I disagree: DJB and others have researched how backdoors in elliptic-curve cryptography (and other algorithms) could work. In Dual_EC_DRBG we even know exactly how they would work.
While I don't believe there's any publication that explains the exact mathematics of a backdoor that could have been used in the NIST curves, I think the likely algorithmic consequences for EC security assumptions probably are understood -- just not by me. :-)