
From what I read, the backdoor in Dual_EC_DRBG operates by using related $P$ and $Q$ points.

Did I understand the idea correctly?

Dual_EC_DRBG works by multiplying the $P$ point with the seed initially, and then using the $x$-coordinate of the previous resulting point (let's call that $S$) instead of the seed (that value is named $s$).

The $x$-coordinate of the current point is then multiplied by the $Q$ point, to act as a one-way function and prevent the ability to produce more bits knowing one output value.

Let's call the resulting point $R$. Its $x$-coordinate (called $r$) is then truncated and output.

Does the backdoor work the following way?

Assuming $Q = P \cdot x$ and $R = Q \cdot s = (P \cdot x) \cdot s$

(and that $x$ is known to the adversary)

it should be possible to calculate $S = P \cdot s$, which would make it possible to continue generating bits, since the output:

$$S = R \cdot x^{-1} \pmod n$$

Is that true?

Squeamish Ossifrage
Mark

1 Answer


Not quite, but you're close. I will write $[n]A$ for scalar multiplication of the point $A$ on the curve in question by the scalar $n$, as is more typical notation, and I will write $x(A)$ for the least nonnegative integer representative of the $x$ coordinate of $A$.

Let $E/k$ be an elliptic curve over the field $k$, and $P$ and $Q$ be two $k$-rational points of large prime order.

The initial state is a bit string interpreted as an integer $s_0$. The $i^\mathit{th}$ state $s_i$ and output $r_i$ are given by \begin{align*} s_i &= x([s_{i - 1}]P), \\ r_i &= x([s_i]Q). \end{align*} If $P = [d]Q$ for some integer $d$, then $$s_{i + 1} = x([s_i]P) = x([s_i][d]Q) = x([d][s_i]Q) = x([d] x^{-1}(r_i)),$$ where $x^{-1}(r_i)$ is one of the two possible points with $x$ coordinate $r_i$.

Finding $d$ given $P$ and $Q$ is intractable in a curve for which the ECDLP is hard, but the nation-state adversary influencing cryptography standards could have picked $P$ and $d$ and then computed $Q$ from them.

You, too, can create your own Dual_EC_DRBG back door in the privacy of your own living room! However, you probably can't get FIPS certification if you do that—and if anyone catches you at it outside your living room, you may fall afoul of US Patent 8,396,213 on how to design a key escrow euphemism for a back door. And by design they can't distinguish whether you generated your own $P$ and $Q$ at random or picked $Q$ and $d$ first and then computed $P$ from them for a key escrow system, saving $d$ somewhere secure like a sticky note on your monitor.

So merely using base points other than the standard ones may be a violation of US patent law. (Caveat: I may be a vulture, like many attorneys, but I have not passed the bar, and I am certainly not your patent vulture.)

Squeamish Ossifrage
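The state-recovery relation in the answer, worked through on a toy curve as an added example (this is not code from the question, the answer, or any standard). Everything in it is constructed for illustration: the field $p = 997$, the curve coefficient $a = 1$ with $b$ found by a deterministic search, the public base point, the seed $123$ and the trapdoor $d = 77$ are toy values, and the truncation of the output $x$-coordinate performed by the real generator is omitted, matching the untruncated formulas above (with truncation, the holder of $d$ has to try each possible value of the dropped bits, which is less convenient but does not prevent the recovery). The defender's takeaway is the answer's last point: the public parameters alone cannot reveal whether such a $d$ exists, so whoever chose $P$ and $Q$ must be trusted.

```python
"""Toy Dual_EC_DRBG with a planted relation P = [d]Q.

Added example, not code from the original post or from any standard: the field,
curve, base point, trapdoor d and seed are constructed toy values, and the real
generator's truncation of the output x-coordinate is omitted, matching the
untruncated formulas in the answer."""

INF = None  # the point at infinity


def is_prime(n):
    """Trial division; fine for the three-digit group orders used here."""
    return n >= 2 and all(n % k for k in range(2, int(n ** 0.5) + 1))


class Curve:
    """y^2 = x^3 + a*x + b over F_p in affine coordinates (toy sizes only)."""

    def __init__(self, p, a, b):
        self.p, self.a, self.b = p, a, b

    def add(self, A, B):
        if A is INF:
            return B
        if B is INF:
            return A
        (x1, y1), (x2, y2) = A, B
        p = self.p
        if x1 == x2 and (y1 + y2) % p == 0:   # B == -A (also doubling a point with y = 0)
            return INF
        if A == B:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, p) % p
        else:
            lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
        x3 = (lam * lam - x1 - x2) % p
        return (x3, (lam * (x1 - x3) - y1) % p)

    def mul(self, n, A):
        """Scalar multiplication [n]A by double-and-add."""
        R = INF
        while n:
            if n & 1:
                R = self.add(R, A)
            A = self.add(A, A)
            n >>= 1
        return R

    def lift_x(self, r):
        """The points with x-coordinate r: the answer's x^{-1}(r), possibly empty."""
        rhs = (r ** 3 + self.a * r + self.b) % self.p
        return [(r, y) for y in range(self.p) if y * y % self.p == rhs]

    def points(self):
        """Every affine point, by brute force (feasible only because p is tiny)."""
        roots = {}
        for y in range(self.p):
            roots.setdefault(y * y % self.p, []).append(y)
        return [(x, y) for x in range(self.p)
                for y in roots.get((x ** 3 + self.a * x + self.b) % self.p, [])]


def toy_curve(p=997, a=1):
    """Deterministic search (constructed) for a curve of prime order N > p whose b is a
    quadratic non-residue, so no point has x = 0.  Every state x-coordinate is then a
    nonzero scalar mod N and the toy generator never lands on the point at infinity."""
    for b in range(1, p):
        if pow(b, (p - 1) // 2, p) != p - 1 or (4 * a ** 3 + 27 * b * b) % p == 0:
            continue
        curve = Curve(p, a, b)
        N = len(curve.points()) + 1       # +1 for the point at infinity
        if N > p and is_prime(N):
            return curve, N
    raise ValueError("no suitable toy curve found")


class DualEC:
    """s_i = x([s_{i-1}]P), r_i = x([s_i]Q): the update and output from the answer."""

    def __init__(self, curve, P, Q, seed):
        self.curve, self.P, self.Q, self.s = curve, P, Q, seed

    def next_output(self):
        self.s = self.curve.mul(self.s, self.P)[0]
        return self.curve.mul(self.s, self.Q)[0]


def predict_following_outputs(curve, P, Q, d, r_i, count):
    """Trapdoor holder: from one full output r_i and d with P = [d]Q, compute
    s_{i+1} = x([d] x^{-1}(r_i)) and run the generator forward.  Either lift of
    r_i works, because [d](-R) = -[d]R has the same x-coordinate."""
    R = curve.lift_x(r_i)[0]
    s = curve.mul(d, R)[0]                      # s_{i+1}
    predicted = []
    for _ in range(count):
        predicted.append(curve.mul(s, Q)[0])    # r_{i+1}, r_{i+2}, ...
        s = curve.mul(s, P)[0]
    return predicted


def demo(seed=123, d=77, outputs=4):
    """Generate a few outputs, then predict all but the first from the first alone."""
    curve, N = toy_curve()
    Q = curve.points()[0]                        # public base point (constructed)
    P = curve.mul(d, Q)                          # planted: P = [d]Q, d is the trapdoor
    gen = DualEC(curve, P, Q, seed)
    observed = [gen.next_output() for _ in range(outputs)]
    predicted = predict_following_outputs(curve, P, Q, d, observed[0], outputs - 1)
    return observed, predicted


if __name__ == "__main__":
    observed, predicted = demo()
    print("observed :", observed)
    print("predicted:", predicted)
    print("trapdoor reproduces the stream:", predicted == observed[1:])
```

Note that the sign ambiguity of the lift never matters for this step: both points with $x$-coordinate $r_i$ are negatives of each other, and negation commutes with scalar multiplication, so $x([d]R) = x([d](-R))$ and the next state is determined uniquely. The search in `toy_curve` is only there so the toy never produces a zero scalar; a standards-sized curve does not need it.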