If its not doable how then did NSA supposed to have done it? Its not like they came up with the key at random then invented this algorithm to fit it, the fact that there is a backdoor key is a quirk of the mathematics.
It's basically public-key crypto: you can create a keypair and publish the public key - that's essentially what this is, where the point Q in the Dual_CD_DRBG spec is really just a public key. There's a private key as well - it's far to expensive to compute it from the public key (basically 2^128 time), but they didn't have to do that since they generated the private key first.
And it's really not a "quirk of the mathematics" - it's really pretty straightforward if you understand elliptic curves, and it has been well-known how to do this since 2007 or earlier. I think a lot of academic cryptographers didn't really worry about it when Shumow and Ferguson pointed out the potential backdoor, because it's really a pretty crappy technique anyway - academic cryptographers, who quite frankly often don't know what is used in practice, assumed no one would use this. Then it turns out that RSA used it as the default tehnique in BSAFE. Oops.