Cybersecurity, Nuclear Security, Alan Turing, and Illogical Logic

turing lecture

DOI:10.1145/3104985 the National Institute of Standards and Cyber deterrence, like nuclear deterrence, Technology (NIST), proposed a Data Encryption Standard (DES) to protect depends on our adversaries being rational unclassified but sensitive data. Whit- enough to be deterred by our threats but us field Diffie, with whom I shared the not by theirs. Award, and I quickly realized that DES’s 56-bit key size was inadequate and needed to be increased. BY MARTIN E. HELLMAN DES had 256, or approximately 1017, keys. We estimated that the 1975 technology would allow a single-chip search engine to check 106 keys per second, so 106 such chips could search the entire Cybersecurity, key space in 105 seconds. That is approximately one day, and we estimated the equivalent cost to be on the order of $5,000 per recovered key. We also noted Nuclear that the decreasing cost of computation—roughly a factor of 10 every five years—would rapidly reduce this cost. Even an order-of-magnitude error in Security, our estimate would thus be erased in a short time.3 We initially thought the inadequate key size was a mistake that would be Alan Turing, corrected once we pointed it out, but NBS resisted, claiming our estimates were off by four orders of magnitude. Our initial estimate had been a rough and order-of-magnitude approximation that was adequate to show the need for an increased key size. But NBS’s estimate was clearly wrong, and we came to Illogical Logic realize we were indirectly battling the National Security Agency (NSA), in addi- tion to NBS. A larger key size would allow foreign governments, criminals, and terrorists to hide their communications from THE 2015 ACM A.M. Turing Award recognized work I did NSA, while 56 bits would not. What we 40 years ago, so it is understandable that my interests had thought was a technical problem have changed significantly, with my most recent project key insights being a book, A New Map for Relationships: Creating ˽˽ While revolutionary, public key True Love at Home & Peace on the Planet, co-authored cryptography can also be viewed as a natural step in the evolution with my wife Dorothie. While, at first glance, the book of the field of cryptography.

might seem to have nothing in common with my work ˽˽ There is greater risk than is generally recognized that a major advance in on cryptography, my Turing Lecture drew a number of factoring and discrete logarithms might parallels I will bring out in what follows. break existing public key systems. The story starts in March 1975, when the U.S. ˽˽ In making ethical decisions, we need to zealously guard against fooling ourselves

National Bureau of Standards (NBS), now known as about our real motivations. ASSOCIATES ANDRIJ BORYS BY IMAGE

52 COMMUNICATIONS OF THE ACM | DECEMBER 2017 | VOL. 60 | NO. 12 DECEMBER 2017 | VOL. 60 | NO. 12 | COMMUNICATIONS OF THE ACM 53 turing lecture

