turing lecture DOI:10.1145/3104985 the National Institute of Standards and Cyber deterrence, like nuclear deterrence, Technology (NIST), proposed a Data Encryption Standard (DES) to protect depends on our adversaries being rational unclassified but sensitive data. Whit- enough to be deterred by our threats but us field Diffie, with whom I shared the not by theirs. Award, and I quickly realized that DES’s 56-bit key size was inadequate and needed to be increased. BY MARTIN E. HELLMAN DES had 256, or approximately 1017, keys. We estimated that the 1975 tech- nology would allow a single-chip search engine to check 106 keys per second, so 106 such chips could search the entire Cybersecurity, key space in 105 seconds. That is ap- proximately one day, and we estimated the equivalent cost to be on the order of $5,000 per recovered key. We also noted Nuclear that the decreasing cost of computa- tion—roughly a factor of 10 every five years—would rapidly reduce this cost. Even an order-of-magnitude error in Security, our estimate would thus be erased in a short time.3 We initially thought the inadequate key size was a mistake that would be Alan Turing, corrected once we pointed it out, but NBS resisted, claiming our estimates were off by four orders of magnitude. Our initial estimate had been a rough and order-of-magnitude approximation that was adequate to show the need for an increased key size. But NBS’s esti- mate was clearly wrong, and we came to Illogical Logic realize we were indirectly battling the National Security Agency (NSA), in addi- tion to NBS. A larger key size would allow foreign governments, criminals, and terrorists to hide their communications from THE 2015 ACM A.M. Turing Award recognized work I did NSA, while 56 bits would not. What we 40 years ago, so it is understandable that my interests had thought was a technical problem have changed significantly, with my most recent project key insights being a book, A New Map for Relationships: Creating ˽ While revolutionary, public key True Love at Home & Peace on the Planet, co-authored cryptography can also be viewed as a natural step in the evolution with my wife Dorothie. While, at first glance, the book of the field of cryptography. might seem to have nothing in common with my work ˽ There is greater risk than is generally recognized that a major advance in on cryptography, my Turing Lecture drew a number of factoring and discrete logarithms might parallels I will bring out in what follows. break existing public key systems. The story starts in March 1975, when the U.S. ˽ In making ethical decisions, we need to zealously guard against fooling ourselves National Bureau of Standards (NBS), now known as about our real motivations. ASSOCIATES ANDRIJ BORYS BY IMAGE 52 COMMUNICATIONS OF THE ACM | DECEMBER 2017 | VOL. 60 | NO. 12 DECEMBER 2017 | VOL. 60 | NO. 12 | COMMUNICATIONS OF THE ACM 53 turing lecture turned out to be political. If we wanted from TDCs to public key.4 TDCs oc- to improve the security of the standard, curred to us because, in the military, we would have to treat it as a political you want a highly secure cipher for use battle by seeking media coverage and by your own troops but do not want it to Congressional hearings—which we be used to keep secrets from you if it is did. While Diffie and I captured by your adversary. We realized The fight that followed was part of saw a 56-bit key that a solution was to build trapdoor in- “the first crypto war.” While the media formation into the cryptosystem that and several members of Congress sup- as small, would allow the designer to break it ported Diffie’s and my position, we lost we now know easily if it was used against him, but this part of it. DES, including its 56-bit without that information his adversary key, was the official encryption stan- it looked large would be unable to cryptanalyze his en- dard from 1977 until 2002 when it was crypted messages. While we never de- superseded by the Advanced Encryp- from NSA’s veloped a workable TDC, the concept tion Standard, or AES, which has a min- perspective. figured prominently in a later analysis imum key size of 128 bits. of DES Diffie and I undertook, with oth- Diffie and I recommended triple- ers.8 We found structures within DES DES3 as a simple, albeit more expen- that looked like they might constitute a sive, way to improve DES security, but trapdoor, although later developments most implementations used the less- indicate they were probably due to ef- secure approach. forts to strengthen the algorithm against differential cryptanalysis.1 Public Key Cryptography and It is also noteworthy that half of the the DES Controversy