BY HENRY CORRIGAN-GIBBS ILLUSTRATIONS BY BRIAN STAUFFER

58 NOVEMBER/DECEMBER 2014 Four decades ago, university researchers figured out the key to computer privacy, sparking a battle with the that continues today.

STANFORD 59 federal laws prohibiting arms trafficking, communication of atomic secrets and disclosure of classified information. Without naming Hellman or his co- authors, Meyer specified the issues of IEEE’s Transactions on Information your research could help solve a looming national problem, but Theory journal and Computer magazine government officials thought publishing it would be tantamount in which Hellman’s articles appeared. to treason? A Stanford professor and his graduate students found Meyer concluded ominously that “these themselves in that situation 37 years ago, when their visionary work modern weapons technologies, uncon- trollably disseminated, could have more on computer privacy issues ran afoul of the National Security Agen- than academic effect.” cy. At the time, knowledge of how to encrypt and decrypt informa- Meyer’s letter alarmed many in the tion was the domain of government; the NSA feared that making the academic community and drew coverage secrets of public would severely hamper intelligence by Science and for operations. But as the researchers saw it, society’s growing depen- two main reasons. First, the letter sug- gested that merely publishing a scientific dence on computers meant that the private sector would also need paper on cryptography would be the legal effective measures to safeguard information. Both sides’ concerns equivalent of exporting nuclear weapons proved prescient; their conflict foreshadowed what would become a to a foreign country. If Meyer’s interpre- universal tug-of-war between privacy-conscious technologists and tation of the law was correct, it seemed security-conscious government officials. to place severe restrictions on research- ers’ freedom to publish. Second, Debo- ment’s longstanding domestic monopoly rah Shapley and Gina Kolata of Science A CONTROVERSIAL on cryptography deeply annoyed many magazine discovered that Meyer was an SYMPOSIUM in the intelligence community. The NSA NSA employee. The International Symposium on Infor- acknowledged that Diffie and Hellman As soon as Hellman received a copy of mation Theory is not known for its racy had come up with their ideas without the letter, he recognized that continuing content or politically charged presenta- access to classified materials. Even so, to publish might put him and his stu- tions, but the session at Cornell Univer- in the words of an internal NSA history dents in legal jeopardy, so he sought sity on October 10, 1977, was a special declassified in 2009 and now held in the advice from counsel case. In addition to talks with titles like Stanford Archives, “NSA regarded the John Schwartz. “Distribution-Free Inequalities for the [Diffie-Hellman] technique as classified. In his memo to Schwartz, Hellman Deleted and Holdout Error Estimates,” Now it was out in the open.” made a lucid case for the value of public- the conference featured the work of a The tension between Hellman and the domain cryptography research. Astutely, group from Stanford that had drawn the NSA only worsened in the months lead- Hellman first acknowledged that the U.S. ire of the National Security Agency and ing up to the 1977 symposium. In July, government’s tight control over crypto- the attention of the national press. The someone named J. A. Meyer sent a shrill graphic techniques proved enormously researchers in question were Martin letter to the Institute of Electrical and useful in World War II: Allied forces used Hellman, then an associate professor of Electronics Engineers, which had pub- confidential cryptographic discoveries to electrical engineering, and his students lished Hellman’s papers and was holding improve their own encryption systems Steve Pohlig, MS ’75, PhD ’78, and Ralph the conference. It began: while denying those same cryptographic Merkle, PhD ’79. benefits to Axis powers. Even so, Hellman A year earlier, Hellman had published I have noticed in the past months argued that circumstances had changed. “New Directions in Cryptography” with that various IEEE Groups have his student , Gr. ’78. The been publishing and exporting [T]here is a commercial need paper introduced the principles that now technical articles on encryption today that did not exist in the 1940’s. form the basis for all modern cryptogra- and cryptology—a technical field The growing use of automated infor- phy, and its publication rightfully caused a which is covered by Federal Regu- mation processing equipment poses stir among electrical engineers and com- lations, viz: ITAR (International a real economic and privacy threat. puter scientists. As Hellman recalled in a Traffic in Arms Regulations, 22 Although it is a remote possibility, 2004 oral history, the nonmilitary com- CFR 121-128). the danger of initially inadver- munity’s reaction to the paper was “ecstat- tent police state type surveillance ic.” In contrast, the “NSA was apoplectic.” Meyer’s letter asserted that the IEEE through computerization must be The fact that Hellman and his stu- and the authors of the relevant papers considered. From that point of view, dents were challenging the U.S. govern- might be subject to prosecution under inadequate commercial cryptogra-