turned out to be political. If we wanted from TDCs to public key.4 TDCs oc- to improve the security of the standard, curred to us because, in the military, we would have to treat it as a political you want a highly secure cipher for use battle by seeking media coverage and by your own troops but do not want it to Congressional hearings—which we be used to keep secrets from you if it is did. While Diffie and I captured by your adversary. We realized The fight that followed was part of saw a 56-bit key that a solution was to build trapdoor in- “the first crypto war.” While the media formation into the cryptosystem that and several members of Congress sup- as small, would allow the designer to break it ported Diffie’s and my position, we lost we now know easily if it was used against him, but this part of it. DES, including its 56-bit without that information his adversary key, was the official encryption stan- it looked large would be unable to cryptanalyze his en- dard from 1977 until 2002 when it was crypted messages. While we never de- superseded by the Advanced Encryp- from NSA’s veloped a workable TDC, the concept tion Standard, or AES, which has a min- perspective. figured prominently in a later analysis imum key size of 128 bits. of DES Diffie and I undertook, with oth- Diffie and I recommended triple- ers.8 We found structures within DES DES3 as a simple, albeit more expen- that looked like they might constitute a sive, way to improve DES security, but trapdoor, although later developments most implementations used the less- indicate they were probably due to ef- secure approach. forts to strengthen the algorithm against differential cryptanalysis.1 Public Key Cryptography and It is also noteworthy that half of the the DES Controversy public key concept—public key ex- Within a year of DES being proposed in change—occurred independently to 1975, a development—the invention of three different groups within a short public key cryptography by Diffie and period of time. me4 and independently by Ralph Merk- According to documents declassi- le12—exacerbated NSA’s concerns. fied years later,5 variations occurred While Diffie and I saw a 56-bit key as in 1970, 1973, and 1974 to researchers small, we now know it looked large James Ellis, Clifford Cocks, and Mal- from NSA’s perspective. Prior to DES, colm Williamson of the Government most commercial encryption systems Communications Headquarters (GCHQ), could be broken much faster than DES, the British agency responsible for and most data was sent unencrypted, providing signals intelligence and in- allowing access at no cryptanalytic cost. formation assurance to that nation, In comparison, even $5,000 per re- though none of their work envisioned covered key was a huge impediment to digital signatures. NSA’s communications-intelligence Ralph Merkle, then a student at the operation. But it appears to have rea- University of California at Berkeley, de- soned that cost would limit the fre- veloped the concept of a public key dis- quency of key changes so a recovered tribution system in the fall of 1974 and key would be useful for months, per- published it, along with a proof of con- haps years. The invention of public key cept (“Merkle puzzles”), in Communica- cryptography allowed keys to be tions, April 1978.12 changed as frequently as desired, mak- Unaware of the still-secret GCHQ ing $5,000 per key a much more daunt- work and Merkle’s budding ideas, Dif- ing barrier for an adversary. fie and I proposed a more general framework—a public key cryptosys- Evolution of Public Key tem—in the Spring of 1975. This ap- Cryptography proach included digital signatures, as While public key cryptography is seen well as public key exchange, with digital as revolutionary—a characterization I signatures being an entirely new idea, love—after the following explanation, even within the classified community. one might wonder why it took Diffie, In May 1976, Diffie and I developed Merkle, and me so long to discover. the first practical, unclassified system Diffie and I had been talking about for public key exchange, publishing “trapdoor cryptosystems” (TDCs) for both it and the public key cryptosystem some time before we devised the public concept in our paper “New Directions key concept, and it is but a small step in Cryptography” in IEEE Transactions

