[pbsd]

It seems to be a true statement: Dual EC is used to seed a X9.31 generator with 3DES, where 8 bytes are the initial seed V, and the remaining 24 are K (cf. [1]). I don't see any other usage of Dual EC other than to self-test and to seed X9.31.

Oddly, you can disable the Dual EC seeding with the flag 'one-stage-rng'. But not the other way around.

[1] http://csrc.nist.gov/groups/STM/cavp/documents/rng/931rngext...

[tptacek]

Unless the backdoor disables the X9.31 stage, what's the point of tampering with the Dual EC RNG, if its outputs are going to be mangled anyways?

[pbsd]

I don't know, it makes little sense to me too. Maybe there's some subtle flaw somewhere, which I haven't spotted. Since subtlety doesn't seem to be a thing with the changes we've seen so far, I'm not sure what to think.