I hope it goes without saying that I disagree with Comey's claim that (academic,

1. I hope it goes without saying that I disagree with Comey's claim that (academic, industry and government) cryptographers have not explored the problem of creating lawful access backdoors to encryption protocols. This is not true. Indeed, there are dozens if not hundreds of different works that explore some aspect of this problem -- either constructively (meaning, by proposing some solution) or destructively (meaning that they find flaws in a previous proposal).
2.  
3. The real problem here is that mostly is *not* a technical, cryptographic one. When it comes to building key escrow systems there are dozens of possible solutions (essentially as many as there are ways to encrypt). The problems are not in the crypto. The boil to four different non-cryptographic areas:
4.  
5. 1. System implementation. No matter how well we design the cryptography on a whiteboard or in a specification, someone will implement it as software, and they'll probably make a mistake. In a normal cryptographic implementation this is bad. In a key escrow system this is catastrophic. Nobody has enough confidence in our ability to implement software correctly that we'd be willing to wager the entire planet's data security on it.
6.  
7. 2. Key storage. No matter what ingredients you use to build a key escrow system (symmetric key encryption, public key encryption, identity-based or attribute-based encryption), ultimately you wind up with master keys that you have to store. This is more or less a fact of life in most designs. While cryptographers have worked for a long time on securing keys, nobody is confident that we can secure decryption keys with a value as high as the master escrow keys would have.
8.  
9. 3. Human factors. While lawmakers like to say things like "decryption only with a court order", the fact of the matter is that a court order is just a piece of paper. It contains no cryptographic magic. Thus, the difference between a legitimate (warranted) decryption request and an invalid/forged one often depends on *who signs the paper, or who enters the commands into a terminal*. No cryptography can save you if e.g., an ADA forges a wiretap order [1], or if the terminal is compromised.
10.  
11. 4. Uncertain design requirements. Law enforcement is not entirely clear on what they want. Do they want *prospective* access (meaning that a warrant is issued, and only then can wiretapping start), or do they want *retrospective* access (meaning that past messages can be decrypted as well.) This makes a huge difference in terms of what guarantees cryptography can offer, but we can't get law enforcement to come out and tell us which they want.
12.  
13. Now, in terms of escrow solutions there are quite a few. A good way to illustrate this is to search for "key escrow" on Google Scholar. Much of the work you'll find dates back to the 1990s and early 2000s -- not because cryptographers got bored with this problem, but because most of the solutions were found and discussed at that time. A
14.  
15. A more recent area of research is into "accountable key escrow". This is a loose collection of works that focus on building key escrow (and exceptional access systems) that have some limits built into them. For example, an accountable system might deliberately reveal the number of wiretapped accounts, or force law enforcement to reveal the identities of surveilled individuals (after some period of time). Although this sounds like a hippy-dippy "criminal friendly" solution, in practice it makes it possible *fopr the authorities* to detect unauthorized wiretapping. Normal key escrow systems make it very difficult to detect abuse, since decryption is offline and leaves no trace.
16.  
17. A final benefit of some accountable escrow systems is that some of these systems also limit surveillance to *prospective* access, rather than allowing retrospective decryption. This is a key distinction. The major benefit of prospective systems is that they require the wiretapper to take some specific action -- send a message, update a key, etc. -- before wiretapping some party. This may not be detectable to the target, but it must take place. This means that if the master keys are stolen, there is a possibility to renew the security of the system (even if by forcing everyone to update their software). By contrast, it is fundamentally challenging to renew security (for past messages) in retrospective systems. The problem is that if law enforcement can decrypt your past messages, then a bad guy who steals the keys can also do so. There is no real defense against this.
18.  
19. Again, the point of this note is just to explain why the research field looks the way it does. There is plenty of (older) work out there on the basics of key escrow. There is some more recent work on sophisticated accountable key escrow. There are relatively few cryptographers working on *implementing* key escrow, because we don't know how to do it well and at scale -- and mostly the problems are in hardware/software engineering, not cryptography.
20.  
21. Hope this is helpful,
22.  
23. Matt
24.  
25. [1] http://nypost.com/2016/11/29/assistant-da-arrested-for-wiretapping-to-spy-on-nypd-love-interest/