54 COMMUNICATIONS OF THE ACM | DECEMBER 2017 | VOL. 60 | NO. 12 turing lecture on Information Theory, November 1976.4 Born Classified? Project, the consequences of fooling That public key exchange system is wide- NSA’s concerns led it to try to control myself would have been far more grave, ly known as Diffie-Hellman Key Ex- dissemination of our work.2 In January I vowed never to fool myself again, al- change, but somewhat ironically, it is an 1976, soon after Diffie and I realized the though implementing that decision implementation of Merkle’s public key need to treat DES’s inadequate key size proved tricky during Stanford Univer- distribution system concept, not our as a political rather than a technical sity’s patent fight with RSA Data Secu- public key cryptosystem concept. I there- problem, two high-level NSA employ- rity. Space does not allow me to provide fore refer to it as the “Diffie-Hellman- ees flew out to California and tried to the details here, but the interested Merkle Key Exchange.” dissuade us from pursuing the matter. reader can find a description on pages In light of the frequent interactions They basically told us, “You’re wrong, 46–54 of our book;7 a free .pdf file is Diffie and I had, I regard everything in but please be quiet. If you keep talk- also available at http://tinyurl.com/ “New Directions” as joint work, though ing this way, you will cause grave harm HellmanBook, expanding to http:// some scholars have noted (correctly) to national security.” But that did not www-ee.stanford.edu/%7Ehellman/ that Diffie devised the public key cryp- compute. What they were really saying publications/book3.pdf. Those same tosystem concept, while I discovered was, “You’re right, but please be quiet. pages explain why I believe the Man- the Diffie-Hellman-Merkle Key Ex- If you keep talking this way, you will hattan Project scientists fooled them- change algorithm. Because those indi- cause grave harm to national security.” selves about their motivation for work- vidual insights were based on long- I went home that evening to decide ing on the bomb. term joint work, I tend not to separate the right thing to do. NSA was telling The fight Diffie and I were having credit. me the right thing was to be quiet, while with NSA came to a head on July 7, A full, working public key cryptosys- my intellect told me the opposite, even 1977, when one of its employees wrote tem was not realized until April 1977 from a purely national perspective. The to the IEEE, claiming it was breaking when Ron Rivest, Adi Shamir, and U.S. was the world’s most computer- the law by publishing our papers.14 He Leonard Adleman published their MIT ized nation, with the most to lose from cited the International Traffic in Arms report that, in slightly modified form, insecure encryption. The Soviet Union Regulations (ITAR), which, at the time, became their famous 1978 “RSA paper” had much less to lose and much more defined anything cryptographic as an in Communications.17 to gain from leaving the DES key at 56 implement of war, requiring an export While Merkle’s 1978 publication bits. Also, NSA’s request occurred soon license. An export license was re- date—two years after “New Direc- after the Watergate revelations had quired not only for physical devices tions”—gives the impression that it fol- shown that claims of national security but also for technical data related to lowed in our footsteps, he submitted could be misused to the detriment of them. He claimed our papers consti- his paper earlier than we did, in Au- the nation. tuted such technical data and they gust 1975. Its publication was delayed As I was trying to decide the right were, of course, exported when pub- by an editor who initially rejected it, thing to do, an idea popped into my lished internationally. writing, on October 22, 1975, “I … was head: “Forget about what is right and The IEEE wrote back, telling the particularly bothered by the fact that wrong. You have a tiger by the tail and NSA employee it was aware of ITAR, but there are no references to the litera- will never have as much chance to influ- “the burden of obtaining any Govern- ture. Has anyone else ever investigated ence events. Run with it!” ment approval for publication of tech- this approach?”6 Somehow, what would normally be nical data [was] on the person or com- In the editor’s defense, Merkle was a an unconscious “shadow motivation” pany seeking publication,” namely me student unfamiliar with how to write had managed to bubble to the surface and Stanford University.14 A copy of this and adequately reference a technical and become a “devil on my shoulder,” reply was sent to me, and I took it to paper; the person who reviewed it (de- like in the movies. At the time, I thought Stanford’s General Counsel John scribed by the editor as “an experienced I had brushed the devil off my shoulder Schwartz both because Stanford was cryptography expert”) recommended and made a rational decision to go pub- potentially liable and because I wanted against publishing it, noting that it “. . . lic with our analysis of the standard’s to ensure it would defend me if I was is not in the mainstream of present weakness. But five years later, in trying prosecuted. cryptography thinking,” and no one to understand the motivation of the Schwartz took a few days to review else at Berkeley, where Merkle was Manhattan Project scientists who de- the matter, after which we had a second then a student, appreciated his work. veloped the atom bomb during World meeting. He believed that publishing Earlier, in the fall of 1974, a Berkeley War II, I realized I had fooled myself. my papers was lawful but noted there professor discouraged him from pur- Instead of doing what was right, I had was “at least one contrary view” (ex- suing public key distribution as a figured out what I wanted to do, and pressed by the NSA employee) and term project, telling him, “Project 2 [a then had come up with the rationaliza- “should such view be adopted by the much more mundane proposal] looks tion for doing it. Federal Government you could be sub- more reasonable, maybe because your I was fortunate that my decision to jected to prosecution.” He went on to description of Project 1 is muddled go public was the right one, even assure me that, should that occur, “the terribly.” Merkle dropped the course though I had fooled myself about my University would defray the reasonable and pursued public key distribution motivation. But that was sheer luck. If I costs of your defense . . . nevertheless, on his own. had been working on the Manhattan there would always remain a risk to you

