If we replaced dual ec drbg's output function by taking the parity of the output point's scalar value, it looks to me like we'd have a secure drbg despite the potentially evil choice of P and Q, with whatever good theoretical properties came from dual ec drbg. --John