
The Dark Side of Cryptography: Kleptography in Black-Box Implementations (2003) - jonbaer
http://www.infosecurity-magazine.com/magazine-features/the-dark-side-of-cryptography-kleptography-in/
======
lgarron
This link discusses a nice example of RSA. There was also a paper in 2014 by
Bellare, Paterson, and Rogaway [1] discussing this notion more thoroughly
(under the name "algorithm substitution attack").

From that paper: An approach that works against many block cipher modes is to
select the IV with for a communication using key K as, say, IV =
AES(backdoor_key, K). This is indistinguishable from a random IV due to the
security of AES, but someone with the backdoor key can easily compute K =
AES_inverse(backdoor_key, IV).

[1] [http://eprint.iacr.org/2014/438.pdf](http://eprint.iacr.org/2014/438.pdf)

