This is an interactive proof-of-concept of the Dual_EC_DRBG backdoor. It uses an implementation of the 2006 Dual_EC_DRBG algorithm without any additional input. Please see this redacted NIST paper for algorithmic details. Project Bullrun also has a good overview of the subject.

This demonstration shows how a Shumlow-Ferguson attack could be executed to recover the internal state of the pseudorandom number generator after the attacker sees as little as 32 bytes. It attempts to adhere as closely as possible to the actual NIST specifications of the algorithm. However, because finding the actual backdoor used in the paper is computationally hard and would require solving the ECDLP, the demonstration uses its own version of point Q, and you can choose the backdoor d, such that dQ = P.

In order to run the demonstration, clone the repository and run cargo run. You can choose what curve, backdoor, and seed to use by passing them as additional arguments. By default, the program uses the P-256 curve and randomly generated seed and backdoor values. All numbers in the program are displayed in hexadecimal. Use cargo run -- --help for additional help.