
Comment Re:Cut off your nose to spite your face (Score 1) 86

The problem isn't the algorithm. The "problem" is specifically a question of trust in how the constants for the curve were developed. There is no backdoor if you don't create one from the start. The possibility of there being one is gone if you have an open process to create the curve values in which a backdoor isn't created. At that point the remaining issue is performance. Up till now there have been three other RNGs in the standard if you don't like Dual_EC_DRBG. Yes you can compare the situation to DES because the issue in question is the same in both cases: trust in the body creating the standard. The fact that they are different types of encryption is meaningless. Either NSA did or didn't backdoor DES. Either NSA did or didn't backdoor Dual_EC_DRBG. There is now enough accumulated knowledge and evidence to say that they didn't backdoor DES. We may never know about Dual_EC_DRBG. Suspicion is reasonable, claims of knowledge aren't unless you worked at NSA on that standards effort unless you want to say you "just know."

Comment Re:Cut off your nose to spite your face (Score 1) 86

That really isn't right, is it? You're abusing the notion of "backdoor." The evidence that a backdoor is possible is incontrovertible. But practically speaking to have access to that backdoor you have to develop the backdoor values as part of defining the curve for the standard / implementation. If you don't develop the backdoor values as part of defining the curve then you are essentially back to solving the original problem in order to get your "shortcut". In other words, it is no help at all if you don't do it from the start. An unknown "backdoor" that is as hard or harder to solve than the original math problem isn't really what you could call a backdoor in conventional terms, is it?

Conclusions about Dual_EC_DRBG

The bias in the output mentioned earlier is concerning, but there are no known attacks against Dual_EC_DRBG unless you have pre-existing knowledge of the relationship between P and Q. In other words, this backdoor (if true as alleged) allows the NSA to break Dual_EC_DRBG but does not make it much vulnerable to anyone else. This is much different than a backdoor password which would be immediately usable by any adversary who discovered it (e.g. by reverse engineering the code).

On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng

Comment Re:Cut off your nose to spite your face (Score 1) 86

So, what are these algorithms that are impossible to backdoor either through design or implementation? No chance of another something like heartbleed, or Reflections on Trusting Trust?

There is actually nothing wrong with the algorithm for Dual_EC_DRBG, the issue is with people's trust of the constants that define the curve for it in the standard. The only issue there is that people don't trust them just like they didn't trust the NSA generated S-boxes that strengthened DES against secret cryptanalysis techniques. Choosing a new set of known good constants for the standard would resolve all the issues other than performance. Of course that would mean you would need to verify the new configuration was still good and generated proper numbers. (And no matter what you do there will be people that mistrust it, just as this thread started.)

Paranoia can be a useful factor in dealing with security, but it should be moderated and harnessed in a positive manner. If not you end up making mistakes due to poor judgment as I discussed in my other post on DES. You assume the worst case, flop around and make an even worse choice.

Comment Re:Cut off your nose to spite your face (Score 1) 86

That may be at some level, but keep in mind that operating only on suspicion makes it easy to end up in the "didn't use DES, got data read by differential cryptanalysis (or method X)" bin. Your choice. It is easy to have suspicions that aren't well founded, as well as false confidence.

Math majors get heavily recruited for those jobs for a reason. Sound encryption doesn't tend to emerge from whimsy.

Comment Re:Cut off your nose to spite your face (Score 1) 86

Clear thinking generally takes some effort. You should always be clear about what the evidence proves and what it doesn't prove or you are likely to make mistakes. Once you understand that you can apply your suspicions. There were plenty of people that assumed that DES was backdoored due to the changes made in the DES S-boxes prior to the standard being approved. They refused to use DES and used other technologies. It was later revealed that DES had been hardened against secret cryptanalysis techniques that cracked other methods. The people that refused to use DES and used those other methods were unknowingly using weaker encryption due simply to their suspicions. Operating by suspicion can be hazardous when it comes to encryption. Of course the flip side is true too, as the Ultra cracks of Enigma showed.

Comment Re:Cut off your nose to spite your face (Score 1) 86

As I understand it that is the nature of elliptic curve technology, so I don't think that is quite right. You may recall that elliptic curve encryption was thought to be a highly promising encryption technology at the time. I'm not sure that the calculations would really help you since you could probably generate the same points with or without a backdoor, although I could be mistaken on that point. But as far as I know there is no way to tell just by examining a set of constants if there is a backdoor or not. And that is where the controversy comes in.

Comment Re:Cut off your nose to spite your face (Score 1) 86

When it comes to encryption you're either going to trust somebody, who may end up having a hidden agenda and the ability to hide it from you, or you won't be exchanging encrypted messages. Even public review is no guarantee: "Oops! Looks like we didn't cover that obscure corner case, "glad" you spotted it!"

