crypto

also by steven levy
Insanely Great: The Life and Times of Macintosh, the Computer That Changed Everything
Artificial Life: How Computers Are Transforming Our Understanding of Evolution and the Future of Life
The Unicorn’s Secret: Murder in the Age of Aquarius
Hackers: Heroes of the Computer Revolution

how the code rebels beat the government — saving privacy in the digital age
crypto
steven levy
viking

VIKING
Published by the Penguin Group
Penguin Putnam Inc., 375 Hudson Street, New York, New York 10014, U.S.A.
Penguin Books Ltd, 27 Wrights Lane, London W8 5TZ, England
Penguin Books Australia Ltd, Ringwood, Victoria, Australia
Penguin Books Canada Ltd, 10 Alcorn Avenue, Toronto, Ontario, Canada M4V 3B2
Penguin Books (N.Z.) Ltd, 182-190 Wairau Road, Auckland 10, New Zealand
Penguin Books Ltd, Registered Offices: Harmondsworth, Middlesex, England

Copyright © Steven Levy, 2001
ISBN: 0-7865-0256-8
All rights reserved. This book, or parts thereof, may not be reproduced in any form without permission. Making or distributing electronic copies of this book constitutes copyright infringement and could subject the infringer to criminal and civil liability.
First edition (electronic): January 2001

To Teresa and Andrew

acknowledgments

The backbone of Crypto is a series of interviews conducted over the past decade with the people who populate, or have had an impact on, the world of cryptography. Obviously, my deepest thanks go to those who have given time and attention to an outsider who wanted to tell a good story. I hope that none of those who cooperated with me will take offense if I single out a few for duty above and beyond: Len Adleman, Jim Bidzos, David Chaum, Whitfield Diffie, Mary Fischer, Eric Hughes, Tim May, Ray Ozzie, Ron Rivest, and Phil Zimmermann. From September 1994 to June 1995, I was a Fellow at the Freedom Forum Media Studies Center, then located on the Columbia University campus.
I enthusiastically acknowledge the kindness of the Freedom Forum, the accommodations and assistance of the Media Studies Center staff, and the terrific company and well-timed wisdom of my fellow Fellows. My researcher there, Kaushik Arunagiri, dug out innumerable documents and also walked me through some math. John Kasdan kindly allowed me to audit his cyberlaw course and Matt Blaze and Joan Feigenbaum welcomed me to their computer science course on cryptography. Mark Rotenberg, David Banisar, and David Sobel of the Electronic Privacy Information Center gave me access to the astounding documents coughed up by the government under their skillful use of the Freedom of Information Act. John Gilmore and his lawyer Lee Tien also provided me with armloads of declassified materials. Roger Schlafly sent me a huge pack of documents related to RSA and Cylink. Simson Garfinkel e-mailed me notes of interviews he did for his book, PGP. (Other suppliers will remain nameless, but thanks to them, too.) During the past eight years, I wrote a number of magazine articles on crypto, and some of these are reflected in this book, particularly those I wrote for Wired, beginning with the cover story on cypherpunks in its second issue and winding up with the first detailed account of nonsecret encryption in 1999. Thanks to all my editors there, especially Kevin Kelly. I also wrote crypto-related stories for The New York Times Sunday Magazine, Macworld, and Newsweek. The latter has been my professional home for the past five years, and I am grateful to everyone there for providing an inveterate freelance writer with a reason to actually hold a job. Thanks to Mark Whitaker, Jon Meacham, and the editor who suffers most with me, George Hackett. I also owe a large debt to the late Maynard Parker. At Viking, editor Pam Dorman hung tough throughout the marathon. Ann Mah kept the bits flowing. Victoria Wright was both a master transcriber and sharp observer.
My agent, Flip Brophy, was once again a flawless advisor and facilitator. And some early readers caught mistakes and offered great suggestions (I won’t cite them by name because any errors are solely mine). Those who discover more are encouraged to get in touch with me through my Web site (www.stevenlevy.com), where I will post corrections and updates. Words, even in plaintext, can’t express what I owe my family, Andrew and Teresa.

Steven Levy, September 2000

contents

Acknowledgments
Preface
The Loner
The Standard
Public Key
Prime Time
Selling Crypto
Patents and Keys
Crypto Anarchy
The Clipper Chip
Slouching Toward Crypto
Epilogue: The Open Secret
Notes
Bibliography
Glossary

crypto

preface

The telegraph, telephone, radio, and especially the computer have put everyone on the globe within earshot — at the price of our privacy. It may feel like we’re performing an intimate act when, sequestered in our rooms and cubicles, we casually use our cell phones and computers to transmit our thoughts, confidences, business plans, and even our money. But clever eavesdroppers, and sometimes even not-so-clever ones, can hear it all. We think we’re whispering, but we’re really broadcasting. A potential antidote exists: cryptography, the use of secret codes and ciphers to scramble information so that it’s worthless to anyone but the intended recipients. And it’s through the magic of cryptography that many communications conventions of the real world — such as signatures, contracts, receipts, and even poker games — will find their way to the ubiquitous electronic commons. But as recently as the early 1970s, a deafening silence prevailed over this amazing technology. Governments, particularly that of the United States, managed to stifle open discussion on any aspect of the subject that ventured beyond schoolboy science.
Anyone who pursued the fundamental issues about crypto, or, worse, attempted to create new codes or crack old ones, was doomed to a solitary quest that typically led to closed doors, suddenly terminated phone connections, or even subtle warnings to think about something else. The crypto embargo had a sound rationale: the very essence of cryptography is obscurity, and the exposure that comes from the dimmest ray of sunlight illuminating the working of a government cipher could result in catastrophic damage. An outsider who knew how our encryption worked could make his or her own codes; a foe who learned what codes we could break would shun those codes thereafter. But what if governments were not the only potential beneficiaries of cryptography? What if the people themselves needed it, to protect their communications and personal data from any and all intruders, including the government itself? Isn’t everybody entitled to privacy? Doesn’t the advent of computer communications mean that everyone should have access to the sophisticated tools that allow the exchange of words with lawyers and lovers, coworkers and customers, physicians and priests with the same confidence granted face-to-face conversations behind closed doors? This book tells the story of the people who asked those questions and created a revolution in the field that is destined to change all our lives. It is also the story of those who did their best to make the questions go away. The former were nobodies: computer hackers, academics, and policy wonks. The latter were the most powerful people in the world: spies, and generals, and presidents. Guess who won.

the loner

Mary Fischer loathed Whitfield Diffie on sight. He was a type she knew all too well, an MIT brainiac whose arrogance was a smoke screen for a massive personality disorder. The year of the meeting was 1969; the location a hardware store near Central Square in Cambridge, Massachusetts.
Over his shoulder he carried a length of wire apparently destined for service as caging material for some sort of pet. This was a typical purchase for Diffie, whose exotic animal collection included a nine-foot python, a skunk, and a rare genetta genetta, a furry mongooselike creature whose gland secretions commonly evoked severe allergic reactions in people. It lived on a diet of live rats and at unpredictable moments would nip startled human admirers with needlelike fangs. An owner of such a creature would normally be of interest to Mary Fischer, an animal lover who at that very moment had a squirrel in her pocket. At home she also had a skunk as well as two dogs, a fox, a white-wing trumpeter bird, and two South American kinkajous. Diffie saw that she was buying some cage clips and abruptly focused his attention on her. In future years, Whit Diffie would be known — extraordinarily well known — as the codiscoverer of public key cryptography, an iconographic figure with his shoulder-length blond hair, Buffalo Bill beard, and his bespoke suits cut by London tailors. But back in those days he was a wiry, crew-cut youth with “the angriest face I’d ever seen,” Fischer says, and he immediately began peppering Mary Fischer with questions. You keep exotic animals? Then you’ll need this, and this, and this. He took things out of her hands and put other things in as he lectured. His rudeness appalled Mary. But she hadn’t yet cracked his code. Mary Fischer didn’t know that Diffie was spending prodigious amounts of time thinking about problems in computer security and their mathematical implications. She had no idea that he was casting about for a new way to preserve secrets. All she knew was that Whit Diffie was unappetizing and he loved animals. But animals meant a lot to her, and soon Diffie and his girlfriend began visiting Mary and her husband, sometimes accompanied by their creatures. 
The skunks got along, some ferrets were exchanged, and Diffie’s visits to her home became routine. Mary began to reconsider her initial repulsion to Diffie. But, in his failure to decode her, he seemed generally oblivious to her. On his visits he interacted only with the man of the house. After Mary and her husband moved to New Jersey, where he started veterinary school, she would sometimes pick up the ringing phone and hear Diffie’s cuttingly precise voice brusquely ask for her spouse, as if she were an answering service. One day she made her feelings plain. “Look,” she said, “I understand I’m not as bright as you and some of your friends, and I understand your friendship is primarily with my husband. But I don’t really think it would kill you to say hello.” The message got through. Diffie’s demeanor toward Mary dramatically improved, and she was not just startled but saddened when one day in 1971 he told her that he was going to travel for a while. Mary didn’t know yet that Whit Diffie was preparing himself for a solitary — and romantic — quest, looking for answers to questions that the United States government didn’t want asked. The odds against his success were astronomical, because he was confronting a near complete blockade of relevant information on a subject that, on its most sophisticated levels, was almost unspeakably obscure. What were the odds against such an unheralded outsider’s transforming an entire field with an original discovery that would redefine the ground rules for personal privacy in the computer era? The length of those odds would shorten with the role of Diffie’s courtship of Mary Fischer in overcoming them — and a scientific breakthrough would result that affects every citizen in the digital age. “The discovery of public key,” says Fischer, “was a romance.”

* * *

Bailey Whitfield Diffie was born on the eve of D-Day, June 5, 1944. His professor father had just completed a wartime sabbatical in government service.
(Though he disliked Communists — more for their humorless single-mindedness than their ideology — Whit Diffie’s father was a passionate antifascist and often lectured against the repressive movement in Europe.) Both of Whit’s parents were educated people. Bailey Wallace Diffie taught Iberian history and culture at City College in New York. Diffie’s mother was the former Justine Louise Whitfield, a stockbroker’s daughter from Tennessee who met her husband while working in the foreign service in Spain. She was a writer and scholar who studied Madame de Sévigné, a figure in the court of Louis XIII and Louis XIV. Whit Diffie was always an independent sort. As one early friend remarked, “That kid had an alternative lifestyle at age five.” Diffie didn’t learn to read until he was ten years old. There was no question of disability; he simply preferred that his parents read to him, which seemingly they did, quite patiently. Apparently both parents understood that their son was extremely intelligent and obstinately contrarian, so they didn’t press him. Finally, in the fifth grade, Diffie spontaneously worked his way through a tome called The Space Cat, and immediately progressed to the Oz books. Later that year his teacher at P.S. 178 — “Her name was Mary Collins, and if she is still alive I’d like to find her,” Diffie would say decades later — spent an afternoon explaining something that would stick with him for a very long time: the basics of cryptography. Specifically, she described how one would go about solving something known as a substitution cipher. Diffie found cryptography a delightfully conspiratorial means of expression. Its users collaborate to keep secrets in a world of prying eyes. A sender attempts this by transforming a private message to an altered state, a sort of mystery language: encryption. Once the message is transformed into a cacophonous babble, potential eavesdroppers are foiled. 
Only those in possession of the rules of transformation can restore the disorder back to the harmony of the message as it was first inscribed: decryption. Those who don’t have that knowledge and try to decrypt messages without the secret “keys” are practicing “cryptanalysis.” A substitution cipher is one where someone creates ciphertext (the scrambled message) by switching the letters of the original message, or plaintext, with other letters according to a prearranged plan. The most basic of these has come to be known as the Caesar cipher, supposedly used by Julius Caesar himself. This system simply moved every character in the plaintext to the letter that occurs three notches later in the alphabet. (For instance, a Caesar cipher with its “key” of three would change A to D, B to E, and so on.) Slightly more challenging to an armchair cryptanalyst is a cryptosystem that matches every letter in the alphabet to one in a second, randomly rearranged alphabet. Newspaper pages often feature a daily “cryptogram” that encodes an aphorism or pithy quote in such a manner. These are by and large easy to crack because of the identifiable frequency of certain letters and the all-too-often predictable way they are distributed in words. Like countless other curious young boys before him, Whit Diffie was thrilled by the process. In his history of cryptography, The Codebreakers, author David Kahn probes the emotional lures of secret writing, citing Freud’s theory that the child’s impulse to learn is tied to the desire to view the forbidden. “If you’re a guy, you’re trying to look up women’s skirts,” says Kahn. “When you get down to it basically, that’s what it is, an urge to learn.” For many, the fascination of crypto also deals with the thrill that comes from cracking encoded messages. Every intercepted ciphertext is, in effect, an invitation to assume the role of eavesdropper, intruder, voyeur. 
In any case, it wasn’t the prospect of breaking codes that excited Whit Diffie but the more subtle pursuit of creating codes to protect information. “I never became a very good puzzle solver, and I never worked on solving codes very much then or later,” he now says. He would always prefer keeping secrets to violating the secrets of others. Diffie’s response to Miss Collins’s cryptography lesson was characteristic. He ignored her homework assignment, but independently pursued the subject in his own methodical, relentless fashion. He was particularly interested in her off-the-cuff remark that there were more complicated ciphers, including a foolproof “U.S. Code.” He begged his father to check out all the books in the City College library that dealt with cryptography. Bailey Diffie promptly returned with an armload of books. Two of them were written for children; Diffie quickly devoured those. But then he got bogged down in Helen Forché Gaines’s Cryptanalysis, a rather sophisticated 1939 tome. Gaines offered a well-organized set of challenges that would provide hardworking amateurs an education in classical cryptographic systems. Many of these were refinements of advances made centuries ago, which in turn were more complicated variations of the earlier substitution ciphers. The best known were the polyalphabetic systems, first hatched in Vatican catacombs and later revealed in the early 1500s by a German monk named Johannes Trithemius. Published in 1518 — two years after his death — Trithemius’s Polygraphia introduced the use of tables, or tableaux, wherein each line was a separate, reshuffled alphabet. When you encoded your message, you transformed the first character of the text using the alphabet on the first line of the tableau. For the second character of your message you’d repeat the process with the scrambled alphabet on the second line, and so on. On the heels of Trithemius came the innovations of a sixteenth-century French diplomat named Blaise de Vigenère.
Here was a man who had penetrated the soul of crypto. “All things in the world constitute a cipher,” he once observed. “All nature is merely a cipher and a secret writing.” In the most famous of almost two dozen books he produced after his retirement from the diplomatic service, Vigenère produced devastating variations on previous polyalphabetic systems, adding complexity with a less predictable tableau and “autokeys” that made use of the plaintext itself as a streaming key. The Vigenère system won a lasting reputation for security — it was known as le chiffre indéchiffrable — so much so that until almost the twentieth century, some armchair cryptographers believed that a certain streamlined version of the system was the sine qua non of cryptosystems. Actually, by the time Diffie encountered them, the cryptologic arts had progressed dramatically since Vigenère. Still, Diffie’s juvenile inquiries led him to think that Vigenère was the endpoint of the subject. Bored by the thought that cryptography was a problem already solved, he didn’t delve too deeply into Gaines’s book. His obsession with codes faded. At the time, he also felt that everybody was interested in codes, and, as a dogged contrarian, “this made it seem vulgar to me,” he later recalled. “Instead, I learned about ancient fortifications, military maps, camouflage, poison gas, and germ warfare.” He came to share his interests with a small group of teenage friends, and even considered pursuing a career in the armed forces, checking out the ROTC programs of universities he was interested in. But only one of Diffie’s militia-minded clique actually enlisted in one of the armed services — and died in Vietnam. Ultimately it was mathematics, not munitions, which dictated Diffie’s choice of college. Math offered one thing that history did not: a sense of absolute truth.
“I think that one of the central dilemmas of Whit’s life has been to figure out what is really true,” explains Mary Fischer, who says that early in the boy’s life, Diffie’s father was called to school and told that his son was a genius. As Fischer tells it, Bailey Diffie’s reaction was to offer a ruse, in hopes that it would provoke discipline. He told Diffie that he wasn’t as bright as other boys, but if he worked harder than those favored with high intelligence and applied himself, he might be able to achieve something. “With some children that might have worked,” says Fischer, “but with Whit it was a bad tactic. It shook him for years, and I think it gave Whit a real hunger for what was ground-zero truth.” Though Diffie performed competently in school, he never did apply himself to the degree his father hoped. He was sometimes unruly in class; he worked best with material untainted by the stigma of having been assigned. Once a calculus teacher, fed up with Whit’s noise-making, remarked, “One day you’ll be roasting marshmallows in here!” and sure enough, the next class Diffie brought a Sterno can to toast the marshmallows a friend smuggled into school. He failed to fulfill the requirements for a full academic diploma, settling for a minimal distinction known as a general diploma. Nor did he attend graduation; he left with his father on a European trip. (The great tragedy of Diffie’s high school years was the death of his mother; he still avoids talking about it.) Only stratospheric scores on standardized tests enabled him to enter the Massachusetts Institute of Technology in 1961. “I wasn’t a very good student there, either,” Diffie admits. He was, however, dazzled by the brainpower of the student body, a collection of incandescent outcasts, visionaries, and prodigies, some of whom could solve in a minute problems that would take Diffie a day to complete. 
Of these mental luminaries, Whitfield Diffie might have seemed the least likely to produce a world-changing breakthrough. But since his brilliant friends were human beings and not high-powered automata, their trajectories proved far from predictable. Some of the very brightest wound up cycling through esoteric computer simulations, or proselytizing smart drugs, or teaching Transcendental Meditation. Contemporaries from MIT recall Diffie vividly as a quirky teenager with blond hair sticking out from his head by two inches (“You wanted to take a lawn mower to it,” says a friend). He bounded through campus on tiptoe, a weird walk that became an unmistakable signature in motion. But he was noted for his deep understanding of numbers as well. He also took up computer programming — at first, Diffie now says, to get out of the draft. “I thought of computers as very low class,” he says. “I thought of myself as a pure mathematician and was interested in partial differential equations and topology and things like that.” But by 1965, when Diffie graduated from MIT, the Vietnam War was raging and he found himself deeply disenchanted with the trappings of armed conflict. “I had become a peacenik,” he says. Not to mention a full-blown eccentric. He and his girlfriend lived in a small Cambridge apartment that eventually became packed with glass-walled tanks to hold their prodigious collection of exotic fauna. An aficionado of Chinese food, Diffie was also known for carrying around a pair of elegant chopsticks, much the way a serious billiard player totes his favorite cue. To avoid the draft, Diffie accepted a job at the Mitre Corporation, which, as a defense contractor, could shelter its young employees from military service. 
His work had no direct connection to the war effort: he worked under a mathematician named Roland Silver, teaming up with another colleague to write a software package called Mathlab, which later evolved into a well-known symbolic mathematical manipulation system called Macsyma. (Though few knew of the nature of his contribution, the nerd cognoscenti understood that Diffie’s work here involved a virtuosic mastery of arithmetic, number theory, and computer programming.) Best of all, Diffie’s team did not have to work at the Mitre offices but, in 1966, became a resident guest of the esteemed Marvin Minsky in the MIT artificial intelligence lab. During the three years he worked there, Diffie became part of this storied experiment in making machines smart, in pushing the frontiers of computer programming and in establishing an information-sharing ethos as the ground zero of computer culture. One aspect of this hacker-oriented society would turn out to be particularly relevant to the direction that Diffie’s interests were heading. Just as some words in various languages have no meaning to drastically different civilizations (why would a tropical society need to speak of “snow”?), the AI lab had no technological equivalent for a term like “proprietary.” Information was assumed to be as accessible as the air itself. As a consequence, there were no software locks on the operating system written by the MIT wizards. Unlike his peers, however, Diffie believed that technology should offer a sense of privacy. And unlike some of his hacker colleagues, whose greatest kick came from playing in forbidden computer playgrounds, Diffie was drawn to questions of what software could be written to ensure that someone’s files could not be accessed by intruders. To be sure, he participated in the literal safecracking that was a standard hobby in the AI lab: a favorite hacker pastime involved discovering new ways of opening government-approved secure safes.
But Diffie got more of a kick from the protection of a strongly built safe than the rush of breaking a poorly designed system of locks and tumblers. He liked to keep his things in high-security filing cabinets and military safes. In the information age, however, the ultimate information stronghold resides in software, not hardware: virtual safes protecting precious data. Information, after all, represents the treasure of the modern age, as valuable as all the doubloons and bangles of previous eras. The field charged with this responsibility back then was computer security, then in a nascent stage. Not many people bothered to discuss its philosophical underpinnings. But Diffie would often engage his boss in conversations on security. Inevitably, cryptography entered into their discussions. Silver had some knowledge in the field, and the elder man opened Diffie’s eyes to things unimaginable in his fifth-grade independent study. One day the pair sat in the cafeteria at Tech Square, the boxy nine-story building whose upper levels housed the AI lab, and Silver carefully explained to Diffie how modern cryptosystems worked. Naturally, they depended on machinery. The machines that did the work — whether electromechanical devices like the Enigma cipher machines used by the Germans in World War II, or a contemporary computer-driven system — scrambled messages and documents by applying a unique recipe that would change the message, character by character. (The recipe for those transformations would be a set of complicated mathematical formulas or algorithms.) Only someone who had an identical machine or software program could reverse the process and divine the plaintext, with use of the special numerical key that had helped encrypt it. In the case of the Enigma machines, that key involved “settings,” the positions of the various code wheels that determined how each letter would be changed. 
Each day the encrypters would reset the wheels in a different way; those receiving the message would already have been informed of what those settings should be on that given day. That’s why the Allied coup of recovering live Enigma machines — the key intelligence breakthrough of World War II — was only part of the elaborate codebreaking process that took place at Bletchley Park in England. The cryptanalysts also had to learn the process by which the Axis foes made their settings; then they could conduct what was known as a “brute force” attack that required going through all the possible combinations of settings. This could be efficiently done only by creating machines that were the forerunners of modern computers. With computers, the equivalent of Enigma settings would become a digital key, a long string of numbers that would help determine how the system would transform the original message. Of course, the intended recipient of the message had to have not only the same computer program, but also that same key. But both mechanical and digital systems had two components: a so-called black box with the rules of transformation and a key that you’d feed into the black box along with your everyday message in plain English. Such was the background for what Silver talked about to Diffie that day — but not being privy to government secrets, he actually knew few of the details. He was able to explain, however, how computer cryptosystems generated a series of digits that represented a keystream, and how that would be “xor-ed” with the plaintext stream to get a ciphertext. (As any computer scientist knows, an xor operation involves pairing a digital bit with another bit, and generating a one or zero depending on whether they match.) If the key is suitably unpredictable, your output would be the most imponderable string of gibberish imaginable, recoverable (one hoped) only by using that same key to reverse the process. 
Imponderable, of course, is a relative term, but those who devised cryptosystems had a standard to live up to: randomness. The idea was to create ciphertext that appeared to be as close to a random string of characters as possible. Otherwise, a smart, dedicated, and resourceful codebreaker could seize upon even the most subtle of patterns and eventually reconstruct the original message. A totally random stream could produce uncrackable code — this essentially represented the most secure form of encryption possible, the so-called one-time pad, a system that provided a truly randomly chosen substitute for every letter in the plaintext. One-time pads were the only cryptographic solution that was mathematically certain to be impervious to cryptanalysis. The problem with one-time pads, however, was that for every character in the message, you needed a different number in the “key material” that originally transformed readable plaintext into jumbled ciphertext. In other words, a key for a one-time pad system had to be at least as long as the message and couldn’t be used more than once. The unwieldiness of the process made it difficult to implement in the field. Even serious attempts to deploy one-time pads were commonly undermined by those tempted to save time and energy by reusing a pad. His conversations with Silver excited Diffie. The subject of “pseudo-randomness” was clearly of importance to both the mathematical and real worlds, where security and privacy depended on the effectiveness of those codes. How close to randomness could we go? Obviously, there was a lot of work going on to discover the answer to that question — but the work was going on behind steep barriers erected and maintained by the government’s intelligence agencies. In fact, just about all the news about modern cryptography was behind that barrier. Everyone else had to rely on the same texts Whitfield Diffie had encountered in the fifth grade. 
And they didn’t talk about how one went about changing the orderly procession of ones and zeros in a computer message to a different set of totally inscrutable ones and zeros using state-of-the-art stuff like Fibonacci generators, shift registers, or nonlinear feedback logic. Diffie resented this. “A well-developed technology is being kept secret!” he thought. He began to stew over this injustice. One day, walking with Silver along Mass Avenue near the railroad tracks, he spilled his concerns. Cryptography is vital to human privacy! he railed. Maybe, he suggested, passionate researchers in the public sector should attempt to liberate the subject. “If we put our minds to it,” he told Silver, “we could rediscover a lot of that material.” That is, they could virtually declassify it. Silver was skeptical. “A lot of very smart people work at the NSA,” he said, referring to the National Security Agency, the U.S. government’s citadel of cryptography. After all, Silver explained, this organization had not only some of the best brains in the country, but billions of dollars in support. Its workers had years of experience and full access to recent cryptographic discoveries and techniques unknown to the hoi polloi — however intelligent — without high security clearances. The agency had supercomputers in its basement that made even MIT’s state-of-the-art mainframe computers look like pocket calculators. How could outsiders like Diffie and Silver hope to match that? Silver also told Diffie a story about his own NSA experience years earlier while writing a random number generator for the Digital Equipment Corporation’s PDP-1 machine. He needed some information: his reasons were noncryptographic; he simply had a certain mathematical need, a polynomial number with some particular properties. He was sure that a friend of his at the NSA would know the answer instantly, and he put in a call. “Yes, I do know,” said the friend. What was it? 
After a very long silence, during which Silver assumed that the friend was asking permission, the NSA scientist returned to the phone. Silver heard, in a conspiratorial whisper, “x to the twenty-fifth, plus x to the seventh, plus one.” Diffie was outraged at this secretiveness. He’d heard about the NSA, of course, but hadn’t known that much about it. Just what was this organization, which acted as if it actually owned mathematical truths?

* * *

Created by President Truman’s top-secret order in the fall of 1952, the National Security Agency was a multibillion-dollar organization that operated totally in the “black” region of government, where only those who could prove a “need to know” were entitled to knowledge. (It was not until five years after its founding that a government document even acknowledged its existence.) The NSA’s cryptographic mission is twofold: to maintain the security of government information and to gather foreign intelligence. The double-sided nature of its duty led the NSA to organize itself into two major divisions: Communications Security, or COMSEC, which tries to devise codes that cannot be broken, and Communications Intelligence, or COMINT, which collects and decodes information from around the world. (Since the latter function most often involves intercepting and interpreting electronic information, it is more broadly referred to as signals intelligence, or SIGINT.) Over the years the NSA has established a vast network of listening devices and sensors to gather signals from even the most obscure reaches of the globe, an operation that expanded beyond the planetary atmosphere when the satellite era began in the 1960s. In the early 1970s, none of this was discussed publicly. Within the Beltway, people in the know jokingly referred to the organizational acronym as No Such Agency.
Those very few members of Congress who had oversight responsibility for intelligence funding would learn what had to be conveyed only in shielded rooms, swept for listening devices. Access to the organization’s headquarters at Fort George Meade, Maryland, was, as one might imagine, severely limited. A triple-barbed-wired and electrified fence kept outsiders at bay. To work within the gates, of course, one had to survive a rigid vetting. “By joining NSA,” reads the introduction to a handbook presented to new hires, “you have been given an opportunity to participate in the activities of one of the most important intelligence organizations of the United States government. At the same time you have assumed a trust which carries with it a most important individual responsibility — the safeguarding of sensitive information vital to the security of our nation.” Since all the salient information about modern crypto was withheld from public view, outsiders could only guess at what happened in “The Fort.” The NSA undoubtedly operated the most sophisticated snooping operation in the world. It was universally assumed (though never admitted) that no foreign phone call, radio broadcast, or telegraph transmission was safe from the agency’s global vacuum cleaner. Signals were sucked up and the content analyzed with multi-MIPS computers, combing the text for anything of value. (These suspicions were later confirmed with leaks of Project Echelon, the NSA’s ambitious program to monitor foreign communications.) Were the results worth the billions of dollars and the questionable morality of the effort itself? This was something known only to the very few government officials who received briefings on the fabled intercepts — and even they were dependent on the quality of information that came from the agency itself. 
What’s more, the NSA considered itself the sole repository of cryptographic information in the country — not just that used by the civilian government and all the armed forces, as the law dictated, but that used by the private sector as well. Ultimately, the triple-depth electrified and barbed-wire fence surrounding its headquarters was not only a physical barrier but a metaphor for the NSA’s near-fanatical drive to hide information about itself and its activities. In the United States of America, serious crypto existed only behind the Triple Fence. Every day the NSA pored over new ideas for cryptographic systems submitted by would-be innovators in the field. “Their ideas disappear into the black maw of the NSA, and may see service in American cryptography,” wrote David Kahn, “but security prevents the inventor from ever knowing this — and may enable the agency or its employees to utilize his ideas without compensation.” But even those who did not submit ideas were not free of the NSA’s stranglehold. The agency monitored all patent requests concerning cryptography and had the legal power to classify any of those it deemed too powerful to fall into the public domain. As he learned more about the NSA, Whit Diffie came to feel a bit foolish that despite his having heard of the agency, the extent of its power had only belatedly dawned on him. Diffie had actually visited the Institute for Defense Analyses (IDA) at Princeton, a quasi-private outpost of the NSA, but he’d had only the vaguest idea about the organization’s mission at the time. Not that it would have helped him get information from those crypto illuminati. One may socialize and even exchange thoughts with those who had ventured behind the Triple Fence, but only as long as those thoughts did not involve the forbidden subject of cryptography. Cryptography, however, was exactly what Diffie wanted to talk about.
He wanted to learn as much as he could, to have far-ranging conversations with the leaders in the field. Even the foot soldiers in the field would do. But he quickly became frustrated with those who would not, or could not, talk about it. For instance, Diffie quizzed an MIT colleague named Dan Edwards, who would join the NSA after graduating. “He was extremely unhelpful,” Diffie later reported, “failing to reveal things which were certainly not classified and which I later saw in the bibliography of his thesis.” And when a colleague at Mitre went to work at IDA, Diffie asked him if he could share anything about his work. After a tantalizing pause: no. Perhaps the idea of pursuing the forbidden was simply irresistible to a contrarian like Diffie. He kept thinking about crypto and the silent embargo against it. And the more he thought about the problem, the more he came to understand how deeply, deeply important the issue was. Especially in what he saw as the coming era of computational ubiquity. As more people used computers, wireless telephones, and other electronic devices, they would demand cryptography. Just as the invention of the telegraph upped the cryptographic ante by moving messages thousands of miles in the open, presenting a ripe opportunity for eavesdroppers of every stripe, the computer age would be moving billions of messages previously committed to paper into the realm of bits. Unencrypted, those bits were low-hanging fruit for snoopers. Could cryptography, that science kept intentionally opaque by the forces of government, help out? The answer was as clear as plaintext. Of course it could! Right at MIT there was an excellent example of a need for a cryptographic solution to a big problem. The main computer system there was called Compatible Time Sharing System (CTSS). It was one of the first that used time-sharing, an arrangement by which several users could work on the machine simultaneously. 
Obviously, the use of a shared computer required some protocols to protect the privacy of each person’s information. CTSS performed this by assigning a password to each user; his or her files would be in the equivalent of a locked mini-storage space, and each password would be the equivalent of the key that unlocked the door to that area. Passwords were distributed and maintained by a human being, the system operator. This central authority figure in essence controlled the privacy of every user. Even if he or she were scrupulously honest about protecting the passwords, the very fact that they existed within a centralized system provided an opportunity for compromise. Outside authorities had a clear shot at that information: simply present the system operator with a subpoena. “That person would sell you out,” says Diffie, “because he had no interest in defying the order and going to jail to protect your data.” Diffie believed in what he called “a decentralized view of authority.” By creating the proper cryptographic tools, he felt, you could solve the problem — by transferring the data protection from a disinterested third party to the actual user, the one whose privacy was actually at risk. He fantasized about a company that would invent and implement such tools. He even had a name for this imaginary concern: Privacy Protection, Incorporated. But in Diffie’s fantasy, it was someone else who devised the solution, someone else who founded the company — not him. Though he was becoming absolutely sure that the problems of maintaining privacy in a non-crypto-protected world were insurmountable, he assumed that others would be better qualified, better motivated, more practically oriented than he to create the crypto to tackle such problems. So he tried to convince others to work on the solution. With little success. “None of the people I tried to get interested in the subject did anything,” he recalls. 
So Diffie kept working on his main interest, which lay in a mathematical problem called “proof of correctness.” But he kept researching what he could on crypto, though at this point his efforts were far from methodical. One day at the Cambridge Public Library, Diffie was browsing the recent acquisitions and came across The Broken Seal by Ladislas Farago, a book about the pre–Pearl Harbor codebreaking efforts. He read a bit of it right there, and he certainly thought it worth reading further. But he never did. (Worse, he came to confuse this book with another book published at that time, David Kahn’s The Codebreakers, which delayed his reading of the more important work.) Similarly, one day at Mitre, a colleague moving out of his office gave Diffie a 1949 paper by Claude Shannon. The legendary father of information theory had been teaching at MIT since 1956, but Diffie had never met him, a slight, introverted professor who lived a quiet family life, pursuing a variety of interests from reading science fiction to listening to jazz. (Presumably, by the time Shannon had reached his sixties, he had put aside the unicycle he had once mastered.) Shannon’s impact on cryptography was considerable. After receiving an MIT doctorate in 1940, he had worked for Bell Telephone Laboratories during the war, specializing in secrecy systems. The work was classified, of course, but in the late part of the decade the two key papers in Shannon’s wartime work found their way into the public domain. In 1948, Shannon’s seminal article on information, “Mathematical Theory of Communication,” ran in the Bell System Technical Journal, and subtly set the stage for the digital epoch. A year later, “Communication Theory of Secrecy Systems” appeared in the same journal. Both efforts were highly technical; those without advanced math degrees could barely venture a few paragraphs without being snared in a thicket of thorny equations and formulas. 
But Shannon had a sense of clarity that enabled him to send a clear signal through the noise of high-level math. In the latter paper, he clearly and concisely examined the basic cryptographic relationship from scratch, addressing the “general mathematical structure and properties of secrecy systems.” He even provided a diagram of the classic cryptanalytic situation, beginning with a box representing the original message. This was transformed by an “encipherer” with access to a “key source.” The message would move to the “decipherer,” who’d use the same key source to return the message to its original form. But there was another line branching out from the cryptogram. It led to the “enemy cryptanalyst,” who might be able to intercept the encrypted message. That third party was always to be assumed. The challenge was to make it impossible for that enemy to crack the cryptogram. The concepts of signal and noise loomed large in Shannon’s view of cryptology. He saw crypto as a high-stakes zero-sum game between secret keeper and foe, where a successful secret was a signal that could not be teased out of the apparent noise. In his sixty-page discussion of the matter, he masterfully clarified the dilemma of both encrypter and enemy. The gift of the Shannon paper was undoubtedly one of the most valuable that a prospective cryptographer like Diffie could hope for in the late 1960s. Diffie himself would later consider it the last worthwhile unclassified paper published for over twenty years. Too bad that Whit Diffie, still pursuing knowledge in a scattershot manner, waited several years before actually reading it.

* * *

In 1969, Diffie finally left Mitre. His funding had run out, and now that he was approaching the draft cutoff age, he had the freedom to leave. He had never really liked Cambridge very much. In high school, Diffie had hung out with the left-liberal and even the red diaper set, and led a full social life, with folk-singing parties and lots of friendly girls.
Though similar scenes undoubtedly existed in Cambridge, “I just didn’t find them,” Diffie now moans. But at the University of California at Berkeley, where he spent a summer after his freshman year, Diffie found a place among the left-leaning protest crowd. “I really believe in the radical viewpoint,” he says. “And I have always believed that one’s politics and the character of his particular work are inseparable.” So Diffie and his girlfriend moved west, and Diffie went to work at John McCarthy’s Stanford Artificial Intelligence Lab. Supposedly, he would continue working on proof of correctness and other mathematical problems that applied to computer science. But in conversations with McCarthy, Diffie was led into a deeper consideration of privacy concerns. A pioneer in time-sharing, McCarthy understood that soon computer terminals would find their way into the home. Inevitably, he believed, the nature of work itself would change, as the electronic office became something that moved out of the cloistered world of computer scientists and hackers and deep into the mainstream. This would open up not only a thicket of security problems, but also a host of novel challenges that almost no one was thinking about in 1969: If work products became electronic — produced on computer and sent over digital networks — how would people duplicate the customary forms of authentication (the means to verify that the author of a document was actually the person he or she claimed to be)? What would be the computerized version of a receipt? How could you get a computer-generated equivalent of a signed contract? Even if people were given unique “digital signatures” — say, a long, randomly generated number bequeathed to a single person — the nature of digital media, in which something can be copied in milliseconds, would seem to make such an identifier pointless. 
If you “signed” such a number to a contract, what would stop someone from simply scooping up the signature, making a perfect copy, and affixing it to other documents, contracts, and bank checks? If even the possibility of such unauthorized signed copies existed, the signature would be worthless. “I didn’t sign this,” someone could say. “Someone copied my signature!” Diffie began to wonder how one could begin to fix this apparently inherent flaw in the concept of digital commerce. Diffie and McCarthy spent hours in rambling discussions on issues like authentication and the problems of distributing electronic keys. But Diffie still was more interested in letting others create the solution. In the summer of 1972, however, machinations in Washington, D.C., indirectly changed his course. The government, under the aegis of the Defense Department’s Advanced Research Projects Agency (ARPA), had recently begun a program to link major research institutions. This was known as the ARPAnet, a system that would one day transmogrify into today’s Internet. ARPA’s director of information-processing techniques, Larry Roberts, realized that such a computer network, the first computer net to link multiple sites and handle hundreds if not thousands of users, would need a way to keep messages secure, and the obvious way of doing that was to devise new crypto solutions. But when Roberts approached the NSA, he got a quick brush-off. Ultimately, he enlisted the help of Bolt Beranek and Newman, the Boston-based company that helped set up ARPAnet in the first place. In the meantime, he mentioned the problem to his friend John McCarthy, who encouraged people at Stanford to concoct some crypto programs. They began working on what Diffie later called “a very complicated system combining the effects of several linear congruential random number generators.” Since Diffie’s girlfriend was on that team, he also was drawn into the effort. Naturally, his curiosity led him to study the system closely.
As he came to understand it, he found himself dissatisfied with its lack of efficiency. Diffie believed that if cryptography were to be used in a computer system, it was essential that users not have to suffer performance lags. Ideally, encryption should add but a tiny — or imperceptible — increment to the time it took to perform a function like copying a file. Diffie went over the group’s basic encoding algorithm and eventually wrote a routine that ran much faster. In the process — now that he was actually doing some cryptography — he began to spend even more time thinking about the larger issue of how to advance the field. Later that year he went to Cambridge and saw Roland Silver again; Diffie now had much more hands-on expertise to bring to a discussion of crypto, and their rich exchange fueled his interest even more. By now Diffie had finally gotten around to reading David Kahn’s The Codebreakers. Since Diffie was a very slow, methodical reader, tackling a book of a thousand densely packed pages was a major undertaking for him. “He traveled everywhere with that book in hand,” says his friend Harriet Fell. “If you invited him to dinner, he’d come with The Codebreakers.” But Diffie found the hundreds of hours he spent on the book to be well worth the trouble. Indeed, The Codebreakers was a landmark work — and one that the government had not wanted to see published. Kahn was a Newsday reporter who, as a twelve-year-old, had been thrilled, like Diffie and countless other boys, with his first exposure to the mysteries of secret writing. That moment first came on a visit to the local Great Neck (Long Island, New York) library, where the cover to a potboiler history called Secret and Urgent, by Fletcher Pratt, was on display. “This was about 1942 or ’43,” recalls Kahn. “That dust jacket was terrific; it had letters and numbers swirling out of the cosmos. I was hooked.” The hook sank deeper when he actually read the book and learned about how ciphers worked. 
The youngster joined what was then probably the most sophisticated cryptography organization outside the government, the American Cryptogram Association. Which wasn’t saying much. “It was a bunch of amateurs,” he says. “They solved cryptograms as puzzles, and used a little publication with articles on how to solve them.” Many of the members were elderly, or at least had time on their hands. There was even an offshoot called the Bedwarmers. “These were people with polio, or were in some sort of clinic, or were paralyzed,” says Kahn. “They couldn’t move around very well so they solved puzzles.” Such was the scope of crypto work outside the government. Unlike Diffie, however, Kahn loved to solve the puzzles himself, and kept his interest into adulthood. He discussed some sophisticated schemes with some fellow Cryptogram Association members. “Otherwise, you were totally isolated,” he says. “This was an unknown field; nobody knew anything about it.” But he didn’t detect a more general interest in cryptography until 1961, when two NSA cryptographers defected to the USSR and held a press conference about their experience. This was revelatory to Kahn; despite diligently monitoring all the public literature about cryptography, he had hardly known that the NSA existed! Still, since he knew something about crypto, he dared to ask editors at the New York Times Magazine if they would like a backgrounder on the subject. They did, and he produced it. The day after the story’s publication, Kahn received three book contract offers. He turned them down since they were from paperback publishers and he wanted his work between boards. He got his wish a week later when an editor named Peter Ritner asked him to do a hardcover for Macmillan. Kahn wrote up an outline for a general book about codes, and received a $2000 advance. But as he began working on the introductory section, his research efforts kept kicking up more and more interesting stories from disparate sources. 
By the time he reached page 250 of his “preliminary chapter” — he had barely gotten to the Renaissance — he realized that he was really writing the comprehensive history of cryptology. Two years into the project, Kahn quit his job to focus his efforts full time on the book. He lived off his savings, bunking at his parents’ house and eating meals cooked by his grandmother. He wrote hundreds of letters, spent days in the New York Public Library, and, most important, connected with people who had never previously told their stories. A high-ranking Department of Defense official allowed him access to two important World War II codebreakers — an astonishing event given how Cold War politics decreed that revealing any information of this sort was virtually treason — if he agreed to submit his notes from the interviews to the government. “I guess the [Defense official] didn’t know what he was getting into,” reasons Kahn, “and when the notes got submitted to the NSA, the government panicked, and said I had to [disregard the information]. I respectfully declined.” Kahn also constructed, with the help of an important confidential source, the first public account of the extent of the NSA’s power, constructing it from the bits and pieces that had dribbled out over the years. But the most explosive details of Kahn’s book lay in its methodical explanation of how cryptography works, and how the NSA used it. When The Codebreakers was finished in 1965, it contained the most complete description of the operations of Fort Meade that had ever been compiled without an EYES-ONLY stamp on each page. Quite correctly, officials at the National Security Agency had come to view Kahn’s book as a literary hand grenade, with the potential for serious damage to the government’s carefully maintained ramparts of secrecy. 
In his NSA exposé The Puzzle Palace, author James Bamford wrote that “innumerable hours of meetings and discussions, involving the highest levels of the agency, including the director, were spent in an attempt to sandbag the book.” Countermeasures considered behind the Triple Fence ranged from outright purchase of the copyright to a break-in at Kahn’s home. Kahn, who had moved to Paris to work for the Herald Tribune, was placed on the NSA’s “watch list,” enabling eavesdroppers to read his mail and monitor his conversations. To Kahn’s dismay, in March 1966 his editor sent the manuscript off to the Pentagon for its scrutiny and comments. Of course, it was then shipped to Fort Meade. The Defense Department wrote Macmillan’s chairman that publishing The Codebreakers “would not be in the national interest.” But Macmillan didn’t bend, less because of backbone, Kahn guesses, than the fact that by that point in the production process “they had too much money put into it.” So the NSA took an extraordinary step. In July 1966, its director, Lt. Gen. Marshall S. Carter — a man so secretive that his name never appeared in newspapers — flew to New York City and met with the chairman of the publishing company, its legal counsel, and Kahn’s editor, Peter Ritner. After attacking Kahn’s reputation and expertise, Carter finally made a personal appeal for three specific deletions. A few days later, Ritner presented Kahn with the request. The actual deletions struck Kahn as surprisingly inconsequential. “It didn’t really hurt the book, so I took the three things out,” Kahn says. “But I insisted that we put in a statement to the effect that the book had been submitted to the Department of Defense. In the end that had a good effect, because right-wing reviewers could otherwise have said the book was destroying the republic. Now they couldn’t.” While The Codebreakers never made the New York Times bestseller list, it became a steady seller, going through dozens of printings. 
And it did not, as the NSA had hysterically predicted, bring an abrupt close to the American century. It did, however, enlighten a new generation of cryptographers who would dare to work outside of the government’s wall of secrecy. And its prime student was Whitfield Diffie. “I read it more carefully than anyone had ever read it. . . . Kahn’s book to me is like the Vedas,” he explains, citing the centuries-old Indian text. “There’s an expression I learned: ‘If a man loses his cow, he looks for it in the Vedas.’ ” By the time Whitfield Diffie finished The Codebreakers, he was no longer depending on others to tackle the great problems of cryptography. He was personally, passionately engaged in them himself. They consumed his waking dreams. They were now his obsession. Why had Diffie’s once-intermittent interest become such a consuming passion? Behind every great cryptographer, it seems, there is a driving pathology. Though Diffie’s quest was basically an intellectual challenge, he had come to take it very personally. Beneath his casual attire and streaming blond hair, Diffie was a proud and determined man. He had an unusual drive for getting at what he considered the bedrock truth of any issue. This led to a fascination with protecting and uncovering secrets, especially important secrets that were desperately held. “Ostensibly, my reason for getting interested in this was its importance to personal privacy,” he now says. “But I was also fascinated with investigating this business that people wouldn’t tell you about.” It was as if solving this conundrum would provide a more general meaning to the world at large. “I guess in a very real sense I’m a Gnostic,” he says. “I had been looking all my life for some great mystery. . . . 
I think somewhere deep in my mind is the notion that if I could learn just the right thing, I would be saved.” And then, Diffie’s quest to discover truths in cryptography became intertwined with another sort of romance: his courtship of Mary Fischer.

* * *

It had not been Whit Diffie’s original intention to fall in love with a Jewish Brooklyn-born animal trainer who was already married. Up to the day when she upbraided him on the phone for ignoring her, he had in fact hardly thought of her. But her outburst struck a nerve, perhaps more so because his own longtime relationship was on the wane. When he bid goodbye to Mary on his way across the country, and told her he’d see her in a year, he meant it. With about $12,000 he had saved from his salary at Mitre and an intention to live “low on the hog,” as he later put it, he was out to learn all he could about crypto — and maybe do something about it. That seemed like a solitary mission. But in August 1973, when he stopped by Fischer’s New Jersey house for a visit, he found that her marriage was falling apart and that she was finding relief by going to charismatic prayer meetings. It was not the type of thing she felt comfortable talking about to mathematical types like Diffie, but when she came out with it, his reaction took her aback. “You know, Mary,” he said, “I’ve always had a soft spot for mystics.” They began to spend time together. Fischer didn’t drive, and Diffie fell into the habit of escorting her to zoos — especially to locate a King cobra — and then on longer trips to view architecturally interesting churches. At one point, on a Massachusetts road, Diffie impulsively pulled the car over and very quietly told Mary he loved her. She said she loved him back. And that was that. Though it was painful for Fischer to acknowledge the end of her marriage, Diffie hastened the process by daring her to join him on a sojourn to Florida to watch a launch of the Skylab mission.
They drove straight through and arrived at Cape Canaveral at three in the morning. Some hours later, they watched together as the big rocket blew fire on its jump toward the cosmos. From that point, Mary Fischer was Diffie’s companion, and eventually his wife, as he drove thousands of miles in his search for an answer to the riddle of cryptography. They would pass the hours talking, or, more often, singing popular tunes. The National Security Agency had no clue that the man who was about to make life infinitely more difficult for them was spending endless hours in a Datsun 510, crooning “Sweet Caroline” with his new girlfriend. Though Fischer had little understanding of the technologies and mathematics that drove Diffie, she became his partner in the quest. His cryptographic muse. “I was terrified all the time because I’d abandoned everything that was familiar to me,” she recalls of those days. “Every now and then he’d stop off at a library, or see somebody, and it was really cloak and dagger — people who didn’t want to talk to him, people who put their coats over their faces, people who wanted to know how the hell he’d found out their names, people who had secrets, clearly, and were not about to share them. And Whit was trying to ferret those secrets out. It was a perpetual kind of voyage of discovery because he kept checking out these people. And sometimes he’d say, ‘I want you to stand here to listen. I don’t want anybody to see you but I just want you to listen.’ So I went on some of these encounters. But basically I didn’t have a clue what he was up to.” Sometimes Diffie would try to explain his motivations to her. The computer age, he told Mary, held terrible implications for privacy. As these machines become ascendant, and we use them for everyday communication, he warned, we may never experience privacy as we know it today. His apocalyptic tone unsettled Mary, but she wanted to hear more. 
Eventually, Mary understood how Diffie’s mission mixed the political with the personal. Devising a way to wedge open the NSA’s grip on crypto would satisfy not only Diffie’s sixties-style rebelliousness, but also what would later be identified as a strongly libertarian ethic in him. “Whit wants to uncover secrets,” she says. “Anything that’s secret is something that Whit has to know. When we first got together I couldn’t believe it. He was doing things like going through my garbage bags. He didn’t trust anything. He feels as though what ordinary people take for granted is just too simple and there must be more under the surface there. And he builds up terrible complications that way.” Of course, the most significant complication was his seemingly quixotic mission to discover something under the nose of the National Security Agency. He wondered whether he was putting himself at risk, and indeed, because of this, “my attitude was to keep my head down for the first couple of years,” he says. Ultimately, though, the length of the odds stacked against him only made the quest more attractive to Diffie. One thing Diffie did trust during this period was the Datsun 510 automobile. He kept buying and rebuilding them, even though the evidence indicates that the cars were far from immortal. “I was stubborn,” he explains, adding that “most of what I do is characterized by the fact that I’m stubborn.” Mary Fischer puts it differently. “When Whit decides he wants something, he’ll research it thoroughly, fix on the best idea of its kind, and from then on he is married to that thing.” His Datsun broke down in Nebraska, whereupon Diffie rented a truck and transported the car to the West Coast. He then purchased a second 510, a black junker with about 100,000 miles on it. “It had a fine set of insides in it,” Diffie recalls fondly. This took him and Mary on their second continental crossing. 
The car took sick in La Mesilla, New Mexico, emitting an ominous chink-chink-chink sound, but it got Whit and Mary back to California, only to go dead in a Redwood City parking space two days later. Diffie then purchased more Datsuns, initiating an elaborate process of vehicular organ transplants. “At one point we had five Datsuns,” recalls Mary Fischer. “Whit would work on them himself; he didn’t trust mechanics. He is not an utterly trusting soul.” What did Diffie encounter during his cross-country journeys? Many people who refused him. But a few helped, providing him with hints of contemporary crypto techniques, or even unpublished works. Among those helpers was Diffie’s personal Mao, David Kahn, who invited Diffie for pizza at his Long Island home after Diffie had cold-called to introduce himself. Though taken aback by Diffie’s appearance — an abundance of hair and ultracasual attire — The Codebreakers’ author was impressed with his knowledge. He agreed to provide Diffie with some crypto documents from his research. One important cache of papers dealt with William Friedman, the acknowledged godfather of the government’s cryptographic efforts. A naturalized American born in Russia late in the nineteenth century, Friedman had become interested in cryptography while researching the possibility that Francis Bacon was the true author of Shakespeare’s plays. (Many years later Friedman and his wife Elizabeth would authoritatively debunk this notion in their book, The Shakespearean Ciphers Examined.) During World War I, Friedman became involved in the U.S. government’s codebreaking efforts and developed a series of courses to train prospective cryptanalysts. Within the closed community, his works became classics, particularly those on his use of statistics to crack codes. 
Friedman’s World War II work was instrumental in breaking the Japanese cipher PURPLE, and he was an important figure in the early NSA, remaining active as a consultant long after his retirement in 1955. Throughout, virtually all his critical work was top-secret, so when Kahn offered Diffie a look at some rare, recently declassified materials, Diffie treated them like the original copies of the Constitution. Instead of handing the bound books over to attendants at a photocopying center, he lovingly photographed each page with a 35mm camera. This meticulousness proved prescient, as the NSA hadn’t yet realized that copies of these papers had slipped underneath the Triple Fence; when it did, the agency would attempt to retroactively classify the material, thus making criminals of those who did not immediately turn them over to the proper authorities. In the summer of 1974, Diffie heard that Jim Reeds, a Harvard doctoral student in statistics he had met a year earlier, was leading a seminar in cryptography there. Diffie headed back to Cambridge and sat in. Also attending was Bill Mann, a friend who was working on the ARPA security plan. At one point Diffie was trying to explain to Mann the meaning of something called a one-way function. This was a mathematical oddity that he had come across and couldn’t stop thinking about. A true one-way function is something that can be calculated easily in one direction but not easily reversed — a mathematical Humpty-Dumpty. One cryptographer would later explain that when you broke a dinner plate, you were using a one-way function: “It is easy to smash a dinner plate,” he wrote. “However, it’s not easy to put all of those tiny pieces back together again into a plate.” Diffie was increasingly convinced that one-way functions could figure into a new kind of cryptographic approach, but he wasn’t sure how. He couldn’t even explain what it was clearly enough for Mann to understand it. But Mann misunderstood it rather creatively. 
He came away with the impression that a one-way function was something that not only could be quickly computed in one direction but could be calculated in reverse as well — if you had the proper information. Using the plate analogy, Mann said it was as if the guy who broke the plate had some magic way to un-break it, like a film running backward showing those tiny shards of broken china fusing back into a pristine dinner plate. As he laid out his conception to Diffie, Mann was envisioning what one day would be called a “trapdoor one-way function.” It would prove to be a prescient misunderstanding. Also in Cambridge, Diffie talked about crypto with Richard Schroeppel. He was a former MIT hacker who had a reputation as a math wizard. Schroeppel had been thinking about the idea of electronic commerce, and was beginning to grapple with the same sorts of problems that Diffie and McCarthy had discussed: What if Company A wanted to place an electronic order with some Company B and no preexisting relationship existed? How could they secure their communications? Schroeppel was impressed that Diffie had done a lot of thinking about such problems. And he certainly respected Diffie, who had done great, though unheralded, work at MIT’s AI lab, building Macsyma. Schroeppel also knew that Diffie had written the complicated routines to handle large numbers in the Stanford version of the computer language LISP. “To my mind, writing a set of big number routines crosses you over a threshold,” says Schroeppel. “It’s like passing the Bar [exam]; it means you really know how to use a computer and you really know how to do arithmetic.” Over lunch one day Diffie floated the idea that perhaps there was a way to get around the electronic commerce problem. What about a one-way function, he suggested — a reversible one-way function, like the one Bill Mann had unwittingly suggested? Could that possibly be part of a solution? They talked about it for a while, but Schroeppel was skeptical. 
“Actually, you probably can’t find any of those functions,” he warned Diffie. “They probably don’t exist.” Undaunted, Diffie kept on, desperate for someone who could provide him with more clues. He and Fischer went to see a friend in Cambridge who mentioned a fellow named Alan Tritter. Tritter supposedly had done work in cryptography. He now worked for IBM. So during that same summer of 1974, Diffie tracked him down at the major center of cryptographic activity outside the government, IBM’s T. J. Watson Labs, in Westchester County, New York. Even in a field littered with brilliant oddballs, Tritter stood out. Due to a rare disease that generated a massive volume of body fat, he weighed what friends estimated as a minimum of 400 pounds. Rumor had it that his grandfather had been a wealthy man who had left Tritter only enough money to attend school. Though some regarded him as a mathematical genius, others felt that his reputation was unearned. “Immediately after he was hired, it was regretted, but IBM wouldn’t admit its error,” complained one former IBM colleague. “I don’t really think he did anything there.” On the other hand, Tritter was ahead of his time by acquiring an early mastery of telephone hacking. He would die young. Diffie was immediately gratified to learn that Tritter was knowledgeable about Identification Friend or Foe (IFF) devices. Reading Kahn’s book, Diffie had been intrigued by its mention of these systems, which are communications devices that essentially quiz each other to authenticate one’s identity. As Tritter explained it to Diffie, an IFF device works by issuing a cryptographic “challenge,” one that can be successfully met only by use of secret information to precisely solve the problem. The canonical IFF situation is a fighter plane encountering another airborne craft during a period of hostilities. If the intruder is a foe, it must be shot down, but it’s obviously unwise to fire before determining if the target might be an ally. 
The IFF process is an electronic equivalent to a sentry’s question to an approaching foot soldier: “What’s the password?” Of course, IFF systems relied on more complicated protocols than passwords. Since such communications were generally conducted by radio, it was assumed that enemies could listen in, and if a general password were issued to the forces of one side, a foe could easily discover the magic utterance that would enable its own planes to pose as friends. It turned out that one of Tritter’s colleagues at IBM, a German-born scientist named Horst Feistel, had performed crucial work in the field. (Unfortunately, Feistel had left for a Cape Cod weekend, and Diffie could not meet him then.) Tritter explained to Diffie how Feistel’s IFF system got around the eavesdropping problem: when confronting an as-yet-unidentified aircraft, an American plane could send a radio signal containing a challenge randomly selected from a large number of possible alternatives. Other U.S. planes would be supplied with the means to encrypt that signal in the correct manner and send that scrambled response back to the questioner. The questioner would validate the response by decrypting it. If this process yielded the original signal, the second craft was definitely a fellow American. If enemy planes were listening in, it would do them no good simply to copy the friendly response and use it as a response to a later challenge, because in any subsequent encounter, the American planes would choose a different signal, one that would be transformed to a different encrypted transmission. Tritter’s information was exciting to Diffie. By that explanation, IFFs worked in somewhat the same way that a one-way function might. He hoped for similarly helpful clues when he wangled an audience with the head of the mathematical group at IBM, Alan Konheim. He didn’t get any. “He was very secretive,” complains Diffie. 
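The challenge-and-response exchange Tritter described, set beside the fixed password it improves on, as an added Python example (not from the book). It substitutes HMAC-SHA256 for the encrypt-then-decrypt step in the text, so the questioner recomputes the expected answer instead of decrypting it; all class and function names are illustrative.

```python
import hashlib
import hmac
import secrets

CHALLENGE_BYTES = 16  # 2**128 possible challenges: the "large number of alternatives"


class PasswordSentry:
    """Weak baseline: one fixed password, spoken in the clear over the radio."""

    def __init__(self, password: bytes):
        self._password = password

    def verify(self, heard: bytes) -> bool:
        return hmac.compare_digest(self._password, heard)


class Transponder:
    """Friendly aircraft: answers a challenge using the shared secret key."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        # Assumption: HMAC stands in for the cipher in the text.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Interrogator:
    """Questioner: issues a fresh random challenge and checks the answer once."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = None

    def new_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(CHALLENGE_BYTES)
        return self._pending

    def verify(self, response: bytes) -> bool:
        if self._pending is None:
            return False  # no outstanding challenge, nothing to accept
        expected = hmac.new(self._key, self._pending, hashlib.sha256).digest()
        self._pending = None  # each challenge is good for one answer only
        return hmac.compare_digest(expected, response)


def run_demo() -> dict:
    """Play out the encounters with constructed keys; return what was accepted."""
    results = {}

    # 1. Fixed password: whoever overheard it once can repeat it forever.
    sentry = PasswordSentry(b"constructed-password")
    overheard = b"constructed-password"  # captured off the air by a listener
    results["static_password_replay_accepted"] = sentry.verify(overheard)

    # 2. Challenge-response: the secret key itself is never transmitted.
    key = secrets.token_bytes(32)
    questioner = Interrogator(key)
    friend = Transponder(key)

    c1 = questioner.new_challenge()
    r1 = friend.respond(c1)  # a listener records the pair (c1, r1)
    results["friend_accepted"] = questioner.verify(r1)

    # 3. Later encounter: a new challenge, so the recorded answer is stale.
    questioner.new_challenge()
    results["replayed_response_accepted"] = questioner.verify(r1)

    # 4. A craft holding some other key cannot compute the right answer.
    c3 = questioner.new_challenge()
    stranger = Transponder(secrets.token_bytes(32))
    results["wrong_key_accepted"] = questioner.verify(stranger.respond(c3))
    return results


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name}: {accepted}")
```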
Konheim, now a professor at the University of California at Santa Barbara, was one of those mathematicians who had taken several NSA-sponsored courses and had signed the fatal document that bound them to submit their future cryptographic works to the agency. “You sign it once and it’s forever,” he later explained. There was no way that Konheim was going to give any crucial information to the stranger who sat in his office along the curved-glass walls of the Watson research building. However, Diffie says that Konheim did give him one critical piece of information. “He only told me one thing, and since then, he’s wished he’d never said that,” crows Diffie. That datum was not a cryptographic tip but a referral, the name of someone who had been asking the same kinds of questions as Diffie had, a guy who had briefly worked at the lab and was now an assistant professor at Stanford. His name was Martin Hellman. Maybe, Konheim suggested, two people can work on a problem better than one. When Diffie and Mary next drove whichever Datsun 510 was running at that time to the West Coast for a stint of house-sitting for John McCarthy, one of the first things that Diffie did was phone this young professor of electrical engineering. “I arranged a half-hour meeting at my office at Stanford,” Marty Hellman now recalls, “figuring it’s just not going to go anywhere, but what the heck.” Thus was made the match that, in the world of crypto, would later attain the resonance of famous pairings elsewhere: Woodward-Bernstein. Lennon-McCartney. Watson-Crick. Diffie-Hellman.

* * *

Though he lived in California, Marty Hellman was pure Big Apple: pugilistic, in-your-face New York City. With his dark hair, beard, and intense stare, he resembled a Semitic version of Martin Scorsese. Born in 1945, he grew up Jewish in a tough Catholic neighborhood and learned to take an outsider’s view. He also took refuge in science. His father and uncle both taught physics in the public schools. 
Young Hellman had always been turned on by explorers and new frontiers, whether it was Magellan charting the New World or Einstein redefining the way we understand the universe. He was accepted into the Bronx High School of Science; his avocation was ham radio. “That probably pulled me into electrical engineering,” he said. “It’s a very broad area; you can move from theoretical physics through solid-state physics and math.” He got his doctorate from Stanford in 1969, and his first job was at IBM research in Yorktown Heights, New York. Not long after he was hired, Hellman gave a paper at an information theory symposium held at the Neville hotel and resort, the headquarters of the Catskills’ Borscht Belt. The banquet speaker was David Kahn. Hellman had always believed that there was something kind of sexy about cryptography, but Kahn’s appearance got him thinking about it as a serious scientific pursuit, and those thoughts got stronger when he discovered that his new employer was already working in that field. Surely commercial applications existed, he figured. Though Hellman didn’t work directly with Horst Feistel, the German-born cryptographer worked nearby in the building, and sometimes the two of them would sit together at lunch, where the older man would describe some of the classical cryptosystems and some of the means of breaking them. Hellman left IBM in 1970, accepting a post as assistant professor at MIT. At that time Peter Elias, who had worked closely with Claude Shannon, was just stepping down as the head of the electronic engineering department. Elias’s talks with Hellman drew the young academic deeper into crypto, and for the first time he began thinking about making it the focus of his research. “Partially, it was the magician aspect, being able to impress people with magic tricks,” he now explains. 
“Also, the potential to make a real impact, and advance my career by doing it.” He resisted the temptation to do what the vast majority of scientists and academics in his field had already done: work within NSA strictures. “From the very beginning, once someone heard I had an interest in cryptography, the people from NSA would come at me,” he says. Hellman would profess interest in hearing what they knew, but only if he would remain free to publish his own findings. The officials would warn him he was wasting his time, and that by depriving himself of the research performed at The Fort, he’d never come up with anything worthwhile. But Hellman, brimming with chutzpah in those days, said, in effect, To hell with you, I’m doing it anyway! He figured that even if he wound up rediscovering something that was already in the classified literature, his feat would not be redundant, because his findings could be exploited for commercial use. “It was hard,” he says. “But it was also doing something exciting that no one else was doing.” Enter Whit Diffie. “It was a meeting of the minds,” says Hellman. It came at a propitious time: though Hellman had recently published his first paper in the field of cryptography — a gloss on Shannon’s work — he’d been stuck for a follow-up, and longed for a kindred ear. “I’d been working in a vacuum,” he says, “and was feeling, ‘Is this really worth it?’ I was really getting concerned about whether this was going to lead anywhere.” Showing up wearing what Hellman called “the AI uniform” — black chinos, white socks, white shirt, and tennis shoes — Diffie was undoubtedly quirky. But he knew his stuff. He knew volumes. 
Only someone like Hellman, who had banged his own head against the ramparts of crypto secrecy, could appreciate how well spent were Diffie’s months and years traveling, talking to anyone he could find, burrowing in libraries for forgotten books like Luigi Sacco’s 1938 treatise on cryptography, and poring over obscure texts like the Friedman papers that NSA had later tried to reclassify. “He’d dug up everything I had never seen or had the energy to dig up,” says Hellman. Finally, someone with whom he could toss ideas back and forth; it was like an elegant game of hard catch between two professional ballplayers. The half-hour meeting went on for an hour, two hours, longer. Hellman simply didn’t want it to end, and Diffie, too, seemed eager to continue for as long as possible. Hellman had promised his wife he’d be home by late afternoon to watch their two small children while she went off, so finally he asked Diffie back to his house. No problem! Diffie called Mary and she came over to have dinner with Whit and all the Hellmans, and it wasn’t until 11:00 or so that night that the dialogue broke up. Not surprisingly, the two decided to continue the conversation. “It was very nebulous,” says Hellman. “He had some great ideas, I had some great ideas, and there was some overlap. We just loved talking to each other. It wasn’t that we had a goal of doing this or a goal of doing that — we just wanted to go further down the path we had each gone down, without finding someone at the end of the path telling us what everybody else was telling us: that we were wasting our time.” Both Diffie and Hellman firmly believed that the advent of digital communications made commercial cryptography absolutely essential. All of these huge computer and telephone networks made life incredibly easy for eavesdroppers — it was going to be possible to fully automate spying. 
At least with radio broadcasts, snoopers had to monitor numerous points in the channel band; with a network, it was as if everyone were broadcasting on the same channel. A spy agency like the NSA could — and would — simply turn on the Hoover and inhale gigabytes of data. “Ninety-nine percent of what they suck up gets blasted out as hot air,” says Hellman. “But by combing the data for key words, key phrases, key names and addresses, one percent gets caught in the bag as dirt.” The antidote for this would amount to, in essence, a cryptographic revolution, which would allow ordinary people to encrypt the stuff they sent over the network. The big problem, as Diffie had discussed with McCarthy and Schroeppel, was scaling crypto for more users, and making it easier to use. Something had to replace, or at least augment, the old-style, classical form of symmetrical-key crypto (where the same key that scrambles the messages can unscramble it, too), because it was totally unfit for the massive numbers of private conversations and digital transactions that people would require. The problem was that in order to have those private conversations, both parties had to arrange in advance what the key would be, and then somehow use that key without exposing it to eavesdroppers or intruders. This was a fairly straightforward act for a military organization, but an absolute nightmare in a bustling marketplace. What were you going to do — send millions of bonded couriers out into the streets to personally hand someone a new key every time he wanted to start up a phone conversation or file a purchase order? The only feasible approach seemed to be an infrastructure of key distribution centers that would generate a key every time two people requested one for a private conversation. But Hellman shared Diffie’s deep-seated suspicion of such a centralized system. 
“I knew he’d be around for a couple of months, but I also had the feeling that he might pick up and leave, and I was really anxious to see him stay here,” says Hellman. So Hellman called his grant monitor in the National Science Foundation (NSF) and wheedled some more funds to spend working on cryptography. There was enough to hire Whit Diffie as a part-time researcher. “It might have been for ten to twenty hours a week, or about a quarter to a half of what a working person would normally make,” says Hellman, who also suggested that while they were at it, why not have Diffie enroll as a graduate student and get a doctorate in the process? That part of the arrangement didn’t work out. “Whit is a truly free spirit,” was Hellman’s postmortem. “When he’s interested in something for himself and no one’s making him do it, he will spend unbelievable hours a day, get by with little sleep. But [not] when he has homework assignments and the structure.” Ultimately, Diffie dropped out of the graduate program when the administrators noticed that he hadn’t taken the requisite physical examination. “I didn’t feel like doing it; I didn’t get around to it,” says Diffie. Though he finessed the matter for some months, ultimately, when the Stanford bureaucrats refused to register him without proof he had taken the physical, Diffie told them to go to hell. “I used to think of it as a handicap on Whit’s part,” says Marty Hellman, “but maybe he was just mature at an earlier age, thinking, Damned-if-I’ll-follow-some-of-your-stupid-rules. Because some of them are stupid.” Ultimately, it was only by questioning the conventional rules of cryptography and finding some of them “stupid” that Diffie made his breakthroughs. A case in point: the belief that the workings of a secure cryptosystem had to be treated with utmost secrecy. That might have held true for military organizations, but in the computer age, that didn’t make sense. 
There would be unlimited users who needed a system for privacy; obviously, such a system would have to be distributed so widely that potential crackers would have no trouble getting their hands on it and would have plenty of opportunity to practice attacking it. Instead, the secrecy had to rest somewhere else in the system. Maybe those one-way functions that obsessed Diffie could be involved in such a system. In the months that followed, they became close colleagues and friends. Mary and Whit often hung out at the Hellmans’. Marty’s wife Dorothy was an enthusiast of purebred dogs — obviously something Mary was interested in — and Mary got one of Hellman’s daughters interested in playing the harp. Whit and Marty would usually be off in a corner, talking cryptography. Between Whit and Mary there was now an understanding that the traveling was over. They began their Palo Alto house-sitting stint for John McCarthy, watching his teenage daughter Sarah while the AI pioneer was on a Japanese sabbatical. Meanwhile, they started looking for a place of their own in Berkeley. Mary took a job with British Petroleum in San Francisco. Whit had the house to himself all day, and he would clean and cook. Mainly, he would work with Marty, hoping against hope that his years of didactic study would bear fruit and he would make a contribution, however slender, to the maddingly secretive field of cryptography. His years of obsession had not decreased his passion for the subject. Nor had his deep affection for Mary Fischer — his other romance — distracted him. On the contrary, their relationship had only intensified his hunger for privacy, and the quest for a technology to provide it. His epic quest had begun from a lack of trust in computer systems and their keepers. Now it was about maintaining a valuable personal connection, too. 
“When he felt he’d finally found a trustworthy person,” as Mary Fischer later explained, “the question became, ‘How do you deal with a trustworthy person in the midst of a world full of untrustworthy people?’ ”

the standard

On March 17, 1975, a dry government document produced a shock wave that just about tore the plaster off the walls of Martin Hellman’s little cipher operation at Stanford University. It was a Federal Register posting from the National Bureau of Standards (NBS), ostensibly one of countless protocols proposed by that agency that, if adopted, would become the officially endorsed means of doing things for the federal government. By extension, it would become the no-brainer choice for private industry and just plain folks as well. This proposal involved something seldom ventured in the public literature: a brand-new encryption algorithm. And a strong one to boot. It was to be called the Data Encryption Standard, or DES. The Stanford team had known that the unprecedented move was in the offing — the NBS had been issuing requests for such a standard — and Hellman knew that his old and trusted colleagues at IBM had been cooking up a system designed to satisfy the government’s criteria. So at first they welcomed the announcement. “This was big news,” recalls Hellman. “We were happy to see a standard. We thought it was a wonderful thing.” Then they began to actually examine the DES system — and learned that the National Security Agency apparently had a hand in its development. And their enthusiasm turned to dismay. Right away, it was glaringly obvious that the flaw in the DES was the size of the encryption key, a metric that directly determines the strength of a cryptographic system. It was 56 bits long. That’s a binary number of 56 places. You could envision this as a string of 56 switches, each of which could be on or off. 
Though 2 to the 56th power was a hell of a big number in most circumstances — it meant that there were 2^56 possible keys, or about 70 quadrillion — Hellman and Diffie believed that it was too small for high-grade encryption. Sophisticated computers, they insisted, could eventually work hard enough to find solutions to such encrypted messages by “exhaustive search”: trying out billions of key combinations at lightning speed until the proper key was discovered and the message suddenly resolved itself into the orderly realm of plaintext. This would be a classic “brute-force” attack. “A large key is not a guarantee of security,” says Hellman, “but a small key is a guarantee of insecurity.” Diffie wrote as much in an otherwise respectful initial analysis of the standard, submitted in May 1975 as part of the NBS’s public comment process. “The key size is at best barely adequate. Even today, hardware capable of defeating the system by exhaustive search would strain but probably not exceed the budget of a large intelligence organization.” He postulated that a free-spending agency could feasibly build a customized machine that would crack such a key within a day. “Although cryptanalysis by exhaustive search is far from cheap, it is also far from impossible,” he wrote, “and even a small improvement in cryptanalytic technique could dramatically improve the cost performance picture. We suggest doubling the size of the key space to preclude searching.” Naively, the Stanford duo believed that such advice might be heeded by the United States government: Well, damn, you guys are right! Let’s double that silly key size! Instead, the government’s response was sufficiently evasive for Hellman to suspect that a smoke screen lay behind the NBS’s actions. 
In subsequent months, in fact, Hellman would publicly begin to question whether the DES algorithm might have been a daring ruse on the government’s part to lull citizens and perhaps even foreign foes into an illusion that they were protecting information — while that supposedly secure data was easily accessible to the NSA. At his most paranoid, Hellman wondered whether the DES had a “back door” implanted in it by Fort Meade’s clever cryptographers. While there was no direct proof of that, there was reason for suspicion. If everything was on the up-and-up, Hellman wanted to know, why was it that the design principles of the algorithm, as well as its inner workings, were being treated as government secrets? If the government had nothing to hide, why were they hiding something? Diffie and Hellman were only the first to question the murky origins of the Data Encryption Standard. The debate would continue even as the DES became a kind of gold standard for strong commercial cryptography — and an object of continued suspicion among the outsiders of the crypto and civil liberties world. Only with the passage of time would it become clear that the development and certification of DES was in a sense an inspiring story of its own, one that had elements in common with the quest of Diffie and Hellman themselves.

* * *

The story began with one of IBM’s most enigmatic researchers, Horst Feistel. He was the German-born cryptographer who had done the work on Identification Friend or Foe protocols that Whit Diffie had learned from Alan Tritter. Feistel had been working at IBM’s research division in Yorktown Heights since the late sixties. It was one of the few jobs in the private sector that involved work in cryptographic research. In fact, some of his colleagues suspected that Feistel had been in the NSA’s employ and was somehow still hooked up with it, even while working for IBM. In any case, his biography is somewhat sketchy. Born in 1914, he had left Germany as a young man. 
His aunt had married a Swiss Jew living in Zurich, and on the concocted pretext of tending to his aunt’s illness, Feistel joined them just before the Third Reich began a military conscription that would have prevented his escape. After studying in Zurich, Feistel came to the United States in 1934. He was about to become a naturalized citizen when America was thrust into World War II. Feistel was put under what he once described as “house arrest,” his movements restricted to the Boston area where he was living. But in January 1944, Feistel’s circumstances changed abruptly. He was not only granted citizenship but also given a security clearance and a job at a highly sensitive facility: the Air Force Cambridge Research Center. What he did there is unclear. Codes had fascinated him since his boyhood, but in the early 1990s he told Whit Diffie that while crypto work was indeed his desire, he was informed that this was not suitable wartime work for a German-born engineer. On the other hand, in a 1976 interview with David Kahn, Feistel said that during the war he had worked on Identification of Friend or Foe systems — not cryptography per se at that time, but close. There are other contradictions in Feistel’s various accounts of his activities. He told Diffie that before he was granted U.S. citizenship, he had to report to authorities every time he left Boston to visit his mother in New York. But he once told a coworker that his mother didn’t emigrate until the Cold War began. The U.S. had spirited her out of East Berlin, he reportedly said, just in case the Soviets discovered that Feistel was doing crypto and decided to pressure her. There was no doubt, however, that after the war, Feistel began to specialize in IFF. He headed a crypto group at the Cambridge Research Center, and part of his job was testing an advanced IFF system that depended on an amazing new invention, the transistor. 
This tiny marvel would enable an IFF system to be built so compactly that it could fit into the nose of a fighter plane. Another important project of Feistel’s was a longtime passion: constructing a strong cryptosystem based on block ciphers. (This kind of system encrypted messages by processing them in chunks, or “blocks,” as opposed to stream ciphers, which did their scrambling on text as it flowed, or “streamed,” by.) Did the NSA embrace Feistel’s work, or did it see his work as a threat, and try to stifle it? According to what Feistel told Diffie, the people at The Fort had closely monitored his air force work and used the NSA’s power to influence the direction Feistel’s work took. But the agency also regarded the project as a threat and eventually managed to kill the entire crypto effort at the Cambridge lab. When Feistel left for another job in the mid-1960s at Mitre (the same military contractor that would later put Whit Diffie on its payroll), he unsuccessfully tried to organize a group there that would resume his crypto work. He blamed the failure on more NSA pressure. So Feistel took the advice of his friend, A. Adrian Albert, and went to work for IBM, which seemed more open to such pursuits. (Albert was a mathematician, a onetime head of the American Mathematical Society, who had himself done extensive cryptography work for the government.) IBM was an amazingly rich company with little competition, and its research division was an intellectual playground where incredibly bright scientists were encouraged to explore whatever interested them. “If they hired you at Yorktown, you’d do what you wanted, as long as you did something,” says Alan Konheim, who became Feistel’s boss in 1971. “And Feistel did something — he formalized this idea for a cryptosystem.” The most remarkable aspect of Feistel’s creation was not its mathematics or its technology — or even its resistance to codebreakers — but the motivation behind it. 
His superstrong cipher wasn’t intended to defend government secrets or diplomatic dispatches, but to protect people’s privacy — specifically, to protect databases of personal information from intruders who might steal the contents to create detailed dossiers on individuals. “Computers,” wrote Feistel in a 1973 article for Scientific American, “now constitute, or will soon constitute, a dangerous threat to individual privacy. . . . It will soon be feasible to compile dossiers in depth on an entire citizenry.” Feistel declared that the antidote was cryptography, traditionally the domain “of military men and diplomats.” He proposed that computer systems be adapted “to guard [their] contents from anyone but authorized individuals by enciphering the material in forms highly resistant to cipher-breaking.” Considering Feistel’s familiarity with the government’s zeal for keeping cryptography to itself, this was a significant position to take. So important was privacy in the computer era, Feistel believed, that the knee-jerk national security arguments would have to be shelved. Meanwhile, Feistel was concocting a system that would grant people that privacy. The system was called Demon, so dubbed because file names in the computer language he used (APL) could not handle a word as long as his unimaginative choice for the first version, “Demonstration.” Later, in a burst of inspiration, an IBM colleague would change the name, carrying over the satanic theme from Demon, to “Lucifer,” thus containing a cryptographic pun. As a block cipher, Lucifer was a virtual machine that sucked in blocks of plaintext data and spit out blocks of ciphertext. Feistel created several versions; the best known used a digital key of 128 bits, an enormously tough target for a brute-force attack. Impossibly tough. 
Of course, the issue of key length would be of little importance if a codebreaker could quickly crack the system by detecting and exploiting structural weaknesses that would recover plaintext without having to bother with brute-force attacks. If even the most subtle pattern could be discernible in ciphertext, a codebreaker would be on his way to breaking the system. Lucifer’s strength, like that of any other cipher, depended on denying potential foes any such shortcuts. Feistel’s cipher avoided telltale patterns by subjecting the plaintext characters to a tortuous mathematical journey, leading them through a complicated whirl of substitutions. Ultimately, after sixteen “rounds” of furious swapping with other letters in the alphabet, the actual plaintext words and sentences would appear only as a block of seemingly random letters: an oblique ciphertext. The crucial rules of substitution took place by means of two substitution boxes, or “S-boxes.” These, of course, were not physical boxes, but sets of byzantine nonlinear equations dictating the ways that letters should be shifted. (At least one colleague of Feistel’s, Alan Konheim, believes that the idea of S-boxes had been given to Feistel by the NSA at a summer workshop, supposedly to get a technology well understood by Fort Meade into the mainstream. “Horst is a very clever guy, but my guess is he was given guidance,” says Konheim.) The S-boxes did not merely initiate a set of predictable substitutions in the letters; they used information drawn from a series of numbers that comprised a secret key to vary the sequence as the bits passed through the boxes. The security of the system ultimately rested with this key. Without knowing this key, even a foe who understood all the rules of Lucifer would have no advantage in transforming ciphertext into plaintext by some reverse-engineering technique. 
Such knowledge of the rules was to be assumed; the nuts and bolts of a well-distributed commercial cipher were much more likely to be accessible to eavesdroppers than the workings of military codes, which could be more tightly controlled. A cryptanalyst trying to crack an army code would often have no clue as to the system used to produce the ciphertext, a problem that required not only plenty of extra time to break the code, but also a huge amount of resources in the black art of undercover intelligence. Huge spy networks devoted themselves to learning the sorts of codes the enemy used. On the other hand, if Chase Manhattan Bank decided to use IBM’s brand-name code to encrypt its financial transactions, a potential crook would find it relatively simple to discover what cryptosystem the bank used. Since IBM might license the cryptosystem to others, the rules of that system would probably be circulated fairly widely. So in this new era of nonmilitary crypto, all the secrecy would rely on the key. IBM applied for, and received, several patents for Lucifer. As an innovation of its Watson Research Lab, Lucifer fell into the research category. But unlike some blue-sky schemes at Watson that were way ahead of their time, an invention that provided an instant answer to a pressing problem — data security in the communications age — was naturally positioned on a fast-track to commercialization. Lucifer’s first serious implementation came quickly, in Lloyds of London’s Cashpoint system, a means for distributing hard currency to bank customers. Undoubtedly, this was a harbinger of bigger things to come for both IBM and crypto. It was only a matter of time before Horst Feistel’s baby would no longer be a research project; it would be a major IBM initiative. And that would change everything. * * * As Feistel was refining Lucifer, a thirty-eight-year-old engineer named Walter Tuchman was working at IBM’s Kingston, New York, division. 
He was a Big Blue lifer, having first gotten his feet wet during a three-month period at IBM in 1957 between college and the army. When he finished his stint, IBM not only rehired him but sent him off to Syracuse to pursue a doctorate in information theory. Most of his classmates remained in academia, but Tuchman wanted to use his knowledge to actually create sophisticated technology, so he stuck with IBM and wound up heading product groups. Tuchman’s most recent IBM task involved an odd sort of computer security vulnerability. When computer terminals are in operation, they leak out faint electronic impressions that a sophisticated eavesdropper can use to reconstruct the information being shown on the screen. In effect, those blips represent an unauthorized computer-data wiretap. The government wanted a special means to shield its computers from such potential leaks, and IBM responded by devising what came to be known as Tempest technology. It was considered a big win, and when Tuchman’s team finished its work around 1971, people in the group wanted to stay together rather than disperse to other projects, a routine known internally as “volkerwanderung.” To do this, they needed a new mission. Tuchman’s boss knew there were some interesting things going on in the banking division that might require innovative advances in computer security, and suggested Tuchman and his team look into it. IBM’s banking division was fortuitously located just across the road from Tuchman’s offices in Kingston. He quickly found that his boss’s instinct was sound in sending him there. Building on the Lloyd’s project, IBM had decided to advance the idea of cash-issuing terminals, where bank customers could get money from their accounts without having to see a teller. The first cash-issuing machines had been giant safes that held not only the money but also all the electronic and computer equipment necessary to process the transaction. This was both costly and unwieldy. 
The better solution would be to spread the computer application between a terminal and the bank’s mainframe computer, which could do all the heavy-duty processing. This solution was not only efficient, but hewed to IBM’s recent, painful realization that the standard model of computing was headed to the junkyard. “Before then, data processing was all done on the mainframe. The security model was that you locked your door, you locked your desk, and you had a guy with a gun guarding the building,” explains Tuchman. But now, even the most tradition-bound minds in Armonk understood that in the future, as Tuchman puts it, “data processing was leaving the building.” And since a guard with a gun couldn’t be everywhere, the security model would have to change. Of course, a system that actually doled out cash would represent a trial by fire for whatever new type of security IBM employed. The crucial commands that flashed a green light to spit out twenty-dollar bills would be sent over the phone line. Tuchman was quick to understand how precarious this could be. Imagine if some techno-crook managed to elbow his way on to the phone line and mimic the messages that said, “Lay on the twenties!” The answer was cryptography. Though Tuchman had a background in information theory, he had never specifically done any crypto work. But he soon found out about the system that the guys in IBM research at Yorktown Heights had cooked up. He ventured down to Watson Labs one day and heard Feistel speak about Lucifer. He immediately set up a lunch with Feistel and Alan Konheim. The first thing Tuchman asked Feistel was where he had gotten the ideas for Lucifer. Feistel, in his distinctive German accent, mentioned the early papers of Claude Shannon. “The Shannon paper reveals all,” he said. Meanwhile, Tuchman’s colleague Karl Meyer was exploring whether Lucifer might be a good fit for an expanded version of the Lloyd’s Cashpoint system. 
Ultimately he and Tuchman concluded that it would probably need a number of modifications before it was strong enough to rely upon. But it would be a fine beginning. And so, they made an arrangement with Alan Konheim and his Information Theory Group. Tuchman and Meyer’s team at Kingston would build a revised algorithm for Lucifer. Then they would send it to Yorktown for evaluation and testing. The internal name for the cipher was the DSD-1. Before this arrangement was approved, however, a top IBM executive demanded to know why they were even bothering with Lucifer when he knew of a cheaper, faster algorithm. Tuchman took this supposedly superior algorithm home and broke it over the course of a weekend. (He and Meyer eventually published the break in the trade magazine Datamation.) Tuchman would often cite this triumph as proof that his team knew what it was doing — and to ensure that the work wouldn’t be disrupted by clueless interference from upstairs. “We can’t deal with amateurs in the field,” he remembers telling the muckety-mucks high on the corporate food chain. “There’s no cheap way out of doing a crypto algorithm. You’ve gotta work, work, work. Qualify, qualify, qualify. It’s going to take a long time.” This was a fairly difficult process because, as Whit Diffie could have told the Kingston group, there was pathetically little information available on how one could construct a modern, military-strength cryptosystem. “All of it was classified,” sighs Tuchman. “But we understood from our mathematics classes what makes a cipher hard to solve.” His group read everything they could in the library, and, as Feistel had predicted, the most helpful papers were those of Shannon. And they talked a lot to Feistel himself. But mainly they reinvented a lot of what must have been common knowledge among the algorithm weavers at Fort George Meade. “We sat around in our conference rooms working on the blackboard, teaching ourselves,” says Tuchman. 
Ideally, Feistel himself would have been recruited to temporarily move to Kingston. Tuchman kept asking Konheim, “What does Horst want to do? I’ll give him a nice desk and his own office, and he can come up here.” And Konheim would say, “Nah, I don’t think it’ll work out.” Tuchman eventually came to understand why. “Horst was like a European version of James Stewart in the movie Harvey,” he later said. “He was sort of living in a little magical world between what happens in a commercial business like IBM and his hobbies. I never quite felt that Horst understood what the business world — especially the high-tech business world — was all about. He was cloistered in research in Yorktown, and here we were, these crazy guys from Kingston who were actually willing to make products, to see if we could do something that made money.” Konheim agrees that Feistel was oddly misplaced in the corporate world and, as time went on, even in the research division of that universe. According to Konheim, as Lucifer became less and less Feistel’s invention and more the commercial product of an IBM division, Feistel would arrive at Yorktown later and later in the day. And even then, he wouldn’t seem to be working on the project, but rather spending a lot of time on the phone speaking German. Konheim says that Feistel’s elderly aunt had promised him a considerable inheritance, and a lot of that phone time was spent cultivating her almost fanatically. (According to Konheim, it was a bitter disappointment years later when she died and left him nothing.) And Feistel’s 1973 article for Scientific American — one of the most explicit scientific descriptions of crypto presented to the public in years — could have been interpreted as a rebellion of sorts. Certainly in some quarters such frankness about the cryptographic innards of a potential IBM product could have more than raised an eyebrow. 
Apparently, the NSA itself objected to the article; years later, Feistel would allude to the agency’s unhappiness with it, also remarking that if it hadn’t been for the Watergate scandal then turning Washington upside down, the NSA might have tried to shut down the entire Lucifer project, as it had with his previous ventures. The Kingston group was blissfully unaware of such intrigues. To them, the Lucifer effort was simply a product ramp-up. They focused on their goal of modifying the system, of increasing its complexity and difficulty so that its ciphertext would pass the Shannon tests for apparent information randomness. The first step was to set up a list of what they called “heuristic qualifiers,” a series of mathematical tests that would evaluate the cryptosystem’s output — the scrambled message — so that it bore no apparent relationship to the original message, appearing to be a random collection of letters. In Claude Shannon’s terminology, the apparent information content would be zero. Feistel’s version of Lucifer certainly attempted to reach this ideal but didn’t go far enough. Its strongest feature was its two S-boxes, where the trickiest substitutions took place — the nonlinear transformations designed to drive cryptanalysts batty. So the Kingston team decided that the new, improved Lucifer — DSD-1 — would have even more devious S-boxes. And the number of those would increase from Lucifer’s two to a much more formidable eight. Complicating that effort were the requirements for compactness and speed: “It had to be cheap and it had to work fast,” says Tuchman. To fulfill those needs, the entire algorithm had to fit on a single chip. So another part of the team was a VLSI (Very Large Scale Integration) group, split between Kingston and IBM’s Burlington, Vermont, labs, whose job was to put the entire scrambling system on a 3-micron, single wiring layer chip. If everything worked out, IBM would have the tiniest strong-encryption machine ever known. 
Working under those constraints, the Kingston team constructed the complicated DSD-1, still informally referred to as Lucifer. If all went well, their new Lucifer would take a 64-bit block of plaintext, submit those bits through a torturous process of permutation, blocking, expansion, blocking, bonding, and substitution involving a digital key, and then repeat the process fifteen times more, for a total of sixteen rounds. The result would be 64 bits of what appeared to be total digital anarchy, a Babel that could only be returned to order by someone reversing the encryption process by using the digital key that determined how the scrambling had been done. Then the Watson Lab team would try to attack it, to see if things really had gone well. * * * Though Horst Feistel was not involved in the actual reconstruction of DSD-1, he did help bring his colleagues in research up to speed for the testing process. On January 11, 1973, he gathered five fellow members of the Data Security Group at Yorktown Heights and gave them their first exposure to the Lucifer cipher. One of the group, Alan Tritter (the same eccentric computer scientist who had told Whit Diffie about IFF protocols), raised questions as to the wisdom of the entire enterprise. Was IBM putting itself at risk by vying to be a power in the new world of commercial cryptography? What if Lucifer could be cracked? Tritter’s comments drew interest because they seemed to echo some remarks made, but not proven, by a professor at Case Western Reserve University named Edward Glaser. A blind man who was one of the endless consultants IBM routinely hired with its bottomless budget, Glaser, according to Konheim, had blustered that if he were given twenty examples of ciphertext, along with the original plaintext (this is known as a chosen plaintext attack), he could break Lucifer’s system. (It turned out to be a specious claim.) But the point was well taken, and Tritter repeated it in a memo written later that year. 
“We were/are in an unusually exposed position,” he wrote. Noting that the first use of Lucifer was already implemented in a Lloyd’s cash terminal, he ticked off the consequences that could come if the system, like so many seemingly “unbreakable” ones before it, was somehow compromised. If someone was able to produce a valid key for a Lucifer cipher, he wrote, “a clever, resourceful, highly organized attempt to remove illicitly but without the use of force the entire cash contents of all the terminals in the ‘Cashpoint’ system, say over a single bank holiday weekend, would certainly succeed.” But such a possible loss was only the beginning of the sorts of perils IBM was courting by drawing on crypto’s implicit promise of security. With Big Blue’s fat cash reserves, it would be no problem replacing even a steep stack of twenties to reimburse Lloyd’s. More troublesome would be restoring public confidence. And then would come the lawsuits. “Were the security of [Lucifer] or of any other crypto product we may subsequently field to be breached publicly, the harm it would do us in the marketplace would be incalculable,” wrote Tritter. “And this is in addition to actual damages and the very real possibility of exemplary damages awarded against us in a lawsuit which would give the press, the industry, and the public a field day.” On the other hand, how could IBM not pursue cryptography? Its business was the information age, and without a means of protecting data as they moved from one computer to another, IBM would not sell nearly as many computers. The lack of cryptography was a potential roadblock to the computerization of America — and the computerization of the world itself. So on February 5, 1973, a high-level meeting was held to review “the status and plans of cryptography within the entire IBM corporation.” As Tritter later summarized the meeting, “It appeared to be broadly agreed . . . 
that IBM was apparently in the crypto business for keeps, and would have to acquire a corporate expertise in the area. In the meanwhile, attacks on Lucifer were to be intensified.” An outside expert, Jim Simons of the math department at the State University of New York at Stony Brook — who had also practiced cryptography at the Institute for Defense Analysis, the NSA satellite in Princeton — was recruited to organize a concentrated attack on Lucifer. He worked with three researchers from Yorktown Heights for about seven weeks in the late spring of 1973. Even before he issued his report, IBMers were buzzing with the good news: Simons and his team hadn’t cracked it. “The Lucifer machine is certainly stronger than I had originally thought,” Simons wrote in his report of August 18, 1973. But he didn’t exactly bestow a crypto seal of approval on it. “It seems highly improbable that Lucifer will be broken by two high school students as part of their science fair project,” concluded Simons. “On the other hand, there isn’t nearly enough evidence to feel confident that it won’t succumb to sophisticated attacks by a professional cryptanalyst.” Simons worried that if Lucifer, as currently constituted, was put into commercial use, it would almost inevitably be used to protect “traffic of genuine importance” (like money, or trade secrets), providing the incentive to encourage an intense, ultimately successful effort to break it. So while Lucifer seemed to be a good start for IBM, Simons warned, the company should work harder to come up with an improved product. “There really is no choice,” he concluded. Meanwhile, IBM itself kept wondering if Lucifer was up to the task. In a confidential memo in May 1973, its chief scientist Lewis Branscombe, summarizing the consensus of the firm’s Scientific Advisory Committee, emphasized the need for the company to “establish a single cryptographic architecture, technology and product strategy.” Lucifer, he wrote, was not the only candidate. 
But later in the month, another memo deemed the Kingston scheme superior, with one caveat: “Unless there is a clear evidence of a significant threshold of vulnerability.” The tests continued for months, conducted by private-sector researchers hired by IBM. “Alan would give them the algorithm and say, ‘Break it. Just go break it.’ And Alan kept reporting back that nobody could find a shortcut,” says Tuchman. “Finally I reached that magical psychological place where I figured this thing doesn’t have a shortcut, so there is just no shortcut solution. Forget it, guys, let’s concentrate on implementing the product now.” Still, compared to the world-class codebreakers behind the Triple Fence, most of the math professors hired to bang their heads against Lucifer were Little Leaguers. How could IBM be sure the scheme was really sound? They certainly didn’t want to find out its vulnerabilities by discovering that one day some former KGB cryptanalyst hired by the Mafia had cleaned out their virtual cash vault. * * * At the beginning of 1974, Tuchman figured his team was about halfway through its work. “We had a pretty good idea how much algorithm we could get on a single chip,” he says. And much of that algorithm was written. But two things happened that year that would profoundly affect the project. The first would throw it open to the public. The second would cast a clandestine shadow over it that would last for a generation. IBM was not the only institution aware of the vital need for cryptographic protection in the computer age. That view was also shared at the National Bureau of Standards, the government agency in charge of establishing commonly accepted industry standards for a wide variety of commercial purposes. The bureaucrats and scientists there believed that digital protection should be centered in a single system, one well-tested means of encrypting information that would be accessible by all. 
So NBS decided to solicit proposals for a standard cryptographic algorithm. (The NSA declined to submit one of its own ciphers, since allowing outsiders to examine its work was unthinkable.) In the May 15, 1973, Federal Register, the NBS listed a number of exacting criteria that such a standard should meet. Not surprisingly, the NBS received no submissions at that time that even vaguely met the criteria. By and large the only cryptographers in this country who had the wherewithal and expertise to meet this challenge were working behind the Triple Fence. And the work done there was never published, never revealed. But there was one cryptosystem in development that seemed to fit a lot of the government’s needs: Lucifer, the DSD-1. Lewis Branscombe, IBM’s chief scientist — who, not coincidentally, was himself a former head of the NBS — in particular felt that this work in progress might be an excellent candidate for the encryption standard for the next generation. Walt Tuchman was against the idea, primarily because of the trade-off involved in submitting the revised Lucifer as a federal standard: IBM would be required to relinquish its patent rights, essentially giving — not selling — the algorithm to the world. “I was this typical capitalistic product manager,” he explains. “I’m in this thing to make money, not to foster some great social improvement.” He argued his point before IBM’s high-level executive Paul Rizzo, who was then Big Blue’s number two. Branscombe presented the other point of view: make it public. Finally, Rizzo weighed in. Lucifer, he argued, was like a safety component that benefited all of society. If the Ford Motor Company came up with a seat belt superior to those of its competitors, one that saved the lives of moms and dads, would they allow General Motors to use it? You better believe they would, because it was the right thing to do. Jimmy Stewart couldn’t have topped that homily. You could almost hear the violins playing. 
The speech convinced not only the IBM board, but Tuchman himself, who called a staff meeting when he returned to Kingston. “Well, guys,” he said, “we’re going to give the stuff away.” Not completely, of course. The ways they built Lucifer into a chip, the ways they would implement it within a full-featured solution, the little tricks to get the most of it . . . these would be great selling points for IBM-created versions of the DSD-1. Other companies would get access just to the algorithm itself. So maybe it wasn’t such a bad idea from a business perspective to give the thing away. The feeling at IBM was that merely submitting its work to the NBS was sufficient to fast-track DSD-1 toward a coronation as the standard. Even though the response date for the NBS’s request for crypto algorithms in 1973 had long expired, Branscombe wrote to his NBS successor Ruth Davis in July 1974, offering what he described as the “Key-Controlled Cryptographic Algorithm,” developed at Kingston, as a candidate. With this favored new candidate already in hand, the NBS, somewhat superfluously, reissued its request for crypto algorithms in the August 27, 1974, Federal Register. No serious competitor emerged. And thus the revised Lucifer, a.k.a. DSD-1, was destined to be known by a lofty, though generic, moniker: the Data Encryption Standard. The title would eventually become so familiar among the digital cognoscenti that it would be pronounced not as an acronym but as a single phoneme: Dez. * * * By then, the other crucial process in Lucifer’s transformation was well under way. It had been fairly early in 1974 when Walt Tuchman received what he later would refer to as “that deadly phone call.” It was his boss, telling him he had to take a trip down to the National Security Agency to cool them down about Lucifer. Tuchman didn’t like it. But he understood the importance of playing ball with Uncle Sam. 
By creating a cryptographic product for the commercial sector, IBM was treading on strange turf. If the company didn’t get export clearance to send its crypto chip to its international customers, the whole product might as well be scrapped. What good was a product for a global company like IBM if you couldn’t sell it to the global market? So Tuchman went on his first visit to The Fort. He eyeballed the Triple Fence, contemplated the armed marine guards, parked in the visitors’ lot, and entered the small concrete building where outsiders lacking previous clearance fill in a stack of papers and wait to be called. Then an elderly woman appeared and guided him through a labyrinth of hallways to the second-level manager assigned to the case, a guy just below the deputy-director level. He was not in a military uniform or even in a suit. And he quickly proposed a quid pro quo: We want to control the implementation of this system. You will develop it in secret, and we will monitor your progress and suggest changes. We don’t want it shipped in software code — just chips. Furthermore, we don’t want it shipped to certain countries at all, and we will allow you to ship it to countries on the approved list only if you obtain a license to do so. That license will be dependent on customers we approve signing a document vowing that they will not subsequently ship the product to anyone else. This went on for a while, until Tuchman finally had a chance to speak. “What’s the pro quo of the quid pro quo?” he asked. After all, the NSA man had focused entirely on restrictions and conditions, and had neglected to mention what IBM would receive for its troubles. “The pro quo will be something very useful to you,” said the NSA man. The agency itself would qualify the algorithm. Their all-star cryptanalysts would analyze it and bang away at it. If there was a weakness, it could be noted and corrected. 
And when the mathematical dust settled, IBM would have a priceless imprimatur, one that would assure the instant confidence of its customers: the National Security Agency Good Secret-Keeping Seal. This was a powerful offer. It spoke directly to Tuchman’s greatest fear — that outlaw codebreakers would discover a shortcut solution that would allow them to steal secrets and even money from IBM customers, thus exposing the fabled computer giant to international embarrassment and a legal Armageddon. Instead of having to rely on the smart but inexperienced amateurs at Yorktown and the random consultants they hired, IBM would have the ultimate in due diligence: the cryptanalysis gold standard. As soon as he returned from Fort Meade, he went to see his boss and urged him, “Let’s do it. Let’s work with these guys.” It was a solution that felt good to the top IBMers, who, after all, were virtually synonymous with the “Establishment.” So, just like that, the country’s single most important cryptographic effort in the private sector — save for that of Whit Diffie, still in obscurity struggling at Stanford with his weird ideas about one-way functions — came under the friendly but firm embrace of the National Security Agency. Unspoken was the question as to whether the NSA — which after all was not an arm of the Commerce Department but an intelligence agency, the ultimate spook palace — might discover a gaping weakness in DES but keep its collective mouth shut, smug in the knowledge that it could use that shortcut to quickly break messages encrypted in the IBM code. Tuchman understood the risk of this. As the development process unfolded over the next few months and years, he watched for signs that this might be happening. Ultimately, he was convinced of the NSA’s sincerity. “If they fooled me,” he says, “I will go to my grave being fooled. I looked at those guys eyeball to eyeball. I’m a bit of a film buff, and I’ve seen good acting and poor acting. 
And if the NSA people fooled me, they missed their profession. They should’ve gone to Hollywood and become actors.” From that point on, DES’s development process became, for all practical purposes, a virtual annex within the Triple Fence. The government issued a secrecy order on Horst Feistel’s Lucifer patent, known as “Variant Key Matrix Cipher System.” On April 17, 1974, an IBM patent attorney sent a memo to the crypto teams at Yorktown Heights and Kingston explaining that this meant there would be not only no publishing on the subject, but no public discussion whatsoever without the written consent of the Commissioner of Patents. Even the fact that a secrecy order existed was itself considered a secret, and talking about that was just as serious a crime as handing out encryption algorithms in the departure lounge at Kennedy Airport. A loose lip could result in a $10,000 fine, two years in prison, or both. Fortunately, the memo explained, “IBM has been granted a special permit which allows the disclosure of the subject matter in the application to the minimum necessary number of persons of known loyalty and discretion, employed by or working with IBM, whose duties involve cooperation in the development, manufacture, or use of the subject matter.” Without that exemption, of course, IBM could not have continued its effort, because of the obvious difficulty of collaborating on a project when one risked a jail term for admitting its existence to a co-worker. The NSA’s demands for secrecy were particularly rigid concerning the agency’s cryptanalysis of DES. Anything — anything — that shed light on the way that The Fort’s codebreakers went about their business was regarded as the blackest of black information. The agreement drawn between the agency and the corporation clearly outlined the limited nature of what IBM’s scientists could glean from the collaboration. 
IBM was strictly required to limit those who were involved in the evaluation, and to keep up-to-date lists of those people. Any contact between Big Blue and Big Snoop would come at a series of briefings with rules as circumscribed as a Kabuki performance: IBM would essentially present information, and the NSA people would silently evaluate it. No geeky chatter: the NSA people were formally prohibited “from entering into technical discussions with IBM representatives in regard to the information presented.” Afterward, the NSA folks would hold postmortems to determine whether the IBM scientists might have stumbled on information or techniques “of a sensitive nature.” In that case NSA would then formally notify the company, and IBM would keep the information under wraps. The NSA certainly did know its stuff. It was particularly interested in a technique discovered by the IBM researchers that was referred to at Watson labs as the “T Attack.” Later it would be known as “differential cryptanalysis.” This was a complicated series of mathematical assaults that required lots of chosen plaintext (meaning that the attacker needed to have matched sets of original dispatches and encrypted output). Sometime that year, the Watson researchers had discovered that, under certain conditions, the IBM cipher could fall prey to a T Attack — a successful foray could actually allow a foe to divine the bits of the key. To prevent such an assault, the IBM team had redesigned the S-boxes. After the redesign, under even the most favorable conditions, a T Attack would provide a cracker only a slight, virtually insignificant advantage. Hearing about this unhinged the NSA crowd. Apparently, the T Attack was very well known — and highly classified — behind the Triple Fence. So imagine the agency’s dismay when the IBM team not only discovered the trick (which, presumably, the NSA had been merrily employing to crack enemy codes) but had created a set of design principles to defend against it. 
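What a "differential" weakness in an S-box looks like can be shown on a single table. The Python below is an added illustration, not code from the book or from IBM: it builds the difference distribution table for DES S-box S1 (values as printed in the published standard) and checks two properties that were among the S-box design criteria IBM eventually published. The comparison S-box `weak_sbox` is a constructed, hypothetical example, not any historical design.

```python
"""Difference distribution tables (DDT) for 6-bit to 4-bit S-boxes."""

# DES S-box S1 as printed in the public standard: 4 rows of 16 entries.
DES_S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

IN_BITS, OUT_BITS = 6, 4


def des_s1(x):
    """6-bit input: the two outer bits pick the row, the middle four the column."""
    row = ((x >> 4) & 0b10) | (x & 1)
    col = (x >> 1) & 0xF
    return DES_S1[row][col]


def weak_sbox(x):
    """Constructed weak S-box (hypothetical): XOR-linear plus a constant.

    Because it is affine, the output difference depends only on the input
    difference, so every differential holds with probability 1.
    """
    return (((x >> 1) ^ (x << 1) ^ x) & 0xF) ^ 0x6


def ddt(sbox):
    """table[dx][dy] = number of inputs x with sbox(x) ^ sbox(x ^ dx) == dy."""
    table = [[0] * (1 << OUT_BITS) for _ in range(1 << IN_BITS)]
    for dx in range(1 << IN_BITS):
        for x in range(1 << IN_BITS):
            table[dx][sbox(x) ^ sbox(x ^ dx)] += 1
    return table


def worst_differential(table):
    """(count, dx, dy) of the most likely differential with dx != 0."""
    return max(
        (count, dx, dy)
        for dx, row in enumerate(table) if dx != 0
        for dy, count in enumerate(row)
    )


def min_single_bit_weight(sbox):
    """Fewest output bits that change when exactly one input bit is flipped."""
    return min(
        bin(sbox(x) ^ sbox(x ^ (1 << bit))).count("1")
        for bit in range(IN_BITS)
        for x in range(1 << IN_BITS)
    )


def audit(sbox):
    """Check an S-box against two published DES S-box criteria:

    1. no nonzero input difference yields one output difference for more
       than 16 of the 64 inputs (8 of the 32 unordered pairs);
    2. flipping a single input bit changes at least two output bits.
    """
    count, dx, dy = worst_differential(ddt(sbox))
    weight = min_single_bit_weight(sbox)
    return {
        "worst_count": count,
        "worst_prob": count / (1 << IN_BITS),
        "dx": dx,
        "dy": dy,
        "min_weight": weight,
        "passes": count <= 16 and weight >= 2,
    }


if __name__ == "__main__":
    for name, box in (("DES S1", des_s1), ("constructed weak box", weak_sbox)):
        r = audit(box)
        print(f"{name}: best differential {r['dx']:#04x} -> {r['dy']:#x} "
              f"holds for {r['worst_count']}/64 inputs "
              f"(p = {r['worst_prob']:.2f}); "
              f"min bits changed by a 1-bit flip = {r['min_weight']}; "
              f"passes = {r['passes']}")
```

The flatter the table, the less an observer learns from watching how chosen input differences propagate, which is the "slight, virtually insignificant advantage" left after the redesign.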
The crypto soldiers at Fort Meade could not tolerate the possibility that such information might leak into the general literature. And so the NSA put its secrecy clamp down harder on IBM. “They asked us to stamp all our documents confidential,” says Tuchman. “We actually put a number on each one and locked them up in safes, because they were considered U.S. government classified. They said do it. So I did it.” The man who probably did the most work for IBM on the T Attack, Don Coppersmith, would not discuss the issue for twenty years. It was not until 1994, long after other researchers had independently discovered and described the technique, that he divulged the S-box design principles. “After discussions with the NSA,” he explained in a technical article for the IBM Research Journal, “it was decided that the disclosure of the design considerations would reveal the technique of differential cryptanalysis, a powerful technique that can be used against many ciphers. This in turn would weaken the competitive advantage the United States enjoyed over other countries in the field of cryptography.” Ultimately, IBM got what it wanted for DES — a clean bill of health from the NSA. (This was also a crucial factor in the process by which the National Bureau of Standards would place its imprimatur on DES as a federal standard.) But IBM paid a steep price for adhering to the NSA’s demands to keep its S-box design principles secret. The behavior of the S-boxes in the DES system involved complicated substitutions and permutations that put Rube Goldberg to shame. The best way that outsiders could evaluate whether those bizarre transformations were done simply to produce a tougher cipher — or were clandestinely jimmied to put in a back door by which the NSA could secretly get a head-start on codebreaking — was to know why the designers chose their formulas. 
So IBM’s refusal to explain the logic behind the S-box design encouraged critics like Diffie and Hellman to let their suspicions run wild and entertain all sorts of theories about secret back doors. Telling people that a presumably public algorithm was based on secret designs was a recipe for paranoia, and indeed, the resulting dish nourished critics for years. But to the NSA, this point was nonnegotiable. The Fort Meade brain trust might have considered it a necessary evil to allow a strong crypto algorithm into the world of banks and corporations. But permitting the release of sophisticated techniques that might encourage outsiders to bulletproof their own codes . . . well, that was quite unacceptable.

The whole episode turned out to embody in a nutshell a dilemma that the NSA had yet to acknowledge, even to itself. For years, people at The Fort could be reasonably confident that when they devised a breakthrough technique like differential cryptanalysis, such information would be unlikely to tumble into the public domain. Those days were over. Consider that the IBM group had come across the T Attack on its own, without the help of government. Differential cryptanalysis was ultimately a mathematical technique just waiting to be rediscovered by someone outside the Triple Fence interested in sophisticated codes. The NSA couldn’t hold on to such mathematical machinations any more than an astronomer discovering a previously unknown nebula could cover up the skies to mask its presence to future stargazers. This was to be the reality of the dawning era of public crypto: whether the NSA liked it or not, bright minds were inevitably going to reinvent the techniques and ideas that had been formerly quarantined at Fort Meade — and maybe come up with some ideas never contemplated even by the elite cryptographers behind the Triple Fence.

* * *

S-boxes aside, the most controversial feature of DES would be its key length. Horst Feistel’s Lucifer specified a 128-bit key.
But clearly the National Security Agency did not want the national encryption standard — even if it were used only by financial institutions and corporations — to lock information within such a mighty safe. By the time the algorithm had threaded its way through the Triple Fence and was released as a potential NBS standard, the key length had been cut in half, and then cut some more, down to the relatively paltry 56 bits. It’s hard to exaggerate the difference this makes. Assume that a codebreaker trying to crack DES is unable to discover any shortcuts to cracking. The only way that an intruder can recover an encrypted message, then, is to launch a brute-force attack, experimenting with every possible key combination until he finds the one that was used to scramble the original. Such a search is the equivalent of a safecracker painstakingly twisting the dial to stumble upon the exact series of numbers that would align the tumblers. Even with a computer twisting the virtual dials at high speed, a very large “keyspace” (a numerical range that contains all possible key combinations) can make such a search impossible to pull off. A 128-bit key is very, very large. If a computer tried one million keys every second — a million different combinations of the numbers on the safe dial — it would take aeons to try every possible key. So what would be the effect of cutting the key size in half? To assess this, you have to keep in mind the nature of digital numbers. Each bit in a binary key is like a fork in the road that a codebreaker must negotiate in order to get to the destination of the correct combination of ones and zeros. Every fork presents a random choice between the correct turn and the wrong turn; a 128-bit key means that you have to guess the correct way to turn 128 times in a row. To make the course twice as difficult, you simply have to add one more fork; then you’ve created twice as many possible paths to negotiate, but still only one is correct. 
But to make the course half as difficult, you don’t divide the number of forks by two, but simply remove one. That’s why removing a single bit from the key size means that the encrypted message is only half as safe as it was before. Switching from a 128-bit key to a 127-bit key means you’re cutting by half the work factor to break it. If you cut the key size one more bit, to 126 bits, then you’ve halved that key. And so on. According to Tuchman, the Kingston group figured that a 128-bit key was not only overkill but would require too much chip space and computation. “We had to fit the whole algorithm on there,” says Tuchman. “The S-boxes, everything. We were using two-micron CMOS chips, and the data coming in could only be 8 bytes wide [one byte equals eight bits]. So our first key length was 64 bits.” Sixty-four bits was a good fit for a chip, a number divisible by the eight-bit bytes. This was quite a dramatic reduction. It cut down the time required for a full search on the theoretical million-keys-a-second computer from billions of years to around 300,000. Still, a 64-bit key length was considerable in the mid-1970s, especially since it was agreed that computer technology would not be sufficiently advanced to conduct searches at such speeds for the next couple of decades. But then the Kingston group made a seemingly inexplicable second cut, to the mathematically awkward key length of 56 bits. And suddenly, the possibility of a brute-force attack was smack in the picture. Why did a lousy eight bits make such a difference? Remember, every time the key is reduced by a single bit, it becomes twice as easy to crack. So this eight-bit loss made the cipher 256 times easier to crack: from 300,000 years to a little over a thousand. Put another way: the percentage of key space that formerly would have occupied a foe’s computers from January to August could now be scanned in less than a day. What was IBM’s explanation for this? 
According to Tuchman, it was standard company practice in hardware design to allow a certain number of extra bits for “parity checks,” a sort of synchronization to make sure that the electronic signals were being properly read. “It was an IBM internal spec,” he says, at the same time admitting that it was a “foolish” requirement. “We don’t do that anymore, but at the time we had a standard — so I had to reduce the key size [to accommodate the extra bits].” Tuchman didn’t think that this further cut really compromised DES. (Privately disagreeing with this was Horst Feistel, who still preferred a 128-bit key. But he was no longer actively involved with the project and would soon be quietly eased out of IBM itself.) Tuchman and his colleague Karl Meyer believed that a 56-bit key, with its 70 quadrillion variations, was more than sufficient for the commercial, even the financial, secrets that DES would protect. The idea of DES, Tuchman would argue, was to provide computer networks the level of security that people had in their physical workplaces: “locked desk drawers, locked doors on computer rooms, and loyal, well-behaved employees.” Not the military secrets customarily transported in exploding briefcases handcuffed to couriers or entrusted to spies who were taught to ingest poison pills upon capture. Others, however, have always believed that the reduction was caused by NSA pressure. This even included skeptics inside IBM, like Alan Konheim, who headed the mathematical team on the DES project. “Fifty-six bits is very unnatural,” says Konheim, obviously disregarding Tuchman’s “parity check” explanation. “The government [must have] said, ‘Listen, 64 bits is too much — make it 56.’ ” Why would IBM go along with it? “You see, IBM does business all over the world. It can’t send a pencil outside the United States without an export license. 
Not only that, when [the NSA invokes] patriotism and national security, well, these are not things you can argue about.” To outsiders like Martin Hellman and Whit Diffie, of course, the key size was a smoking gun that proved the NSA had weakened the standard for its own nefarious purposes. In the months after the standard was first announced, the Stanford cryptographers wrote a steady stream of suggestions and objections to their contact at the National Bureau of Standards — and became increasingly frustrated that the officials kept insisting that there was no problem. Hellman came to believe that the NBS wasn’t speaking for itself but was acting as a stooge for Fort Meade. To prove his point about the weakness of the key size, Hellman challenged an executive he knew at IBM to contradict his and Diffie’s contention that this DES key could actually fall in a day to a sophisticated, high-powered machine. At this point, the Stanford researchers were postulating that such a machine could be built for $20 million. Thus, if one key was broken each day, over a five-year period the price of breaking each key would be around $10,000. Not a bad investment if some of the broken messages included precious data like oil reserve locations and corporate merger plans — such information was worth millions. “But even if we were off by a whole order of magnitude, and it would cost $100,000, that wouldn’t matter,” says Hellman. “Because in five years computers would be ten times faster, and the solution would cost only a tenth as much as it would now.” According to Hellman, the IBM executive ordered his own researchers to investigate. “He called me back and said that their numbers were in the same ballpark as ours,” says Hellman. 
“That was his exact word, the ‘ballpark.’ But he told me that the key size was set by the NBS, not IBM.”

Meanwhile, officials at the NBS were assuring Hellman, in their responses to his frequent, increasingly pointed letters, that their own studies showed that a machine like the one envisioned by Hellman would take all of ninety-one years to search through a DES keyspace. Obviously, they were not playing in the same ballpark.

Hellman believed that all of this was bald evidence that the Data Encryption Standard was a swindle from the start. It was all the NSA’s master plan. The supposedly benign NBS — acting as the NSA’s public face — allowed IBM to construct its algorithm independently. This gave it deniability: Hey, it wasn’t us spooks who cooked it up, Big Blue did. But by getting IBM to cut the key size to an infuriatingly puny 56 bits, the spooks got what they wanted anyway. “They knew they could control the key size, which would ultimately control the strength of the standard,” complains Hellman. And that was the kindest interpretation. If you wanted to be skeptical — and like any good cryptographer, Hellman and his colleagues were plenty skeptical — you’d still wonder about the possibility of an actual trapdoor that would allow the Fort Meade tricksters to decode a DES message within seconds. Why else were they keeping the design principles a secret?

In any case Hellman rejected the government’s ninety-one-year estimate and decided to go over the heads of the NBS functionaries with whom he was corresponding. On February 23, 1976, Hellman stated his complaints in a letter to Elliot Richardson, who, as secretary of commerce, was the ultimate boss of the NBS:

I am writing to you because I am very worried that the National Security Agency has surreptitiously influenced the National Bureau of Standards in a way which seriously limited the value of a proposed standard, and which may pose a threat to individual privacy. I refer to the proposed Data Encryption Standard, intended for protecting confidential or private data used by non-military federal agencies. It will also undoubtedly become a de facto standard in the commercial world. . . . I am convinced that NSA in its role of helping NBS design and evaluate possible standards has ensured that the proposed standard is breakable by NSA.

The response Hellman received from Ernest Ambler, the acting director of the NBS, did little to cool him down. Instead of answering Hellman’s charges directly, Ambler gave some general comments defending DES, and praised the NSA for its contributions in certifying the algorithm. He helpfully attached an executive order which outlined “the functions and responsibilities of NSA.” Monkeying with private-sector algorithms didn’t make the list.

That summer, Hellman, Diffie, and five other academics took a month to bang on the system and produced a paper called “Results of an Initial Attempt to Cryptanalyze the NBS Data Encryption Standard.” They were straightforward about their concerns: any algorithm approved by the NSA was “mildly suspect a priori” because “the NSA does not want a genuinely strong system to frustrate its cryptanalytic intelligence operations.” It was not surprising, then, that while falling far short of actually breaking a DES key, they concluded that the system could not be trusted. Besides the key strength, they found what they considered a “suspicious structure” in the S-boxes — possibly, they wrote, “the result of a . . . deliberately set trapdoor.”

To IBM’s Walt Tuchman, though, the Diffie-Hellman complaints were a travesty born of paranoia and ignorance. He was no secret agent — he was a product guy — and to the best of his ability, he’d led a team to create a good product! It had been a happy day for his team when the first two DES devices were completed. They were shoe-box-sized metal cases stuffed with chips that went between a mainframe computer and a modem.
Such a device on each end of a data transfer would allow two computers to communicate in a secret stream, impervious to eavesdroppers — no matter what Marty Hellman said. One box was sent to IBM’s Paris headquarters, the other to Lew Branscombe’s office in Armonk. Then they made some history. The Paris office sent off an encrypted message to the Armonk machine. The Armonk machine, having been previously fed the symmetrical key that performed both encryption and decryption, deciphered the message back to its original form. “It went to a little printer and the message was printed in all the IBM newspapers,” recalls Tuchman. “It was some innocuous little message, of course, because everybody knew it was going to be published in the clear.” All that happiness, though, was tempered by the attacks that came from Hellman and friends. Tuchman and his colleague Karl Meyer had to defend themselves at two public workshops sponsored by the NBS. The second, held in September 1976 at the NBS’s Gaithersburg, Maryland, headquarters, was the most contentious. I didn’t do anything wrong! insisted Tuchman. The key size was plenty big enough, and building a machine to crack DES would not take Hellman’s low-seven-figure pricetag, but a cool $200 million. And if that key size wasn’t large enough, people could design devices to run DES through its paces twice, with two different keys. Though such a process might be difficult to set up, this would effectively double the key size to 112 bits — enough keyspace to confound every damned computer on the planet for the next gajillion years. (Eventually, a process would emerge called “Triple DES,” which would use three keys and rule out even the most extravagantly brutish of attacks. But all of this was a moot point because the version of DES with the allegedly hobbled 56 bits was the one proposed for the standard.) Tuchman’s appeal failed to quiet the critics. Why didn’t you publish the design heuristics? they wanted to know. 
Did you put a trapdoor in DES? Then came the newspapers. “Those professors told the New York Times and the Washington Post,” Tuchman complains. The next thing he knew, at IBM’s request, Tuchman himself was being interviewed. After taking a gander at the newly famous desks of Woodward and Bernstein, he told the Post reporter the same thing he told the Times reporter: The NSA didn’t modify the algorithm. They didn’t put a trapdoor in. Look, you guys, it’s ridiculous; we’re not going to risk the entire IBM company by putting a trapdoor in its product. Even so, the publicity took its toll. It was bad enough that the Times, the Post, and the Wall Street Journal were listening to Hellman and the critics. Worse came when Tuchman’s own mother called him from her retirement home in Florida, concerned with what friends had been telling her after reading the New York papers. She pleaded with her son, who had started life so wonderfully as a whip-smart college boy from Brooklyn: Please, Walter, leave IBM and stop hanging around with those bad people. Tuchman had to explain to her that he wasn’t going to wind up in a jail cell with Ehrlichman and Haldeman — he was a good guy! After the publicity came hearings by the Senate Intelligence Committee. These top-secret sessions were closed, and the final report was classified. But a summary was issued for the general public, too. Its contents provided ammunition to both sides. On one hand, Hellman was proved correct in asserting who the power was that dictated the 56-bit key: “The NSA convinced IBM that a reduced key size was sufficient,” the report read. The reduction wasn’t, as Tuchman still insists, due to the rigor of chip design or the need for parity checks: it was the fact that the government wouldn’t tolerate anything more. IBM knew that it would need export licenses for approved customers. 
But the NSA, which had been charged to collaborate with the National Bureau of Standards in evaluating DES as a government standard, certainly was not going to rubber-stamp an algorithm that used, in its view, too long a key. Apparently, the 56-bit key length provided the NSA a certain comfort level. Though the work factor to break a cipher of that length seemed dauntingly high, it was clear that if anyone could contemplate a brute-force attack on DES, it was the National Security Agency itself, with what were assumed to be literally acres of computers in its top-secret basement. Obviously, while an ideal code for users was the strongest one possible, the ideal code for the NSA’s purposes would be one that was too powerful for criminals and other foes to break, but just weak enough to be broken by the billions of subterranean computer cycles at Fort Meade. Did a 56-bit key fit into that sweet spot? The NSA didn’t say. And never would. Despite its conclusion that the key size was a result of NSA demands, the committee concluded that there was no wrongdoing by either IBM or the government. The Data Encryption Standard had been determined fairly. Like it or not, this was something that Marty Hellman and his friends would have to accept. It took years, but eventually they not only accepted it, but came to eat some crow. As Walt Tuchman proudly notes, for more than two decades after the algorithm was formally accepted as a standard in 1977, no one had been successful at finding a significant shortcut to cracking a DES-encrypted message. (Of course, if the NSA had done so, it would never have admitted it.) In 1990, outside cryptanalysts revealed the technique of what was called differential cryptanalysis, proving that under certain (admittedly rare) conditions, one could crack a DES key using slightly less computation than a brute-force attack would require. 
But this was essentially the “T Attack,” discovered by IBM during the development process in time to fortify the algorithm against such assault. And kept confidential at the NSA’s request. (A different group of researchers introduced another theoretical attack on DES, linear cryptanalysis, in 1993 — but neither did it truly compromise the cipher.) So if the key size was indeed the only point of attack in DES — if one had to devote massive computational resources to breaking a single message and then wait for days, weeks, or months for the cipher to crumble — then the National Security Agency had certified what could be an extraordinarily powerful tool for the spread of strong encryption throughout the land, and maybe even the world. It had always been the impression of the folks behind the Triple Fence that the users of DES would be conservative, trustworthy institutions like banks and financial clearinghouses. They misjudged the situation. Instead, the development of DES marked the beginning of a new era of cheap, effective means of using computer power to keep personal information private. It was used not only in banks but in all sorts of commercial communications, and was widely available to private communications, too. Though the NSA still controlled its export, it quickly grew unfettered within U.S. borders. And while U.S. producers could not market DES overseas, the algorithm itself would find its way overseas, allowing foreign developers to make their own versions. The dawning of this era of increased protection might have pleased some of the people in the communications security branch of the NSA, which was in charge of securing American data as they moved around the globe. But it was already causing conniptions among those in the signals intelligence area, the people whose job it is to make sure that our guys can quickly intercept and circulate all the rich and fascinating information buzzing around the globe as electronic blips. 
If those blips were encrypted, and thus not easily read, well, then, that would be a problem. Making things even worse were the faster and cheaper computer technologies that made it feasible — made it the rule, in fact — for DES users to switch keys not every few months as the NSA assumed they might, but on a daily basis or even more often than that. Yes, the Data Encryption Standard was a problem for The Fort. Years later even Martin Hellman came to realize that his attacks sometimes were based more on bravado than substance. “They were Darth Vader and I was Luke Skywalker,” he says. “I was bearding the NSA, and that’s a pretty heady thing for a young guy to be involved in.” Now, however, he admits that there were two sides to the issue: that DES, despite its key size, was strong enough to provide a measure of security to people, and that even though the NSA could presumably marshal the resources to brute-force a DES key into submission, the process was certainly more cumbersome and costly than simply reading an unencrypted intercept. DES was the NSA’s first lesson that the new age of computer security was going to complicate its life considerably — perhaps even to the point of shaking the entire institution. Alan Konheim thinks that the bottom line on DES came from Howard Rosenblum. He was the deputy director for research and development at the NSA, where football fields of mainframe computers cracked the codes of the country’s friends and enemies and tested the codes that potentially protected our own secrets. One day, Rosenblum and Konheim were talking about DES, and the NSA official made an off-the-cuff remark that stayed with Konheim for years. “You did too good a job,” he said. 
“It was not,” Konheim says delightedly, “a comment of flattery.”

public key

Though Whit Diffie and Marty Hellman regarded the Data Encryption Standard as a tainted and possibly fraudulent gambit by IBM and the United States government, its introduction was in a strange way an important gift to the Stanford researchers. By combing through the available technical data on the proposed standard — and speculating on what was not made public — Diffie and Hellman had a new prism through which to consider their own efforts. Ever since Diffie had heard the first reports of the government standard, at a 1974 chowdown at Louie’s, the Chinese restaurant where Stanford geeks congregated, he had wondered about the possibility of an NSA trapdoor. This led him to a deeper consideration of the concept of trapdoors. Could an entire crypto scheme be built around one?

Designing such a system would present considerable challenges, because it would have to resolve a fundamental contradiction. A trapdoor provides a means for those with proper knowledge to bypass security measures and get quick access to encrypted messages, something that seems efficient. But the very thought of using a trapdoor in a security system seems like a nutty risk, precisely because crafty intruders might find a way to exploit it. It’s the same problem posed by a physical trapdoor: if your enemies can’t find it, you can use it to hide. But if they do, they’ll know exactly where to look for you.

This contradiction made the prospect of designing a trapdoor scheme incredibly daunting. After all, the strongest cryptosystems were finely tuned in every aspect to prevent their contents from leaking. Tampering with their innards to insert a back door — a leak! — could easily produce any number of unintended weaknesses. When Diffie explained this to Hellman, both of them concluded that such a system would probably be impractical.
But Diffie still thought it was interesting enough to add to a list he was compiling entitled “Problems for an Ambitious Theory of Cryptography.” Still, in early 1975, for all of Diffie’s Sisyphean labors, even with the fruitful collaboration with Hellman, weeks were going by and he didn’t seem to be getting anywhere. Was all his work at learning crypto against terrific odds going to lead to nothing? Hellman at least had a job. But Diffie had nothing. Though his house-sitting stint for John McCarthy was pleasant enough, he was now over thirty years old, making peanuts at his research job, and it was clear that he could never cope with the nit-picking hurdles one had to jump before earning a doctorate. Though Diffie was by nature cheerful, these ruminations were bringing him down. Mary Fischer recalls the lowest point. One day she walked into the McCarthys’ bedroom and found Diffie with his head in his hands, weeping. “I asked him what was wrong,” she says, “and he told me he was never going to amount to anything, that I should find someone else, that he was — and I remember this exact term — a broken-down old researcher.” She tried to comfort him. She told him that the world didn’t know it yet, but he was a great man. Mary had been studying Egyptology, and she explained that the ancient Egyptians made a distinction between acquired and innate characteristics. She believed “greatness” must be one of those traits that were not acquired — it was just there, and one could see it in such a person. “I know what I’m looking at,” she told him, “and I know you’re a great man.” Whit Diffie did not feel like a great man. He felt like a failure. One day Diffie and Hellman brought in a Berkeley computer scientist named Peter Blatman to attend one of the informal seminars on crypto they had been convening on campus. 
Afterward, as Diffie drove him to the Stanford AI lab a few miles away, Blatman mentioned that a friend of his named Ralph Merkle was working on an interesting problem: how can you get a secure conversation over an insecure line when the two people in the conversation have never had previous contact? Obviously, if the two people hadn’t known each other previously they would have had no opportunity to exchange secret keys before a private conversation. This was, in effect, a different formulation of the big question that had been bugging Diffie for years: was it possible to use cryptography to protect a huge network against eavesdroppers, and wiretappers to boot? (More subtly, it reflected Mary’s observation of his dilemma: in a world of untrustworthy people, how do you maintain intimate contact with the one person you trust?) Because Diffie had enjoyed so little success at attacking that problem, he argued to Blatman that his friend’s scheme was in fact impossible. Diffie thinks that his outburst even convinced Blatman. But even as Diffie passionately argued the impossibility of such a feat, he secretly believed otherwise, and his mind was racing to figure it out. It was almost as if he needed there to be such a solution. How could you create a system where people who had never met could speak securely? Where all conversations could be conducted with high-tech efficiency — but be protected by cryptography? Where you could get an electronic message from someone and be sure it came from the person whose return address appeared? During his quest, Diffie had struggled to gather information in an atmosphere where almost all of it was classified. And he had wound up with more than anyone could have expected: one-way functions. Password protections. Identification Friend or Foe. Trapdoors. Somewhere in all of that had to be an answer to privacy. Diffie knew that reconciling the different protections offered by these disparate systems was crucial to his quest. 
As he thought more, he began to understand how you might be able to use some of those techniques to verify someone’s identity. He began mentally constructing a means by which this could be done by one-way functions, the mathematical phenomenon where something easily calculated could not easily be reversed. Such a scheme would be, as he later wrote, “a challenge which could only be answered by one person but whose response could be recognized by many as genuine.” In other words, a system of “one-way authentication,” which used the creative misunderstanding of his friend Bill Mann some years earlier: a trapdoor one-way function where the difficult reversal of a calculation could be performed if someone had a crucial bit of information on how the original figuring had been done. This addressed a key issue that Diffie had discussed in his conversations with McCarthy about electronic commerce. But that was only half the problem. What about privacy? Could the idea of a trapdoor one-way function work in a system that solved two problems — first, the authentication necessary for computer passwords and similar credentials, and, second, secret communication? That spring, Diffie had settled into a routine at the McCarthy house. Every morning he would make breakfast for Mary and Sarah, McCarthy’s fourteen-year-old daughter. Then Mary would go off to work, Sarah would go off to school, and Diffie would stay home. One day in May 1975, he spent the morning hours thinking. After a lunch break, he returned to his mental work. For the umpteenth time, he had been thinking about the problem of establishing a secure log-in password on a computer network. Again, there was that old problem of having to trust the administrator with the secret password. How could you shut that third party out of the scheme entirely? 
Sometime in the afternoon, things suddenly became clear to Diffie: devise a system that could not only provide everything in Diffie’s recently envisioned one-way authentication scheme but could also deliver encryption and decryption in a novel manner. It would solve the untrustworthy administrator problem, and much, much more. He would split the key.

* * *

Diffie’s breakthrough itself involved something that, in the context of the history of cryptography, seemed an absolute heresy: a public key. Until that point, there was a set of seemingly inviolable rules when it came to encryption, a virtual dogma that one ignored at the risk of consignment to crypto hell. One of those was that the same key that scrambled a message would also be the instrument that descrambled it. This is why keys were referred to as symmetrical. That is why keeping those keys secret was so difficult: the very tools that eavesdroppers lusted after, the decryption keys, had to be passed from one person to another, and then existed in two places, dramatically increasing the chances of compromise. But Diffie, his brain infused with the information so painstakingly collected and considered over the past half decade, now envisioned the possibility for a different approach. Instead of using one single secret key, you could use a key pair. The tried-and-true symmetrical key would be replaced by a dynamic duo. One would be able to do the job of scrambling a plaintext message — performing the task in such a way that outsiders couldn’t read it — but a secret trapdoor would be built into the message. The other portion of the key pair was like a latch that could spring open that trapdoor and let its holder read the message. And here was the beauty of the scheme: yes, that second key — the one that flipped open the trapdoor — was of course something that had to be kept under wraps, safe from the prying hands of potential eavesdroppers.
But its mate, the key that actually performed the encryption, didn’t have to be a secret at all. In fact, you wouldn’t want it to be a secret. You’d be happy to see it distributed far and wide. Now, the idea of ensuring privacy by using keys that were exchanged totally in the open was completely nonintuitive, and on the face of it, bizarre. But using the mathematics of one-way functions, it could work. Diffie knew it, and for an illuminating instant, he knew how to do it using one-way functions. It was the answer. From that moment, everything was different in the world of cryptography. First, by presenting an alternative to systems that worked with a single, symmetrical key, Diffie had solved a problem that had become so embedded in cryptographic systems that it had occurred to almost no one that it could be solved: the difficulty of distributing those secret keys to future recipients of secret messages. If you were a military organization, you might be able to protect the distribution centers that handled symmetrical keys (though God knows there were lapses even in the most vital operations). But if such centers moved into the private sector, and masses of people needed to use them, there would not only be inevitable bureaucratic pile-ups but also a constant threat of compromise. Figure it this way: if you needed to crack an encrypted message, wouldn’t the very existence of a place that stored all the secret keys present an opportunity for some creep to get the keys by theft, bribery, or some other form of coercion? But with a public key system, every person could generate a unique key pair on his or her own, a pair consisting of a public key and a private key, and no outsider would have access to the secret key parts. Then private communication could begin. Here’s how it would work: say that Alice wants to communicate with Bob. Using Diffie’s concept, she needs only Bob’s public key. 
She could get this by asking him for it, or she might get it from some phone-book-type index of public keys. But it has to be Bob’s personal public key, a very long string of bits that could only have been generated by only one person in the world . . . Bob. Then, by way of a one-way function, she uses that public key to scramble the message in such a way that only the private key — the other half of that unique key pair — performs the decrypting calculation. (Thus the secret key is the “trapdoor” in the trapdoor one-way function Diffie was thinking about.) So when Alice sends the scrambled message off, only one person in the world has the information necessary to reverse the calculation and decipher it: Bob, the holder of the private key. Say that the scrambled message gets intercepted by someone desperate to know what Alice had to say to Bob. Who cares? Unless the snooper has access to the unique partner of Bob’s public key — the instrument Alice used to convert the message to seeming mush — the snoop would get no more than that mush. Without that private key, reversing the mathematical encryption process is too damn difficult. Remember, going the wrong way in a one-way function is like trying to put together a pulverized dinner plate. Bob, of course, has no problem reading the message intended for his eyes only. He possesses the secret part of the key pair, and he can use that private key to decipher the message in a jiffy. In short, Bob is able to read the message because he is the only person in possession of both sides of the key pair. Those who obtain the public key have no advantage in attempting to break the message. When it comes to encrypted messages, the only value of having Bob’s public key is to, in effect, change the message to Bob-speak, the language that only Bob can read (by virtue of having the secret half of the key pair). This encryption function was only part of Diffie’s revolutionary concept, and not necessarily its most important feature. 
Public key crypto also provided the first effective means of truly authenticating the sender of an electronic message. As Diffie conceived it, the trapdoor works in two directions. Yes, if a sender scrambles a message with someone’s public key, only the intended recipient can read it. But if the process is inverted — if someone scrambles some text with his or her own private key — the resulting ciphertext can be unscrambled only by using the single public key that matches its mate. What’s the point of that? Well, if you got such a message from someone claiming to be Albert Einstein, and wondered if it was really Albert Einstein, you now had a way to prove it — a mathematical litmus test. You’d look up Einstein’s public key and apply it to the scrambled ciphertext. If the result was plaintext and not gibberish, you’d know for certain that it was Einstein’s message — because he holds the world’s only private key that could produce a message that his matching public key could unscramble. In other words, applying one’s secret key to a message is equivalent to signing your name: a digital signature. But unlike the sorts of signatures that are penned on bank checks, divorce papers, and baseballs, a digital John Hancock cannot be forged by anyone with the minimal skills required to replicate the original signer’s lines and loops. Without a secret key, the would-be identity thief has scant hope of producing a counterfeit signature. Nor could a would-be forger hope to monitor a phone line, wait until his prey’s digital signature appears, and then snatch it, with the intention of reusing the signature to create faked documents or to intercept future messages. In practice, a digital signature is not applied as an appendage to the document or letter to which it is affixed. Instead it is deeply interwoven with the digits that make up the actual content of the entire message. 
So if the document is intercepted, the eavesdropper cannot extract from it the tools to stamp the sender’s signature on some other document. This technique also assures the authenticity of an entire document. A foe cannot hope to change a small but crucial portion of a digitally signed document (like switching the statement “I am not responsible for my spouse’s debts” to “I take full responsibility for my spouse’s debts,” all the while maintaining the signature of the unwitting sender). If the message was digitally signed with a private key but unencrypted, such a rogue could intercept it, use the sender’s well-distributed public key to descramble it, and then make the change in the plaintext. But what then? In order to resend the text with the proper signature, our forger would require the private key to fix the signature on the entire document. That secret key, of course, would be unobtainable, remaining in the sole possession of the original signer. If someone sending a signed message wanted secrecy in addition to a signature, that’s easy, too. If Mark wanted to send an order to his banker, Lenore, he’d first sign the request with his private key, then encrypt that signed message with Lenore’s public key. Lenore would receive a twice-scrambled message: shaken for privacy, stirred for authentication. She would first apply her secret key, unlocking a message that no one’s eyes but hers could read. Then she would use Mark’s public key, unlocking a message that she now knows only he could have sent. Digital signatures offer another advantage. Since it is impossible for a digitally signed message to be produced by anyone but the person who holds the private key that scrambles it, a signer cannot reasonably deny his or her role in producing the document. This nonrepudiation feature is the electronic equivalent of a notary public seal. 
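Mark's signed and encrypted order to Lenore, worked through as an added Python example that is not from the book. It assumes textbook RSA as the trapdoor one-way function (a construction the narrative has not reached at this point), fixed Mersenne primes so the run is reproducible, and a hypothetical `ORDER:` tag as the redundancy that separates plaintext from gibberish; deployed systems use random primes, padding and hashing.

```python
from dataclasses import dataclass
from typing import Optional

E = 65537            # common public exponent
TAG = b"ORDER:"      # assumed redundancy: how Lenore tells plaintext from gibberish


@dataclass(frozen=True)
class KeyPair:
    n: int           # public modulus
    e: int           # public exponent
    d: int           # private exponent: the trapdoor, never shared


def make_keypair(p: int, q: int) -> KeyPair:
    """Build a textbook RSA key pair from two primes (toy sizes, no padding)."""
    phi = (p - 1) * (q - 1)
    return KeyPair(n=p * q, e=E, d=pow(E, -1, phi))


# Constructed keys from known Mersenne primes. Mark's modulus is smaller than
# Lenore's so that a value signed by Mark always fits inside her modulus.
MARK = make_keypair(2**61 - 1, 2**89 - 1)
LENORE = make_keypair(2**107 - 1, 2**127 - 1)
FORGER = make_keypair(2**31 - 1, 2**107 - 1)   # someone without Mark's private key


def sign(message: bytes, signer: KeyPair) -> int:
    """Scramble the tagged message with the signer's PRIVATE key."""
    m = int.from_bytes(TAG + message, "big")
    if m >= signer.n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, signer.d, signer.n)


def open_signed(signed: int, n: int, e: int) -> Optional[bytes]:
    """Apply the claimed sender's PUBLIC key; None means the result is gibberish."""
    if signed >= n:
        return None
    m = pow(signed, e, n)
    plain = m.to_bytes((m.bit_length() + 7) // 8, "big")
    return plain[len(TAG):] if plain.startswith(TAG) else None


def sign_then_encrypt(message: bytes, sender: KeyPair, rcpt_n: int, rcpt_e: int) -> int:
    """Sign with the sender's private key, then encrypt with the recipient's public key."""
    return pow(sign(message, sender), rcpt_e, rcpt_n)


def decrypt_then_verify(cipher: int, rcpt: KeyPair, sender_n: int, sender_e: int) -> Optional[bytes]:
    """Recipient strips her own layer first, then checks the sender's signature."""
    signed = pow(cipher, rcpt.d, rcpt.n)
    return open_signed(signed, sender_n, sender_e)


if __name__ == "__main__":
    order = b"wire $100"
    wire = sign_then_encrypt(order, MARK, LENORE.n, LENORE.e)
    print("Lenore reads:", decrypt_then_verify(wire, LENORE, MARK.n, MARK.e))
    fake = sign_then_encrypt(order, FORGER, LENORE.n, LENORE.e)
    print("Forged order:", decrypt_then_verify(fake, LENORE, MARK.n, MARK.e))
```

A signature made with any private key other than Mark's, or a ciphertext altered in transit, comes out as gibberish under Mark's public key and is rejected.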
For the first time, it became possible to conceive of all sorts of official transactions — contracts, receipts, and the like — to be performed over computer networks, with no need for one’s physical presence. In short, Diffie had not only figured out a way to assure privacy in an age of digital communications, but he had enabled an entirely new form of commerce, an electronic commerce that had the potential not only to match but to exceed the current protocols in commercial transactions. Even more impressive, his breakthrough had been performed completely outside the purview of government agencies in close possession of even the most trivial details of the most obscure cryptographic system. What a triumph for Whit Diffie! And what a panic he had when, scant moments after hatching one of the most important breakthroughs in cryptographic history, Whit Diffie almost forgot the whole thing. He went downstairs to get a Coke and for one horrible moment the idea simply fell out of his head. He stepped back around the kitchen counter, and, just like that, he got it back. This time, it stuck. Still, he didn’t write it down; suddenly, he was hyperaware that the computer on which he kept his notes was not secure. There was no way to encrypt his thoughts so that intruders could not steal them. He would have to tell Marty Hellman about it face-to-face. But first he waited until Mary got home from work. When Mary Fischer came home from British Petroleum that day, she found her husband waiting for her at the door. This was not usual. He had a strange look on his face, and he told her to come to him, that he wanted to talk to her. “I think,” said Whit Diffie, “I’ve made a great discovery.” He explained his idea to her. Though the mathematics of the procedure were beyond her, the concept rang true. What’s more, from Mary’s close observation of her husband during the years he had wrestled with the problem, she found the solution to be not just fitting, but poetic. 
“Whit has always been a dualistic individual,” she says of her husband, born under the sign of Gemini, “and I think that the notion of splitting the key emerged from that tension.” He was not a broken-down old researcher after all.

* * *

That night Diffie walked down the hill to Hellman’s house to tell him, for the first time, about public key cryptography. It took a bit of explaining, but Hellman quickly understood the significance of Diffie’s brainstorm. It remained, however, for them to formalize it, to put it into scientific context, and to publish it. Marty Hellman had just the place for it; he had been invited to write a paper for the journal IEEE Transactions on Information Theory, and he broached this idea to his editor, who enthusiastically endorsed his suggestion that he and Diffie collaborate on developing this concept. (The IEEE, or Institute of Electrical and Electronic Engineers, was a prominent academic engineering society which published a variety of journals, some the most influential in their disciplines.) They set about working on it immediately, squarely facing the fact that while Diffie had successfully envisioned a system that could catapult cryptography into a new era, his vision was all they had. Even to Hellman, the concept, he later recalled, sometimes “sounded a little crazy.” One day he decided to run it past his former IBM colleague Horst Feistel. It was a weird conversation. Hellman had barely begun talking when Feistel told him that they could only talk for twenty minutes or so because he was on his way to a doctor’s appointment. So Hellman hastily explained how he and Diffie had gotten around the key distribution problem by postulating a trapdoor one-way function that allowed you to use a public key. Feistel didn’t buy it at all.
“You can’t do that!” he admonished Hellman, lecturing to him that the great Flemish cryptologist Auguste Kerckhoffs, in his landmark 1881 work La cryptographie militaire, had laid out six ironclad commandments for producing secure ciphers, and one of them was that all secrecy must reside not in the system but in the keys. How, then, concluded the IBM genius behind the Lucifer cipher, could you even think of making a key public? (Had Feistel not been in such a hurry to make his doctor’s appointment, perhaps he would have understood that Diffie and Hellman’s idea quite elegantly conformed to Kerckhoffs’s stringent requirements, that the security of public key systems lay in the fact that a private key was never accessible to anyone but its owner.) Feistel was right on one count: Diffie’s concept was a heresy. But “heresy is the way changes begin,” says Hellman. For the next few weeks the pair worked intensely on creating the mathematical basis for the theory of public key cryptography. Hellman by then had figured out how his collaboration with his mercurial partner would work: “Whit often, playing with ideas, sees something first in an embryonic form,” he says, “and then I take it to a more polished result.” In this case, the result was a paper called “Multiuser Cryptographic Techniques.” In a sense, the work was a placeholder — something that would express the public key idea while its authors burned brain cells attempting to find a way to actually execute the concept. “At present,” they admitted in the paper, “we have neither a proof that public key systems exist, nor a demonstration system.” While they had laid out the mathematical basis for such a system, they were still groping for the precise functions — particularly the trapdoor one-way functions — that would make it happen. 
Still, those who received early drafts of the paper found it an astounding twist on the conventional cryptographic wisdom, a foray into territory where no one, from Trithemius to Turing, had dared venture. Or had they? Of course, if someone had come up with this behind the Triple Fence or any of its foreign cousins, Diffie and Hellman wouldn’t have known it. Certainly, if anyone had actually published anything about it, Diffie would probably have discovered the paper in his extensive research of the past few years. As it turned out, there had been at least one outsider who had been thinking along the same lines as Diffie and Hellman.

* * *

In early February 1976, Marty Hellman received an intriguing letter from a graduate student at the University of California at Berkeley:

Dear Dr. Hellman,

About three days ago, a copy of your working paper, “Multiuser Cryptographic Techniques,” fell into my hands. Just prior to this, I had finished revising a paper on the same subject, which will shortly be re-submitted to the Communications of the ACM [Association of Computing Machinery]. (Original submission was in August 1975.) I enclose a copy of it in the hopes that you’ll find it interesting. Actually, I’m glad to know there’s someone else who’s interested in the problem. The people with whom I try and discuss it either fail completely to understand what’s going on, or regard any attempt at solution as impossible. Fortunately the (partial) solution described in the enclosed paper demonstrated that it is possible. Now, if only we can do better! . . .

The letter ended with a proposal: “The possibility arises of doing joint work, and I would be interested in this possibility. I hope to hear from you, and wish you the best of luck in the hunt.” It was signed Ralph C. Merkle. The return address, in Berkeley, seemed to coincidentally reflect the speed with which things were now moving: Haste Street.
Merkle’s name had actually come up some months before: he was the Berkeley student whose work had been mentioned to Diffie by mutual friend Peter Blatman, a mention that led Diffie to unkink his thought process and make the crucial public key connection. Now it appeared that, working totally independently and with no more equipment than his own brain, Merkle had already made a breakthrough similar to Diffie’s. What’s more, according to the unpublished paper he enclosed, he had actually turned the trick that Hellman and Diffie were still fumbling to perform: he’d created a public-private key scheme. Like Marty Hellman and Whit Diffie, Merkle was the son of an educated man; his father had been the associate director of the Lawrence Livermore Laboratory, one of the nation’s top military research facilities, until he died of colon cancer in 1966. (The illustrious nature of Merkle’s family extends to his great-uncle Fred, a professional ballplayer who made the famous omission of not touching second base in a game that ultimately decided the 1908 National League pennant race.) Young Ralph Merkle was, understandably, a science buff, a math whiz, and, by the time he enrolled as an undergraduate at Berkeley, a computer enthusiast. As for cryptography, “I had not displayed any noticeable high interest in the subject area,” he says. This changed during the fall 1974 semester, when Merkle, in his last term as an undergrad, took a class known as CS 244, on computer security. Taught by Lance Hoffman, an assistant professor in the department of electrical engineering and computer sciences, the course’s key requirement, besides a November midterm, was a term project. “Grading is done on a curve,” wrote Hoffman on the syllabus, “but if you do excellent work in a class full of geniuses, fear not! You’ll still get your A.” Hoffman included cryptography in CS 244 but not at a particularly sophisticated level. 
Since the varieties of crypto deployed by the government were classified, those used in the private sector, even in academia, were relatively rudimentary. “We didn’t get into the details,” admits Hoffman now. “I’m sure I would teach the Caesar cipher and things like that. Don’t forget, all you really had back then were substitution ciphers and transposition ciphers and combinations.” But almost from the moment the class first met on October 1, convening twice a week until December 5, when final papers were due, Ralph Merkle began thinking more ambitiously. Hearing about the way cryptography operated — as a means to protect information that might be exposed to eavesdroppers — he hardly paused to concentrate on what everybody since Caesar had considered the main problem: coming up with stronger, less crackable cryptosystems that would be encoded and decoded by a symmetrical key. Instead, for reasons that remain unclear but are probably related to Merkle’s unconventional mind, he fixated on what struck him as a weird, somewhat challenging aspect of a more basic dilemma. The essential cryptographic scenario assumed that the channel of communication was vulnerable. This was certainly the case in telegraph transmission, radio broadcasts, and the subject of Hoffman’s course, open computer networks. But what measures could you exploit if you wanted to communicate with someone who wasn’t already in possession of a prearranged, secure symmetrical key? Was there a way in which those two people could spontaneously engage in a conversation that would be clear to both of them but opaque to whoever was listening? As Diffie and Hellman now understood, this was a problem no one else had tackled, undoubtedly because it defied solution. Merkle, unpolluted with knowledge about the theory or history of crypto, was unaware of the apparent impossibility of his mission. He simply tried to solve the problem. 
The crucial aspect of the situation, he figured, lay in the different circumstances of two people who wished to privately communicate and a potential interloper. The pair were actively involved in a conversation, while the interloper was a passive listener. He sensed that his solution lay in exploiting the conspiracy of the private communicators, creating a situation where, says Merkle, “the active participants can confuse the heck out of the passive listener, even though the listener hears everything.” Merkle began thinking about this almost obsessively. And one night, in October 1974, sitting in bed in his small apartment staring at the ceiling, Merkle figured out a way this might be done. Puzzles. Here’s the scheme that Merkle conceived in the dark. The situation is classic: Bob and Alice want to communicate. Bob is a sender and Alice is the intended recipient of a secret message. Unfortunately, there exists an unwanted eavesdropper, Eve, who has access to anything that passes between those two parties. How can Bob send a message that Alice can read and Eve can’t? First, he creates puzzles. Each puzzle is an encrypted message scrambled by a relatively small key — something solvable with a modicum amount of brute-force effort, a challenging yet feasible task for Alice’s computer. “That’s why it’s a puzzle,” says Merkle. “It’s hard to solve but it’s solvable, by searching through all the combinations of the keyspace.” With the use of his own computer, Bob creates not one puzzle, but thousands, maybe millions, of these puzzles. All of these are sent off to Alice. Alice, in effect, spreads these puzzles on the floor and chooses one at random. (Eve, of course, is capable of intercepting all those puzzles — but she would not know which particular one Alice chose.) Then Alice attacks her chosen puzzle by having her computer search through the keyspace until the solution is revealed. That solution includes a string of numbers: it’s the decrypted message of that puzzle. 
At this point both Alice and Bob have the solution to that particular puzzle. Bob, of course, knows the solution because it’s his own puzzle — he has the answers to all the puzzles he’s sent off. But Eve doesn’t have that solution. Even though she may have intercepted Bob’s massive transmission to Alice, she doesn’t have the time or computer power to find the answer to all the puzzles — and she doesn’t know which one Alice selected. The next step requires Alice to inform Bob which puzzle was chosen. That’s easy; among the contents of the encrypted puzzle would be an identifier (something that says, for instance, “Hey! I’m Puzzle No. 3!”) and a long digital key. So when Alice ships back the message, “Puzzle No. 3,” Bob can look up which key is stored in that puzzle. At this point, they would both be in possession of a shared secret key they could use to conduct further secret communications. Eve may even hear that it’s Puzzle No. 3, but she would have no clue which one of the millions of puzzles that refers to. Remember, she has to crack all the puzzles in order to get the keys. While this might be a feasible task with the help of some extremely super computer, it would always require much more effort than it took Bob and Alice. Maybe millions of times more. But the amount of effort wasn’t the point. Here was the point: Ralph Merkle, in a tiny Berkeley apartment, totally off the National Security Agency’s radar screen, had figured out a way in which two people, with no prior agreement on a secret key, could send a secret message that would frustrate the cracking efforts of a diligent eavesdropper. What goes through the mind of someone who comes up with a totally novel concept of cryptography, something that confounds what has been the mainstream thought in this field for over a thousand years? “My first response was, ‘Gee this looks neat; I ought to be able to get a quarter project out of it.’ ” says Merkle. 
If that seemed like an understatement, it was nevertheless an overly optimistic one. The protocol for the research paper, or the “quarter project,” was to submit a proposal to Professor Hoffman, and Merkle promptly wrote up a description of what he wanted to do. Of necessity, it was skimpy and vague. “I couldn’t cite any previous literature saying this is an important problem because I’d never seen any literature saying this was an important problem,” explains Merkle. “I suspected [correctly] that there was no previous literature. So I basically wrote up a little thing about it.” As a backup, he also mentioned that he was also thinking about a paper on data compression. After reading the proposal, Lance Hoffman told his student he’d be better off writing about the data compression problem. Merkle tried to persuade his professor otherwise, recasting his proposal several times in an attempt to get Hoffman to concede that it was at least interesting enough to pursue further. But Hoffman wouldn’t even toss him that harmless bone. Why not? “Let me be polite and simply say he did not appear to understand what I was saying at the time,” says Merkle. “So I dropped the course.” Years later, Hoffman, now a Georgetown professor who has become an expert on issues of cryptographic policy, would ruefully recall the incident, attributing the rejection to a combination of Merkle’s abstruse writing style and his own failings as a mathematician. “Merkle struck me as a young sort of pimply faced kid who might have a good idea, but it wasn’t clear to me that I had the time to extract it out of him, or that he had the communication skills to deliver it in a way I could at least understand,” he says. “I’ve got a math degree from Carnegie Tech, but I’m not a mathematician, and so he probably needed somebody like Marty Hellman to really sit down with it.” Merkle, of course, did not know about Marty Hellman yet. 
He just wanted someone, anyone, to assure him that his instincts were correct, that he had stumbled on something significant. But the usual reaction of the Berkeleyites he asked was similar to Hoffman’s. “Basically people sort of stared at me and were utterly baffled by what I was talking about,” Merkle says, “on the grounds that it was obviously something very strange.” Finally, one of Merkle’s professors, Robert Fabry, offered some encouragement. This is a good idea, he told Merkle — you should try to get it published. So Merkle rewrote the paper more formally, hoping to publish it in the prestigious Communications of the ACM. He entitled it “Secure Communications Over Insecure Channels,” and in August 1975 formally submitted it to Sue Graham, the journal’s editor. On October 22, 1975, Graham wrote to Merkle. An “experienced cryptography expert” had gone over his paper, she explained, and found the article unworthy of publication. In the words of the reader (due to the practice of “blind refereeing,” his or her name was withheld, but typically such readers were the illuminati in a given field), the gaping flaw in the paper was its very premise: assuming that a cryptosystem could work without the secure delivery of keys. What made Merkle’s idea revolutionary also made it unacceptable. “I am sorry to have to inform you that the paper is not in the mainstream of present cryptography thinking,” said the reader. “Experience shows that it is extremely dangerous to transmit key information in the clear.” Sue Graham herself took pains to emphasize that she agreed with the referee. “I read the report myself and was particularly bothered by the fact that there are no references to the literature,” she wrote. “Has anyone else ever investigated this approach[?]” The answer, as far as published work was concerned, was no. Merkle was disappointed, but not defeated. 
His mien may not have been as swashbuckling as that of his father, who was once referred to as a “perfect combination of physicist and pitchman” and was known for blasting through the Livermore Lab parking lot at high speeds in a beat-up Packard convertible. But he did inherit a dogged perseverance. So he kept revising and rerevising his paper, despite a series of further rejections. “What was striking,” he said later, “was how the publication process was tuned to incremental improvements, but was very bad at handling something that is fundamentally different.” He just knew, though, that the idea was worth pursuing. “It couldn’t be wrong because it was simple,” he says. “It was unclear exactly what it would lead to, but it was pretty obvious it should be made available. I basically wanted to publish that idea and say, ‘Here is a neat idea — it clarifies what this problem is, it clarifies the fact that a solution is feasible, and it is now a well-defined research problem. Now let’s get some other folks in there and see what else we can find.’ ” In early 1976, just as Merkle was beginning to lose faith, a colleague told him that he knew some people who talked just the way he did, notably a guy named Marty Hellman. Coincidentally, one of Hellman’s courses was being carried on a closed-circuit broadcast line between Stanford and Berkeley. Merkle managed to tune into the audio portion of one of the sessions and immediately realized that Marty Hellman was indeed thinking the same things he was. By that time, a draft of Diffie and Hellman’s “Multiuser Techniques” paper was being privately distributed, and Merkle managed to get hold of a copy. Instead of grinding his teeth at seeing that someone else had published first, Merkle became excited at the idea that work on “his” concept was actually being done. His immediate instinct was to team up with the Stanford researchers. 
Thus his letter to Hellman of February 7, where he proposed a collaboration and included a draft of his paper in place of a vitae. Merkle’s work was a revelation to Diffie and Hellman, neither of whom had really thought that they would see a possible implementation of their idea for some time. Merkle’s puzzle concept, though it still had problems, was a definite advance. Soon Merkle became part of Hellman’s discussions with Diffie on implementing public key cryptography. Merkle wondered how his puzzle scheme could be jiggered to work within the kind of public key cryptosystem that Diffie and Hellman had suggested. In a letter dated April 2, 1976, he proposed a system in which each user would have a unique arrangement of puzzles — and that itself would be the public key. “Thus,” he wrote, “if anyone wishes to send a message to A, then all they have to do is select one of A’s puzzles at random. They then encrypt their message, and send it to A. A looks up the puzzle key using the puzzle ID on the front of the message. Anyone else is up shit’s creek, because they can’t figure out the puzzle key.” Merkle also speculated on how puzzles, integrated into a public key system, could also provide a way to get receipts to prove that messages had been delivered. With that as a lure, he confided that he was looking for a summer job. His concluding sentence referred to the main practical flaw of his system — that the level of security provided by puzzles was merely at the mathematically polynomial level, not the more rigorous exponential level. An eavesdropper would have to perform a lot of work in order to crack the puzzles, but that work factor was limited by the number of puzzles. Say that in the puzzle cryptosystem, Alice sent Bob a million puzzles to choose from, but intruder Eve had a computer that was a thousand times faster than Bob’s. 
(Not a wild assumption if you figure that wealthy governments with huge computational resources might want to break somebody’s message code.) Then, in the time it took Bob to solve a single randomly chosen puzzle, Eve would be able to solve a thousand puzzles. If it took Bob a minute to solve his puzzle, Eve would solve the entire set of one million puzzles in about sixteen hours — a totally intolerable situation for those needing strong protection. Even if Eve’s computer was no more powerful than Bob’s she could crack all the puzzles in less than two years. If maintaining secrecy was essential, that wasn’t very desirable, either. (On the other hand, such a spread was sufficient for authentication, since breaking a signature key a year after it was used wouldn’t give a foe any appreciable advantage.) Any decent encryption system had to assure that whatever one-way function was used, a mathematically exponential relation would exist between the easy calculation of the communicator and the more difficult task posed to the cracker. Ideally, this should jack up a foe’s work factor to a task requiring thousands, millions, or even billions or trillions of years of crunching. Merkle was hopeful that he could figure out a way for his system to satisfy these conditions. “Perhaps,” he wrote Hellman, “we can get exponential by the end of the summer.” While Merkle was figuring out how to get exponential, Diffie and Hellman focused on finding their own means of implementing a public key cryptosystem. Without some way of actually putting their ideas into action — or at least proving that some feasible scheme could exist — the whole concept of public key cryptography would be merely a mathematical mind-trick. One path was suggested by Stanford computer scientist Donald Knuth, whose encyclopedic series of books in progress, The Art of Computer Programming, would earn him the reputation as the high guru of algorithms. 
Knuth reminded them of an interesting mathematical phenomenon: while it is child’s play to multiply a pair of prime numbers, reversing the process — a task known as factoring — is an assignment that could confound the devil himself. Could this phenomenon be the basis for a devilishly challenging one-way function? Though Diffie and Hellman did not choose to pursue this idea, others would. Another alternative involved computational complexity, and Diffie pored over a book on the subject, particularly a chapter on what was known as NP-complete functions. The class of NP-complete problems, Diffie later wrote, are “problems thought not to be solvable in polynomial time on any deterministic computer.” This meant that they were so hard that you could set your Macintosh, or even your Cray supercomputer (if you were the NSA), to work on the problem and when you checked the results a few trillion years later, you wouldn’t even be in the general neighborhood of solving it. But though Diffie did have some ideas on using complexity to create a formula for a one-way cryptographic function, he never found a way to do it with trapdoors. It was a suggestion by one of Hellman’s colleagues in Stanford’s electrical engineering department, John Gill, that proved most promising. Gill pointed to a mathematical process known as “discrete exponentiation” as a potential function. Since the inverse of this process, known as discrete logarithm, was extremely difficult, this had the potential to fulfill the basic criterion of a one-way function: easy numbers for the good guys to crunch, and computational hell for the bad guys to reverse-calculate. Diffie was working at the Stanford AI lab one day in May 1976, rewriting the public key cryptography paper that he and Marty were planning to publish later that year in the major IEEE journal, when Hellman called, excitement in his voice. He’d been working on discrete exponentiation, and had actually cooked up a workable system. 
When he explained it, Diffie instantly realized that Hellman had tied up the tangled threads of a theory that had been swirling around in his own mind for weeks. The scheme would come to be known as the Diffie-Hellman algorithm. It presupposes two parties who want to communicate in secret; by using one-way functions, these parties can jointly generate a shared key, one that an eavesdropper listening in on the session cannot intercept. Here’s how it works. The two parties first choose two numbers. This is done openly, since knowing these numbers will not help an eavesdropper. Each party then selects his or her own secret number, which will not be revealed or sent to anyone else. Then, using a mathematical formula that involves exponentiation, each party takes his or her own secret number and performs a calculation that involves both that secret number and the two previously chosen public numbers. After this brief number crunching, each person has a transformed secret number that is then sent to his or her counterpart. There’s no problem in sending this number over an open channel because, in effect, it’s an encrypted secret number, scrambled by means of a one-way function that was easy to perform but extremely hard to reverse. (How hard? Undoing the process would, in theory at least, be as difficult as solving what is known as the discrete logarithm problem. This requires performing about a million million quadrillion more operations than the exponentiation used to transform the numbers. That’s a one-way function!) You can think of this second pair of numbers as sort of an offspring of the openly agreed-upon public numbers and the closely held secret numbers. Trying to figure out the secret number from the figure passed over the clear channel would be like examining the DNA in a human cell and trying to figure out which parent was the contributor of each individual gene. You couldn’t do it unless you had access to DNA from either the sperm or egg cells. 
That leads to the third and final step of the Diffie-Hellman algorithm. Both parties separately use a related mathematical formula that combines those transformed numbers, in conjunction with his or her original secret numbers (the source DNA!), to arrive at yet another number. The formula works in such a way that both parties, despite the fact that their original numbers are different, will get the identical final number, which can be called K, as in key. Thus both people will now have possession of an identical numerical key — calculated in such a way so that only someone who has one of the original secret numbers can get K. An eavesdropper, of course, never had a chance to get hold of the secret numbers; that foe would be holding only the nearly-impossible-to-convert transformed variations. The Diffie-Hellman algorithm was both more efficient and secure than Merkle’s puzzle system. But it was not even close to a complete implementation of the sort of public key cryptosystem that the two were envisioning. Diffie-Hellman did not provide for digital signatures and didn’t even supply a means to encrypt messages. But it did provide a method for two people who have had no prior communication to use an open channel and arrive at a secret key. That key could then be used with a conventional encryption system like DES to scramble messages and unscramble them. (This double-barreled approach — one method to find a key without a prior arrangement and another method to actually communicate in secret — would be called a hybrid system.) Including their new algorithm in the revision of “Multiuser Techniques” would make it a much more powerful document. The new paper, “New Directions in Cryptography,” was submitted on June 3, 1976. Later that month, they presented some of their ideas at conferences in Lenox, Massachusetts, and Ronneby, Sweden — appearances that would prove to have unintended patent implications. 
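The three steps described above, as an added example (not code from the book or from Diffie and Hellman's paper): both parties' calculations, plus the exhaustive search an eavesdropper is left with. The function names and the toy public numbers are assumptions made for this illustration, and the range check on received values is a standard defensive check the text does not mention.

```python
"""Toy Diffie-Hellman key agreement, following the three steps in the text.

Added illustration: these parameter sizes are far too small for real use.
"""
import secrets

# Step 1: the two public numbers, agreed in the open.
# Assumption for this example: the Mersenne prime 2**61 - 1 and base 3.
P = 2**61 - 1
G = 3


def make_secret(p=P):
    """Step 2a: a private number in [2, p - 2] that is never transmitted."""
    return secrets.randbelow(p - 3) + 2


def transform(secret, g=G, p=P):
    """Step 2b: the 'transformed secret number' sent over the open channel."""
    return pow(g, secret, p)  # discrete exponentiation: g**secret mod p


def shared_key(their_transformed, my_secret, p=P):
    """Step 3: combine the other side's transformed number with my own secret."""
    # Defensive check (not in the text): 0, 1 and p - 1 would force a
    # predictable key, so a careful implementation refuses them.
    if not 1 < their_transformed < p - 1:
        raise ValueError("degenerate public value")
    return pow(their_transformed, my_secret, p)


def exchange(secret_a=None, secret_b=None, g=G, p=P):
    """Run both sides; return what crossed the wire and each side's key K."""
    a = make_secret(p) if secret_a is None else secret_a
    b = make_secret(p) if secret_b is None else secret_b
    sent_by_a = transform(a, g, p)
    sent_by_b = transform(b, g, p)
    return {
        "wire": (g, p, sent_by_a, sent_by_b),  # everything an eavesdropper sees
        "key_a": shared_key(sent_by_b, a, p),
        "key_b": shared_key(sent_by_a, b, p),
    }


def brute_force_secret(transformed, g, p):
    """The eavesdropper's fallback: try exponents one by one (discrete log).

    The work grows with p itself, while transform() grows only with the
    number of digits in p. That gap is the one-way property.
    """
    value = 1
    for exponent in range(1, p):
        value = (value * g) % p
        if value == transformed:
            return exponent
    raise ValueError("no exponent found")


if __name__ == "__main__":
    tiny = exchange(secret_a=6, secret_b=15, g=5, p=23)
    print("tiny wire traffic:", tiny["wire"], "K =", tiny["key_a"])
    print("secret recovered by search:", brute_force_secret(8, 5, 23))
    full = exchange()
    print("61-bit exchange agrees:", full["key_a"] == full["key_b"])
```

With the 23-element toy group the search succeeds at once; with the 61-bit prime the same loop is already out of reach for this naive method, while each honest party still does only two modular exponentiations.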
But thoughts about exploiting intellectual property were the furthest thing from the minds of these information scientists. In contrast to what struck them as a government refusal to provide all the details of the Data Encryption Standard, they were creating a fully open alternative to conventional cryptography itself.

* * *

Meanwhile, Ralph Merkle, who was now well along in the graduate computer science program at Berkeley, was finally reconciled to the fact that his puzzles scheme wasn’t likely to overcome its work-factor flaw. He began casting about for another public key approach. “I had various schemes involving circuits and complicated fiddling around with subsets of various types,” he said. None seemed to work. Merkle was further handicapped by his chronic difficulty in expressing complex ideas clearly; this made it difficult for colleagues to suggest modifications to his schemes. “You’re stretching your mind, and sometimes you get bizarre, baroque things,” he says in his defense. “It’s only after you’ve cooked up the idea that you start simplifying to the point where it’s clean and easy and straightforward to present.”

Hellman took Merkle up on his offer to work together, giving him a summer research job. It would be exhilarating to work with the two people in the world who best understood the problem. “I was basically isolated until I met Whit and Marty,” he says. “I was ready to keep banging away until I got some response, but there was no one else who was interested in pursuing this.”

Merkle arrived at Stanford convinced that his most promising idea revolved around a scheme built around finding trapdoor one-way functions involving the NP-complete problem. The system was built around a mathematical problem known as knapsacks. To understand his scheme, picture, naturally, a knapsack. “The idea is to put things into this knapsack, to exactly fill it to the brim without going either over or under,” he says.
Diffie would later describe the problem as that of a shipping clerk faced with a collection of packages of various sizes and shapes who had to find the absolute best way to stuff the packages in the mailbag. The perfect solution is one that fills every cubic inch of space. Actually, in Merkle’s scheme, it would be more accurate to say that the shipping clerk must know the proper combination of packages that will precisely meet the weight limit of a given knapsack. With only a few packages to choose from, the optimal solution isn’t that tough to find, but if there are plenty of packages, it gets much harder. Since Merkle wanted these knapsacks to act as trapdoor one-way functions — something that would be easy for the right person to solve but nearly impossible for everyone else to crack — he needed to figure out a way to tame this difficult problem for the proper keyholder. He did this by first using a much easier variation of the knapsack problem called a superincreasing knapsack. In these problems, the list of weights is ordered in such a way that discovering the solution is a breeze. Merkle then figured out a way to transform that easy process to the far knottier problem that comes with figuring out the solution to a normal knapsack, where the weights aren’t so helpfully arranged. It was a complicated but logical process. Someone who wished to receive a private message would begin with her own superincreasing knapsack, which would essentially be her secret key. Then she’d use that key to create a hard-to-solve normal knapsack to act as a public key. With the formula Merkle devised (working with Marty Hellman), that second knapsack could act as an encrypting function, scrambling messages in such a way that they could be unscrambled only by someone who had the ability to solve the problem of that normal knapsack. In a practical sense, there would be only one way to do that — by using the secret key, which was the related superincreasing (easy-to-solve) knapsack. 
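The trapdoor described above, as an added example (not code from the book or from Merkle and Hellman): a superincreasing knapsack serves as the private key, a scrambled "normal" knapsack derived from it serves as the public key, and only the keyholder can undo a subset sum quickly. The disguise used here, multiplying each weight by a secret number modulo a secret modulus, is the one from the scheme Merkle and Hellman published in 1978 and is not spelled out in the text; the weights, modulus, multiplier and function names are toy values and names chosen for this illustration.

```python
"""Toy trapdoor knapsack: easy private problem, hard-looking public one."""
from itertools import product
from math import gcd

# Constructed toy private key (assumption for this example).
PRIVATE_WEIGHTS = [2, 7, 11, 21, 42, 89, 180, 354]  # superincreasing
MODULUS = 881        # must exceed the sum of the private weights (706)
MULTIPLIER = 588     # must share no factor with the modulus


def is_superincreasing(weights):
    """True when every weight is larger than the sum of all earlier ones."""
    total = 0
    for weight in weights:
        if weight <= total:
            return False
        total += weight
    return True


def make_public_key(private_weights, modulus, multiplier):
    """Disguise the easy knapsack as a normal one by modular multiplication."""
    if not is_superincreasing(private_weights):
        raise ValueError("private weights must be superincreasing")
    if modulus <= sum(private_weights):
        raise ValueError("modulus must exceed the sum of the weights")
    if gcd(multiplier, modulus) != 1:
        raise ValueError("multiplier must be invertible modulo the modulus")
    return [(multiplier * w) % modulus for w in private_weights]


def encrypt(bits, public_key):
    """Ciphertext = total weight of the public 'packages' selected by the bits."""
    if len(bits) != len(public_key):
        raise ValueError("one bit per weight is required")
    return sum(w for bit, w in zip(bits, public_key) if bit)


def solve_superincreasing(target, weights):
    """Greedy solution: take the largest weight that still fits, repeat."""
    bits = [0] * len(weights)
    for i in range(len(weights) - 1, -1, -1):
        if weights[i] <= target:
            bits[i] = 1
            target -= weights[i]
    if target != 0:
        raise ValueError("target is not a sum of the given weights")
    return bits


def decrypt(ciphertext, private_weights, modulus, multiplier):
    """Keyholder's path: undo the disguise, then solve the easy knapsack."""
    inverse = pow(multiplier, -1, modulus)  # Python 3.8+
    return solve_superincreasing((ciphertext * inverse) % modulus, private_weights)


def brute_force(ciphertext, public_key):
    """Everyone else's path: test subsets of the public weights one by one."""
    tried = 0
    for bits in product((0, 1), repeat=len(public_key)):
        tried += 1
        if encrypt(bits, public_key) == ciphertext:
            return list(bits), tried
    raise ValueError("no subset matches")


if __name__ == "__main__":
    public = make_public_key(PRIVATE_WEIGHTS, MODULUS, MULTIPLIER)
    message = [0, 1, 1, 0, 0, 0, 0, 1]
    c = encrypt(message, public)
    print("public key:", public)
    print("ciphertext:", c)
    print("keyholder :", decrypt(c, PRIVATE_WEIGHTS, MODULUS, MULTIPLIER))
    print("searcher  :", brute_force(c, public))
```

Each extra weight doubles the number of subsets the search may have to test, while the keyholder's greedy pass grows by one step. The basic scheme was later broken by cryptanalysis, so this shows the trapdoor idea only.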
The impractical way would be to spend a few billion years trying to solve the problem by brute force. Was there a simpler way to break the system than using mega-computers for a brute-force attack, hoping to get the keys sometime before the sun went dead? In other words, could cryptanalysts find a shortcut, a flaw? Merkle was supremely confident that no such flaw existed and posted a challenge on his office door. “I’m offering $100 to the first person to break it,” he wrote to Hellman. “I’ve discreetly shown it to a few people here, and after listening to the resulting silence, I’ve concluded that the solution, if it exists, is at least not embarrassingly simple.” To be sporting about it, he made the task immeasurably easier, asking potential crackers to solve the problem with the difficulty of the knapsack problem set at a level so low that Merkle knew that there was at least a remote chance that someone might collect the reward. After that, he figured, he could raise the stakes and offer a higher bounty if someone cracked the real thing. “The point was that no one gave a damn about this stuff,” he says. “I figured that if I offered money for the [possibly unbreakable] knapsack, people would just throw in the towel. So I offered money for the [easier problem], because somebody might actually break that, or at least think they have a chance at breaking that.” (He would publish a paper on knapsacks with Hellman in 1978.) In November, Diffie and Hellman’s IEEE paper came out. “New Directions in Cryptography” was a revelation, a true blow against the empire. (The title itself drew upon the authors’ generational roots by evoking the mind-blowing paperbacks of the New Directions publishing house — ground-shifting beatnik bibles like Waiting for Godot, Siddhartha, and In the American Grain.) 
“We stand today,” their article began with a fanfare, “on the brink of a revolution in cryptography.” The computer age allows for dramatically cheaper implementations of scrambling devices, they explained, necessary tools for a world that features “effortless and inexpensive contact between people or computers on opposite sides of the world.” But because of the key distribution problem and the lack of a digital signature component, conventional cryptography is unable to handle those challenges: “Its use would impose such severe inconveniences on the system users as to eliminate many of the benefits of teleprocessing.” Thus, there is the need for something new, a means by which private conversations can actually be conducted without prior acquaintance, messages can be authenticated to guarantee that the actual senders and recipients are involved, and a true digital signature can be contemplated. Not only were Diffie and Hellman the first to articulate these problems in an open forum, but in the succeeding breath they proposed to solve them with their original creation, public key cryptosystems. Once, Diffie had harbored dreams of writing up any great cryptographic discovery he made, not as an academic paper but as an espionage novel. He had been disappointed in books of that genre that included great technical discoveries in their plot lines, because the fictional breakthroughs weren’t convincing; they had “feet of clay,” he complained. “Unfortunately,” he would note, “once I had the required technical discovery, I still did not know how to write a novel and had to content myself with publication in the professional journals like everyone else.” But he could take comfort in the fact that the paper he published with Marty Hellman was in many ways as enthralling as any page-turner that ever hit the bestseller list. 
This was science that broke the ground that science fiction had not yet contemplated; within its mathematical formulas lay a blueprint for twenty-first-century communications.

Diffie and Hellman ended their paper with the observation that throughout the history of codes, it had often been amateurs who came up with the innovations in cryptography. They cited Thomas Jefferson, whose code wheel system was used two centuries after its invention, and also mentioned the four amateurs who independently came up with the implementations of electronic rotor machines that characterized Enigma-style crypto during World War II. Then they concluded with a wish that their efforts would be only the beginning of an effort to change the landscape of modern cryptography: “We hope this will inspire others to work in this fascinating area in which participation has been discouraged in the recent past by a nearly total government monopoly.”

That monopoly had just been smashed open by a long-haired former MIT hacker and his passionate Stanford graduate school advisor.

prime time

“Here’s something interesting. . . .”

A casual handoff of an academic paper from a graduate student to a professor. Ron Rivest, a twenty-nine-year-old assistant professor at the Massachusetts Institute of Technology, had no reason to believe that this paper was any more interesting than the hundreds of papers, articles in journals, and technical memos he had already seen in his nascent career in academia. One of its authors, Whit Diffie, had worked in the same building — Tech Square in Cambridge, where the AI lab was one floor above Rivest’s office at the Laboratory for Computer Science. But neither that name nor that of the coauthor, Martin Hellman, was familiar to him. And actually, Rivest knew very little about encryption and virtually nothing about how sensitive a topic it was. Nor did the paper contain any breakthroughs in mathematical reasoning; the spirit of Fermat was nowhere to be found in its equations.
Even so, “New Directions in Cryptography” turned out to be more than interesting to Rivest: it thrilled him. Ultimately, it changed his life. The paper appealed to Rivest’s heart as well as his head. Rivest was a theoretician, but one for whom simple abstractions were not enough. The ideal for him was actually putting the ethereal mechanics of math to work, of making a tangible difference in the world of flesh and dirt. Diffie and Hellman’s breakthrough wedded the spheres of abstraction and reality, applying an original mathematical formula to meet a need in society. Ron Rivest wanted to spend his time in the neighborhood where those two realms met. Despite a prodigious talent for math, Rivest did not grow up as a classic numbers nerd. His father had been an electrical engineer at the General Electric lab at Schenectady, New York, and Rivest had taken advantage of the strong science programs in the public high school there. For one summer, he’d attended a special math program at Clarkson College. But as high school graduation loomed, he mulled over careers in psychology or law. He wound up majoring in mathematics at Yale but only, he remembers, because “it had the fewest course requirements, and it allowed me to take a lot of other courses.” These included plenty of classes in psychology, history, and other sojourns sans slide rule. Mathematics, he says, was “just one of many things I was doing.” He speaks of this in his characteristic soft, thoughtful cadence, a ruminative mumbling that draws a listener closer. Rivest is a balding man with pleasantly plump cheeks, neatly bearded. He certainly does not appear to be the sort of man who poses a threat to national security. While at Yale, Rivest attended a few marches protesting the Vietnam conflict, but he was far from a flaming activist. Thoughts of sedition had never truly crossed his mind. At Yale, Rivest discovered computer science. 
While taking courses offered by the engineering department, he realized that programming offered an opportunity to merge theory with tangible effect, and he fell in love with that form of instant karma. He used his programming skills in a part-time job for an economics professor. Working on a huge punch-card-munching IBM mainframe, Rivest hacked away at arcane subjects like price indices in Latin America or New Zealand — and felt just as powerful as if he were moving mountains. If Yale had offered a computer science major back then, Rivest would have signed up in a minute. In any case, after graduating from Yale in 1969 with a math degree, he went on to graduate school at Stanford, in the four-year-old computer science department. Rivest spent much of his time at Stanford’s cutting-edge artificial intelligence lab, helping with a fairly quixotic project involving an autonomous robot rover. The idea was to get the electronic beast to roam the parking lot with no human intervention, a typical overly optimistic task for AI workers in the 1960s. He had terrific fun with this, and was fascinated with the idea of making computers “smart.” But the problems of making robots behave forced him to concentrate on hard-core engineering problems, and he didn’t want to get too far from theory. He increasingly became drawn to understanding the mathematics of computation itself. His guru was not the AI elder John McCarthy but Don Knuth, Stanford’s Jedi Master of algorithms. But Rivest’s goal was always applying theory. “Artificial intelligence gets to be a bit mushy — it’s hard to tell what it is you’re doing, and hard to tell when you’ve done something right,” Rivest explains. “But with theory you can make a crisp model and say, ‘This is what I want to do and here’s the solution to it.’ ” There was nothing like using the beauty of mathematics to solve a problem. 
Not only was it possible to pull a cerebral arrow from your quiver and hit the bull’s-eye dead center, but you had the equivalent of a celestial arbiter — your proof — ringing the buzzer to let you know you’d scored. So while Rivest enjoyed writing AI software programs, his doctoral thesis involved database retrieval algorithm and research techniques. Very Knuth-ish. And in a yearlong postdoc at the Institut National de Recherche en Informatique et en Automatique (INRIA) outside Paris, he concentrated on other theoretical problems. In the fall of 1974, Rivest accepted his post as an assistant professor on a tenure track at MIT. It was an ideal job, one that would enable him to pursue his theoretical interests in a department that also allowed him the freedom to work on programming problems as well. Rivest had been married since graduating from Yale. At twenty-seven, he seemed poised to begin a productive yet quiet life as an academic in one of America’s best scientific institutions. From his eighth-floor window in the boxlike Tech Square building in Cambridge, he would watch the gorgeous campus sunsets, their drama enhanced by pollution spewed out by Boston-area industry. And then he would return to his algorithms. In December 1976, and throughout that entire winter, the algorithms Rivest grappled with were the ones suggested by Diffie and Hellman’s “interesting” paper. It might be more accurate to say that he was consumed by the formulas missing from that cryptologic manifesto. While the two Stanford researchers had indeed presented a mathematical outline for a new way of passing secret messages — and also digitally “signing” messages so that a communication could be definitively associated with its author — when it came to an implementation that one could really use, they’d come up dry. The Diffie-Hellman key exchange approach allowed two parties to set up a common key, but there was no obvious way that it could be extended to signatures. 
(Merkle’s not-yet-published knapsack solution also fell short of this.) Diffie and Hellman had speculated on various ways that one might eventually come up with a workable system where each individual could have his or her own key pair, one public and one kept secretly. But without the proper mathematical scaffolding, it was really nothing more than a suggestion. It all hinged on finding sufficiently powerful one-way functions. Was there indeed a set of these that could stand as the reliable scaffolding of a volks-cryptosystem? A set of functions so sound that the system based on them would be impervious to all sorts of eavesdroppers and codebreakers, even highly motivated ones equipped with high-speed computers, deep cryptographic experience, and a touch of genius themselves? Answering those questions became Rivest’s obsession. Though the mathematical component of the quest was exciting in itself, the process was charged with a thrilling frisson, in that a successful solution could potentially kick off an entirely new kind of commerce — business done over computer networks. This is important, Rivest thought, and immediately began evangelizing the challenge to his colleagues. Leonard Adleman was the first one to fall victim to Rivest’s exhortations. He was a young mathematician who also split his time between the computer science lab and the math department. One day that December, he recalls, he walked into Rivest’s office just a few doors down from his own at Tech Square. “Did you see this paper?” Rivest asked. “It shows how you can build this secret code, where if I wanted to send you something and we wanted it to be secret, and somebody was listening . . .” As Rivest gushed about the workings of public key, Adleman asked himself, Do I care about this? Unlike Rivest, Leonard Adleman worshipped theory, pure and simple. He often thought about Gauss, Euler, Fermat . . . 
giants of previous centuries who had discovered the foundations of mathematical truth, blue-sky brainiacs without regard for any practical applications their constructs may have had. These geniuses were as gods to Adleman, and he longed for nothing less than to play in the same arenas of pure mind. This stuff about cryptography that so excited Rivest sounded to Adleman like some problem about how to build a better automobile or something. Not the sort of intellectual gauntlet that a math god like Carl Friedrich Gauss would have jumped at. So Adleman waited patiently until Rivest was finished, then remarked, “That’s very interesting, Ron.” And changed the subject. Rivest had more luck with another recent addition to MIT’s computer faculty. Just that month, Adi Shamir, a rail-thin, witty Israeli, had arrived at MIT for a visiting professorship in the Laboratory for Computer Science. Shamir was having a hectic time. Though he was a world-class mathematician, he had yet to learn much about computer algorithms. So he had been unhappily surprised when, several weeks earlier, Rivest had sent him a letter “to discuss the contents of the advanced algorithm course you will teach this spring term.” Shamir winced: bad enough an algorithm course — but an advanced one? To doctoral candidates? Fortunately, Shamir was a lightning-quick study. As soon as he arrived at Tech Square he zoomed to the library and checked out a shelf full of books on the subject; in the next two weeks, he learned everything he needed to know about algorithms. It was sometime during that remedial reading period that his new colleague, Ron Rivest, popped into his office and enlisted him in the effort to implement public key cryptography. Once he got a look at it, Shamir agreed with Rivest that the Diffie-Hellman paper was significant. Not that it was groundbreaking from a mathematical point of view. 
He figured that if you took anyone experienced in number theory and tried to explain the Diffie-Hellman scheme to him, it would have taken exactly two minutes. The novelty was how the Stanford guys took something that had absolutely no relation to cryptography in the past and suddenly applied it to a new field. Shamir quickly became Rivest’s partner in the search for the perfect mix of one-way functions. As the winter progressed, Rivest and Shamir became friends; with Adleman they formed a jolly threesome. Adleman, at first almost as a social concession, joined in the algorithmic hunt. “We were roughly the same age, we were all in the same discipline, and we liked each other, so we became not only colleagues and collaborators but hung out all the time,” Adleman says. Adleman and Shamir were bachelors, and Rivest’s more domestic existence served as a sort of anchor to the group, both at work and in his home in Belmont, a warm, open apartment with access to a nice yard. (Adleman lived in an apartment in Arlington and Shamir had a place in Cambridge.) As the weeks progressed, the young men, with adjoining offices on the eighth floor of Tech Square, began working seriously on their quest. Not surprisingly, Rivest was the most focused of the group. Though he taught classes during this period, his mental efforts never strayed far from crypto. “Whatever Ron decides to do, he does extremely well,” says Adleman. “If he decided, say, to start building rocket ships, I’d put my money on it that in five years he’d be one of the five best rocket builders on earth.” Shamir was similarly dogged. “Adi’s like an intellectual lion; you just throw some meat in front of him and he’ll chew it up,” says Adleman. Adleman himself acted as more of a foil. 
Of the three, he was the one who most looked and acted like a classic, dreamy mathematician — the kind of shaggy-haired young guy who would be the helpless prey of a wacky heroine in a screwball comedy (by the end of the movie, though, we’d learn that he had his own devilish streak). Perhaps once or twice a week, Rivest and Shamir would come up with a scheme, and then present it to Adleman, the group’s Mr. Theory, who would then set about to identify its flaws and break the scheme, sending the other two mathematicians back to the blackboard. To Adleman the exercise was like swatting flies, and not much more intriguing. Even weeks into the project, he was convinced that the whole project was not really worth his effort — it was too grounded in the real world. He understood that both his friends had this sense that the potential practical applications made the quest desirable. That didn’t matter to Adleman. He loved math because its beauty transcended earthly concerns. At first, every scheme they came up with was easily obliterated by an Adleman attack. Frustratingly so. “We experimented with a lot of different approaches, including variations on things that Diffie and Hellman suggested,” says Rivest. “We weren’t happy with the approaches we came up with.” At one point, they got so discouraged that they wondered whether an answer existed at all. Maybe Diffie and Hellman’s apparent breakthrough was a dud. So for a little while, they switched gears and attacked the problem from the opposite end, trying to come up with a proof to show that public key cryptography was impossible. “We didn’t get very far at that,” says Rivest. In February, the three MIT mathematicians went to the Killington ski resort in Vermont. It was definitely a working holiday. Even as the three computer scientists tried to teach themselves to ski, their minds were never far from the problem. 
For Shamir, and even more for Rivest, it was almost a biological drive; Adleman was literally along for the ride. “All the way up in the car, around the fire, riding the ski lifts, that’s what they were talking about, so that’s what I was talking about,” he says. Of course, when actually schussing down a mountain on skis, they couldn’t continue the discussion — so they thought about it. Shamir later recalled, only half facetiously, that they settled into a routine of each racing down the hill for a half hour devising a new public key cryptography scheme. And then the others would break the scheme. On only the second day that the Israeli had ever been on skis, he felt he’d cracked the problem. “I was going downhill and all of a sudden I had the most remarkable new scheme,” he later recalled. “I was so excited that I left my skis behind as I went downhill. Then I left my pole. And suddenly . . . I couldn’t remember what the scheme was.” To this day he does not know if a brilliant, still-undiscovered cryptosystem was abandoned at Killington. In a way, their difficulties were only to be expected. Why would anyone think that three young computer science assistant professors could ever come up with a sound cryptosystem, let alone a bulletproof scheme that for the first time in history allowed people to communicate with each other in total secrecy without having to make arrangements beforehand? A reasonable mind would conclude that this could only be done by someone intimately familiar with the field. If you had a magical instrument that measured cryptographic knowledge, the combined experience of the MIT Three wouldn’t have moved the needle even a tickle. But such ignorance was perhaps their most valuable asset. “We were extremely lucky,” Shamir later said. “If we’d known anything about cryptography and known about differential sequences and Lucifer and DES we probably would have been misled into expanding those ideas and using them for public key cryptography. 
But we were rank amateurs — we knew nothing about cryptography. And as a result we were just exploring the ideas we were taught at university.” These ideas were a mathematical grab bag that suggested all sorts of possibilities — everything from linear algebra to equation sets. And they went through them all. Generally they’d meet in Rivest’s office, scrawling equations on the blackboard. Someone would come up with an idea and they’d think about it for a while, and then maybe they’d see a flaw with it. “Sometimes I would break my own scheme, or Adi would break his, or I would break Adi’s,” says Rivest. The more promising possibilities would go to Adleman, who, despite his initial lack of interest, was developing quite a talent for locating, then tugging at, the threads that would unravel a given scheme. Eventually, they found a system that looked like it might fly. It was about the thirty-second candidate. Adleman immediately thought this one looked more interesting than the predecessors. He pulled an all-nighter before he broke it — “It took real research to break it, as opposed to observation,” he says — and discovered that he had mixed feelings about his success. He was now hooked, too. (Several years later, some researchers published a paper proposing an almost identical scheme, only to be embarrassed when other mathematicians rediscovered Adleman’s “scheme 32” attack.) By then their solutions were beginning to utilize the idea of a promising one-way function: factoring. Though Knuth had suggested this to Diffie and Hellman, the Stanford researchers hadn’t followed up on it; by coincidence, Rivest was settling on his former mentor’s hunch. Once again, factoring is a mathematical problem tied to the use of prime numbers. A prime number, of course, is one that cannot be arrived at by multiplying two numbers together (the lone exception being the prime itself and the number one). 
If you multiply two large primes together, then, you get a much larger number that isn’t a prime. To factor that number, you have to somehow reverse the process, identifying the two original seeds that produced it. This had been understood as a hard problem ever since a few years before Christ’s birth, when Eratosthenes of Alexandria devised a mathematical process called a “sieve” to try to perform this task. At that time, people considered factoring to be virtually the same problem as trying to figure out whether a number was a prime or not. Twelve hundred or so years later, Fibonacci improved the method somewhat, but by no means did he offer a way to reasonably break down a large product into its two parent primes. When Gauss in 1801 recognized that factoring and finding primality were two different problems, he identified the former conundrum as a vexing but critical challenge: The problem of distinguishing prime numbers from composite numbers and of resolving the latter into their prime factors is known to be one of the most important and useful in arithmetic. . . . The dignity of the science itself seems to require that every possible means be explored for the solution of a problem so elegant and celebrated. Gauss never did find an efficient solution to the factoring problem, and no one else did either, though no proof existed that a solution was impossible. Not that it was a very hot topic in the mid-1970s. “Factoring at the time was not a problem that people cared about very much,” Rivest says. “Publications were few and far between.” Still, as the MIT Three continued trying different variations of schemes to implement the Diffie-Hellman concept, they became increasingly drawn to using factoring in their system. On April 3, 1977, a graduate student named Anni Bruce held a Passover seder at her home. Rivest was there, and Shamir, and Adleman. 
For several hours ideas of mathematical formulas and factoring were put aside for a recapitulation of the escape of the Jewish people from Egypt. As is customary with seders, people downed a lot of wine. It was nearly midnight when Rivest and his wife returned home. While Gail Rivest got ready for bed, Ron stretched out on the couch and began thinking about the problem that had consumed him and his colleagues for months. He would often do that — lie flat on the sofa with his eyes closed, as if he were deep in sleep. Sometimes he’d sit up and flip through the pages of a book, not really looking, but reworking the numbers. He had a computer terminal at home, but that night he left it off. “I was just thinking,” he says. That was when it came to him — the cognitive lightning bolt known as the Eureka Moment. He had a scheme! It was similar to some of their more recent attempts in that it used number theory and factoring. But this was simpler, more elegant. Warning himself not to get overexcited — Shamir and Adleman, after all, had broken many of his previous proposals — he jotted down some notes. He did allow himself the luxury of saying to his wife that he’d come up with an idea that just might work. He doesn’t remember phoning the guys that night. Adleman, though, insists that he received a call sometime after midnight. “I’ve got a new idea,” Rivest announced, and explained it. Essentially, Rivest’s idea was to strip the factoring problem down to almost naked essentials. A public key is generated by multiplying two large (over 100 digits), randomly chosen prime numbers. Easy. Then another simple step (if you have a computer): randomly choose yet another large number, one that had certain easy-to-calculate specified properties. This would be known as the encryption key. The complete public key consists of both that encryption key and the product of those two primes. 
Rivest then provided a simple formula by which someone who wanted to scramble a message could use that public key to do so. The plaintext would now be ciphertext, profoundly transformed by an equation that included that large product. Finally, using an algorithm drawn from the work of the great Euclid, Rivest provided for a decryption key — one that could only be calculated by using the two original prime numbers. Using the decryption key, one could easily revert the ciphertext to the plaintext message. Thinking of it another way, on its way to ciphertext, the original message was intimately intertwined with the product of the two primes. What made the information in the plaintext unreadable was a mathematical transformation involving that large product — a transformation that could only be reversed if you knew what those two primes were. Then everything would become clear. Some of the mathematics of the decryption key — which works as the private key in this system — was derived from the work of another legendary mathematician, Leonhard Euler, who in 1763 devised an equation that dealt in the remainders of numbers obtained after dividing whole numbers. Almost two hundred years after its Swiss inventor first conceived it, an idea that had been deemed valuable only in theoretical math had found an application in the real-world mechanics of codemaking. The scheme satisfied all of Diffie and Hellman’s requirements. A user could confidently broadcast a public key, because its essential component was only the product of the two primes. If snoops wanted to unscramble an intercepted message that had been encrypted with the public key, that information would be useless. In order to cook up a decryption key, they’d need the original primes. How could they do that? Only by factoring, and even Gauss couldn’t crack that nut. This was the beauty of the one-way function: easy to do if you’re going in the right direction, next to impossible if you approach it from the wrong end. 
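The scheme sketched above, written out as an added Python example (not code from the book or from the RSA paper): two primes are multiplied into the public modulus, Euclid's extended algorithm derives the decryption key from those primes, and the same keys used in reverse give the signature use the text turns to next. The function names, the default encryption key 65537 and the small sample primes are assumptions of this example; it is textbook RSA without the padding (OAEP, PSS) that deployed systems add.

```python
"""Textbook RSA following the passage (added example; all names are this example's own).
No padding is applied, so this shows the arithmetic only, not a deployable scheme."""
import secrets
from math import gcd


def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def is_probable_prime(n, rounds=40):
    """Miller-Rabin test with random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)  # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True


def random_prime(bits):
    """Random prime of exactly `bits` bits (top bit and low bit forced to 1)."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def make_key(p, q, e=65537):
    """Return ((n, e), (n, d)) built from two distinct primes p and q."""
    if p == q:
        raise ValueError("the two primes must differ")
    n = p * q
    phi = (p - 1) * (q - 1)      # Euler's totient of n: needs the two primes
    g, d, _ = egcd(e, phi)       # d*e + k*phi == 1, so d inverts e modulo phi
    if g != 1:
        raise ValueError("e shares a factor with (p-1)(q-1)")
    return (n, e), (n, d % phi)


def generate_key(bits=1024, e=65537):
    """Pick random primes until e is usable, then build the key pair."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p != q and gcd(e, (p - 1) * (q - 1)) == 1:
            return make_key(p, q, e)


def encrypt(public, m):
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(private, c):
    n, d = private
    return pow(c, d, n)


def sign(private, m):
    """Signature: the private key applied to the message number."""
    n, d = private
    return pow(m, d, n)


def verify(public, m, signature):
    """Anyone holding the public key can undo the signature and compare."""
    n, e = public
    return pow(signature, e, n) == m


if __name__ == "__main__":
    public, private = generate_key(1024)
    message = int.from_bytes(b"constructed sample message", "big")
    ciphertext = encrypt(public, message)
    recovered = decrypt(private, ciphertext)
    print(recovered.to_bytes((recovered.bit_length() + 7) // 8, "big"))
    print("signature valid:", verify(public, message, sign(private, message)))
```

`make_key` takes the primes as arguments, which makes the dependency visible: without `p` and `q` there is no `phi`, and without `phi` no decryption key.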
If the people using the system used primes as big as Rivest was specifying, factoring that product would require hunkering down with some supercomputers for a long winter — and for some billions of winters thereafter. As long as factoring remained difficult, this new scheme was secure. The scheme wasn’t limited to encryption, either. If you used the decryption (private) key to scramble a number, that jumbled result could be unscrambled by using the encryption key and the product of the primes — the public key. Since only the owner of the closely held private key could do this, this process would reliably authenticate the source of the message. What Diffie and Hellman had first imagined now seemed real: a solid formula for digital signatures, the enabler for new kinds of commerce, and a means to establish trust on an electronic network. The formulas sounded beautiful to Adleman. It was a much less messy system than any they’d been dealing with. Others had used relatively convoluted schemes involving multiplication, division, addition. But Rivest had hit the target dead on. “I think that’s it, Ron,” said Adleman. “I think that’s going to work.” But Adleman, too, held off on popping a champagne cork. Too often, midnight excitement dissipates when a scheme is examined in cold morning light. When morning broke, though, the elegance of Rivest’s solution hadn’t dimmed. When the three researchers convened in Tech Square as usual, a flushed and breathless Rivest presented a manuscript to his colleagues with the whole shebang written out in a near-publishable format. It was signed Adleman, Rivest, Shamir. “I looked at this,” said Adleman, “and it was the description of what he’d said the night before.” He felt it was Rivest’s breakthrough, not his. “Take my name off,” he said. “It’s your work.” Rivest insisted that it was a joint project, that Shamir’s and Adleman’s contributions were crucial, that the scheme was the final point in an evolutionary process. 
To Rivest, it was as if the three of them had been in a boat together, all taking turns rowing and navigating in search of a new land. Rivest might have stepped out of the boat first, but they all deserved credit for the discovery. Still, Adleman objected again. Maybe Shamir had contributed conceptually, but Adleman had mostly stuck pins in various algorithmic trial balloons. No way he could take credit. Rivest urged Adleman to reconsider overnight. “So I went home and thought about it,” said Adleman. He was, after all, a logical man. Though he felt in his bones that he didn’t deserve to share credit, he knew that as an aspiring academic, any publication credit might help when he came up for tenure. And after all, breaking their “Scheme 32” hadn’t been trivial. What if he hadn’t been around to break it, and Rivest and Shamir had gone on to publish a faulty paper — they certainly would have looked like morons if some pimply grad student cracked their scheme. Given that he had made a contribution, why fight Ron on the matter? After all, Adleman thought, it wasn’t as if this was a paper anyone would actually see. “I thought that this would be the least important paper my name would ever appear on,” he recalls. So Adleman agreed to keep his name on it, if it were listed last. Meanwhile, Adi Shamir agreed with Adleman that Rivest’s name should go first. This order determined the name of the algorithm itself: RSA. With input from his collaborators, Rivest quickly turned his original draft into MIT/Laboratory for Computer Sciences Technical Memo Number 82: “A Method for Obtaining Digital Signatures and Public Key Cryptosystems.” It was dated April 4, 1977. Though Adleman might still have dismissed the outcome as mathematically unimportant, a quick glance at the “key words and phrases” offered for indexing purposes demonstrated that this was at the least an unusual effort for three number crunchers from MIT. 
In fact, the words offered a remarkable blueprint for a network society that would not be widely discussed for twenty years: . . . digital signatures, public key cryptosystems, privacy, authentication, security, factorization, prime number, electronic mail, message-passing, electronic funds transfer, cryptography. With fanfare reminiscent of the Diffie-Hellman work that had first triggered the project, the paper’s first words proclaimed, “The era of electronic mail may soon be upon us; we must insure that two important properties of the current ‘paper mail’ system are preserved.” These properties were that messages remain private and able to be signed. And then the authors promised to unveil a means by which these characteristics, long accepted as only the domain of hard copy, could be used in the coming, networked era. The paper was also notable for a more whimsical touch. Instead of what had been the standard form of delineating the recipient and sender of a message by alphabetic notation — A for the sender, B for the recipient, for instance — Rivest personified them by giving them gender and identity. Thus the RSA paper marks the first appearance of a fictional “Bob” who wants to send a message to “Alice.” As trivial as this sounds, these names actually became a de facto standard in future papers outlining cryptologic advances, and the cast of characters in such previously depopulated mathematical papers would eventually be widened to include an eavesdropper dubbed Eve and a host of supporting actors including Carol, Trent, Wiry, and Dave. The appearance of these dramatis personae, however nerdly, would be symbolic of the iconoclastic personality of a brand-new community of independent cryptographers, working outside of government and its secrecy clamps. Despite their confident language, Rivest wasn’t sure how significant the discovery was. “It was unclear at the time whether [the scheme] would be broken within a few months,” he says. 
“It was also unclear whether there were better approaches.” Still, he initiated a journal publication process, with an eye to the Communications of the ACM, where he was a contributing editor. He sent copies to colleagues for peer review. One to Don Knuth. And, in his first contact with the authors of “New Directions in Cryptography,” on whose system his own was built (a connection made explicit in his paper), he sent one to Whitfield Diffie and Martin Hellman. (Rivest later explained that among researchers it is not particularly unusual for a group of academics to build upon previous work without notifying the original team until a result is obtained.) There were still some things that needed to be nailed down before the paper was submitted to a journal. One of them was definitively pinpointing the current state of factoring — the system, after all, relied on the difficulty of extracting two long primes from their product. Through Marty Hellman, they got in touch with Rich Schroeppel, the former MIT hacker whom Diffie had visited on his transcontinental crypto adventure. (Ironically, Schroeppel had been pessimistic about the prospect of cryptosystems based on one-way functions.) Schroeppel was among the few people on earth still doing very serious thinking on factoring. Schroeppel now was ready to discard his skepticism of one-way functions and was eager to contribute. After reading what Don Knuth had offered as the best available formula for factoring, Schroeppel had done a timing analysis of it and had a deep realization of how truly knotty the problem was: no matter how you tackled it, it seemed that the work required to factor something was many, many times larger than the effort expended on the initial multiplication. “I think it was the first time anybody had looked at how hard it was to factor,” he says. 
Schroeppel was impressed with the RSA paper and sent some suggestions, including an analysis of how long it would take the fastest factoring scheme (an unpublished one by Schroeppel himself) to crack keys. Conclusion: plenty long enough for a good cryptosystem. Rivest also sent a paper to Martin Gardner, who wrote the “Mathematical Recreations” column for Scientific American. “He was always writing these columns about big numbers, and looking for primes,” says Rivest. Gardner had a loyal following among both amateur figure twiddlers and serious mathematicians: it was not unusual for one of his monthly dispatches to catapult a hitherto obscure problem into an international obsession. On April 10, 1977, less than a week after Rivest’s breakthrough had occurred, Gardner wrote back. “Your digital signature scheme is indeed fascinating,” he wrote. “The whole idea behind it is new to me, and I think a very interesting column could be written around it.” He invited Rivest to explain the scheme to him personally. An excited Rivest headed out to Gardner’s home in Hudson, New York. Gardner was an old-school gentleman and something of a scamp. The columnist performed a few card tricks; years later Rivest was still wondering how the hell he did them. The magic show completed, Gardner asked for examples of how the RSA system worked, and it was Rivest’s turn to produce magic. Eventually they decided to offer a challenge to readers of the column. Rivest would generate a public key of 129 digits and use it to encode a secret message. If the system worked as promised, no one in the world would be able to read that message, with two exceptions. One would be someone who had both a powerful computer set to break the message with brute force and a very large amount of time on his hands: if the computer was, for instance, a million-dollar PDP-10, the effort would take somewhere in the neighborhood of a quadrillion years. 
(This estimate, provided by Rivest on an apparent misinterpretation of Schroeppel’s factoring time analysis, was an error on his part; what he meant to say was that it would take merely hundreds of millions of years to crack the code by calculation. Still not an undertaking for mortals.) The other exception, of course, was the person holding the private key match to that particular 129-digit public key. That person could decode the message in a few seconds. And if the RSA system didn’t work as promised? Then some bright, motivated reader might figure it out. In that case, Rivest, Shamir, and Adleman would present that person a $100 prize. And the RSA system would be given a quick funeral, as it would be useless for protecting people’s privacy and authenticating their identities. Gardner’s column appeared in the August 1977 edition of Scientific American. It was spiked throughout with enthusiasm for the achievement of the three young MIT scientists. Gardner, in fact, predicted that the breakthroughs by Diffie-Hellman, and then RSA, meant an end to an entire era of codebreaking: “[They are] so revolutionary,” he wrote, “that all previous ciphers, together with the techniques for cracking them, may soon fade into oblivion.” From now on, he wrote, armed with RSA and similar systems, we would enter a golden age of secure electronic communications, where all messages could be secure, unreadable even by the masters of cryptanalysis. In fact, Gardner used the moment to declare void Edgar Allan Poe’s contention that “human ingenuity cannot concoct a cipher which human ingenuity cannot resolve.” In Gardner’s view, the ingenuity of the Stanford and MIT “outsiders” had concocted that very cipher. The columnist, while excited by the discovery, confessed to a wistfulness at the new reality, where the spy vs. spy aspects of encryption would be relegated to antiquity. 
“All over the world there are clever men and women, some of them geniuses, who have devoted their lives to the mastery of modern cryptanalysis. . . .” he wrote. “Now these people are standing on trapdoors that are about to spring open and possibly drop them completely from sight.” Gardner completed the column by printing the message encoded by Rivest with the RSA system using a 129-digit key, inviting anyone to try his or her luck, skill, and cryptanalytic prowess at breaking the code. Readers were invited to begin the process, or simply learn more about the system, by sending a self-addressed, stamped envelope to MIT and requesting a copy of the technical paper. Though the three professors were all on summer break, the secretaries at Tech Square could attest to the instant impact of Gardner’s column — thousands of letters began pouring in. When Shamir finally returned to Cambridge after spending the summer backpacking in Alaska, he encountered a near avalanche as the stacks of envelopes that had been stored in his office engulfed him on his way to his desk. But that was only the first indication of the excitement that Gardner’s column inspired. This was the first public notice of the movement that began with Whit Diffie’s iconoclastic quest, and it seemed to have unleashed all the pent-up frustrations of anyone who once had been temporarily obsessed with the dark art of codes, only to have sublimated that attention elsewhere, since all the good stuff in the crypto world existed only behind the Triple Fence or, perhaps, its international counterparts. Reading Gardner’s account of what seemed like a turning point in this history of cryptography — not only in terms of what the tools were but who had forged them — was like the sun breaking through after decades of gray gloom. Len Adleman first saw the evidence of this that August, when he was browsing in a bookstore in Berkeley. 
Waiting to pay for his purchase, he overheard a conversation between a clerk and a customer buying a new copy of Scientific American. “Did you see the thing in here about this new code system?” asked the customer. “Yeah, I read about it,” said the clerk. “Isn’t it wild?” Adleman could not contain himself. “That’s the stuff we did,” he exclaimed, identifying himself as one of the three MIT professors in Gardner’s column. When the magazine buyer understood that Adleman was on the level, he held out the issue. “Would you sign this for me?” he asked. As an instrument of crypto’s liberation, Len Adleman was suddenly being asked for autographs à la Tom Cruise. Even Fermat hadn’t gotten that kind of treatment! And what about the people who were supposedly standing on those trapdoors Gardner mentioned — namely, the codemakers, codebreakers, analysts, and outright spooks who disappeared each day into the Cone of Silence at Fort George Meade? How did they view the work of Rivest, Shamir, and Adleman and the advances of Diffie and Hellman? As one might expect: with sheer horror.

* * *

The midseventies had already been traumatic for the NSA. For twenty-five years, its relationship with Congress had proceeded with nary a legislative speed bump. The agency addressed only the few representatives who sat on classified intelligence oversight committees. After briefing sessions held in shielded rooms swept for bugs, the legislators routinely rubber-stamped all of The Fort’s requests. But in 1975 and 1976, the NSA found itself the focus of a fearlessly insolent investigation of its eavesdropping practices by Senator Frank Church’s Intelligence Committee. The committee was shocked to discover the extent of the NSA’s snooping efforts, particularly a strategy called Project Shamrock that included surveillance of American citizens. Church was incensed at the agency’s blithe insistence that such eavesdropping, performed without benefit of warrants, was still within its authority. 
The senator’s final report concluded with an almost biblical admonition on what could happen if the agency continued on its course without restraint, warning that its monitoring capabilities “could at any time be turned around on the American people and no American would have any privacy left, such [is] the capability to monitor everything. . . . There would be no place to hide.” While the NSA avoided any serious repercussions, this “indecent exposure” (as described by an NSA official in an internal memo) was sobering. The wiser heads of the NSA obviously knew that if there was ever a time to lie low, this was it. Still, Diffie-Hellman’s work, and its alarmingly practical follow-ups, represented an encroachment into what the NSA had regarded as its birthright: the domination of cryptography. This was something that the agency could not ignore. After all, if people had access to the means to encrypt their private communications, there could be a place to hide — and a universal means to privacy was exactly what an agency charged with eavesdropping is hell-bent to prevent. Though the realization of such a threat to its mission was slow to filter through the complex bureaucracy at Fort Meade, clearly some officials recognized the problem. As early as 1975 the NSA began to work behind the scenes (where else?) to restrict the nascent academic field. Its first efforts were directed at the National Science Foundation. The NSF was an independent government agency designed to foster research into all sorts of scientific inquiries; it was extremely common for mathematicians and computer scientists to have work funded, at least in part, by NSF grants. (These would come to include Diffie, Hellman, and the RSA team.) In June 1975, the NSF official in charge of monitoring such grants, Fred Weingarten, was warned that the NSA was the only government agency with the authority to fund research on cryptology. Weingarten was alarmed that he may have been breaking the law. 
So he held off awarding any new grants while he sought to clarify the matter. What he found was interesting. Neither the NSF lawyers nor the National Security Agency itself, when pressed for documentation, could come up with any statutory justification for the agency’s claim. So Weingarten felt free to ignore the warnings and resume his grants. Marty Hellman, for one, always appreciated Weingarten’s backbone. “When the NSA told him that he couldn’t fund cryptography, that the NSA had a monopoly on that funding, Fred not only was courageous but he handled it very well,” says Hellman. “He didn’t say, ‘You’re full of shit,’ but asked them to put it in writing so he could take it to his counsel for an opinion.” But then came the Diffie-Hellman paper, followed by the RSA discovery. Together, of course, these created the underpinnings for the NSA’s worst fear: a communications system where everyone used a secure code. So it seemed hardly a coincidence that on April 20, 1977 — barely three weeks after Rivest dashed off his MIT technical memo — the NSA’s assistant deputy director for communications security, Cecil C. Corry, ventured from Fort Meade to the capital to meet with Weingarten. He was accompanied by a colleague. Once again the officials attempted to ax any NSF grants that might involve crypto, invoking what they portrayed as a presidential directive giving them “control” over such research. Weingarten reminded them of his previous experience, which established that no such directive was ever issued. While he did agree to forward relevant proposals to the NSA so that the security agency could offer a technical evaluation to use in considering the grant, he insisted that the process be conducted openly, with no decisions made under the shroud of silence. 
The NSA people weren’t happy with that compromise, offhandedly remarking to Weingarten that “they would have to get a law passed” — presumably to ban such academic research unless the Diffies, Hellmans, and Rivests of the world were willing to deep-six their work under the classified seal. Later, Corry wrote to John R. Pasta, Weingarten’s boss, thanking him for a concession that the NSF never made — agreeing to consider “security implications” when evaluating grant proposals. Pasta made it clear that the NSF made no such promise. In a memo he wrote at the time, Fred Weingarten summarized his views of the agency’s motives: NSA is in a bureaucratic bind. In the past the only communications with heavy security demands were military and diplomatic. Now, with the marriage of computer applications with telecommunications . . . the need for highly secure digital processing has hit the civilian sector. NSA is worried, of course, that public domain security research will compromise some of their work. However, even further, they seem to want to maintain their control and corner a bureaucratic expertise in this field. . . . It seems clear that turning such a huge domestic responsibility, potentially involving such organizations as banking, the U.S. mail, and cable televisions, to an organization such as NSA should be done only after the most serious debate at higher levels of government than represented by peanuts like me. Clearly, NSA wasn’t going to slink away. As the skies darkened inside the Beltway, the MIT professors, crypto virgins all, were unaware of anything but sunshine. They certainly didn’t know of anything in the nation’s export laws and agreements that could conceivably affect the dissemination of their work. They had no idea that while the first half of 1977 was marked by their major contribution to the field of cryptography, the latter portion of that year would be marked by the government’s efforts to stop people from knowing about such work. 
That summer a letter dated July 7, 1977, arrived at the New York offices of the IEEE, addressed to E. K. Gannett, the staff director of the organization’s publications board. “I have noticed in the past months,” the correspondent began, “that various IEEE groups have been publishing and exporting technical articles on encryption and cryptology — a technical field which is covered by federal regulations. . . .” There followed detailed citations, down to the proper subsections of individual regulations that may have already been violated, not only by the publishing of certain articles in IEEE publications, but at various symposia sponsored by the group, including the event in Ronneby, Sweden, where Hellman had first presented public key crypto. As further documentation, the letter writer included photocopies of “a few pages of the relevant law,” namely the International Traffic in Arms Regulation (ITAR) code. These regulations were drawn to “control the import and export of defense articles and defense services.” While people like Ron Rivest had always assumed that defense articles were things like nuclear detonating devices, Stinger missiles, and aircraft carriers, it turned out that these “instruments of war” were joined on the United States munitions list by “privacy devices [and] cryptographic devices.” None of these was allowed to be shipped overseas without specific permission from the State Department. Furthermore, these restrictions did not cover merely the actual devices, but any “technical data” covering these “weapons.” This was defined as “any unclassified information that can be used . . . in the design, production . . . or operation” of a restricted weapon. If you disseminated that information to a foreign national, or even allowed such a person to get his or her hands on your matériel (so to speak), you were in violation of the law — an enemy of the state. 
The letter writer noted that in October the IEEE planned an International Symposium on Information Theory at Cornell that would include papers on encryption. Under current law, he warned, such presentations or publications were restricted, and if preprints were sent abroad, “a difficulty could arise, because, according to ITAR, an export license is required.” His implication seemed to be that such a violation of the law could lead to fines, arrests, and even jail terms. At the Ronneby conference, the letter darkly noted, “this formality was skipped.” The message was clear: You academic cryptographers may believe that your ideas were conceived under the protection of academic freedom and that your mathematical formulas belonged to no one but perhaps the God who first crunched them . . . but that is not the case when it comes to ideas and algorithms that can be used to encrypt information. Those ideas should be kept under close watch — and government control. Clearly, the letter implied, by allowing the Cornell conference to proceed, the IEEE would be illegally providing the equivalent of heavy-duty military equipment to our nation’s foes. “As an IEEE member,” the writer concluded, “I suggest that IEEE might wish to review this situation, for these modern weapons technologies, uncontrollably disseminated, could have more than academic effect.” The letter was signed by a J. A. Meyer, who identified himself only by his home address in Bethesda, Maryland, and his IEEE membership number. Who was this concerned member? It turns out that in January 1971 this same Joseph A. Meyer had written an article for an IEEE publication called Transactions on Aerospace and Electronics Systems, a paper so unusual that the editors felt compelled to include an introductory note on its controversial nature. 
Entitled “Crime Deterrent Transponder System,” it proposed a system whereby “small radio transponders would be attached to criminal recidivists, parolees, and bailees to identify them and detect their whereabouts.” By tagging likely lawbreakers, Meyer claimed, we could create “an electronic surveillance and command-control system to make crime pointless.” The biographical material described Meyer as a New Jersey native born in 1929 who got a math degree from Rutgers, spent two years in the air force in the early 1950s, and, from that point, “joined the Department of Defense, where he has worked primarily in the field of mathematics, computers, and communications in the United States and overseas.” Even a moderately seasoned observer could guess that the unspoken branch of the Defense Department was a three-letter agency whose name seldom appeared in print in 1971. Indeed, several weeks after the Meyer letter was received, Science magazine confirmed the rumors: Joseph A. Meyer worked at the National Security Agency. The timing of Meyer’s missive aroused deep suspicions about the NSA’s involvement in crushing independent work on crypto. It was sent almost at the moment that Vice Admiral Bobby Inman assumed the NSA directorship and began waging the very war that Meyer had declared against academic cryptographers. In the succeeding years, however, nothing has emerged to contradict Meyer’s claim (vociferously seconded by the NSA) that he had received no orders from Inman or anybody else to send his notorious letter. (Inman now says that on the day Meyer was writing his letter, he was getting a “turnover” briefing from the outgoing director, Lewis Allen — and the topic of public cryptography never even came up.) The Senate Intelligence Committee, looking into the matter, came to that same conclusion in 1978, and now even Marty Hellman believes that it’s probable that Meyer was simply a loose cannon.
On the other hand, the NSA conspicuously refused to repudiate the letter, and Inman later asserted to Congress that he believed that Meyer’s comments were valid ones. In any case, the Meyer letter had an immediate effect. Certainly, the organizers of the Cornell conference took the letter seriously — after all, if Meyer was right, they and the speakers at their conference could wind up in jail for simply presenting their research! It turned out, however, that the issue of technical data and the export regulations had come up a decade before at the society, and, as E. K. Gannett, the recipient of the letter, wrote back to Meyer in a fawning letter dated July 20, 1977, “All IEEE conference publications and journals are exempted from export license requirements under [ITAR] Section 125.11 (a) (1).” He went on to cite a footnote to that section that “places the burden of obtaining any required government approval for publication of technical data on the person or company seeking publication.” In other words, he was saying, it’s not our problem — it’s the problem of those members who dare perform research in the field. He expressed his gratitude to Meyer for “bringing this potentially important question to our attention,” and promised to bring the problem to the attention of “potentially interested parties.” Sure enough, on the same day, Gannett wrote a memo to Dr. Narenda P. Dwivedi, the organization’s director of technical activities, suggesting that the IEEE should perhaps ensure that the researchers “are aware of the rules of the game.” On August 20, Dwivedi wrote to researchers at six institutions. “A concerned and good-meaning member has drawn our attention to a possible violation by authors of ITAR regulations. . . . 
It appears that IEEE and its groups/societies/councils are exempt but the individuals (and/or their employers) have to watch out.” Dwivedi then offered some advice for the new breed of researchers in cryptography: they “should refer the paper to the Office of Munitions Control, Dept. of State, Washington, D. C., for their ruling.” What Dwivedi was suggesting was neatly in line with J. A. Meyer’s wishes. But if a researcher submitted a paper to the State Department, he or she would effectively yield control of the work to the government. As far as the MIT researchers were concerned, there would be, as Science put it, “a censorship system by the NSA over the research of the MIT Information Theory Group.” One of the recipients of Dwivedi’s letter was Marty Hellman. He quickly showed it to Ron Rivest, who was spending his summer break at Xerox PARC in Palo Alto, just down the road from Stanford. “It was probably my first realization that our work might involve sensitivities,” he says. As soon as he got back to MIT, a worried Rivest consulted the institution’s lawyers. Rivest, of course, was concerned about the legal implications of stuffing copies of Technical Memo Number 82 into the self-addressed letters with 35-cent stamps as part of the Scientific American “contest.” Was distribution of the RSA paper to the publication’s readers an illegal act? Could MIT be held at fault? Could Rivest and Adleman be jailed? And what about Shamir — he wasn’t even a U.S. citizen! Could MIT be cited for distributing a paper to one of its coauthors? “The requests for our paper were from all over the world,” says Rivest. “Some were from foreign governments. It wasn’t clear to me what we should do. 
When you receive this sort of ominous note from the NSA that this stuff is illegal, you want to be conservative and get it checked out.” Rivest even considered the possibility that some of the foreign requests for the memo might have been planted to entrap him under the export regulations, making him a poster boy for mathematicians who ventured too deeply into the forbidden turf of spy agencies. An answer came back quickly from the MIT administration — don’t send out those papers until this mess is resolved. To their credit, however, the heads of the university, sensitive to principles of academic freedom, worked diligently to clear the path for a free distribution of the tech memo. Despite MIT’s long history of working with national security agencies, often in top-secret research, this wasn’t easy. This time it was dealing with the National Security Agency — and at least some NSA officials, now face-to-face with an open challenge to their crypto monopoly, were themselves running scared. But this time, they had clear-eyed foes who believed that intellectual freedom should not be compromised on the basis of unproved claims of national security. In this new academic research area, new ground rules would be laid and most of the major decisions would be made in the early days. After setting the precedents, the MIT researchers believed, it would be much harder to change things in a fundamental way. At Stanford, Marty Hellman also wasted no time getting an opinion from the university lawyers. On October 7, university counsel John J. Schwartz assured him that “it is our opinion that the dissemination of the results of the research you describe is not unlawful.” Of course there was the danger that the lawyers were wrong, and the views of J. A. Meyer reflected those of the federal government; if so, Hellman might be prosecuted for delivering his paper. Schwartz promised that if that were the case, the university would defend him. 
“Nevertheless,” he added, “there would always remain a risk to you personally of fine or imprisonment if the government prevailed in such a case.” In the end, the Cornell conference — the ostensible focus of Meyer’s letter — went on as scheduled, including the very talks that Meyer had tagged as potential violations of the export rules and a threat to national security. It turned out that the professors had more backbone than the IEEE, which had urged them to vet their papers with the government. When two of Hellman’s graduate students fretted over the implications of getting cited by the government in the tender beginnings of their careers, he volunteered to read their papers himself. “I have tenure at Stanford,” Hellman told the New York Times, “and if the NSA should decide to push us in court, Stanford would back me. But for a student hoping to begin a career, it would not be so pleasant to go job hunting with three years of litigation hanging over his head.” Ralph Merkle spoke at a panel discussion, too. And Whit Diffie, who was not scheduled to speak at the conference, went out of his way to give a presentation at an informal session. “There was no trouble at the meeting,” he says. “My attitude was that the Meyer letter should be ignored.” Meanwhile, MIT’s lawyers were still wrangling with the National Security Agency over the legality of stuffing Tech Memo No. 82 into the 7000 self-addressed, stamped envelopes moldering in Shamir’s office and dropping them off at the post office. The academics had pointed out that a clause in the ITAR rules put them in the clear: a specific exemption on “published materials.” What did The Fort say to that? “As usual with NSA, it was hard to get any complete answer from them,” Shamir later recalled. More to the point, it became increasingly clear that the NSA could not come up with a legal rationale for its actions. So MIT allowed its professors to proceed. 
In December 1977, half a year after Gardner’s column appeared and the requests began tumbling in, the namesakes of the RSA algorithm invited grad students to a pizza and envelope-stuffing party. And then the papers were mailed. The RSA algorithm had gone global.

* * *

Perhaps the existence of these thousands of papers circulating around the world, in addition to thousands of reprints and photocopies of the Diffie-Hellman papers, should have been a signal to the NSA that the crypto toothpaste was out of the tube, and no decrees or scare tactics could generate the requisite physics to squeeze it back in. But for the next few years the agency, perhaps more from reflex than an expectation of success, kept trying to suppress the intellectual activity in the crypto world that now seemed to be exploding outside the Triple Fence. In retrospect, the institutional behavior seems strange and conflicted. But what else could the NSA do? The CIA may have had a rich and sordid history of bag jobs, honey traps, and other nut-squeezing enterprises, but the Fort Meade culture was dramatically different. Though the agency had certainly stepped over the line at times (as the Church committee documented), the organizational ethos always seemed to regard heroism in terms of the highly intellectual tasks of sucking up signals, concocting ciphers, and cracking codes. During the years that Whit Diffie crisscrossed the nation seeking guidance in his crypto efforts, there hadn’t been even a veiled threat against him, and certainly no indication that anyone would sneak up behind him in a Palo Alto coffeehouse and quietly use the end of a doctored umbrella to inject him with some exotic, slow-acting poison. That just wasn’t the NSA’s style.
A better question would be, “Given that the law might not back up the agency, why bother to fight the movement toward research in crypto?” Surely some of the smarter strategists within the Triple Fence recognized that, in some ways at least, an independent crypto movement would not be so bad for Fort Meade. Who was better positioned to exploit the revolutionary advances in cryptography than the NSA, whose expertise and knowledge of the field was infinitely ahead of anything resembling competition in either the private or public sectors? This was the dilemma facing Vice Admiral Bobby Inman literally within days after he took his post as director in July 1977. Though he had considerable experience with crypto as the director of naval intelligence — and years before that as a military recipient of signals intelligence — the idea of outsiders making important cryptologic advances was new to him. He had believed, along with most of his peers in the intelligence community, that “the NSA had a monopoly on talent,” he now says. “If there were incredibly bright people who wanted to work on cryptographic problems, the odds were high that they either worked inside the NSA, or worked with one of the scientific advisory groups [whose work was classified].” This insurgent revolt hit him like a fighter sucker punched at the instant the bell rang to begin the fight — especially since the furor over Meyer’s letter drew articles in the New York Times and the Washington Post. Inman understood immediately that not only was this a new sort of threat to his agency, but that new, perhaps unprecedented, responses were called for. Nonetheless, during the first few months of Inman’s tenure, the NSA kept acting as if the rules had not changed. In October 1977, an electrical engineering professor at the University of Wisconsin named George Davida applied for a patent for a device that used mathematical techniques to produce stream ciphers. 
He had produced the plans for this invention without any access to classified information, and his funding from the National Science Foundation had no strings attached to require him to clear his work with any defense agency. The patent itself was filed in the name of the university’s Alumni Research Foundation, conforming to a process whereby the university community retains the bulk of any invention profits by Wisconsin professors funded by the NSF. Davida next heard from the government on April 28, 1978, not with a patent approval but with a piece of paper marked SECRECY ORDER. The National Security Agency had declared his invention classified material. It was bad enough that the NSA had banned production of his device. Worse was the dilemma in which Davida found himself. The order put a clamp of secrecy not only over his device, but over the intellectual material behind the patent application as well. In effect, the NSA regarded Davida’s actual ideas as a sort of poison, a forbidden substance he was banned from circulating. Davida had little guidance as to how he might adhere to the ban, since his materials had already been well distributed. Was he really expected to follow the requirement to report all the people who might have seen his work — in effect, to drag his colleagues into this kafkaesque realm of ideas too dangerous to share? On the other hand, if he refused to comply with the secrecy order, he was subject to a $10,000 fine and two years in the pokey. Davida was not alone. On that same day in April, the NSA had slapped a secrecy order on the “Phasorphone,” a voice-scrambling device created by a team of scientists led by thirty-five-year-old Seattle technician Carl Nicolai. Five months after applying for a patent for an invention that he hoped would make him a fortune, Nicolai was not only prevented from selling his invention, but also from even using it. 
In spook parlance, Davida and Nicolai had become “John Does,” stripped not only of their work but of the credit due to them. As James Bamford explained in The Puzzle Palace, theirs were the relatively rare cases in which objectionable inventions were not independently discovered duplications of devices that already existed behind the Triple Fence but original creations that the government unilaterally regarded as too dangerous to be produced. But as the NSA was to learn, the days were gone when it could casually apply a secrecy order to the work of an academic or entrepreneur and have the matter closed. Davida and Nicolai went public, organizing well-placed letter-writing campaigns, educating their representatives in Congress, and spilling the story to the press. Davida, in particular, a compact, scrappy man who was disinclined to take the U.S. government at its word, was strident in his own defense. In his case, a quick meeting of university officials led the chancellor to write a furious letter to the NSF, demanding due process. The chancellor also brought the matter before Commerce Secretary Juanita Kreps, who was apparently dismayed at how easily her patent office could become an instrument of censorship. Meanwhile, Davida raged to Science magazine that the NSA’s actions were a form of academic McCarthyism. The NSA backed down. On June 13, it rescinded the order. Vice Admiral Inman’s later explanation, offered during a House hearing on “The Government’s Classification of Private Ideas,” was that the Davida decision was a mistake by a middle-level employee. Several months later, the restrictions on the Nicolai patent were also reversed. Since Inman himself had signed off on that secrecy order, he later offered a “heat of battle” excuse to the House subcommittee. “From dealing day to day with the Invention Secrecy Act, you have to make snap decisions,” he explained. 
Overall, he insisted that the problem with those two orders was “not a faulty law but inadequate government attention to its application.” Still, that double rebuke made it clear that the NSA no longer had free rein in using the law to keep crypto in government-approved sealed containers. By then Inman had decided to take his concerns directly to the institutions he was worried about. In what David Kahn called a “soft sell” attempt to quash work in cryptography, he embarked on a tour of research institutions. One memorable session occurred in the faculty club at the UC Berkeley campus, where Inman’s attempts at explaining his point of view were met by relentless, hostile questioning. “It was a dialogue of the deaf,” he says. Still, some comments made at the session led him to believe that a more productive relationship was possible. In an extraordinary move for an NSA director, he phoned Marty Hellman and asked for a meeting. “I liked him,” says Inman of the coinventor of public key crypto and DES’s most virulent critic. “I think he was impressed that I had driven down to see him, so his answer [to the request to begin a dialogue on how public crypto should be handled] was a tentative yes.” Inman tried to defuse the most blatant of the NSA’s restrictive acts against researchers, many of whom believed that, more than ever, the NSA was trying to lure them behind the Triple Fence, where their findings could be restricted. One of those who learned this firsthand was Len Adleman, the once-reluctant “A” in the RSA algorithm. For years Adleman had been receiving research funds from the NSF, routinely renewing his grants every three years. In the first proposal he filed after being involved with the RSA algorithm, he included a section outlining some work involving mathematics that might apply to cryptography.
After fielding the normal questions on such a proposal — budget questions and the like — Adleman was startled by a phone call from an NSF official informing him there would be additional changes. Specifically, the portion of the work that involved crypto would be funded by the National Security Agency. “I didn’t submit a proposal to the NSA,” Adleman told him. “I submitted it to the NSF, right?” The official conceded that this was so. But, he said, “It’s an interagency matter,” and ended the conversation. Adleman was incensed. He understood that there might be legitimate national security concerns about the direction of academic cryptography. (What if someone suddenly released a means to crack an important code?) But this was over the line. It meant that the country’s most secretive intelligence agency was influencing the premier scientific funding agency. “In my mind this threatened the whole mission of a university, and its place in society,” he says. Adleman decided to go public with his concerns. He called Gina Kolata, the reporter for Science who had been covering the conflict, and told her the story. Not long afterward, Adleman got another call — from Bobby Inman himself. The whole thing, explained the director of the National Security Agency, was a misunderstanding. “He was very nice,” recalls Adleman. The researcher wound up getting his entire grant funded by the NSF. For Inman, such compromises were in the service of eventually reaching some sort of détente with the academics that would satisfy both national security concerns and the researchers’ insistence on academic freedom. He believed that, ultimately, he held the trump card — one that would not only force the academics to play ball but also actually stem the potential tide of actual crypto implementations from covering the world. This winning hand lay in the laws known as the International Traffic in Arms Regulation. 
When Inman first arrived at The Fort, he told Congress at a hearing some years later, “I didn’t even know what an ITAR was.” But, he added, “my education went at a pretty fast pace.” Specifically, he now says, he came to realize that when it came to controlling crypto late in the twentieth century, “the whole issue is export.” Those laws were all that prevented a disastrous free-for-all in the distribution of cryptography — the equivalent of a national security meltdown. Inman recognized that restrictions on what could be shipped overseas, and the threat of prosecution if those laws were broken, would force people to deal with the NSA not only in what they were permitted to export, but in what they produced for domestic use. Those regulations would become the linchpin of the agency’s efforts to stop worldwide communications from becoming ciphertext. Ironically, the NSA’s own attempts to control private research about cryptography had set events in motion that threatened to thwart those regulations. The then–White House science advisor was a man named Frank Press. The controversy over public crypto had piqued his interest, and he asked the Justice Department to provide a legal opinion as to whether the ITAR laws violated First Amendment free-speech protections. The job fell to an assistant attorney general named John Harmon, who carefully analyzed the way the regulations were drafted. He discovered that ITAR required a license not only from arms dealers, but also from “virtually any person involved in a presentation or discussion, here or abroad, in which technical data could reach a foreign national.” Presentations and discussions? That was the First Amendment turf! On May 11, 1978, the Office of the General Counsel issued its opinion. 
It was a bombshell:

It is our view that the existing provisions of the ITAR are unconstitutional insofar as they establish a prior restraint on disclosure of cryptographic ideas and information developed by scientists and mathematicians in the private sector.

Inman was furious at this analysis, and he set about to fight it. He recruited “a brilliant new lawyer that I had persuaded to come work for NSA” to argue against the opinion. One gambit was to claim that a recent legal precedent had rendered the Harmon opinion moot. But a Justice official rebuffed that interpretation. “We do not believe that [the precedent] either resolves the First Amendment issues presented by restrictions of the export of cryptographic ideas or eliminates the need to reexamine the ITAR,” wrote deputy assistant attorney general Larry Hammond. Meanwhile, the NSA was treading a fine line. It was attempting to threaten crypto researchers who circulated their findings and ideas while it was fully aware that the Justice Department had concluded that such threats violated the Constitution. All of this wrangling was conducted out of the public eye. And none of it seemed to have affected the way that the NSA chose to interpret the export laws. So even though Vice Admiral Inman’s sharp young counsel was legally unable to overturn John Harmon’s findings, the attack against his opinion was effective. Because by not circulating its judgment in the matter, the Justice Department was effectively colluding with the NSA to ignore the possibility that its enforcement of the ITAR regulations violated the Bill of Rights. All of this came out in 1980, when the government operations subcommittee of the House of Representatives held hearings on “The Government’s Classification of Private Ideas.” At one point, the committee staff director, Tim Ingram, posed a pretty good question.
“How would I know, as a private litigant somehow ensnarled in the ITAR regulations, that I am being involved in a matter that the Justice Department, two years previously, has declared unconstitutional?” he asked. A Justice official explained that the opinion hadn’t been offered for the benefit of such citizens, but simply as advice to the department itself. This was not acceptable to Ingram. Perhaps thinking of the Rivests and Hellmans who had been threatened with jail for presenting their papers, or the Davidas and Nicolais who had been confronted with secrecy orders, or all the current researchers like Adleman who were now encountering more subtle pressures, Ingram had another question to ask:

You have this two-year-old opinion finding the regulation unconstitutional. There has been no change in the regulations. Is there any obligation on the department at some point to go to the president and force the issue and to tell the president that one of his executive agencies is currently in violation of the Constitution?

No satisfactory answer was forthcoming. In any case, Bobby Inman was worried about the new movement in cryptography and his limited power to stem it. His worst fear was that public adoption of encryption “would very directly impact on the ability of the NSA to deliver critical information.” He became convinced the agency needed a more formal authority to regain the controls over crypto. In his attempt to obtain this, he did something no one in his place had ever done. He went public. His chosen venue for this debut was Science magazine, the most aggressive press watchdog over the past few years. Of course, the very fact that the interview was granted was news in itself. The article quoted F.A.O. Schwarz, who had been chief counsel in the Church investigation, as saying, “I’m flabbergasted.
Back when we dealt with the NSA, they considered it dangerous to have even senators questioning them in closed session.” But there was news in Inman’s message, too — the NSA director was now openly extending his invitation for researchers to engage in “dialogue” with him and his people. “One motive I have in this first public interview,” he said, “is to find a way into some thoughtful discussion of what can be done between the two extremes of ‘that’s classified’ and ‘that’s academic freedom.’ ” But in almost the next breath, he conceded that if he got his way — and was able to censor academic research that involved national security — his proposed “thoughtful discussion” would probably end in “a debate between the Administration and the academic community” (one in which presumably the pissed-off college professors wouldn’t have much of an impact on making the government change its national security policy). A few weeks later, Inman made an even more extraordinary break with the NSA’s tradition of secrecy. He actually delivered a public speech in defense of his agency. True, the venue wasn’t exactly hostile — it was the January 1979 gathering of a trade association of electronics manufacturers who dealt largely in defense contracts. Yet the very fact that he was doing it represented a sea change that could provoke vertigo in even a vice admiral like Bobby Inman. He acknowledged this in his very first words: “A public address by an incumbent director of the National Security Agency on a subject relating to the agency’s mission,” he said, “is an event which — if not of historic proportions — is, at least to my knowledge, unprecedented.” In fact, just a few years previous, merely uttering the name of the agency would have been unprecedented. Now Inman was frankly admitting that the world had changed, and not by his choice. 
He referred wistfully to the days, only now gone, when his people “enjoyed the luxury of relative obscurity,” remaining closemouthed about their work to spouses and even office mates . . . the days when NSA “could perform its vital functions without reason for public scrutiny or public dialogue.” But now, in what he called “the encounter between the NSA and the rest of the world,” a new era had begun, where the NSA’s happy life spent “entirely in the shadows” was replaced by an era of “complex tensions” between the government and those wishing to communicate securely. Inman’s hope for his talk was to explain the NSA’s point of view on those tensions, the better for people to understand why it was, well, necessary to do things his way. Trust the NSA? Yes, said Inman. His people had gotten a bad rap recently, and he wanted to set the record straight. Did his agency cook the specifications for DES, perhaps inserting a trapdoor? No way. Did the NSA use export regulations to suppress scholarly work? Uh-uh. Exert influence to quash research grants? Please. The NSA, he insisted, was anything but “some kind of all-powerful secret influence.” In fact, that was the problem: while outsiders griped about a mighty spy agency with too much power over cryptography, “My concern,” said Bobby Inman, “is that the government has too little.” In a way, Inman had an excellent point; despite being the richest intelligence agency on the planet, the NSA was relatively toothless. But for its first decades of existence, the agency hadn’t needed laws of its own. Its advantages included not only the force of law but the fact that sophisticated cryptography was a devilishly specialized field, one that few people attempted to engage in, and even fewer could gain sufficient knowledge in to be a player. 
It was nearly inconceivable that outsiders, or even small governments, could compete with its fire-breathing computers, its world-class mathematicians, its unparalleled experience, its understanding of crypto history. But then came the Whit Diffies of the world — mathematically knowledgeable, with access to computers, and knowledge gleaned from books like David Kahn’s, books that the NSA had failed to suppress. Now there were dozens of them, academics like Ron Rivest and potential entrepreneurs like Carl Nicolai. These outsiders were backed by a cadre of civil libertarians, screeching that crypto breakthroughs could strike a blow to Big Brother. And suddenly, even the weak-hearted attempts of the NSA to stop the tide were being demonized on the front page of the New York Times. In Inman’s view, the victim was not free speech, but national security. But Inman’s proposed solution — a national sacrifice of free speech to preserve the national security — was doomed. He wanted trust. If he were to get academics to consciously forgo their freedom of speech, he needed trust. If trust were currency, though, the NSA’s balance would be roughly zero. It had never even bothered to open a bank account! It would take more than historic speeches by a sitting director for the NSA to figure out how to manipulate the increasingly out-of-control beast of nongovernmental crypto. As far as stopping academic research in cryptography, Inman lost that round. Despite his attempts to get Congress to grant the NSA legal authority to suppress publications, the First Amendment prevailed. Most impressively, the exemption in the ITAR for “technical publications” was clarified to the point that even a Fort Meade apparatchik couldn’t call it ambiguous. 
“Provision has been added,” went a 1980 revision of the rules, “to make it clear that the export of technical data does not purport to interfere with the First Amendment rights of individuals.” Bob Inman ultimately did forge a sort of compromise with the research community. At the NSA’s request, the American Council on Education organized a Cryptography Study Group to seek common ground. The group, which included both the NSA’s general counsel and a host of academics, including critics Marty Hellman and George Davida, held its first meeting in March 1980 to consider Inman’s proposal that some sort of statutory review process be imposed on private crypto researchers. The group rejected the idea, citing First Amendment considerations and the NSA’s inability to show evidence that such laws were absolutely necessary to defend the nation. The group’s alternative solution was a two-year experimental process by which those publishing work with relevance to cryptography could voluntarily submit papers to the NSA for review. If the NSA read the paper and felt that the information would somehow compromise national security, the researcher could consider such warnings and decide for himself whether or not to publish. Meanwhile, the agency would continue to fund the research of professionals willing to follow its rules, while allowing others to pursue funding by the NSF or any other agency. George Davida issued his own minority report, rejecting even voluntary review. He dismissed the NSA’s concerns outright, including its worry that research results might help foes crack our own cryptosystems. “This is not likely,” he wrote, “because researchers do not engage in cryptanalysis.” His conclusion was “the NSA’s effort to control cryptography [is] unnecessary, divisive, wasteful, and chilling. 
The NSA can perform its mission the old-fashioned way: STAY AHEAD OF OTHERS.” Nonetheless, the policy worked quite well from the point of view of researchers, since this meant that there was a way to deal with the NSA — or ignore it — without having to worry about getting their work deemed a government secret. The two-year trial period of this policy passed peacefully, after which the NSA quietly dropped any pretense of demanding a presubmission of anything produced by an American academic. It faithfully read papers in the field submitted voluntarily, and one of its scientists would occasionally address a question to an author, even pointing out a mistake here and there. It was all done cordially, because the NSA had no authority to go further than that. As the 1980s began, the first decade in the NSA’s existence when it had private competition, no one understood the challenge better than Bobby Inman, whose agency was charged with routinely intercepting foreign communications concerning the Iran hostage crisis and the Russian war in Afghanistan. He was haunted by the idea that one day Fort Meade would not be able to deliver such high-quality intelligence — because cryptosystems conceived and developed in the United States would be put into widespread commercial use. “I began to appreciate the export concern much more strongly,” he says. In a world where the basic concepts behind sophisticated encryption were found in public libraries and articles in Scientific American, and where a cryptosystem endorsed by the government itself — DES — was turning out to be more popular than the NSA expected, it was more important than ever to stop crypto at the border. The NSA director had it pegged: the whole issue is export. Diffie, Hellman, and the MIT trio might have broken the NSA monopoly, but Inman and his successors were not without their weapons. In a way, the war over crypto was only beginning. 
selling crypto

For the next few years, tensions seemed to ease between the government and the newly emerging independent forces in the world of crypto. After Bobby Inman’s unsuccessful campaign to censor crypto researchers legislatively, the agency seemed willing to coexist with academics treading on turf it once had owned exclusively. There might have been some wishful thinking in all of this, a sense at the NSA that all of these greenhorn academics were unlikely to turn up anything that might truly threaten The Fort’s mission. If the bureaucrats behind the Triple Fence believed that, though, they were in deep denial. The seminal breakthroughs at Stanford and MIT had turned a beacon upon the imaginary crossroads of crypto, where mathematics, computer science, and data security met. In 1971, when Whit Diffie wanted to talk to someone about crypto, he had to travel miles for morsels. A decade later, over a hundred members of the new crypto community were spending days together on a Pacific beach, discussing everything from cutting-edge algorithms to cryptanalysis. The “Crypto” conferences began in 1981, when a University of California at Santa Barbara electrical engineering professor named Alan Gersho invited about 120 potential attendees to his campus, a sprawling collection of modest structures on a bluff overlooking the ocean. He’d gotten the names from a list Len Adleman had compiled of people who’d shown an interest in nongovernmental cryptography. Gersho had wheedled a grant from the National Science Foundation to stage the event. About one hundred people showed up, including Diffie, Rivest, Merkle, and other newly minted luminaries in Cipher Land. They delivered papers — many of them offering refinements on the new public key schemes like knapsacks and RSA — gave talks, and schmoozed at cafeteria lunches and a barbeque on the beach. 
Gersho had planned the conclave as a one-time gathering, and despite the excitement, there were no immediate plans for a follow-up. Not long afterward, some European cryptographers held an invitation-only meeting in Germany, but that was also designed to be a stand-alone event. It was a then-minor player in the Santa Barbara shindig, a mere graduate student, who actually took the lead in making sure that such meetings would be held regularly. His name was David Chaum, and he would not be a minor player in the field for long. Working with no support, he got a copy of Adleman’s list of crypto academics and began organizing a return to the beachfront campus. Chaum also felt that the overseas event should be repeated, but under a different group of leaders. He hadn’t been invited to the German meeting but had gotten the impression that its organizers were “a little off to the right.” So he talked to some European cryptographers about organizing an annual spring “Eurocrypt.” Finally, Chaum thought that both yearly shebangs should be under the care of an actual organization of independent cryptographic researchers. He quietly made plans to form such a group. His inspiration was a speech by Martin Luther King Jr. he’d once heard that emphasized the word “organization” as a path to liberation. Concerned about possible pressure from the NSA to smother his plans in the bassinet, Chaum kept his communications to a minimum. You never know who’s listening, especially in a government of snoops. He took care to compartmentalize the information he discussed with people: while he landed Ron Rivest to chair the Santa Barbara conference program, for instance, he didn’t share his plans for the crypto society with Rivest. He avoided the telephone, instead arranging face-to-face meetings with those he wanted to reach. 
He typeset the conference notices himself, and got them printed at the same small Berkeley type shop that produced Covert Information Bulletin, a well-known newsletter critical of U.S. intelligence activities. His efforts paid off: the second conference, Crypto ’82, turned out to be even more exciting than the first. Serendipitous events, like the freewheeling “rump session” held toward the end of the week, solidified into traditions. The rump sessions, usually hosted by Diffie, mixed frivolous parodies of mathematics papers with serious, last-minute cryptological developments, but the tone was often raucous and irreverent. One year, speakers were required to speak in a code that replaced certain words with silly alternatives (for instance, instead of “Diffie-Hellman,” you had to say “Coke bottle”). Missed cues were greeted with a shower of water. Another year, some foreign visitors took too literally Diffie’s announcement that there would be a special session before breakfast the following morning with ninety minutes of Belgian jokes. One well-anticipated session at Crypto ’82 was the presentation of a collection of papers on cryptanalysis, chaired by Whit Diffie. The very inclusion of the topic on the agenda couldn’t have pleased the NSA: in its view, any knowledge of codebreaking outside the Triple Fence represented a possible threat to its own codes. Diffie himself had been worried that the session would be a bust. Over the winter he had arranged for the presentations. But one by one, for various reasons, his presenters dropped out. By late spring only one survived — a talk entitled “The Bombe at Bletchley Park,” by one of the original World War II codebreakers. It was Adi Shamir who came to the rescue. Shamir had been studying Ralph Merkle’s knapsack scheme for public key cryptography. And now, several weeks before the conference, he thought he had broken it, at least the weaker variation of the system known as the single-iteration knapsack. 
In the days following his announcement, others figured out a way to use his techniques — which themselves were based on mathematical innovations discovered by Hendrik Lenstra — to launch wider attacks. Diffie’s panel would be the ideal time to test these ideas. So by the time the cryptographers met in Santa Barbara that summer, Diffie’s program was filled with would-be assaults on knapsacks. The most interesting one would be Len Adleman’s. He not only had come up with a variation on Shamir’s ideas, but had also actually programmed the technique on his Apple II personal computer. The cryptographers in Santa Barbara decided to try a little experiment. During the first night of the conference, a gauntlet was tossed to Adleman — an encrypted knapsack message. Could he use his little machine to decode it? (If so, he would presumably collect the $100 reward Merkle had offered some years earlier.) The answer would come a couple of days later, right there in Diffie’s session, when Adleman’s attack would either bring him new glory — or leave him mortified in front of his crypto contemporaries. Adleman was scheduled to speak last. “The hour passed,” Diffie later recounted. “Various techniques for attacking knapsack systems with different characteristics were heard; and the Apple II sat on the table waiting to reveal the results of its labors.” When Adleman came forward to speak, he appeared anything but confident. He said he’d give “the theory first, the public humiliation later.” (He subsequently would explain that the humiliation he referred to was not Merkle’s but his own, if “the numbers didn’t turn out right.”) Then he proceeded with a description of his methods. While he talked, Carl Nicolai (the inventor whose crypto device had been temporarily suppressed by an NSA secrecy order in 1978) fiddled with the Apple II, which had been working away for the past few days, using Adleman’s formula to crack the encrypted message. 
Before long, Nicolai began painstakingly copying a screenful of numbers from the Apple’s monitor onto an overhead-projector transparency sheet. Finally, Adleman finished describing how his attack worked. It was time to see whether it worked. Nicolai gave the transparency to Adleman, who handed it to Adi Shamir. He also gave Shamir the sealed envelope with the numerical message encrypted earlier in the conference. Shamir placed the sheets side by side in the overhead, beaming the results on the screen. They matched precisely. Diffie would later write that “the public humiliation was not Adleman’s — it was the knapsack’s.” Indeed, this crack was the penultimate blow in what would turn out to be the utter destruction of the groundbreaking, clever, yet ultimately useless Merkle knapsack public key cryptosystem. The coup de grâce was instigated by Merkle himself. Paying the $100 to Adleman had not been particularly traumatic; Merkle had half expected someone to break the single-iteration knapsack scheme, which was the much weaker cousin of the real thing, the multiple-iteration version. In fact, Merkle felt secure enough to cast another challenge. In November of that year, he wrote a letter to Time magazine, offering $1000 to the first intrepid cryptanalyst who successfully decoded a multiple-iteration knapsack. Two years later, Merkle had to write a check for a cool grand to a researcher from Sandia National Laboratory named Ernie Brickell, who used a government Cray supercomputer to rip open a 40-iteration knapsack. When later asked what the problem was with the knapsack scheme, Merkle was succinct: “It didn’t work.” The significance of the knapsack attacks went far beyond the destruction of Merkle’s system. 
In fact, the moment at which Len Adleman’s Apple publicly destroyed a potentially valuable cryptosystem could be seen as a symbolic turning point in the still uneasy balance between the NSA-affiliated crypto spooks and the swelling ranks of outsiders who independently studied the protocols of crypto and routinely published their results. It was now clear that simply by sending scientists to a conference and subscribing to a few journals, a foreign government could get the kind of training in cryptology that was previously limited only to a sanctioned elite. It meant that codebreakers everywhere would be more resourceful. Only months before, government critic George Davida had mocked the NSA’s calls for prepublication review by asserting that the agency’s biggest worry — that the outsiders would circulate codebreaking methods — was ridiculous. “Researchers do not engage in cryptanalysis,” he wrote. But clearly, they did. Some at the NSA understood the threat that an independent crypto community represented: one of them approached Diffie and glumly observed, “It’s not that we haven’t seen this territory before, but you are covering it very quickly.” The only thing worse for the NSA would be watching the work of these academic cryptographers put to practical use. If an industry could be built on selling cryptography, and masses of people started using coding technologies, then the clear unencrypted signals intercepted by the NSA’s listening devices — whether cell phone calls or computer e-mail and files — would change to a dense white noise, a chaotic fugue that the agency’s computers might, with some effort, decipher. Or might not.

* * *

Could crypto be commercialized? Although the common use of personal computers, and, later, the Internet, demanded a way to protect information and verify who was sending it, the means of getting there was at best a rutted path. 
The bumps and potholes in that road are best illustrated by the fortunes (or lack of them) of the company founded by Ron Rivest, Adi Shamir, and Len Adleman. As with their landmark algorithm, the firm bore their initials. But while the RSA algorithm quickly reached an enthusiastic audience, the trajectory of their commercial operation initially threatened to resemble a busted missile launch. In fact, despite the rosy predictions of a crypto Renaissance in the seminal Diffie-Hellman and Rivest-Shamir-Adleman papers, there was little reason in the early 1980s to believe that serious bucks would ever be earned with the technology. Who would get venture capital to manufacture crypto products? How would those products be built into systems so that one could reasonably be assured that a scrambled document could actually be unscrambled by its recipient, or that the person receiving a digital signature would have the wherewithal to verify it? Nobody knew whether actual paying customers would be willing to put up with the difficulties that would come with having their computers crunch huge numbers for encryption and authentication. In fact, nobody knew if a substantial enough set of customers existed who were willing to pay for those things at all. “Some people said our stuff might turn out to be useful, but it wasn’t clear whether this would turn out to be successful in a commercial sense,” says Rivest. Still, the universities that had employed the crypto researchers hedged their bets by patenting their public key breakthroughs. In December 1977, MIT filed for its patent on the RSA algorithm. Ironically, the very act of filing for a patent made crypto’s widespread adoption potentially less likely. There was a definite Catch-22 aspect to claiming crypto as intellectual property: if algorithms were patented, then they could be used only by those who licensed them from the owners (presumably for a fee). But such tariffs might create a disincentive to universal adoption. 
If crypto was to be useful on a large scale, it stood to reason that everyone had to be using the same system, a convergence that would come about much more quickly if the system was free. It was a classic example of the Network Effect, a positive feedback loop in which value comes only with ubiquity. If everyone wasn’t using the same algorithms, then communicating with others in secret would be infinitely more difficult. It would be as if Bob had to worry about what brand of phone Alice used before he could ring her up. Not that this bothered the institutions that helped subsidize the public key research. While MIT had only the RSA system as its intellectual property, Stanford actually pursued a number of patents, ranging from a general claim for public key crypto to more specific implementations, including the Diffie-Hellman key exchange protocol and Merkle’s knapsack scheme. But the benefits of holding patents would be limited. For one thing, the largest current market for crypto — the government — didn’t have to pay to exploit either the Stanford or the MIT work. Both sets of cryptographers had enjoyed the support of the National Science Foundation, and the fruits of such subsidized research were, by law, available without charge, in perpetuity, to any and all federal agencies. And if that weren’t enough of a handicap, it turned out that both the Stanford and the RSA patents were valid only in the United States. In the case of both breakthroughs, the researchers had presented their findings before actually applying for the patent, an innocent mistake that didn’t affect their patent rights in the States but that did (because of the way patents are treated abroad) disqualify them from such protection in Europe. Still, once the patent filings were under way, it became clear to Rivest, Shamir, and Adleman that they still had the inside track on exploiting those patents. 
MIT was known to be generous in licensing its intellectual properties to the people who actually created them. (Any other stance would have risked a faculty revolt.) But the trio faced a unique situation: their crypto scheme had the potential to be a worldwide standard for privacy and commerce, but so far, the only thriving commerce in the field was in the realm of defense contractors and the relatively new market for DES-based products for financial institutions. In any case, none of the three researchers had any business experience. Nonetheless, they decided to forge ahead, hoping to transform their mathematical breakthroughs into something that actual human beings could use to communicate. Their hopes were high, and at least one of them thought that a payoff was around the corner. Len Adleman splurged on a flashy red Toyota. “It cost three or four thousand bucks, a big investment since I was making, like, thirteen thousand a year,” he says. “But I thought I would soon have money to throw away.” One of the problems in the late 1970s was that the most common general-purpose computers were too weak to generate good RSA encryption. In order to efficiently perform the calculations required to generate primes for a key and do all the mathematics required in encryption, decryption, and authentication, the MIT professors essentially would have to build a little computer-within-a-computer (on a circuit board loaded with specially designed chips) dedicated to those tasks. Rivest, aided by his colleagues, began working on such a device. After months of work they came up with hardware that could crunch two 50-digit primes in less than a second. Then reality sank in. There was no way that these relatively expensive circuit boards could become a mass-market product. It was absurd to assume that millions of people would pay several hundred dollars to install a complicated circuit board inside their computers in order to participate in a revolution that they hardly understood. 
So in 1981, the MIT trio came up with a more plausible scenario. They would put the RSA algorithm on a chip. Semiconductor chips could be mass-produced, and when millions of them were churned out, their costs shrank. You could even put tiny chips on credit-card-sized “smart cards” for people to carry around. The timing seemed right. Just a few years earlier, when IBM used its vast resources to make history by putting DES on a chip, it had been inconceivable that a few academics could attempt such a feat without a passel of deep-pocketed investors. Back then, such a feat would have been about as unlikely as a few grad students in some random engineering department deciding to launch a rocket to the moon. But in the interim, a Caltech professor named Carver Mead had changed all that. Mead, a veteran of the Silicon Valley semiconductor industry, was the guru of Very Large Scale Integration (VLSI), a technology that shrank what was once a huge computing machine into a thumbnail-size silicon chip. Eager to encourage research in the field, Mead had not only published a book on the subject, but helped set up a fabrication facility — known as a fab — to help academics actually build their own chips. At the time MIT was gearing up its own VLSI program, and Rivest signed up to run an experimental project that would result in getting the entire RSA process on one of those tiny chips. Meanwhile, they continued what had become an ongoing, if unintentionally comedic, effort to interest a big business mogul — any mogul — in the world of cryptography. As math nerds unschooled in the niceties of venture capital and unsuited for poker-faced negotiations, they were at the mercy of any random suit they hooked up with. But sometimes they lucked out and met someone who actually connected with the religion of it all. One such fellow was Pat Cremen, a loquacious Irishman who worked for the big Ericsson electronics firm. But he, too, was more of a vision seeker than a deal cutter. 
After examining the MIT crew’s algorithms, he broke into rhapsodies about the coming age of electronic wallets and virtual money. Rivest and his colleagues were transfixed by that vision, and probably wound up mentally counting the megabucks that would fill their own digital wallets when this new world came into being. They traveled to Dublin to pursue the idea. While the mutual admiration society was morale building, it turned out to be nothing more than that. Cremen ultimately failed to convince his bosses at Ericsson to put up the bucks. Maybe the bosses were right. There is a telling anecdote from this period. To implement RSA on a chip, the MIT scientists found themselves on the cutting edge of VLSI chip design. They had to invent their own tools, which potentially became valuable intellectual property in and of themselves, stuff that corporations and foreign spies might covet. For instance, in order to keep track of the hundreds of thousands of logic gates and transistors on the chip design, Rivest wound up writing elaborate chip-simulation software to organize the project. His program made things much easier when negotiating the chaos the scientists were generating on the fifth floor of Tech Square — when they would spread out huge layouts of the chip, parts of which Adleman had designed, parts of which Rivest had modeled, and other pieces that Shamir had created — wondering where this wire went or what that transistor did. So much easier, in fact, that it began to dawn on the trio that the software they were using to create the chip might have as much commercial or military value as the RSA algorithm itself. By creating this valuable technical property, they found themselves in the situation in which they imagined their future customers might one day be: possessing secrets worth protecting and in need of a system to protect it. So one night they sat down together and wondered whether they should protect all their precious ideas . . . by encrypting them. 
Did these pioneers of cryptography indeed use their own system to protect their ideas? “I remember our decision was, ‘Naaah, it’s too much trouble,’ ” says Adleman. “Too much work to encrypt it. And we never did.” The irony was lost on them. But the reality was they were harboring big-time hopes for a technology that even its inventors considered a pain in the ass to use! They all thought that Rivest’s chip-simulation system was a masterpiece. “We didn’t just throw this thing together and hope that a hundred thousand things were going to work out,” says Adleman. “Ron’s software simulated the chip according to Mead’s rules.” Because the simulation was sound, boasts Adleman, “we knew the chip would work.” But when they tested the actual chip, it didn’t work. Instead of crunching primes and other stuff, it did nothing. Adleman blames the failure on their overreliance on Carver Mead’s publications. “The rules in his book weren’t complete,” he says. But in fairness to Mead — who in any case wasn’t working for the MIT trio — the RSA project was larger than any he had contemplated to date. While other researchers were creating little baby projects like chips that would operate streetlights, the MIT people were using advanced mathematical algorithms, with huge prime numbers and zillions of calculations, to choose keys, encrypt text, decipher scrambled missives, process public keys, and sign messages with digital signatures. So much was going on that the silicon “wires” in the chip were, by standards of microtechnology, extremely long, sort of nano-equivalents of transatlantic cable. This made it all too easy to place those silicon microthreads too close to each other, causing deadly “crosstalk” that would flip bits and ruin the calculations. That’s not what you want when performing precision math. “It had simulated perfectly.” Rivest sighs. “But the fabrication process didn’t return working chips. 
It probably just needed some little tweak in the processor design.” In other words, though the experiment was a technical failure, Rivest was confident that the system could ultimately work. Still, the failure to produce a working prototype was not a great selling point. Nonetheless the three scientists persisted. In 1983, they formally joined the world of commerce by creating RSA Data Security, Incorporated (they had originally hoped to call it simply “RSA,” but that was the name of a garbage collection company in Maine). There was no product, no customers, and no evidence of demand. And not even their dreams at that point flirted with the possibility that one day hundreds of millions of people would use their new company’s technology on a daily basis. By that point, Len Adleman was getting fed up with the whole process. He felt that he was getting further away from where his talents lay, in theoretical math. All the intellectual effort expended in squeezing formulas into silicon, he thought, might be better spent trying to discover Fermat’s last theorem or some similarly epochal challenge. Still, he hung in, hoping that if he and his colleagues could get their new company on a solid commercial footing, they would cash in. Then Adleman, at least, could return to his vocation, gleefully covering whiteboards with intricate equations that had no discernable practical application. As mathematicians, they knew that the principle of Occam’s razor applied: the shortest solution to the problem was a straight line. But in this real-world puzzler of making a business succeed, there were endless detours in getting to point B. “We were clueless on this stuff,” says Adleman. Their first CEO was the reluctant Adleman himself, a man whose head was clearest when among the clouds. “At various times I was the prime mover; other times it was Ron,” he says now. (Adi Shamir, in the process of moving back to Israel to work at the Weizmann Institute, wasn’t as active.) 
Adleman naively figured that he’d handle this moonlighting lark in the spare moments left over from his new post as an associate math professor at the University of Southern California. They did understand they needed someone with experience to advise them. Somehow, they hooked up with a business consultant named Ted Izen, who was able to concoct one thing that the three brilliant MIT professors collectively had not managed to produce: a business plan. They also looked to Izen to come up with investors — fast. After months of delay and revision, the government was expected to finally grant MIT the patent for the RSA work. The Stanford patents had already been granted; on April 29, 1980, U.S. Patent 4,200,770, “Cryptographic Apparatus and Method,” credited Diffie, Hellman, and Merkle as the inventors of public key cryptography. And on August 19 of that year came another Stanford patent, for the work of Hellman and Merkle. Called “Public Key Cryptographic Apparatus and Method,” it specifically dealt with knapsacks but more broadly claimed to cover any implementation of the public key idea. The impending MIT patent built upon those Stanford patents to cover the RSA algorithm. If the new company was to succeed, it required the exclusive rights to that innovation; otherwise, more established competitors could simply license the RSA work from MIT and blow away the company formed by the actual R, S, and A. Here’s where MIT’s generosity kicked in. The university agreed to grant Rivest, Adleman, and Shamir the exclusive rights to their invention. For a price — $150,000. (Generosity goes only so far.) Where would these young math professors find that kind of cash? Izen delivered the answer: a Reno, Nevada, physician and businessman named Jack Kelly. He had a company called Sierra Microsystems in Lake Tahoe that designed chips and which could be a potential business partner for this new company. One day Kelly flew his private plane to Burbank to meet with the RSA trio. 
For the researchers, the easy part turned out to be convincing him that in an emerging information age, a technology like RSA’s was going to be absolutely pivotal. The harder part was forging a deal that the novice entrepreneurs would feel good about in the morning. Adleman later came to view the experience at a philosophical distance. “He was an experienced businessman, and I was an inexperienced businessman,” he says. “And when that combination gets together, it is often the case that the inexperienced businessman gets some experience.” Nonetheless, Kelly provided the requisite six-figure sum — $225,000 — that RSA Data Security needed to survive. And so, when, in September 1983, MIT was granted U.S. Patent 4,405,829, entitled “Cryptographic Communications System and Method,” its inventors were ready. Nine days later the fledgling company paid MIT the $150,000 (plus 5 percent of all its future revenues) for exclusive rights to the patent. With a real investment and control of its intellectual property, it was time to begin behaving like a business, creating and selling uncrackable cryptographic tools to anyone with a computer. With the remainder of Kelly’s investment, they set up an office in Silicon Valley and hired a professional manager to run the company. His name was Ralph Bennett. He had an impressive résumé — he’d worked at respectable companies like Fairchild Semiconductors — and from the point of view of the MIT professors, this fifty-something businessman seemed as good as anyone else around. With Bennett’s help, the company began gathering a workforce, including a sharp young marketer named Bart O’Brien. Even to an academic like Len Adleman, O’Brien, who had worked for a Florida high-tech company called Paradyne, was impressive. He was a slick dresser and an aggressive salesman who dreamed of running his own business. 
One day Adleman accompanied O’Brien on a sales call and was dazzled at the deft manner with which O’Brien parried the potential customer’s objections. Having deemed the RSA-on-a-chip scheme too complicated, the team’s first product was to be a software program mainly used to encrypt e-mail and stored data on personal computers. It would be called Mailsafe, a public key cryptosystem that would run on the most popular business personal computer, the IBM PC, and its clones. Adleman worked on the algorithms and Rivest concentrated on the implementation. Though Adleman did not find the work as intellectually thrilling as pure theory, he was engaged by the challenge of the alchemy of commercial programming, discovering tricks to make the math routines run more efficiently. Since both professors were working in their spare time, Mailsafe turned out to be a long project. During the development period, of course, RSA Data Security had no revenues. And Kelly’s investment was just about dried up. The situation became increasingly desperate. In theory, the company could get income from outside investors or advances paid on licensing deals. But under Ralph Bennett, not much of that was happening. Some of the people involved with the company would later claim that Bennett didn’t understand the nature of high-tech start-ups, and he wasn’t ideally prepared to evangelize the groundbreaking area of cryptography. In any case, the state of the young enterprise was, to say the least, precarious when Bart O’Brien called upon an old Paradyne friend of his named Jim Bidzos to help out with sales for RSA. At the time, it seemed like just one more random call. But the entrance of Jim Bidzos not only changed the future of the company, but the technology itself. Crypto had found its first supersalesman. And the repercussions would ripple from Silicon Valley to Fort Meade.

* * *

Jim Bidzos was an unlikely savior for public key cryptography.
The closest he came to processing algorithms was figuring out backgammon odds in the high-stakes Las Vegas tournaments he liked to frequent. Bidzos was then thirty-one, a Greek national born on February 20, 1955, in a mountainous region near the Albanian border: “A very, very small village in the middle of nowhere, no roads, maybe seventy people,” he says. Bidzos’s family had been there for ages; his father had taken a bride from a neighboring village in an arranged marriage. Bidzos was the second of four children, born in a small stone house. In the late 1950s, his father left Greece to do what Bidzos calls “the classic immigrant thing: he didn’t speak the language, had no training, no education, no skills, but he joined some people from the village who had gone to Ohio.” About two years later, when Bidzos was five, he and his mother and siblings followed. Young Jim Bidzos took to America quickly. While his parents instilled some values from the old country in him, his iconoclastic nature seemed to fit the looser pace of American life. A naturally bright, though not particularly diligent, student, he breezed through school. He describes himself as a rebellious teenager: not necessarily a troublemaker but the kind of kid who made it a point to do precisely what he was told not to do. He wound up in the marines. After his military stint (though not as a U.S. citizen; he held, and still does, a Greek passport), Bidzos attended the University of Maryland. While he majored in business, he did take some courses in computer programming. He claims to have written one of the earliest computer viruses, “just to prove it could be done.” After a couple of years at Maryland, he took a job at IBM and never went back to school. In the early 1980s, he got a visit from a headhunter. Would he be interested in working for Paradyne, a Florida firm that made networking equipment for IBM mainframes? 
The position was in marketing, but technical skills were required to explain products to customers. Paradyne was a fairly buttoned-down company, with almost two football teams’ worth of vice presidents who had come over from IBM and had adopted some of the company’s uptight culture: the black shoes, the starched white shirts, the feeling that you’ve screwed the pooch if you’re the first one to leave on a given day. But Bidzos had learned how to play the corporate game. Indeed, he thrived at it, racking up a series of promotions. At Paradyne, he also learned how to use an expense account. During vacations he’d blow off steam: his passions included motorcycle racing, high-stakes backgammon, and women. His journals from the seventies are permeated with notations about this woman or that. Still in his late twenties, he was living a Hugh Hefner–esque bachelor existence. This status was endangered only once, by a young woman he began dating; Bidzos sensed that she might really be the one. The matter was brought to a head by a change in his job situation. Bidzos had been getting bored at Paradyne. The white-shirt culture was making him nuts; he wanted to be in a less structured, more freewheeling environment, with high risks and rewards. To strike out on his own. But when he finally cut the cord at Paradyne and began a global marketing firm with some friends, his girlfriend uttered the words every confirmed bachelor dreaded: it’s now or never. She felt that if they didn’t marry, this new venture would take him away. Ever the deal maker, Bidzos chafed at being handed an ultimatum. It would be submitting to her terms. He would never get married under pressure, even to a woman he loved. So it was over. His girlfriend had been right about the lifestyle: his new job selling high-tech equipment to international customers and his own services to clients was all-consuming. 
Almost every month he’d go to Europe or the Far East — some months he’d hit both continents, a global ricochet — staying in the best hotels, dining in the best restaurants, choosing the priciest wines, and doing the deal, always doing the deal. Then he hit a wall. Was this to be his life — on the road all the time, looking for the next client? He began to ponder his lost love affair. He quit the company and began working on freelance marketing projects. If he needed a few bucks, something would come up. He was bored with Florida by this time and wanted to move to California. A firm for whom he’d sold IBM-compatible computer terminals offered him a job that would take him west, but he wasn’t interested. The president of the small company came back with a counteroffer. “I know you want to come here,” he said, “and I know you like my receptionist, so if you come and work for me two days a week, I’ll pay for the move — just give me six months.” The guy had pegged Bidzos right — he did like the receptionist — so he was in California by August 1985. Then he got in touch with his friend Bart O’Brien at RSA Data Security. O’Brien had mentioned RSA to Bidzos back in May, had even FedExed him a business plan. But Bidzos, who’d been about to leave on a five-week trip to Europe, couldn’t make any sense of it. He’d forgotten about it in the excitement of his travels. When he returned to his Florida apartment there were a few more envelopes waiting for him, all of which contained new and different RSA business plans, which apparently reversed course quicker than a backgammon game. Obviously, this strange new company was a work in progress. But O’Brien kept pushing. He invited Bidzos to stop in San Francisco on his way back from a trip to the Far East. Bidzos had barely arrived when O’Brien immediately embarked on a business trip of his own, leaving Bidzos with the keys to his apartment and car and a mandate to stay for a week and have some fun. 
Naturally, Bidzos took to Baghdad by the Bay, and began to make frequent return visits. O’Brien used these opportunities to ask for advice on RSA’s revolving business plans, and to solicit ideas on raising money. “You should come here to work,” O’Brien kept saying. Bidzos wasn’t quite ready for that, but he began to spend more time doing freelance projects for RSA, writing up a marketing plan and studying the possibilities of selling the entire system to IBM. The more he learned about the company’s mysterious product, the more intrigued he got. Despite being a motorcycle-racing, woman-chasing, wine-quaffing, high-risk gambler, Bidzos also had an intellectual streak, and he got a huge kick out of hanging out with the engineers, and particularly the cryptographers. One amazing night in late 1985, he met the most brilliant guy of all: Whit Diffie. Bidzos joined a group of RSA people treating Diffie to dinner at a Mexican restaurant at the Stanford Mall. The company had long been urging the public key inventor to become its chief scientist (at one point Diffie had even accepted, but wound up holding off until the company got more funding). The group included O’Brien, Ralph Bennett, and Al Alcorn, who’d been a key figure in the early days of Atari and Apple; RSA had been wooing him to join the company as well. Bidzos was dazzled at the conversational interplay between the brainy Alcorn and the enigmatic Diffie. After some cursory discussion about RSA’s future, the two minds just sort of hooked up and Bidzos grooved on the conversation like an uptown hipster wanna-be who’d sneaked into a secret jam session between Miles and Trane. As the group broke up, Bidzos asked Diffie if he might be available for lunch sometime to talk more. “I’m always available for lunch,” said Diffie. 
Over the next few months — years, really — Bidzos would take Diffie out for meals in Palo Alto and Berkeley for what was essentially a roaming tutorial in cryptography, public key, privacy, and politics. He eventually became quite knowledgeable on crypto’s fine points. On the other hand, Ralph Bennett — at least as far as Bidzos could tell — didn’t seem to be as charmed by Diffie. And vice versa. Bidzos recalls one lunch with the three of them at which Diffie began eyeing Bennett’s ham-and-cheese croissant sandwich. The stare was so intense that Bidzos was sure that Diffie was about to lunge at the food. Bennett must have noticed, too, because he offered Diffie a piece. Diffie declined, but kept staring at it. Suddenly, the long-haired, bearded cryptographer pulled out a large knife he’d been carrying, pulled the plate toward him, and whacked off half the sandwich. Then he calmly ate it. God knows what Bennett thought about that. But it obviously wasn’t a bonding moment. Bidzos soon realized that this little company trying to sell a crazy product to scramble computer data was in huge trouble. They had yet to ship a product or even license an algorithm. Operating expenses were murderous. The rent alone was a huge burden. O’Brien, ever the optimist, had rented the company a huge space in Redwood City near the Bay, just across from Oracle. It was the size of a soccer field, even though layoffs had left fewer than five employees. There was another potential land mine waiting to explode. It involved a loan from an investment banking operation run by two guys in New York. One was an Italian named Vinnie, who spoke with a profusion of disses and dats. His associate was a more soft-spoken Jewish fellow named Steve. They liked to hold meetings at Kaplan’s Deli in New York City. Though everything was on the up-and-up with these two, they still seemed like escapees from an Elmore Leonard novel. 
Drawing upon a list of about fifty investors (including, Bidzos says, dozens of New York doctors, dentists, and the comedian David Brenner), they had loaned RSA half a million dollars in December 1985. But RSA Data Security went through the money like a sugar-toothed eight-year-old gobbling Halloween candy. The $500,000 had barely been counted before it was almost gone, drained by accrued salaries, debt, and a bridge loan to cover operating expenses. The company was going bust. If that wasn’t enough to worry about, Bidzos then learned that Ralph Bennett, a Scientologist, had indicated that he might transfer his own considerable shares in the company to that organization. This would have made the Church of Scientology one of the biggest shareholders in the company — and the keeper of modern cryptography. Oddly, one thing that was not considered a problem at the time was the possibility that RSA, by launching a new and powerful form of cryptography into the growing ether of computer communications, might alienate the National Security Agency, or provoke a response from law enforcement agencies that felt threatened by the advent of cryptography. “Bart and Ralph understood the NSA had an interest in this sort of thing,” says Bidzos. “But they saw the agency as a potential customer.” As far as the visible lack of interest from the NSA itself — no queries or threats had emerged from behind the Triple Fence — Bidzos came to believe (correctly, as it turned out) that the spooks had figured that the smartest course of action would be to leave RSA alone . . . because the company almost certainly was falling apart on its own. “Bart was just lost and didn’t know what was happening,” says Bidzos. “He’s an optimist and a very enthusiastic fellow, and he was going to do a $10 million deal with every computer company in the world. But there were no prospects of making money anywhere.” Even so, drawn by the big-idea-ness of it all, Bidzos found himself more and more interested. 
In mid-January 1986, he agreed to accompany O’Brien to Boston to brainstorm with Rivest about the company’s problems. They flew on People Express, a discount airline with all the frills of a Greyhound Bus route on the Texas plains. The night before the meeting he and O’Brien went over the numbers, which looked bleaker than ever. It appeared that the flag bearer for public key cryptography might die without ever even raising the damn flag. Some revolution. In Rivest’s office the next day, Bidzos laid out the whole mess, scrawling the specifics on his blackboard. At first Rivest’s attitude was . . . professorial. After hearing the bad news, he sighed and said, “Oh, gee, I’d really hoped it would do well.” Bidzos tried to tell him that he simply wasn’t getting it. RSA’s failure wasn’t analogous to not winning some academic honor. There were consequences. When you take money from people, there’s a different kind of accountability. They all could be sued. Finally, as Rivest began to get the picture, he began to flip out. Then they got Adleman on the phone in Southern California. After hearing how dire the circumstances were, the mathematician once again realized why it was so much more pleasant dealing with theoretical problems in number space. So he decided to make his involvement theoretical. “I resign from the board of directors,” he said, and hung up. Years later, Adleman was philosophical about his role. “A large part of why the company wasn’t working was me,” he said. “In the beginning, RSA was a nonentity; it existed on paper but didn’t really exist. Somebody had to pick up the ball, and there was good news and bad news in my picking it up. If I hadn’t, the technology would have been picked up by someone else, and the patents would have gone to someone else. 
But while I gave birth to RSA to a certain extent, I didn’t do a good enough job to get a baby out that didn’t have some serious defects.” After O’Brien and Bidzos returned to California, they hired a management consultant who worked with them to try to find a way through the mess. As the meetings progressed, the consultant commented that Bidzos’s ideas seemed both inventive and practical. A crazy idea crossed Bidzos’s mind: maybe he should be running things. Even now, Bidzos cannot come up with a coherent sense of the reasoning that led him to join the endangered company full time as the instrument of its salvation. Indeed, in the months to come, trying to unravel the ongoing crisis late at night before the computer screen, he would often ask himself: Am I really here? I could be in a first-class cabin, flying to Paris to drink bordeaux at the Tour d’Argent with sweet Dominique! Yes, there was the opportunity to finally run a business. Yes, there was the excitement of a new technology. And yes, there was the lure of San Francisco with its women, its restaurants, its hot-tub parties in Tiburon. But it still really didn’t make sense. Though he went through the motions of figuring out how he might personally avoid the consequences if everything wound up in a horrid thicket of lawsuits and recriminations, deep down, he understood that he was involving himself in a potential train wreck. For a while, he maintained to himself that his role was only temporary — he would help the company secure some funding, hire a new leader, and eventually collect some stock for his labors. Then he’d be on his way. But by the end of March, everybody else on the payroll had left or been cleared out. (Bennett technically didn’t leave until mid-August, after some tough negotiations that led to a buyout and, incidentally, the end of a possible relationship between RSA and the Church of Scientology.) It was Good Friday, but Bidzos called it Black Friday. 
He went out to dinner that night with Rivest and Bennett, and officially took the title of vice president of sales and marketing. Later on, he realized that since he was the only official there, he might as well call himself the president. His chief concern was the financial crisis. Some bills simply could not be paid. And, of course, no money was coming in. He called debtors and negotiated. “You call a law firm and tell them the company’s winding down — we owe you $175,000 and we’ve got $10,000 to give you,” says Bidzos. And they’d settle for the cash! Meanwhile, he set off to keep Vinnie and Steve happy. Fortunately, he had a good relationship with them. One day at Kaplan’s Deli, Bidzos was signing the credit-card bill for the meal, and he mistakenly underpaid, writing a three instead of an eight. The waitress went ballistic, calling him a cheater. Bidzos was mortified. But Vinnie and Steve beamed. “We like that,” they joked. Affection aside, Vinnie and Steve had to think of their investors, and a lawsuit against RSA was still a possibility. They decided to get the opinion of a respected outsider, a guy whom they called “the Wizard of Wall Street.” He was a no-nonsense cigar smoker who cut to the chase when Bidzos was brought to meet him. “What’s the story?” he asked. Bidzos drew on his own cigar and launched into a spiel about the brilliant young MIT geniuses who figured out a way to secure computer data and enable commerce in the next century. The wizard was impressed, and Vinnie and Steve decided to keep the faith. The process that would truly save RSA, however, would be convincing large companies that they needed crypto, and then selling them the technology. While the encryption software program Mailsafe was getting closer to a finished version (it would finally ship in July), the current business plan assumed that it would not be software sales but licensing fees that brought in the bulk of RSA’s revenues. 
Before leaving the company, Bart O’Brien had compiled a list of about thirty potential large customers, and Bidzos went through it. Discussions with AT&T, which O’Brien had figured for a $10 million contract, had stalled. Bidzos kept taking meetings, seeing executives at IBM, DEC, and Xerox. But that first major contract seemed frustratingly elusive, a siren just out of reach. If RSA didn’t rope in a big score, all of Bidzos’s efforts would be wasted. The debts would be due, and the lawsuits would follow. Then the MIT patent, the crown jewel of the company, would be auctioned off for peanuts. He needed money now. But who would buy first? Would anyone bite? One potential savior stood out — a small software company called Iris Associates that was funded by the spreadsheet giant Lotus Development Corp. Iris’s product, called Notes, was the first example of a new software category called groupware, a program meant to be used by dozens or even thousands of people over a network. Notes was an ideal candidate for a built-in encryption system since it assumed that users would electronically exchange virtually all their messages, even ones involving the most confidential corporate secrets. Without a means of securing that information against eavesdroppers, Lotus’s potential customers — major corporations whose data were worth zillions — would be unlikely to purchase Notes. No one understood this better than the inventor of Notes. Ray Ozzie was one of those double-threat computer geniuses who not only could code their way out of a trunk loaded with rocks dropped into the middle of the ocean, but were equally visionary in the analog world, with an instinctive sense of the marketplace. He began his career at Data General, the minicomputer company, but when he saw the IBM PC microcomputer he realized that the future lay in these personal devices. So he moved to what was then one of the biggest PC software companies, Software Arts, creator of the original spreadsheet, VisiCalc. 
But in his head Ozzie was thinking about what could happen when all these personal computers got networked together. He felt that IBM itself would eventually get into the business of writing software for that world, but in the meantime there was a total vacuum — one that he hoped to fill with a program of his own design. That was Notes, and he founded Iris Associates to produce the program. But he spent much of 1982 unsuccessfully seeking start-up funding. In early 1983, he set out to pitch his vision to Mitch Kapor, the founder of Lotus, which had recently released a spreadsheet called 1-2-3 that immediately supplanted VisiCalc as the industry gold standard. Kapor’s main concern was finding a master software wizard to write Symphony, a multifunction program for Lotus, one that melded a spreadsheet, word processor, and database. So they made an agreement: if Ozzie would create Symphony for him, Kapor would fund Iris Associates to create Notes, and Lotus would distribute it. On the day Symphony shipped, in 1984, Kapor said, “Okay, Ray, do your thing.” Ozzie knew early on that security would be a key feature in Notes, and he looked forward to developing a technology to frustrate snoops and crooks. As a kid, he’d loved the TV show The Man from U.N.C.L.E. and played secret agent with his friends. That took a backseat to electronics and, eventually, computer science, but he’d gotten excited when he read Martin Gardner’s article about RSA in 1977. So he suspected that his product might benefit from a public key cryptosystem. Coincidentally, in early 1984, not long before he finished Symphony, he came across an article in Dr. Dobb’s Journal (a sort of programming guide for granola-chomping hackers) with a FORTRAN source code for encrypting with RSA. “It was so cool,” he recalls. 
In 1984, though, the appearance of an early implementation of RSA in a computer hobbyist magazine was a symbol of public key’s status: although the advance had made a lot of noise in the academic community, no one had seriously considered using it in a software product. But Notes needed something like it. In a memo Ozzie wrote about security issues, he identified the problem that his groupware product faced, both in protecting privacy and establishing authenticity:

Mitch Kapor wants to send mail to Jim Manzi [Lotus’s second-in-command] about some (perhaps sensitive) subject. Mitch sends it to Jim. First, although this mail SAYS that it is from Mitch, has some hacker on the network “faked” the message and put it into Jim’s mailbox? How can he be sure that this mail is really from Mitch? Second, he realized that this message passed through several intermediate machines; did anyone “take a peek” at the message as it was on its way to Jim?

Ozzie continued to describe the way a traditional computer security system would deal with the problem, that is, via a central authority that delivered passwords off-line, and became, essentially, a mandatory hub through which all traffic passed. This model was not only vulnerable in exactly the way that had made Whit Diffie so dissatisfied in the late 1960s — if the central authority screwed up, turned crooked, or turned you in, the whole system failed — but its very spirit was locked into an age that was destined for the junk heap. That system was synced with the mainframe model of computing, where some huge hulking circuit-laden beast did all the crunching, flipping computations to dozens or hundreds of users like some giant robotic blackjack dealer. Ozzie saw Notes not only as a pioneering product but also as a seminal example of the networked future, where the masses would have their own computers and not have to check in with some massive digital Big Brother.
Like the phone system, communications would be one-to-one, people communicating directly with their peers (as opposed to some now-antiquated models where communications were funneled through a central authority). “We believe that this is a bad approach,” wrote Ozzie of the central-authority model. “It changes the distributed nature of the network back into the old ‘centralized data’ approach of mainframes. . . . It also resurrects the problems with the ‘traditional solution,’ that is, trust in people and/or mechanisms that are not completely understood.”

The way to deliver security in the far-preferable decentralized manner was, of course, via public key. Diffie and Hellman’s landmark paper seemed almost to have Notes in mind when it outlined how Ozzie’s problems could be addressed. Through use of a “global phone book,” everybody in the organization would have access to everybody else’s public key. Public key provided a way that Notes users could not only send messages in complete privacy but could also make sure that the message wasn’t forged:

Consider the aforementioned scenario where Mitch sends a message to Jim. . . . Mitch writes a memo. In Notes, it invokes a menu item called “Sign Message.” Notes uses Mitch’s private key and the message itself to attach to the original message a “Signature,” a code that uniquely identifies both Mitch and the actual contents of the message. Once the message is signed, Mitch invokes the “Send Message” menu item. The message then leaves Mitch’s PC, goes across the network, and ends up in Jim’s PC. Jim, receiving the message, reads it and wonders if Mitch really sent him this message. He invokes a menu item called “Verify Message” (this, of course, could have been done automatically). Notes now looks at the directory of users to find Mitch’s Public Key. Once found, Notes uses the message’s attached “Signature” and Mitch’s Public Key to do the verification. When Notes says “OK,” it is indicating that the message was indeed sent by Mitch and the message is in its original form and has not been modified between Mitch and Jim.

Ozzie concluded that the only viable implementation of public key crypto was RSA. He needed a heavy-duty system. While the Dr. Dobb’s program was a fun hack, it was many magnitudes too slow to be used in a commercial program, let alone to be used to encrypt large messages. When Ozzie and his team got serious about encryption, they decided to go with a more sophisticated use of RSA: a hybrid system, using the public key method as a way for users securely to create symmetrical keys, which would be used to encrypt messages in a conventional cryptosystem. They figured the proper combo was RSA as a key-exchange algorithm and DES to actually scramble the message content.

Around that time, Mitch Kapor got an unsolicited letter from Ron Rivest. I don’t know if you have any need for this, the letter went, but there’s this useful algorithm called RSA, and we have the exclusive rights. . . . “Do you know what this is?” Kapor asked Ozzie. “Oh, shit,” said Ozzie. “RSA is subject to licensing?”

A meeting was arranged. On April 29, 1985, Bart O’Brien and Ron Rivest came to Iris. It was by far the most promising sales call in RSA company history. When O’Brien launched into his standard song and dance about the wonders of their system, Ozzie cut him off — the Iris people were already sold on the virtues of RSA. Discussion immediately switched to how the companies might work together. Ozzie was particularly excited at the prospect of having Rivest himself available for consultation: “Who can better verify an algorithm than its inventor?” he wrote in a memo. The main sticking point turned out to be money.
When it came time to give actual figures, O’Brien, offering what he called “a first-guess estimate,” asked for the moon: $100 a unit for the first 15,000 customers (or “seats”) with a sliding downward scale that stopped at $50 a seat after the 100,000th user. Ozzie told them those estimates were “tremendously out of line with reality.” After all, the wholesale price of the entire software package was to be only a couple of hundred dollars. Ozzie promised, though, that he’d discuss pricing with Lotus, which would ultimately be paying the licensing fees. But he knew that there was no way Lotus would ever pay that kind of money. Sometime during the discussion Bart O’Brien mentioned that Ozzie might want to check out whether including encryption in its product might affect overseas sales. Ozzie admitted that he’d never given any thought to the issue. Rivest and O’Brien suggested that he make contact with the National Security Agency on this, but first Iris or Lotus — whichever was going to export the product — should figure out a government strategy. “These are not people you want to deal with casually,” they told Ozzie. “You want to understand the endgame.” When the meeting was over, Ozzie quickly realized that no matter what system Notes used, this might be an issue, and in his memo he requested that Lotus’s lawyers look into how the export regulations might affect the product. The meeting ended amicably, but the sticking point remained: RSA’s outrageous asking price. On the other hand, the public key algorithms were perfect for Notes. “We knew technologically what we wanted — we’d already prototyped it,” says Ozzie. “I wasn’t going to put all my cards on the table at the first negotiation, but they could tell we were clearly excited.” But for a while it remained a stalemate. RSA regarded Lotus as one of many potential big scores, and Ozzie began what he saw as a sales job to Lotus, trying to get them to shell out for a reasonable license fee. 
By the time Jim Bidzos joined the talks, almost a year had passed since the initial contact between RSA and Ozzie, with little progress made. In fact, after making some tentative inquiries with the government, the Notes people had reason to second-guess the whole idea of licensing crypto: they’d been given hints that the National Security Agency would be less than pleased at the prospect of a major software product with technology to scramble information that the supercomputers behind the Triple Fence could not easily read. But as soon as RSA’s new leader came in — this fast-talking thirty-one-year-old Greek who was obviously not a hacker, not from the Silicon Valley culture at all — the Iris guys knew that negotiations had reached a new phase. Bidzos jacked up the urgency quotient instantly. He clearly wanted to cut a deal and wasn’t afraid to take the conversation in an adversarial direction. He emphatically reminded Lotus that RSA had the technology Notes needed, technology unattainable elsewhere. Without crypto, big corporations that wanted their communications protected would never use Notes. As far as he was concerned, Jim Bidzos had Ray Ozzie by the balls, and made sure he knew it. This aggressiveness unnerved Ozzie and his colleagues. Bidzos’s come-on was so intense that for weeks the speculation at Iris and Lotus was whether this pushy Greek was actually some sort of intelligence agent who’d been planted at RSA to control crypto. Still, Bidzos’s appearance broke the stalemate. He could switch from an iron glove to a velvet one. He reassured the Iris people that RSA — meaning Ron Rivest and some moonlighting MIT colleagues — could actually help to build the RSA algorithm into the product. And his financial demands were nowhere near the fantasy figures that Bart O’Brien had demanded earlier. In fact, one of his chief criticisms of his predecessors was their ridiculous financial demands. 
Meanwhile, Ozzie had convinced Lotus CEO Mitch Kapor that public key technology was essential to Notes and it was time to come in with a solid offer. Lotus dangled before the troubled crypto company something it needed desperately: a cash advance against royalties. The figure was $200,000, but Lotus wouldn’t pay all of that until the development work was done. Upon signing, however, Bidzos would get a check for $50,000. At that point, $50,000 represented the difference between life and death for RSA Data Security. The contracts were drawn that summer, to be executed in October, when Bidzos would go to Lotus’s new headquarters on the Charles River in Cambridge, and he and Mitch Kapor would both sign the contract. But when the RSA contingent arrived that day they sensed a profound disarray at Lotus. Sitting in the waiting room, Bidzos reached for a copy of the Wall Street Journal. On the front page was one of its trademark ink-pen portraits — of Mitch Kapor. It accompanied a story that said that Kapor was resigning from Lotus to pursue those ever-compelling personal goals. Essentially, the former transcendental meditation teacher had grown intolerant of the business world’s soul-battering minutiae, and he was following his muse out the door. Before Bidzos had a chance to assess the impact of this on the still-unsigned contract, a receptionist summoned him upstairs. Kapor was there, his muse apparently still loitering in the building. “I don’t work here anymore,” he said. “But Ed Belove will take care of you.” Belove, a vice-president who had worked on the deal, had the authority to sign the contract, and he did. With that money, RSA was able not only to keep its doors open, but also to start distributing Mailsafe. Who was the audience for such a personal computer–based cryptography product? The RSA people really didn’t have an idea. The mainstream of the American public didn’t consider encrypting e-mail a pressing concern. 
On the other hand, there was a vast number of career paranoids who found the product immediately attractive. One particular caller seemed to embody this arcane demographic. Around the time Mailsafe shipped, calls started coming in to RSA that began with heavy breathing. Then an anxious voice would burst out, How big are the keys that come with Mailsafe? And they’d tell him, “One hundred forty digits.” Then, puff puff, he’d ask, How hard is that to break? and they’d say it would take a supercomputer a trillion years to find the key. Can I set bigger keys? he’d ask, pant pant, and they’d tell him yes and then hear heavy, almost frenzied wheezing on the line. Can the government break that? Uh-uh. Can the NSA break that? The next day, he’d call back, asking essentially the same questions. He became known at RSA as the Obscene Crypto Caller. “He obviously thought we were some huge company that wouldn’t know it was the same guy calling,” says Bidzos. “In fact, we’d all huddle around and listen to him when he called.” Would RSA sell its product to the Obscene Crypto Caller? Yes, it would. Just as the NSA had feared, here was a company that would sell to anybody. And as long as RSA didn’t send it across the borders of the United States, the company was perfectly within its rights to do so. It wouldn’t ask why people wanted to use it: that was nobody’s business but the buyer’s. It would even ship to post office boxes. Sometimes Bidzos himself would talk to customers when they called. One fellow in Pittsburgh quizzed him at length on the strength of the product, particularly on whether the government was able to break it. Bidzos asked him why he wanted Mailsafe. It turned out the guy sold surveillance countermeasures, like equipment that swept rooms for electronic monitoring bugs. 
Bidzos immediately realized that he had something in common with the man: both of them dealt in tools that were regulated by a government with a high stake in restricting the most powerful technology in the field. The conversation would also get Bidzos wondering whether he was being bugged. But Mailsafe was a sideshow; Bidzos realized that RSA’s revenue stream would mainly be the big companies that licensed the RSA toolkit and built encryption directly into their own products. After the hurdle of the first big deal with Lotus was cleared, a number of large customers — including some of the most influential in the land — fell into line over the next few months. First came Motorola, which wanted public key technology for secure telephones. Then came Digital Equipment Corporation and Novell, both companies that required a means to secure computer networks. All of these deals were closed by RSA’s supersalesman Jim Bidzos. When negotiating with potential licensees, he had the ultimate weapon: the patents for the technology. Before naming a price, he would speak at length about the nature of encryption and authentication, drawing deeply on his informal tutorials from Diffie, Rivest, Adleman, and Shamir. By then, Diffie had decided not to work for RSA formally — “I’ve never had a start-up personality; I’ve never been able to work on anything but what I was interested in at the moment,” he later explained. The company instead needed people like Rivest, who could focus his attention and write thousands of lines of product code in a few weeks. Bidzos had himself become quite an explicator of the crypto revolution. He understood completely how what would later be called the Network Effect was absolutely crucial when it came to public key cryptography: its value increased exponentially by the degree to which it spread throughout the population. 
For that reason, he almost always insisted that RSA be built into the basic product, so buyers would get crypto without specifically having to ask for it. Only when Bidzos finished his rap would he get into the terms of the deal. The kind of arrangements he liked the best were those that involved getting encryption into the hands of thousands, maybe even hundreds of thousands, of users. With a customer base that size, RSA would demand only a few dollars per seat. A dream began to form: a world where everybody could, and did, communicate with the privacy that encryption provided; a world where people could not only swap mail but sign contracts and pay bills with all the safeguards available in the physical world. And RSA would get a piece of all that. It was the ultimate salesman’s dream. But it was also the NSA’s nightmare. For a crucial period in the mid-1980s, however, Bidzos heard little from the government. He says that there were occasional rumors that some officials were quietly urging some sort of action against RSA, action that might have been devastating to the fragile young company. “Buy them, threaten them, do something — just stop them,” he’d heard they were saying. “There are a million ways to do it.” But nobody did. So, his theory went, the government simply sat back and waited for RSA to self-destruct. The government skeptics underestimated Jim Bidzos. By the end of the summer of 1986, he had transformed the company and won the trust, if not the total enthusiasm, of all three of the firm’s namesakes. Ron Rivest had become a good friend, and was the most committed of the trio. He saw Len Adleman in Berkeley, who was amiable but somewhat reserved — though still a shareholder, he’d apparently had enough of the business life. Then in August Bidzos met Adi Shamir, who had moved back to Israel but was in the Bay Area before heading to Santa Barbara for the annual Crypto conclave. Bidzos spent the day with him. 
He found Shamir very bright and very intense, and the businessman took pains to solicit ideas from the cryptographer — who was, after all, also a shareholder — on RSA’s various opportunities for success. Relations were not as good, though, with Marty Hellman. In the 1980s, Diffie’s coinventor of public key had tried to go into business himself selling crypto solutions under the name Hellman Associates. But the venture never took off, perhaps because much of his energy in the eighties was devoted to intense involvement in an antinuclear group called Beyond War. “The importance of cryptography couldn’t compare to the importance of the danger to human survival, and so I worked on the issue of making sure the human race survived,” he later explained. Still, now he seemed upset, even hurt, that this company based in part on his ideas was finally beginning to make it, particularly since he disagreed with parts of RSA Data Security’s approach to public key. Bidzos says he tried to bring Hellman in, and arranged a sort of reconciliation with all the other public key creators in a dorm room at Crypto ’86 that August. Hellman, Bidzos recalls, was emotional as he voiced his complaints. But nothing came of the meeting, and for years there was a chill between Hellman and the others. Bidzos says he later offered Hellman stock in the company, begged him to take it — he’d already given shares to Diffie. But Hellman refused, claiming that he wasn’t a stock guy. (He did accept a stipend to become a “distinguished associate.”) Had he taken the stock, he would have eventually cleared well over a million dollars, as Diffie did. This was in contrast to the pitifully low sum paid to them by Stanford, which held the actual patents for their breakthroughs — Diffie’s own share came to only about $10,000. In any case, RSA Data Security, Inc., was beginning to take off. But now it was triggering the NSA’s radar. And the first to notice were RSA’s customers. 
patents and keys

To Ray Ozzie the whole thing was a no-brainer. He was creating a product by which people exchanged information that they might want to protect. Including encryption in the product was simply a means of providing them that protection. It was simple business. It was common sense. But now that Lotus was actually preparing to include RSA as an essential component of Notes, he found himself waist deep in a thicket of red tape concerning its export — almost as if he were a virtual enemy of the state. To his horror, he discovered that as far as the export rules were concerned, even a strictly commercial program that helps people run their businesses is considered a weapon. Not a handgun or a stiletto, either, but a weapon of mass destruction, like a Stinger missile or a nuclear bomb trigger. Ozzie could have simply avoided the whole mess by not exporting his product. On a practical level, though, limiting sales to America was unthinkable. It would mean cutting potential revenues at least in half. Software for personal computers was a global market, particularly when it came to big corporations that were the prime consumers of Notes. But such a market hadn’t existed when the export regulations were created. When Ozzie and the Lotus lawyers did their research, they found that crypto export licenses were generally issued only when the exporter (typically some company with ties to the military establishment) was able to identify and vouch for the friendliness and trustworthiness of the final users. The process was called an “end-user certification.” But Notes was a mass-market product, sold shrink-wrapped like a cassette tape. The users would be . . . just plain people. To their dismay, the Lotus lawyers were unable to find any previous case where a crypto export license had been issued in those circumstances. To wend one’s way through the political, technical, and spookified minefield of these regulations and restrictions, you needed a white-shoed D.C.
lawyer-minesweeper, so Lotus went out and got one. His name was Dave Wormser. His first piece of advice was to go directly to what would be the source of all objections: the NSA. The law didn’t require this — the specified avenue was the State Department — but Wormser knew that even filling out an application would be a waste of time unless they knew what the minds behind the Triple Fence might find troublesome in the product. So, in mid-1986, not long after inking the deal with RSA, Ray Ozzie went to Fort Meade, Maryland, to see what he was up against. He was accompanied by Wormser and Alan Eldridge, the Iris engineer who was in charge of the security components in Notes. Ozzie was thirty years old at the time, just a bit too young to have been swept up in the sixties rebellion but still old enough to have a skeptical attitude toward the military. As a heads-down engineer and product developer, though, he had little idea of what he had stumbled into. Ray Ozzie, of course, knew nothing about the similar journey made over a decade earlier by Walt Tuchman of IBM. Tuchman, too, had been an outsider with a plan that would extend the powers of crypto beyond the area that The Fort had cordoned off for itself. The NSA, confident that a company like IBM would never defy a request made in the name of national security, had originally felt it had risen to that challenge, but in the years after the approval of the Data Encryption Standard, it had become clear that the problem had not gone away. As crypto edged its way more and more into the public sector — and DES became more and more common within U.S. borders — certain forces within the NSA now saw the approval of DES, despite IBM’s extraordinary concessions, as a horrible mistake. Who knew that everybody from middle managers to grandmas were going to be using computers strong enough to do industrial-strength encryption? 
To some in the agency, the arrival of the Lotus team was probably the strongest indication yet that crypto was already leaching out into the mainstream. To those NSA people, Ray Ozzie’s visit meant that the crypto barbarians were indeed at the gate. Fort Meade, with its fences, its guardhouse, the long hallway with pictures of obscure generals, the generic meeting room you’re ushered into with furniture that looked like it had been there since the McCarthy era, was pretty intimidating. It made Ray Ozzie think, These people are obviously in control and they know it. The meeting began when several NSA officials came in. One of them, apparently the case officer on this matter, began questioning the trio. (This particular functionary — Ozzie is loath to disclose his name — wound up following the progress of Notes for more than ten years.) What was the product? When would it be ready? What sort of cryptography do you hope to use? Ozzie and his team described their hybrid crypto scheme: RSA for the key exchange and DES for the actual encryption. But the very mention of DES made the NSA people go nuts. “I’ll tell you right now,” one of them said. “You’re not going to export DES, no way, under no circumstances . . . you will never export DES.” This seemed strange: hadn’t the NSA put its seal of approval on DES? Not to be exported to anyone with a couple hundred bucks to spend, baby. The NSA functionary explained that DES was not merely a cryptosystem but a red-hot political issue at The Fort, with implications that a private-sector engineer would not understand and had no need to understand. Ozzie didn’t know it then, but the NSA was going through a period of post–Data Encryption Standard remorse. In fact, the agency was just then working on a project of its own called the Commercial COMSEC Endorsement Program, which it hoped would kill off the Lucifer-based cipher and replace it with a cryptosystem of its own, dubbed Project Overtake. 
The ostensible reason was that widespread use of DES “could motivate a hostile intelligence organization to mount a large scale attack” on the cipher. This in itself was sort of ironic, since it was the NSA that mandated the smaller key size for the code, thus making it vulnerable to such an attack. The real problem wasn’t that DES was weak, but that it was sound, too sound for a cryptosystem used by the general public. DES now threatened to fall into much wider use than the agency had estimated — and if mass-market public key systems like Notes used DES, the problem would get far worse. So Fort Meade now viewed the cipher as a rogue element in its global mission. The solution was for the NSA to come up with its own cipher, which would be strictly under its control. Yet Project Overtake was a doomed initiative because its potential private-sector customers weren’t buying. For one thing, its technology was expensive and clunky. It involved audiocassette-sized devices built to snap into computers. The boxes cost well over $1000 each. Worse, the banks and other financial institutions asked to participate in this project were given no control over the system. The algorithms themselves were protected. The boxes would be tamperproof. Even the keys were to be generated and distributed by the NSA itself. What assurances did the NSA give that the agency would not be keeping copies of the keys for itself? In a rare public interview in the Wall Street Journal, an NSA representative sniffed, “We have better things to do with our time.” In other words: Trust us. Elsewhere in that article, the NSA’s neo-Stalinistic marketing tactics were examined. A banking executive described a typical Project Overtake sales call: “An NSA guy stands up and makes pronouncements. ‘You guys have to do this.’ It’s a directive. You can imagine how far this gets them.” No, thank you, said the banks. They’d stick with DES. 
Though Ray Ozzie was unaware of all this, he was beginning to realize that the idea of exporting crypto was a very big deal for these guys. As the ostensibly amiable interrogation continued that day, it became clear that the NSA people did not even have the vocabulary to deal with a mass-marketed product with strong security like Lotus Notes. “They had dealt with people who knew their customers, and could vouch for them with end-user certifications,” says Ozzie. “But we had to explain to them that our industry didn’t work that way.” When Ozzie tried to elaborate on this, his attorney began kicking him under the table — this wasn’t the kind of thing that the NSA wanted to hear. But Ozzie felt it important to defend the crypto component in Notes, explaining that if people were going to use the product, they’d be risking their entire businesses on the security of the information. That argument didn’t seem to impress the spooks. Flying back to Boston after that first meeting, Ozzie asked himself, Would it really be so bad to distribute Lotus Notes only within the United States, and avoid this whole battle? But that approach would be financial suicide. You simply could not compete if you wrote off the global marketplace. So Ozzie had the lawyers arrange another meeting, this time in Cambridge. Had the National Security Agency softened its position at all? “Just to make sure you know where we stand,” said one of the NSA representatives to the Lotus people, “we’ve long known you’ve had encryption in Lotus 1-2-3, and from our standpoint that’s within our jurisdiction. We could stop your shipments of 1-2-3 tomorrow if we felt like it.” Lotus 1-2-3, of course, was the spreadsheet that provided the lion’s share of the company’s revenues. It was the most popular software product in the world and a huge percentage of its sales was overseas. What was the “encryption” to which the NSA referred?
Lotus’s spreadsheet program contained a simple password option that blocked access to unauthorized users. Now, it was highly unlikely that the U.S. government would dare halt all shipments of software that used passwords, an act that would cause the entire personal computer software industry to collapse. Still, the threat had its effect. Ozzie glanced over at his lawyer, and saw a look of sheer panic. In the course of that meeting and several others over the next three years, it became very clear to Ray Ozzie that no matter how crucial Lotus Notes might be to his company or even to the U.S. economy, any approval he got for export would be on the government’s terms only. On the other hand, he was relieved that no one dealing on behalf of the NSA ever made any demands on what encryption might be sold within the borders of the United States. (Such a demand would have been a violation of the Computer Security Act, but who knew where those guys would stop?) Whenever Ozzie indicated that export restrictions might force Lotus to release two versions of Notes, one with strong encryption for domestic use and the other for approved export, the government negotiators would shrug and say, “Well, that’s your decision.” At times Ozzie would wonder whether the NSA wanted Lotus to create some secret skeleton key by which the spooks could quickly unscramble messages encrypted by Notes. He once probed to see if that was the case. “What the hell do you want?” he asked his tormentors. “Are you waiting for me to offer you a back door?” The response was immediate: No, we don’t want you to compromise the security of the product. “So what the hell do you want?” Ozzie would ask, and he’d get no good answer. And the stalemate would continue. 
Finally, around the middle of 1987, Ozzie and his team got a concession from the NSA: If Lotus dropped DES and found a replacement cipher, the government would evaluate that cipher’s strength and allow Notes to be exported, with a key length that the parties would then negotiate. Lotus immediately hired Ron Rivest to cook up a new encryption algorithm. After a few weeks of intense work, he came up with his own cipher that he named RC-2, for Rivest Cipher 2. (A first effort was shelved.) Rivest’s system was similar to DES in that it was a block cipher that used complicated substitutions, but unlike DES, it had a variable key length. Lotus paid for all the development costs but allowed RSA to hold the patents. Rivest submitted the code to the NSA in 1987; not long afterward, he heard that the Triple Fence crypto wizards required a couple of tweaks. “How do you know they’re not doing something to weaken it?” Ozzie asked him. Rivest replied that the government’s comments actually made good sense, so he felt safe making their changes. That took a month or so, and the negotiations picked up again. Not that they were getting anywhere. “The content of the meetings was getting very thin,” says Ozzie. “I believe we were definitely being stalled.” His impression was that there was strife within the NSA itself on how to proceed. During 1987 and 1988, the lack of an export license wasn’t that much of a crisis for Lotus, because Notes was one of those ambitious software efforts that were years late in production. So the encryption issue wasn’t holding up the product itself. But as 1989 rolled around, it looked like the program might finally be ready to ship. Now an export solution was essential. The only thing that Lotus had going for it, really, was perseverance. Not that Ozzie had any alternatives. Every time he’d mention the possibility of shipping a product only in the United States, the marketing people insisted such a course was just not financially viable. 
So he kept pressing. Kept asking for more meetings with the NSA. Kept supplying any and all information the government requested. So much information, he figured, that if he ever did get an export license, there wouldn’t be a chance in hell that the government could come back and say, “Hold on, you didn’t tell us that the system works like this.” That would give it an opportunity to stop shipments. So Ozzie made sure that Lotus completely fulfilled even the Defense Department’s most trivial requests. While Ozzie was definitely the supplicant, he did have some leverage. “Are you telling me that I have to go to my congressman and tell him you’re preventing me from shipping my product overseas?” he’d ask the export gatekeepers. “How much of an issue do I have to make of this?” Lotus may not have been a multibillion-dollar company, but it was the biggest company in the software industry at the time, and it wouldn’t have looked very good to have some faceless spooks barring the door to the darling of the business press. Suddenly, inexplicably, the ice broke in mid-1989. Ozzie is convinced that the struggle within the NSA had finally ended in a compromise. “It was clear that there were people for us and people against us,” he says. “Originally they’d been meeting with us because it was their job and they were curious about what we in this new personal computer industry wanted. Then I believe there were severe internal battles, with some people in favor of letting a little crypto out, to make us go away. And others who didn’t want a precedent set, and wanted nothing out.” Apparently the former prevailed. An offer materialized. Verbally, of course. A written offer would be akin to a binding promise, an animal that does not exist in the export control menagerie. Here was the offer: Lotus Notes could ship overseas with RSA and RC-2 encryption built in, with a key size of 32 bits. The NSA people thought that was a major concession on their part. 
After all, their job was to break codes. So they had to be very concerned about what might happen if the president or the National Security Council came and asked them to break a message encrypted in a program they’d allowed exported. Their first instinct had been to permit only a 24-bit key. But “after serious leaning on NSA senior policy people,” said one of the government reps, they were willing to “go the extra mile” and allow what it considered unusually strong 32-bit keys. Unusually strong? The Lotus team was appalled. That meant that the keys one chose to encrypt and decrypt data were limited to a universe of just over four billion keys. While you wouldn’t want to try to crack this by hand, it was totally lame in the age of supercomputers. For the silicon sweathogs in the basement of Fort Meade, finding a key among four billion was a definite yawner. In the meeting, the NSA folks admitted that their supercomputers could indeed crack such keys inside of a couple of days (an estimate that seemed rather modest). But potential data thieves didn’t really need supercomputers to crack a code scrambled with a 32-bit key. If they were determined enough, and had serious dollars to spend as well as time to kill, they’d be able to throw enough personal computing power at the problem to find the keys. According to RSA estimates, this could be accomplished within 60 days. The government officials insisted that this was plenty of security. “Who would go to the trouble to break a single corporate message or several of them at 60 days a pop?” they asked. This seemed to ignore the guiding high-tech principle of Moore’s Law, which dictated that personal computers would double in power every eighteen months or so. So, that 60 days would soon be less than a month. By 1995, the time to crack a 32-bit key would be less than a week. But all of that was almost beside the point. 
True, for most relatively innocuous messages sent on Lotus Notes, spending days or weeks on decryption was excessive. But some of the information transmitted by these multimillion-dollar companies was bound to be valuable. And how would Lotus be able to assure those firms if the key length was limited to 32 bits? It couldn’t say that breaking the code was unimaginable — or even a challenge. Basically, getting hold of a secret message would be little more than a nuisance. There was no legal reason, however, to stop Lotus from producing two versions of the product: an export version with 32 bits and a much more secure version for use only within the United States. The latter used Lotus’s preferred key length of 64 bits, a degree of strength many times more difficult to crack than the export version. (Remember, each single bit doubles the size of the keyspace. A key that’s twice as hard to guess as the 32-bit version would not be 64 bits long, but only 33 bits. The domestic version, then, was like doubling the difficulty 32 separate times, changing the time frame to crack a key from days to aeons. The bottom line was that it required no stretch of the imagination to use brute force to come up with a 32-bit key. But considering 1989 computer power, one could reasonably declare such an attack on a 64-bit key next to impossible.) The drawbacks of producing two products of different key strengths were daunting. The obvious logistical costs — two packages, two sets of disks, two inventories of products — were only the beginning. Ozzie and his team had to make sure that both versions operated with each other. Because the target customer base for Notes included multinational companies like General Motors, the software had to be written so that companies with some users in the United States and others overseas could communicate securely. 
So Lotus had to have the product work in such a way that people didn’t have to worry whether or not some of the recipients of an e-mail might be in Spain or Kansas City. Essentially (though none of this was apparent as one used the product), each person who used Notes was given two sets of keys — an international pair and a domestic pair. Implementing this was a programming nightmare. But, says Ozzie, “we were not going to compromise in this country,” so Lotus went ahead and did the work. The one problem that simply could not be coded around was that the government-imposed limitation made the international product much, much weaker than its American cousin. You could view it as a bug, but one that was built into the product. Would international customers reject it for that reason? At first, they didn’t — mainly because the entire idea of buying a product with built-in encryption was so novel that customers weren’t attuned to the nuances of security. “We were trying to sell a product that was for uses they didn’t know they had,” says Ozzie. “It required a network card they didn’t have, a graphical interface they didn’t have. Only after we convinced them to put these things in did they ask, ‘Is it secure?’ And we’d tell them, ‘Yeah, it’s secure; not as much as the version in the U.S., but it’s secure.’ And they’d ask, ‘Can someone break in?’ And we’d go, ‘Well, if you ganged together thirty or forty personal computers, maybe you could. But you’d have to write special software and all.’ It was a customer education process to let them know we were trying to protect their data. It wasn’t for a few years that the questions began coming about why the international version isn’t as strong, and why didn’t we use DES.” Lotus’s hope was that by the time international customers got wise to the fact that their version of the software offered significantly weaker protection, the government would bend its restrictions and allow larger keys. 
Thirty-two-bit keys were just a compromise Ozzie made to get the product out the door. “Once we were shipping, and we had customers who had pull, we could [have the clout to argue for] a change to forty-eight-bit keys [in the export version],” says Ozzie. “That was what we were pushing for.” But the government seemed to be pushing in the opposite direction. The NSA believed that the export version, even with that lame key size, was still too strong because of certain design elements. These concerned the possible reencryption of already-encrypted information — something Ozzie figured that, at worst, would make decrypting messages only slightly more difficult. Without explaining its reasons, the government suggested design changes that might satisfy them. The best Ozzie could figure was that the issue probably related to the way that NSA cryptanalysts broke codes. But settling the matter took months of further negotiations, ultimately resulting in significant product redesign that made the program run more slowly in certain instances. Ozzie couldn’t help but wonder: what was the point of all this? Did shipping Lotus Notes overseas only in a 32-bit version really improve national security?

* * *

The struggle with Lotus over software exports was only one sign that after years of inaction, the National Security Agency had to wake up and face the challenge of a crypto revolution. After the mild panic following the first breakthroughs in the late 1970s, officials at The Fort thought things were under control. Though Bobby Ray Inman’s compromise — the scheme by which crypto researchers would voluntarily submit their work to the NSA for a once-over — was not foolproof, an impressively high percentage of the top independent cryptographers actually went through the process. Because the choice was theirs, they could justify their decision to comply with the principles of academic freedom. Besides, these academics had no desire to destabilize national security.
Correspondence with the spooks was also fun, in a way. It provided a certain frisson, not to mention an implicit validation that one’s work was indeed serious. In over nine times out of ten, the NSA made no suggestions, and other times, a minor adjustment would be requested — typically, this would be when the researcher inadvertently stumbled on some issue that was related to the NSA’s techniques in either its codes or its cryptanalysis. Furthermore, in at least one case, the NSA actually appeared to have intervened on behalf of a researcher. This was none other than Adi Shamir. In the years since leaving MIT, Shamir had been extraordinarily productive. Using the ideas of public key as a starting point, he and various colleagues had come up with new ideas for crypto. Some of them were amazing. One that he worked on with Adleman and Rivest involved a way to play “mental poker . . . played just like ordinary poker, except there are no cards.” A more significant creation was “secret sharing.” Only two years after helping invent RSA, Shamir had been intrigued by what he considered to be a problem looking for a solution — how do you share a single key among several parties, particularly when mistrust and suspicion festers among them? The classic situation is an electronic equivalent of what happens in nuclear missile silos: in order to launch, multiple keys must be turned simultaneously, requiring more than one person. Could you replicate this safeguard in cyberspace? It turns out you could, and once Shamir got to thinking about it, he came up with the idea of secret sharing, a means to parcel out a decryption key among several people. If a foe got hold of any individual’s share of the key (known as a “shadow”), he or she would have no advantage in an attempt to retrieve the entire key. Implementing that was only the beginning, though. It was obvious how to do it in a way requiring the cooperation of all the participants to reconstruct the key.
But then Shamir thought a little. . . . What would happen if one of those people disappeared or died or was kidnapped? This led to the idea to build tolerance, so that if you were given any predetermined subset of the keys, you would be able to reconstruct the secret. This came to be known as a “threshold scheme,” and its uses were endless. A trade secret like a recipe for Coca-Cola, for instance, could be distributed among ten people, and then you could prearrange any number of complicated combinations to retrieve the key. If, say, the six least trusted people holding shadows of the key got together, they might not be able to reconstruct the key. But the most trusted shadow holder might be able to build the key with any two other people in the consortium. In 1986, Shamir and two of his colleagues at the Weizmann Institute came up with another innovative and potentially valuable technique, known as “zero-knowledge proofs of identity.” Using one-way functions, these allowed Alice to verify that she knew a number (typically something that identified her, like a social security or credit-card number) without revealing that number to the interrogator. Using this system, Shamir later said, “I could go to a Mafia-owned store a million successive times and they would still not be able to misrepresent themselves as me [and use that information to buy goods, etc.].” Recognizing the value of this scheme in future e-commerce transactions, Shamir and his coinventors applied for a patent. But in early 1987, the patent office informed the cryptographers that, by order of the U.S. Army, their invention was now an official secret; circulating information on it “would be detrimental to the national security.” Not only were the Israeli scientists prevented from discussing it, but they were instructed to warn anyone who had seen the paper that sharing the idea could put one in jail for two years. 
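The threshold scheme described above can be worked through in code. The following Python is an added example, not taken from the book or from Shamir's paper: it uses polynomial interpolation over a prime field, and the weighting (five shadows for the most trusted holder, one for each of the other nine, a threshold of seven), the holder names and the field prime are assumptions chosen to match the ten-person scenario.

```python
"""Weighted Shamir threshold scheme for a ten-holder scenario (added example)."""
import secrets

# Field modulus: the Mersenne prime 2**127 - 1. Any prime larger than the
# secret and the number of shadows works; this choice is an assumption.
PRIME = 2**127 - 1
THRESHOLD = 7  # number of shadows needed to rebuild the key (assumed)
# Assumed weighting: the most trusted holder gets 5 shadows, nine others get 1.
WEIGHTS = {"trusted": 5, **{f"holder{i}": 1 for i in range(1, 10)}}


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x with Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def deal(secret, weights=WEIGHTS, threshold=THRESHOLD):
    """Split `secret` into shadows; each holder receives `weight` curve points."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    if sum(weights.values()) < threshold:
        raise ValueError("too few shadows to ever reach the threshold")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    shadows, x = {}, 1
    for holder, weight in weights.items():
        shadows[holder] = [(xi, _eval_poly(coeffs, xi)) for xi in range(x, x + weight)]
        x += weight
    return shadows


def pool(shadows, holders):
    """Collect every shadow held by the named holders."""
    return [point for h in holders for point in shadows[h]]


def reconstruct(points):
    """Lagrange-interpolate at x = 0.

    The result equals the secret only when at least THRESHOLD genuine
    shadows are supplied; with fewer, it is an unrelated field element.
    """
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate shadow")
    secret = 0
    for j, (xj, yj) in enumerate(points):
        num, den = 1, 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = (num * -xm) % PRIME
                den = (den * (xj - xm)) % PRIME
        secret = (secret + yj * num * pow(den, -1, PRIME)) % PRIME
    return secret


if __name__ == "__main__":
    key = secrets.randbelow(PRIME)  # constructed sample key
    shadows = deal(key)
    print(reconstruct(pool(shadows, ["trusted", "holder3", "holder8"])) == key)
    print(reconstruct(pool(shadows, [f"holder{i}" for i in range(1, 7)])) == key)
```

With these weights the six least trusted holders pool only six shadows and recover nothing, while the most trusted holder reaches seven with any two others; seven of the single-shadow holders acting together would also reach the threshold.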
Since they had already presented the paper at several universities as well as the Crypto ’86 conference, and had submitted it to the Association for Computing Machinery for publication that May, this seemed a difficult, if not futile, task. Furthermore, since the authors weren’t even Americans themselves, how could the U.S. government tell them what they could and could not talk about? The NSA apparently wasn’t involved in that secrecy order, but soon heard about it from concerned American scientists — and from the New York Times, which had been tipped off about the controversy. Within two days the order was quietly lifted. It was weeks before Shamir learned about the reprieve, and he became convinced that the NSA had intervened in his behalf. Why? As Susan Landau, an academic researching crypto policy, later guessed, the agency had intervened to preserve its prepublication submission program. If the perception was that submitting a good crypto idea could lead to a sudden embargo, the flow of papers to the NSA would end. And, as Landau wrote, “it is much easier to find out what the competition is doing if they send you their papers.” As the 1980s came to a close, however, it was clear that the voluntary submission system had reached the end of its usefulness. The turning point came, significantly, with a paper written by Ralph Merkle. Merkle had gone to work at the Xerox Corporation, in its famed Palo Alto Research Center (PARC). His main area of study — indeed, his passion — was nanotechnology, a new science based on molecule-sized machines. But he kept up with the crypto world. In 1989, he wrote a paper that introduced a series of algorithms that would speed up cryptographic computation, driving down the price of encryption. This in itself was threatening to the NSA’s mission. But Merkle’s paper was particularly worrisome to the agency because it included a discussion of the technology of S-box design.
Ever since Lucifer, this had been a hot-button issue at The Fort. Xerox sent the paper off to the NSA for a prepublication review. (Apparently, it had hopes of one day getting an export license for a product based on Merkle’s research.) As usual, the NSA itself circulated it to experts both inside and outside the Triple Fence. But this time the result was not a helpful correction or gentle request for a change in wording. The agency wanted the whole paper suppressed, claiming — without explaining why, of course — that circulating Merkle’s scheme would be a national security risk. Xerox, as a huge government contractor, quietly agreed to the agency’s request. Normally, that might have been the end of it. But in this case, apparently one of the outside reviewers of Merkle’s paper was upset that the agency had spiked it — so upset that he or she slipped it to an independent watchdog, a computer-hacker millionaire named John Gilmore. Gilmore had a weapon that wasn’t available a decade earlier, when the prepublication process was initiated: the Internet. One of the most popular Usenet discussion groups on this global web of computers was called sci.crypt. It was sort of an all-night-diner equivalent of the yearly Crypto feasts in Santa Barbara, featuring a steady stream of new ideas, criticism of old schemes, and news briefs from the code world. Gilmore posted Merkle’s paper to the group, and in an instant, it went out to readers on 8000 different computers around the world. Cyberspace had made the NSA’s prepublication system irrelevant. The agency rescinded its request to withhold publication. Anyway, by then even the bureaucrats at The Fort were getting wise to a new reality: its real challenges weren’t coming from academic papers but from the marketplace. And the prime example was that once moribund public key software company, now rejuvenated by Jim Bidzos.

* * *

As the 1990s approached, Bidzos was dancing a complicated pas de deux with the National Security Agency.
Though he had no real proof of it, he now imagined that behind the scenes it was working overtime to sabotage him and his company. It seemed that a lot of his potential customers showed enthusiasm at first, but then mysteriously stopped returning his calls. There were also government agencies whose interest in deploying his products suddenly evaporated. Bidzos felt in his bones that the silence resulted not from a failure of his sales prowess, but from clandestine pressure from Maryland. He even came to wonder about the nature of a relationship he had with a woman who for some reason spontaneously began giving him inside dope on the NSA. It had seemed plausible at the time, but later he wondered whether she was being paid to feed him disinformation. “I believe in the intelligence community they call it a ‘honey trap,’ ” he later said. It was ironic that from time to time people would still wonder whether Bidzos was some sort of double agent, putting on a charade of fighting the NSA while secretly implanting back doors in his company’s technology. In his mind, he truly believed that he was the single greatest thorn in the agency’s cybernetic paw. But what really scared Jim Bidzos circa 1990 was not the National Security Agency, but a far more immediate threat to his business. It involved not the government but the public key cryptography patents that were the foundation of his technology. The problem involved a company whose products didn’t compete directly with those of RSA — but whose patents threatened the company’s existence. The company was named Cylink, and its own history was considerably more placid than the roller-coaster ride of RSA. Its cofounder, Jim Omura, was a Stanford Ph.D. who became a UCLA professor in electrical engineering. His main field was information theory. Like just about everyone in computer science back then who didn’t work for the NSA, he knew almost nothing about cryptography. 
But he knew of a young associate professor at Stanford who was interested in the subject. “I used to ask him, ‘Why waste your time in cryptography?’ It seemed like there was nothing there,” says Omura. Fortunately for the invention of public key cryptography, the professor — Marty Hellman — didn’t take Omura’s advice. By the late 1970s, Omura’s views had changed, however, and he became an expert in the field. For extra money he would teach a five-day cryptography course to people in industry, mainly government contractors who wanted to develop products for the military. It covered the basic principles of crypto, and he taught it not only in the United States but also in places like Switzerland. “We had to be careful not to include any classified knowledge,” he says. Omura himself had never been briefed with classified material, but who knows what the government might consider verboten? After a few years, Omura and a friend began tinkering with actual code, and they came up with a hardware product: a silicon-chip implementation of public key, using the Diffie-Hellman key exchange. He went to another friend, Lew Morris, who was an early participant in Sun Microsystems, and they began to explore the idea of making a business out of it. They wrote a business plan, and started making the rounds of venture capitalists. This was in 1984, about the same time that RSA was going through its roughest period. Omura and Morris didn’t find the going any easier. “The venture community then couldn’t have cared less about information security,” says Omura. It was only through a private referral that the business plan fell into the hands of Jim Simons, who was not only a mathematician and cryptographer (he’d been one of the early reviewers of Lucifer) but dabbled in venture capital as well. He agreed to help put the newly dubbed Cylink company on its feet. 
Unlike RSA, which had a mission of getting crypto into the hands of the general public, Cylink focused on securing the communications of big companies, typically those that were government contractors. Cylink wasn’t about to push the envelope of what the NSA would or would not permit. Its first product, shipped in 1986, was dubbed the CIDEC-HS (so much for sexy branding). It was a chip-stuffed metal box that scrambled telephone communications within a company, using a hybrid crypto system: Diffie-Hellman to generate keys, DES to encrypt the data. Since many of Cylink’s customers were financial institutions that had already won clearance to use DES-based cryptography (including SWIFT, the international clearinghouse for bank transactions, which handled over a trillion dollars on a slow day), Cylink didn’t run into the export problems plaguing software companies like Lotus. It quickly became profitable. From the start, of course, Cylink had gone to Stanford University to license the Diffie-Hellman patent. At first, the arrangement was nonexclusive. “Stanford was deliriously happy,” says Robert Fougner, Cylink’s general counsel. “They’d finally found someone who was going to actually use the patent, and we made a very, very good deal with Stanford.” During the mid-1980s, in fact, while RSA was struggling to establish itself, Cylink seemed to be the only company turning a buck from public key. The relationship with Stanford flourished. Eventually, Cylink proposed that the university give the company additional rights to the public key patents. Essentially, it wanted to control all the patents itself. When others sought to devise and market potential public key crypto schemes, they would go not to Stanford for the licensing rights, but to Cylink for sublicensing rights. Stanford agreed to this, but there was a significant wrinkle: a continuing conflict over its patent rights and those of MIT, which owned the RSA patent. 
Stanford believed that its patents were, essentially, the public key patents, since they embodied the broad idea of split-key cryptography. By this logic, anyone who wanted to use the RSA scheme would also have to license the Stanford patents. MIT’s lawyers, however, believed that RSA could stand alone. This disagreement triggered tension between the universities that went on for several years. It was (pardon the expression) a low-key dispute, since there wasn’t much money involved at the time. Even so, everyone felt that a dispute between two august institutions was unseemly, and finally the parties reached a compromise. Stanford bundled all its public key patents and sublicensed them to MIT. MIT in turn transferred those rights to RSA Data Security, Inc. This removed a huge cloud hanging over RSA, whose system really did depend on the original public key idea of Whit Diffie and Marty Hellman. Now its software was not only fully covered by patent protection, but there was no question of infringing on the Stanford patent. While this was fine for RSA, it put Cylink at a disadvantage. Now if someone wanted to license public key crypto, they could go either to Cylink or to RSA Data Security. But only from RSA could they acquire the rights to the public key system created by its founders. This didn’t become a problem immediately, since the two companies were pursuing different customers. While both championed public key and were located within ten miles of each other, Cylink was, in Fougner’s words, “very insular, very inward . . . focused on our technology, on making a good product, on selling that product to a [limited, but] nice portfolio of customers.” On the other hand, RSA’s marketplace was the broader world of personal computing, with their eyes on a mass market. Almost inevitably, though, the companies found themselves up against each other. 
Because of the way the patents were divided, each company had an interest in encouraging a certain approach to public key software — and disparaging the other approach. Because Cylink didn’t have access to MIT’s patents, it aggressively promoted the idea of using the Diffie-Hellman key exchange. Previously, people in the field had thought that, in a practical sense, the Stanford-derived work only provided for a way for two parties to agree upon secret keys; unlike RSA, it didn’t outline the means for a full and efficient public key cryptosystem. But Cylink believed that by cleverly using the Diffie-Hellman patents, users could do everything that RSA did, just as elegantly: privacy, authentication, the whole works. Jim Omura had written a paper about it in 1987. “You could use the Stanford patents to do the same thing as RSA,” says Omura. “I think this upset Jim Bidzos because suddenly his technology wasn’t the unique technology.” “In order for RSA to succeed, it had to promote its software implementations, which were really focused on the MIT software,” says Fougner. “And here was Cylink having obvious commercial success with the Stanford-type technology. There was going to be a fight, or there was going to be a business deal.” Fougner himself joined Cylink as counsel in 1989 specifically to deal with this issue. On his second day of work, he met with Jim Bidzos. He had little idea what to expect. Would Bidzos, who already had gained a reputation within the budding industry as a pressure artist, play tough? Far from it. As Fougner recalls, Bidzos took pains to appear submissive, acting as if he were almost in awe of Cylink’s financial success. RSA, he told Fougner, was still struggling to keep its head above water: Cylink had nothing to worry about from RSA. On the other hand, both companies faced an uphill battle getting crypto established more widely. Both of them, Bidzos said, were evangelizing a technology that nobody understood, that nobody wanted to pay for. 
On top of that, here were the two top public key companies, each promoting a different implementation, and confusing the hell out of everybody! Let’s not fight each other, said Bidzos. Why not pool all the patents, work together, agree on a public key standard, and license the hell out of it? We’ll make a gazillion dollars! It made a lot of sense to Fougner. Why not join forces? For one thing, he figured, it would probably make Stanford’s lawyers happy. They had long regretted granting MIT the sublicensing rights to its patents. By making RSA a one-stop shop for public key, Stanford had cut itself out of the loop! “The joke at Stanford,” says Fougner, “was that the MIT deal was often used in their seminars as an example of what not to do in patent licensing.” So Bidzos’s idea of putting all the patents in one pot (with the promise of more fees for the public key patents) sounded very attractive to the Stanford people, and they urged Cylink to go along with it. On October 17, 1989 — the same day that an earthquake charting 7.0 on the Richter scale rocked the Bay Area — the two companies and the two universities came to an understanding. (The formal contract was signed the following April.) The patents would all belong to a new corporation jointly owned by RSA and Cylink. Control of the new entity, called Public Key Partners (PKP), would be shared equally between the two parent firms. Bidzos, arguing that the MIT rights were worth more (RSA had already gained some access to Stanford’s patents whereas Cylink had no rights to use RSA’s technology), negotiated a favorable revenue split: 55–45 in his company’s favor. Meanwhile the universities themselves got only a fraction of the potential cash: out of every dollar paid to PKP by sublicensees for patent rights, Stanford University would get nine cents and MIT would take in a little under fourteen cents. 
Omura recalls that after the partnership was established, Bidzos tried to get Cylink to downplay the idea that people could perform public key functions without the RSA algorithm. “He essentially said to me, ‘Now that we’re partners, I hope you’ll stop promoting the Diffie-Hellman approach and support RSA.’ ” Omura told him that his company would still use the alternative method, but didn’t see why that should be a problem. “It doesn’t matter what technology we use,” he said to Bidzos. “We’re partners.” “In 1990, who cared?” explains Fougner. “Within a couple of years, though, a lot of people cared.” Initially, the two executives of Public Key Partners, Fougner and Bidzos, worked well together. Technically, Fougner was head of licensing and Bidzos the president. But the bylaws dictated unanimous consent on any decisions. For Fougner, an unassuming corporate lawyer, teaming up with a swashbuckling deal-maker like Bidzos, the enterprise was sort of a mad adventure. Two wild and crazy guys, trying to set a global standard for public key cryptography — and make tons of money for their respective companies. So enamored was Fougner of the idea that he tended to shrug off the almost immediate signs that in many ways the interests of RSA and Cylink remained divergent. The first order of business for PKP was to send a letter to the National Institute of Standards and Technology (NIST), the government agency that acted as the ultimate referee of what protocols the marketplace should agree upon as a standard. In large part, the success of the partnership between the two companies would depend on whether NIST adopted as standards the patents now jointly controlled by Bidzos and Fougner. There were actually several different cryptographic standards that NIST would have to approve: one for digital signatures, one for encryption, one for key exchange, and so on. Once these were determined, the crypto revolution would be poised for liftoff. 
All the software developers would know exactly which algorithms were required for privacy and authentication, and they would build them into their programs. All the programs would then interact with each other: once this got going, a user of Lotus would be able to send encrypted mail to someone using WordPerfect, and a Microsoft Word user could stamp a digital signature on his or her Intuit account ledger. It was a crucial step for a crypto society, and NIST knew it. The government decided to establish the digital signature technology as the first standard. Uh-oh. Cylink and RSA had different approaches to signatures, each one based on their separate public key religions: Stanford or MIT. Which one would PKP offer to the government as its official candidate for a standard? Jim Bidzos had the answer: Let’s make this one RSA, he said. The Cylink people were unsure; after all, they’d been working on Diffie-Hellman signatures for six years. Bidzos had an answer to that: We’ll do RSA for signature, and when it comes to a key-management standard (the means of handling and verifying the zillions of digital keys that a large-scale system would handle), we’ll do Diffie-Hellman. The Cylink people agreed. Public Key Partners’ letter to NIST, under Fougner’s signature, went out on April 20, just two weeks after PKP was formally established. It urged that the agency adopt the RSA scheme as a standard. “Public Key Partners,” the letter said, “hereby gives its assurance that licenses to practice RSA signatures will be available under reasonable terms and conditions on a nondiscriminatory basis.” But when it came to digital signatures, the government had its own ideas.

* * *

In the midst of all that wrangling, Jim Bidzos was still concerned with keeping his company afloat. He was now working on his biggest licensing deal yet — a broad arrangement with the most powerful software company on earth: Microsoft, the White Whale of high tech.
For the previous few years, its wizards had become increasingly aware that their customers might need cryptography built into Microsoft products. From the company headquarters in Redmond, Washington, its chief technical officer, Nathan Myhrvold, had begun to circulate memos on how crucial this would become. Myhrvold often invoked his grandmother, who lived in a small farm community where people left their doors unlocked: This was fine in an isolated setting where strangers were seldom seen, but simply would not do in an urban setting. It was the same with computers, he would say; they were moving from isolated, unconnected units on desktops to networked nodes in a large infrastructure. To protect everything from taxes to medical records, you needed locks, and Myhrvold understood that public key cryptography would provide those locks. Myhrvold had been in college when Martin Gardner’s Scientific American article about RSA appeared. “I thought it was infinitely cool,” he said, and the future physicist (who would study under Stephen Hawking at Cambridge University) devoured the RSA paper as well as the Diffie-Hellman paper that inspired it. A decade later, after a software company Myhrvold had started was bought out by Microsoft, he had become one of Bill Gates’s most trusted lieutenants. He was excited about his opportunity to help get public key into the mainstream. As was the case with Ray Ozzie and Lotus, he wound up dealing with the obvious person: Jim Bidzos. The Microsoft license was crucial to Bidzos. It would make his technology a security standard for the hundreds of millions of customers who used Microsoft’s DOS and Windows operating systems as well as its applications like the word-processor Word and the spreadsheet Excel. Nonetheless, Bidzos approached the negotiations with his usual aggressiveness, boasting that, as the patent holder, he was the only game in town for crypto supplicants. Myhrvold wasn’t intimidated. 
If RSA is so great, he wanted to know, why isn’t anybody else using it? He conceded that public key systems may be inevitable, but joked with Bidzos that they might not catch on until the patents ran out toward the end of the century. Bidzos wasn’t fazed, and the negotiations proceeded — two major egos, each giving as good as he got. The issues were complicated because Microsoft wanted the right to modify the code of RSA’s crypto toolkits to suit their products. Inevitably, though, as Ray Ozzie had already learned, there was an even bigger hurdle facing all of them: the export laws. Anticipating that including crypto in its products would be problematic, Microsoft had begun a dialogue with the NSA. Though cordial, the new relationship was uneasy. The first few times representatives from Fort Meade ventured to the Redmond headquarters, they wouldn’t even reveal their last names; to get them building passes, Myhrvold had to go to the reception desk to approve badges with first names only. “They were reflexively secretive,” says Myhrvold, half amused and half annoyed. Worse, they never seemed to be explicit about what was and was not permitted. But they were vocal about one thing: RSA Data Security. They seemed to have it in for the company. Obviously, the NSA people did not relish the prospect of this upstart company providing a surveillance-proof shield to hundreds of millions of Microsoft customers. As Myhrvold tells it, they tried to turn him against Jim Bidzos and his company. Their method of dissuasion was interesting. Without saying it outright, they began dropping broad hints that behind the Triple Fence, the cipher devised by Rivest, Shamir, and Adleman had already been broken. Myhrvold was worried about giving his customers reasonable security — if the government could crack the code, why not a crook? — so he grilled Bidzos about the NSA’s claim. Bidzos was stunned: he’d felt the Microsoft deal was almost completed. 
He sprang into action to refute the charges. “We contacted every number theorist, every mathematician, every researcher in this field we knew, and within twenty-four hours had gotten back,” he says. “[Microsoft was] blown away by what we had done and they said that obviously the charge isn’t true.” Myhrvold’s recollection is different. He says that the refutation was superfluous: he always did believe the RSA algorithm was sound. But Myhrvold does say that he teased Bidzos by noting that no system short of a one-time pad could be provably impervious to cryptanalysis. Bidzos answered, quite reasonably, that one could trust a publicly published cipher — open to challenge from anyone in the community — more than one of the NSA’s secret algorithms. RSA’s future was totally linked to the strength of its codes, so it had every incentive to make sure those codes were strong. “If somebody breaks it,” Bidzos said, “what you’ve got are the remnants of a once-valuable company.” In any case, Bidzos convinced Myhrvold. To Myhrvold the NSA’s antipathy toward RSA was in a sense an endorsement: why would the agency want it stopped so much unless it was actually hard to break? But the NSA wasn’t through. According to Myhrvold, the agency made another eleventh-hour attempt to discourage Microsoft from licensing RSA, this time questioning the validity of the company’s patents. In addition, its people speculated that future government standards would not use RSA technology, and Microsoft might have an orphaned set of algorithms. Bidzos rushed back to Redmond to orchestrate a presentation that conclusively proved the solidity and breadth of his patent rights. 
According to Bidzos, the final NSA attempt at sabotaging the deal came when an agency official called Myhrvold and said, basically, “Don’t do it.” (Myhrvold says that he doesn’t recollect those words specifically, but confirms the NSA conveyed to Microsoft that it believed licensing RSA would be a mistake: a powerful disincentive for the software giant to link up with this unproven company.) Bidzos was furious. As he recollects now, he dialed up the highest ranking person he knew behind the Triple Fence and laid out what he had heard. Then, before his contact could utter a word in reply, he demanded that the official fix the problem and call Microsoft back to tell them that the agency had made a big mistake. “If that doesn’t work, you’re going to answer to the congressman in my district,” he said. “If that doesn’t work, you’re going to answer to a district attorney, because I’m going to file a complaint. If that doesn’t work, I’ll try the New York Times. But one way or another, if you don’t fix this, I’m gonna make you answer for it.” Bidzos more or less expected his contact to deny everything, or at least insist that he knew nothing of the sabotage. Instead, Bidzos claims, the man said, “I’ll call them.” And, according to Bidzos, his contact called Microsoft and recanted. The path was now clear for a deal. One small point holding up the arrangement had been Bidzos’s insistence that Bill Gates personally sign the contract. Bidzos wanted to display that final page of the contract on his wall, and what would it look like without the John Hancock of Microsoft’s famous CEO? By implying that Gates’s signature might be a problem, Myhrvold brags that he was able to get a few deal sweeteners from Bidzos. (But Bidzos got a sweetener, too — Gates’s presence at an RSA event.) A few days later, over Memorial Day weekend in 1991, Bidzos called Fougner to boast about the now-completed deal. Fougner recalls being blown away. “Jim, that’s amazing,” he said. 
“You got Microsoft to license your proprietary toolkit, and they’re going to put it in their operating system? That’s unbelievable! How did you do that?” “Salesmanship, Bob,” said Jim Bidzos. “I’m a great salesman.”

* * *

Salesmanship or not, by early 1991, the future of the public key patents was very much in doubt because of the lack of a government endorsement. Bidzos was, of course, desperate to have RSA established as the standard. Early in the process, NIST, the arbiter of the process, had been enthusiastic about doing just that. RSA, wrote a senior scientist at the agency, was “a most versatile public key system.” Indeed, as late as December 1990, NIST was trying to convince Bidzos’s foe, the NSA — whose voice in the process was crucial — that the system should be adopted. Not only was it commercially effective, said its representatives in meetings with the intelligence agency, but there was no reasonable technical argument for anything else. But then progress stalled. None of the entreaties from Bidzos or Fougner to establish RSA as the standard seemed to have been effective. And on August 30, 1991, it became clear why. The National Security Agency had devised its own scheme. Publishing in the Federal Register, NIST proposed a new set of algorithms as the prime candidate for a standard. The government’s product, known as the Digital Signature Algorithm (DSA), was written by an NSA employee named David Kravitz. In many ways, it was similar to the RSA signature scheme. Both schemes employed a public-private key pair. In both, when Alice wishes to prepare a digitally signed message, she first applies an algorithm known as a hash function, which boils the content down to a compressed “message digest.” (This, essentially, is the message boiled down to its essence, for easy processing.)
Then, by way of a mathematical function that uses Alice’s unique private key, that message digest is scrambled, or “signed.” Both the original message and the digest are then sent off to Bob. When Bob — or anyone else — gets the message, he now has a way to verify that it was indeed Alice who sent it and that the message itself wasn’t tampered with in transit. He uses Alice’s public key to “unsign” the message and the digest. Then he uses the hash function to recreate Alice’s message from the digest. Only if the letter came from Alice and only if the content was unchanged would the re-creation match the original. The government method differed from RSA’s signature scheme in one profound way: its public-private key pair could be used only for authentication, not encryption. In other words, this was a public key system that couldn’t keep a secret. Thus it presented no threat to national security or law enforcement — literally, it was just what the government ordered. “Our underlying strategy,” an NIST official would testify to Congress, “was to develop encryption technologies that did not do damage to national security or law enforcement capabilities in this country. And our objective . . . was to come out with a technology that did signatures and nothing else very well.” But NIST, which originally looked favorably on adopting the RSA solution, came to adopt this objective only after pressure from Fort Meade. During the last months of 1990, the NSA had been pushing hard for its system, and in February 1991, its new director, General William O. 
Studeman, forced the issue, urging NIST to “cut short the debate and get on with the things that need to be done to provide the necessary protection.” At the next meeting of the two agencies’ joint technical working group, NIST representatives raised the white flag, and indicated that their management “has accepted the NSA’s proposal.” But when NIST publicly signed off on the NSA-created algorithm in April, nothing was mentioned about the involvement of the secret intelligence agency. Bidzos wasn’t fooled, though, and was furious about the government’s choice of the DSA as its standard. He contended that the NSA had completely subverted the Commerce Department, the agency to which NIST belonged. Instead of helping American industry, he charged, the Commerce Department was now working against it, totally in service to the spooks. (This suspicion was later bolstered by a congressional investigation that led the House Government Operations Committee to declare, “NSA is the wrong agency to be put in charge of this important program.”) The next step, Bidzos warned, would be the unveiling of an encryption standard that didn’t adopt the familiar algorithms — his algorithms! — but some new ones that the government could break. Bidzos had a lot of ammunition for his attack. In purely technical terms, it was clear that the DSA was inferior to RSA. It was, as one observer put it, “an oddball standard,” much slower to verify signatures than RSA’s system (though faster to sign messages), more difficult to implement, and more complicated. And, of course, it didn’t have encryption. Unlike RSA, it had no track record. The government scheme did offer one advantage over RSA, however, something that Bidzos was hard-pressed to match. It was free. Indeed, in the August 30 announcement, the government had proclaimed its intention to make its signature standard available worldwide on a royalty-free basis. Bidzos felt he could fight the proposed standard by way of a patent challenge. 
But that would not be easy. Public Key Partners, of course, controlled the Stanford patents that involved the first digital signatures. But the government claimed that its scheme bypassed those patents by relying on a different implementation of digital signatures, one designed by another Stanford cryptographer named Taher ElGamal. A former student of Hellman’s, ElGamal had refined the idea of using the hash algorithm and the message digest for digital signatures. But ElGamal had made the mistake of publishing before applying for a patent (his paper had appeared in 1985), thus forfeiting his rights to a patent. So if the government’s claim was correct, the DSA was free and clear of any patent claims. Bidzos disagreed, but he understood that staking his claim would be time-consuming and costly. Still, there was one other way to accuse the government of pilfering intellectual property. It involved yet another patent. This one was based on the work of a German cryptographer named Claus Schnorr, who’d patented his own digital signature scheme in February 1991. After hearing about the DSA, Schnorr insisted that it infringed upon his patent, and demanded $2 million from the United States. To many observers, this was overstepping: the conventional wisdom was that both Schnorr’s and Kravitz’s systems were variations of ElGamal’s work. Nonetheless, the government was concerned. In its own patent application, it took pains to assert that the ideas behind the DSA were independent of Schnorr. Still, Schnorr had at the least a “scarecrow” patent: a claim that might not prove to be defensible in a long, drawn-out lawsuit, but one that nonetheless gave its holder a plausible reason to attack a similar concept. As long as Schnorr was unhappy, the government had a problem. Bidzos saw this as a great opportunity. While the government dithered, he would try to add the German’s patent to the Public Key Partners portfolio. 
It would be like landing on Park Place after already owning Boardwalk: patent monopoly! Bidzos found out that Schnorr was attending a conference in Marseilles, so he flew there with Fougner in tow. They arranged to have lunch at one of the fanciest restaurants in town. The meal lasted for hours, with multiple bottles of fine wine delivered to the table. Schnorr was in his midforties, a conservative scientist who was proud of his most recent triumph — winning the lucrative Leipzig Prize. Bidzos quickly figured out the way to handle him. “I talked to him like a coach would to a tennis player,” says Bidzos. “That he could do it himself, or he could let me negotiate his deals and manage his contracts and endorsements, so he could work on his game.” Fougner was impressed at the hard sell. “Bidzos regaled him with tales of his friendship with Bill Gates and his global vision of public key cryptography and the universe,” he says. The meal finally wound down, with the waiters standing around, anxious to clear this final table. They moved to a pub by the waterfront. Fougner quickly sketched out on a piece of paper a transfer by which PKP would receive all rights from Schnorr’s patent. At the pub, in the shadow of a fifteenth-century galleon, Schnorr, whether captivated by Bidzos’s promises of riches, or just plain exhausted, signed the paper. When Bidzos got back to the States, he had another in his endless series of meetings with NIST. His contacts were Dennis Branstad and Lynn McNulty, two computer scientists at the agency who were often caught between the demands of the public and those of their bosses. In hoping to resolve the government’s patent problems, they had been desperately urging NIST to buy the Schnorr patent. They also wanted to pay off RSA to clear up any alleged conflict with the Stanford patents, and they assumed the meeting would focus on such an offer. 
Instead, Bidzos began by declaring, “I represent Claus Schnorr and you’re infringing on my patent.” Bidzos was exultant. “I had never seen two guys look more tired,” he later boasted. Meanwhile, Bidzos was helping engineer opposition to the DSA on other fronts. As a response to the August 30 Federal Register announcement, NIST had received 109 comments on the scheme, the vast majority of them critical. Companies already using RSA, including Microsoft and Lotus, were unhappy that their investment in that scheme would be lost, and they would have to develop new software for the new standard. Other complaints dealt with the relatively laggardly computation rate of the DSA. Also, critics were concerned about the vulnerability of the scheme. Because the proposed standard used only 512-bit keys to calculate the signatures (RSA used 1024 bits), there was a question about whether the powerful computers inside the Triple Fence might be able to churn out forgeries. How could anyone assert that a signature was valid beyond question when an intelligence agency had the potential to create counterfeits? To Ron Rivest, the whole thing was symbolic of the government’s policy in general: “What crypto policy should this country have?” he asked at a 1992 conference held in D.C. “Codes which are breakable or not?” Though the controversy never caused major debate within the general public, it did ignite some civil liberties groups, which had been closely watching the relationship between the NSA and NIST. In fact, the balance of power between the two agencies was risible — one was the flagship of our multibillion-dollar intelligence operation, the other a dime-store government backwater. While the liberals and the libertarians hoped that the latter organization would protect the interests of ordinary citizens, they had little confidence it would do so. Their fears were justified. A look at the prior history of the two organizations laid the blueprint for an imbalance of power. 
After the Church hearings in the seventies, the entire organization of the NSA had felt chastened. But in 1984, at the apex of Ronald Reagan’s presidential power, the NSA showed signs of reentering the realm of domestic policy. At the apparent behest of Fort Meade, Reagan issued a National Security Decision Directive intended to monitor information in databases — both in- and outside government — that fell into the vague category of “sensitive, but unclassified, government or government-derived information.” This caused a minor firestorm, and eventually, the NSA’s congressional nemesis, Representative Jack Brooks of Texas, gave the agency a tongue-lashing: “The basement of the White House and the back rooms of the Pentagon,” he said in a hearing, “are not places in which national policy should be developed.” Eventually, the government backed down. The experience led some in Congress, urged by frantic lobbying from civil liberties groups, to create a law that would set boundaries for the government in the computer age. In what was an unusual act of independence from the demands of an intelligence agency, Congress in 1987 passed the Computer Security Act, which specifically turned over the responsibility for securing the nation’s computer infrastructure — particularly in recommending the standards to which industry would adhere — from the NSA to the National Bureau of Standards (which was about to take on the higher-tech appellation of National Institute for Standards and Technology). Why did Congress flout the spooks? True, the civil liberties groups had lobbied hard. But more to the point, says Marc Rotenberg, who was then a staffer for Senator Patrick Leahy, “U.S. business didn’t particularly like the NSA setting the standards. 
The NSA’s concerns about computer security are not the concerns that businesses face — they weren’t worried about the Kremlin, they were worried about their competitors.” Bolstered by industry support, the lawmakers moved fast and the NSA was caught flat-footed. Not even an appearance by then–NSA director General William E. Odom could stop the bill. His complaint that shifting security responsibilities to the civilian agency would be an unnecessary “duplication” of functions really missed the point: industry preferred that the Commerce Department, and not the spies, set standards for the national computer infrastructure. As one NSA official later wrote in a memo, “By the time we fully recognized the implications . . . [Brooks] had it orchestrated for a unanimous-consent voice-vote passage.” Of course, The Fort was not shut totally out of the process of securing the nation’s computers. As the undisputed world capital of crypto, it had invaluable expertise in computer security, and Congress outlined an advisory role for Fort Meade to NIST. The question was, how would the two work together? In negotiations to determine that, the NSA sat across the table from the acting director of NIST, a bureaucrat named Raymond Kammer. Not only was Kammer sympathetic to the National Security Agency, he was actually the son of two of its veterans! The official Memorandum of Understanding reached between the two agencies did preserve the concept that NIST would take the lead in establishing standards, but formalized an NSA role as well. In “all matters related to cryptographic algorithms and cryptographic techniques,” said the memo, NIST would solicit the NSA’s help. To implement this, the two agencies would work through a “technical working group.” Though NIST was supposedly in charge of the process, it would not hold a majority presence in the group, which consisted of three people from each agency. 
Though both agencies insisted that NIST was really in the driver’s seat, skeptics suspected otherwise. Even with its zippy new name, NIST was the nerdy Mr. Peepers of government agencies, suddenly thrust into the center of a huge political and national security battle. At least one high-ranking official of the agency later admitted that NIST not only hadn’t sought the powers granted by the Security Act, but it didn’t want them once the bill was passed. “It put us in charge of what we didn’t want to be in charge of,” he says. The skirmishes over the digital signature standard seemed the ultimate proof that NIST was pretty much Fort Meade’s stooge. In the years to follow, investigations would bear this out; one General Accounting Office report concluded that, contrary to congressional intent, “NIST follows NSA’s lead in developing certain cryptographic standards.” Declassified documents outlining the discussions in the monthly meetings of the two agencies’ technical working group clearly illustrated this. At every step, the NIST people seemed to be waiting for the NSA’s verdict on the signature issue. Even NIST’s own oversight group, the Computer System Security and Privacy Advisory Board, had serious problems with the relationship between the two agencies. In March 1992, it determined that “a national-level public review of the positive and negative implications of the widespread use of public and private key cryptography is required.” But the NSA wanted no part of a discussion or review, and squelched that idea. In a classified memo, the new NSA head, Admiral Mike McConnell, put it bluntly: “The National Security Agency has serious reservations about a public debate on cryptography.” Still, the government was beginning to feel some heat. Once again, Representative Jack Brooks held hearings. They featured scorching testimony by the NSA’s critics. 
Nathan Myhrvold of Microsoft testified that “the government’s late publication of its proposed signature standard, together with its serious technical flaws . . . made it impossible for the computer industry to adopt the government standard for commercial use.” Addison Fischer, an early RSA Data Security investor who used the company’s algorithms in the mainframe computer products of his eponymous company, invoked a powerful metaphor that would reappear in crypto debates to come: “Cryptography, especially public key cryptography, is entering the mainstream,” he said. “It is simply another of a long line of technological genies which is exceedingly useful, and which cannot be put back into the bottle — even if there may be some unpleasant side effects.” All of this criticism, of course, was music to Jim Bidzos’s ears. While he had become a crusader for the free rein of crypto, his main goal had always been strengthening his company. If the pressure on the government continued — and he kept threatening to exercise the Schnorr patent to fight the government’s candidate — he figured that eventually the standards process might go his way, and RSA technology would at least win approval as the official digital signature standard. And then, astonishingly, the feds caved. Or at least seemed to. As Bidzos tells it, the government finally concluded that its own standard would fail not on crypto grounds but on patent grounds. At a June 1993 meeting at the Commerce Department, a NIST lawyer said the words Bidzos longed to hear: “We want to work with you.” While Bidzos and his attorneys sat stunned, the official continued. “Why don’t you make us a proposal for a licensing situation if you want to be compensated?” Bidzos said he would get back to them in writing. And a negotiation began, with the government offering an amazing financial concession to Public Key Partners: an exclusive patent on the government’s algorithm, the DSA. 
The United States would use the DSA as its standard, and would pay PKP a royalty fee. It was estimated that this could be as high as a dollar a user. Since millions of dollars would potentially come from this — every citizen would use this standard to communicate with the government, in everything from making contracts to filing IRS returns — there was a huge incentive for Bidzos to accept. So he did. In this sense, he was acting on behalf of his company’s bottom line and against the interests of the general public. After all, his company would now be party to the use of the NSA’s product as a standard, an algorithm Bidzos himself had gleefully trashed in public. Some people began to question whether RSA’s strategy of protecting crypto by patents was itself a path that retarded the progress of computer privacy. Maybe Bidzos was in league with the spooks. After all, as one observer noted, “One of the purposes of the patent system is to cause technology to be exploited. . . . Public key cryptography was invented almost twenty years ago, and yet is not yet in widespread use. A visit to the supermarket checkout counter reveals no digital signatures. Why not?” But the deal would never be closed. In its haste to eliminate a nasty patent battle, the government underestimated the outrage that would come from its abandoning a commitment to make the algorithm royalty-free. When the government solicited comment on the deal, the criticism was withering. Critics called it a $2 billion giveaway to Public Key Partners. The Canadian government and the European Commission indicated that they wouldn’t pay the royalties, and to hell with the patents claimed by the United States government. It was a revolt that the government didn’t need. So NIST reneged on its offer to Bidzos, and reaffirmed that whatever standard it chose, it would be royalty free. And so, once again, it was back to square one on the digital signature standard. Bidzos was philosophical about the turnaround. 
He did regret losing all that potential cash. But with the plan killed, Bidzos could once again take the side of the angels, a foe of a government that wanted to crush individual privacy, even if it meant impoverishing American software companies. In any case, the bickering over the signature standard was to continue for another year. It wasn’t until October 1994 that NIST finally made its choice. It chose to dismiss the patent issue, ignore the overwhelmingly negative public response, and endorse the DSA as its own candidate as the official standard for digital signatures. “NIST reviewed all the asserted patents and concluded that none of them would be infringed,” it stated in a fact sheet. (To assure those who still had qualms, the agency took the extraordinary step of assuming liability for anyone using the standard who might later be sued for patent infringement.) While NIST made some beneficial technical changes from its original proposal, most notably extending the key length from 512 to 1024 bits, essentially the result was an authentication system created in secret by the government intelligence agency, one that virtually no one in industry had found attractive enough to adopt. This instead of a system already implemented by Microsoft, Apple, IBM, and Novell. Is it any wonder that years later, the digital signature standard would still be an orphan — and that in the midst of an electronic boom, there would exist no universal means of authenticating e-mail? The funny thing is, as NIST scientist Lynn McNulty later said, “We thought that the digital signature would be the easy one.” But as contentious as it was, the battle over signatures was only a warm-up for the main event in the cryptography war: the war over encryption.

crypto anarchy

When Phil Zimmermann began his cryptography adventure, he had no idea that he would end up both hailed as a folk hero and investigated for violations of federal law. 
He acted out of scientific curiosity, a hobbyist’s passion, and a bit of political paranoia. Born in 1954, and raised in various Florida towns, he was a self-described nerd, “not naturally a party guy.” An odd, awkward duck. His father was a truck driver; both parents were alcoholics. He wanted to be an astronomer. In the fourth grade, though, he became captivated by codes. A Saturday afternoon Miami television show called M.T. Graves and the Dungeon had a kids’ club. Members were sold a physical “key” to unscramble a secret code. During the show, a series of numbers were flashed on the screen and club members could use the key to translate them into magical, clear messages. Zimmermann never sent in the money to buy the key, but he jotted down the numbers anyway — and managed to decode them into plaintext. To an only child in a troubled family, transforming such gibberish into something familiar gave a sense of mastery, of belonging. A sense of an organized home. No wonder Zimmermann sought to learn more about ciphers. He found a book by children’s author Herbert S. Zim called Codes and Secret Writing. Published by Scholastic and directed at ten- to twelve-year-olds, this thin volume straightforwardly conveyed the excitement of cryptography, almost as if its author were a senior intelligence executive instructing a bright, though green, recruit. “The idea of this book is not to give you codes to copy but to help you invent your own codes — not one or two but, if you like, hundreds of codes,” wrote Zim. “How you use your knowledge of codes is, of course, up to you.” The book became Zimmermann’s Bible. He faithfully attempted all its exercises, such as making invisible ink out of lemon juice, creating original ciphers, and, of course, cracking the encoded messages presented in the book. A couple of years later, in junior high, a friend boasted of a code he’d made up and Zimmermann accepted the challenge of breaking it. 
“Make sure it’s a long message,” Zimmermann told the kid, who complied, foolishly thinking that a longer message would be harder to crack. The message was written in runic-style symbols, vaguely evocative of the languages of Tolkien’s Middle Earth. Zimmermann did a frequency analysis, an elementary technique of cryptanalysis that simply involves counting how often alphabetic letters appear. This enabled him to solve it like a garden-variety cryptogram. All to the amazement of his buddy. His interest in codes waned during his teenage years, and it wasn’t until he was in college, at Florida Atlantic University, that Zimmermann realized computers could be cryptographic tools. Though he was majoring in physics, he wound up spending a lot of time in the computer room, at first doing course-related work, but eventually just drinking in the elixir of programming itself. The appeal was creating one’s own world in the machine. “You could interact with something that wasn’t a living thing but seemed to be like one,” he says. Best of all, he was good at it, in contrast to his physics abilities. His nemesis: calculus. Though he began programming his first week at college in 1972, he didn’t actually see a real computer for a year, because his school only had terminals connected to distant machines. After all, Florida Atlantic wasn’t MIT or Stanford. Not even a big state school. Zimmermann became a student assistant, teaching others to use the terminals. And after his second year, he dropped physics for computer science. He rediscovered his passion for ciphers in that computer room. One of his experiments involved writing his own secret code, using the now-antiquated FORTRAN computer language. His scheme used random number functions to substitute each character in a plaintext message with a different character. The random number function was keyed with a password. 
Because his code couldn’t be broken by frequency analysis (the randomizing function would change a “t” early in the message to one thing and subsequent “t’s” to different characters), Zimmermann figured that not even the CIA could break it. He’d never imagined techniques like chosen plaintext attacks, or deconstructing random number generators. (And he’d never heard of the NSA.) As it was, years later he would encounter that same “unbreakable” cipher, presented in a student homework assignment as a cipher that could be easily broken with basic cryptanalytic techniques. “So much for my brilliant scheme,” he says. In the summer of 1977, with only one course to go before graduation and already employed at a minicomputer company in Fort Lauderdale, Zimmermann came across the Mathematical Recreations column of Scientific American, and found something that blew his mind. It was, of course, Martin Gardner’s description of public key and the RSA algorithm. He was hungry to know more. Out of the blue, he called Ron Rivest at MIT and asked him about the possibilities of implementing the system on a computer. Rivest told him that in the course of experimenting, the MIT group had already done that in LISP, a tony computer language used for artificial intelligence work. “That’s out of my reach,” said a disappointed Zimmermann, who had never had access to the flashy LISP machines; they were luxury items costing $100,000 and geared for research, not practical tasks like accounting. Though high-level arithmetic wasn’t his strong point, Zimmermann understood that the odds of getting a LISP box at Florida Atlantic University approached infinity to one. He wondered, however, whether he could do RSA on one of those cheap new microcomputers. That would be different. Zimmermann had a partial share in one of the clunky low-cost machines of the time — it ran on a Zilog Z-80 processor, sort of the Model A of the mid-1970s. 
But as he thought about implementing RSA, he realized that he had little idea of how to do some of the extended arithmetic routines explained in the MIT paper. So he didn’t try. There were other things happening in Phil Zimmermann’s life then. The same year he discovered RSA, he married his girlfriend Kacie Cavenaugh, who worked on the college switchboard. Not long afterward, the young couple visited friends in Boulder, Colorado, and fell in love with the area. Zimmermann returned to his Florida job but began planning for a move, and a year later he and Kacie packed up their Volkswagen Rabbit and drove to the Rockies. He got a job at a software company making workstation word processors, and began raising a family: their son was born in 1980. And then he heard Daniel Ellsberg speak at a nuclear freeze rally in Denver. In high school, Phil Zimmermann had pretty much ignored Vietnam, but at Florida Atlantic he had come to adopt a passive but heartfelt antigovernment stance. The Nixon scandals had opened his eyes to how brazenly the government could lie. By the time of Ronald Reagan’s presidency, he had totally soured on politics. He read Robert Scheer’s With Enough Shovels, and worried about nuclear annihilation. Zimmermann and his wife decided to move to New Zealand, the better to avoid the coming holocaust. They went so far as to acquire passports and immigration papers. (He had yet to learn that there wasn’t much of a computer industry in New Zealand.) And then he attended the 1982 rally where he heard Ellsberg, who, after his famous moment as the emancipator of the Pentagon Papers, had become a leading antinuclear activist. Zimmermann was galvanized. From that point on, he forgot about emigrating and decided to become active himself — to stay and fight. He and some friends were starting a company they called Metamorphic Systems, and they planned to produce a circuit board for Apple computers that would run Intel-compatible programs. 
But Zimmermann still found time to dig into every book he could find on NATO policy, weapon systems, and the like. He would spend hundreds of dollars at a bookstore and tear through the volumes. Then he began teaching military policy at the Free University in Boulder. He spoke at nuclear freeze rallies and advised a couple of candidates for Congress. Twice he was arrested at rallies, once at the Nevada nuclear testing range, alongside his heroes Ellsberg and Carl Sagan. (Neither arrest resulted in any charges filed.) But as the eighties moved on, the nuclear freeze movement seemed to lose steam. Metamorphic Systems wasn’t doing well either: once the IBM PC became dominant, the idea of putting Intel processors into Apple II computers seemed kind of ridiculous. Zimmermann himself was a bit lost. But then, everything changed with a single phone call from a programmer in Arkansas who had a scheme few people could appreciate more than Phil Zimmermann. The guy’s name was Charlie Merritt, and it turned out that he was actually doing the thing that Zimmermann had dreamed of since reading Martin Gardner’s column in 1977: he was implementing an RSA public key cryptosystem on a microcomputer. Merritt had experienced a similar reaction to Zimmermann’s when he’d read about the work of the MIT researchers. Moving from his native Houston to Fayetteville, Arkansas, he started a company with several friends and they actually managed to create a public key program running on Z-80 computers. It ran very slowly, but it worked. But no one seemed to want to buy it. After a while, his friends dropped out, and Merritt, with his wife Hobbit, began selling the program themselves. Eventually news of their tiny enterprise reached the multibillion-dollar intelligence operation in Fort Meade. Periodically the NSA would send its representatives to Arkansas to warn Merritt of the dire consequences that might ensue if he sent any encryption packages out of the country. 
Since Merritt Software’s customers were largely overseas companies that wanted encryption to circumvent the peeping thugs of corrupt regimes, this restriction virtually shut the company down. To try to get some domestic leads, Merritt was reduced to calling obscure companies he’d read about in computer magazines, hoping they would package his program with their stuff. That was how he found Metamorphic and Phil Zimmermann. When Zimmermann heard what Merritt was up to, his excitement was so over the top that Merritt suspected a practical joke was being played on him: no one he’d ever met had been so nuts about encryption. Zimmermann told Merritt all about his own passion for crypto, about M.T. Graves and the Dungeon and Herbert Zim and Ron Rivest. He professed his hatred for Big Brother. But mostly, he wanted to know everything Merritt had learned about making RSA work on a personal computer. Now that he knew it was possible to do so, Zimmermann became driven to write his own public key encryption program — for the people. Whereas his previous efforts in crypto had been solely performed as neat hacks, and as an expression of his passion for codes in general, he now was a sophisticated political activist who had twice been dragged off to a holding pen for asserting his opinion. He now understood that in the computer age, government had an extremely powerful tool for monitoring dissent: electronic surveillance. Not only could Big Brother types stick their collective ear into phone conversations, but they could pluck the increasingly popular e-mail messages out of the digital ether and read business plans and shameful secrets to their black, black hearts’ content. While electronic mail was a terrific thing, it actually represented a step backward in privacy: even with relatively insecure physical mail, people had sealed envelopes to protect the privacy of their messages. What Zimmermann hoped to produce was the electronic equivalent to sealed envelopes. 
But if you gave people a crypto program to protect e-mail, you’d have something much better than sealed envelopes. If people all agreed to use it, he thought, it would be a form of solidarity, a mass movement to resist unwanted snooping. Right on, baby! Understanding the speed limitations of public key, Zimmermann figured that his program should be a hybrid cryptosystem, using the slow public key RSA protocols to exchange keys and some other, speedier algorithm to perform the bulk encryption of the actual message. He was unaware of Lotus Notes, which was already implementing such a hybrid system, and was certainly in the dark about RSA Data Security, Inc., which was going to base an entire business on licensing public key for the kind of systems Zimmermann thought he was himself pioneering. (Neither did Zimmermann have a clue about the RSA patents.) In any case, neither of those firms had a shipping product in 1984. Zimmermann did understand several things correctly: A useful program should run not just on a single brand of computer, but on all sorts of machines. To do this, it had to be written in a computer language that was amenable to all sorts of different processors, and as any programmer knew, the language that best satisfied that requirement was called C. Fortunately, Zimmermann knew C inside out. The program also had to be easy to use. And its circulation had to be so widespread that a near-ubiquity could quickly be realized. Thus it would benefit by the Network Effect. Charlie Merritt was a holdout who still hadn’t tackled C, but he was strong in an area where Zimmermann was sadly deficient: the complicated mathematics that enabled one to work with the huge numbers required by RSA. 
This was particularly important in implementing RSA on a personal computer, which used 8-bit “words” in its calculations: it was a challenging process to apply those relatively small numbers in a way that could process the mighty numbers that RSA demanded — 512 bits, 1028 bits, and even more. If you didn’t do it efficiently, the program would run so slowly that no one would ever use it. Though no immediate business deal came of Merritt’s call to Metamorphic, he and Zimmermann became constant telephone correspondents, with Zimmermann soliciting all of Merritt’s knowledge of multiprecision arithmetic functions. It was such a complicated process that eventually they decided that Merritt should come to visit Zimmermann in Boulder for a sort of arithmetic boot camp, in November 1986. It was an action-packed week, and not only because of the math that Zimmermann learned. Merritt was working on a project for the navy, producing a conventional cipher; he taught it to the younger man. The project had been subcontracted to Merritt by a company for whom he’d been consulting: RSA Data Security. Before he flew to Boulder, he’d called the company’s new president to ask if they might meet in Colorado, a place that was a sight easier to get to than Fayetteville, Arkansas. Jim Bidzos agreed. Bidzos had been looking forward to a testosterone-charged get-to-know-you dinner with Merritt — two guys in a steak house lighting cigars and swapping lies. Instead he found a third wheel was included, Zimmermann. And instead of a steak house, they wound up at The Good Earth, a brightly lit emporium of salads and grains. The actual conversation at the restaurant would become a matter of dispute. Jim Bidzos later said he had been startled when Phil Zimmermann spoke of his plan to create a program that used RSA’s proprietary protocols. In fact, RSA had a similar program, and Bidzos had brought along two copies. 
This was Mailsafe, written by Rivest and Adleman, two guys who by now had more math and cryptography knowledge in their little fingers than Zimmermann had managed to glean from Merritt in two years. Zimmermann, however, would claim that Bidzos was impressed with his plans, so much so that he offered the programmer a free license to the RSA algorithm. Bidzos would later vociferously deny making any such offer. In any case, Zimmermann saw no reason to change his own plans, and he spent the next few years furthering his didactic education on cryptography so he could complete his own encryption program. He wrote up some of his ideas in a paper that was published, to his pride, in IEEE Computer, a well-regarded computer-science journal. Not bad for a kid from Florida Atlantic University. Then he began working on the actual program. One crucial step was producing the bulk encryption algorithm that would perform the actual encoding of message content. Eschewing DES and the RSA-owned RC-2 standard devised by Ron Rivest, he attempted the risky course of producing his own cipher. It was based on the one that Charlie Merritt had taught him, the cipher Merritt had produced for the navy. But Zimmermann toughened the system by introducing multiple rounds of substitution. As he refined his concept, he recalled a Dan Aykroyd routine from the original Saturday Night Live television show. Portraying a fast-talking late-night huckster, Aykroyd hawked a blender so powerful that you could throw a fish into it: the liquefied output would be a healthy juice (yum). This was the Bass-O-Matic, a perfect name, Zimmermann figured, for an encryption algorithm. Any cryptanalyst who confronted his scrambled messages would be as ineffectual at reconstructing them, he hoped, as someone attempting to reconstitute a silvery, flopping fish from the noxious goo emerging from the Bass-O-Matic blender. 
Zimmermann went on to other problems, and pieces fell into place — message digests, interface, and a range of protocols. But after months and months of work, all he really had were separate components that still weren’t tied together into a working program. “It took a lot more work to put them together,” he says. By 1990 — six years after first talking to Charlie Merritt and four years since Merritt’s visit to Boulder — Zimmermann realized that in order to finish he would have to make a total gung-ho commitment, even if it meant having to tighten his budget, cut out the consulting, and spend less time with his family. He embarked on a full-time regimen of programming. Zimmermann had dreamed up a name for his work in progress, though not one as irreverent as Bass-O-Matic. Zimmermann had been an early devotee of the Macintosh computer, and had experimented with a simple data communications program when none had existed. Thinking of “Ralph’s Pretty Good Grocery,” an imaginary sponsor from Garrison Keillor’s A Prairie Home Companion radio show, he had called it “Pretty Good Terminal.” This gave him the idea for the name of his crypto program: Pretty Good Privacy. He never really considered that it might become a major brand name. But then, his marketing plans were vague. He did hope to make some money selling PGP, but figured on a modest amount using shareware rules, where people would download the program and pay him on the honor system. For the next six months, Zimmermann worked twelve-hour days in a bedroom of his house, which he almost lost because he didn’t have the money to make the mortgage payments. Maybe, he figured, if he finally finished PGP and released it, enough users would send him money to get him back on his feet. As the software got closer to completion, he called Jim Bidzos to see if they could finally clear up the intellectual property issue that the RSA chief had brought up during that ill-fated dinner. 
Zimmermann explained his product and asked for a go-ahead to use the RSA algorithm. Bidzos was appalled at the request: this guy thinks we’ll just give him our crown jewels? Maybe instead of asking for handouts, he suggested, Zimmermann should develop his product for some company rich enough to get a standard RSA license. The whole conversation was so out of line with Zimmermann’s vision for his product — and the dim view he took of the high-powered business world — that he basically ignored the whole problem and went back to work. By early 1991, Zimmermann was making progress toward a working product. Then something happened to change his course — and to make PGP famous. The unlikely agent in this shift was U.S. Senator Joseph Biden, the head of the Senate Judiciary Committee and a cosponsor of pending antiterrorist legislation, Senate Bill 266. In a draft of the bill introduced on January 24, Biden inserted some new language: It is the sense of Congress that providers of electronic communications services and manufacturers of electronic communications service equipment shall ensure that communications systems permit the government to obtain the plaintext contents of voice, data, and other communications when appropriately authorized by law. [Emphasis added.] A poison needle in a haystack of clauses and qualifications, this passage originally escaped scrutiny. But its appearance was no accident. The language of the bill had been forged with the help of law enforcement agencies. That sentence was included at the explicit request of the FBI. And what a sentence it was! It plunged a virtual dagger into the heart of the crypto revolution. How could tech companies and services promise to deliver the plaintext contents of encrypted texts — the original messages meant to be read only by their intended recipients — if people scrambled them with programs like Mailsafe, Lotus Notes, and PGP? 
Logically, the only way that the “sense of Congress” could be satisfied would be a ban on any encryption except that equipped with “trapdoors” that the manufacturers and services could flip open at the demand of the feds. It wasn’t until April 1991, however, that the crypto community itself learned of this legislative time bomb. A consultant who had done work for the NSA revealed the offending clause on various Internet bulletin boards, along with apocalyptic commentary: “Are there readers of this list that believe that providers of electronic communications services can reserve to themselves the ability to read all the traffic and still keep the traffic ‘confidential’ in any meaningful sense? . . . Any assertion that all use of any such trapdoors would be only ‘when appropriately authorized by law’ is absurd on its face. . . . Any such mechanism would be subject to abuse.” The message ended with a warning that would galvanize Phil Zimmermann: “I suggest you begin to stock up on crypto gear while you can still get it.” To Zimmermann, S. 266 was the ultimate deadline. If he didn’t get PGP out into the world now, the government might prevent its very existence. At least for the time being, domestic crypto was legal. So Zimmermann decided to finish up the first version of PGP quickly and get it out to as many people as possible. He also gave up his financial hopes for PGP. Instead of releasing it as shareware, he designated it “freeware.” This meant not only that the software didn’t cost anything, but also that users could themselves distribute it far and wide to others with the blessing of its creator. Fortunately, a medium existed that made it easier than in any time in history to circulate an encryption system like PGP: the Internet. In 1991, the formerly government-owned computer network was just beginning its meteoric rise to ubiquity. Thousands of discussion groups abounded, and millions of files were downloaded every day. 
The majority of users at the time did not yet reflect the public at large — most were very computer savvy, and a lot of them were outright nerds. But these were exactly the types of people who would respond to PGP, which, despite Zimmermann’s best efforts, was still not as easy to use as MacWrite or Tetris. Oddly, at that time, Zimmermann himself was not much of an Internet devotee. He hardly knew how to use e-mail. In this sense he was still the outsider looking in. But in recent months he had begun a correspondence with a fellow crypto enthusiast in California, Kelly Goen, whom he had met through Charlie Merritt. In the month after the on-line call to action about S. 266, Zimmermann apparently gave Goen a copy of his PGP software so that it could be spread on the Internet “like dandelion seeds,” Zimmermann later wrote. On May 24 Goen e-mailed Jim Warren, a computer activist and columnist for MicroTimes, a Bay Area computer-oriented newspaper, and explained the purpose of flooding the networks with PGP. “The intent here,” wrote Goen, “is to invalidate the so-called trapdoor provision of the new Senate bill coming down the pike before it makes it into law.” In other words, if thousands of copies of PGP were in use, Senate Bill 266 would be rendered irrelevant; when confronted with PGP-encrypted files, the AT&Ts of the world would not be able to guarantee plaintext to G-men or spooks. On the first weekend in June, Jim Warren got a series of calls from Goen, who told him that PGP day had arrived. Goen was obviously intoxicated with the drama of it all, taking precautions that were more from the book of Maxwell Smart than James Bond. “He was driving around the Bay Area with a laptop, acoustic coupler, and cellular phone,” Warren later wrote in MicroTimes. “He would stop at a pay phone, upload a number of copies for a few minutes, then disconnect and rush off to another phone miles away. 
He said he wanted to get as many copies scattered as widely as possible around the nation before the government could get an injunction and stop him.” Apparently, Goen was also careful to upload only to Internet sites inside the United States. Of course, once a software program appears on a file server, anyone in the world can download it: Pakistani hackers, Iraqi terrorists, Bulgarian freedom fighters, Swiss adulterers, Japanese high schoolers, French businessmen, Dutch child pornographers, Norwegian privacy nuts, or Colombian drug dealers. Though not yet a cliché, an Internet slogan was already becoming a familiar refrain: On the Information Highway, borders are just speed bumps. How quickly did PGP leave the United States and find its way overseas, without as much as a howdy-do to the export laws? Instantly. Zimmermann would later marvel at hearing that the very next day people in other countries were encrypting messages with PGP. How could Zimmermann have avoided this potentially illegal passage of his program to distant shores? “I could have not released it at all,” he later said. “But there’s no law against Americans having strong cryptography.” And, after all, Phil Zimmermann engineered his sudden release of PGP not to circumvent export laws, but to arm his countrymen, the people who might be affected by Senate Bill 266. His motto, as expressed in his documentation to the program, was “When crypto is outlawed, only outlaws will have crypto.” Ironically, Joseph Biden’s offending language, the impetus for Zimmermann’s extraordinary step, met a much less enthusiastic response than PGP did. Senator Biden had been taken by surprise at the huge expression of public outrage (fueled by civil liberties groups) at the stealth antiprivacy language he had introduced. By June, he had quietly withdrawn the clause. But the incident left an unexpected legacy: hundreds of thousands of PGP-encrypted messages circulating throughout the world. 
Pretty Good Privacy had escaped from Phil Zimmermann’s hard drive and had now been cloned countless times. He could no more recall it than one could take back one’s words after they were uttered. Zimmermann was proud of PGP 1.0 though defensive at its shortcomings. Maybe it didn’t introduce any mathematical innovations. And maybe the coding was so disorganized that he felt compelled to apologize for it in the documentation. But it was one of the first really usable personal computer solutions for a complete cryptosystem, from digital signatures to encryption. “If you look at what was available at that time, there were only laboratory petri-dish versions of RSA,” he says. “One had been published in Byte; it took all afternoon to do an RSA calculation. Mine did that in a few seconds. I had brought together a practical implementation that had all the things you needed to do public key cryptography. It was a major event . . . it was a watershed event.” One person disagreed strongly: Jim Bidzos of RSA and Public Key Partners. When he saw PGP, he was outraged. This was no original product, he felt — look at Mailsafe — but a blatant rip-off of his company’s technology and patents. Why didn’t Zimmermann get honest and call it Pretty Good Piracy? Bidzos called the Colorado programmer and, literally screaming at him, demanded he remove the software from circulation. Despite all Bidzos’s previous animosity, Zimmermann was actually taken aback at this response: “I thought he would be delighted,” he says. He attempted to defend himself. He had done PGP for political reasons, not to challenge any commercial enterprises. After all, the Fortune 500 companies that were RSA’s potential customers don’t use freeware; they buy their software from companies that will back it up and support it. So what was the problem? Bidzos accused him of actually playing into the NSA’s hands — because anything that hurt his company was music to Fort Meade.
Not long afterward, Bidzos had his lawyer put Zimmermann on legal notice that he was infringing on PKP’s patents. This worried Zimmermann, and he called Bidzos once again to try to make a deal. The basis of the agreement was simple: Zimmermann would not distribute his software with the RSA protocols, and Bidzos would not sue him. An agreement was indeed drawn up to that effect, and Zimmermann signed it. But each party had his own interpretation of that phone conversation. Bidzos felt that the deal compelled Zimmermann actually to kill PGP. Zimmermann insisted that he had only affirmed his understanding of a hypothetical agreement: if he stopped distribution of PGP, then he would not be sued. Zimmermann would also claim Bidzos gave him verbal assurances that RSA would sell licenses to PGP’s end-users so they could use the software without infringing on RSA’s patents. Bidzos denied those claims. It later became clear that Zimmermann’s interpretation of “distributing PGP” was somewhat narrow. By leaving the distribution to others, he felt that he was free to continue his involvement with the software. In fact, Zimmermann was supervising a second release of PGP, this one with the help of some more experienced cryptographers. He’d realized that he needed help after a sobering experience at Crypto ’91 in Santa Barbara. His main mission had been to get a reading from the wizards there on the security of PGP. (Admittedly this task was overdue, considering that thousands of people were already using the program.) Right away, he ran into Brian Snow, one of the top crypto mathematicians at the NSA. Zimmermann, of course, was curious as to whether the government was upset about PGP. “If I were you, I would be more concerned about getting heat from Jim Bidzos than from the government,” said Snow. This puzzled Zimmermann — why wasn’t the government worried? Then he sought private comments on his program. 
After first getting a brush-off from Adi Shamir — the Israeli cryptographer told him to send the program to Israel and he’d spend ten minutes with it — Zimmermann got the attention of Shamir’s colleague at Weizmann, Eli Biham. They retreated to the UCSB cafeteria, scene of many a bull session and impromptu cryptanalysis at the annual conference. For Zimmermann, it was a long lunch in more ways than one; Biham quickly embarrassed the amateur cryptographer by uncovering several fatal flaws in Bass-O-Matic. The cipher was, for instance, vulnerable to a differential cryptanalysis attack. While not exactly a dead fish, the Bass-O-Matic was far from a prize catch. Zimmermann now realized that he could only truly improve PGP if he were to recognize his own limitations. His ultimate success at codemaking would come from realizing that he wasn’t really a great cryptographer. He was a knowledgeable packager and programmer who would need ace mathematicians and cryptographers to help him with the hard-core details. Fortunately, a lot of very smart people had been excited by the release of PGP 1.0. Instead of feeling burned by its weaknesses, they were eager to pitch in and fix them. Soon Zimmermann had recruited volunteers in New Zealand, Holland, and California to be his mainstay engineers. A casual collection of kibitzers also contributed advice and small pieces. Together they began work on version 2.0. Zimmermann was the chief designer, approving every decision, every line of the code, but he hid his role so that Bidzos wouldn’t think that he was abandoning his promise not to violate RSA’s patents. The result was PGP 2.0, an infinitely stronger product. Bass-O-Matic had been tossed aside (“Calling it that wasn’t too good an idea, anyway,” says Zimmermann. “Cryptography is something you can’t joke about”). In its place, Zimmermann chose a preexisting Swiss cipher called the International Data Encryption Algorithm, or IDEA. 
Written in 1990 by two celebrated cryptographic mathematicians, IDEA had quickly stood up to public scrutiny. Zimmermann felt the IDEA cipher was even stronger than DES, particularly with the 128-bit keys he recommended. “This is not,” he wrote in the 2.0 documentation, “a home-grown algorithm.” Another crucial improvement came in an area that Zimmermann basically had ignored with PGP 1.0: key certification, the process by which public keys are authenticated. Certification is often seen as the Achilles’ heel of public key systems. The classic conundrum in such systems arises when Alice wants to send something to Bob. She scrambles it with Bob’s public key, and only Bob can unscramble it. But what if Alice has never met Bob — how does she get his public key? If she asks him for it directly, she can’t encode her request (obviously not, because she doesn’t have his public key yet, which she would use to encrypt the message). So a potential eavesdropper, Eve, could act as “a man in the middle,” and snatch that message en route. Then Eve, pretending to be Bob, could send her own public key to Alice, falsely representing it as Bob’s key. (This deceptive masquerade is known as “spoofing.”) If Alice is duped, she’ll encode her secret message to Bob with the key. Alas, Bob won’t be able to read anything scrambled with that key — only tricky Eve can. So much for the security of direct requests. What about the idea of publishing something like a digital phone book full of public keys? The forging problem persists, unless you have a certifiably secure means of protecting that book and assuring that the keys really do belong to their purported owners. Yes, it would require an extravagant effort to pull off such a fraud. But it’s possible, and as long as the vulnerability exists, any public key system has to figure out a way to get around this security hole. 
Many people have come to think that the answer lies in a large-scale “certification authority” to distribute and verify public keys. Such a center would be able to process millions of public keys. Using the certification authority’s own public key — presumably a key so well-circulated that no one could spoof it — you could securely query it to get someone’s key, or verify a public key someone sent you. Of course, such an ambitious solution was impossible for Zimmermann. He didn’t have the wherewithal, or money, to set up a closely monitored certification authority to distribute and verify public keys. So he had to come up with another method. His solution was quite ingenious, especially since it reflected the outsider sensibility that generally characterized his efforts. Instead of a central key authority, he envisioned the PGP community itself as an authority. “PGP allows third parties, mutually trusted friends, to sign keys,” explained Zimmermann in a 1993 interview. “That proves that they came from who they said they came from.” By “signing” keys, Zimmermann was talking about a technique whereby someone in effect attached his or her own public key to someone else’s, as a sort of stamp of approval. After you generated a public key, you’d get the key signed by people who knew you personally. These signings were to be performed face-to-face, to minimize the threat of spoofing. So if Alice knows Bob personally, she arranges to meet him, and physically hands him a disk with her PGP public key. Using his copy of PGP, Bob signs it with his own private key. (This is done simply by selecting a function in the software program and clicking the mouse.) He gives her back the signed key and keeps a copy for his own “public key ring,” a collection of signed keys that PGP users are encouraged to keep on their hard drives. Later, a third party, Carol, might want to communicate with Alice but doesn’t know her. 
So Carol seeks out Alice’s public key, either from her directly or from a bulletin board full of public keys. In the latter case, how does she know it’s really Alice’s? She checks to see who has signed the key — does it have the imprimatur of anyone she knows? Since Carol knows Bob — and has earlier received a verified copy of Bob’s public key — she can establish the veracity of his signature. If it checks out, that means that Bob has really met the person who holds this new key and is implicitly telling Carol, “Hey, it’s really Alice.” So Carol can be sure that Alice is who she says she is. At least to the degree she trusts Bob. This system — known as a “web of trust” — requires some judgment on the user’s part. After all, Carol can’t be sure of Alice’s identity unless she personally knows someone who has physically met her and signed her key. What if she doesn’t know anyone who’s physically signed it? Is it worth trusting a second-level verification? Maybe her friend Bob hasn’t signed Alice’s key, but he has signed a key of someone named Ted. And Ted has signed Alice’s key. Whether you’ll trust that signature depends on Ted’s reputation: who are the people who have signed his key? As more and more people used PGP, some were bound to develop a reputation for being scrupulous in verifying the keys they sign. Seeing one of those trusted introducers on a key ring would be a strong assurance of authenticity. In any case, PGP allowed users to set what cryptographer Bruce Schneier refers to as “paranoia levels”: how many levels of separation you’re willing to accept, depending on the degree to which you trust various signers. With this web of trust, a stronger encryption algorithm, a better interface, and a number of other improvements, PGP 2.0 was — unlike Zimmermann’s favorite weekend comedy show — ready for prime time. 
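The key-spoofing problem and the web of trust described above, as an added Python example that is not from the book or from PGP: Carol accepts a key only if a chain of valid signatures leads back to a key she verified in person, within a chosen number of hops (the "paranoia level"). The toy RSA keys, the names `Cert`, `find_chain` and `build_scenario`, and the hop-count rule are assumptions made for illustration.

```python
# Added example: toy web of trust. Textbook RSA over public Mersenne primes,
# no padding. Illustration only; the keys below are constructed, not real.
import hashlib
from collections import deque
from dataclasses import dataclass, field

M61, M89, M107, M127 = (2**k - 1 for k in (61, 89, 107, 127))

def make_key(p, q, e=65537):
    """Return (public, private) toy RSA keys built from primes p and q."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def digest(name, pub):
    """Hash the claim 'this name owns this public key' to an integer."""
    data = f"{name}|{pub[0]}|{pub[1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, name, pub):
    """The signer vouches that `pub` belongs to `name`."""
    n, d = priv
    return pow(digest(name, pub) % n, d, n)

def verify(signer_pub, name, pub, sig):
    """Check a signature against the signer's public key."""
    n, e = signer_pub
    return pow(sig, e, n) == digest(name, pub) % n

@dataclass
class Cert:
    """A public key as found on a bulletin board, with its signatures."""
    name: str
    pub: tuple
    sigs: dict = field(default_factory=dict)  # claimed signer name -> signature

def find_chain(trusted, board, target, max_depth):
    """Breadth-first search for the shortest chain of valid signatures from a
    key in `trusted` (verified in person) to `target`, using at most
    `max_depth` signature hops. Returns the list of names, or None."""
    seen = set(trusted.items())
    queue = deque((name, pub, [name]) for name, pub in trusted.items())
    while queue:
        signer, signer_pub, chain = queue.popleft()
        if len(chain) > max_depth:  # one more hop would exceed the limit
            continue
        for cert in board:
            key = (cert.name, cert.pub)
            sig = cert.sigs.get(signer)
            if key in seen or sig is None:
                continue
            # The signer label is only a hint: the signature must verify
            # under the key that was actually reached through the chain.
            if not verify(signer_pub, cert.name, cert.pub, sig):
                continue
            seen.add(key)
            if key == (target.name, target.pub):
                return chain + [cert.name]
            queue.append((cert.name, cert.pub, chain + [cert.name]))
    return None

def build_scenario():
    """Constructed scenario: Bob signed Ted's key, Ted signed Alice's key,
    and Eve posts her own key under Alice's name."""
    bob_pub, bob_priv = make_key(M61, M89)
    ted_pub, ted_priv = make_key(M61, M107)
    alice_pub, _ = make_key(M89, M107)
    eve_pub, eve_priv = make_key(M107, M127)
    ted = Cert("Ted", ted_pub, {"Bob": sign(bob_priv, "Ted", ted_pub)})
    alice = Cert("Alice", alice_pub, {"Ted": sign(ted_priv, "Alice", alice_pub)})
    # Eve's signature is labelled "Bob", but it was made with Eve's key.
    fake = Cert("Alice", eve_pub, {"Bob": sign(eve_priv, "Alice", eve_pub)})
    trusted = {"Bob": bob_pub}  # Carol received Bob's key from him in person
    return trusted, [fake, ted, alice], alice, fake, ted

if __name__ == "__main__":
    trusted, board, alice, fake, ted = build_scenario()
    for depth in (1, 2):
        print("real Alice, max_depth", depth, "->",
              find_chain(trusted, board, alice, depth))
    print("spoofed Alice, max_depth 5 ->", find_chain(trusted, board, fake, 5))
```

With one hop allowed, only Ted's key is accepted; Alice's key needs two hops (Bob, then Ted), and the spoofed key is rejected at any depth because no signature on it verifies under a key Carol can reach.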
The informal team of programmers had even prepared translations of the interface in several languages, so people worldwide could use it from the day of release. In September 1992, two of Zimmermann’s helpers posted PGP 2.0 on the Net from their respective homes in Amsterdam and Auckland. This way, the program could be imported into the United States, violating no export regulations. In almost no time, the new version supplanted and exceeded the first one. “I got more mail in the month after the release than I had received the whole previous year,” says Zimmermann. “It was like lighting a match to dry prairie grass.” Jim Bidzos became, if possible, even angrier. He was particularly outraged at a contention of Zimmermann’s included in the documentation that came with every download of PGP. Zimmermann claimed that Public Key Partners was ripping off the American public by making people pay for technology developed on the government dime. After Zimmermann’s attempts to cover himself with disclaimers (“The author of this software implementation of the RSA algorithm is providing this . . . for educational use only. . . . Licensing this algorithm from PKP is the responsibility of you, the user, not Philip Zimmermann. . . .”), he launched into a long justification of his actions, claiming that he didn’t think he was infringing on any patents. He implied that by controlling the patents to public key cryptography, Public Key Partners — “essentially a litigation company,” he called it — was doing the NSA’s dirty work by denying crypto to the people! Finally, while not giving any assurances, he told potential users that they didn’t have much to worry about by violating PKP’s patent rights: “There are just too many PGP users to go after,” he wrote. “And why would they single you out?” “He’s misleading people, defaming us as a way of getting support for his own agenda,” said Bidzos in 1994. 
“There’s the evil government trying to deny you your right to privacy and the evil patent holders bent on ripping you and the government off — it’s not really clear who’s worse, but you can put them both off by using this software. He knew it was false.” Bidzos did have a point: RSA itself had already produced Mailsafe, an implementation of the public key patents. Both parties agree that during the contentious 1986 dinner meeting, Bidzos gave Zimmermann a copy of Mailsafe, but Zimmermann claimed he never tested the software or read the documentation because he’d already figured out how his product would work. “This guy says he was blown away by the invention of RSA,” says Bidzos. “We’re supposed to believe that he took software written by the people who invented it, his heroes, and never was curious enough to look at it?” Yet much of Bidzos’s fury was directed not just at Zimmermann’s actions but at the runaway popularity of PGP. Because it was free, available worldwide regardless of export laws, and had quickly attained a patina of coolness among the high-tech crowd, its usership quickly exceeded that of Mailsafe, and was now threatening to become an Internet standard. Despite not being an accomplished cryptographer with a Stanford or MIT pedigree, despite having virtually no sense of business or marketing, Zimmermann had done what neither the original world-class public key mathematicians nor the market-savvy Bidzos had succeeded in doing: create a bottom-up crypto phenomenon that not only won over grassroots users but was being described as the major challenge to the multibillion-dollar agency behind the Triple Fence. No wonder that by the end of 1992, Phil Zimmermann had gone from total obscurity to the hero of the crypto underground. “If I go to Europe, I’ll never have to buy lunch,” he said. 
“I have a huge number of adoring fans.”

* * *

Zimmermann’s do-it-yourself effort to create a crypto program and distribute it to the people — an effort consciously undertaken to circumvent government control — marked a new dimension in the ongoing battle between the NSA and the cryptographers who worked outside its reach. The agency had once felt that its voluntary prepublication compromise with academics had mitigated much of the potential damage of that community’s emergence. (And with the troublesome First Amendment in play, there was little choice in the matter.) Fort Meade’s minions were also fending off the commercial threat to its dominance by budging only slightly on the export situation. But it was getting harder to convince people that it made sense to control cryptography. It was becoming increasingly clear that this was not a weapons technology but one that might fit in as a common artifact of everyday life. All those millions who used Lotus Notes were already aware of its benefits. Those with garden variety e-mail were shocked to find that basic protections just weren’t there — sending mail on the Internet seemed secure but was actually one step removed from broadcasting. And as more people began using cellular phones, for instance, they wondered why it was that their calls could be so easily monitored by any wirehead who plunked down a hundred dollars for a scanner. Even the Prince of Wales had his cell calls to his mistress intercepted, with the whole world now chuckling at endearments he uttered to her, endearments that were intensely personal (OK, they involved menstruation supplies). In a world of highly evolved communications, why shouldn’t everything be protected? Even the National Football League figured this out: it used crypto to encode the radio signals sent from coaches in the observation booth to quarterbacks on the field. This was something anyone could understand.
Here was something as straightforward as a means to prevent the Green Bay Packers from stealing the next play from John Elway . . . and we called this national security? These were tough questions for a branch of government not used to answering any questions at all. But the questioning was about to become more intense as a new force, in part inspired by Zimmermann, now came into play: cryptoactivism. Strong cryptography distributed on the Internet — and a revolutionary movement built around producing and distributing strong codes — seemed on its face a fringe activity. But with the crypto controversy heating up, it turned out that the time was ripe for a small movement to apply leverage. So it seemed to two crypto enthusiasts who hatched an idea for a group that would be outside even the outsiders in the battle for cryptography. The concept developed spontaneously when Eric Hughes, a young mathematician living in the north Bay Area and thinking of moving down the California coast, visited his friend Tim May in Santa Cruz to do some house hunting. Hughes and May were an interesting combination, bound by scientific passion, political libertarianism, and a slightly unnerving paranoia. (Hughes liked to joke about this, citing an unknown philosopher who supposedly said, “Cryptography is the mathematical consequence of paranoid assumptions.”) Both cut striking figures, eschewing a math-nerd look for the frontier garb of the Old West: crypto cowboys. Hughes was often seen in a felt Stetson. At forty, May was a physicist who had retired from Intel seven years earlier with a bundle of stocks. His major contribution at the semiconductor giant had been his proof that quant