60 NOVEMBER/DECEMBER 2014 phy (which our publications are tographic could constitute decision up to the students. trying to avoid) poses an internal “export” of arms. It was not clear, how- According to Hellman, Merkle and national security threat. ever, that a prosecution under this act Pohlig at first said, “We need to give the would stand up to a legal challenge on papers, the hell with this.” After speak- In the memo, Hellman described how First Amendment grounds. ing with their families, though, the stu- his earlier attempts to prevent “stepping Evaluating these laws together, dents agreed to let Hellman present on on [the] toes” of the NSA failed when the Schwartz concluded that Hellman and his their behalf. agency’s staffers would not even disclose students could legally continue to pub- In the end, the symposium took place which areas of cryptography research lish. At the same time, Schwartz noted without incident. Merkle and Pohlig stood Hellman should avoid. wryly, “at least one contrary view [of the on stage while Hellman gave the presen- Responding to Hellman a few days law] exists”—that of Joseph A. Meyer. tation. The fact that the conference went later, Schwartz opined that publishing Hellman later recalled Schwartz’s less- ahead as planned, Science observed, “left cryptography research would not in itself than-comforting informal advice: “If you little doubt that the work [in cryptogra- violate federal law. His findings had a are prosecuted, Stanford will defend you. phy] has been widely circulated.” That a strong legal basis: Two regulations gov- But if you’re found guilty, we can’t pay group of nongovernmental researchers erned classified information in the United your fine and we can’t go to jail for you.” could publicly discuss cutting-edge cryp- States at the time—an executive order and The Cornell symposium was to begin tographic algorithms signaled the end of the Atomic Energy Act of 1954—and nei- three days after Schwartz offered his legal the U.S. government’s domestic control ther seemed to prevent the publication of opinion; Hellman, Merkle and Pohlig had of information on cryptography. unclassified research on cryptography. to quickly decide whether to proceed There was only one other likely legal with their presentations in spite of the tool that the federal government could threat of prosecution, fines and jail time. THE VIEW FROM use to prevent the Stanford group from Graduate students typically present their FORT MEADE disseminating their work: the Arms own research at academic conferences, Vice Adm. Bobby Ray Inman took over as Export Control Act of 1976, which regu- but according to Hellman, Schwartz rec- director of the NSA in the summer of lated the export of military equipment. ommended against it in this case. Since 1977. Inman was an experienced naval Under a generous interpretation of the the students were not employees of Stan- intelligence officer with allies in both law, giving a public presentation on cryp- ford, it might be more difficult for the political parties. If his qualifications for university to justify paying their legal the job were good, his timing was not. He bills. Schwartz also reasoned that dealing had barely warmed his desk chair when SHARING THE STEALTH: Merkle, Hellman and Diffie with a lengthy court case would be harder he was thrust into the center of what he ended government’s for a young PhD student than for a ten- recently described as “a huge media monopoly on cryptography. ured faculty member. Hellman left the uproar” over the J. A. Meyer letter—written the very first day of Inman’s tenure. Although Inman was concerned about the impact that publication of these new cryptographic techniques would have on the NSA’s foreign eavesdropping capabilities, he was also puzzled. As he explained, the primary consumers of cryptographic equipment in the 1970s were governments. Apart from that, “the only other people early on . . . who were buying encryption to use were the drug dealers.” Since the NSA already had “incredibly able people working on build- ing the systems to be used by the U.S. gov- ernment” and the NSA had no interest in protecting the communications of drug dealers, Inman wanted to find out why these young researchers were so focused on cryptography. In the tradition of intelligence profes- sionals, Inman set out to gather some information for himself. He went to Cali-

CHUCK PAINTER/STANFORD NEWS SERVICE SERVICE NEWS CHUCK PAINTER/STANFORD fornia to meet with faculty members and

