Eh, the slowness comes from it being based on group primitives normally reserved for public key crypto. In a sense, basing a PRNG on a general believed-hard problem is nicer than on a believed-hard instance of bit shufflings, so the idea does have merit despite low adoption due to performance.
What I have to wonder are the implications for all of the other random generators. The NSA has been studying symmetric crypto far longer and far harder than the public. Symmetric crypto is both sufficient for state security (hierarchical + opsec), and breaking it is sufficient to snoop on the public's communications (the bulk encryption and PRNGs).
On the other hand, academics love neatly defined problems, so their interest is heavily skewed towards studying asymmetric crypto, whose foundations are open mathematical problems and whose implementations are based on nice closed-form number theory.
The same backdooring approach may have been applied to other NIST generators (which would be sufficient for the NSA to preserve its dragnet snooping and still be secure against other attackers), and we simply don't have the analytical tools to see this (what is the entropy diminishment of a nothing-up-my-sleeve number when the explanation is chosen a posteriori?). Dual_EC_DRBG comes across as so ham-fisted only because we have the ability to analyze it.
The idea of an EC-based PRNG apparently has merit; however, the Dual_EC_DRBG implementation doesn't. Supposedly there are similar designs out there which have nice security proofs which the NSA one lacked, most likely due to the backdoor.
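The comments above refer to the Dual_EC_DRBG structure and its trapdoor without spelling either out. The following is an added illustration, not code from the thread or from any NIST or NSA publication: a toy model of the generator on a constructed curve over F_1019 (not P-256; the constants P, Q, seed and curve coefficients are all made up here), showing the two points the comments allude to. First, the cost: every output block needs two scalar multiplications, which is why an EC-based DRBG is slow next to a block-cipher or hash DRBG. Second, the backdoor in the form Shumow and Ferguson described in 2007: if the designer of Q knows d with P = d*Q, one output x(s*Q) lifts back to the point s*Q, and d times that point is s*P, whose x-coordinate is the generator's next state, so everything after it is predictable. The real generator drops the top 16 bits of each output, so a real attacker tries up to 2^16 lifts instead of one; the toy omits truncation to keep the mechanics visible.

```python
import math

# Added toy model of the Dual_EC_DRBG construction and its trapdoor.
# Constructed parameters: a tiny curve y^2 = x^3 + A*x + B over F_p with
# p = 3 (mod 4), chosen so that square roots are one exponentiation.
# Nothing here is NIST P-256 or the published P/Q constants.
P_MOD = 1019
A = 2
B = P_MOD - 1          # B = -1 is a non-residue here, so no point has x = 0
INF = None             # point at infinity


def add(p1, p2):
    """Affine point addition on the toy curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                      # P + (-P), also 2P when y = 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k > 0:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def x_of(pt):
    """x-coordinate taken as an integer; the toy maps infinity to 0."""
    return 0 if pt is INF else pt[0]


def order(pt):
    """Brute-force order of a point (fine for a 1019-element field)."""
    k, acc = 1, pt
    while acc is not INF:
        acc, k = add(acc, pt), k + 1
    return k


def lift_x(x):
    """The (at most two) curve points with this x: an output leaks only x."""
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)   # sqrt for p = 3 (mod 4)
    if y * y % P_MOD != rhs:
        return []
    return [(x, y), (x, (-y) % P_MOD)]


def find_generator(min_order=400):
    """First point of reasonably large order; plays the role of P."""
    for x in range(P_MOD):
        for pt in lift_x(x):
            if order(pt) >= min_order:
                return pt
    raise ValueError("no suitable point on this toy curve")


def backdoored_params(pt_p, first_e=2):
    """Designer picks Q = e*P and keeps d = e^-1 mod n, so that P = d*Q."""
    n = order(pt_p)
    e = first_e
    while math.gcd(e, n) != 1:
        e += 1
    return mul(e, pt_p), pow(e, -1, n), n


def dual_ec_step(state, pt_p, pt_q):
    """One (untruncated) Dual_EC_DRBG round: s <- x(s*P); emit x(s*Q).
    Two scalar multiplications per output is the performance cost."""
    state = x_of(mul(state, pt_p))
    return state, x_of(mul(state, pt_q))


def recover_next_state(output_x, d):
    """Attacker: lift the output to R = +-s*Q; then x(d*R) = x(s*P) is the
    state the victim will hold after its next update. Both lifts agree."""
    return {x_of(mul(d, r)) for r in lift_x(output_x)}


def predict_outputs(next_state, pt_p, pt_q, count):
    """Replay the generator forward from a recovered state."""
    outs = []
    for _ in range(count):
        outs.append(x_of(mul(next_state, pt_q)))
        next_state = x_of(mul(next_state, pt_p))
    return outs


def backdoor_predicts_stream(seed=123, rounds=4):
    """Victim emits `rounds` outputs; the attacker sees only the first and
    predicts the rest. Returns (actual_rest, predicted_rest)."""
    pt_p = find_generator()
    pt_q, d, n = backdoored_params(pt_p)
    state = seed % n or 1               # constructed seed, never zero
    outs = []
    for _ in range(rounds):
        state, out = dual_ec_step(state, pt_p, pt_q)
        outs.append(out)
    (s_next,) = recover_next_state(outs[0], d)
    return outs[1:], predict_outputs(s_next, pt_p, pt_q, rounds - 1)


if __name__ == "__main__":
    actual, predicted = backdoor_predicts_stream()
    print("victim  :", actual)
    print("attacker:", predicted)
```

Without d the attacker is stuck on the hard problem the first comment mentions: recovering s from x(s*Q) is a discrete log on the curve. With d the same output is a one-multiplication state recovery, which is why the choice of Q, rather than the EC construction as such, is what drew the suspicion.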