Quoting from the paper:
The standard given by the NIST gives a list of explicit parameters ... describing the elliptic curve behind the algorithm.
Examining the points P and Q here, it is obvious why cryptographers were suspicious of the Dual EC ... once the scalar k is known, it is a “simple matter to determine the secret internal state s of the pseudo-random bit generator” [6], by observing as few as 32 bytes of output.
It goes on to quote one of the NSA contractors who admitted that instead of being randomly chosen, "Q is (in essence) the public key for some random private key."
"It could also be generated like a(nother) canonical G, but NSA kyboshed this idea, and I was not allowed to publicly discuss it, just in case you may think of going there."
Straying from the prescribed points was discouraged, and NIST only provided FIPS validation to clients using the original P and Q.
More recently, GPRS was also shown to have been intentionally weakened - presumably to pass export controls - although in this case I think it was the algorithm and not a "cherry picked" curve: https://eprint.iacr.org/2021/819.pdf