STANFORD 61 industry leaders at Berkeley, Stanford and as a crucial piece of a functioning techno- To reckon with the growing threat of elsewhere. Inman quickly discovered logical environment. unclassified cryptography, Inman con- that the researchers at Stanford were Still, Inman was not excited about the vened an internal NSA panel for advice. designing cryptographic systems to solve prospect of high-grade encryption systems As recounted in the declassified NSA his- an emerging problem that was not yet on being available for purchase, especially tory, the panel gave Inman three stark the NSA’s radar: securing the growing abroad. “We were worried that foreign choices for how to control the publication number of commercial computer systems, countries would pick up and use cryptog- of cryptography research: which were subject to attack or compro- raphy that would make it exceedingly hard (a) Do nothing mise. The researchers’ position, Inman to decrypt and read their traffic.” (b) Seek new legislation to impose said, was that “there’s a whole new world The level of public excitement sur- additional government controls emerging out there where there’s going rounding the recent cryptography work (c) Try non-legislative means such to need to be cryptography, and it’s not made growth in the field of unclassi- as voluntary commercial and academic going to be provided by the government.” fied cryptography almost inevitable. In compliance. recently recounted August 1977, Scientific American had The panel concluded that the damage their conversation in similar terms: “I published a description of the new RSA was already so serious that something was working on cryptography from an cryptosystem devised by , Adi needed to be done. unclassified point of view because I could Shamir and Leonard Adleman of MIT. NSA documents and Hellman’s rec- see—even in the mid-’70s—the growing According to Steven Levy’s 2001 book ollection both suggest that Inman first marriage of computers and communica- Crypto, the researchers offered a copy of a tried to get a law drafted to restrict cryp- tion and the need therefore for unclassi- technical report describing the scheme to tographic research, along the lines of the fied knowledge of cryptography.” Inman anyone who would send a self-addressed Atomic Energy Act. For political reasons, realized that the academics stamped envelope to MIT. The authors the NSA history says, Inman’s proposed saw strong public cryptographic systems received 7,000 requests. bill was “dead on arrival.” “Congress [wanted to] unshackle U.S. commerce from any sort of Pentagon- imposed restriction on trade,” the history ruefully recounts, and the Carter admin- istration “wanted to loosen Pentagon control of anything, especially anything that might affect individual rights and academic freedom.” Even if Inman could get a bill through Congress, Hellman said, the First Amend- ment would make it difficult to prevent researchers from speaking publicly about their work. If they didn’t publish their papers, “they’ll give 100 talks before they submit it for publication.” As a sort of last-ditch effort at com- promise, Inman organized a voluntary system of prepublication review for cryp- tography research papers. A number of other scientific journals have attempted a similar system in recent years. “That’s really the best anyone has been able to come up with,” said Steven Aftergood of the Federation of American Scientists, an expert on government secrecy. The review process was used for a decade, but Inman recalled that it even- tually “fell apart” because of “the explo- sion of . . . uses” for cryptography. As the world underwent a digital revolution, there was an accompanying “revolution in cryptography,” just as Diffie and Hell- man had predicted in 1976.

62 NOVEMBER/DECEMBER 2014 intelligence or communications security. coordinate its grants with the NSA. Since AFTERMATH The purported reason for these reviews funding agencies often need not explain It is tempting to view the outcome of the was for the NSA to advise the NSF on why they have rejected a particular grant conflict between the Stanford research- the proposals’ “technical merits,” but the proposal, it is hard to judge the NSA’s ers and the NSA as an unequivocal victory agency appeared to use this process to effect on the grant-making process. for freedom of speech and the beginning exercise control over nongovernmental The agency has a second tactic to pre- of the democratization of the tools of cryptography research. vent the spread of cryptographic tech- cryptography. There is a grain of truth in For instance, the NSA reviewed and niques: keeping high-grade cryptography this characterization, but it misses the approved an NSF grant application from out of the national standards. To make it larger effect the run-in had on the aca- Ron Rivest. Later, Rivest used the funds easier for different commercial computer demic cryptography community and on to develop the enormously influential systems to interoperate, the National the NSA. RSA cryptosystem, which secures most Bureau of Standards (now called NIST) Hellman and other academic research- encrypted Internet traffic today. An coordinates a semipublic process to design ers realized they could win the debate, internal NSA history suggests that the standard cryptographic algorithms. Ven- as long as it took place in public. News- agency would have tried to derail Rivest’s dors are hesitant to implement algorithms papers and scientific journals found it grant application if the reviewers had that are not in the NIST standards: Non- much easier to sympathize with a group understood what Rivest would do with standard algorithms are harder to deploy of quirky and passionate academics than the money. The NSA missed this oppor- in practice and are less likely to see adop- with a shadowy and stern-faced intelli- tunity, the history complains, because tion in the open marketplace.

