雙橢圓曲線確定性隨機比特生成器

雙橢圓曲線確定性隨機比特生成器（Dual Elliptic Curve Deterministic Random Bit Generator，Dual_EC_DRBG）^[1] ，是一種使用橢圓曲線密碼學實現的密碼學安全偽隨機數生成器（CSPRNG）。該算法自2006年6月左右被公開，儘管受到了大量密碼學家們的批評，並被認為存在潛在的後門，但直到2017年被撤銷之前，Dual_EC_DRBG在七年的時間內都是NIST SP 800-90A定義的4個（現為3個）標準的CSPRNG之一。

參見

密碼學安全偽隨機數生成器
隨機數生成器攻擊
Crypto AG：一家主要從事通信和信息安全的瑞士公司，該公司長期受美國中央情報局與德國聯邦情報局的直接控制，並在其加密機中插入後門^[2]。

參考文獻

^ Recommendations for Random Number Generation Using Deterministic Random Bit Generators (Revised) (PDF). National Institute of Standards and Technology. January 2012 [2018-03-03]. NIST SP 800-90. （原始內容存檔 (PDF)於2013-10-09）.
^ How the CIA used Crypto AG encryption devices to spy on countries for decades - Washington Post. www.washingtonpost.com. 2020-02-11 [2020-02-13]. （原始內容存檔於2020-02-11）.

外部連結

NIST SP 800-90A - Recommendation for Random Number Generation Using Deterministic Random Bit Generators（頁面存檔備份，存於網際網路檔案館）
Dual EC DRBG（頁面存檔備份，存於網際網路檔案館） - Collection of Dual_EC_DRBG information, by Daniel J. Bernstein, Tanja Lange, and Ruben Niederhagen.
On the Practical Exploitability of Dual EC in TLS Implementations（頁面存檔備份，存於網際網路檔案館） - Key research paper by Stephen Checkoway et al.
The prevalence of kleptographic attacks on discrete-log based cryptosystems（頁面存檔備份，存於網際網路檔案館） - Adam L. Young, Moti Yung (1997)
United States Patent Application Publication US 2007189527,Brown, Daniel R. L. & Vanstone, Scott A.,「Elliptic curve random number generation」 on the Dual_EC_DRBG backdoor, and ways to negate the backdoor.
Comments on Dual-EC-DRBG/NIST SP 800-90, Draft December 2005 Kristian Gjøsteen's March 2006 paper concluding that Dual_EC_DRBG is predictable, and therefore insecure.
A Security Analysis of the NIST SP 800-90 Elliptic Curve Random Number Generator（頁面存檔備份，存於網際網路檔案館） Daniel R. L. Brown and Kristian Gjøsteen's 2007 security analysis of Dual_EC_DRBG. Though at least Brown was aware of the backdoor (from his 2005 patent), the backdoor is not explicitly mentioned. Use of non-backdoored constants and a greater output bit truncation than Dual_EC_DRBG specifies are assumed.
On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng（頁面存檔備份，存於網際網路檔案館） Dan Shumow and Niels Ferguson's presentation, which made the potential backdoor widely known.
The Many Flaws of Dual_EC_DRBG（頁面存檔備份，存於網際網路檔案館） - Matthew Green's simplified explanation of how and why the backdoor works.
A few more notes on NSA random number generators（頁面存檔備份，存於網際網路檔案館） - Matthew Green
Sorry, RSA, I'm just not buying it（頁面存檔備份，存於網際網路檔案館） - Summary and timeline of Dual_EC_DRBG and public knowledge.
[//web.archive.org/web/20160818132539/http://www.ietf.org/mail-archive/web/cfrg/current/msg03651.html 頁面存檔備份，存於網際網路檔案館） [Cfrg] Dual_EC_DRBG ... [was RE: Requesting removal of CFRG co-chair]] A December 2013 email by Daniel R. L. Brown defending Dual_EC_DRBG and the standard process.

[NIST-800-90-1] Recommendations for Random Number Generation Using Deterministic Random Bit Generators (Revised) (PDF). National Institute of Standards and Technology. January 2012 [2018-03-03]. NIST SP 800-90. （原始內容存檔 (PDF)於2013-10-09）.

[2] How the CIA used Crypto AG encryption devices to spy on countries for decades - Washington Post. www.washingtonpost.com. 2020-02-11 [2020-02-13]. （原始內容存檔於2020-02-11）.

[1]

[2]