
Comment by digitalPhonix

3 months ago

Actually, thinking about this a bit more - saying that there's no "Nobody but us backdoor" to prove there's no backdoor is a poor argument.

As an example - if there's a weakness that affects 50% of keys (replace with whatever hypothetical number), NSA can make sure it doesn't use those affected keys but still retain the ability to decrypt 50% of everyone else's communications. And using the entropy analysis from this post, that would require 1 bit hidden in the parameters, which is clearly within the entropy budget.