IN THE ’70s, ONLY GOVERNMENTS AND DRUG DEALERS WERE BUYING ENCRYPTION. WHY WERE THESE ACADEMICS SO INTERESTED?

gence agency. The issue of First Amend- the wording of Rivest’s proposal “was so The first controversy over the NSA’s ment rights, Hellman recalled in 2004, general that the Agency did not spot the hand in these standards erupted in the 1970s also gave the press and the researchers threat” posed by the project. when it persuaded the bureau to weaken a common cause. “With the freedom of In 1979, Leonard Adleman (another the Data Encryption Standard (DES) algo- publication issue, the press was all on member of the RSA triumvirate) applied rithm, an NBS-designed cryptosystem our side. There were editorials in the New to the NSF for funding and had his appli- widely used by banks, privacy-sensitive York Times and a number of other publi- cation forwarded to the NSA. According businesses and the public. Hellman and cations. Science, I remember, had covered to Whitfield Diffie and Susan Landau’s his then-student Diffie mounted a vigor- our work and was very helpful.” 2007 book, Privacy on the Line, the NSA ous—and ultimately unsuccessful—public From the other side, NSA officials real- offered to fund the research in lieu of the relations campaign to try to improve the ized they would have a difficult time getting NSF. Fearing that his work would end up strength of the DES . public support to suppress publication of classified, Adleman protested and even- At the time, NSA leadership emphati- what they considered dangerous research tually received an NSF grant. cally denied that it had influenced the results. They turned instead to two aspects Even though the NSF appears to have DES design. In a public speech in 1979 of nongovernmental cryptography over maintained some level of independence aimed to quell some of the controversy, which they had near-total control: research from NSA influence, the agency likely Inman asserted: “NSA has been accused funding and national standards. has had greater control over other fed- of intervening in the development of the As of 2012, the federal government eral funding sources. In particular, the DES and of tampering with the standard provided 60 percent of U.S. academic Department of Defense funds research so as to weaken it cryptographically. This research and development funding. By through the Defense Advanced Research allegation is totally false.” choosing which projects to fund, grant- Projects Agency (DARPA), the Office Recently declassified documents giving government agencies influence of Naval Research, the Army Research reveal that Inman’s statements were mis- what research takes place. Office and other offices. After the run-in leading, if not incorrect. The NSA tried to Even before the 1977 Symposium on with the academic community in the late convince IBM (which had originally Information Theory, the NSA reviewed 1970s, the NSA history asserts that Vice designed the DES algorithm) to reduce National Science Foundation grant appli- Adm. Inman “secure[d] a commitment” the DES key size from 64 to 48 bits. Reduc- cations that might be relevant to signals that the Office of Naval Research would ing the key size would decrease the cost of

