Dual EC: A Standardized Back Door

Dual EC is an algorithm to compute pseudorandom numbers starting from some random input. Dual EC was standardized by NIST, ANSI, and ISO alongside other pseudorandom number generators. For a long time this algorithm was considered suspicious --- the entity designing the algorithm could have easily chosen the parameters in such a way that it can predict all outputs --- and on top of that it is much slower than the alternatives and the numbers it provides are more biased, i.e., not random. The Snowden revelations, and in particular reports on Project Bullrun and the SIGINT Enabling Project, have indicated that Dual EC was part of a systematic effort by the NSA to subvert standards. This paper traces the history of Dual EC, including some suspicious changes to the standard, explains how the back door works in real-life applications, and explores the standardization and patent ecosystem in which the standardized back door stayed under the radar.
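The abstract's central claim, that whoever chose the parameters can predict every output, can be made concrete with a toy version of the generator. The following is an added illustration, not code from the paper or from any standard: it uses a tiny curve, a base point Q, a secret scalar e and a second point P = e*Q, all constructed here (hypothetical values, nothing cryptographically meaningful), and a 4-bit truncation standing in for the 16 bits Dual EC discards from each 256-bit output. The generator itself is the Dual EC structure: the state advances as s' = x(s*P) and the output is the truncated x(s'*Q). A party holding e undoes the truncation by trying each possible prefix, lifts the output back to the point s'*Q, multiplies by e to land on s'*P, and thereby learns the next internal state; anyone without e faces a discrete-logarithm problem instead. That asymmetry is why fixed constants with no verifiable provenance are a defect in a standard, and why the practical mitigation is to reject such generators rather than to hope the parameters were chosen honestly.

```python
# Toy Dual EC with a trapdoor relation P = e*Q, showing why fixed parameters of
# unknown provenance are dangerous.  Every constant below (curve, points, secret e,
# seed) is constructed for this illustration; the curve is tiny and nothing here is secure.

P_MOD = 2**31 - 1            # Mersenne prime; P_MOD % 4 == 3, so a square root is a single pow()
A = 1
B = P_MOD - 1                # chosen so that (2, 3) lies on y^2 = x^3 + A*x + B (9 == 8 + 2 - 1)
Q = (2, 3)                   # base point used for the output (chosen here)
E_SECRET = 987654321         # the designer's trapdoor (constructed value): P = E_SECRET * Q
INF = None                   # point at infinity

def ec_add(p1, p2):
    """Affine point addition on the toy curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                   # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

P_PT = ec_mul(E_SECRET, Q)   # the published "state" point; its hidden relation to Q is the back door

DROP = 4                              # output bits discarded (the real Dual EC drops 16 of 256)
KEEP = P_MOD.bit_length() - DROP
MASK = (1 << KEEP) - 1

def x_coord(pt):
    """x-coordinate, or None for the point at infinity (an unusable state)."""
    return None if pt is INF else pt[0]

def dual_ec_step(state):
    """One iteration: s' = x(s*P); output = truncated x(s'*Q).  Returns (s', output)."""
    new_state = x_coord(ec_mul(state, P_PT))
    if new_state is None:
        raise ValueError("state hit the point at infinity; choose another seed")
    out_x = x_coord(ec_mul(new_state, Q))
    if out_x is None:
        raise ValueError("output hit the point at infinity; choose another seed")
    return new_state, out_x & MASK

def dual_ec_outputs(seed, n):
    """n consecutive outputs of the generator started from `seed`."""
    state, outs = seed, []
    for _ in range(n):
        state, out = dual_ec_step(state)
        outs.append(out)
    return outs

def recover_state(out1, out2, e):
    """With the trapdoor e (P = e*Q), recover the internal state that produced out2
    from two consecutive outputs.  Each of the 2^DROP truncated prefixes is tried;
    a wrong prefix, or a wrong e, almost never reproduces out2 and is rejected."""
    for high in range(1 << DROP):
        x = (high << KEEP) | out1
        if x >= P_MOD:
            continue
        rhs = (x * x * x + A * x + B) % P_MOD
        y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
        if y * y % P_MOD != rhs:
            continue                                 # x is not the abscissa of any curve point
        R = (x, y)                                   # R = s'*Q; the sign of y does not affect x(e*R)
        next_state = x_coord(ec_mul(e, R))           # e*R = s'*(e*Q) = s'*P = the next state
        if next_state is None:
            continue
        check = x_coord(ec_mul(next_state, Q))
        if check is not None and (check & MASK) == out2:
            return next_state
    return None

def predict_outputs(out1, out2, e, n):
    """Predict the n outputs that follow out2, or None if e is not the right trapdoor."""
    state = recover_state(out1, out2, e)
    return None if state is None else dual_ec_outputs(state, n)

if __name__ == "__main__":
    seen = dual_ec_outputs(123456789, 6)             # seed chosen here; the observer never sees it
    print("actual outputs 3..6:", seen[2:])
    print("predicted from 1, 2:", predict_outputs(seen[0], seen[1], E_SECRET, 4))
```

Two outputs are enough to pin down the state because the second one serves only to confirm which truncated prefix was right; from then on every output is reproducible. Swapping in any scalar other than E_SECRET yields no matching candidate, which is exactly the position of everyone who does not know how P and Q are related.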
