In this paper, we have proposed an AES-like encryption algorithm which contains a backdoor at its design level. This algorithm, named BEA-1, exhibits many of the desirable properties that any secure algorithm should. However, it is absolutely unsuitable for actually protection information. Indeed, we manage to break it with a rather limited amount of resources successfully. While it is a humble, first step in a larger research work, it illustrates the issue of using foreign encryption algorithms which may contains such hidden weaknesses. The very final aim of our work is to prove that it is feasible to embed such undetectable intended weaknesses. It is consequently a critical issue to have a broader work conducted in this research area and we hope that other people will also consider it as such. The next step will be to consider more sophisticated combinatoric structures.

https://arxiv.org/pdf/1702.06475.pdf

https://www.ruscrypto.ru/resource/archive/rc2017/files/02_filiol.pdf

Idea is that authorities design algorithm such that S boxes have also another version that allow you to extremely drop complexity for decryption (if you know enough encrypted and encrypted data pairs - not very hard for common file formats).

Real AES, Mordor and Chinese standards use much more complex holes, and many of them (top ones are known for extremely limited number of people).