3 January 2010

Related to:

kahn-tapping.htm      Tapping Computers by David Kahn                  January 4, 2010
nsa-meyer.htm         NSA FOIA Documents on Joseph Meyer IEEE Letter   January 2, 2010
diffie-nsa.htm        Whitfield Diffie on NSA and Joseph Meyer Letter  January 2, 2010
hellman-nsa.htm       Martin Hellman on NSA and Joseph Meyer Letter    December 31, 2009

Foreign Affairs (Fall 1979) pp. 147-59.

CRYPTOLOGY GOES PUBLIC

David Kahn

David Kahn is the author of The Codebreakers and Hitler's Spies. He is currently assistant viewpoints editor of Newsday.

I

In November of 1978 a remarkable conference took place in Germany. It brought together for the first time the Allies' backroom boys of World War II and those whom they had outwitted for nearly six years -- the cryptographers of the Third Reich.

Together with historians, they discussed what had been the most secret part of the intelligence war. This was the Allied solution of the principal German ciphers and consequent ability to read large segments of high-level military traffic, including the very messages of Adolf Hitler to his generals.

An admiral of the Royal Navy described how his knowledge of U-boat orders enabled him to steer convoys around the wolf packs to help win the Battle of the Atlantic. An American intelligence officer told how foreknowledge of a German attack enabled the Seventh Army to repel it with minimal losses. The Royal Air Force's former scientific intelligence chief recounted how Ultras -- the Allied solutions of German messages were called -- gave him the first clues to German V-weapons and enabled the Allies to bomb the research center at Peenemünde and later the launching sites in France. A historian discussed how the American solution of the Japanese diplomatic cipher machine revealed what the Japanese ambassador in Berlin was reporting to Tokyo about his conversations with Hitler -- intercepts that became, Chief of Staff George C. Marshall said, "our chief basis of information regarding Hitler's intentions in Europe." All of this proved too much for one of the Germans. During the war he had repeatedly assured the head of the Kriegsmarine, Grand Admiral Karl Donitz, that the naval Enigma cipher machine was not being solved by the Allies -- when, in fact, they were doing so almost solidly and often instantaneously. "If the Allies could read it all," he asked with some asperity, "why didn't they win the war sooner?" An American historian answered, "They did." And no one in the high-ceilinged university senate room dissented. All agreed that Ultra had shortened the war and saved thousands of lives. Ultra was, one of its veterans has rightly said, "the most important sustained intelligence success in the history of human conflict."

It was typical of the traditions of cryptology that the Ultra secret was withheld, from the Germans as well as from the public, for nearly 30 years after World War II ended. Governments maintain this sort of discretion for a number of practical reasons.

To reveal how a cryptogram was solved would enable other countries to strengthen their cryptosystems to prevent such solutions. Even to reveal that a cryptogram had been solved might awaken other nations' cryptographers to the possibility that their ciphers, too, might be broken and so might impel them to change them. Disclosing the details of one's own cipher systems would obviously nullify their ability to keep communications confidential.

Finally, to admit prying into other nations' messages would embarrass a country and so burden its international relations. In only one case, apparently, did a statesman refuse to read other countries' messages not out of fear of bad publicity if caught but because he felt it was wrong. In 1929, when Henry L. Stimson became Secretary of State, he ordered the closing of the combined State Department-War Department Cipher Bureau on the ground that "gentlemen do not read each other's mail" and in the belief that mutual trust was the best road to world comity.¹ It was an act of the highest international morality. But the times made it impossible. When he became Secretary of War in World War II, he was one of the grateful readers of intercepted Japanese diplomatic messages -- provided by the War and Navy Departments, which had kept their code-breaking groups alive in 1929.

__________

1 The nations of the world have paid lip service to Stimson's principle by incorporating in Article 27, Section 2, of the Vienna Convention on Diplomatic Relations the rule that "The official correspondence of the mission shall be inviolable." United Nations Treaty Series, Vol. 500. New York: United Nations, 1965, p. 110. Probably only the nations that cannot violate other countries' correspondence accede to the provision. The United States has in effect nullified its adherence by including in a 1978 law setting up procedures for electronic surveillance within the United States (including messages of foreign powers) the phrase "Notwithstanding any other law," which, under the Constitution, includes treaties. 92 U.S. Statutes, 1786.

