
From the Microsoft Docs article "CNG Algorithm Identifiers":

I notice that BCRYPT_RNG_DUAL_EC_ALGORITHM has been removed as of Windows 10.

Beginning with Windows 10, the dual elliptic curve random number generator algorithm has been removed. Existing uses of this algorithm will continue to work; however, the random number generator is based on the AES counter mode specified in the NIST SP 800-90 standard. New code should use BCRYPT_RNG_ALGORITHM, and it is recommended that existing code be changed to use BCRYPT_RNG_ALGORITHM.

Does this imply that the Elliptic Curve PRNG is already considered insecure?

The Government's elliptic curve backdoor is real, isn't it?

CodesInChaos
sandthorn

1 Answer

The Government's elliptic curve backdoor is real, isn't it?

We don't know for sure, but there are indicators in that direction. More importantly though,

Does this imply that the Elliptic Curve PRNG is already considered insecure?

As you saw above, using Dual-EC can be a real, exploitable risk. There are, however, additional reasons why Dual-EC isn't the greatest random number generator and why people wouldn't want to use it:

  • It's no longer in the list of NIST specified RNGs and was removed from SP 800-90A rev.1.
  • It's very slow compared to all the other "approved" RNGs (like three orders of magnitude slower).
  • It doesn't even have a security proof, which is the only reason why you would want to use such a slow RNG in the first place and more specifically...
  • Its output is actually distinguishable from random (which is the bare minimum security guarantee that no RNG should violate)!

So TL;DR: Yes, the Dual-EC is backdoorable and slow and not even properly random and was probably dropped because of that.

Additional reading: Matthew Green's blog post on the subject (which is also a source for this answer) as well as Bernstein's, Lange's and Niederhagen's "Dual EC: A Standardized Back Door".

SEJPM
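The "distinguishable from random" point in the last bullet can be made concrete with a small computation. The following is an added example, not code from the answer, the cited papers or Microsoft's CNG; it uses a constructed toy curve over p = 4093 (parameters chosen for illustration, not any standard curve) and counts, for every truncated output value, how many curve x-coordinates can produce it.

```python
"""Why Dual EC output is distinguishable from random (toy scale).

Dual EC outputs the x-coordinate of a curve point with only its top bits
dropped. Only about half of all field elements are x-coordinates, so the
surviving bits are not uniform. The real generator keeps 240 of 256 bits;
this toy keeps 8 of 12 so every x can be enumerated.
"""
from collections import Counter

P = 4093              # toy field prime (constructed; not a standard parameter)
A, B = P - 3, 7       # toy curve y^2 = x^3 + A*x + B over F_P (constructed)
DROP_BITS = 4         # toy analogue of Dual EC dropping the top 16 bits
KEEP_BITS = P.bit_length() - DROP_BITS   # 12 - 4 = 8 output bits


def is_x_coordinate(x: int) -> bool:
    """True if some curve point has this x, i.e. x^3 + A*x + B is a square mod P."""
    rhs = (x * x * x + A * x + B) % P
    # Euler's criterion: rhs is 0 or a quadratic residue iff rhs^((P-1)/2) is 0 or 1
    return pow(rhs, (P - 1) // 2, P) in (0, 1)


def output_histogram() -> Counter:
    """For each possible truncated output, count the valid x-coordinates producing it."""
    hist = Counter()
    mask = (1 << KEEP_BITS) - 1
    for x in range(P):
        if is_x_coordinate(x):
            hist[x & mask] += 1
    return hist


def bias_summary() -> dict:
    """Compare the truncated-output distribution with a uniform one."""
    hist = output_histogram()
    n_outputs = 1 << KEEP_BITS
    valid = sum(hist.values())
    counts = [hist.get(v, 0) for v in range(n_outputs)]
    # Total variation distance from uniform: 0 would mean no frequency bias at all
    tvd = 0.5 * sum(abs(c / valid - 1 / n_outputs) for c in counts)
    return {"outputs": n_outputs, "valid_x": valid,
            "min_count": min(counts), "max_count": max(counts), "tvd": tvd}


if __name__ == "__main__":
    s = bias_summary()
    print(f"{s['valid_x']} of {P} field elements are x-coordinates")
    print(f"per-output counts range {s['min_count']}..{s['max_count']}, "
          f"distance from uniform {s['tvd']:.3f}")
```

Each 8-bit output here has only 16 candidate x values behind it, so the per-output counts scatter around 8 instead of being equal; the 2^16 candidates behind each real Dual EC output leave the same kind of bias, just smaller, which is exactly why dropping only 16 bits was criticised.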