The standard does say on page 77
> One of the following NIST approved curves with associated points shall be used in applications requiring certification under [FIPS 140].
and it seems likely that this was what mandated the backdoored points.
But the standard actually also allows you to output fewer bits in the output function, on page 65. Using about half the X coordinate as output (instead of all but 16 bits) should actually also stop the backdoor attack. At least according to Certicom's Daniel Brown, who patented the backdoor for Dual EC DRBG in 2005, as well as ways to mitigate the backdoor. OpenSSL could actually have used an "outlen" parameter of about half the key length, which would probably have been safe.
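As an added illustration (not the commenter's code, and not NIST's or OpenSSL's), here is a toy Dual EC DRBG over a small constructed curve that shows why the "outlen" parameter matters: for a given truncated output, it counts how many curve x-coordinates are still consistent with it. Dropping 1 of 17 bits (the analogue of dropping 16 of 256) leaves at most two candidates, while outputting only about half the bits leaves hundreds. The prime, curve, points and seed are constructed assumptions, not the FIPS curves.

```python
# Toy Dual EC DRBG on a constructed curve y^2 = x^3 + A*x + B mod P_MOD.
# Constructed parameters for illustration only; NOT the NIST/FIPS curves.
P_MOD = 65537                    # field prime 2^16 + 1, so x fits in 17 bits
A, B = 2, 4                      # B is a square, so x = 0 lies on the curve
INF = None                       # point at infinity

def ec_add(p1, p2):
    """Affine point addition (handles doubling and the point at infinity)."""
    if p1 is INF: return p2
    if p2 is INF: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def x_coord(pt):
    return 0 if pt is INF else pt[0]   # x = 0 is a valid curve x here

P_POINT = (0, 2)                 # constructed base point: 2^2 = B
Q_POINT = ec_mul(7, P_POINT)     # constructed Q (a known scalar relation)

def dual_ec_step(s):
    """One Dual EC step: s' = x(s*P), r = x(s'*Q). Returns (s', r)."""
    s_new = x_coord(ec_mul(s, P_POINT))
    return s_new, x_coord(ec_mul(s_new, Q_POINT))

def truncate(r, outlen):
    """Output function: keep only the low outlen bits of the x coordinate."""
    return r & ((1 << outlen) - 1)

def candidate_x(output, outlen):
    """All curve x-coordinates whose low outlen bits equal this output."""
    cands = []
    for x in range(output, P_MOD, 1 << outlen):
        rhs = (x * x * x + A * x + B) % P_MOD
        if rhs == 0 or pow(rhs, (P_MOD - 1) // 2, P_MOD) == 1:  # square?
            cands.append(x)
    return cands
```

With outlen=16 (one bit dropped) the true x is one of at most two candidates; with outlen=8 it hides among roughly 256, which is the effect the comment attributes to a half-length outlen.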
Copyright © 2017, Eklektix, Inc.