Thus, secrecy about cryptology has been the rule at least since the science became a permanent function of state through the establishment of letter-opening black chambers in the Renaissance, as a concomitant of the rise of modern diplomacy. The Venetian Republic's Council of Ten ordained that any cryptologist who betrayed secrets could be put to death. In 1723, Britain's House of Lords asserted in a trial for treason that "it is not consistent with the public Safety, to ask the Decypherers any Questions, which may tend to discover the Art or Mystery of Decyphering." Governments still adhere to this principle as much as they can. In 1933 and again in 1950, the United States enacted laws that impose fines and jail terms for anyone revealing official cryptologic secrets. The National Security Agency (NSA), responsible for U.S. cryptology, operates under the tightest possible security. The same is true of its foreign counterparts.

And secrecy has been relatively easy to maintain because cryptology has been largely a monopoly of governments. Though businessmen have sometimes used codes or ciphers to conceal their messages, they seem almost never to have intercepted and solved competitors cryptograms.

But it is becoming increasingly difficult to keep the official lid on. With the expansion of radio communications and advances in intercept technology, cryptology has become so extensive an activity of intelligence and security that political and military events will from time to time impinge upon it and expose portions of it.

The 1964 clash of the U.S.S. Maddox with North Vietnamese patrol boats in the Gulf of Tonkin, the attack upon the U.S.S. Liberty during the Six-Day War in 1967, and the capture of the U.S.S. Pueblo by North Korea in 1968 revealed some details about American intercept operations. Previously, in 1960, two NSA employees, William H. Martin and Bernon F. Mitchell, defected to the.Soviet Union and gave a press conference in Moscow about American code-breaking activities. And the 1974-75 congressional investigations into the American intelligence community revealed a good deal about the vast scope of NSA's intercept operations.

More recently, cryptology has, perhaps for the first time, become the subject of formal intergovernmental agreement. In the final stages of the negotiations of the SALT II agreements now before the Senate, the American side insisted that the treaty bar "the encryption or encoding of crucial missile test information," as President Carter said in his June 1979 televised address to the Congress on the treaty. Concealing information on missile tests by encryption would make it harder for the United States to ascertain Soviet missile capabilities -- and for the Russians to ascertain American.

To prevent this, the treaty provides that "neither party shall engage in deliberate denial of telemetric information, such as through the use of telemetry encryption, whenever such denial impedes verification of compliance with the provisions of the Treaty." But since the treaty does allow encryption when it does not interfere with verification, the question of when encryption interferes and when it does not is being looked at hard in the Senate's deliberations.

But the SALT case is relatively limited and still mainly a government problem. What is today far more interesting and significant is the degree to which new factors are causing cryptology to spill over from the governmental domain into public awareness. Major governments today are not limiting their intercept activities to official communications; they seek to draw intelligence from the communications of tens of thousands of private firms and citizens of all nationalities. The protective countermeasures of target nations necessarily include the private sector. At the same time, concerns about foreign and domestic invasions of privacy have led private firms and individuals to demand security for their stored computerized files and their electronically transmitted messages. To meet this demand, private researchers have invaded the highly technical realms of cryptology that have long been a government monopoly.

In short, what has happened to other technologies, such as atomic energy, is happening to cryptology. It is becoming a public matter, and raising a whole new set of public issues.

If one nation is intercepting communications on the territory of another, what is the proper diplomatic response to this? Should a government advise its nationals on protecting their communications from foreign exploitation when such advice might enable other nations to better protect their own communications and so deny the parent government valuable communications intelligence? May private individuals develop and publish cryptographic techniques that, because of their advanced nature, could also deprive a parent government of communications intelligence?

Do First Amendment rights take precedence over the needs of national security?

We are only beginning to see the shape and scope of these and other issues raised by cryptology as it goes public. This article seeks to explore some of them.

II

A few words about terminology may help. "Cryptology" encompasses signal security and signal intelligence. The former includes all ways of keeping secret both human messages, such as telegrams and telephone conversations, and electronic messages, such as computer-to-computer data exchanges. These ways include cryptography -- varied techniques for putting the messages into secret form by code or cipher. The elements of the message -- letters, electronic pulses, voice sounds -- can be scrambled or replaced by other elements. The receiver, who must know the key or secret procedure used in encryption, then reverses the process to read the original message.

Signal intelligence comprises all methods of extracting information from transmissions. These methods can include identifying radars or translating telemetered data of intercontinental ballistic missiles in flight. Other methods deal largely with human communications. Among these are interception of messages in plain language; traffic analysis, which matches radio call signs to particular military or other headquarters and draws inferences from the volume of traffic on various radio circuits; and cryptanalysis, which breaks the codes or ciphers that armor messages. These three are generally grouped together as communications intelligence, or COMINT.

