Dual_EC_DRBG backdoor: a proof of concept

175 points by infinity, over 11 years ago

5 comments

pbsd, over 11 years ago
Here's an example in Sage, if the verbosity of OpenSSL code annoys you as much as it does me:

```python
# Sage script (run with `sage script.sage` or paste into a Sage session)
import os

# NIST P-256 parameters: group order n, field prime p, curve coefficients, base point P
n = 115792089210356248762697446949407573529996955224135760342422259061068512044369
p = 2^256 - 2^224 + 2^192 + 2^96 - 1
a = -3
b = 41058363725152142129326129780047268409114441015993725554835256314039467401291
E = EllipticCurve(GF(p), [a, b])
P = E(48439561293906451759052585252797914202762949526041747995844080717082404635286,
      36134250956749795798585127919587881956611106672985015071877198253568414405109)

# The standard's Q, whose relationship to P is not public. Not used here:
# Q = E(91120319633256209954638481795610364441930342474826146651283703640232629993874,
#       80764272623998874743522585409326200078679332703816718187804498579075161456710)

# Instead, pick our own Q = e*P, so that e^-1 (mod n) is the trapdoor
e = 0x12345678
ei = inverse_mod(e, n)
Q = e*P

def to_bin(x):
    # 240-bit integer -> 30 big-endian bytes
    return bytes.fromhex("%060x" % x)

def from_bin(x):
    return int.from_bytes(x, "big")

def dual_ec_drbg(s, length):
    out = b''
    for i in range(0, length, 30):
        x, y = (s*P).xy()
        s = Integer(x)                 # state update: s <- x(s*P)
        x, y = (s*Q).xy()
        r = Integer(x) % 2**240        # output: x(s*Q) with the top 16 bits dropped
        out += to_bin(r)
    return out[0:length]

def recover_s(s0, s1):
    for i in range(2**16):             # For all possible 256-bit x
        r = i*2**240 + s0
        if E.is_x_coord(r):            # is valid x?
            R = E.lift_x(r)            # Lift it to a point
            x, y = (R*ei).xy()         # Undo s*Q (= s*e*P), leaving s*P
            s = Integer(x)
            x, y = (s*Q).xy()
            # Check if it matches next observed block
            if (Integer(x) % 2**240) == s1:
                return s               # done
    return None

# Get 3 blocks: 2 are for the break, the other to confirm prediction
s = dual_ec_drbg(from_bin(os.urandom(16)), 30*3)
s0 = from_bin(s[ 0:30])
s1 = from_bin(s[30:60])
s2 = from_bin(s[60:90])

# Recover internal state
s = recover_s(s0, s1)

# Now try predicting something
t = dual_ec_drbg(s, 30)
assert from_bin(t) == s2
print("Done")
```
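The same state-recovery attack, as an added example that is not part of pbsd's snippet or the original article: a plain Python 3 re-implementation over a small constructed curve so that it runs without Sage. Everything in it is an assumption for the demo and not a NIST constant: the curve y^2 = x^3 + 2x + 3 over GF(10007), the points Q and P found from it, the trapdoor scalar d = 7919 and the seed 0x1234. It writes the trapdoor the way Shumow and Ferguson presented it, P = d*Q, so a recovered output point s*Q is turned into the next state by computing d*(s*Q) = s*P, instead of pbsd's multiplication by the inverse of e. As in the Sage version it brute-forces the dropped top bits of the output, lifts each candidate x to a point, confirms the candidate against the following output blocks, and then predicts a block it never saw.

```python
# Added example (not from the thread): toy Dual EC DRBG with a known trapdoor d such that P = d*Q.
# All parameters below are constructed for this demo; they are NOT the NIST P-256 constants.

P_MOD = 10007                    # toy field prime; 10007 % 4 == 3 so a square root is a single pow()
A, B = 2, 3                      # toy curve y^2 = x^3 + 2x + 3 over GF(10007)
P_BITS = P_MOD.bit_length()      # 14
DROP_BITS = 2                    # real Dual EC drops the top 16 of 256 bits; here the top 2 of 14
KEEP_BITS = P_BITS - DROP_BITS   # 12 bits of each x-coordinate are emitted
MASK = (1 << KEEP_BITS) - 1
TRAPDOOR_D = 7919                # constructed secret scalar; the backdoor is P = TRAPDOOR_D * Q


def lift_x(x):
    """Return a point (x, y) on the curve with this x, or None if no such point exists."""
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)       # valid square root only because P_MOD % 4 == 3
    return (x, y) if (y * y) % P_MOD == rhs else None


def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:              # p1 == -p2
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, P_MOD - 2, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, P_MOD - 2, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def first_point(x):
    """First x >= start that lifts to a point with y != 0 (skips the order-2 points)."""
    while True:
        pt = lift_x(x)
        if pt is not None and pt[1] != 0:
            return pt
        x += 1


Q = first_point(5)                # public point Q (constructed)
P = ec_mul(TRAPDOOR_D, Q)         # public point P; only the holder of TRAPDOOR_D knows P = d*Q


def dual_ec_drbg(seed, nblocks):
    """Toy Dual EC: s <- x(s*P); emit x(s*Q) with the top DROP_BITS bits discarded."""
    s = seed
    out = []
    for _ in range(nblocks):
        sp = ec_mul(s, P)
        sq = ec_mul(sp[0], Q) if sp is not None else None
        if sq is None:
            return None               # state hit the point at infinity (practically never)
        s = sp[0]
        out.append(sq[0] & MASK)
    return out


def recover_state(observed, d):
    """From >= 2 output blocks and the trapdoor d, return the state that produced observed[1:]."""
    for hi in range(1 << DROP_BITS):                  # brute-force the discarded top bits
        x_cand = (hi << KEEP_BITS) | observed[0]
        if x_cand >= P_MOD:
            break
        r_pt = lift_x(x_cand)                          # candidate for s*Q (its sign is irrelevant)
        if r_pt is None:
            continue
        s_pt = ec_mul(d, r_pt)                         # d*(s*Q) = s*P, whose x is the next state
        if s_pt is None:
            continue
        s_next = s_pt[0]
        chk = ec_mul(s_next, Q)
        if chk is None or (chk[0] & MASK) != observed[1]:
            continue                                   # wrong top bits for this candidate
        if dual_ec_drbg(s_next, len(observed) - 2) == observed[2:]:
            return s_next                              # consistent with every observed block
    return None


def demo(seed=0x1234):
    """Observe blocks 1-3, recover the state, and predict block 4 without having seen it."""
    blocks = dual_ec_drbg(seed, 4)
    state = recover_state(blocks[:3], TRAPDOOR_D)
    return state is not None and dual_ec_drbg(state, 2) == blocks[2:4]


if __name__ == "__main__":
    print("block 4 predicted from blocks 1-3:", demo())
```

The `d` argument of `recover_state` is the whole story: with the right scalar the loop over the dropped bits is a handful of point multiplications, and with any other scalar every candidate fails the consistency checks and the function returns None.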
flyryan, over 11 years ago
"I did not break the official algorithm. I do not know the secret value used to compute the Q constant, and thus cannot break the default implementation. Only NSA (and people with access to the key) can exploit the PRNG weakness."

I found this note interesting. How big is the secret value used to compute the Q constant? Is it a single static value or does it vary? Would it be possible to brute force this? I'm not a crypto expert and want to understand this a bit better.

One of the big arguments about the NSA introducing weaknesses into these algorithms is "this makes them insecure for everyone and flaws exploited by the government could be exploited by anyone", but this makes it sound like ONLY the NSA could exploit this.

I'm not saying this is better. I just think, if true, it's an interesting discussion point in the debate.

[Cross-posted and answered at /r/netsec]: http://www.reddit.com/r/netsec/comments/1u5jvw/dual_ec_drbg_backdoor_proof_of_concept/ceevcet
KwanEsq, over 11 years ago
I'm confused how this is valid, since he seems to be using the OpenSSL code without the patch[1] that actually makes Dual EC work and his patch doesn't (to my C-ignorant eyes) include the fix either. Does it fix it in another way?

[1] http://marc.info/?l=openssl-announce&m=138747119822324&w=2&x=1

[2] Discussion: https://news.ycombinator.com/item?id=6949652
nwh, over 11 years ago
Site seems sluggish, here's a mirror — http://archive.is/On8jE
StavrosK, over 11 years ago
"A*n* hashing algorithm"? That struck me as odd, is this valid in any accent other than Cockney?

EDIT: Oh, he's a fellow Greek. That explains that.