Legal & Policy

The Clipper Chip: How the First Government Encryption Backdoor Fell Apart

July 17, 2026 7 min read Haven Team

In April 1993 the White House announced an encryption chip for American phones with a wiretap interface built into the silicon. The government would hold the keys, split between two agencies, released only under legal authorization. Three years later the program was dead, partly from public revolt and partly because a single researcher found a hole in the design. Every "lawful access" proposal since has been a rerun of this argument, so the original is worth knowing in detail.


The Clipper chip (formally the Escrowed Encryption Standard, informally the MYK-78 chip manufactured by Mykotronx) was the Clinton administration's answer to a problem law enforcement had been warning about for years: strong encryption was leaving the laboratory. If citizens could buy phones the FBI could not tap, wiretaps, a court-supervised tool since 1968, would go dark. The proposed bargain: the government would give the public strong encryption, designed by the NSA, on the condition that the government kept a copy of the keys.

How the escrow was supposed to work

The design had three interlocking parts, and the details matter because the details are what failed.

Skipjack. The cipher itself was an NSA design with an 80-bit key, stronger on paper than the 56-bit DES then in wide use. It was also classified. You could buy the chip; you could not inspect the algorithm running on it. Cryptographers had to take the NSA's word that Skipjack contained no shortcuts, a direct inversion of Kerckhoffs's principle, which had been the field's ground rule for a century. (When Skipjack was finally declassified in 1998, the cipher itself held up. The point was never that the NSA had hidden a weakness in it; the point was that users had no way to know.)

The unit key, split in two. Each chip carried a unique serial number and a unique unit key burned in at manufacture. The unit key was split into two halves, one held by NIST and one by a division of the Treasury Department. Neither half alone was useful. An agency wanting to tap a Clipper phone needed legal authorization, then both halves from both escrow agents.

The LEAF. Every encrypted call transmitted a Law Enforcement Access Field alongside the ciphertext: a package containing the session key encrypted under the chip's unit key, the chip's serial number, and a 16-bit checksum. A wiretapper who obtained the escrowed unit key could open the LEAF, recover the session key, and decrypt the call. Receiving chips validated the checksum before accepting a call, which was meant to guarantee no one could use Skipjack while denying the government its access field.

The design in one sentence

Strong classified cipher, per-device key held by the government in two pieces, plus a mandatory field in every call that functions as the wiretap port. The security of the whole scheme rested on the LEAF being impossible to strip or forge.

Blaze's sixteen bits

In 1994, Matt Blaze, then a researcher at AT&T Bell Labs, published "Protocol Failure in the Escrowed Encryption Standard." Working with the government's own Tessera prototype hardware, he showed that the checksum protecting the LEAF was 16 bits long. A device could generate candidate LEAFs until one passed validation by luck: about 65,536 tries, minutes of work even on 1994 hardware. The receiving chip would accept the call as compliant, but the LEAF now contained garbage. The wiretap port was still transmitted, still checksummed, and useless.

The result was not a break of Skipjack, and Blaze was careful to say so. It was something more instructive: the surveillance mechanism bolted onto the cryptography could be defeated by the people it was meant to surveil, while imposing its costs on everyone else. Criminals with modified hardware could opt out of the escrow. Law-abiding users could not opt out of the government holding their keys.

The lesson generalizes: an access mechanism added to a secure protocol is itself a protocol, with its own attack surface, and it must survive adversaries on both sides, those who want to abuse the access and those who want to evade it. The finding restated, thirty years on

Why it died anyway

Blaze's paper wounded Clipper; the market and the public finished it. The only major product to ship the chip was AT&T's TSD-3600 secure phone, and government agencies ended up as nearly its only buyers. Industry refused to build on a classified cipher with government-held keys, foreign customers had no interest in encryption escrowed to the US government, and polling showed the American public overwhelmingly opposed. By 1996 the administration had retreated to a series of "key recovery" successor proposals, in which companies rather than agencies would hold the spare keys. Those collapsed too, for reasons a group of eleven prominent cryptographers laid out in a 1997 paper on the risks of key recovery: every escrow database is a concentrated target, every recovery pathway is an insider risk, and the operational complexity grows faster than anyone can secure it. The same authors updated the argument in 2015 as "Keys Under Doormats," and its conclusions have not been refuted, only re-litigated.

The rerun you are living through

No government today proposes a chip. The proposals now arrive as software obligations, and the escrow moves around, but the structure of the bargain is the Clipper bargain each time:

The Clipper episode is the cleanest experiment we have because everything was explicit: the cipher, the escrow agents, the access field, the legal process. It still failed, technically at the hands of one researcher with the standard document and a prototype board, and politically at the hands of a public that declined the bargain. The proposals since have grown less explicit, which makes them harder to attack in a paper, and no more sound.

One more detail deserves remembering. The escrow agents were named, reputable agencies, and the access process required a court order. The scheme was designed by people who mostly meant well, and it was still unacceptable, because the analysis does not depend on anyone's intentions. A key that exists can be stolen, subpoenaed, or quietly repurposed by a future government you did not vote for. The only escrow database that cannot leak is the one that was never built. That is the principle Haven's architecture starts from: keys are derived on your device, and there is nothing on our side to escrow, hand over, or lose.

Try Haven free for 15 days

Encrypted email and chat in one app. No credit card required.

Get Started →