public key concept—public key ex- Within a year of DES being proposed in change—occurred independently to 1975, a development—the invention of three different groups within a short public key cryptography by Diffie and period of time. me4 and independently by Ralph Merk- According to documents declassi- le12—exacerbated NSA’s concerns. fied years later,5 variations occurred While Diffie and I saw a 56-bit key as in 1970, 1973, and 1974 to researchers small, we now know it looked large James Ellis, Clifford Cocks, and Mal- from NSA’s perspective. Prior to DES, colm Williamson of the Government most commercial encryption systems Communications Headquarters (GCHQ), could be broken much faster than DES, the British agency responsible for and most data was sent unencrypted, providing signals intelligence and in- allowing access at no cryptanalytic cost. formation assurance to that nation, In comparison, even $5,000 per re- though none of their work envisioned covered key was a huge impediment to digital signatures. NSA’s communications-intelligence Ralph Merkle, then a student at the operation. But it appears to have rea- University of California at Berkeley, de- soned that cost would limit the fre- veloped the concept of a public key dis- quency of key changes so a recovered tribution system in the fall of 1974 and key would be useful for months, per- published it, along with a proof of con- haps years. The invention of public key cept (“Merkle puzzles”), in Communica- cryptography allowed keys to be tions, April 1978.12 changed as frequently as desired, mak- Unaware of the still-secret GCHQ ing $5,000 per key a much more daunt- work and Merkle’s budding ideas, Dif- ing barrier for an adversary. fie and I proposed a more general framework—a public key cryptosys- Evolution of Public Key tem—in the Spring of 1975. This ap- Cryptography proach included digital signatures, as While public key cryptography is seen well as public key exchange, with digital as revolutionary—a characterization I signatures being an entirely new idea, love—after the following explanation, even within the classified community. one might wonder why it took Diffie, In May 1976, Diffie and I developed Merkle, and me so long to discover. the first practical, unclassified system Diffie and I had been talking about for public key exchange, publishing “trapdoor cryptosystems” (TDCs) for both it and the public key cryptosystem some time before we devised the public concept in our paper “New Directions key concept, and it is but a small step in Cryptography” in IEEE Transactions 54 COMMUNICATIONS OF THE ACM | DECEMBER 2017 | VOL. 60 | NO. 12 turing lecture on Information Theory, November 1976.4 Born Classified? Project, the consequences of fooling That public key exchange system is wide- NSA’s concerns led it to try to control myself would have been far more grave, ly known as Diffie-Hellman Key Ex- dissemination of our work.2 In January I vowed never to fool myself again, al- change, but somewhat ironically, it is an 1976, soon after Diffie and I realized the though implementing that decision implementation of Merkle’s public key need to treat DES’s inadequate key size proved tricky during Stanford Univer- distribution system concept, not our as a political rather than a technical sity’s patent fight with RSA Data Secu- public key cryptosystem concept. I there- problem, two high-level NSA employ- rity. Space does not allow me to provide fore refer to it as the “Diffie-Hellman- ees flew out to California and tried to the details here, but the interested Merkle Key Exchange.” dissuade us from pursuing the matter. reader can find a description on pages In light of the frequent interactions They basically told us, “You’re wrong, 46–54 of our book;7 a free .pdf file is Diffie and I had, I regard everything in but please be quiet. If you keep talk- also available at http://tinyurl.com/ “New Directions” as joint work, though ing this way, you will cause grave harm HellmanBook, expanding to http:// some scholars have noted (correctly) to national security.” But that did not www-ee.stanford.edu/%7Ehellman/ that Diffie devised the public key cryp- compute. What they were really saying publications/book3.pdf. Those same tosystem concept, while I discovered was, “You’re right, but please be quiet. pages explain why I believe the Man- the Diffie-Hellman-Merkle Key Ex- If you keep talking this way, you will hattan Project scientists fooled them- change algorithm. Because those indi- cause grave harm to national security.” selves about their motivation for work- vidual insights were based on long- I went home that evening to decide ing on the bomb.