Dual EC DRBG



Where does Dual EC come from?

The Dual EC algorithm is included in ANSI X9.82, ISO 18031, and NIST SP 800-90. In July 2004 NIST hosted a workshop on random number generation. Documents posted by NIST, as well as reports from the ISO committee, show that Dual EC was first proposed to ANSI and drafts of the proposal were passed to ISO and NIST. In the end ISO published their standard in 2005, before ANSI and NIST. NIST was still soliciting comments in 2005 and eventually published their first version in June 2006. The earliest available ANSI version is from 2007.

None of these documents lists an author for Dual EC. The NIST workshop documents show that the NSA was involved in the workshop (see, e.g., Mike Boyle, Paul Timmel, and Debby Wallner, all from NSA, on the agenda) but Dual EC was presented in slides by Don Johnson (at that time at Entrust). Miles Smid's slides include the statement "ANSI X9.82 Concepts submitted as input to ISO/IEC CD 18031. (See Debby Wallner)" but this does not imply NSA authorship of Dual EC. It is not clear whether the origin of Dual EC was known to the ANSI and ISO committees that standardized it.

On 05 September 2013 the Guardian, ProPublica, and the New York Times reported the existence of the SIGINT Enabling Project, an NSA effort to make "design changes" in systems so as to make those systems "exploitable through SIGINT collection", for example by influencing "standards". At the end of page 3 the NYT article contains the following statement, strongly suggesting that Dual EC was designed by the NSA:

Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006 by the National Institute of Standards and Technology and later by the International Organization for Standardization, which has 163 countries as members.
Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the standard and aggressively pushed it on the international group, privately calling the effort "a challenge in finesse."
"Eventually, N.S.A. became the sole editor," the memo says.

The official authors of NIST SP 800-90 are Elaine Barker and John Kelsey from NIST. Kelsey, in December 2013 slides, summarized the X9.82 standardization effort as "NIST and NSA, with some participation from CSE" [page 2]; under the headline "Moving to NIST Special Publications" [page 3] stated "Most of work on standards done by US federal employees (NIST and NSA, with some help from CSE)"; and later stated [page 7] that the standard Dual EC DRBG parameters P and Q come "ultimately from designers of Dual EC DRBG at NSA".

Authors of this "Where does Dual EC come from?" page (alphabetical order)




Last modified: 2014.03.30