DECEMBER 2017 | VOL. 60 | NO. 12 | COMMUNICATIONS OF THE ACM 55 turing lecture

personally of fine or imprisonment if ence, but NSA was able to keep DES’s into friendship as we came to appreci- the government prevailed in such a key size at 56 bits. ate one another’s concerns. case.”19 Commercial encryption did not be- The real break came in the mid- Schwartz also advised me to change come truly secure until some parties 1990s when Congress requested the my plans for having two students, on both sides of the battle learned a National Research Council undertake Ralph Merkle and Stephen Pohlig, de- lesson my wife and I later emphasized a study of national cryptographic poli- liver joint papers at the upcoming 1977 in our book7—the need to get curious, cy. The study committee represented IEEE Symposium on Information The- not furious. Since the emphasis here is all major stakeholders, including law ory. He explained that a long court case cybersecurity, I refer those interested enforcement, national security, in- might kill the career of a newly minted in more personal details to the book’s dustry, health care, and privacy. By Ph.D., whereas I had tenure. I relayed Chapter 3, also called “Get Curious, talking to one another—and, more this to Merkle and Pohlig, telling them I Not Furious.” That same shift started a important, listening to one another— had no qualms about delivering the pa- process that led to the strong encryp- we were able to reach unanimous con- pers but would leave the decision to tion available on today’s commercial clusions that encouraged a significant them. Both said they would deliver the products. It started in 1978 when I re- loosening of the export restrictions on papers anyway but later changed their ceived a call from NSA saying its Direc- encryption products. This further ex- minds to assuage fears expressed by tor, Admiral Bobby Inman, would like ample of getting curious instead of fu- their parents. to visit me and asking if I was open to rious laid the foundation for wide- Wanting these students to get the the idea. spread availability of strong credit they deserved, when it was time Up to that point, we had fought encryption in commercial products, for each paper to be delivered, I had the these battles indirectly, with no direct with export restrictions being signifi- student co-author stand next to me at interchange, so I jumped at the oppor- cantly relaxed soon thereafter. the podium. I then told the audience tunity. When Admiral Inman came to The value of adversaries talking and that, on the advice of Stanford’s coun- my office, he told me he was meeting listening can also be seen in a 2014 in- sel, I would be delivering the papers, with me against the advice of all the terview with Admiral Inman conducted but to give the student the credit he de- other senior people at the Agency but by Stanford cryptography student Hen- served, they should consider the words saw no harm in talking. He was curi- ry Corrigan-Gibbs. When asked if he coming from my mouth as if they were ous, not furious. He also said it was now would make the same decision he coming from his. This gave Merkle and nice to see I did not have horns—which did 40 years ago to try to suppress our Pohlig even more credit for their work must have been how I was being de- work, Inman replied, “Rather than be- than if they had delivered the talks picted at the Agency. I returned the ing careful to make sure they [were not] without any threats. compliment, since I had seen myself as going to damage [NSA’s intelligence op- Luke Skywalker to NSA’s Darth Vader. I erations] . . . I would have been inter- Get Curious, Not Furious was in my early 30s at the time, so the ested in how quickly they were going to This first round of the crypto wars had young-hero model was more appropri- be able to make [encryption widely] mixed results. We established that in- ate than it would be today, when I am available.” He cited the theft of por- dependent researchers could publish 72 years old. My relationship with In- tions of the F-35 jet fighter design as papers free of government interfer- man was cautious at first but it grew proof that strong commercial encryption was in the U.S.’s broader national security interests.2

How Logical Is Cyber-Deterrence? Nuclear deterrence is viewed so posi- tively that cyber-deterrence is frequently suggested as a promising analogous next step. For example, the current Di- rector of NSA and U.S. Cyber Command, Admiral Michael S. Rogers, told a Sen- ate committee in 2015, “We also need to think about how can we increase our capacity on the offensive side here, to get to that point of deterrence.”18 But how logical is cyber-deterrence? The answer depends in part on a related question treated in Chapter 8 of our book7 (pages 243–264): “How logical is nuclear deterrence?” To summarize, consider these key points: We must behave irrationally. For de-

Cryptography pioneers Ralph Merkle, Martin E. Hellman, and Whitfield Diffie, 1977. terrence to work in a standoff between NEWS SERVICE CHUCK PAINTER/STANFORD CREDIT: PHOTO

