zh %E5%8F%8C%E6%A4%AD%E5%9C%86%E6%9B%B2%E7%BA%BF%E7%A1%AE%E5%AE%9A%E6%80%A7%E9%9A%8F%E6%9C%BA%E6%AF%94%E7%89%B9%E7%94%9F%E6%88%90%E5%99%A8

双椭圆曲线确定性随机比特生成器（Dual Elliptic Curve Deterministic Random Bit Generator，Dual_EC_DRBG）^[1] ，是一种使用椭圆曲线密码学实现的密码学安全伪随机数生成器（CSPRNG）。该算法自2006年6月左右被公开，尽管受到了大量密码学家们的批评，并被认为存在潜在的后门，但直到2017年被撤销之前，Dual_EC_DRBG在七年的时间内都是NIST SP 800-90A定义的4个（现为3个）标准的CSPRNG之一。

参见

密码学安全伪随机数生成器
随机数生成器攻击
Crypto AG：一家主要从事通信和信息安全的瑞士公司，该公司长期受美国中央情报局与德国联邦情报局的直接控制，并在其加密机中插入后门^[2]。

参考文献

^ Recommendations for Random Number Generation Using Deterministic Random Bit Generators (Revised) (PDF). National Institute of Standards and Technology. January 2012 [2018-03-03]. NIST SP 800-90. （原始内容存档 (PDF)于2013-10-09）.
^ How the CIA used Crypto AG encryption devices to spy on countries for decades - Washington Post. www.washingtonpost.com. 2020-02-11 [2020-02-13]. （原始内容存档于2020-02-11）.

外部链接

NIST SP 800-90A - Recommendation for Random Number Generation Using Deterministic Random Bit Generators（页面存档备份，存于互联网档案馆）
Dual EC DRBG（页面存档备份，存于互联网档案馆） - Collection of Dual_EC_DRBG information, by Daniel J. Bernstein, Tanja Lange, and Ruben Niederhagen.
On the Practical Exploitability of Dual EC in TLS Implementations（页面存档备份，存于互联网档案馆） - Key research paper by Stephen Checkoway et al.
The prevalence of kleptographic attacks on discrete-log based cryptosystems（页面存档备份，存于互联网档案馆） - Adam L. Young, Moti Yung (1997)
United States Patent Application Publication US 2007189527,Brown, Daniel R. L. & Vanstone, Scott A.,「Elliptic curve random number generation」 on the Dual_EC_DRBG backdoor, and ways to negate the backdoor.
Comments on Dual-EC-DRBG/NIST SP 800-90, Draft December 2005 Kristian Gjøsteen's March 2006 paper concluding that Dual_EC_DRBG is predictable, and therefore insecure.
A Security Analysis of the NIST SP 800-90 Elliptic Curve Random Number Generator（页面存档备份，存于互联网档案馆） Daniel R. L. Brown and Kristian Gjøsteen's 2007 security analysis of Dual_EC_DRBG. Though at least Brown was aware of the backdoor (from his 2005 patent), the backdoor is not explicitly mentioned. Use of non-backdoored constants and a greater output bit truncation than Dual_EC_DRBG specifies are assumed.
On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng（页面存档备份，存于互联网档案馆） Dan Shumow and Niels Ferguson's presentation, which made the potential backdoor widely known.
The Many Flaws of Dual_EC_DRBG（页面存档备份，存于互联网档案馆） - Matthew Green's simplified explanation of how and why the backdoor works.
A few more notes on NSA random number generators（页面存档备份，存于互联网档案馆） - Matthew Green
Sorry, RSA, I'm just not buying it（页面存档备份，存于互联网档案馆） - Summary and timeline of Dual_EC_DRBG and public knowledge.
[//web.archive.org/web/20160818132539/http://www.ietf.org/mail-archive/web/cfrg/current/msg03651.html 页面存档备份，存于互联网档案馆） [Cfrg] Dual_EC_DRBG ... [was RE: Requesting removal of CFRG co-chair]] A December 2013 email by Daniel R. L. Brown defending Dual_EC_DRBG and the standard process.

[NIST-800-90-1] Recommendations for Random Number Generation Using Deterministic Random Bit Generators (Revised) (PDF). National Institute of Standards and Technology. January 2012 [2018-03-03]. NIST SP 800-90. （原始内容存档 (PDF)于2013-10-09）.

[2] How the CIA used Crypto AG encryption devices to spy on countries for decades - Washington Post. www.washingtonpost.com. 2020-02-11 [2020-02-13]. （原始内容存档于2020-02-11）.

[1]

[2]