Members of the ANSI standard group, to which Dual_EC_DRBG was first submitted, were aware of the exact mechanism of the potential backdoor and how to disable it, but did not take sufficient steps to unconditionally disable the backdoor or to widely publicize it. In April 21, 2014, NIST withdrew Bsafe crypto c from its draft guidance on random number generators recommending “current users of Dual_EC_DRBG transition to one of the three remaining approved algorithms as quickly as possible. Young and Moti Yung present their cryptovirology paper “Kleptography: Using Cryptography Against Cryptography” at Eurocrypt 1997.
Young and Moti Yung present their cryptovirology paper “The Prevalence of Kleptographic Attacks on Discrete-Log Based Cryptosystems” at Crypto 1997. The paper presents a recipe on how to build asymmetric backdoors into crypto algorithms based on discrete logs. NSA drives to include Dual_EC_DRBG in ANSI X9. 82, when the standardization process kicks off in the early 2000s. P and Q values was brought up at an ANSI X9.
TLS or SSH2 implementations with hidden and unfilterable key recovery Users will not notice the key recovery mechanism because the scheme is hidden. 82, Part 3 is published, which includes Dual_EC_DRBG. RSA makes Dual_EC_DRBG the default CSPRNG in BSAFE. Priority date of a patent application by the two Certicom members of the ANSI X9. IEC 18031:2005 is published, and includes Dual_EC_DRBG. The first draft of NIST SP 800-90A is released to the public, includes Dual_EC_DRBG.
NIST SP 800-90, Draft December 2005 showing that part of Dual_EC_DRBG is “not cryptographically sound”, and constructing a bit-predictor with an advantage of 0. 0011, which is considered unacceptable for a CSPRNG. Brown publishes “Conjectured Security of the ANSI-NIST Elliptic Curve RNG”, concluding that ” should be a serious consideration”, assuming less truncation of the curve points than is present in Dual_EC_DRBG, as shown necessary by Gjøsteen’s 2006 paper. Berry Schoenmakers and Andrey Sidorenko publish a Cryptanalysis of the Dual Elliptic Curve Pseudorandom Generator, showing that empirically the output from Dual_EC_DRBG can be distinguished from random bits, concluding that Dual_EC_DRBG is insecure as a CSPRNG. Note that this is a separate problem from the backdoor. NIST SP 800-90A is published, includes Dual_EC_DRBG with the defects pointed out by Kristian Gjøsteen and Berry Schoenmakers and Andrey Sidorenko not having been fixed.
Young and Yung publish a research paper detailing a provably secure asymmetric backdoor in SSL. The asymmetric backdoor utilizes a twisted pair of elliptic curves resulting in a discrete log kleptogram that easily fits into the hello nonce. The attack is an attack on SSL random number generation. Dan Shumow and Niels Ferguson give an informal presentation demonstrating that an attacker with the backdoor and a small amount of output can completely recover the internal state of EC-DRBG, and therefore predict all future output. Bruce Schneier publishes an article with the title “Did NSA Put a Secret Backdoor in New Encryption Standard?