Dual EC: A Standardized Back Door

  • Daniel J. Bernstein
  • Tanja Lange
  • Ruben Niederhagen
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9100)


Dual EC is an algorithm to compute pseudorandom numbers starting from some random input. Dual EC was standardized by NIST, ANSI, and ISO among other algorithms to generate pseudorandom numbers. For a long time this algorithm was considered suspicious – the entity designing the algorithm could have easily chosen the parameters in such a way that it can predict all outputs – and on top of that it is much slower than the alternatives and the numbers it provides are more biased, i.e., not random.

The Snowden revelations, and in particular reports on Project Bullrun and the SIGINT Enabling Project, have indicated that Dual EC was part of a systematic effort by NSA to subvert standards.

This paper traces the history of Dual EC including some suspicious changes to the standard, explains how the back door works in real-life applications, and explores the standardization and patent ecosystem in which the standardized back door stayed under the radar.
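To make the parameter problem in the abstract concrete, here is an added toy Dual EC over a small hand-picked curve (example code written for this page, not the paper's own code and not the real NIST constants): whoever knows the scalar d with P = d*Q can recompute every later output from one observed output. The curve, the point Q, the secret d and the seed are all constructed here; the real generator's 16-bit output truncation is omitted.

```python
p, a, b = 2**127 - 1, 2, 3          # toy curve y^2 = x^3 + 2x + 3 over F_p, p % 4 == 3

def add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0: return None
    if A == B: lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:      lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, A):
    """Double-and-add scalar multiplication k*A."""
    R = None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def lift_x(x):
    """Recover a point from its x-coordinate; either sign of y works below."""
    rhs = (x**3 + a * x + b) % p
    y = pow(rhs, (p + 1) // 4, p)          # square root because p % 4 == 3
    assert y * y % p == rhs, "x is not on the curve"
    return (x, y)

# Q: first curve point found by searching x; the planted relation is P = d*Q.
Q = next(lift_x(x) for x in range(1, 200) if pow((x**3 + a*x + b) % p, (p - 1) // 2, p) == 1)
d = 0x1D3A7C5E9B2F                     # designer's secret scalar (constructed)
P = mul(d, Q)

def dual_ec(seed, n):
    """Toy Dual EC: state s <- x(s*P), output x(s*Q), no bit truncation."""
    s, out = seed, []
    for _ in range(n):
        s = mul(s, P)[0]
        out.append(mul(s, Q)[0])
    return out

def predict(observed, n):
    """Knowing d: lift output r to R = s*Q; d*R = s*P, whose x is the next state."""
    r, out = observed, []
    for _ in range(n):
        s = mul(d, lift_x(r))[0]
        r = mul(s, Q)[0]
        out.append(r)
    return out
```

The check a reviewer of any standardized constant should be able to make is the converse: if nobody can show how Q was derived from P (or vice versa), the possibility that such a d exists cannot be ruled out.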


Keywords: Random-number generation, back doors, NSA, ANSI, NIST, ISO, RSA, Certicom, undead RNGs



Copyright information

© Springer-Verlag Berlin Heidelberg 2016

Authors and Affiliations

  • Daniel J. Bernstein (1, 2)
  • Tanja Lange (1)
  • Ruben Niederhagen (1)
  1. Department of Mathematics and Computer Science, Technische Universiteit Eindhoven, Eindhoven, The Netherlands
  2. Department of Computer Science, University of Illinois at Chicago, Chicago, USA
