This paper is great and contains some really interesting historical examples of backdoored crypto. For example, Lotus Notes 4 circumvented export controls by using a 64-bit key but taking the first 24 bits and encrypting them with a public key available to the NSA, thus meeting the 40-bit limit.

I'm not sure I'm at liberty to cite explicitly another example, but I will allude to it: At the time when only 512-bit-RSA was permitted for general export, export a 1024-bit-RSA based system by ensuring that each time public key encryption is performed, a 512-bit key pair is generated, the wrapped symmetric key included with the payload, and the 512-bit key pair discarded.

Removed in later versions, AFAIK, as regulations relaxed, e.g., with the advent of Wassenaar.

SSL 3.0 and TLS 1.0 did this (with a ServerKeyExchange message), with the limit being 512-bit for 40-bit export cipher suites and 1024-bit for the 56-bit export cipher suites. This is another reason why it is unfortunate that the 56-bit export cipher suites was disabled in OpenSSL in 2006.

Wow, timely: http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/03... and https://news.ycombinator.com/item?id=9139273

That 768-bit RSA key is factorable nowadays.

As is the 64-bit keyspace breakable.

But the 768-bit key only has to be factored once.

I'm upset that the paper didn't include known 'sidedoors' designed in to get Windows Device Encryption (Bitlocker) keys, nor the controversy over remote TPM attestation, nor the 12 bit keyspace that Apple provides the user through its Secure Enclave.