Questions tagged [dual-ec-drbg]

Dual-ec-drbg is short for Dual Elliptic Curve Deterministic Random Bit Generator; a pseudorandom number generator based on the elliptic curve discrete logarithm problem.

It was standardized in NIST SP 800-90A, but Dual_EC has a pretty negative image. In 2006, Dual_EC was shown to be a slow and bad random number generator. By 2007, Shumow and Ferguson raised worries about the possibility of a backdoor in the specification. In 2013, The New York Times reported that internal NSA memos suggest the RNG the NSA contributed to the Dual_EC_DRBG standard does indeed contain a backdoor for the NSA.

15 questions
53 votes, 6 answers

Who uses Dual_EC_DRBG?

Recent news articles have suggested that the NSA may be involved in trying to influence the cryptography in public standards or commercially deployed software, to enable the NSA to decrypt the encrypted traffic. For example, see this article in the…
D.W.
39 votes, 1 answer

Explaining weakness of Dual EC DRBG to wider audience?

I have an audience of senior (non-technical) executives and senior technical people who are taking the backdoor in Dual_EC_DRBG and considering it as a weakness of Elliptic curves in general. I can take a max of about 10 mins in my presentation to…
10 votes, 2 answers

Does Microsoft use Dual_EC_DRBG by default?

So, as we all know, Dual_EC_DRBG contains an NSA back door. At this point, there is no reason to call it a "potential" or even an "alleged" back door; the presence is obvious even to the NY Times. As we also know, RSA BSAFE has been using…
Nemo
9 votes, 1 answer

Why does BCRYPT_RNG_DUAL_EC_ALGORITHM get removed from CNG API on Windows 10?

In the article Microsoft Docs CNG Algorithm Identifiers I notice that BCRYPT_RNG_DUAL_EC_ALGORITHM has now been removed since Windows 10. Beginning with Windows 10, the dual elliptic curve random number generator algorithm has been removed. Existing…
sandthorn
7 votes, 1 answer

Does the backdoor in Dual_EC_DRBG work like that?

From what I read, the backdoor in Dual_EC_DRBG operates by using related $P$ and $Q$ points. Did I understand the idea correctly? Dual_EC_DRBG works by multiplying the $P$ point with the seed initially, and then using the $x$-coordinate of the…
Mark
7 votes, 1 answer

Why does anyone use elliptic curves for a CSPRNG?

I saw Martijn Grooten's talk on elliptic curves at BSides London this year, and it helped me understand how elliptic curve crypto works, especially in the case of Diffie-Hellman (ECDH). He also touched on the use of EC for random number generators…
Polynomial
6 votes, 1 answer

What exactly could be accomplished with a backdoor in Dual_EC_DRBG?

Assume that some entity really holds the private key corresponding to the recommended/dubious constants of Dual_EC_DRBG. According to this presentation, they would be able to reconstruct the internal state from only 32 bytes of random output and…
lxgr
4 votes, 1 answer

Can the backdoor in Dual_EC_DRBG be used to create a public key stream cipher?

Dual_EC_DRBG has the property that if $Q = e\cdot P$, someone who knows $e$ can break the PRNG. This seems to lead to a public-key stream cipher: Alice chooses a random $P, e$, where $P$ is a generator. Alice computes $Q = e\cdot P$. Alice…
Demi
2 votes, 1 answer

Mathematical proof or any reference of "Deterministic random bit generator cannot produce more randomness than the randomness of seed"

The heading tells everything. Any proof or any kind of reference is welcome regarding this: Can we get more randomness from a deterministic random bit generator than the entropy that we feed to the generator?
2 votes, 2 answers

Is it possible to calculate the 'skeleton key' for DUAL_EC_DRBG? What would it take?

According to Bruce Schneier the constants used in the spec of DUAL_EC_DRBG may be related to a secret set of numbers that could function as a master key for encryption using this random number generator: This is how it works: There are a bunch…
oɔɯǝɹ
2 votes, 1 answer

Generating pseudorandom numbers using Dual_EC_DRBG

I am currently learning about the Dual_EC_DRBG protocol and I am stuck at the calculation of the initial state with the point P. For context, I am using the secp256k1 curve with a = 0 and b = 7. I have two points P and Q provided to me already. I am…
2 votes, 1 answer

Dual_EC_DRBG and OpenSSL on a Mac

Since there is not much info anywhere on the Internet related to this: Does anyone know if OpenSSL's default CSPRNG is Dual_EC_DRBG or not? Their wiki is not very clear… Related to the first question, does anyone have any experience with OpenSSL on…
tony
1 vote, 0 answers

Exploration of Blum Micali Security By Seed Size

I'm new to cryptography and am most intrigued by mathematically based pseudo random number generators. With reference to the Blum Micali algorithm: $X_{i+1} = G^{X_i} \bmod P$ can security be reduced to a simple stated seed size? I've seen claims…
1 vote, 0 answers

$\phi$ function in Dual_EC_DRBG

I am trying to understand the operation of the Dual_EC_DRBG. I'm reading the formal specification (SP 800-90) and can't seem to find a definition of the $\phi$ function used throughout the definition that I can grasp. The definition I found is on…
1 vote, 0 answers

What’s the relationship between P-256 and Dual EC DRBG?

It is said that Dual EC DRBG has a backdoor given the values of the curve. Hence some people do not trust it. With that in mind, some people also distrust NIST P-256 Curve. Why? Is it purely because it’s from NIST? Is it the same curve as Dual EC…