Perry asks about the 30-bit serial number. Actually, it appears that the unit key UK is a function of the serial number plus the two 80-bit random numbers input by the escrow agents when the chips are programmed. This would prevent an easy guessing attack as long as these random numbers S1 and S2 are unknown. The one problem is that S1 and S2 are not changed for each chip, but are rather kept the same in programming a batch of about 300 chips. Then they are supposed to be destroyed. The potential weakness is that if someone managed to keep a copy of the S1 and S2 values which were used to program all clipper chips (only about 3000 such values for a million chips), then Perry's suggested attack could work. This would be few enough bits that the unit key could be guessed. Those who are asked to judge the safety of the system will presumably pay careful attention to the measures used to insure that S1 and S2 are not saved. I don't know how they'll check for NSA micro-cameras in the vault ceiling, though... Hal