by lgarron 3795 days ago
This link discusses a nice example of RSA. There was also a paper in 2014 by Bellare, Paterson, and Rogaway [1] discussing this notion more thoroughly (under the name "algorithm substitution attack").

From that paper: An approach that works against many block cipher modes is to select the IV for a communication using key K as, say, IV = AES(backdoor_key, K). This is indistinguishable from a random IV due to the security of AES, but someone with the backdoor key can easily compute K = AES_inverse(backdoor_key, IV).

[1] http://eprint.iacr.org/2014/438.pdf
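The quoted construction, as an added illustration that is my own code and not from the paper or the comment. It assumes AES-128 with a 16-byte session key K (so IV = AES(backdoor_key, K) is one ECB block) and uses constructed key values; it shows that the peer fed the subverted IV decrypts normally, while whoever holds the backdoor key recovers K from the IV alone, which is why an implementation's IV source needs to be auditable and not merely random-looking.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
)

// Constructed 16-byte keys for the demonstration, not real values.
var backdoorKey = []byte("backdoor-key-16b") // held only by the subverter
var sessionKey = []byte("session-key-0016") // the victim's AES-128 key K

// subvertedIV is the comment's construction, IV = AES(backdoor_key, K):
// one ECB block of a 16-byte K, so it is a normal-looking 16-byte IV.
func subvertedIV(backdoor, k []byte) ([]byte, error) {
	b, err := aes.NewCipher(backdoor)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	b.Encrypt(iv, k)
	return iv, nil
}

// recoverKey is the backdoor holder's side: K = AES_inverse(backdoor_key, IV).
func recoverKey(backdoor, iv []byte) ([]byte, error) {
	b, err := aes.NewCipher(backdoor)
	if err != nil {
		return nil, err
	}
	k := make([]byte, aes.BlockSize)
	b.Decrypt(k, iv)
	return k, nil
}

// cbc runs AES-CBC over whole blocks in either direction; with the subverted
// IV the legitimate peer sees a perfectly normal, correctly decrypting exchange.
func cbc(key, iv, in []byte, encrypt bool) ([]byte, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCBCEncrypter(b, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(b, iv).CryptBlocks(out, in)
	}
	return out, nil
}
```

Encrypting a whole-block message with cbc under sessionKey and the IV from subvertedIV round-trips on the peer side, while recoverKey on that same IV returns sessionKey.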