Re: Ames/clipper compromised?
sommerfeld@orchard.medford.ma.us (Bill Sommerfeld) :
BTW, my guess at the most likely back door is that the unit keys will be generated as a cryptographic function of the serial number and a *small* random number generated for each chip and unknown to the agency. They would have to search a mere 2**16..2**32 keys once they get the serial number out of the LEEF. The existence of such a backdoor would be difficult to prove, since there would be no visible evidence for it in the individual chips. It is also difficult to disprove such a theory because the clipper key generation algorithms are classified.
I just read a paper that might apply to this type of backdoor; it was by someone at RSA, with the title "..RSA's trapdoor can be broken". I'll
No, that's a different argument; it's (name forgotten) vs Kaliski, where the proposed method turns out to take as much work as factoring and
Key generation is one of the obvious backdoors; the wrinkle of making the random number space from the keymasters small enough to search is interesting, especially because they only need one key per batch to validate whether they've got the right guess.
My original reaction to the version described by Dorothy Denning was that it wouldn't be very hard to *steal* the key-generating keys the keymasters bring to the key-generation charade in the vault, either physically or by leaking them out in generated keys or something. Now that they've announced they're changing the script for the charade, who knows how easy it will be? They've certainly announced no plans for validation of the key-generation software design or implementation.
Matt Thomlinson writes:
therefore doesn't rate as a backdoor.
Bill Stewart
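Added example, not part of the original message or of any Clipper code: a toy model of the key-generation weakness hypothesized above, showing that a unit key derived from the serial number and a 16-bit per-chip value has only 16 bits of effective strength, whatever its nominal length. The real key-generation algorithm is classified, so HMAC-SHA256 stands in for it here, and every name and value in the block is constructed for illustration.

```python
import hashlib
import hmac

SEED_BITS = 16  # low end of the 2**16..2**32 range named in the message

# Constructed sample values, not real Clipper data.
MASTER = b"constructed-master-secret"
SERIAL = 0x00C0FFEE
SEED = 0xBEEF
KNOWN = b"constructed known block"


def derive_unit_key(master: bytes, serial: int, seed: int) -> bytes:
    """Assumed stand-in KDF: 80-bit unit key from serial number + small seed."""
    msg = serial.to_bytes(4, "big") + seed.to_bytes(4, "big")
    return hmac.new(master, msg, hashlib.sha256).digest()[:10]


def check_value(unit_key: bytes, known: bytes) -> bytes:
    """Stand-in for one known plaintext/ciphertext pair under the unit key."""
    return hmac.new(unit_key, known, hashlib.sha256).digest()[:8]


def recover_seed(master, serial, known, observed, seed_bits=SEED_BITS):
    """Enumerate the seed space; return (seed, guesses) or (None, guesses)."""
    for guesses, seed in enumerate(range(1 << seed_bits), start=1):
        candidate = check_value(derive_unit_key(master, serial, seed), known)
        if hmac.compare_digest(candidate, observed):
            return seed, guesses
    return None, 1 << seed_bits


def effective_bits(nominal_bits: int, seed_bits: int) -> int:
    """Key strength is capped by the entropy that went into generating it."""
    return min(nominal_bits, seed_bits)


if __name__ == "__main__":
    key = derive_unit_key(MASTER, SERIAL, SEED)
    observed = check_value(key, KNOWN)
    seed, guesses = recover_seed(MASTER, SERIAL, KNOWN, observed)
    print(f"nominal key bits: {len(key) * 8}")
    print(f"effective bits:   {effective_bits(len(key) * 8, SEED_BITS)}")
    print(f"seed {seed:#06x} found after {guesses} guesses")
```

Nothing in the derived key itself distinguishes it from a key built from full-entropy input, which is why the message's point about validating the key-generation design and implementation matters: the weakness is visible only in the generation procedure.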