This is a good question.

One way to get a NOBUS vulnerability that allows GCHQ to recommend a curve (and thus see it deployed on systems they care about) and break that same curve is for the vulnerability to be mitigated with an additional parameter check. For instance, maybe a particular weak curve is safe to use if you exclude a small subset of points. GCHQ's implementations do the additional check, but nobody else does that (why would it ever occur to them to check? would they even know what to check for?).

Dual_EC is, of course, the gold standard of NOBUS backdoors: it's literally a strongly-encrypted backdoor!
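
One way to picture the "additional parameter check" described above, as an added example that is not part of the thread: a constructed toy curve y^2 = x^3 + x over F_103 (104 = 8 * 13 points, a choice made only so the subgroup structure is small enough to see), where a careful implementation accepts a received public point only if it lies in the prime-order subgroup, rejecting the seven low-order affine points and anything off the curve. Nothing here is a real weak curve; every parameter and function name is invented for the illustration.

```python
# Added example, not from the HN thread: the "additional parameter check" as a
# public-key validation routine on a constructed toy curve y^2 = x^3 + x over F_103.
P_MOD, A, B = 103, 1, 0
O = None  # point at infinity (group identity)

def on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return 0 <= x < P_MOD and 0 <= y < P_MOD and (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def add(p1, p2):
    """Group law on affine points, including doubling and the inverse case."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O  # p2 == -p1; also covers doubling a 2-torsion point
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def scalar_mult(k, pt):
    result = O
    while k:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result
# 103 = 3 (mod 4), so this curve has p + 1 = 104 = 8 * 13 points (constructed choice).
ALL_POINTS = [(x, y) for x in range(P_MOD) for y in range(P_MOD) if on_curve((x, y))]
CURVE_ORDER = len(ALL_POINTS) + 1  # affine points plus O
SUBGROUP_ORDER, COFACTOR = 13, 8

def is_valid_public_point(pt):
    """The extra check: reject off-curve points, O, and points outside the order-13 subgroup."""
    return pt is not O and on_curve(pt) and scalar_mult(SUBGROUP_ORDER, pt) is O

def low_order_points():
    """The small subset a naive implementation accepts: affine points whose order divides 8."""
    return [pt for pt in ALL_POINTS if scalar_mult(COFACTOR, pt) is O]

def subgroup_generator():
    return next(pt for pt in ALL_POINTS if is_valid_public_point(pt))
```

The point (0, 0) is on the curve and passes a plain on-curve test, yet has order 2 and is rejected by the subgroup check; that gap between "on the curve" and "in the safe subgroup" is the kind of check an implementer would not think to add unless told.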
