Dual EC DRBG
Randomness is essential for secure cryptography. Random numbers are used for secret long-term keys, secret short-term keys, public "nonces" that must never repeat, secret nonces, and more. An attacker who can control these random numbers, or who can merely predict the secret random numbers, has the power to decrypt encrypted messages and forge authenticated messages.
Cryptographic users obtain random numbers from software and hardware devices called "random-number generators" (RNGs). This site collects new results on one RNG, Dual EC, and also provides detailed background on this RNG.
Dual EC was standardized by the American standardization bodies ANSI and NIST and by the International Organization for Standardization, ISO. Cryptographers raised alarms about undesirable properties of Dual EC, including a potential back door; these alarms began while the NIST standard was still a draft. In September 2013, the New York Times mentioned Dual EC as an example of NSA's Bullrun program. In response, NIST issued an official bulletin that "strongly recommends" against Dual EC. On 21 April 2014, NIST issued a draft revision of SP 800-90A removing Dual EC; the comment period lasted until 23 May 2014. On 24 June 2015, NIST published Revision 1 of SP 800-90A. NIST's press release mentions the removal of Dual EC and comments: "This algorithm has spawned controversy because of concerns that it might contain a weakness that attackers could exploit to predict the outcome of random number generation."
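To make the shape of the back-door concern concrete, the following is an added example, not code from this site or from any Dual EC implementation. It models the Dual EC output structure (new state s = x(s*P), output = x(s*Q) with its top bits dropped) on an elliptic curve and reproduces, on that model, the observation Dan Shumow and Niels Ferguson presented in 2007: whoever knows a scalar e with P = e*Q can recover the internal state from one output block and predict every block after it, while nobody else can. The assumptions, also labelled in the code, are that secp256k1 stands in for the NIST P-256 curve the standard specifies (only because its parameters are short to state; the structure is unchanged), that 8 high bits are dropped per block instead of the standard's 16 so the search finishes in seconds, and that the scalar E_SECRET and the seed are constructed values. With the standard's 16 dropped bits the search is at most 2^16 candidates, still trivial; what the public never had was any e for the published Q, and NIST never explained how Q was generated.

```python
# Added example, not code from this site. Toy model of the Dual EC structure:
#   s_i = x(s_{i-1} * P),  r_i = x(s_i * Q),  output_i = r_i minus its top bits.
# Assumptions: secp256k1 stands in for the NIST P-256 curve Dual EC specifies
# (its parameters are short to state; the structure is identical); TRUNC_BITS
# is 8 instead of the standard's 16 so the search below runs in seconds; the
# scalar E_SECRET with P = E_SECRET*Q and the seed are constructed values.

P_MOD = 2**256 - 2**32 - 977          # field prime of secp256k1; P_MOD % 4 == 3
A, B = 0, 7                           # curve y^2 = x^3 + A*x + B
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    """Affine point addition on the curve; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return None               # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, P_MOD - 2, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, P_MOD - 2, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def x_of(pt):
    """x-coordinate of a point; the point at infinity has none."""
    if pt is None:
        raise ValueError("point at infinity; pick a different seed")
    return pt[0]

TRUNC_BITS = 8                        # the standard drops 16; 8 keeps the demo fast
MASK = (1 << (256 - TRUNC_BITS)) - 1  # low bits of x that are actually output

# Constructed back door: Q is a public point and P = E_SECRET*Q.  Whoever chose
# the constants knows E_SECRET; users of the generator see only P and Q.
Q = G
E_SECRET = 0x1F3A5C7E9B2D4F608A1C3E5F7091B3D52F4E6A8C0B1D3F5A7C9EAB0D2F4C6E80
P_PT = ec_mul(E_SECRET, Q)

def dual_ec_step(state):
    """One output block: new state s = x(state*P), output = x(s*Q) truncated."""
    s = x_of(ec_mul(state, P_PT))
    r = x_of(ec_mul(s, Q))
    return s, r & MASK

def generate(seed, blocks):
    """Run the generator from `seed` and return `blocks` consecutive outputs."""
    outs, s = [], seed
    for _ in range(blocks):
        s, o = dual_ec_step(s)
        outs.append(o)
    return outs

def mod_sqrt(a):
    """Square root mod P_MOD, valid since P_MOD % 4 == 3; None for a non-residue."""
    r = pow(a, (P_MOD + 1) // 4, P_MOD)
    return r if r * r % P_MOD == a % P_MOD else None

def recover_state(out1, out2, e):
    """Shumow-Ferguson: from two consecutive outputs and e with P = e*Q, return
    the internal state after out2 (so every later block is predictable), or
    None if no candidate fits, which is what happens with a wrong e."""
    for high in range(1 << TRUNC_BITS):
        r1 = (high << (256 - TRUNC_BITS)) | out1   # candidate for the full x(s1*Q)
        if r1 >= P_MOD:
            break
        y = mod_sqrt((r1 ** 3 + A * r1 + B) % P_MOD)
        if y is None:
            continue                  # no curve point has this x-coordinate
        R1 = (r1, y)                  # R1 = +/- s1*Q; the sign does not matter
        s2 = x_of(ec_mul(e, R1))      # e*R1 = +/- s1*P, whose x is the next state
        if x_of(ec_mul(s2, Q)) & MASK == out2:
            return s2                 # candidate reproduces out2: state recovered
    return None

if __name__ == "__main__":
    seed = 0x2B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFE  # constructed
    outs = generate(seed, 5)
    s2 = recover_state(outs[0], outs[1], E_SECRET)
    print("state recovered:", s2 is not None)
    print("next blocks predicted:", generate(s2, 3) == outs[2:])
    print("wrong e recovers nothing:", recover_state(outs[0], outs[1], E_SECRET + 1) is None)
```

The search needs only the low bits that the generator actually emits; the candidate that reproduces the next block is the state, and from there `generate` reproduces every later block exactly. Without the right e the same search finds nothing, which is why the whole question reduced to the provenance of Q.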
In February 2014, NIST issued a request for comments on the "principles, processes and procedures" behind NIST's "cryptographic standards development efforts". In May 2014, NIST's advisory committee "formed a panel of experts to assess NIST’s existing cryptographic standards and guidelines and the process by which they have been developed".
Summaries of subpages with new content
For details on the research credit stated in these summaries see the individual pages.
Last modified: 2015.06.28