
A Patent From 2004 Describes Dual EC As Key Escrow - tptacek
https://twitter.com/eqe/status/417035396044697600
======
meowface
Interestingly, the patent even mentions the actual use case:

> Therefore, if the ECRNG is used to generate the encryption key K, then it may
> be possible that the escrow key e can be used to recover the encryption key K.
> Escrow keys can provide other functionality, such as _for use in a wiretap_.
> In this case, _trusted law enforcement agents may need to decrypt encrypted
> traffic of criminals_, and to do this they may want to be able to use an
> escrow key to recover an encryption key.

------
casca
This patent was originally owned by Certicom, now part of Blackberry. One of
the inventors was Scott Vanstone, whose excellent book, Handbook of Applied
Cryptography, lives on my desk.

The patent seems to indicate that Dual EC is known to be usable for escrow,
something that the NSA surely knew. But given the pedigree of the authors, it
must have been known by a bunch of other people well before the March 2013
publication date.

There's something odd going on here.

~~~
Zigurd
> _But given the pedigree of the authors, it must have been known by a bunch
> of other people well before the March 2013 publication date_

Unfortunately I cannot recall the details of key escrow as it was implemented
in Lotus Notes. It is a fact Notes used BSAFE. And it appears to be true that
key escrow, or key recovery, was an intentional feature of this RNG. But I did
not learn, at the time, how key escrow was implemented in Notes.

------
tptacek
Been waiting a little while for this one to come out.

Key escrow schemes were the establishment answer to the problem of crypto
enabling crime. The idea was that strong crypto would be outlawed, and the
government would instead provide regulated crypto that would include overt
backdoors for lawful access. Thankfully, that idea perished in the crypto wars
of the '90s.

One line of reasoning about Dual EC, the PKRNG that is believed to be the
backdoor referenced by the NSA BULLRUN leak, is that it could have been
innocuous and suffering merely from bad optics: while there would in the
universe be ECC points that would allow attackers to "decrypt" random numbers
and recover PKRNG state, those numbers had been generated and discarded
honestly.

The presence of this patent and its explicit claims on key escrow applications
grievously harms that argument. It's circumstantially but potently damning.

For whatever it's worth to you: while I don't believe that it had much real-
world impact (I think pretty much exactly what Lucky Green said about Dual EC
in the most recent Reuters discussion), I'm 99% convinced Dual EC was intended
as a backdoor. There is at least one scenario where it actually made sense in
practice --- that is, where it could plausibly have been deployed.

The PKRNG "escrow" scheme is especially damning, because it's intrinsically
surreptitious. Conventional key escrow schemes presume that all users know
their keys are escrowed. A PKRNG escrow scheme kicks in even in systems that
assume they aren't escrowed. It's an evil idea.

There is at least one plausible (though I think dumb) argument for PKRNG (it
allows you to compose a whole cryptosystem in terms of a smaller number of
primitives --- if you need the PK primitives anyways, it might be nice in a
formal sense to have the CSPRNG rely on those same primitives). But there are
no practical arguments in favor of a CSPRNG having PK structure. CSPRNGs based
on stream ciphers, for instance, regularly rekey: their outputs aren't all
bound under a static root secret. PKRNG is such a goofy idea that it was hard
to take it seriously as a backdoor to begin with.

If the whole Twitter thread doesn't pop up for you like it does for me, here's
the link to the actual patent:

[http://www.freshpatents.com/Elliptic-curve-random-number-gen...](http://www.freshpatents.com/Elliptic-curve-random-number-generation-dt20070816ptan20070189527.php)

Tanja Lange makes another devious point: since ECC PKRNGs are patented,
there's a financial disincentive to ever using alternate parameters for it,
because tuning your ECC PKRNG and using (presumably) non-backdoored points
could result in your system being royalty-encumbered. Man. Ick.

~~~
JasonPunyon
Why didn't you come out with it?

~~~
tptacek
What a weird question.

~~~
maaku
The first sentence of your post could be interpreted to mean that you _knew_
about this for "a little while" but decided not to inform the rest of us, in
which case I don't think it's that weird to ask "why didn't you tell us?"

~~~
tptacek
Because I wasn't at liberty to.

~~~
wreegab
Then why did you answer "What a weird question" instead of just saying so?

~~~
tptacek
What other answer could there have been?

~~~
Dylan16807
The initial comment was possibly ambiguous as to whether you had known about
this specific thing.

Even after that is clarified, it could have been professional courtesy rather
than 'not at liberty', and possibly other reasons would have worked too.

------
quasse
Here's a link to the Google Patents page:
[http://www.google.com/patents/US8396213](http://www.google.com/patents/US8396213)

Relevant lines are "Intentional use of escrow keys can provide for back up
functionality. The relationship between P and Q is used as an escrow key and
stored by for a security domain. The administrator logs the output of the
generator to reconstruct the random number with the escrow key."

------
raverbashing
See this ladies and gentlemen?

This is why you don't patent stuff that's supposed to be _secret_, regardless
of what other people think

~~~
adestefan
It's actually possible to file a patent along with a secrecy order. This is
done to protect the government in case someone else ever tries to patent the
same idea at a later date. And before someone freaks out, this is not new. It
was imposed during WW I, WW II, and then codified in the Invention Secrecy Act
of 1952.

~~~
sanxiyn
In particular, patent GB630726 by Leo Szilard, Producing neutrons, covering
nuclear chain reaction, was one such secret patent. I think it probably was a
good idea to keep that secret.

------
this_user
Here's the video of the talk from 30c3 that I assume was referenced:
[http://www.youtube.com/watch?v=G-TM9ubxKIg](http://www.youtube.com/watch?v=G-TM9ubxKIg)

It's actually worth watching if you haven't been closely following all of the
crypto related revelations this year.

------
middleclick
Can anyone please explain what this means for someone who doesn't understand
crypto?

~~~
bm1362
I'll give it a shot, but I have absolutely no experience with cryptography.

I found this video to help explain the concept:

[http://www.youtube.com/watch?v=ulg_AHBOIQU&feature=c4-overvi...](http://www.youtube.com/watch?v=ulg_AHBOIQU&feature=c4-overview&list=UUoxcjq-8xIDTYp3uz647V5A)

The relationship between P and Q (two points on the elliptic curve, see the
video) allows someone to predict the RNG behavior. This is alleged to be used
by the NSA, and the paper above predicts this relationship being used to
provide an escrow-like ability for a 3rd party to access encrypted data.

Someone please correct me if I am wrong, as I would like to further my
understanding as well.
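
A toy version of the escrow mechanism that tptacek, quasse and bm1362 describe above, written as an added example (not code from this thread, the patent, or any standard): the field prime, curve, points and the secret e are constructed, with Q fixed and P = e*Q, so that whoever holds e can turn one logged output into the generator's next state and reproduce everything it emits afterwards.

```python
# Toy Dual EC with the patent's "escrow key". Constructed example: tiny field,
# made-up curve, made-up secret e. NOT the NIST P-256 parameters or its Q.
P_MOD = 2**31 - 1              # prime, 3 mod 4 so a square root is one pow()
A, B = 7, (-13) % P_MOD        # y^2 = x^3 + A*x + B, chosen so (2, 3) lies on it

def ec_add(p1, p2):
    """Affine addition on the short Weierstrass curve; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0: return None
    if p1 == p2: lam = (3*x1*x1 + A) * pow(2*y1, -1, P_MOD)      # doubling
    else:        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)       # chord
    x3 = (lam*lam - x1 - x2) % P_MOD
    return (x3, (lam*(x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):             # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def lift_x(x):
    """A point with x-coordinate x; which sign of y we get does not change x(e*R)."""
    rhs = (x**3 + A*x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if (y*y - rhs) % P_MOD == 0 else None

Q, ESCROW_E = (2, 3), 123456789   # e is the escrow key: the relationship P = e*Q
P = ec_mul(ESCROW_E, Q)

def dual_ec_step(s):
    """One Dual EC step: r = x(sP); output t = x(rQ); next state = x(rP)."""
    r = ec_mul(s, P)[0]
    return ec_mul(r, Q)[0], ec_mul(r, P)[0]

def escrow_recover(t):
    return ec_mul(ESCROW_E, lift_x(t))[0]   # x(e*rQ) = x(rP) = the next state

def demo(seed=42, n=4):
    """Generator emits n outputs; the escrow holder sees only the first one
    and reproduces outputs 1..n-1. Returns (actual, predicted)."""
    s, actual = seed, []
    for _ in range(n):
        t, s = dual_ec_step(s)
        actual.append(t)
    s, predicted = escrow_recover(actual[0]), []
    for _ in range(n - 1):
        t, s = dual_ec_step(s)
        predicted.append(t)
    return actual[1:], predicted
```

The toy keeps the whole x-coordinate as output; the real P-256 instance drops the top 16 bits of each output, which only adds a 2^16 search over candidate x values for the holder of e. Without e, recovering the state requires solving the discrete logarithm between P and Q, which is exactly what a real-size curve is meant to make infeasible.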

