Re: Or right if you work for some intelligence agency
You're multiplying entities needlessly. It's difficult to do constant-time big-number arithmetic correctly, and the dangers of timing side-channel attacks for ECC were not well-documented until relatively recently. Thus it's probable that most or all of these attacks are accidental.
While well-resourced actors are likely capable of subverting the TPM development process at various OEMs, and certainly wouldn't have any qualms about doing so, these are odd backdoors to choose. They'd be better off backdooring the CPRNG, which is undetectable if done correctly. (Or putting in backdoored ECC curves, except there are users who know to insist on using standard ones.)
And as long as those actors know existing implementations are flawed, there's no reason for them to intervene and risk discovery.
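As an added illustration of the first point in this reply (not code from the thread or from any TPM vendor), the toy Python below runs a naive double-and-add scalar multiplication and a Montgomery ladder over a small textbook curve (y^2 = x^3 + 2x + 3 over GF(97), generator (3,6), all constructed here) and counts the point operations each performs. The naive loop's operation count tracks the popcount of the secret scalar, which is exactly the kind of secret-dependent timing a side-channel attack measures; the ladder does one add and one double per bit regardless of the scalar. Note what the toy does not fix: Python big-integer arithmetic, `pow`, and the branches inside `point_add` are themselves not constant-time, which is precisely why getting this right in a real implementation is hard.

```python
# Constructed toy example: secret-dependent vs uniform operation counts in ECC
# scalar multiplication. Curve y^2 = x^3 + 2x + 3 over GF(97); G = (3, 6).
# Not constant-time itself: only the add/double schedule is made uniform.

P_MOD = 97
A, B = 2, 3
INF = (0, 0)  # (0,0) is not on this curve, so it serves as the point at infinity
G = (3, 6)    # on the curve: 6^2 = 36 = 27 + 6 + 3 (mod 97)


def inv(x):
    """Modular inverse via Fermat; fine for a toy, not a constant-time primitive."""
    return pow(x, P_MOD - 2, P_MOD)


def point_add(P, Q):
    """Affine point addition; handles infinity, doubling and P + (-P)."""
    if P == INF:
        return Q
    if Q == INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if P == Q:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv((x2 - x1) % P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def point_double(P):
    return point_add(P, P)


def naive_scalar_mult(k, P):
    """Left-to-right double-and-add: the addition runs only when the bit is 1,
    so the number of additions equals the popcount of the secret scalar."""
    R = INF
    ops = {"double": 0, "add": 0}
    for bit in bin(k)[2:]:
        R = point_double(R)
        ops["double"] += 1
        if bit == "1":
            R = point_add(R, P)
            ops["add"] += 1
    return R, ops


def cswap(swap, P, Q):
    """Branch-free conditional swap: swap in {0, 1} becomes an all-zero or
    all-one mask; the same XOR work happens whichever value swap has."""
    mask = -swap
    (x1, y1), (x2, y2) = P, Q
    tx = mask & (x1 ^ x2)
    ty = mask & (y1 ^ y2)
    return (x1 ^ tx, y1 ^ ty), (x2 ^ tx, y2 ^ ty)


def ladder_scalar_mult(k, P):
    """Montgomery ladder: invariant R1 = R0 + P; every bit costs exactly one
    addition and one doubling, independent of the bit's value."""
    R0, R1 = INF, P
    ops = {"double": 0, "add": 0}
    for bit in bin(k)[2:]:
        b = int(bit)
        R0, R1 = cswap(b, R0, R1)
        R1 = point_add(R0, R1)
        ops["add"] += 1
        R0 = point_double(R0)
        ops["double"] += 1
        R0, R1 = cswap(b, R0, R1)
    return R0, ops


if __name__ == "__main__":
    for k in (5, 7):  # same bit length, different popcount
        _, n = naive_scalar_mult(k, G)
        _, l = ladder_scalar_mult(k, G)
        print(f"k={k:#05b}  naive={n}  ladder={l}")
```

Running it with k=5 (0b101) and k=7 (0b111) shows the naive loop doing 2 versus 3 additions while the ladder does 3 and 3; the two routines return identical points for every scalar.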