Backdoored PRNG

Exploit a backdoor in an elliptic curve based PRNG

Discuss The Problem

Suppose we have a random number generator that works as follows:

A visual of the PRNG can be seen below (source). You may recognize it as Dual_EC_DBRG. You can ignore the $\phi$ function and the additional input.

For this problem the values of $P$ and $Q$ are as follows:

P = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
Q = (0xd19761748936051e5fb436f5c383a2ca6fbd1e61f227a3d70f44d73311781b32,

I've actually hidden a backdoor in this PRNG, namely that there exists a $d$ such that $d * Q = P$. The value of this $d$ is:

d = 0x561021d34971c6b5da29dbefb21413a469a751356392133a4a78981fb51f3a01

Let's say that you observe the following $32$ bytes as output from the PRNG (you may assume these are the first $32$ bytes it has output since being seeded):

PRNG output - 0x8fc4b1d886a3ac3d3ae3c13722bc5eead9d1dd5eda876ca59b8c33ebeb6e2616
What are the next $28$ bytes that the PRNG will output? Submit your answer in lowercase hex, no leading $0x$. You may find section 2 of this paper and section 5 of this paper helpful.