Nonspecialists frequently ask two questions about cryptology. Is there an unbreakable cipher? There is indeed one that is absolutely unbreakable. This is the one-time pad. It cannot be used in every situation because it requires as many random letters for its key as in all messages that will ever be sent, and this presents an insuperable distribution problem. It can serve in restricted situations, however, as in spy messages and on the Moscow-Washington hot line. There are also many ciphers that, properly used, are unbreakable in practice, since the cryptanalyst cannot assemble enough text to analyze their complexities. Because they do not have the disadvantage of the one-time pad, such systems serve in most military and diplomatic networks today.

The other question is: Have computers not made it possible to solve all ciphers? They have not. Modern cipher machines are in effect special-purpose computers themselves. Since doubling the encryption capacity appears to square the number of trials the cryptanalyst has to make, the codemaker can always stay ahead of the codebreakers.

III

In 1975, the Rockefeller Commission on Central Intelligence Agency activities revealed that the communist countries "can monitor and record thousands of private telephone conversations." News stories later said that the Russians not only could but did monitor "millions" of domestic American telephone calls -- 100,000 a year in the Washington area alone. Then President Carter, at a news conference, acknowledged that "Within the last number of years, because of the radio transmission of telephone conversations, the intercept on a passive basis of these kinds of transmissions has become a common ability for nations to pursue."² How did this happen? How do they do this?

__________

2 Public Papers of the Presidents of the United States, Jimmy Carter, 1977, Vol. II, Washington, GPO, 1978, p. 1234.

Since 1950, telephone companies have increasingly sent conversations -- both between people and between computers -- from city to city by microwaves. These are radio waves beamed on a line of sight from a transmitter through several relay towers, usually perched atop hills about 25 miles apart, to the receiver. Communication companies like microwaves because building and maintaining towers costs less than buying land for right of way, digging a trench, and laying cable. Today about 70 percent of the toll call mileage within the United States is microwave.

But radio is easy to intercept. The intruder does not even have to reach into the microwave beam. Each relay radiates enough energy for an eavesdropper to pick up the microwave signal five to ten miles away. The antenna for this would have to be a ten-foot dish, but "The interceptor can make use of a number of innocent-appearing structures such as apartments, houses, sheds, barns or a specially outfitted van," says a recent study made for the White House.³ If the interceptor can get closer to the beam, he can use smaller and less obtrusive equipment. None of this is either very difficult or very costly -- around $60,000 according to the study. The real problem arises in trying to pluck a particular person's conversations out of the incredible welter of calls. And for a long time this final step seemed insuperable. There were simply too many telephone calls to check.

__________

3. Mitre Corporation, McLean, Virginia, Study of the Vulnerability of Electronic Communications Systems to Electronic Interception, prepared for the Office of Telecommunications Policy, January 1977, Department of Commerce, National Technical Information Service, PB264447 and PB264448, Vol. I, p. 17.

But the evolution of computers made individual targeting feasible. A computer can count the clicks of a telephone dial or the beedledybeeps of multifrequency pushbutton calling as they pour in torrents over the microwaves. It compares that number with a list stored in its memory. If it finds no match, it discards the call and passes to the next. But if a match exists, the system "drops" the intercept onto a tape recorder for human analysis.

The Soviet Union, acting through disguised intermediaries, has almost certainly rented houses near important microwave routes and filled them with the sophisticated electronic gear needed for interception. Senator Daniel Moynihan has said that the Russians are listening in their consulate in San Francisco, their mission to the United Nations in New York, and their apartment house in the Riverdale section of the Bronx. The two locations in New York, he states, provide "extraordinary access to telephone traffic in the whole of the New York metropolitan area, and in particular to that of the financial, commercial, and legal communities of Manhattan." Though the aerials on the present Soviet embassy on 16th Street in Washington a few blocks north of the White House are designed for legitimate shortwave transmissions and not for interceptions, the Russians got lucky with their new embassy on Tunlaw Road, on one of the highest hills in Washington. When they were assigned the land, private telephone monitoring was unknown, and no one took into account that the site bestrides some important microwave beams. A primary telephone trunk group for the eastern seaboard runs close by on the relay between microwave towers in Arlington, Virginia and Gambrills, Maryland. A Defense Department digitized voice circuit from the Pentagon to Western Union's Tenley Tower on Wisconsin Avenue passes almost directly over the site.

Late in 1977, the Soviet Union added another new and important mode of interception when it installed big antennas in Cuba to monitor communications sent by satellite. These comprise telephone calls, telegrams and computer data moving between the United States and 55 other nations. The messages are directed upward to one of seven satellites hovering 22,300 miles above the Atlantic; the satellite then retransmits them back down toward a receiving station on the ground, usually on the other side of the ocean. But the downward beam spreads widely, and even from outside its fairly large "footprint" on the surface of the earth it is easy to pick up its signals, though the cost of a steerable 30-meter dish for such interception has been estimated at $1.5 million.⁴ All this seems an extraordinary effort to gain information that on its face does not seem very important. Why does the Soviet Union do it?

