This paper presents several methods to construct trapdoor block ciphers. A trapdoor cipher contains some hidden structure; knowledge of this structure allows an attacker to obtain information on the key or to decrypt certain ciphertexts. Without this trapdoor information the block cipher seems to be secure. It is demonstrated that for certain block ciphers, trapdoors can be built-in that make the cipher susceptible to linear cryptanalysis; however, nding these trapdoors can be made very hard, even if one knows the general form of the trapdoor. In principle such a trapdoor can be used to design a public key encryption scheme based on a conventional block cipher. 1 Introduction Researchers have been wary of trapdoors in encryption algorithms, ever since the DES 9] was proposed in the seventies 15]. In spite of this, no one has been able to show how to construct a practical block cipher with a trapdoor. For most current block ciphers it is relatively easy to give strong evidence that there exist no full trapdoors. We deene a full trapdoor as some secret information which allows an attacker to obtain knowledge of the key by using a very small number of known plaintexts, no matter what these plaintexts are or what the key is. In this paper we consider partial trapdoors, i.e., trapdoors that not necessarily work for all keys, or that give an attacker only partial information on the key. We show that it is possible to construct block ciphers for which there exists a linear relation with a high probability; knowledge of such a relation allows for a linear attack which requires only a very small number of known plaintexts 13, 14]. A trapdoor is said to be detectable (undetectable) if it is computationally feasible (infeasible) to nd it even if one knows the general form of the trapdoor.