Nothing Up My Sleeve

This challenge is about the Dual_EC_DRBG random number generator, which is famous for being backdoored by the NSA so they can predict the output after reading only 32 bytes of the random stream. This excellent video should demonstrate how to generate the point $Q$ so that we can easily recover the state of the PRNG given that we know the relation of $P = dQ$, where $d$ is the secret component only known by the NSA....