__________

4. There have never been any reports of Soviet or other attempts to "tap" the transatlantic telephone cables. A submarine could lay a length of wire alongside a cable and pick up the signals by induction. But demultiplexing the numerous interleaved conversations would require considerable complicated equipment, probably too bulky for a submarine to carry. The Roosevelt-Churchill conversations that the Germans intercepted during World War II were sent by radiotelephone, since no telephone cables then existed. The Germans never attempted to tap the transatlantic telegraph cables.

One reason is that codebreaking no longer yields the quantities of central information it once did. The transistor and large-scale integration of electronic circuits, which made pocket calculators so cheap, have placed excellent cipher machines within the price range of more countries than ever before. This means fewer codebreaking results, and this reduction has driven the Soviet Union, as well as the United States, to gather information from the unencrypted, plain language messages -- both human and computer -- that pass over telephone circuits.⁵ Though plain language intercepts seldom provide the insight that cryptanalyzed ones do, they have their strengths. "Anyone listening in to a senator's telephone conversations for two weeks would own him," says one senatorial aide with tongue only halfway in cheek.

__________

5. It might seem that this decline would reduce the scale or status of the code-breaking agencies But the need to process much more traffic to approach the qualIty of cryptanalyzed intellIgence means having to add more men and/or machines Thus the cryptanalytic loss, far from being an organizational disaster, may be a bureaucratic godsend. Though the present NSA Director says that this analysis does not fit the facts, several non-NSA intelligence specialists say it is true.

Another reason for the shift to telephone eavesdropping is that it can provide quantities of a kind of information that is becoming more and more important: economic intelligence. Information that might warn of dollar or energy crises is becoming as critical as military and diplomatic information. The Soviet Union, for example, is reported to have used its intercepts of American grain dealers' telephone conversations to advantage in its big grain purchase. Monitoring the data flowing by microwave and satellite in domestic and international time-sharing computer networks could reveal financial transactions of giant multinationals, once the trivia of airline, hotel and rental-car reservations are screened out.

The United States, too, is seeking economic intelligence through interception. In its leaked 1976 report, the House intelligence committee said that American signals intelligence "in this area has rapidly developed since 1972, particularly in reaction to the Arab oil embargo" and the Soviet grain deal success. Recently it was reported that intercepts of oil-producing nations' messages warned the U.S. government of their intention to raise oil prices.

Almost certainly, too, the United States eavesdrops extensively on communications within the Soviet Union. Monitors at the embassy on Tchaikovsky Street in Moscow are known to have listened in on the limousine radio-telephones of Soviet leaders, even though they apparently got only scraps of intelligence (including, according to a columnist, views on the ability of a favorite masseuse). It seems likely that such activities are targeted as extensively as possible on other Soviet internal communications, particularly those of a sort that would be between private citizens in America. (In the 1950s the CIA did manage to tap the military telephone lines used by Soviet forces in East Germany, through a tunnel under the East Berlin boundary, but this was probably a one-time success after its discovery by the Russians.) No doubt the Western powers get fewer intercepts from East European countries and the Soviet Union than those powers obtain in the West, but because information is harder to come by in the communist closed societies, the West's intercepts are more valuable.

IV

As these new techniques become known, the two superpowers are taking steps to close them off. And these steps have generated some of the new controversy and discussion. What are they?

The Soviet Union has flooded the American embassy with nonsignal-carrying microwaves, apparently to jam the American eavesdropping devices. But microwaves pose a health hazard, for this is the same radiation that at higher intensities cooks food in microwave ovens. Although there was a brief scare, American officials have since emphasized that they have no evidence that the radiation has yet been responsible for any illnesses.

But that is not a solution in the United States, as much for environmental as for technical reasons. Nor is a proposal by Senator Moynihan, who grew incensed about the apparent double standard applied against interceptions. "We are standing around in the Rose Garden pinning medals on one another for having discovered that the FBI is tapping somebody's telephone," he said, but nobody is doing anything about the Soviet intrusions. He introduced a bill that calls upon the President to declare persona non grata any individual with diplomatic immunity who is "willfully engaging in electronic surveillance on behalf of a foreign power. " One problem with this idea is that the Russians might retaliate in the same way against American eavesdropping, which would probably hurt the United States more than the Soviet loss of intelligence would hurt them. Another is that expelling a foreign eavesdropper might cause more loss than gain. For the United States has apparently learned about Soviet eavesdropping mainly by "piggybacking," or intercepting Soviet transmissions of their urgent American intercepts back to Russia for analysis. To reveal details officially might compromise the source.

