Correction. We know the following about Dual_EC_DRBG:
- NSA provided NIST with the required elliptic curves and recommended EC parameters p and q;
- If p and q are related in a certain way, there is a back door;
- The NIST paper gave instructions that those who were suspicious and wanted to roll their own could use to generate their own values for p and q, and those instructions, if used correctly, made the probability of a back door vanishingly small (but not exactly zero);
- The probability that normal developers and users would bother to pick their own p, q was small and, as far as I know, this was not done commercially.
We do not know how the NSA produced the values given in SP-800-90 and its successors. In particular, we do not know that it was not done in the way described in Appendix A of SP-800-90.
While I anticipate a substantial number of negative votes, I would much rather see a credible reference to a source that establishes whether or not the DRBG was corrupt in fact, rather than simply constructed in such a way that it might have been.