Editing Elliptic-curve cryptography (section)

=== Backdoors ===
Cryptographic experts have expressed concerns that the [[National Security Agency]] has inserted a [[kleptographic]] backdoor into at least one elliptic curve-based pseudo random generator.<ref>[https://www.schneier.com/essay-198.html "Did NSA Put a Secret Backdoor in New Encryption Standard?"]. ''www.schneier.com''.</ref> Internal memos leaked by former NSA contractor [[Edward Snowden]] suggest that the NSA put a backdoor in the [[Dual EC DRBG]] standard.<ref>{{Cite web|title = Government Announces Steps to Restore Confidence on Encryption Standards|url = http://bits.blogs.nytimes.com/2013/09/10/government-announces-steps-to-restore-confidence-on-encryption-standards/|website = NY Times – Bits Blog|access-date = 2015-11-06|date = 2013-09-10}}</ref> One analysis of the possible backdoor concluded that an adversary in possession of the algorithm's secret key could obtain encryption keys given only 32 bytes of PRNG output.<ref>{{Cite web |last1=Shumow |first1=Dan |last2=Ferguson |first2=Niels |title=On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng |url=http://rump2007.cr.yp.to/15-shumow.pdf |website=Microsoft}}</ref>

The SafeCurves project has been launched in order to catalog curves that are easy to implement securely and are designed in a fully publicly verifiable way to minimize the chance of a backdoor.<ref>{{Cite web | url = http://safecurves.cr.yp.to/ | title = SafeCurves: choosing safe curves for elliptic-curve cryptography | first1 = Daniel J. | last1 = Bernstein | first2 = Tanja | last2 = Lange | access-date = October 1, 2016}}</ref>