Probably for these reasons, the executive branch has rejected the Moynihan proposal. Carter has said that "I would not interpret this use by the Soviet Union or by other embassies to be an act of aggression." What then is the United States doing to deprive the Soviet Union of this intelligence?

It is undertaking a multi-million-dollar program to protect American domestic communications. On February 15, 1979, the White House issued a three-page, single-spaced National Telecommunications Protection Policy directive. It divides messages into three categories and specifies different safeguards for each.

"Government classified information relating to national defense and foreign relations" -- military and diplomatic messages -- will come, as before, under the control of the National Security Agency, the government's cryptologic body. It has already transferred many sensitive telephone circuits from microwaves to buried cable, and is expanding the Electronic Secure Voice Network. This uses telephone scramblers -- each about the size of two file drawers -- to render conversations unintelligible to eavesdroppers.

The other two categories will be handled by a new Special Project office in the Commerce Department's National Telecommunications and Information Administration. Associate Administrator Donald Jansky has an annual budget of $2 million and 20 experts for the job, the main part of which he expects will last 5 years. His teams have already spoken to almost a dozen telecommunication common carriers on how to protect messages in the second category: "unclassified information transmitted by and between government agencies and contractors that would be useful to an adversary." Some companies are looking into such matters as the practicability of bulk encryption to scramble all messages transmitted over a particular microwave link. The teams will also survey the needs of government agencies and will recommend particular cipher systems to them.

The third category consists of "nongovernmental information that would be useful to an adversary." Examples that Jansky gives include the strategy to be used by American firms in negotiations against foreign competitors, changes in the prime interest rate, crop forecasts, the availability of critical materials, and developments in advanced technologies. The White House directive requires that such information "be identified and the private sector informed of the problem and encouraged to take appropriate measures." Jansky's office is not chartered either to analyze the problems of particular firms or to recommend specific ciphers. But it will draw up guidelines for evaluating types of protection systems that the firms will probably buy.

The entire program comes under a National Security Council subcommittee that will settle jurisdictional disputes between Commerce and NSA. It marks the first time that any government has ever dispensed advice on codes and ciphers to the public. This has helped bring cryptology out of the closet. So has the question of cost. Jansky predicts that for the carriers and private firms this will reach "probably in the billions."

V

The new program is linked to the rising debate on cryptology in another way as well. One of the cipher systems that it will recommend to some government bodies and contractors lies right in the crossfire of the argument over whether foreign code-cracking intelligence is more important than protecting citizens' privacy by giving them good ciphers. The cipher is known as the DES, or Data Encryption Standard. As bank cash-dispensing machines grew in number, bank officers became concerned that the wires between these machines and the central office computer could be tapped to gain information and then used to "tickle" a money machine to make it disgorge its average cash holdings of $20,000.

So the International Business Machines Corporation devised a cipher to encrypt the identifications, amounts and account numbers passing over these wires. Modern semiconductor techniques enabled it to be extremely complex and yet embodied on an integrated-circuit ceramic "chip" the size of a thumbnail: it is the tiniest known "cipher machine" ever produced.

In 1973, the National Bureau of Standards, responding to the increasing public concern about data privacy -- such as the confidentiality of individuals' Internal Revenue Service files -- solicited for a standard cipher. Government agencies would have to use it when encrypting personal files, and private firms would have to use it when communicating with these agencies in secret mode. By far the best system submitted was IBM's.

It was, in fact, so good that a miniature debate seems to have broken out in secret between the two halves of the National Security Agency, which was advising the Bureau of Standards. The code-breaking side wanted to make sure that the cipher was weak enough for NSA to solve it when used by foreign nations and companies. The code-making side wanted any cipher it was certifying for use by Americans to be truly good. The upshot was a bureaucratic compromise. Part of the cipher-the "S-boxes" that performed a substitution-was strengthened. Another part -- the key that varied from one pair of users to another -- was weakened. In this form the government proposed its adoption as the Data Encryption Standard for non-national security messages and files and for interfacing with the private sector.

At once a storm of controversy broke.⁶ Computer scientists and mathematicians clamored that the DES was still too weak. They charged at technical conferences and in the press that NSA had secretly pressured the standards bureau to weaken the cipher so it could solve it more easily. NSA, they contended, had no right unilaterally to decide a question of such importance to so many people. They also said it was possible that IBM and the code agency had built a "trap door" into the cipher that it alone could spring to reach a solution, and argued that lengthening the key was necessary to afford proper protection to personal records. The Bureau replied that the cipher was strong enough and that lengthening the key would increase the cost of encipherment unacceptably. So vociferous did this first national debate on cryptology become that the standards bureau set up two workshops on the DES. These vented some of the criticism but otherwise nothing changed. As of July 15, 1977, the DES became the official government civilian cipher.⁷ Later the Senate intelligence committee staff investigated the matter. It issued a report saying that no one had exercised any improper influence on anyone else and noting that the NSA had recommended the cipher for use by the Federal Reserve Board.

