bruce Schneier in Wired
- The Many Flaws of Dual_EC_DRBG - Matthew Green's simplified explanation of how and why the backdoor works.
- A few more notes on NSA random number generators - Matthew Green
- Sorry, RSA, I'm just not buying it - Summary and timeline of Dual_EC_DRBG and public knowledge.
- [Cfrg] Dual_EC_DRBG ... [was RE: Requesting removal of CFRG co-chair] A December 2013 email by Daniel R. L. Brown defending Dual_EC_DRBG and the standard process.