56 COMMUNICATIONS OF THE ACM | DECEMBER 2017 | VOL. 60 | NO. 12 turing lecture the U.S. and another nuclear-armed with appropriate clearances and no nation, that adversary must be rational evidence surfaced there either. I also enough to be deterred by our threats, have discussed undertaking such stud- but we must be irrational enough for ies with high-level personnel within the its equally dire threats not to deter us. U.S. Strategic Command, the succes- This need for irrationality on our part “ . . . nevertheless, sor to the Strategic Air Command, and is usually swept under the rug, but a there would that, too, did not produce any claims of 1995 U.S. Strategic Command report, studies, nor any real interest in investi- Essentials of Post-Cold War Deterrence always remain gating the level of risk. (http://www.nukestrat.com/us/strat- a risk to you This dearth of information on one com/SAGessentials.PDF), was unusu- of the most important questions fac- ally candid. After noting that instilling personally of fine ing humanity led me to spend much of fear in our adversaries is “the working the past 10 years working to bring a force of deterrence,” it advised “that or imprisonment risk-informed framework to nuclear the U.S. may become irrational and vin- if the government deterrence. As part of that effort, I dictive if its vital interests are threat- published a simplified, preliminary ened should be part of the national prevailed in risk analysis9 indicating the level of persona we project to all adversaries.” such a case.” risk is unacceptable. Nuclear deterrence must be carefully To put such risk in perspective, even defined. The U.S. has not carefully de- if nuclear deterrence could be expected fined what it means by “nuclear deter- to work for 500 years before it failed and rence.” For example, does it mean we destroyed civilization—a time horizon have nuclear weapons solely for the that sounds optimistic to most peo- purpose of deterring a nuclear attack ple—it would be equivalent to playing on us or our allies? That is the impres- Russian roulette with the life of a child sion given by many statements from born today. That is because that child’s the U.S. government. But if that is the expected lifetime is roughly one-sixth case, why do we use nuclear threats of 500 years. If the time horizon is more when the stakes are far lower? like 100 years, the child’s odds are Impaired decision making. World worse than 50/50. leaders have the power to start a nucle- My work applying risk analysis to ar war even when they cannot legally nuclear deterrence led me to see an im- drive a car. Documented examples of portant and largely overlooked ques- persistent problems with alcohol7 (pag- tion in cryptography. There is much es 250–251) include Russian President talk today about the need for “post- Boris Yeltsin, U.S. President Richard quantum crypto,” meaning systems Nixon, and British Prime Minister Tony that would remain secure even if large Blair. I suspect most leaders with “fin- quantum computers20 could be built. gers on the button” are occasionally But there is much less concern about similarly impaired. possible advances in algorithms that Risk. No one knows how risky nuclear would render both RSA and the “usual” deterrence is—a subject discussed in Diffie-Hellman-Merkle Key Exchange the next section—that then relates the insecure. There should be concern, as problem to a critical issue in encryption. we will see. For simplicity in what follows, I talk only about factoring and Nuclear Deterrence and RSA, but the same arguments apply Cryptography equally to discrete logarithms and Dif- Surprisingly, there is no evidence that fie-Hellman-Merkle Key Exchange. the U.S. government has investigated Factoring algorithms took a major the risk that nuclear deterrence might step forward in the 1970s when Morri- fail and thereby destroy civilization. son and Brillhart15 used Lehmer’s and (I strongly suspect the same is true of Powers’s “continued fraction meth- other nuclear-armed nations but have od”11 to factor the seventh Fermat num- not investigated them as deeply.) No ber, which is 128 bits long. unclassified information indicates that A second major advance occurred in any such studies exist. While I currently the 1980s when American mathemati- hold no clearances and could therefore cian Richard C. Schroeppel used siev- be unaware of classified studies, I have ing to roughly double the size of the discussed the possibility of such stud- numbers that could be factored. He ies with sympathetic, high-level people never published his algorithm but cir-