Comment Re:Cut off your nose to spite your face (Score 5, Insightful) 86

The problem is that by assuming the worst you can go down the wrong path if the situation isn't in fact worst case. Consider the example of DES encryption. The NSA tweaked the S-box values before the standard was approved. Nobody outside of NSA knew why. Many people suspected some sort of backdoor, but nobody could find one. As a result of the suspicion there were people that refused to use DES. Eventually it emerged that NSA had strengthened DES against secret cryptanalysis techniques that weren't generally known at the time. Many of the people that refused to use DES ended up using encryption schemes that were vulnerable to the secret techniques because they assumed the worst and were wrong. DES held up remarkably well against attacks over time, including attacks that were either invented or reinvented long after DES was approved.

Comment Re:Cut off your nose to spite your face (Score 1, Informative) 86

Presumably GP worries that if one out of four options selected by this body is not just flawed but apparently deliberately subverted, what does that say about how well the other three were vetted?

That isn't quite the issue. All of the options in the standard were vetted. The Dual_EC_DRBG option is controversial for performance, the correction to it, and one other reason. Some people claim that it has a backdoor, but that isn't what has been proven. What has been proven is that a backdoor is possible with the technology and you wouldn't know either way. You can generate values for the curve without creating a backdoor, and that would be less work. If there was a backdoor created, only the person or group that created the values used in the curve would know it and how to exploit it. If a backdoor exists for a particular set of curve values identifying it isn't easier than the original problem. It looks the same either way with or without a backdoor. People have been making exaggerated claims based on this ambiguity.

Comment Re:Surprised? (Score 1) 149

Ah yes, the "no true communist" fallacy. Surely you don't believe it? There has been no shortage of communists over the years willing to exterminate the class according to Marx's bloody theories (14:16-23:16) to try building yet another Marxist "utopia" of collectivism and a dictatorship of the proletariat. What makes you so certain you've got it right and none of those other millions that called themselves communists didn't?

Comment Re:Surprised? (Score 1) 149

I hope that if you haven't already done so that you make some time to share some of those memories with her. It would be a mark of shame on the generation that lived through it if the memory of communist oppression were to disappear quickly, especially since there are still communists straining for another chance to try building communism again.

Comment Re:Surprised? (Score 4, Informative) 149

If it was Soviet Estonia then your parents or grandparents weren't among the victims of repression or deportation, although they might be among the ethnic Russians moved there by the Soviet Union. (Ethnic Russian by any chance?) Those would be among the ethnic Russians that Putin has threatened other countries over.

Just a snippet of history: Soviet deportations from Estonia in 1940s

The Soviet Union had started preparations for the launch of terror in Estonian civil society already before the occupation of Estonia. As elsewhere, the purpose of communist terror was to suppress any possible resistance from the very beginning and to inculcate great fear among people in order to rule out any kind of organised general resistance movement in the future as well. In Estonia, the planned extermination of the prominent and active persons, as well as the displacement of large groups of people were intended to destroy the Estonian society and economy. The lists of people to be repressed were prepared well in advance. From the files of the Soviet security organs, it seems that already in the early 1930’s the Soviet security organs had collected data on persons to be subjected to repressions. Pursuant to the instructions issued in 1941, the following people in the territories to be annexed into the Soviet Union and their family members were to be subjected to repression: all the members of the former governments, higher state officials and judges, higher military personnel, former politicians, members of voluntary state defence organisations, members of student organisations, persons having actively participated in anti-Soviet armed combat, Russian émigrés, security police officers and police officers, representatives of foreign companies and in general all people having contacts abroad, entrepreneurs and bankers, clergymen and members of the Red Cross. Approximately 23 percent of the population belonged to these categories. In fact, the number of those actually subjected to repressions was much greater, for a large number of people not included in the lists also fell victim to the settlement of scores.

Submission + - A Putin Affiliate Evokes Hitler. The West Should Be Worried. (washingtonpost.com)

An anonymous reader writes: The Washington Post's Richard Cohen writes, "The head of a think tank associated with Vladimir Putin wrote the following in response to critics who liken the Russian president to Adolf Hitler and what he did so long ago: “One must distinguish between Hitler before 1939 and Hitler after 1939. The thing is that Hitler collected [German] lands. If he had become famous only for uniting without a drop of blood Germany with Austria, Sudetenland and Memel, in fact completing what Bismarck failed to do, and if he had stopped there, then he would have remained a politician of the highest class.” ... You hear similar arguments now about Putin and Russian-speaking peoples: Crimea is Russian. Eastern Ukraine is Russian. Maybe some of the Baltic states are Russian, too. Who knows? ... The Kremlin is stifling dissent. The Russian foreign minister is either lying with abandon or blithely passing lies on — or both. So-called green men, troops with their faces shielded and their identifying insignias missing, have circulated through eastern Ukraine, as they did in Crimea. ... These are similar to the techniques Hitler used to provoke intervention in neighboring countries. He was forever coming to the rescue of embattled German minorities. "

Comment Re:Surprised? (Score 2) 149

Yes, it would be a very bad thing for the Soviet Union to come back, a disaster of epic proportions. Communists killed 100,000,000 people in the last century. Such tyranny has seldom been equaled.

If you miss the "sanity" of Soviet times, you are woefully ignorant about events, badly confused, or a madman. Perhaps you could start smaller, such as suggesting widespread castration because it "calms" men?

If you really miss an ever present threat against you then you could try a visit to a tribal society and start a blood feud?
