The existence of a potential backdoor in Dual EC DRBG was recognized by participants in the ANSI working group as early as 2005 and was publicly revealed by academic cryptographers in 2007 (Bernstein et al., 2015).
Adoption of any of the extensions would have made exploitation of the Dual EC DRBG backdoor much easier (Checkoway et al., 2014).
This appears to have been the case with Dual EC DRBG, where NIST's cryptographers deferred to the expertise of their NSA colleagues.
When evidence of a backdoor in Dual EC DRBG was published in September 2013, NIST released a statement saying that it "would not deliberately weaken a cryptographic standard" (NIST, 2013, para.
The NIST standard describing Dual EC DRBG was finally revised in June 2015 to remove the flawed algorithm, 10 years after participants in the ANSI working group first recognized the possibility of a backdoor.
NIST has used this model to develop some of its cryptographic standards, and because of the transparency of the process, these standards have remained trusted even after the Dual EC DRBG revelations.
The DRBGs use a variety of methods to create a truly random number called a seed.
(The researchers said the National Institute of Standards and Technology has approved three DRBGs for use by the U.S.
"I think our work could be more impactful if someone extended it to apply to DRBGs that are even more widely used than HMAC-DRBG," she said.