DECEMBER 2017 | VOL. 60 | NO. 12 | COMMUNICATIONS OF THE ACM 57 turing lecture

culated it to many relevant researchers, Alan Turing and and Carl Pomerance credits Shroep- My Illogical Use of Logic pel’s algorithm as “the forerunner of The section “Illogical Logic” in our [Pomerance’s better known] quadratic book7 (pages 244–251) describes how sieve and also its inspiration.”16 supposedly highly logical people can A third major advance in factoring Logic is just one misuse logic. In keeping with the book’s occurred in the 1990s with develop- way of knowing aim to move from blame to responsi- ment of the “number field sieve,” again bility, the first story in the section de- roughly doubling the size of numbers about the world, scribes how, years ago, I misused logic that could be factored. and an incomplete as a weapon to win arguments with my While major advances in factoring wife. While I may have been winning occurred in the 1970s, 1980s, and one at that. arguments (at least in my mind), I was 1990s, no similar advances have oc- losing something much more impor- curred in roughly the past 25 years, tant—my relationship with her. Illogi- leading many mathematicians and cal logic loses every time. cryptographers to believe that factoring That section also describes how I has hit a brick wall. But I see the situa- felt like I was having a mental break- tion quite differently as a result of my down when confronted with Gödel’s work applying risk analysis to nuclear Incompleteness Theorem in my sec- deterrence.10 ond year of graduate studies at Stan- Think of each decade as a coin toss ford. I had based my whole life on log- that shows heads if a major advance oc- ic—not just my professional life—and curs in factoring and tails otherwise. logic was telling me it was literally in- The 1970s gave us heads, as did the complete. Because it would have com- 1980s and 1990s, but the next decade plicated matters too much for the aver- gave us tails, and the current decade is age reader, we purposely left out of that more than half over without a major ad- section Alan Turing’s role in creating vance, so it seems more likely than not my angst. But my ACM Turing Lecture to also give us tails. Even under the opti- provided a wonderful opportunity to mistic assumption that no major ad- highlight how Turing helped open my vance occurs in the remaining years of mind to new possibilities. this decade, the coin-toss sequence In that second-year graduate math would be HHHTT. If a coin showed course, we studied the cardinality of in- such a sequence in its first five tosses, it finite sets. The positive integers are would be foolish to project tails into “countably infinite” because you can even the next decade of the 2020s with count or enumerate them 1, 2, 3, . . . It any reasonable degree of confidence. was easy to see that the set of all inte- Given the impact another major ad- gers is also countably infinite, with one vance in factoring would have on the enumeration being 0, –1, +1, –2, +2, and global economy, I have argued that it so on. Every integer is eventually would be prudent to already have reached in that enumeration. backup systems for both key exchange It was slightly more difficult to see and digital signatures in place and in that the set of rational numbers is use. For key exchange, two keys could countably infinite. For simplicity, I be generated and hashed or XORed. show only the argument for positive ra- One key would be produced by public tional numbers, though it extends easi- key exchange and the other by the ly to all rational numbers. The count- backup system. Such a system would ably infinite sequence 1/1; 1/2, 2/1; 1/3, provide seamless security even if one 2/2, 3/1; 1/4, 2/3, and so on includes all of the methods of key exchange were positive rational numbers. (I use semi- compromised. One possible backup colons to demark the end of subse- system would be a key distribution quences in which numerators and de- center that shares a master key with nominators have a common sum, as in each user and distributes session keys 1/3, 2/2, and 3/1.) on demand, encrypting the session Things became much more interest- key in each relevant user’s master key. ing when the professor showed that the Likewise, two digital signatures could real numbers were “uncountably infi- be used to sign each message, with a nite”; that is, they form a larger infinite possible backup system being Merk- set that cannot be enumerated. The le’s tree signatures.13 proof was by contradiction, using Georg

