crypto

also by steven levy
Insanely Great: The Life and Times of Macintosh, the Computer That Changed Everything
Artificial Life: How Computers Are Transforming Our Understanding of Evolution and the Future of Life
The Unicorn’s Secret: Murder in the Age of Aquarius
Hackers: Heroes of the Computer Revolution

crypto
how the code rebels beat the government — saving privacy in the digital age
steven levy

VIKING
Published by the Penguin Group
Penguin Putnam Inc., 375 Hudson Street, New York, New York 10014, U.S.A.
Penguin Books Ltd, 27 Wrights Lane, London W8 5TZ, England
Penguin Books Australia Ltd, Ringwood, Victoria, Australia
Penguin Books Canada Ltd, 10 Alcorn Avenue, Toronto, Ontario, Canada M4V 3B2
Penguin Books (N.Z.) Ltd, 182-190 Wairau Road, Auckland 10, New Zealand
Penguin Books Ltd, Registered Offices: Harmondsworth, Middlesex, England

Copyright © Steven Levy, 2001
ISBN: 0-7865-0256-8
All rights reserved. This book, or parts thereof, may not be reproduced in any form without permission. Making or distributing electronic copies of this book constitutes copyright infringement and could subject the infringer to criminal and civil liability.
First edition (electronic): January 2001

To Teresa and Andrew

acknowledgments

The backbone of Crypto is a series of interviews conducted over the past decade with the people who populate, or have had an impact on, the world of cryptography. Obviously, my deepest thanks go to those who have given time and attention to an outsider who wanted to tell a good story. I hope that none of those who cooperated with me will take offense if I single out a few for duty above and beyond: Len Adleman, Jim Bidzos, David Chaum, Whitfield Diffie, Mary Fischer, Eric Hughes, Tim May, Ray Ozzie, Ron Rivest, and Phil Zimmermann.

From September 1994 to June 1995, I was a Fellow at the Freedom Forum Media Studies Center, then located on the Columbia University campus.
I enthusiastically acknowledge the kindness of the Freedom Forum, the accommodations and assistance of the Media Studies Center staff, and the terrific company and well-timed wisdom of my fellow Fellows. My researcher there, Kaushik Arunagiri, dug out innumerable documents and also walked me through some math. John Kasdan kindly allowed me to audit his cyberlaw course and Matt Blaze and Joan Feigenbaum welcomed me to their computer science course on cryptography. Mark Rotenberg, David Banisar, and David Sobel of the Electronic Privacy Information Center gave me access to the astounding documents coughed up by the government under their skillful use of the Freedom of Information Act. John Gilmore and his lawyer Lee Tien also provided me with armloads of declassified materials. Roger Schlafly sent me a huge pack of documents related to RSA and Cylink. Simson Garfinkel e-mailed me notes of interviews he did for his book, PGP. (Other suppliers will remain nameless, but thanks to them, too.) During the past eight years, I wrote a number of magazine articles on crypto, and some of these are reflected in this book, particularly those I wrote for Wired, beginning with the cover story on cypherpunks in its second issue and winding up with the first detailed account of nonsecret encryption in 1999. Thanks to all my editors there, especially Kevin Kelly. I also wrote crypto-related stories for The New York Times Sunday Magazine, Macworld, and Newsweek. The latter has been my professional home for the past five years, and I am grateful to everyone there for providing an inveterate freelance writer with a reason to actually hold a job. Thanks to Mark Whitaker, Jon Meacham, and the editor who suffers most with me, George Hackett. I also owe a large debt to the late Maynard Parker. At Viking, editor Pam Dorman hung tough throughout the marathon. Ann Mah kept the bits flowing. Victoria Wright was both a master transcriber and sharp observer.
My agent, Flip Brophy, was once again a flawless advisor and facilitator. And some early readers caught mistakes and offered great suggestions (I won’t cite them by name because any errors are solely mine). Those who discover more are encouraged to get in touch with me through my Web site (www.stevenlevy.com), where I will post corrections and updates.

Words, even in plaintext, can’t express what I owe my family, Andrew and Teresa.

Steven Levy, September 2000

contents

Acknowledgments
Preface
The Loner
The Standard
Public Key
Prime Time
Selling Crypto
Patents and Keys
Crypto Anarchy
The Clipper Chip
Slouching Toward Crypto
Epilogue: The Open Secret
Notes
Bibliography
Glossary

preface

The telegraph, telephone, radio, and especially the computer have put everyone on the globe within earshot — at the price of our privacy. It may feel like we’re performing an intimate act when, sequestered in our rooms and cubicles, we casually use our cell phones and computers to transmit our thoughts, confidences, business plans, and even our money. But clever eavesdroppers, and sometimes even not-so-clever ones, can hear it all. We think we’re whispering, but we’re really broadcasting.

A potential antidote exists: cryptography, the use of secret codes and ciphers to scramble information so that it’s worthless to anyone but the intended recipients. And it’s through the magic of cryptography that many communications conventions of the real world — such as signatures, contracts, receipts, and even poker games — will find their way to the ubiquitous electronic commons.

But as recently as the early 1970s, a deafening silence prevailed over this amazing technology. Governments, particularly that of the United States, managed to stifle open discussion on any aspect of the subject that ventured beyond schoolboy science.
Anyone who pursued the fundamental issues about crypto, or, worse, attempted to create new codes or crack old ones, was doomed to a solitary quest that typically led to closed doors, suddenly terminated phone connections, or even subtle warnings to think about something else.

The crypto embargo had a sound rationale: the very essence of cryptography is obscurity, and the exposure that comes from the dimmest ray of sunlight illuminating the working of a government cipher could result in catastrophic damage. An outsider who knew how our encryption worked could make his or her own codes; a foe who learned what codes we could break would shun those codes thereafter.

But what if governments were not the only potential beneficiaries of cryptography? What if the people themselves needed it, to protect their communications and personal data from any and all intruders, including the government itself? Isn’t everybody entitled to privacy? Doesn’t the advent of computer communications mean that everyone should have access to the sophisticated tools that allow the exchange of words with lawyers and lovers, coworkers and customers, physicians and priests with the same confidence granted face-to-face conversations behind closed doors?

This book tells the story of the people who asked those questions and created a revolution in the field that is destined to change all our lives. It is also the story of those who did their best to make the questions go away. The former were nobodies: computer hackers, academics, and policy wonks. The latter were the most powerful people in the world: spies, and generals, and presidents. Guess who won.

the loner

Mary Fischer loathed Whitfield Diffie on sight. He was a type she knew all too well, an MIT brainiac whose arrogance was a smoke screen for a massive personality disorder. The year of the meeting was 1969; the location a hardware store near Central Square in Cambridge, Massachusetts.
Over his shoulder he carried a length of wire apparently destined for service as caging material for some sort of pet. This was a typical purchase for Diffie, whose exotic animal collection included a nine-foot python, a skunk, and a rare genetta genetta, a furry mongooselike creature whose gland secretions commonly evoked severe allergic reactions in people. It lived on a diet of live rats and at unpredictable moments would nip startled human admirers with needlelike fangs. An owner of such a creature would normally be of interest to Mary Fischer, an animal lover who at that very moment had a squirrel in her pocket. At home she also had a skunk as well as two dogs, a fox, a white-wing trumpeter bird, and two South American kinkajous. Diffie saw that she was buying some cage clips and abruptly focused his attention on her. In future years, Whit Diffie would be known — extraordinarily well known — as the codiscoverer of public key cryptography, an iconographic figure with his shoulder-length blond hair, Buffalo Bill beard, and his bespoke suits cut by London tailors. But back in those days he was a wiry, crew-cut youth with “the angriest face I’d ever seen,” Fischer says, and he immediately began peppering Mary Fischer with questions. You keep exotic animals? Then you’ll need this, and this, and this. He took things out of her hands and put other things in as he lectured. His rudeness appalled Mary. But she hadn’t yet cracked his code. Mary Fischer didn’t know that Diffie was spending prodigious amounts of time thinking about problems in computer security and their mathematical implications. She had no idea that he was casting about for a new way to preserve secrets. All she knew was that Whit Diffie was unappetizing and he loved animals. But animals meant a lot to her, and soon Diffie and his girlfriend began visiting Mary and her husband, sometimes accompanied by their creatures. 
The skunks got along, some ferrets were exchanged, and Diffie’s visits to her home became routine. Mary began to reconsider her initial repulsion to Diffie. But, in his failure to decode her, he seemed generally oblivious to her. On his visits he interacted only with the man of the house. After Mary and her husband moved to New Jersey, where he started veterinary school, she would sometimes pick up the ringing phone and hear Diffie’s cuttingly precise voice brusquely ask for her spouse, as if she were an answering service. One day she made her feelings plain. “Look,” she said, “I understand I’m not as bright as you and some of your friends, and I understand your friendship is primarily with my husband. But I don’t really think it would kill you to say hello.”

The message got through. Diffie’s demeanor toward Mary dramatically improved, and she was not just startled but saddened when one day in 1971 he told her that he was going to travel for a while.

Mary didn’t know yet that Whit Diffie was preparing himself for a solitary — and romantic — quest, looking for answers to questions that the United States government didn’t want asked. The odds against his success were astronomical, because he was confronting a near complete blockade of relevant information on a subject that, on its most sophisticated levels, was almost unspeakably obscure. What were the odds against such an unheralded outsider’s transforming an entire field with an original discovery that would redefine the ground rules for personal privacy in the computer era? The length of those odds would shorten with the role of Diffie’s courtship of Mary Fischer in overcoming them — and a scientific breakthrough would result that affects every citizen in the digital age.

“The discovery of public key,” says Fischer, “was a romance.”

* * *

Bailey Whitfield Diffie was born on the eve of D-Day, June 5, 1944. His professor father had just completed a wartime sabbatical in government service.
(Though he disliked Communists — more for their humorless single-mindedness than their ideology — Whit Diffie’s father was a passionate antifascist and often lectured against the repressive movement in Europe.) Both of Whit’s parents were educated people. Bailey Wallace Diffie taught Iberian history and culture at City College in New York. Diffie’s mother was the former Justine Louise Whitfield, a stockbroker’s daughter from Tennessee who met her husband while working in the foreign service in Spain. She was a writer and scholar who studied Madame de Sévigné, a figure in the court of Louis XIII and Louis XIV. Whit Diffie was always an independent sort. As one early friend remarked, “That kid had an alternative lifestyle at age five.” Diffie didn’t learn to read until he was ten years old. There was no question of disability; he simply preferred that his parents read to him, which seemingly they did, quite patiently. Apparently both parents understood that their son was extremely intelligent and obstinately contrarian, so they didn’t press him. Finally, in the fifth grade, Diffie spontaneously worked his way through a tome called The Space Cat, and immediately progressed to the Oz books. Later that year his teacher at P.S. 178 — “Her name was Mary Collins, and if she is still alive I’d like to find her,” Diffie would say decades later — spent an afternoon explaining something that would stick with him for a very long time: the basics of cryptography. Specifically, she described how one would go about solving something known as a substitution cipher. Diffie found cryptography a delightfully conspiratorial means of expression. Its users collaborate to keep secrets in a world of prying eyes. A sender attempts this by transforming a private message to an altered state, a sort of mystery language: encryption. Once the message is transformed into a cacophonous babble, potential eavesdroppers are foiled. 
Only those in possession of the rules of transformation can restore the disorder back to the harmony of the message as it was first inscribed: decryption. Those who don’t have that knowledge and try to decrypt messages without the secret “keys” are practicing “cryptanalysis.” A substitution cipher is one where someone creates ciphertext (the scrambled message) by switching the letters of the original message, or plaintext, with other letters according to a prearranged plan. The most basic of these has come to be known as the Caesar cipher, supposedly used by Julius Caesar himself. This system simply moved every character in the plaintext to the letter that occurs three notches later in the alphabet. (For instance, a Caesar cipher with its “key” of three would change A to D, B to E, and so on.) Slightly more challenging to an armchair cryptanalyst is a cryptosystem that matches every letter in the alphabet to one in a second, randomly rearranged alphabet. Newspaper pages often feature a daily “cryptogram” that encodes an aphorism or pithy quote in such a manner. These are by and large easy to crack because of the identifiable frequency of certain letters and the all-too-often predictable way they are distributed in words. Like countless other curious young boys before him, Whit Diffie was thrilled by the process. In his history of cryptography, The Codebreakers, author David Kahn probes the emotional lures of secret writing, citing Freud’s theory that the child’s impulse to learn is tied to the desire to view the forbidden. “If you’re a guy, you’re trying to look up women’s skirts,” says Kahn. “When you get down to it basically, that’s what it is, an urge to learn.” For many, the fascination of crypto also deals with the thrill that comes from cracking encoded messages. Every intercepted ciphertext is, in effect, an invitation to assume the role of eavesdropper, intruder, voyeur. 
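The Caesar shift with a key of three, and the letter-frequency weakness that makes such substitution ciphers easy to crack, can be shown in a few lines. This is an added example, not code from the book; it goes one step beyond the text by automating the frequency count, and the sample sentence, the frequency table and all function names are assumptions made for the illustration.

```python
# Added example (not from the book): the Caesar shift described above, and the
# letter-frequency weakness that lets a reader recover the key without knowing it.
import string
from collections import Counter

ALPHABET = string.ascii_uppercase

# Approximate letter frequencies (percent) in ordinary English prose.
ENGLISH_FREQ = {
    "A": 8.17, "B": 1.49, "C": 2.78, "D": 4.25, "E": 12.70, "F": 2.23,
    "G": 2.02, "H": 6.09, "I": 6.97, "J": 0.15, "K": 0.77, "L": 4.03,
    "M": 2.41, "N": 6.75, "O": 7.51, "P": 1.93, "Q": 0.10, "R": 5.99,
    "S": 6.33, "T": 9.06, "U": 2.76, "V": 0.98, "W": 2.36, "X": 0.15,
    "Y": 1.97, "Z": 0.07,
}

# Constructed sample plaintext (an assumption: any ordinary English text works).
SAMPLE = ("WE THINK WE ARE WHISPERING BUT WE ARE REALLY BROADCASTING. "
          "A SENDER TRANSFORMS THE MESSAGE SO THAT ONLY THOSE WHO HOLD "
          "THE RULES CAN RESTORE IT.")


def caesar(text, key):
    """Move every letter `key` places along the alphabet (key=3: A->D, B->E)."""
    shifted = []
    for ch in text.upper():
        if ch in ALPHABET:
            shifted.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            shifted.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(shifted)


def top_letters(text, n=3):
    """Most frequent letters in a text: the first thing a cryptanalyst counts."""
    counts = Counter(ch for ch in text.upper() if ch in ALPHABET)
    return [letter for letter, _ in counts.most_common(n)]


def chi_squared(text):
    """Distance between a text's letter counts and typical English (lower is closer)."""
    letters = [ch for ch in text.upper() if ch in ALPHABET]
    if not letters:
        return float("inf")
    counts = Counter(letters)
    total = len(letters)
    score = 0.0
    for letter, pct in ENGLISH_FREQ.items():
        expected = total * pct / 100
        score += (counts[letter] - expected) ** 2 / expected
    return score


def break_caesar(ciphertext):
    """Undo all 26 possible shifts and keep the one that looks most like English."""
    key = min(range(26), key=lambda k: chi_squared(caesar(ciphertext, -k)))
    return key, caesar(ciphertext, -key)


if __name__ == "__main__":
    ciphertext = caesar(SAMPLE, 3)
    print(ciphertext)
    print("most common ciphertext letters:", top_letters(ciphertext))
    print("recovered key and text:", break_caesar(ciphertext))
```

The shift hides nothing about how often each letter occurs: the most common ciphertext letter is simply E moved three places, which is why a cipher of this kind offers no protection once the message is longer than a few words.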
In any case, it wasn’t the prospect of breaking codes that excited Whit Diffie but the more subtle pursuit of creating codes to protect information. “I never became a very good puzzle solver, and I never worked on solving codes very much then or later,” he now says. He would always prefer keeping secrets to violating the secrets of others. Diffie’s response to Miss Collins’s cryptography lesson was characteristic. He ignored her homework assignment, but independently pursued the subject in his own methodical, relentless fashion. He was particularly interested in her off-the-cuff remark that there were more complicated ciphers, including a foolproof “U.S. Code.” He begged his father to check out all the books in the City College library that dealt with cryptography. Bailey Diffie promptly returned with an armload of books. Two of them were written for children; Diffie quickly devoured those. But then he got bogged down in Helen Fouché Gaines’s Cryptanalysis, a rather sophisticated 1939 tome. Gaines offered a well-organized set of challenges that would provide hardworking amateurs an education in classical cryptographic systems. Many of these were refinements of advances made centuries ago, which in turn were more complicated variations of the earlier substitution ciphers. The best known were the polyalphabetic systems, first hatched in Vatican catacombs and later revealed in the early 1500s by a German monk named Johannes Trithemius. Published in 1518 — two years after his death — Trithemius’s Polygraphia introduced the use of tables, or tableaux, wherein each line was a separate, reshuffled alphabet. When you encoded your message, you transformed the first character of the text using the alphabet on the first line of the tableau. For the second character of your message you’d repeat the process with the scrambled alphabet on the second line, and so on. On the heels of Trithemius came the innovations of a sixteenth-century French diplomat named Blaise de Vigenère.
Here was a man who had penetrated the soul of crypto. “All things in the world constitute a cipher,” he once observed. “All nature is merely a cipher and a secret writing.” In the most famous of almost two dozen books he produced after his retirement from the diplomatic service, Vigenère produced devastating variations on previous polyalphabetic systems, adding complexity with a less predictable tableau and “autokeys” that made use of the plaintext itself as a streaming key. The Vigenère system won a lasting reputation for security — it was known as le chiffre indéchiffrable — so much so that until almost the twentieth century, some armchair cryptographers believed that a certain streamlined version of the system was the sine qua non of cryptosystems. Actually, by the time Diffie encountered them, the cryptologic arts had progressed dramatically since Vigenère. Still, Diffie’s juvenile inquiries led him to think that Vigenère was the endpoint of the subject. Bored by the thought that cryptography was a problem already solved, he didn’t delve too deeply into Gaines’s book. His obsession with codes faded. At the time, he also felt that everybody was interested in codes, and, as a dogged contrarian, “this made it seem vulgar to me,” he later recalled. “Instead, I learned about ancient fortifications, military maps, camouflage, poison gas, and germ warfare.” He came to share his interests with a small group of teenage friends, and even considered pursuing a career in the armed forces, checking out the ROTC programs of universities he was interested in. But only one of Diffie’s militia-minded clique actually enlisted in one of the armed services — and died in Vietnam. Ultimately it was mathematics, not munitions, which dictated Diffie’s choice of college. Math offered one thing that history did not: a sense of absolute truth.
“I think that one of the central dilemmas of Whit’s life has been to figure out what is really true,” explains Mary Fischer, who says that early in the boy’s life, Diffie’s father was called to school and told that his son was a genius. As Fischer tells it, Bailey Diffie’s reaction was to offer a ruse, in hopes that it would provoke discipline. He told Diffie that he wasn’t as bright as other boys, but if he worked harder than those favored with high intelligence and applied himself, he might be able to achieve something. “With some children that might have worked,” says Fischer, “but with Whit it was a bad tactic. It shook him for years, and I think it gave Whit a real hunger for what was ground-zero truth.” Though Diffie performed competently in school, he never did apply himself to the degree his father hoped. He was sometimes unruly in class; he worked best with material untainted by the stigma of having been assigned. Once a calculus teacher, fed up with Whit’s noise-making, remarked, “One day you’ll be roasting marshmallows in here!” and sure enough, the next class Diffie brought a Sterno can to toast the marshmallows a friend smuggled into school. He failed to fulfill the requirements for a full academic diploma, settling for a minimal distinction known as a general diploma. Nor did he attend graduation; he left with his father on a European trip. (The great tragedy of Diffie’s high school years was the death of his mother; he still avoids talking about it.) Only stratospheric scores on standardized tests enabled him to enter the Massachusetts Institute of Technology in 1961. “I wasn’t a very good student there, either,” Diffie admits. He was, however, dazzled by the brainpower of the student body, a collection of incandescent outcasts, visionaries, and prodigies, some of whom could solve in a minute problems that would take Diffie a day to complete. 
Of these mental luminaries, Whitfield Diffie might have seemed the least likely to produce a world-changing breakthrough. But since his brilliant friends were human beings and not high-powered automata, their trajectories proved far from predictable. Some of the very brightest wound up cycling through esoteric computer simulations, or proselytizing smart drugs, or teaching Transcendental Meditation. Contemporaries from MIT recall Diffie vividly as a quirky teenager with blond hair sticking out from his head by two inches (“You wanted to take a lawn mower to it,” says a friend). He bounded through campus on tiptoe, a weird walk that became an unmistakable signature in motion. But he was noted for his deep understanding of numbers as well. He also took up computer programming — at first, Diffie now says, to get out of the draft. “I thought of computers as very low class,” he says. “I thought of myself as a pure mathematician and was interested in partial differential equations and topology and things like that.” But by 1965, when Diffie graduated from MIT, the Vietnam War was raging and he found himself deeply disenchanted with the trappings of armed conflict. “I had become a peacenik,” he says. Not to mention a full-blown eccentric. He and his girlfriend lived in a small Cambridge apartment that eventually became packed with glass-walled tanks to hold their prodigious collection of exotic fauna. An aficionado of Chinese food, Diffie was also known for carrying around a pair of elegant chopsticks, much the way a serious billiard player totes his favorite cue. To avoid the draft, Diffie accepted a job at the Mitre Corporation, which, as a defense contractor, could shelter its young employees from military service. 
His work had no direct connection to the war effort: he worked under a mathematician named Roland Silver, teaming up with another colleague to write a software package called Mathlab, which later evolved into a well-known symbolic mathematical manipulation system called Macsyma. (Though few knew of the nature of his contribution, the nerd cognoscenti understood that Diffie’s work here involved a virtuosic mastery of arithmetic, number theory, and computer programming.) Best of all, Diffie’s team did not have to work at the Mitre offices but, in 1966, became a resident guest of the esteemed Marvin Minsky in the MIT artificial intelligence lab. During the three years he worked there, Diffie became part of this storied experiment in making machines smart, in pushing the frontiers of computer programming and in establishing an information-sharing ethos as the ground zero of computer culture. One aspect of this hacker-oriented society would turn out to be particularly relevant to the direction that Diffie’s interests were heading. Just as some words in various languages have no meaning to drastically different civilizations (why would a tropical society need to speak of “snow”?), the AI lab had no technological equivalent for a term like “proprietary.” Information was assumed to be as accessible as the air itself. As a consequence, there were no software locks on the operating system written by the MIT wizards. Unlike his peers, however, Diffie believed that technology should offer a sense of privacy. And unlike some of his hacker colleagues, whose greatest kick came from playing in forbidden computer playgrounds, Diffie was drawn to questions of what software could be written to ensure that someone’s files could not be accessed by intruders. To be sure, he participated in the literal safecracking that was a standard hobby in the AI lab: a favorite hacker pastime involved discovering new ways of opening government-approved secure safes.
But Diffie got more of a kick from the protection of a strongly built safe than the rush of breaking a poorly designed system of locks and tumblers. He liked to keep his things in high-security filing cabinets and military safes. In the information age, however, the ultimate information stronghold resides in software, not hardware: virtual safes protecting precious data. Information, after all, represents the treasure of the modern age, as valuable as all the doubloons and bangles of previous eras. The field charged with this responsibility back then was computer security, then in a nascent stage. Not many people bothered to discuss its philosophical underpinnings. But Diffie would often engage his boss in conversations on security. Inevitably, cryptography entered into their discussions. Silver had some knowledge in the field, and the elder man opened Diffie’s eyes to things unimaginable in his fifth-grade independent study. One day the pair sat in the cafeteria at Tech Square, the boxy nine-story building whose upper levels housed the AI lab, and Silver carefully explained to Diffie how modern cryptosystems worked. Naturally, they depended on machinery. The machines that did the work — whether electromechanical devices like the Enigma cipher machines used by the Germans in World War II, or a contemporary computer-driven system — scrambled messages and documents by applying a unique recipe that would change the message, character by character. (The recipe for those transformations would be a set of complicated mathematical formulas or algorithms.) Only someone who had an identical machine or software program could reverse the process and divine the plaintext, with use of the special numerical key that had helped encrypt it. In the case of the Enigma machines, that key involved “settings,” the positions of the various code wheels that determined how each letter would be changed. 
Each day the encrypters would reset the wheels in a different way; those receiving the message would already have been informed of what those settings should be on that given day. That’s why the Allied coup of recovering live Enigma machines — the key intelligence breakthrough of World War II — was only part of the elaborate codebreaking process that took place at Bletchley Park in England. The cryptanalysts also had to learn the process by which the Axis foes made their settings; then they could conduct what was known as a “brute force” attack that required going through all the possible combinations of settings. This could be efficiently done only by creating machines that were the forerunners of modern computers. With computers, the equivalent of Enigma settings would become a digital key, a long string of numbers that would help determine how the system would transform the original message. Of course, the intended recipient of the message had to have not only the same computer program, but also that same key. But both mechanical and digital systems had two components: a so-called black box with the rules of transformation and a key that you’d feed into the black box along with your everyday message in plain English. Such was the background for what Silver talked about to Diffie that day — but not being privy to government secrets, he actually knew few of the details. He was able to explain, however, how computer cryptosystems generated a series of digits that represented a keystream, and how that would be “xor-ed” with the plaintext stream to get a ciphertext. (As any computer scientist knows, an xor operation involves pairing a digital bit with another bit, and generating a one or zero depending on whether they match.) If the key is suitably unpredictable, your output would be the most imponderable string of gibberish imaginable, recoverable (one hoped) only by using that same key to reverse the process. 
Imponderable, of course, is a relative term, but those who devised cryptosystems had a standard to live up to: randomness. The idea was to create ciphertext that appeared to be as close to a random string of characters as possible. Otherwise, a smart, dedicated, and resourceful codebreaker could seize upon even the most subtle of patterns and eventually reconstruct the original message. A totally random stream could produce uncrackable code — this essentially represented the most secure form of encryption possible, the so-called one-time pad, a system that provided a truly randomly chosen substitute for every letter in the plaintext. One-time pads were the only cryptographic solution that was mathematically certain to be impervious to cryptanalysis. The problem with one-time pads, however, was that for every character in the message, you needed a different number in the “key material” that originally transformed readable plaintext into jumbled ciphertext. In other words, a key for a one-time pad system had to be at least as long as the message and couldn’t be used more than once. The unwieldiness of the process made it difficult to implement in the field. Even serious attempts to deploy one-time pads were commonly undermined by those tempted to save time and energy by reusing a pad. His conversations with Silver excited Diffie. The subject of “pseudo-randomness” was clearly of importance to both the mathematical and real worlds, where security and privacy depended on the effectiveness of those codes. How close to randomness could we go? Obviously, there was a lot of work going on to discover the answer to that question — but the work was going on behind steep barriers erected and maintained by the government’s intelligence agencies. In fact, just about all the news about modern cryptography was behind that barrier. Everyone else had to rely on the same texts Whitfield Diffie had encountered in the fifth grade. 
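The keystream XOR and the one-time-pad rules described above (a key at least as long as the message, never used twice) are easiest to appreciate by seeing what a reused pad gives away. This is an added example, not code from the book; the two sample messages, the `OneTimePad` class and the function names are assumptions made for the illustration.

```python
# Added example (not from the book): XOR with a keystream, and why a pad is
# "one-time". Reusing key material makes the key cancel out of the ciphertexts.
import secrets


def xor_bytes(a, b):
    """XOR two equal-length byte strings, bit against bit."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


class OneTimePad:
    """Key material that is consumed as it is used and never handed out twice."""

    def __init__(self, material):
        self._material = material
        self._used = 0  # number of pad bytes already spent

    def next_key(self, length):
        end = self._used + length
        if end > len(self._material):
            # The key must be at least as long as everything it protects.
            raise ValueError("pad exhausted: refusing to reuse key material")
        key = self._material[self._used:end]
        self._used = end
        return key

    def encrypt(self, plaintext):
        return xor_bytes(plaintext, self.next_key(len(plaintext)))


def reused_pad_leak(ciphertext_1, ciphertext_2):
    """If one pad encrypted both messages, c1 XOR c2 equals p1 XOR p2."""
    n = min(len(ciphertext_1), len(ciphertext_2))
    return xor_bytes(ciphertext_1[:n], ciphertext_2[:n])


def demo():
    # Constructed sample messages of equal length (assumptions for the demo).
    p1 = b"MEET AT THE NORTH GATE"
    p2 = b"SHIP SAILS AT DAYBREAK"
    pad = secrets.token_bytes(len(p1))  # random key as long as the message

    # Correct use: the same key reverses the process.
    c1 = xor_bytes(p1, pad)
    roundtrip = xor_bytes(c1, pad)

    # The field shortcut: a second message under the same pad.
    c2 = xor_bytes(p2, pad)
    leak = reused_pad_leak(c1, c2)

    # The pad no longer appears in `leak`, so anyone who knows or guesses
    # the first message reads the second without ever seeing the key.
    recovered_p2 = xor_bytes(leak, p1)
    return {"p1": p1, "p2": p2, "roundtrip": roundtrip,
            "leak": leak, "recovered_p2": recovered_p2}


if __name__ == "__main__":
    result = demo()
    print("round trip ok:", result["roundtrip"] == result["p1"])
    print("second message recovered without the pad:", result["recovered_p2"])
```

The `OneTimePad` class shows the discipline the scheme depends on: key bytes are spent exactly once, and encryption fails outright rather than wrapping around to material that has already been used.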
And they didn’t talk about how one went about changing the orderly procession of ones and zeros in a computer message to a different set of totally inscrutable ones and zeros using state-of-the-art stuff like Fibonacci generators, shift registers, or nonlinear feedback logic. Diffie resented this. “A well-developed technology is being kept secret!” he thought. He began to stew over this injustice. One day, walking with Silver along Mass Avenue near the railroad tracks, he spilled his concerns. Cryptography is vital to human privacy! he railed. Maybe, he suggested, passionate researchers in the public sector should attempt to liberate the subject. “If we put our minds to it,” he told Silver, “we could rediscover a lot of that material.” That is, they could virtually declassify it. Silver was skeptical. “A lot of very smart people work at the NSA,” he said, referring to the National Security Agency, the U.S. government’s citadel of cryptography. After all, Silver explained, this organization had not only some of the best brains in the country, but billions of dollars in support. Its workers had years of experience and full access to recent cryptographic discoveries and techniques unknown to the hoi polloi — however intelligent — without high security clearances. The agency had supercomputers in its basement that made even MIT’s state-of-the-art mainframe computers look like pocket calculators. How could outsiders like Diffie and Silver hope to match that? Silver also told Diffie a story about his own NSA experience years earlier while writing a random number generator for the Digital Equipment Corporation’s PDP-1 machine. He needed some information: his reasons were noncryptographic; he simply had a certain mathematical need, a polynomial number with some particular properties. He was sure that a friend of his at the NSA would know the answer instantly, and he put in a call. “Yes, I do know,” said the friend. What was it? 
After a very long silence, during which Silver assumed that the friend was asking permission, the NSA scientist returned to the phone. Silver heard, in a conspiratorial whisper, “x to the twenty-fifth, plus x to the seventh, plus one.” Diffie was outraged at this secretiveness. He’d heard about the NSA, of course, but hadn’t known that much about it. Just what was this organization, which acted as if it actually owned mathematical truths?

* * *

Created by President Truman’s top-secret order in the fall of 1952, the National Security Agency was a multibillion-dollar organization that operated totally in the “black” region of government, where only those who could prove a “need to know” were entitled to knowledge. (It was not until five years after its founding that a government document even acknowledged its existence.) The NSA’s cryptographic mission is twofold: to maintain the security of government information and to gather foreign intelligence. The double-sided nature of its duty led the NSA to organize itself into two major divisions: Communications Security, or COMSEC, which tries to devise codes that cannot be broken, and Communications Intelligence, or COMINT, which collects and decodes information from around the world. (Since the latter function most often involves intercepting and interpreting electronic information, it is more broadly referred to as signals intelligence, or SIGINT.) Over the years the NSA has established a vast network of listening devices and sensors to gather signals from even the most obscure reaches of the globe, an operation that expanded beyond the planetary atmosphere when the satellite era began in the 1960s. In the early 1970s, none of this was discussed publicly. Within the Beltway, people in the know jokingly referred to the organizational acronym as No Such Agency. 
Those very few members of Congress who had oversight responsibility for intelligence funding would learn what had to be conveyed only in shielded rooms, swept for listening devices. Access to the organization’s headquarters at Fort George Meade, Maryland, was, as one might imagine, severely limited. A triple-barbed-wired and electrified fence kept outsiders at bay. To work within the gates, of course, one had to survive a rigid vetting. “By joining NSA,” reads the introduction to a handbook presented to new hires, “you have been given an opportunity to participate in the activities of one of the most important intelligence organizations of the United States government. At the same time you have assumed a trust which carries with it a most important individual responsibility — the safeguarding of sensitive information vital to the security of our nation.” Since all the salient information about modern crypto was withheld from public view, outsiders could only guess at what happened in “The Fort.” The NSA undoubtedly operated the most sophisticated snooping operation in the world. It was universally assumed (though never admitted) that no foreign phone call, radio broadcast, or telegraph transmission was safe from the agency’s global vacuum cleaner. Signals were sucked up and the content analyzed with multi-MIPS computers, combing the text for anything of value. (These suspicions were later confirmed with leaks of Project Echelon, the NSA’s ambitious program to monitor foreign communications.) Were the results worth the billions of dollars and the questionable morality of the effort itself? This was something known only to the very few government officials who received briefings on the fabled intercepts — and even they were dependent on the quality of information that came from the agency itself. 
What’s more, the NSA considered itself the sole repository of cryptographic information in the country — not just that used by the civilian government and all the armed forces, as the law dictated, but that used by the private sector as well. Ultimately, the triple-depth electrified and barbed-wire fence surrounding its headquarters was not only a physical barrier but a metaphor for the NSA’s near-fanatical drive to hide information about itself and its activities. In the United States of America, serious crypto existed only behind the Triple Fence. Every day the NSA pored over new ideas for cryptographic systems submitted by would-be innovators in the field. “Their ideas disappear into the black maw of the NSA, and may see service in American cryptography,” wrote David Kahn, “but security prevents the inventor from ever knowing this — and may enable the agency or its employees to utilize his ideas without compensation.” But even those who did not submit ideas were not free of the NSA’s stranglehold. The agency monitored all patent requests concerning cryptography and had the legal power to classify any of those it deemed too powerful to fall into the public domain. As he learned more about the NSA, Whit Diffie came to feel a bit foolish that despite his having heard of the agency, the extent of its power had only belatedly dawned on him. Diffie had actually visited the Institute for Defense Analyses (IDA) at Princeton, a quasi-private outpost of the NSA, but he’d had only the vaguest idea about the organization’s mission at the time. Not that it would have helped him get information from those crypto illuminati. One may socialize and even exchange thoughts with those who had ventured behind the Triple Fence, but only as long as those thoughts did not involve the forbidden subject of cryptography. Cryptography, however, was exactly what Diffie wanted to talk about. 
He wanted to learn as much as he could, to have far-ranging conversations with the leaders in the field. Even the foot soldiers in the field would do. But he quickly became frustrated with those who would not, or could not, talk about it. For instance, Diffie quizzed an MIT colleague named Dan Edwards, who would join the NSA after graduating. “He was extremely unhelpful,” Diffie later reported, “failing to reveal things which were certainly not classified and which I later saw in the bibliography of his thesis.” And when a colleague at Mitre went to work at IDA, Diffie asked him if he could share anything about his work. After a tantalizing pause: no. Perhaps the idea of pursuing the forbidden was simply irresistible to a contrarian like Diffie. He kept thinking about crypto and the silent embargo against it. And the more he thought about the problem, the more he came to understand how deeply, deeply important the issue was. Especially in what he saw as the coming era of computational ubiquity. As more people used computers, wireless telephones, and other electronic devices, they would demand cryptography. Just as the invention of the telegraph upped the cryptographic ante by moving messages thousands of miles in the open, presenting a ripe opportunity for eavesdroppers of every stripe, the computer age would be moving billions of messages previously committed to paper into the realm of bits. Unencrypted, those bits were low-hanging fruit for snoopers. Could cryptography, that science kept intentionally opaque by the forces of government, help out? The answer was as clear as plaintext. Of course it could! Right at MIT there was an excellent example of a need for a cryptographic solution to a big problem. The main computer system there was called Compatible Time Sharing System (CTSS). It was one of the first that used time-sharing, an arrangement by which several users could work on the machine simultaneously. 
Obviously, the use of a shared computer required some protocols to protect the privacy of each person’s information. CTSS performed this by assigning a password to each user; his or her files would be in the equivalent of a locked mini-storage space, and each password would be the equivalent of the key that unlocked the door to that area. Passwords were distributed and maintained by a human being, the system operator. This central authority figure in essence controlled the privacy of every user. Even if he or she were scrupulously honest about protecting the passwords, the very fact that they existed within a centralized system provided an opportunity for compromise. Outside authorities had a clear shot at that information: simply present the system operator with a subpoena. “That person would sell you out,” says Diffie, “because he had no interest in defying the order and going to jail to protect your data.” Diffie believed in what he called “a decentralized view of authority.” By creating the proper cryptographic tools, he felt, you could solve the problem — by transferring the data protection from a disinterested third party to the actual user, the one whose privacy was actually at risk. He fantasized about a company that would invent and implement such tools. He even had a name for this imaginary concern: Privacy Protection, Incorporated. But in Diffie’s fantasy, it was someone else who devised the solution, someone else who founded the company — not him. Though he was becoming absolutely sure that the problems of maintaining privacy in a non-crypto-protected world were insurmountable, he assumed that others would be better qualified, better motivated, more practically oriented than he to create the crypto to tackle such problems. So he tried to convince others to work on the solution. With little success. “None of the people I tried to get interested in the subject did anything,” he recalls. 
So Diffie kept working on his main interest, which lay in a mathematical problem called “proof of correctness.” But he kept researching what he could on crypto, though at this point his efforts were far from methodical. One day at the Cambridge Public Library, Diffie was browsing the recent acquisitions and came across The Broken Seal by Ladislas Farago, a book about the pre–Pearl Harbor codebreaking efforts. He read a bit of it right there, and he certainly thought it worth reading further. But he never did. (Worse, he came to confuse this book with another book published at that time, David Kahn’s The Codebreakers, which delayed his reading of the more important work.) Similarly, one day at Mitre, a colleague moving out of his office gave Diffie a 1949 paper by Claude Shannon. The legendary father of information theory had been teaching at MIT since 1956, but Diffie had never met him, a slight, introverted professor who lived a quiet family life, pursuing a variety of interests from reading science fiction to listening to jazz. (Presumably, by the time Shannon had reached his sixties, he had put aside the unicycle he had once mastered.) Shannon’s impact on cryptography was considerable. After receiving an MIT doctorate in 1940, he had worked for Bell Telephone Laboratories during the war, specializing in secrecy systems. The work was classified, of course, but in the late part of the decade the two key papers in Shannon’s wartime work found their way into the public domain. In 1948, Shannon’s seminal article on information, “Mathematical Theory of Communication,” ran in the Bell System Technical Journal, and subtly set the stage for the digital epoch. A year later, “Communication Theory of Secrecy Systems” appeared in the same journal. Both efforts were highly technical; those without advanced math degrees could barely venture a few paragraphs without being snared in a thicket of thorny equations and formulas. 
But Shannon had a sense of clarity that enabled him to send a clear signal through the noise of high-level math. In the latter paper, he clearly and concisely examined the basic cryptographic relationship from scratch, addressing the “general mathematical structure and properties of secrecy systems.” He even provided a diagram of the classic cryptanalytic situation, beginning with a box representing the original message. This was transformed by an “encipherer” with access to a “key source.” The message would move to the “decipherer,” who’d use the same key source to return the message to its original form. But there was another line branching out from the cryptogram. It led to the “enemy cryptanalyst,” who might be able to intercept the encrypted message. That third party was always to be assumed. The challenge was to make it impossible for that enemy to crack the cryptogram. The concepts of signal and noise loomed large in Shannon’s view of cryptology. He saw crypto as a high-stakes zero-sum game between secret keeper and foe, where a successful secret was a signal that could not be teased out of the apparent noise. In his sixty-page discussion of the matter, he masterfully clarified the dilemma of both encrypter and enemy. The gift of the Shannon paper was undoubtedly one of the most valuable that a prospective cryptographer like Diffie could hope for in the late 1960s. Diffie himself would later consider it the last worthwhile unclassified paper published for over twenty years. Too bad that Whit Diffie, still pursuing knowledge in a scattershot manner, waited several years before actually reading it.

* * *

In 1969, Diffie finally left Mitre. His funding had run out, and now that he was approaching the draft cutoff age, he had the freedom to leave. He had never really liked Cambridge very much. In high school, Diffie had hung out with the left-liberal and even the red diaper set, and led a full social life, with folk-singing parties and lots of friendly girls. 
Though similar scenes undoubtedly existed in Cambridge, “I just didn’t find them,” Diffie now moans. But at the University of California at Berkeley, where he spent a summer after his freshman year, Diffie found a place among the left-leaning protest crowd. “I really believe in the radical viewpoint,” he says. “And I have always believed that one’s politics and the character of his particular work are inseparable.” So Diffie and his girlfriend moved west, and Diffie went to work at John McCarthy’s Stanford Artificial Intelligence Lab. Supposedly, he would continue working on proof of correctness and other mathematical problems that applied to computer science. But in conversations with McCarthy, Diffie was led into a deeper consideration of privacy concerns. A pioneer in time-sharing, McCarthy understood that soon computer terminals would find their way into the home. Inevitably, he believed, the nature of work itself would change, as the electronic office became something that moved out of the cloistered world of computer scientists and hackers and deep into the mainstream. This would open up not only a thicket of security problems, but also a host of novel challenges that almost no one was thinking about in 1969: If work products became electronic — produced on computer and sent over digital networks — how would people duplicate the customary forms of authentication (the means to verify that the author of a document was actually the person he or she claimed to be)? What would be the computerized version of a receipt? How could you get a computer-generated equivalent of a signed contract? Even if people were given unique “digital signatures” — say, a long, randomly generated number bequeathed to a single person — the nature of digital media, in which something can be copied in milliseconds, would seem to make such an identifier pointless. 
If you “signed” such a number to a contract, what would stop someone from simply scooping up the signature, making a perfect copy, and affixing it to other documents, contracts, and bank checks? If even the possibility of such unauthorized signed copies existed, the signature would be worthless. “I didn’t sign this,” someone could say. “Someone copied my signature!” Diffie began to wonder how one could begin to fix this apparently inherent flaw in the concept of digital commerce. Diffie and McCarthy spent hours in rambling discussions on issues like authentication and the problems of distributing electronic keys. But Diffie still was more interested in letting others create the solution. In the summer of 1972, however, machinations in Washington, D.C., indirectly changed his course. The government, under the aegis of the Defense Department’s Advanced Research Projects Agency (ARPA), had recently begun a program to link major research institutions. This was known as the ARPAnet, a system that would one day transmogrify into today’s Internet. ARPA’s director of information-processing techniques, Larry Roberts, realized that such a computer network, the first computer net to link multiple sites and handle hundreds if not thousands of users, would need a way to keep messages secure, and the obvious way of doing that was to devise new crypto solutions. But when Roberts approached the NSA, he got a quick brush-off. Ultimately, he enlisted the help of Bolt Beranek Newman, the Boston-based company that helped set up ARPAnet in the first place. In the meantime, he mentioned the problem to his friend John McCarthy, who encouraged people at Stanford to concoct some crypto programs. They began working on what Diffie later called “a very complicated system combining the effects of several linear congruential random number generators.” Since Diffie’s girlfriend was on that team, he also was drawn into the effort. Naturally, his curiosity led him to study the system closely. 
As he came to understand it, he found himself dissatisfied with its lack of efficiency. Diffie believed that if cryptography were to be used in a computer system, it was essential that users not have to suffer performance lags. Ideally, encryption should add but a tiny — or imperceptible — increment to the time it took to perform a function like copying a file. Diffie went over the group’s basic encoding algorithm and eventually wrote a routine that ran much faster. In the process — now that he was actually doing some cryptography — he began to spend even more time thinking about the larger issue of how to advance the field. Later that year he went to Cambridge and saw Roland Silver again; Diffie now had much more hands-on expertise to bring to a discussion of crypto, and their rich exchange fueled his interest even more. By now Diffie had finally gotten around to reading David Kahn’s The Codebreakers. Since Diffie was a very slow, methodical reader, tackling a book of a thousand densely packed pages was a major undertaking for him. “He traveled everywhere with that book in hand,” says his friend Harriet Fell. “If you invited him to dinner, he’d come with The Codebreakers.” But Diffie found the hundreds of hours he spent on the book to be well worth the trouble. Indeed, The Codebreakers was a landmark work — and one that the government had not wanted to see published. Kahn was a Newsday reporter who, as a twelve-year-old, had been thrilled, like Diffie and countless other boys, with his first exposure to the mysteries of secret writing. That moment first came on a visit to the local Great Neck (Long Island, New York) library, where the cover to a potboiler history called Secret and Urgent, by Fletcher Pratt, was on display. “This was about 1942 or ’43,” recalls Kahn. “That dust jacket was terrific; it had letters and numbers swirling out of the cosmos. I was hooked.” The hook sank deeper when he actually read the book and learned about how ciphers worked. 
The youngster joined what was then probably the most sophisticated cryptography organization outside the government, the American Cryptogram Association. Which wasn’t saying much. “It was a bunch of amateurs,” he says. “They solved cryptograms as puzzles, and used a little publication with articles on how to solve them.” Many of the members were elderly, or at least had time on their hands. There was even an offshoot called the Bedwarmers. “These were people with polio, or were in some sort of clinic, or were paralyzed,” says Kahn. “They couldn’t move around very well so they solved puzzles.” Such was the scope of crypto work outside the government. Unlike Diffie, however, Kahn loved to solve the puzzles himself, and kept his interest into adulthood. He discussed some sophisticated schemes with some fellow Cryptogram Association members. “Otherwise, you were totally isolated,” he says. “This was an unknown field; nobody knew anything about it.” But he didn’t detect a more general interest in cryptography until 1961, when two NSA cryptographers defected to the USSR and held a press conference about their experience. This was revelatory to Kahn; despite diligently monitoring all the public literature about cryptography, he had hardly known that the NSA existed! Still, since he knew something about crypto, he dared to ask editors at the New York Times Magazine if they would like a backgrounder on the subject. They did, and he produced it. The day after the story’s publication, Kahn received three book contract offers. He turned them down since they were from paperback publishers and he wanted his work between boards. He got his wish a week later when an editor named Peter Ritner asked him to do a hardcover for Macmillan. Kahn wrote up an outline for a general book about codes, and received a $2000 advance. But as he began working on the introductory section, his research efforts kept kicking up more and more interesting stories from disparate sources. 
By the time he reached page 250 of his “preliminary chapter” — he had barely gotten to the Renaissance — he realized that he was really writing the comprehensive history of cryptology. Two years into the project, Kahn quit his job to focus his efforts full time on the book. He lived off his savings, bunking at his parents’ house and eating meals cooked by his grandmother. He wrote hundreds of letters, spent days in the New York Public Library, and, most important, connected with people who had never previously told their stories. A high-ranking Department of Defense official allowed him access to two important World War II codebreakers — an astonishing event given how Cold War politics decreed that revealing any information of this sort was virtually treason — if he agreed to submit his notes from the interviews to the government. “I guess the [Defense official] didn’t know what he was getting into,” reasons Kahn, “and when the notes got submitted to the NSA, the government panicked, and said I had to [disregard the information]. I respectfully declined.” Kahn also constructed, with the help of an important confidential source, the first public account of the extent of the NSA’s power, constructing it from the bits and pieces that had dribbled out over the years. But the most explosive details of Kahn’s book lay in its methodical explanation of how cryptography works, and how the NSA used it. When The Codebreakers was finished in 1965, it contained the most complete description of the operations of Fort Meade that had ever been compiled without an EYES-ONLY stamp on each page. Quite correctly, officials at the National Security Agency had come to view Kahn’s book as a literary hand grenade, with the potential for serious damage to the government’s carefully maintained ramparts of secrecy. 
In his NSA exposé The Puzzle Palace, author James Bamford wrote that “innumerable hours of meetings and discussions, involving the highest levels of the agency, including the director, were spent in an attempt to sandbag the book.” Countermeasures considered behind the Triple Fence ranged from outright purchase of the copyright to a break-in at Kahn’s home. Kahn, who had moved to Paris to work for the Herald Tribune, was placed on the NSA’s “watch list,” enabling eavesdroppers to read his mail and monitor his conversations. To Kahn’s dismay, in March 1966 his editor sent the manuscript off to the Pentagon for its scrutiny and comments. Of course, it was then shipped to Fort Meade. The Defense Department wrote Macmillan’s chairman that publishing The Codebreakers “would not be in the national interest.” But Macmillan didn’t bend, less because of backbone, Kahn guesses, than the fact that by that point in the production process “they had too much money put into it.” So the NSA took an extraordinary step. In July 1966, its director, Lt. Gen. Marshall S. Carter — a man so secretive that his name never appeared in newspapers — flew to New York City and met with the chairman of the publishing company, its legal counsel, and Kahn’s editor, Peter Ritner. After attacking Kahn’s reputation and expertise, Carter finally made a personal appeal for three specific deletions. A few days later, Ritner presented Kahn with the request. The actual deletions struck Kahn as surprisingly inconsequential. “It didn’t really hurt the book, so I took the three things out,” Kahn says. “But I insisted that we put in a statement to the effect that the book had been submitted to the Department of Defense. In the end that had a good effect, because right-wing reviewers could otherwise have said the book was destroying the republic. Now they couldn’t.” While The Codebreakers never made the New York Times bestseller list, it became a steady seller, going through dozens of printings. 
And it did not, as the NSA had hysterically predicted, bring an abrupt close to the American century. It did, however, enlighten a new generation of cryptographers who would dare to work outside of the government’s wall of secrecy. And its prime student was Whitfield Diffie. “I read it more carefully than anyone had ever read it. . . . Kahn’s book to me is like the Vedas,” he explains, citing the centuries-old Indian text. “There’s an expression I learned: ‘If a man loses his cow, he looks for it in the Vedas.’ ” By the time Whitfield Diffie finished The Codebreakers, he was no longer depending on others to tackle the great problems of cryptography. He was personally, passionately engaged in them himself. They consumed his waking dreams. They were now his obsession. Why had Diffie’s once-intermittent interest become such a consuming passion? Behind every great cryptographer, it seems, there is a driving pathology. Though Diffie’s quest was basically an intellectual challenge, he had come to take it very personally. Beneath his casual attire and streaming blond hair, Diffie was a proud and determined man. He had an unusual drive for getting at what he considered the bedrock truth of any issue. This led to a fascination with protecting and uncovering secrets, especially important secrets that were desperately held. “Ostensibly, my reason for getting interested in this was its importance to personal privacy,” he now says. “But I was also fascinated with investigating this business that people wouldn’t tell you about.” It was as if solving this conundrum would provide a more general meaning to the world at large. “I guess in a very real sense I’m a Gnostic,” he says. “I had been looking all my life for some great mystery. . . . 
I think somewhere deep in my mind is the notion that if I could learn just the right thing, I would be saved.” And then, Diffie’s quest to discover truths in cryptography became intertwined with another sort of romance: his courtship of Mary Fischer.

* * *

It had not been Whit Diffie’s original intention to fall in love with a Jewish Brooklyn-born animal trainer who was already married. Up to the day when she upbraided him on the phone for ignoring her, he had in fact hardly thought of her. But her outburst struck a nerve, perhaps more so because his own longtime relationship was on the wane. When he bid goodbye to Mary on his way across the country, and told her he’d see her in a year, he meant it. With about $12,000 he had saved from his salary at Mitre and an intention to live “low on the hog,” as he later put it, he was out to learn all he could about crypto — and maybe do something about it. That seemed like a solitary mission. But in August 1973, when he stopped by Fischer’s New Jersey house for a visit, he found that her marriage was falling apart and that she was finding relief by going to charismatic prayer meetings. It was not the type of thing she felt comfortable talking about to mathematical types like Diffie, but when she came out with it, his reaction took her aback. “You know, Mary,” he said, “I’ve always had a soft spot for mystics.” They began to spend time together. Fischer didn’t drive, and Diffie fell into the habit of escorting her to zoos — especially to locate a King cobra — and then on longer trips to view architecturally interesting churches. At one point, on a Massachusetts road, Diffie impulsively pulled the car over and very quietly told Mary he loved her. She said she loved him back. And that was that. Though it was painful for Fischer to acknowledge the end of her marriage, Diffie hastened the process by daring her to join him on a sojourn to Florida to watch a launch of the Skylab mission. 
They drove straight through and arrived at Cape Canaveral at three in the morning. Some hours later, they watched together as the big rocket blew fire on its jump toward the cosmos. From that point, Mary Fischer was Diffie’s companion, and eventually his wife, as he drove thousands of miles in his search for an answer to the riddle of cryptography. They would pass the hours talking, or, more often, singing popular tunes. The National Security Agency had no clue that the man who was about to make life infinitely more difficult for them was spending endless hours in a Datsun 510, crooning “Sweet Caroline” with his new girlfriend. Though Fischer had little understanding of the technologies and mathematics that drove Diffie, she became his partner in the quest. His cryptographic muse. “I was terrified all the time because I’d abandoned everything that was familiar to me,” she recalls of those days. “Every now and then he’d stop off at a library, or see somebody, and it was really cloak and dagger — people who didn’t want to talk to him, people who put their coats over their faces, people who wanted to know how the hell he’d found out their names, people who had secrets, clearly, and were not about to share them. And Whit was trying to ferret those secrets out. It was a perpetual kind of voyage of discovery because he kept checking out these people. And sometimes he’d say, ‘I want you to stand here to listen. I don’t want anybody to see you but I just want you to listen.’ So I went on some of these encounters. But basically I didn’t have a clue what he was up to.” Sometimes Diffie would try to explain his motivations to her. The computer age, he told Mary, held terrible implications for privacy. As these machines become ascendant, and we use them for everyday communication, he warned, we may never experience privacy as we know it today. His apocalyptic tone unsettled Mary, but she wanted to hear more. 
Eventually, Mary understood how Diffie’s mission mixed the political with the personal. Devising a way to wedge open the NSA’s grip on crypto would satisfy not only Diffie’s sixties-style rebelliousness, but also what would later be identified as a strongly libertarian ethic in him. “Whit wants to uncover secrets,” she says. “Anything that’s secret is something that Whit has to know. When we first got together I couldn’t believe it. He was doing things like going through my garbage bags. He didn’t trust anything. He feels as though what ordinary people take for granted is just too simple and there must be more under the surface there. And he builds up terrible complications that way.” Of course, the most significant complication was his seemingly quixotic mission to discover something under the nose of the National Security Agency. He wondered whether he was putting himself at risk, and indeed, because of this, “my attitude was to keep my head down for the first couple of years,” he says. Ultimately, though, the length of the odds stacked against him only made the quest more attractive to Diffie. One thing Diffie did trust during this period was the Datsun 510 automobile. He kept buying and rebuilding them, even though the evidence indicates that the cars were far from immortal. “I was stubborn,” he explains, adding that “most of what I do is characterized by the fact that I’m stubborn.” Mary Fischer puts it differently. “When Whit decides he wants something, he’ll research it thoroughly, fix on the best idea of its kind, and from then on he is married to that thing.” His Datsun broke down in Nebraska, whereupon Diffie rented a truck and transported the car to the West Coast. He then purchased a second 510, a black junker with about 100,000 miles on it. “It had a fine set of insides in it,” Diffie recalls fondly. This took him and Mary on their second continental crossing. 
The car took sick in La Mesilla, New Mexico, emitting an ominous chink-chink-chink sound, but it got Whit and Mary back to California, only to go dead in a Redwood City parking space two days later. Diffie then purchased more Datsuns, initiating an elaborate process of vehicular organ transplants. “At one point we had five Datsuns,” recalls Mary Fischer. “Whit would work on them himself; he didn’t trust mechanics. He is not an utterly trusting soul.” What did Diffie encounter during his cross-country journeys? Many people who refused him. But a few helped, providing him with hints of contemporary crypto techniques, or even unpublished works. Among those helpers was Diffie’s personal Mao, David Kahn, who invited Diffie for pizza at his Long Island home after Diffie had cold-called to introduce himself. Though taken aback by Diffie’s appearance — an abundance of hair and ultracasual attire — The Codebreakers’ author was impressed with his knowledge. He agreed to provide Diffie with some crypto documents from his research. One important cache of papers dealt with William Friedman, the acknowledged godfather of the government’s cryptographic efforts. A naturalized American born in Russia late in the nineteenth century, Friedman had become interested in cryptography while researching the possibility that Francis Bacon was the true author of Shakespeare’s plays. (Many years later Friedman and his wife Elizabeth would authoritatively debunk this notion in their book, The Shakespearean Ciphers Examined.) During World War I, Friedman became involved in the U.S. government’s codebreaking efforts and developed a series of courses to train prospective cryptanalysts. Within the closed community, his works became classics, particularly those on his use of statistics to crack codes. 
Friedman’s World War II work was instrumental in breaking the Japanese cipher PURPLE, and he was an important figure in the early NSA, remaining active as a consultant long after his retirement in 1955. Throughout, virtually all his critical work was top-secret, so when Kahn offered Diffie a look at some rare, recently declassified materials, Diffie treated them like the original copies of the Constitution. Instead of handing the bound books over to attendants at a photocopying center, he lovingly photographed each page with a 35mm camera. This meticulousness proved prescient, as the NSA hadn’t yet realized that copies of these papers had slipped underneath the Triple Fence; when it did, the agency would attempt to retroactively classify the material, thus making criminals of those who did not immediately turn them over to the proper authorities. In the summer of 1974, Diffie heard that Jim Reeds, a Harvard doctoral student in statistics he had met a year earlier, was leading a seminar in cryptography there. Diffie headed back to Cambridge and sat in. Also attending was Bill Mann, a friend who was working on the ARPA security plan. At one point Diffie was trying to explain to Mann the meaning of something called a one-way function. This was a mathematical oddity that he had come across and couldn’t stop thinking about. A true one-way function is something that can be calculated easily in one direction but not easily reversed — a mathematical Humpty-Dumpty. One cryptographer would later explain that when you broke a dinner plate, you were using a one-way function: “It is easy to smash a dinner plate,” he wrote. “However, it’s not easy to put all of those tiny pieces back together again into a plate.” Diffie was increasingly convinced that one-way functions could figure into a new kind of cryptographic approach, but he wasn’t sure how. He couldn’t even explain what it was clearly enough for Mann to understand it. But Mann misunderstood it rather creatively. 
He came away with the impression that a one-way function was something that not only could be quickly computed in one direction but could be calculated in reverse as well — if you had the proper information. Using the plate analogy, Mann said it was as if the guy who broke the plate had some magic way to un-break it, like a film running backward showing those tiny shards of broken china fusing back into a pristine dinner plate. As he laid out his conception to Diffie, Mann was envisioning what one day would be called a “trapdoor one-way function.” It would prove to be a prescient misunderstanding. Also in Cambridge, Diffie talked about crypto with Richard Schroeppel. He was a former MIT hacker who had a reputation as a math wizard. Schroeppel had been thinking about the idea of electronic commerce, and was beginning to grapple with the same sorts of problems that Diffie and McCarthy had discussed: What if Company A wanted to place an electronic order with some Company B and no preexisting relationship existed? How could they secure their communications? Schroeppel was impressed that Diffie had done a lot of thinking about such problems. And he certainly respected Diffie, who had done great, though unheralded, work at MIT’s AI lab, building Macsyma. Schroeppel also knew that Diffie had written the complicated routines to handle large numbers in the Stanford version of the computer language LISP. “To my mind, writing a set of big number routines crosses you over a threshold,” says Schroeppel. “It’s like passing the Bar [exam]; it means you really know how to use a computer and you really know how to do arithmetic.” Over lunch one day Diffie floated the idea that perhaps there was a way to get around the electronic commerce problem. What about a one-way function, he suggested — a reversible one-way function, like the one Bill Mann had unwittingly suggested? Could that possibly be part of a solution? They talked about it for a while, but Schroeppel was skeptical. 
“Actually, you probably can’t find any of those functions,” he warned Diffie. “They probably don’t exist.” Undaunted, Diffie kept on, desperate for someone who could provide him with more clues. He and Fischer went to see a friend in Cambridge who mentioned a fellow named Alan Tritter. Tritter supposedly had done work in cryptography. He now worked for IBM. So during that same summer of 1974, Diffie tracked him down at the major center of cryptographic activity outside the government, IBM’s T. J. Watson Labs, in Westchester County, New York. Even in a field littered with brilliant oddballs, Tritter stood out. Due to a rare disease that generated a massive volume of body fat, he weighed what friends estimated as a minimum of 400 pounds. Rumor had it that his grandfather had been a wealthy man who had left Tritter only enough money to attend school. Though some regarded him as a mathematical genius, others felt that his reputation was unearned. “Immediately after he was hired, it was regretted, but IBM wouldn’t admit its error,” complained one former IBM colleague. “I don’t really think he did anything there.” On the other hand, Tritter was ahead of his time by acquiring an early mastery of telephone hacking. He would die young. Diffie was immediately gratified to learn that Tritter was knowledgeable about Identification Friend or Foe (IFF) devices. Reading Kahn’s book, Diffie had been intrigued by its mention of these systems, which are communications devices that essentially quiz each other to authenticate one’s identity. As Tritter explained it to Diffie, an IFF device works by issuing a cryptographic “challenge,” one that can be successfully met only by use of secret information to precisely solve the problem. The canonical IFF situation is a fighter plane encountering another airborne craft during a period of hostilities. If the intruder is a foe, it must be shot down, but it’s obviously unwise to fire before determining if the target might be an ally. 
The IFF process is an electronic equivalent to a sentry’s question to an approaching foot soldier: “What’s the password?” Of course, IFF systems relied on more complicated protocols than passwords. Since such communications were generally conducted by radio, it was assumed that enemies could listen in, and if a general password were issued to the forces of one side, a foe could easily discover the magic utterance that would enable its own planes to pose as friends. It turned out that one of Tritter’s colleagues at IBM, a German-born scientist named Horst Feistel, had performed crucial work in the field. (Unfortunately, Feistel had left for a Cape Cod weekend, and Diffie could not meet him then.) Tritter explained to Diffie how Feistel’s IFF system got around the eavesdropping problem: when confronting an as-yet-unidentified aircraft, an American plane could send a radio signal containing a challenge randomly selected from a large number of possible alternatives. Other U.S. planes would be supplied with the means to encrypt that signal in the correct manner and send that scrambled response back to the questioner. The questioner would validate the response by decrypting it. If this process yielded the original signal, the second craft was definitely a fellow American. If enemy planes were listening in, it would do them no good simply to copy the friendly response and use it as a response to a later challenge, because in any subsequent encounter, the American planes would choose a different signal, one that would be transformed to a different encrypted transmission. Tritter’s information was exciting to Diffie. By that explanation, IFFs worked in somewhat the same way that a one-way function might. He hoped for similarly helpful clues when he wangled an audience with the head of the mathematical group at IBM, Alan Konheim. He didn’t get any. “He was very secretive,” complains Diffie. 
Konheim, now a professor at the University of California at Santa Barbara, was one of those mathematicians who had taken several NSA-sponsored courses and had signed the fatal document that bound them to submit their future cryptographic works to the agency. “You sign it once and it’s forever,” he later explained. There was no way that Konheim was going to give any crucial information to the stranger who sat in his office along the curved-glass walls of the Watson research building. However, Diffie says that Konheim did give him one critical piece of information. “He only told me one thing, and since then, he’s wished he’d never said that,” crows Diffie. That datum was not a cryptographic tip but a referral, the name of someone who had been asking the same kinds of questions as Diffie had, a guy who had briefly worked at the lab and was now an assistant professor at Stanford. His name was Martin Hellman. Maybe, Konheim suggested, two people can work on a problem better than one. When Diffie and Mary next drove whichever Datsun 510 was running at that time to the West Coast for a stint of house-sitting for John McCarthy, one of the first things that Diffie did was phone this young professor of electrical engineering. “I arranged a half-hour meeting at my office at Stanford,” Marty Hellman now recalls, “figuring it’s just not going to go anywhere, but what the heck.” Thus was made the match that, in the world of crypto, would later attain the resonance of famous pairings elsewhere: Woodward-Bernstein. Lennon-McCartney. Watson-Crick. Diffie-Hellman.

* * *

Though he lived in California, Marty Hellman was pure Big Apple: pugilistic, in-your-face New York City. With his dark hair, beard, and intense stare, he resembled a Semitic version of Martin Scorsese. Born in 1945, he grew up Jewish in a tough Catholic neighborhood and learned to take an outsider’s view. He also took refuge in science. His father and uncle both taught physics in the public schools.
Young Hellman had always been turned on by explorers and new frontiers, whether it was Magellan charting the New World or Einstein redefining the way we understand the universe. He was accepted into the Bronx High School of Science; his avocation was ham radio. “That probably pulled me into electrical engineering,” he said. “It’s a very broad area; you can move from theoretical physics through solid-state physics and math.” He got his doctorate from Stanford in 1969, and his first job was at IBM research in Yorktown Heights, New York. Not long after he was hired, Hellman gave a paper at an information theory symposium held at the Neville hotel and resort, the headquarters of the Catskills’ Borscht Belt. The banquet speaker was David Kahn. Hellman had always believed that there was something kind of sexy about cryptography, but Kahn’s appearance got him thinking about it as a serious scientific pursuit, and those thoughts got stronger when he discovered that his new employer was already working in that field. Surely commercial applications existed, he figured. Though Hellman didn’t work directly with Horst Feistel, the German-born cryptographer worked nearby in the building, and sometimes the two of them would sit together at lunch, where the older man would describe some of the classical cryptosystems and some of the means of breaking them. Hellman left IBM in 1970, accepting a post as assistant professor at MIT. At that time Peter Elias, who had worked closely with Claude Shannon, was just stepping down as the head of the electronic engineering department. Elias’s talks with Hellman drew the young academic deeper into crypto, and for the first time he began thinking about making it the focus of his research. “Partially, it was the magician aspect, being able to impress people with magic tricks,” he now explains.
“Also, the potential to make a real impact, and advance my career by doing it.” He resisted the temptation to do what the vast majority of scientists and academics in his field had already done: work within NSA strictures. “From the very beginning, once someone heard I had an interest in cryptography, the people from NSA would come at me,” he says. Hellman would profess interest in hearing what they knew, but only if he would remain free to publish his own findings. The officials would warn him he was wasting his time, and that by depriving himself of the research performed at The Fort, he’d never come up with anything worthwhile. But Hellman, brimming with chutzpah in those days, said, in effect, To hell with you, I’m doing it anyway! He figured that even if he wound up rediscovering something that was already in the classified literature, his feat would not be redundant, because his findings could be exploited for commercial use. “It was hard,” he says. “But it was also doing something exciting that no one else was doing.” Enter Whit Diffie. “It was a meeting of the minds,” says Hellman. It came at a propitious time: though Hellman had recently published his first paper in the field of cryptography — a gloss on Shannon’s work — he’d been stuck for a follow-up, and longed for a kindred ear. “I’d been working in a vacuum,” he says, “and was feeling, ‘Is this really worth it?’ I was really getting concerned about whether this was going to lead anywhere.” Showing up wearing what Hellman called “the AI uniform” — black chinos, white socks, white shirt, and tennis shoes — Diffie was undoubtedly quirky. But he knew his stuff. He knew volumes. 
Only someone like Hellman, who had banged his own head against the ramparts of crypto secrecy, could appreciate how well spent were Diffie’s months and years traveling, talking to anyone he could find, burrowing in libraries for forgotten books like Luigi Sacco’s 1938 treatise on cryptography, and poring over obscure texts like the Friedman papers that NSA had later tried to reclassify. “He’d dug up everything I had never seen or had the energy to dig up,” says Hellman. Finally, someone with whom he could toss ideas back and forth; it was like an elegant game of hard catch between two professional ballplayers. The half-hour meeting went on for an hour, two hours, longer. Hellman simply didn’t want it to end, and Diffie, too, seemed eager to continue for as long as possible. Hellman had promised his wife he’d be home by late afternoon to watch their two small children while she went off, so finally he asked Diffie back to his house. No problem! Diffie called Mary and she came over to have dinner with Whit and all the Hellmans, and it wasn’t until 11:00 or so that night that the dialogue broke up. Not surprisingly, the two decided to continue the conversation. “It was very nebulous,” says Hellman. “He had some great ideas, I had some great ideas, and there was some overlap. We just loved talking to each other. It wasn’t that we had a goal of doing this or a goal of doing that — we just wanted to go further down the path we had each gone down, without finding someone at the end of the path telling us what everybody else was telling us: that we were wasting our time.” Both Diffie and Hellman firmly believed that the advent of digital communications made commercial cryptography absolutely essential. All of these huge computer and telephone networks made life incredibly easy for eavesdroppers — it was going to be possible to fully automate spying. 
At least with radio broadcasts, snoopers had to monitor numerous points in the channel band; with a network, it was as if everyone were broadcasting on the same channel. A spy agency like the NSA could — and would — simply turn on the Hoover and inhale gigabytes of data. “Ninety-nine percent of what they suck up gets blasted out as hot air,” says Hellman. “But by combing the data for key words, key phrases, key names and addresses, one percent gets caught in the bag as dirt.” The antidote for this would amount to, in essence, a cryptographic revolution, which would allow ordinary people to encrypt the stuff they sent over the network. The big problem, as Diffie had discussed with McCarthy and Schroeppel, was scaling crypto for more users, and making it easier to use. Something had to replace, or at least augment, the old-style, classical form of symmetrical-key crypto (where the same key that scrambles the messages can unscramble it, too), because it was totally unfit for the massive numbers of private conversations and digital transactions that people would require. The problem was that in order to have those private conversations, both parties had to arrange in advance what the key would be, and then somehow use that key without exposing it to eavesdroppers or intruders. This was a fairly straightforward act for a military organization, but an absolute nightmare in a bustling marketplace. What were you going to do — send millions of bonded couriers out into the streets to personally hand someone a new key every time he wanted to start up a phone conversation or file a purchase order? The only feasible approach seemed to be an infrastructure of key distribution centers that would generate a key every time two people requested one for a private conversation. But Hellman shared Diffie’s deep-seated suspicion of such a centralized system. 
“I knew he’d be around for a couple of months, but I also had the feeling that he might pick up and leave, and I was really anxious to see him stay here,” says Hellman. So Hellman called his grant monitor in the National Science Foundation (NSF) and wheedled some more funds to spend working on cryptography. There was enough to hire Whit Diffie as a part-time researcher. “It might have been for ten to twenty hours a week, or about a quarter to a half of what a working person would normally make,” says Hellman, who also suggested that while they were at it, why not have Diffie enroll as a graduate student and get a doctorate in the process? That part of the arrangement didn’t work out. “Whit is a truly free spirit,” was Hellman’s postmortem. “When he’s interested in something for himself and no one’s making him do it, he will spend unbelievable hours a day, get by with little sleep. But [not] when he has homework assignments and the structure.” Ultimately, Diffie dropped out of the graduate program when the administrators noticed that he hadn’t taken the requisite physical examination. “I didn’t feel like doing it; I didn’t get around to it,” says Diffie. Though he finessed the matter for some months, ultimately, when the Stanford bureaucrats refused to register him without proof he had taken the physical, Diffie told them to go to hell. “I used to think of it as a handicap on Whit’s part,” says Marty Hellman, “but maybe he was just mature at an earlier age, thinking, Damned-if-I’ll-follow-some-of-your-stupid-rules. Because some of them are stupid.” Ultimately, it was only by questioning the conventional rules of cryptography and finding some of them “stupid” that Diffie made his breakthroughs. A case in point: the belief that the workings of a secure cryptosystem had to be treated with utmost secrecy. That might have held true for military organizations, but in the computer age, that didn’t make sense. 
There would be unlimited users who needed a system for privacy; obviously, such a system would have to be distributed so widely that potential crackers would have no trouble getting their hands on it and would have plenty of opportunity to practice attacking it. Instead, the secrecy had to rest somewhere else in the system. Maybe those one-way functions that obsessed Diffie could be involved in such a system. In the months that followed, they became close colleagues and friends. Mary and Whit often hung out at the Hellmans’. Marty’s wife Dorothy was an enthusiast of purebred dogs — obviously something Mary was interested in — and Mary got one of Hellman’s daughters interested in playing the harp. Whit and Marty would usually be off in a corner, talking cryptography. Between Whit and Mary there was now an understanding that the traveling was over. They began their Palo Alto house-sitting stint for John McCarthy, watching his teenage daughter Sarah while the AI pioneer was on a Japanese sabbatical. Meanwhile, they started looking for a place of their own in Berkeley. Mary took a job with British Petroleum in San Francisco. Whit had the house to himself all day, and he would clean and cook. Mainly, he would work with Marty, hoping against hope that his years of didactic study would bear fruit and he would make a contribution, however slender, to the maddeningly secretive field of cryptography. His years of obsession had not decreased his passion for the subject. Nor had his deep affection for Mary Fischer — his other romance — distracted him. On the contrary, their relationship had only intensified his hunger for privacy, and the quest for a technology to provide it. His epic quest had begun from a lack of trust in computer systems and their keepers. Now it was about maintaining a valuable personal connection, too.
“When he felt he’d finally found a trustworthy person,” as Mary Fischer later explained, “the question became, ‘How do you deal with a trustworthy person in the midst of a world full of untrustworthy people?’ ”

the standard

On March 17, 1975, a dry government document produced a shock wave that just about tore the plaster off the walls of Martin Hellman’s little cipher operation at Stanford University. It was a Federal Register posting from the National Bureau of Standards (NBS), ostensibly one of countless protocols proposed by that agency that, if adopted, would become the officially endorsed means of doing things for the federal government. By extension, it would become the no-brainer choice for private industry and just plain folks as well. This proposal involved something seldom ventured in the public literature: a brand-new encryption algorithm. And a strong one to boot. It was to be called the Data Encryption Standard, or DES. The Stanford team had known that the unprecedented move was in the offing — the NBS had been issuing requests for such a standard — and Hellman knew that his old and trusted colleagues at IBM had been cooking up a system designed to satisfy the government’s criteria. So at first they welcomed the announcement. “This was big news,” recalls Hellman. “We were happy to see a standard. We thought it was a wonderful thing.” Then they began to actually examine the DES system — and learned that the National Security Agency apparently had a hand in its development. And their enthusiasm turned to dismay. Right away, it was glaringly obvious that the flaw in the DES was the size of the encryption key, a metric that directly determines the strength of a cryptographic system. It was 56 bits long. That’s a binary number of 56 places. You could envision this as a string of 56 switches, each of which could be on or off.
Though 2 to the 56th power was a hell of a big number in most circumstances — it meant that there were 2⁵⁶ possible keys, or about 70 quadrillion — Hellman and Diffie believed that it was too small for high-grade encryption. Sophisticated computers, they insisted, could eventually work hard enough to find solutions to such encrypted messages by “exhaustive search”: trying out billions of key combinations at lightning speed until the proper key was discovered and the message suddenly resolved itself into the orderly realm of plaintext. This would be a classic “brute-force” attack. “A large key is not a guarantee of security,” says Hellman, “but a small key is a guarantee of insecurity.” Diffie wrote as much in an otherwise respectful initial analysis of the standard, submitted in May 1975 as part of the NBS’s public comment process. “The key size is at best barely adequate. Even today, hardware capable of defeating the system by exhaustive search would strain but probably not exceed the budget of a large intelligence organization.” He postulated that a free-spending agency could feasibly build a customized machine that would crack such a key within a day. “Although cryptanalysis by exhaustive search is far from cheap, it is also far from impossible,” he wrote, “and even a small improvement in cryptanalytic technique could dramatically improve the cost performance picture. We suggest doubling the size of the key space to preclude searching.” Naively, the Stanford duo believed that such advice might be heeded by the United States government: Well, damn, you guys are right! Let’s double that silly key size! Instead, the government’s response was sufficiently evasive for Hellman to suspect that a smoke screen lay behind the NBS’s actions.
In subsequent months, in fact, Hellman would publicly begin to question whether the DES algorithm might have been a daring ruse on the government’s part to lull citizens and perhaps even foreign foes into an illusion that they were protecting information — while that supposedly secure data was easily accessible to the NSA. At his most paranoid, Hellman wondered whether the DES had a “back door” implanted in it by Fort Meade’s clever cryptographers. While there was no direct proof of that, there was reason for suspicion. If everything was on the up-and-up, Hellman wanted to know, why was it that the design principles of the algorithm, as well as its inner workings, were being treated as government secrets? If the government had nothing to hide, why were they hiding something? Diffie and Hellman were only the first to question the murky origins of the Data Encryption Standard. The debate would continue even as the DES became a kind of gold standard for strong commercial cryptography — and an object of continued suspicion among the outsiders of the crypto and civil liberties world. Only with the passage of time would it become clear that the development and certification of DES was in a sense an inspiring story of its own, one that had elements in common with the quest of Diffie and Hellman themselves.

* * *

The story began with one of IBM’s most enigmatic researchers, Horst Feistel. He was the German-born cryptographer who had done the work on Identification Friend or Foe protocols that Whit Diffie had learned from Alan Tritter. Feistel had been working at IBM’s research division in Yorktown Heights since the late sixties. It was one of the few jobs in the private sector that involved work in cryptographic research. In fact, some of his colleagues suspected that Feistel had been in the NSA’s employ and was somehow still hooked up with it, even while working for IBM. In any case, his biography is somewhat sketchy. Born in 1914, he had left Germany as a young man.
His aunt had married a Swiss Jew living in Zurich, and on the concocted pretext of tending to his aunt’s illness, Feistel joined them just before the Third Reich began a military conscription that would have prevented his escape. After studying in Zurich, Feistel came to the United States in 1934. He was about to become a naturalized citizen when America was thrust into World War II. Feistel was put under what he once described as “house arrest,” his movements restricted to the Boston area where he was living. But in January 1944, Feistel’s circumstances changed abruptly. He was not only granted citizenship but also given a security clearance and a job at a highly sensitive facility: the Air Force Cambridge Research Center. What he did there is unclear. Codes had fascinated him since his boyhood, but in the early 1990s he told Whit Diffie that while crypto work was indeed his desire, he was informed that this was not suitable wartime work for a German-born engineer. On the other hand, in a 1976 interview with David Kahn, Feistel said that during the war he had worked on Identification of Friend or Foe systems — not cryptography per se at that time, but close. There are other contradictions in Feistel’s various accounts of his activities. He told Diffie that before he was granted U.S. citizenship, he had to report to authorities every time he left Boston to visit his mother in New York. But he once told a coworker that his mother didn’t emigrate until the Cold War began. The U.S. had spirited her out of East Berlin, he reportedly said, just in case the Soviets discovered that Feistel was doing crypto and decided to pressure her. There was no doubt, however, that after the war, Feistel began to specialize in IFF. He headed a crypto group at the Cambridge Research Center, and part of his job was testing an advanced IFF system that depended on an amazing new invention, the transistor. 
This tiny marvel would enable an IFF system to be built so compactly that it could fit into the nose of a fighter plane. Another important project of Feistel’s was a longtime passion: constructing a strong cryptosystem based on block ciphers. (This kind of system encrypted messages by processing them in chunks, or “blocks,” as opposed to stream ciphers, which did their scrambling on text as it flowed, or “streamed,” by.) Did the NSA embrace Feistel’s work, or did it see his work as a threat, and try to stifle it? According to what Feistel told Diffie, the people at The Fort had closely monitored his air force work and used the NSA’s power to influence the direction Feistel’s work took. But the agency also regarded the project as a threat and eventually managed to kill the entire crypto effort at the Cambridge lab. When Feistel left for another job in the mid-1960s at Mitre (the same military contractor that would later put Whit Diffie on its payroll), he unsuccessfully tried to organize a group there that would resume his crypto work. He blamed the failure on more NSA pressure. So Feistel took the advice of his friend, A. Adrian Albert, and went to work for IBM, which seemed more open to such pursuits. (Albert was a mathematician, a onetime head of the American Mathematical Society, who had himself done extensive cryptography work for the government.) IBM was an amazingly rich company with little competition, and its research division was an intellectual playground where incredibly bright scientists were encouraged to explore whatever interested them. “If they hired you at Yorktown, you’d do what you wanted, as long as you did something,” says Alan Konheim, who became Feistel’s boss in 1971. “And Feistel did something — he formalized this idea for a cryptosystem.” The most remarkable aspect of Feistel’s creation was not its mathematics or its technology — or even its resistance to codebreakers — but the motivation behind it. 
His superstrong cipher wasn’t intended to defend government secrets or diplomatic dispatches, but to protect people’s privacy — specifically, to protect databases of personal information from intruders who might steal the contents to create detailed dossiers on individuals. “Computers,” wrote Feistel in a 1973 article for Scientific American, “now constitute, or will soon constitute, a dangerous threat to individual privacy. . . . It will soon be feasible to compile dossiers in depth on an entire citizenry.” Feistel declared that the antidote was cryptography, traditionally the domain “of military men and diplomats.” He proposed that computer systems be adapted “to guard [their] contents from anyone but authorized individuals by enciphering the material in forms highly resistant to cipher-breaking.” Considering Feistel’s familiarity with the government’s zeal for keeping cryptography to itself, this was a significant position to take. So important was privacy in the computer era, Feistel believed, that the knee-jerk national security arguments would have to be shelved. Meanwhile, Feistel was concocting a system that would grant people that privacy. The system was called Demon, so dubbed because file names in the computer language he used (APL) could not handle a word as long as his unimaginative choice for the first version, “Demonstration.” Later, in a burst of inspiration, an IBM colleague would change the name, carrying over the satanic theme from Demon, to “Lucifer,” thus containing a cryptographic pun. As a block cipher, Lucifer was a virtual machine that sucked in blocks of plaintext data and spit out blocks of ciphertext. Feistel created several versions; the best known used a digital key of 128 bits, an enormously tough target for a brute-force attack. Impossibly tough. 
Of course, the issue of key length would be of little importance if a codebreaker could quickly crack the system by detecting and exploiting structural weaknesses that would recover plaintext without having to bother with brute-force attacks. If even the most subtle pattern could be discernible in ciphertext, a codebreaker would be on his way to breaking the system. Lucifer’s strength, like that of any other cipher, depended on denying potential foes any such shortcuts. Feistel’s cipher avoided telltale patterns by subjecting the plaintext characters to a tortuous mathematical journey, leading them through a complicated whirl of substitutions. Ultimately, after sixteen “rounds” of furious swapping with other letters in the alphabet, the actual plaintext words and sentences would appear only as a block of seemingly random letters: an oblique ciphertext. The crucial rules of substitution took place by means of two substitution boxes, or “S-boxes.” These, of course, were not physical boxes, but sets of byzantine nonlinear equations dictating the ways that letters should be shifted. (At least one colleague of Feistel’s, Alan Konheim, believes that the idea of S-boxes had been given to Feistel by the NSA at a summer workshop, supposedly to get a technology well understood by Fort Meade into the mainstream. “Horst is a very clever guy, but my guess is he was given guidance,” says Konheim.) The S-boxes did not merely initiate a set of predictable substitutions in the letters; they used information drawn from a series of numbers that comprised a secret key to vary the sequence as the bits passed through the boxes. The security of the system ultimately rested with this key. Without knowing this key, even a foe who understood all the rules of Lucifer would have no advantage in transforming ciphertext into plaintext by some reverse-engineering technique. 
Such knowledge of the rules was to be assumed; the nuts and bolts of a well-distributed commercial cipher were much more likely to be accessible to eavesdroppers than the workings of military codes, which could be more tightly controlled. A cryptanalyst trying to crack an army code would often have no clue as to the system used to produce the ciphertext, a problem that required not only plenty of extra time to break the code, but also a huge amount of resources in the black art of undercover intelligence. Huge spy networks devoted themselves to learning the sorts of codes the enemy used. On the other hand, if Chase Manhattan Bank decided to use IBM’s brand-name code to encrypt its financial transactions, a potential crook would find it relatively simple to discover what cryptosystem the bank used. Since IBM might license the cryptosystem to others, the rules of that system would probably be circulated fairly widely. So in this new era of nonmilitary crypto, all the secrecy would rely on the key. IBM applied for, and received, several patents for Lucifer. As an innovation of its Watson Research Lab, Lucifer fell into the research category. But unlike some blue-sky schemes at Watson that were way ahead of their time, an invention that provided an instant answer to a pressing problem — data security in the communications age — was naturally positioned on a fast-track to commercialization. Lucifer’s first serious implementation came quickly, in Lloyds of London’s Cashpoint system, a means for distributing hard currency to bank customers. Undoubtedly, this was a harbinger of bigger things to come for both IBM and crypto. It was only a matter of time before Horst Feistel’s baby would no longer be a research project; it would be a major IBM initiative. And that would change everything.

* * *

As Feistel was refining Lucifer, a thirty-eight-year-old engineer named Walter Tuchman was working at IBM’s Kingston, New York, division.
He was a Big Blue lifer, having first gotten his feet wet during a three-month period at IBM in 1957 between college and the army. When he finished his stint, IBM not only rehired him but sent him off to Syracuse to pursue a doctorate in information theory. Most of his classmates remained in academia, but Tuchman wanted to use his knowledge to actually create sophisticated technology, so he stuck with IBM and wound up heading product groups. Tuchman’s most recent IBM task involved an odd sort of computer security vulnerability. When computer terminals are in operation, they leak out faint electronic impressions that a sophisticated eavesdropper can use to reconstruct the information being shown on the screen. In effect, those blips represent an unauthorized computer-data wiretap. The government wanted a special means to shield its computers from such potential leaks, and IBM responded by devising what came to be known as Tempest technology. It was considered a big win, and when Tuchman’s team finished its work around 1971, people in the group wanted to stay together rather than disperse to other projects, a routine known internally as “volkerwanderung.” To do this, they needed a new mission. Tuchman’s boss knew there were some interesting things going on in the banking division that might require innovative advances in computer security, and suggested Tuchman and his team look into it. IBM’s banking division was fortuitously located just across the road from Tuchman’s offices in Kingston. He quickly found that his boss’s instinct was sound in sending him there. Building on the Lloyd’s project, IBM had decided to advance the idea of cash-issuing terminals, where bank customers could get money from their accounts without having to see a teller. The first cash-issuing machines had been giant safes that held not only the money but also all the electronic and computer equipment necessary to process the transaction. This was both costly and unwieldy. 
The better solution would be to spread the computer application between a terminal and the bank’s mainframe computer, which could do all the heavy-duty processing. This solution was not only efficient, but hewed to IBM’s recent, painful realization that the standard model of computing was headed to the junkyard. “Before then, data processing was all done on the mainframe. The security model was that you locked your door, you locked your desk, and you had a guy with a gun guarding the building,” explains Tuchman. But now, even the most tradition-bound minds in Armonk understood that in the future, as Tuchman puts it, “data processing was leaving the building.” And since a guard with a gun couldn’t be everywhere, the security model would have to change. Of course, a system that actually doled out cash would represent a trial by fire for whatever new type of security IBM employed. The crucial commands that flashed a green light to spit out twenty-dollar bills would be sent over the phone line. Tuchman was quick to understand how precarious this could be. Imagine if some techno-crook managed to elbow his way on to the phone line and mimic the messages that said, “Lay on the twenties!” The answer was cryptography. Though Tuchman had a background in information theory, he had never specifically done any crypto work. But he soon found out about the system that the guys in IBM research at Yorktown Heights had cooked up. He ventured down to Watson Labs one day and heard Feistel speak about Lucifer. He immediately set up a lunch with Feistel and Alan Konheim. The first thing Tuchman asked Feistel was where he had gotten the ideas for Lucifer. Feistel, in his distinctive German accent, mentioned the early papers of Claude Shannon. “The Shannon paper reveals all,” he said. Meanwhile, Tuchman’s colleague Karl Meyer was exploring whether Lucifer might be a good fit for an expanded version of the Lloyd’s Cashpoint system. 
Ultimately he and Tuchman concluded that it would probably need a number of modifications before it was strong enough to rely upon. But it would be a fine beginning. And so, they made an arrangement with Alan Konheim and his Information Theory Group. Tuchman and Meyer’s team at Kingston would build a revised algorithm for Lucifer. Then they would send it to Yorktown for evaluation and testing. The internal name for the cipher was the DSD-1. Before this arrangement was approved, however, a top IBM executive demanded to know why they were even bothering with Lucifer when he knew of a cheaper, faster algorithm. Tuchman took this supposedly superior algorithm home and broke it over the course of a weekend. (He and Meyer eventually published the break in the trade magazine Datamation.) Tuchman would often cite this triumph as proof that his team knew what it was doing — and to ensure that the work wouldn’t be disrupted by clueless interference from upstairs. “We can’t deal with amateurs in the field,” he remembers telling the muckety-mucks high on the corporate food chain. “There’s no cheap way out of doing a crypto algorithm. You’ve gotta work, work, work. Qualify, qualify, qualify. It’s going to take a long time.” This was a fairly difficult process because, as Whit Diffie could have told the Kingston group, there was pathetically little information available on how one could construct a modern, military-strength cryptosystem. “All of it was classified,” sighs Tuchman. “But we understood from our mathematics classes what makes a cipher hard to solve.” His group read everything they could in the library, and, as Feistel had predicted, the most helpful papers were those of Shannon. And they talked a lot to Feistel himself. But mainly they reinvented a lot of what must have been common knowledge among the algorithm weavers at Fort George Meade. “We sat around in our conference rooms working on the blackboard, teaching ourselves,” says Tuchman. 
Ideally, Feistel himself would have been recruited to temporarily move to Kingston. Tuchman kept asking Konheim, “What does Horst want to do? I’ll give him a nice desk and his own office, and he can come up here.” And Konheim would say, “Nah, I don’t think it’ll work out.” Tuchman eventually came to understand why. “Horst was like a European version of James Stewart in the movie Harvey,” he later said. “He was sort of living in a little magical world between what happens in a commercial business like IBM and his hobbies. I never quite felt that Horst understood what the business world — especially the high-tech business world — was all about. He was cloistered in research in Yorktown, and here we were, these crazy guys from Kingston who were actually willing to make products, to see if we could do something that made money.” Konheim agrees that Feistel was oddly misplaced in the corporate world and, as time went on, even in the research division of that universe. According to Konheim, as Lucifer became less and less Feistel’s invention and more the commercial product of an IBM division, Feistel would arrive at Yorktown later and later in the day. And even then, he wouldn’t seem to be working on the project, but rather spending a lot of time on the phone speaking German. Konheim says that Feistel’s elderly aunt had promised him a considerable inheritance, and a lot of that phone time was spent cultivating her almost fanatically. (According to Konheim, it was a bitter disappointment years later when she died and left him nothing.) And Feistel’s 1973 article for Scientific American — one of the most explicit scientific descriptions of crypto presented to the public in years — could have been interpreted as a rebellion of sorts. Certainly in some quarters such frankness about the cryptographic innards of a potential IBM product could have more than raised an eyebrow. 
Apparently, the NSA itself objected to the article; years later, Feistel would allude to the agency’s unhappiness with it, also remarking that if it hadn’t been for the Watergate scandal then turning Washington upside down, the NSA might have tried to shut down the entire Lucifer project, as it had with his previous ventures. The Kingston group was blissfully unaware of such intrigues. To them, the Lucifer effort was simply a product ramp-up. They focused on their goal of modifying the system, of increasing its complexity and difficulty so that its ciphertext would pass the Shannon tests for apparent information randomness. The first step was to set up a list of what they called “heuristic qualifiers,” a series of mathematical tests that would evaluate the cryptosystem’s output — the scrambled message — so that it bore no apparent relationship to the original message, appearing to be a random collection of letters. In Claude Shannon’s terminology, the apparent information content would be zero. Feistel’s version of Lucifer certainly attempted to reach this ideal but didn’t go far enough. Its strongest feature was its two S-boxes, where the trickiest substitutions took place — the nonlinear transformations designed to drive cryptanalysts batty. So the Kingston team decided that the new, improved Lucifer — DSD-1 — would have even more devious S-boxes. And the number of those would increase from Lucifer’s two to a much more formidable eight. Complicating that effort were the requirements for compactness and speed: “It had to be cheap and it had to work fast,” says Tuchman. To fulfill those needs, the entire algorithm had to fit on a single chip. So another part of the team was a VLSI (Very Large Scale Integration) group, split between Kingston and IBM’s Burlington, Vermont, labs, whose job was to put the entire scrambling system on a 3-micron, single wiring layer chip. If everything worked out, IBM would have the tiniest strong-encryption machine ever known. 
Working under those constraints, the Kingston team constructed the complicated DSD-1, still informally referred to as Lucifer. If all went well, their new Lucifer would take a 64-bit block of plaintext, submit those bits through a torturous process of permutation, blocking, expansion, blocking, bonding, and substitution involving a digital key, and then repeat the process fifteen times more, for a total of sixteen rounds. The result would be 64 bits of what appeared to be total digital anarchy, a Babel that could only be returned to order by someone reversing the encryption process by using the digital key that determined how the scrambling had been done. Then the Watson Lab team would try to attack it, to see if things really had gone well.

* * *

Though Horst Feistel was not involved in the actual reconstruction of DSD-1, he did help bring his colleagues in research up to speed for the testing process. On January 11, 1973, he gathered five fellow members of the Data Security Group at Yorktown Heights and gave them their first exposure to the Lucifer cipher. One of the group, Alan Tritter (the same eccentric computer scientist who had told Whit Diffie about IFF protocols), raised questions as to the wisdom of the entire enterprise. Was IBM putting itself at risk by vying to be a power in the new world of commercial cryptography? What if Lucifer could be cracked? Tritter’s comments drew interest because they seemed to echo some remarks made, but not proven, by a professor at Case Western Reserve University named Edward Glaser. A blind man who was one of the endless consultants IBM routinely hired with its bottomless budget, Glaser, according to Konheim, had blustered that if he were given twenty examples of ciphertext, along with the original plaintext (this is known as a chosen plaintext attack), he could break Lucifer’s system. (It turned out to be a specious claim.) But the point was well taken, and Tritter repeated it in a memo written later that year.
“We were/are in an unusually exposed position,” he wrote. Noting that the first use of Lucifer was already implemented in a Lloyd’s cash terminal, he ticked off the consequences that could come if the system, like so many seemingly “unbreakable” ones before it, was somehow compromised. If someone was able to produce a valid key for a Lucifer cipher, he wrote, “a clever, resourceful, highly organized attempt to remove illicitly but without the use of force the entire cash contents of all the terminals in the ‘Cashpoint’ system, say over a single bank holiday weekend, would certainly succeed.” But such a possible loss was only the beginning of the sorts of perils IBM was courting by drawing on crypto’s implicit promise of security. With Big Blue’s fat cash reserves, it would be no problem replacing even a steep stack of twenties to reimburse Lloyd’s. More troublesome would be restoring public confidence. And then would come the lawsuits. “Were the security of [Lucifer] or of any other crypto product we may subsequently field to be breached publicly, the harm it would do us in the marketplace would be incalculable,” wrote Tritter. “And this is in addition to actual damages and the very real possibility of exemplary damages awarded against us in a lawsuit which would give the press, the industry, and the public a field day.” On the other hand, how could IBM not pursue cryptography? Its business was the information age, and without a means of protecting data as they moved from one computer to another, IBM would not sell nearly as many computers. The lack of cryptography was a potential roadblock to the computerization of America — and the computerization of the world itself. So on February 5, 1973, a high-level meeting was held to review “the status and plans of cryptography within the entire IBM corporation.” As Tritter later summarized the meeting, “It appeared to be broadly agreed . . . 
that IBM was apparently in the crypto business for keeps, and would have to acquire a corporate expertise in the area. In the meanwhile, attacks on Lucifer were to be intensified.” An outside expert, Jim Simons of the math department at the State University of New York at Stony Brook — who had also practiced cryptography at the Institute for Defense Analysis, the NSA satellite in Princeton — was recruited to organize a concentrated attack on Lucifer. He worked with three researchers from Yorktown Heights for about seven weeks in the late spring of 1973. Even before he issued his report, IBMers were buzzing with the good news: Simons and his team hadn’t cracked it. “The Lucifer machine is certainly stronger than I had originally thought,” Simons wrote in his report of August 18, 1973. But he didn’t exactly bestow a crypto seal of approval on it. “It seems highly improbable that Lucifer will be broken by two high school students as part of their science fair project,” concluded Simons. “On the other hand, there isn’t nearly enough evidence to feel confident that it won’t succumb to sophisticated attacks by a professional cryptanalyst.” Simons worried that if Lucifer, as currently constituted, was put into commercial use, it would almost inevitably be used to protect “traffic of genuine importance” (like money, or trade secrets), providing the incentive to encourage an intense, ultimately successful effort to break it. So while Lucifer seemed to be a good start for IBM, Simons warned, the company should work harder to come up with an improved product. “There really is no choice,” he concluded. Meanwhile, IBM itself kept wondering if Lucifer was up to the task. In a confidential memo in May 1973, its chief scientist Lewis Branscombe, summarizing the consensus of the firm’s Scientific Advisory Committee, emphasized the need for the company to “establish a single cryptographic architecture, technology and product strategy.” Lucifer, he wrote, was not the only candidate. 
But later in the month, another memo deemed the Kingston scheme superior, with one caveat: “Unless there is a clear evidence of a significant threshold of vulnerability.” The tests continued for months, conducted by private-sector researchers hired by IBM. “Alan would give them the algorithm and say, ‘Break it. Just go break it.’ And Alan kept reporting back that nobody could find a shortcut,” says Tuchman. “Finally I reached that magical psychological place where I figured this thing doesn’t have a shortcut, so there is just no shortcut solution. Forget it, guys, let’s concentrate on implementing the product now.” Still, compared to the world-class codebreakers behind the Triple Fence, most of the math professors hired to bang their heads against Lucifer were Little Leaguers. How could IBM be sure the scheme was really sound? They certainly didn’t want to find out its vulnerabilities by discovering that one day some former KGB cryptanalyst hired by the Mafia had cleaned out their virtual cash vault.

* * *

At the beginning of 1974, Tuchman figured his team was about halfway through its work. “We had a pretty good idea how much algorithm we could get on a single chip,” he says. And much of that algorithm was written. But two things happened that year that would profoundly affect the project. The first would throw it open to the public. The second would cast a clandestine shadow over it that would last for a generation. IBM was not the only institution aware of the vital need for cryptographic protection in the computer age. That view was also shared at the National Bureau of Standards, the government agency in charge of establishing commonly accepted industry standards for a wide variety of commercial purposes. The bureaucrats and scientists there believed that digital protection should be centered in a single system, one well-tested means of encrypting information that would be accessible by all.
So NBS decided to solicit proposals for a standard cryptographic algorithm. (The NSA declined to submit one of its own ciphers, since allowing outsiders to examine its work was unthinkable.) In the May 15, 1973, Federal Register, the NBS listed a number of exacting criteria that such a standard should meet. Not surprisingly, the NBS received no submissions at that time that even vaguely met the criteria. By and large the only cryptographers in this country who had the wherewithal and expertise to meet this challenge were working behind the Triple Fence. And the work done there was never published, never revealed. But there was one cryptosystem in development that seemed to fit a lot of the government’s needs: Lucifer, the DSD-1. Lewis Branscombe, IBM’s chief scientist — who, not coincidentally, was himself a former head of the NBS — in particular felt that this work in progress might be an excellent candidate for the encryption standard for the next generation. Walt Tuchman was against the idea, primarily because of the trade-off involved in submitting the revised Lucifer as a federal standard: IBM would be required to relinquish its patent rights, essentially giving — not selling — the algorithm to the world. “I was this typical capitalistic product manager,” he explains. “I’m in this thing to make money, not to foster some great social improvement.” He argued his point before IBM’s high-level executive Paul Rizzo, who was then Big Blue’s number two. Branscombe presented the other point of view: make it public. Finally, Rizzo weighed in. Lucifer, he argued, was like a safety component that benefited all of society. If the Ford Motor Co