[red_admiral]

As far as I'm aware, the other problem with Dual EC is there's two kinds of componets you can use to build a DRBG: "chaotic" (think hash functions, or components thereof) and "algebraic" (highly structured but guaranteed to have certain properties such as minimum period size).

Cryptographic common sense is that if you use an "algebraic" generator, you feed the output through a "chaotic" one at the end. This can't possibly harm security (as long as the output transformation doesn't depend on secret state) as there's a reduction in which the adversary just does the transformation themselves. This is even more important if the algebraic transformation is efficiently invertible in principle, for example if someone has extra secret knowledge (such as the dlog of the base point in use).

If they'd used Dual-EC followed by SHA1 or something that would have not only been better according to folk wisdom, and demonstrably no worse for security (and costing very little compared to the EC operations) but it would also have shut down a lot of conjectured attacks that one could do with twiddled constants.

Yet for some reason, Dual-EC decided to go with an algebraic approach without a "chaotic" output transformation, which is either extreme incompetence or strong evidence that someone is up to no good.

[tptacek]

This is really overthinking it. Dual EC is an asymmetric RNG; it "encrypts" its state to a public key, with an undisclosed private key. To believe it wasn't backdoored (as some people, me included, did --- long story!) you have to take on faith that nobody in the world actually has that private key. We're now fairly sure someone does. That's the whole story.

[red_admiral]

You're probably right, I'm just saying that if you want to design a RNG that doesn't look extremely suspicious, you do it in such as way that there is no way to have a private key to start with. For example with a hash function somewhere in the loop, since these are (presumably) one-way.