__________

6. See David Kahn, ''Tapping Computers," The New fork Times, April 3, 1976, p. 27.

7. Department of Commerce, National Bureau of Standards, Data Encryption Standard, Federal Information Processing Standards Publication 46, Department of Commerce, National Technical Information Service, January 15, 1977.

For the present, the furor has abated. DES chips are now being manufactured by half a dozen firms, and it is a sign of the new interest in secret communications that the DES bids fair to become what no other cipher ever has been: profitable in sales to business.

The American Banking Association has endorsed it, and it will therefore protect many financial messages in the coming era of electronic funds transfers. (The protection of the security of such transfers is, of course, a matter of grave private concern. But there is also the possibility that hostile elements or terrorists, if they could break into the system, might introduce spurious messages designed to throw the whole financial system into chaos.) But in five or ten years advances in computer technology will so greatly reduce the time needed to crack the DES -- a time now measured in years, even with the fastest computers -- that the cipher will have to be strengthened. The debate will resume. It will again bring into confrontation the needs of national security through codebreaking and those of individual liberties through codemaking.

VI

Another great debate in cryptology continues to simmer. Should free inquiry be allowed in the field, or are its implications for national security so great and so sensitive that research should be controlled by the government?

For a long time this issue did not really exist. The only cryptologists outside NSA, with its squadrons of brilliant dedicated mathematicians and engineers backed by banks of the biggest and fastest computers, were a few hundred hobbyists who solved pencil-and-paper cryptogram puzzles. The spread of computers and of data communications began changing that. Whereas stealing a paper file required physical access to it, stealing data that was stored and transmitted electronically could be done by copying it at a remote terminal. Computer crime, wiretapping and terrorism made this threat real. One defense was encryption, and computer scientists in many firms and universities began studying it; the DES is a product of this interest. Very rapidly the quantity and quality of information on cryptology being circulated outside of government channels exceeded by far what it had ever been before.

The expansion was accelerated by Stanford University scientists' development of public key cryptography, the most revolutionary new concept in the field since polyalphabetic substitution emerged in the Renaissance.⁸ Unlike standard cryptosystems, such as the DES, in which the same key serves both to encrypt a message and to decrypt it, public key cryptography employs one key to encrypt and another to decrypt. The two keys are mathematically related to one another, and each user possesses a pair. He makes one key public. The other he keeps secret. Suppose user A wants to communicate secretly with user B. He looks up B's public key and encrypts his message to B in it. B applies his private key to decrypt the message. Thus anyone can send B a secret message, but only he can read it. This asymmetry can eliminate one of the most vexatious problems in practical cryptography: distributing keys to a correspondent before secret communication can be started with him. And a twist makes possible what has never been possible before with electronic messages: unforgeable signatures.

__________

8 For an excellent discussion of the idea by its inventors, in the context of the best current survey of modern cryptography, with extensive bibliography, see the study by the Stanford scientists, Whitfield Diffie and Martin E. Hellman, "Privacy and Authentication: An Introduction to Cryptography," Proceedings of the IEEE (Institute of Electrical and Electronics Engineers), March 1979, pp. 397-427. The most workable realization of public key cryptography is by Ronald L. Rivest, Adi Shamir, and Leonard Adleman, "On Digital Signatures and Public Key Cryptosystems," Communications of the ACM (Association for Computing Machinery), February 1978, pp 120-26.

The seeming impossibility of these schemes, their boldness, and their elegance have attracted numbers of first-rate mathematicians to cryptology. There is now, for the first time, an informal network of scientists who can do sophisticated mathematical cryptology and who bounce ideas off one another in the way that advances a study rapidly and rationally.

Suddenly the nation is faced with a problem it has never had before -- an information explosion in cryptology. NSA worries that any mention of codebreaking might make other nations change their codes, losing intelligence and forcing the agency to redo much of its work. This happens far less often than the agency likes to think. In 1941, for example, Japan did not change its principal diplomatic cipher despite an unequivocal report that the United States had broken it. Nor did the German navy alter its systems in World War II, despite much suspicion. Several of the countries named by the defectors Martin and Mitchell in 1960 as having had their codes broken by NSA did not change them thereafter. But more cautious nations do replace their cryptosystems upon suspicion of solution, and NSA fears that all the new activity in cryptology may not only dry up the flow of foreign intelligence but also inadvertently expose principles used in American ciphers.