58 COMMUNICATIONS OF THE ACM | DECEMBER 2017 | VOL. 60 | NO. 12 turing lecture

Cantor’s “diagonalization argument.” FOR i=1, i++ 10, 6 (June 1977), 74–84; http://www-ee.stanford. th edu/%7Ehellman/publications/27.pdf Assume there is an enumeration of the {Com pute b ii the i binary 4. Diffie, .W and Hellman, M. New directions in real numbers decimal place of the ith cryptography. IEEE Transactions on Information Theory IT-22, 6 (Nov. 1976), 644–654; http://www-ee. computable real number, and stanford.edu/%7Ehellman/publications/24.pdf 5. Ellis, J. The history of non-secret encryption. R1 = I1 . b11 b12 b13 … print ~bii} Cryptologia 23, 3 (1999), 267–273. R2 = I2 . b21 b22 b23 … 6. Graham, S. Letter to Ralph C. Merkle (Oct. 22, 1975); http://www.merkle.com/1974/RejectionLetter.pdf R3 = I3 . b31 b32 b33 … and so on This reasoning, drawn from Section 7. Hellman, D. and Hellman M. A New Map for Relationships: 8 of Turing’s paper, is almost exactly Creating True Love at Home & Peace on the Planet. where R is the (assumed) ith real num- the same as was used to prove the real New Map Publishing, Stanford, CA, 2016; http://tinyurl. i com/HellmanBook, expanding to http://www-ee. th ber, Ii is its integer part, and bij is its j numbers are not countable. But there is stanford.edu/%7Ehellman/publications/book3.pdf 8. Hellman, M., Merkle, R., Schroeppel, R., Washington, binary decimal place . To complete the a difference, as there must be, since the L., Diffie, W., Pohlig, S., and Schweitzer, P.Results proof, consider the real number “proof” here produced a contradiction of an Initial Attempt to Cryptanalyze the NBS Data Encryption Standard. Technical Report SEL 76-042 to a known fact: The computable real (available from NTIS). Electrical Engineering R = 0 . b11 b22 b33 … numbers are countable. Department, Stanford University, Stanford, CA, Sept. ~ ~ ~ 9, 1976 (revised Nov. 10, 1976); http://tinyurl.com/nbs- This line of reasoning involves a very des-analysis, expanding to http://www-ee.stanford. where bjj is the complement of bjj. subtle, hidden assumption—that there edu/~hellman/resources/1976_sel_des_report.pdf ~ 9. Hellman, M. Risk analysis of nuclear deterrence. The This real number R is different from exists a computable enumeration of the Bent of Tau Beta Pi 99, 2 (Spring 2008), 14–22; http:// R1 since they differ at least in their first computable real numbers. An enumer- tinyurl.com/hellman74, expanding to http://www-ee. stanford.edu/%7Ehellman/publications/74.pdf binary decimal places. It is different from ation exists, but we can never compute 10. Hellman, M. How risky is nuclear optimism? Bulletin of the Atomic Scientists 67, 2 (Mar. 2011), 47–56; http:// R2, since they differ at least in their it. In a sense, only God knows it, while tinyurl.com/HowRisky, expanding to http://www-ee. second binary decimal places. Similar we mortal humans cannot. stanford.edu/~hellman/publications/75.pdf 11. Lehmer, D. and Powers, R. On factoring large numbers. arguments apply to each Ri in the as- I was dumbfounded. If an incorrect Bulletin of the American Mathematical Society 37, 10 sumed list. We had assumed the list assumption can be that subtle, what (1931), 770–776. included all the reals, but R is not in others might have been missed in oth- 12. Merkle, R. Secure communication over insecure channels. Commun. 21, 4 (Apr. 1978), 294–299. the enumeration, so the reals are not er proofs? Is mathematics itself on a 13. Merkle, R. A digital signature based on a conventional encryption function. In Advances in Cryptology, countably infinite. firm foundation? Might Cantor’s proof CRYPTO 1987, Lecture Notes in Computer Science, So far, I was not too perturbed. But that the reals are uncountably infinite Vol. 293 (Santa Barbara, CA, Aug. 16–20). Springer- Verlag, Berlin, Heidelberg, Germany, 1988, 369–378. then the professor defined the comput- have a similar flaw? (I still wonder 14. Meyer, J. Letter to IEEE (July 7, 