STANFORD 63 certain attacks against the cryptosystem. make mistakes that render their traffic You’re an interested party.” The NSA and IBM eventually compro- easy for an intelligence agency to decrypt: It was not until Hellman watched Day mised, the history says, on using a weak- “People still make a lot of mistakes: use After Trinity, a documentary about the ened 56-bit key. wrong, bad keys, or whatever else.” development of the atomic bomb, that Today, Inman acknowledges that the A second question is whether Hellman he realized how dangerous his decision- NSA was trying to strike a balance be- was right to worry that a lack of strong making process had been. The moment tween protecting domestic commercial cryptography could become an “econom- in the film that troubled him most, he communication and safeguarding its own ic and privacy threat” in a computerized recalled, was when the Manhattan Proj- ability to eavesdrop on foreign govern- economy. In an unexpected turn, today ect scientists tried to explain why they ments: “[T]he issue was to try to find a Inman is as worried about protecting continued to work on the bomb after level of cryptography that ensured the nongovernmental computer systems as Hitler had been defeated and the threat privacy of individuals and companies Hellman was in the 1970s. When asked if of a German atom bomb had disappeared. against competitors. Against anyone he would make the same decisions about The scientists “had figured out what they other than a country with a dedicated nongovernmental cryptography now as wanted to do and had then come up with effort and capability to break the codes.” he did then, Inman replied, “Rather than a rationalization for doing it, rather than ‘FORGET ABOUT WHAT’S RIGHT. GO WITH THIS. . . YOU’LL NEVER HAVE MORE OF AN IMPACT ON SOCIETY.’

The NSA’s influence over the stan- being careful to make sure they were[n’t] figuring out the right thing to do and dards process has been particularly effec- going to damage [our collection capabili- doing it whether or not it was what they tive at mitigating what it perceived as the ties] . . . I would have been interested in wanted to do. . . . I vowed I would never risks of nongovernmental cryptography. how quickly they were going to be able to do that again,” Hellman said. “Thinking it By keeping certain cryptosystems out of make [cryptosystems] available in a form through even now, I still would have done the NBS/NIST standards, the NSA facili- that would protect proprietary informa- most of what I did. But it could have been tated its mission of eavesdropping on tion as well as government information.” something as bad as inventing nuclear communications traffic. The theft of portions of the designs for weapons, and so I vowed I would never the F-35 jet, Inman said, demonstrates do that again.” that weak nongovernmental encryption Making good decisions in these situ- REFLECTIONS and computer security practices can griev- ations, Aftergood said, requires a large ON SECRECY ously harm national security. Even though dose of “internal restraint” and a certain There are a few salient questions to con- history has vindicated Martin Hellman, “degree of trust” between researchers sider when looking back at these first he adamantly refuses to gloat over the and government officials, “which is often conflicts between the intelligence com- accuracy of his predictions and the far- lacking in practice.” munity and academic researchers in reaching impact of his technical work. On Although Hellman and Inman forged cryptography. A starting point for this the contrary, Hellman is still deeply trou- an unlikely friendship in the wake of the analysis, said Aftergood, is to consider bled by the way he engaged in the debate conflict in the late 1970s, trust between “whether in retrospect, [the govern- with the NSA over the publication of his the academic cryptography community ment’s] worst fears were realized.” papers and the DES encryption standard. and the NSA is at its nadir. Inman said of According to Inman, the uptake of Rather than trying to understand both the new NSA director, “He has a huge chal- the research community’s cryptographic sides of the issue and make the “right” lenge on his plate. How does he . . . can he, ideas came at a much slower pace than decision, Hellman said that in the heat in fact, reestablish a sense of trust?” he had expected. As a result, less foreign of the controversy, he listened to his ego Diffie and Hellman’s now-legendary traffic ended up being encrypted than instead. “The thought just popped into my key-exchange algorithm has an elegant the agency had projected, and the con- head: Forget about what’s right. Go with one-line representation. Debates over aca- sequences for national security were not this, you’ve got a tiger by the tail. You’ll demic freedom and government secrecy as dramatic as he had feared. Essentially, never have more of an impact on society.” do not lend themselves to such a concise Inman recalled, “there was no demand” Aftergood said that this sort of ego- formulation. “It’s not a neat, simple calcu- for encryption systems outside of govern- driven reasoning is a hallmark of debates lation,” Aftergood said. “There are com- ments, even though many high-grade sys- over secrecy in research: “If you’re a peting interests on all sides, and somehow tems eventually became available. “You researcher and you’ve achieved some one just has to muddle through.” n had a supply but no demand for it.” Even kind of breakthrough, you’re going to those people who try to use high-grade want to let people know. So you’re not a Henry Corrigan-Gibbs is a second-year cryptographic tools, Hellman said, often neutral, impartial, disinterested party. PhD student in .

64 NOVEMBER/DECEMBER 2014