All of this has caused it to ask whether the right of unrestricted inquiry is worth the national security losses. The issue has surfaced in three recent episodes.

One dealt with inventors of cryptographic systems. Dr. George I. Davida, a bright and articulate professor of electrical engineering and computer science at the University of Wisconsin, had applied for a patent for a cipher device using advanced mathematical techniques. The law requires that, if competent government authority deems that disclosure of an invention "would be detrimental to the national security," the Commissioner of Patents "shall withhold the grant of a patent." On the advice of NSA, the commissioner ordered that Davida's invention be kept secret. The university's Milwaukee chancellor protested that the secrecy order had "a chilling effect on academic freedom." The NSA Director argued, on the other hand, that the decision to seek a patent implied a profit motive, not academic freedom. "If the individual had elected to publish in academic journals there would have been no question of a secrecy order," he said. But this dodged the fundamental issue of whether publication of Davida's work would have impaired the government's cryptologic operations.

While this matter was working its way through the government and university bureaucracies, the Commissioner of Patents imposed another secrecy order. This was against a "phaserphone" voice scrambler invented by four West Coast men originally for use with citizen's band radios; it would let CB and telephone users who had it chat without being overheard by others. The four estimated that the device could sell for $100 and could have a large commercial market. The leader, Carl R. Nicolai of Seattle, angrily charged that the secrecy order "appears part of a general plan by the NSA to limit the privacy of the American people. "They've been bugging people's telephones for years and now someone comes along with a device that makes this a little harder to do and they oppose this under the guise of national security." (The 1974-75 investigations revealed that NSA had in fact listened to the conversations of 1,650 Americans and had intercepted millions of private telegrams up to the mid-1970s.) The storm of publicity led to a quick about-face by NSA. It lifted the secrecy orders on both applications. But the agency's vacillation suggested that it had not resolved within itself the issue of freedom versus security that the incidents had raised.

The third episode began when an eccentric NSA employee, J. A. Meyer, wrote on his own a letter to the Institute of Electrical and Electronics Engineers, one of the largest professional societies in the world, which was holding a session on cryptology as part of a symposium in Ithaca, New York. Meyer warned the IEEE that the session and articles on cryptology that it had published might violate the government's International Traffic in Arms Regulations.⁹ These implement the law authorizing the President "to control the import and the export of defense articles and defense services." On the U.S. Munitions List that enumerates these articles, which include guns, ammunition, and warships, are, in Category XIII (b) , "speech scramblers, privacy devices, cryptographic devices," and ancillary equipment.

__________

9. Code of Federal Regulations, Title 22, Chapter I, Subchapter M.

To export a warplane or a cipher machine, the exporter must apply for a license, which the State Department grants or denies after consultation with the Defense Department. (It is easy to evade these controls for cipher devices, some manufacturers note.

They ship the mechanisms to the foreign country's Washington embassy, which then sends them home by diplomatic pouch.) But the regulations also require a license to export "technical data" touching these "implements of war." "Technical data" is defined very broadly. It covers "any unclassified information that can be used. . . in the design, production. . . [or] operation" of any Munitions List items as well as "any technology which advances the state of the art or establishes a new art in an area of significant military applicability." At the same time, the regulations in effect define "export" very broadly. Before publishing something in a periodical with subscribers outside of the country, the writer must seek government approval, the regulations say. They declare that "an export occurs whenever technical data. . . is disclosed to foreign nationals in the United States (including plant visits and participation in briefing and symposia)." This seems to mean that every time someone publishes a paper or gives a talk at a conference on cryptology or on any of the other items on the Munitions List without government approval, he is breaking the law. These regulations seem never to have been tested in court. When Meyer's letter reached the IEEE, officials cravenly urged authors of papers on cryptology to clear them with the government. As a consequence, some of the speakers conferred with their universities' lawyers, and the Massachusetts Institute of Technology suspended distribution of a monograph on public key cryptography. There was a flurry of news stories. But in the end, all the papers were read -- though one tenured professor read papers by two of his graduate students to protect them -- and the mailings resumed.

For a while, many people thought that NSA was behind the Meyer move. But the Senate intelligence committee cleared the agency of this charge. What has not been clarified is the threat of government crippling of research posed by the arms regulations. The present Director of the NSA, Admiral Bobby Inman, a tall, boyish, brown-eyed intelligence specialist, is seeking first to calm the waters. "I am striving," he said, "to open up a dialogue" between the agency and industry and academia. He is doing so by talking to private researchers, giving interviews to the press, making a speech in public.¹⁰ No other Director has ever thus come out officially from behind NSA's triple barbed-wire electrified fence at its Fort Meade, Maryland, headquarters; Admiral Inman says he is doing so out of concern that a bad press might harm recruitment.