1977); https://stacks. able real numbers, a concept first in- about that.) stanford.edu/file/druid:wg115cn5068/1977%20 0707%20Meyer%20letter.pdf and https://purl. troduced by Turing in his brilliant 1936 My world was shaken in that course, stanford.edu/wg115cn5068 paper.21 A computable real number but not enough for me to give up logic 15. Morrison, M. and Brillhart, J. A method of factoring and the factorization of F7. Mathematics of is one that can be computed to as as the primary basis for my personal Computation 29, 129 (Jan. 1975), 183–205. many decimal places as desired in a and professional life. That took 10 16. Pomerance, C. A tale of two sieves. Notices of the AMS 43, 12 (Dec. 1996), 1473–1485. finite (though indeterminate) time more years and almost ruining my mar- 17. Rivest, R., Shamir, A., and Adleman, L. A method for by a finite-length program. While, at riage before I finally accepted what obtaining digital signatures and public-key cryptosystems. Commun. ACM 21, 2 (Feb. 1978), 120–126. first, this set might seem to depend Gödel and Turing had been implicitly 18. Sanger, D. U.S. must step up capacity for cyberattacks, on the machine being used, that problem telling me: Logic is just one way of chief argues. The New York Times (Mar. 20, 2015), A4. 19. Schwartz, J. Memo to Martin Hellman (Oct. 7, 1977); was removed by using a Universal Turing knowing about the world, and an in- https://stacks.stanford.edu/file/druid:wg115cn5068/ Machine that can simulate any other complete one at that. 1977%201007%20Schwartz2MH.pdf 20. Shor, P. Polynomial-time algorithms for prime physical computer with only a finite I learned the limits of logic in time to factorization and discrete logarithms on a quantum computer. SIAM Journal on Computing 26, 5 (1997), increase in program size and run save my marriage. Will humanity learn 1484–1509. time over what would be needed on the limits of its current logic in time 21. Turing, A. On computable real numbers, with an application to the Entscheidungsproblem. Proceedings the machine being simulated. to save the world and itself? Dorothie of the London Mathematical Society, Series 2 42 The set of finite-length programs and I wrote our book partly to increase (1936), 230–265; https://www.cs.virginia.edu/~robins/ can clearly be enumerated, as in 0, 1, those odds, even if just a bit. That pro- Turing_Paper_1936.pdf 00, 01, 10, 11, 000, and so on. Since not vides yet one more connection between every finite-length program produces a the work that won me the ACM A.M. Martin E. Hellman ([email protected]) is Professor Emeritus of Electrical Engineering at Stanford University, computable real number—some get Turing Award and the book. What is the Stanford, CA. hung up in infinite loops and provide point of developing elegant algorithms Copyright held by author. no output—the set of computable real (such as Diffie-Hellman-Merkle Key Ex- Publication rights licensed to ACM, $15.00 numbers is also countably infinite. But change) if no one is around in 100 years the professor then seemed to prove that to use them? the computable real numbers were uncountably infinite by writing the follow- References ing program: 1. Coppersmith, D. The Data Encryption Standard (DES) and its strength against attacks. IBM Journal of Research and Development 38, 3 (May 1994), 243–250. Print 0 and a (binary) decimal 2. Corrigan-Gibbs, H. Keeping secrets. Stanford Magazine Watch the author discuss (Nov./Dec. 2014), 58–64; http://tinyurl.com/cyptowar1, his work in this exclusive point, so that what follows expanding to https://alumni.stanford.edu/get/page/ Communications video. magazine/article/?article_id=74801 https://cacm.acm.org/videos/ is the binary expansion of a 3. Diffie, .W and Hellman, M. Exhaustive cryptanalysis cybersecurity-nuclear-security- computable real number. of the NBS data encryption standard. Computer alan-turing-and-illogical-logic

DECEMBER 2017 | VOL. 60 | NO. 12 | COMMUNICATIONS OF THE ACM 59