[Cryptography] Dual_EC_DRBG backdoor: a proof of concept

Krisztián Pintér pinterkr at gmail.com
Fri Jan 3 02:45:45 EST 2014


John Kelsey (at Friday, January 3, 2014, 2:31:00 AM):
> If we replaced dual ec drbg's output function by taking the parity
> of the output point's scalar value, it looks to me like we'd have a
> secure drbg despite the potentially evil choice of P and Q, with
> whatever good theoretical properties came from dual ec drbg.

dual ec is easy to fix, but what is the point? it is even easier not
to use it, and use fortuna instead, which is better in every way
possible. people only use dual ec if they have to, to be compliant
with whatever standards. but then they can't change it, not even the
extraction part (heck, they can't even fix the mistakes in the
documentation, see the case of openssl).