__________

10 Before the Armed Forces Communication, and Electronic Association. January 11, 1979 Reprinted in Cryptologia, July 1979, pp. 129-35.

Inman's substantive proposals on cryptologic research flow from his "deep convictions that the national security missions entrusted to the agency are in peril." He is considering imposing restrictions "on domestic dissemination of nongovernmental technical information relating to cryptology," though he would limit this to "a central core of critical cryptologic information that is likely to have a discernible adverse impact on the national security." It is rumored that he is seeking a law for cryptology analogous to the Atomic Energy Act, which places under government control not just government-generated secrets but "all data" concerning atomic weapons and "special nuclear material." Present laws on cryptology deal only with government secrets.

On the export problem, such a law would presumably provide a stronger basis for action than the purely administrative International Traffic in Arms Regulations. And, as a possible step in this direction, NSA is already seeking to have cryptology included among the "critical technologies" whose export would be controlled under a pending House bill introduced by the Administration (H.R. 4034).

But George Davida, his erstwhile opponent in the patent secrecy dispute, sees many problems in this approach. Who can foresee where the critical areas are? Microprocessors -- which put practically an entire computer on a single chip -- may confer greater cryptologic ability on a country than all the seminar papers ever given. Yet they are not cryptologic in themselves. Mathematicians working with no thought of cryptology may find that their work touches upon it directly. Complexity theory, which deals with how hard some problems are to solve, is a current example. "How are you going to clamp down on complexity theory?" Davida asks. "And to turn a complexity theorem into encryption is trivial. If Inman is trying to monitor everything, he'll find it very hard. In universities, where we have to keep up with new developments in computing science for our livelihoods, we find it hard." Nor are the problems confined to the United States. They are as universal as science. Several nations, among them France and West Germany, have passed laws requiring that stored or transmitted personal data be encrypted where necessary.¹¹ Work is under way to create effective protocols. Though cryptologic activity seems not as great among mathematicians and computer scientists abroad as in the United States, interest is growing.

__________

11. See Department of Commerce. Office of Telecommunication, (now the National Telecommunication and Information Administration),. Selected Foreign Data Protection Laws and Bills, Special Publication 78-19, Washington: GPO, 1978.

Individuals and firms who ten years ago would not have given a passing thought to cryptology are now devoting substantial portions of their time to it. The problems of transborder data flows, which some governments are trying to restrict for fear that too much of their national "information capital" may fly to nations powerful in data processing, include encryption; the study committees of industry and government have not yet grappled with them.

Among these questions is the variability of practice among governments in dealing with encrypted information coming into their territories by cable or radio. Some countries impose no restrictions; others require knowing the cryptosystem used.¹² Some countries insist upon this for domestic communications as well.

__________

12. This is permitted by Articles 35 and 41 of the International Telecommunications Convention of November 2, 1965. United States Treaties and Other International Agreements, Vol. 18, part I, Washington: GPO, 1968, pp. 620, 622.

For most nations, the new public awareness of cryptology has not yet become a major concern of their governments. Even in Britain, where the most public work is being done, persons studying cryptology have not gotten the feeling that the government cryptologic agency is trying to discourage the activity. But there seems little doubt that such concerns will eventually emerge.

VII

Davida and Inman, at odds on a number of points, agree on others: cryptology is no longer a government monopoly; the debate is just beginning; it will be political; it will attract many participants. Davida thinks that the question of government regulation in the field is a matter that "each person must decide for himself." Inman says that the question has to be "fully examined by the executive branch, the Congress, and the interested segments of the public." But the examination itself may raise more difficulties than it settles. Is it paradoxical to seek public resolution of a matter that deals in secrets? Will it be done by legislation or executive order or not at all? How can one balance the conflicting demands of national security and individual freedom?

And the problems are almost impossible to predict. Will the experts in the National Security Agency (who are reported to have invented their own type of public key cryptography some years ago), be able to stay a step ahead of the inventors, or will their closed work system eventually be matched (as it may have been in that case) and even surpassed by the open interactive community of bright scientists who refuse the restrictions and nonrecognitions of work in a clandestine agency? Will the study of cryptology become an epidemic that even all the government's resources will be unable to stem?

So cryptology, in 1945 a nation's most closely held secret, has gone public. But not even the procedures or forums for coming to grips with the new problems have been settled on. Their evolving substance will be harder still to resolve.