NSA Back Door to NIST
Introduction
This article gives a brief mathematical description of the NIST standard for cryptographically secure pseudo-random number generation by elliptic curves, the back door to the algorithm discovered by Ferguson and Shumow, and finally the design of the back door based on the Diffie-Hellman key exchange algorithm.
NIST (the National Institute for Standards and Technology) of the U.S. Department of Commerce derives its mandate from the U.S. Constitution, through the congressional power to “fix the standard of weights and measures.” In brief, NIST establishes the basic standards of science and commerce. Whatever NIST says about cryptography is implemented in cryptographic applications throughout U.S. government agencies. Its influence leads to the widespread use of its standards in industry and the broad adoption of its standards internationally.
Elliptic Curves as Pseudo-Random Number Generators
The NIST standard gives a list $(E, p, n, f, P, Q)$ to be used for pseudo-random number generation.
- $E$ is an elliptic curve over a finite field $F_p$ of prime order $p$.
- The group $E(F_p)$ has order $n$, which is prime for all of the curves that occur in the NIST standard. The elements of the group $E(F_p)$ consist of the set of points on an affine curve, together with a point at infinity which serves as the identity element of the group. The affine curve is defined by an equation $y^2 = f(x)$ for some explicit cubic polynomial $f$ in $F_p[x]$.
- $P$ and $Q$ are given points on the affine curve.
- NIST gives a few such sets of data; in each case $p$ is large -- the smallest is greater than $10^{77}$. The standard stipulates that "one of the following NIST approved curves with associated points shall be used in applications requiring certification under FIPS-140 [U.S. government computer security accreditation]."
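To make the list $(E, p, n, f, P, Q)$ concrete, here is an added toy model (not from the article or the NIST standard) on the textbook curve $y^2 = x^3 + 2x + 2$ over $F_{17}$, whose group has prime order $n = 19$; the points $P$ and $Q$, the seed and the scalar $e$ are constructed for the illustration. The generator follows the Dual_EC_DRBG structure (state $s \leftarrow x(sP)$, output $x(sQ)$), and `predict_next` shows the property the article is about: anyone who knows $e$ with $P = eQ$ recovers the next state from a single output, which is why $Q$ must have no known relation to $P$.

```python
# Toy model of the (E, p, n, f, P, Q) list on the textbook curve y^2 = x^3 + 2x + 2
# over F_17 (n = 19 points, prime). NOT a NIST curve; P, Q, seed and e are constructed.
p, a, b, n = 17, 2, 2, 19
INF = None  # point at infinity, the group identity

def on_curve(pt):  # does pt satisfy y^2 = f(x) = x^3 + a*x + b in F_p?
    x, y = pt
    return (y * y - (x ** 3 + a * x + b)) % p == 0

def add(P1, P2):  # affine group law on E(F_p)
    if P1 is INF: return P2
    if P2 is INF: return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF  # P + (-P)
    if P1 == P2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p)
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, pt):  # scalar multiple k*pt by double-and-add
    acc = INF
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def x_of(pt):  # x-coordinate; the toy state must never become 0
    if pt is INF: raise ValueError("toy curve: state hit the identity")
    return pt[0]
P = (5, 1)        # generates all of E(F_17)
Q = mul(3, P)     # hidden relation: P = e*Q with e = 3^-1 mod n
e = pow(3, -1, n)

def dual_ec(seed, count):
    # Dual_EC_DRBG core: s <- x(s*P), emit x(s*Q). The real standard
    # drops the top 16 bits of each output; this toy emits the whole x.
    s, out = seed, []
    for _ in range(count):
        s = x_of(mul(s, P))
        out.append(x_of(mul(s, Q)))
    return out

def predict_next(r):
    # Knowing e, one output r yields the next state: lift r to R = (r, y)
    # on E, then x(e*R) = x(s*e*Q) = x(s*P) = s_next; return its output.
    y = next(y for y in range(p) if on_curve((r, y)))
    return x_of(mul(x_of(mul(e, (r, y))), Q))
```

With seed 4 the generator emits 7, 13, 6, and `predict_next(7)` returns 13 without knowing the seed; on the real curves the truncated 16 bits only multiply this work by $2^{16}$.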