Book Summary of “Crypto”
Introduction
This is a chapter-by-chapter summary of the book Crypto, in the same format as my other book summaries. Crypto tells a very detailed story of the discovery, struggle, and eventual boom of public cryptography. Many familiar names show up in the book (not just mathematicians and computer scientists, but also politicians, such as President Biden himself, who used to be a leading voice against public crypto and demanded that the government be able to “obtain the plaintext contents of voice, data, and other communications when appropriately authorized by law”), and one of them, Phil Zimmermann, is surprisingly an alumnus of the university I am currently attending. I don’t know why my university, especially the engineering and computer science departments, does not promote him more. Well, actually I think I know why: I guess my university would lose federal contracts and support if it chose to warm up to Mr. Zimmermann.
An important lesson from the book is that the government is not to be trusted. I remember everyone was shocked by Snowden’s leak in 2013. But anyone who had read Crypto, published more than 10 years earlier, would not have been surprised at what the NSA had done. Granted, the government has a tough job balancing transparency about its deeds against using secrecy to protect its people. Yet secrecy begets power, and power begets corruption, stubbornness, and stupidity. I do not deny that the NSA must have played important roles in keeping the U.S.A. safe, but at what price? Put differently, had it conducted its secret deeds differently, or just been more open-minded, it could have achieved the same outcome at lower cost and with more contribution to society. The questionable stance of government is also demonstrated from across the Atlantic, where the same reluctance to evolve was revealed in GCHQ’s treatment of Non-Secret Encryption.
Overall, I highly recommend Crypto. It is an old book, but the history of public crypto is worth knowing, and the lessons about how to fight the government to protect one’s constitutional rights are worth learning (a good example of the government violating the First Amendment is the famously idiosyncratic export law that allowed the export of crypto content in book form but banned the exact same content in digital format). Individual rights are never granted; they are hard fought and won by the efforts of many, many people we will likely never know. We might even have made fun of those cypherpunks and hippies, yet they are the reason why we are not completely monitored by the government at all times (well, times have changed: we are now willingly monitored by corporations, how bizarre!).
Summary — Chapter 1 The Loner
The strong desire to uncover the secrets of cryptography brought Whit and Martin together. If either of them, especially Whit, had not had such a relentless drive to pursue cryptography, luck would not have introduced them to each other.
The book deems the NSA’s decision to hide cryptography research unwise. This is partly true, as closed research stifles innovation and prevents the public from benefiting from cryptography research results. However, opening up can only happen after the NSA has come up with a cryptographic algorithm so advanced that its use would not be compromised by sharing the mechanism underlying the method. Unfortunately, in the 1960s and 70s, the NSA had not reached that advanced level of cryptography yet. Therefore, its obsession with secrecy is understandable, if not laudable.
Summary — Chapter 2 The Standard
Feistel developed Lucifer, a block cipher, initially with a secret key of 128 bits. Tuchman, a product person at IBM, took up the idea and decided to turn it into a real product that could help banks encrypt the withdrawal information sent from outdoor cash machines to indoor mainframes. Tuchman’s effort was noticed by the NSA, which, as a quid pro quo, demanded that Tuchman continue the product development in absolute secrecy and shrink the key size to 56 bits. In return, the NSA agreed to use its expertise to test the strength of Lucifer. The deal worked well for both IBM and the NSA. Yet it caught the attention of Martin Hellman and his friends, who correctly questioned the strength of a secret key of only 56 bits. Then began a series of back-and-forths between Martin and Tuchman over whether a 56-bit secret key was secure enough. Martin questioned why the secret key had shrunk to 56 bits, to which Tuchman responded that it was due to the parity bit requirement in the hardware.
The event escalated as Martin got the media involved with his rather sensational theory, and both IBM and the NSA came under pressure. Eventually, an investigation by the Senate Intelligence Committee concluded that
1. The shrinkage of the secret key was at the NSA’s request, not a hardware parity bit requirement.
2. There was no trapdoor in the Lucifer product that was exploitable by the NSA or any other party.
3. There was nothing wrong with NSA, IBM, and NBS (National Bureau of Standards) setting the standards for secret keys to 56 bits.
In fact, after the standard had been set, there was very little evidence that a 56-bit key could be vulnerable. This was eventually acknowledged by Martin as well: the key worked fine.
As for why the NSA wanted to reduce the key size to 56 bits, there was no clear explanation, but it was quite obvious that the NSA wanted the key to be difficult enough for regular folks and enemies to break, yet feasible for itself to break given its vast computing resources. Setting the key size to 56 bits was the NSA’s hidden way of creating a “trapdoor” that only it could open. However, judging from the actual performance of the 56-bit key, the NSA must have regretted its decision, because the key proved very difficult to break, probably even for the NSA with all its might.
To this, a former deputy director of research and development at the NSA remarked that the IBM team had done “too good a job”.
Summary Chapter 3 — Public Key
What a rollercoaster story. This chapter focuses on the journey Diffie, Hellman, and Merkle took to come up with a solid scheme for an asymmetric crypto system and to get recognition from the mainstream.
It started with Diffie finally having the epiphany of splitting the key into a public-private key pair. Whereas the public key is visible to everyone, a message encrypted with the public key can only be decrypted with the privately held secret key. This asymmetric crypto system is so important because it solves two urgent problems of the coming age of communication over networks.
First, it solves the secure channel problem for two parties who have never met before. Now, party A can share his public key with party B. Party B uses the public key to encrypt the actual symmetric key and sends the encrypted message back to party A. Since the encrypted message can only be decrypted with party A’s private key, it is secure in transmission. Once party A decrypts the symmetric key, parties A and B are the only entities in the world with access to it. They can then start a secure channel for communication based on the symmetric key.
Second, it solves the authentication problem, i.e., verifying that a message was indeed sent by the party who claims to have sent it. The asymmetric crypto system works both ways: a message encrypted with a public key can only be decrypted with the associated private key, and at the same time a message encrypted with a private key can only be decrypted with the associated public key. So to verify party A’s identity in a message, we only need to ask party A to encrypt the message with his private key. The receiver can then use party A’s public key to decrypt it. If the message decrypts correctly, it must have been encrypted with party A’s private key, which verifies that party A is indeed the sender. If the decrypted message is gibberish, either party A is not the sender or a third party has meddled with the message.
Another important part of the story is Merkle entering the picture. He was just a graduate student when he came up with his puzzle-based asymmetric crypto system. His idea was that party A would send party B tons of puzzles; these are like the public key. Party B would choose one of the puzzles to solve and, upon solving it, acquire the symmetric key and an indicator of the puzzle. Party B then sends the indicator back to party A, who can match the indicator to the puzzle and pull out its symmetric key. Then both parties have access to the same symmetric key.
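To make Merkle’s puzzle exchange concrete, here is a small Python illustration I added; it is not code from the book. Everything in it is constructed: each puzzle is locked with a 12-bit key, party A sends 64 puzzles, and the “cipher” is a toy SHA-256 keystream rather than a real one. The point it shows is the one the chapter makes: party B solves one puzzle, while an eavesdropper who sees every puzzle and the returned indicator has to keep solving puzzles until the right one turns up, so the eavesdropper’s cost grows only linearly with the number of puzzles.

```python
import hashlib
import random
import struct

# Added illustration of Merkle's puzzle exchange; not code from the book.
# All sizes are constructed and kept tiny so the example runs in well under a
# second. The "cipher" is a toy SHA-256 keystream, not a real cipher.
PUZZLE_KEY_BITS = 12        # each puzzle is locked with a 12-bit key (brute-forceable)
N_PUZZLES = 64              # party A sends this many puzzles
MAGIC = b"PUZZLE"           # marker so a solver can tell a correct guess from garbage


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR data with a keystream derived from the key (toy; XOR is its own inverse)."""
    stream = hashlib.sha256(b"merkle-puzzle:" + key).digest()
    return bytes(d ^ stream[i % len(stream)] for i, d in enumerate(data))


def make_puzzles(rng: random.Random):
    """Party A builds the puzzles. Each hides (index, session key) under a weak key.
    Returns (puzzles sent publicly, private table index -> session key)."""
    puzzles, table = [], {}
    for idx in range(N_PUZZLES):
        session_key = rng.getrandbits(128).to_bytes(16, "big")
        puzzle_key = rng.getrandbits(PUZZLE_KEY_BITS).to_bytes(2, "big")
        plaintext = MAGIC + struct.pack(">H", idx) + session_key
        puzzles.append(toy_cipher(puzzle_key, plaintext))
        table[idx] = session_key
    rng.shuffle(puzzles)        # the order must not leak the index
    return puzzles, table


def solve_puzzle(puzzle: bytes):
    """Brute-force one puzzle. Returns (index, session_key, keys_tried)."""
    for k in range(1 << PUZZLE_KEY_BITS):
        candidate = toy_cipher(k.to_bytes(2, "big"), puzzle)
        if candidate.startswith(MAGIC):
            (idx,) = struct.unpack(">H", candidate[6:8])
            return idx, candidate[8:], k + 1
    raise ValueError("no key opened this puzzle")


def exchange(seed: int = 1):
    """Run one exchange. Returns (keys_agree, work_B, work_eavesdropper), work in key trials."""
    rng = random.Random(seed)
    puzzles, table_a = make_puzzles(rng)
    # Party B picks one puzzle at random and solves only that one.
    idx, key_b, work_b = solve_puzzle(rng.choice(puzzles))
    # B sends idx in the clear; A looks the session key up in its private table.
    key_a = table_a[idx]
    # An eavesdropper sees every puzzle and idx, but has to keep solving puzzles
    # until the one carrying idx turns up: on average half of them, so the cost
    # grows only linearly with N (the O(N) weakness the book points out).
    work_eve = 0
    for p in puzzles:
        i, _, w = solve_puzzle(p)
        work_eve += w
        if i == idx:
            break
    return key_a == key_b, work_b, work_eve


if __name__ == "__main__":
    agree, wb, we = exchange()
    print(f"keys agree: {agree}; B tried {wb} keys, eavesdropper tried {we}")
```

Run it with a few different seeds and the eavesdropper’s count hovers around half of 64 times 4096 while B’s stays around 2048: doubling the number of puzzles only doubles the gap, which is why the next paragraph has Merkle looking for a problem whose cost grows exponentially instead.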
Merkle was not taken seriously because he had nobody to back him up: his discovery was so novel that there was no publication for him to cite. He found Diffie and Hellman’s work, and was able to lean on those two to get his message across.
The chapter then moved on to the actual implementation of the asymmetric crypto system. Donald Knuth suggested using prime multiplication as the one-way function (i.e., a puzzle that is easy for the party with the secret key to solve but very difficult for a third party to tackle). It is far easier to multiply prime numbers than to factor a giant number into its prime factors. However, this is not the path Diffie and Hellman took. They used discrete exponentiation, a mathematical manipulation of numbers via taking exponents. While taking exponents is easy, the reverse procedure, the discrete logarithm, is very difficult. They came up with a scheme that uses discrete exponentiation so that two parties obtain the same symmetric key just by exchanging public keys and messages encrypted with their own private keys.
Merkle’s original puzzle idea was not strong enough, because the only thing his system could do to make an eavesdropper’s work harder was to add more puzzles. That was an O(N) task. He needed an O(2^N) task to deter eavesdroppers. His solution was the knapsack problem. The hardest knapsack problem is NP-hard, basically unsolvable at scale. But a dumbed-down version of knapsack, for instance with the given weights arranged in a certain way, is easily solvable. So his scheme goes like this: party A prepares a clue for a dumbed-down knapsack. That clue is the secret key. Then party A reshuffles the problem into the really hard knapsack. This is the public key. Since the really hard knapsack problem cannot be solved easily, it can be shared without fear that the initial clue could be discovered. When party B receives the really hard knapsack problem, he uses it to encrypt his message. When party A receives the encrypted message, it uses the initial clue to solve the knapsack problem easily and decrypt the message.
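Two added Python illustrations of the ideas in the last two paragraphs follow; neither is code from the book. The first is Diffie and Hellman’s discrete-exponentiation exchange: the prime (2^31 - 1) and generator (7) are constructed for readability, and a tiny second prime (1019) is used to show that in a small group the “hard direction” is not hard at all, which is exactly why real parameters are thousands of bits long. The second is the knapsack scheme as the paragraph describes it: a superincreasing weight list is the secret clue, a modular multiplication “reshuffles” it into the public knapsack, and the private holder decrypts greedily. Chapter 5 of the book records that this scheme was broken, so it is here only to make the structure concrete.

```python
import random
from math import gcd

# ---- Diffie-Hellman over discrete exponentiation (added illustration) -------
P = 2**31 - 1    # constructed: the Mersenne prime 2^31 - 1; real groups are far larger
G = 7            # constructed generator choice


def dh_keypair(rng: random.Random, p: int = P, g: int = G):
    """Private exponent x and public value g^x mod p: the easy direction."""
    x = rng.randrange(2, p - 1)
    return x, pow(g, x, p)


def dh_shared(my_private: int, their_public: int, p: int = P) -> int:
    """(g^y)^x mod p; both sides reach g^(xy) without ever sending x or y."""
    return pow(their_public, my_private, p)


def dh_agree(seed: int = 42, p: int = P, g: int = G):
    """Returns (alice_secret, bob_secret, A, B); only A and B cross the wire."""
    rng = random.Random(seed)
    a, A = dh_keypair(rng, p, g)
    b, B = dh_keypair(rng, p, g)
    return dh_shared(a, B, p), dh_shared(b, A, p), A, B


def discrete_log_by_trial(target: int, p: int, g: int, limit: int):
    """The reverse direction, done the only generic way: try exponents in turn.
    Returns (exponent, tries) or (None, limit)."""
    acc = 1
    for x in range(limit):
        if acc == target:
            return x, x + 1
        acc = acc * g % p
    return None, limit


def dh_small_group_demo(seed: int = 3):
    """In a constructed 10-bit group (p = 1019) trial exponentiation recovers an
    exponent equivalent to Alice's and hence the secret; for P the same loop
    would need billions of steps, and at real sizes it is infeasible."""
    p, g = 1019, 2
    s_alice, s_bob, A, B = dh_agree(seed, p, g)
    x, tries = discrete_log_by_trial(A, p, g, p)
    return s_alice == s_bob, x is not None and pow(B, x, p) == s_alice, tries


# ---- Merkle-Hellman knapsack, as described in the paragraph above -----------
def knap_private_key(rng: random.Random, n: int = 8):
    """The 'clue': superincreasing weights (each exceeds the sum of all earlier
    ones), a modulus q above the total, and a multiplier r coprime to q."""
    weights, total = [], 0
    for _ in range(n):
        w = rng.randrange(total + 1, 2 * total + 2)
        weights.append(w)
        total += w
    q = rng.randrange(total + 1, 2 * total + 1)
    r = rng.randrange(2, q)
    while gcd(r, q) != 1:
        r = rng.randrange(2, q)
    return weights, q, r


def knap_public_key(private):
    """Reshuffle the easy weights into a general-looking knapsack."""
    weights, q, r = private
    return [(r * w) % q for w in weights]


def knap_encrypt_byte(public, byte: int) -> int:
    """Ciphertext = sum of the public weights selected by the message bits (MSB first)."""
    bits = [(byte >> (7 - i)) & 1 for i in range(8)]
    return sum(b * w for b, w in zip(bits, public))


def knap_decrypt_byte(private, ciphertext: int) -> int:
    """Undo the multiplier, then solve the superincreasing knapsack greedily."""
    weights, q, r = private
    c = (ciphertext * pow(r, -1, q)) % q
    bits = []
    for w in reversed(weights):            # largest weight first
        bits.append(1 if c >= w else 0)
        if c >= w:
            c -= w
    if c != 0:
        raise ValueError("ciphertext is not a valid knapsack sum")
    bits.reverse()
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def knap_roundtrip(message: bytes, seed: int = 5) -> bytes:
    """Key generation, byte-wise encryption under the public key, decryption with the clue."""
    rng = random.Random(seed)
    private = knap_private_key(rng)
    public = knap_public_key(private)
    return bytes(knap_decrypt_byte(private, knap_encrypt_byte(public, b)) for b in message)
```

With eight weights the “hard” public knapsack is of course trivially small; the scheme’s whole bet was that at hundreds of weights the public instance would be a general subset-sum problem while the private holder kept the superincreasing shortcut.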
I am pretty sure that in the next few chapters, other schemes will be introduced that work with asymmetric crypto.
Finally, and most important of all, Diffie and Hellman published their work openly for everyone to share in November 1976. This is the opposite of what the NSA would have done, but it has benefited humanity tremendously.
Summary Chapter 4 — Prime Time
What a story so far! Everything began with a deficiency in the Diffie-Hellman algorithm, which only provided a scheme to agree on a symmetric key, not document signing. The latter requires a public key crypto scheme that allows the document itself to be encrypted with either the public or the private key, and decrypted only with its counterpart. This was eventually resolved by three outsiders to crypto research: Ron Rivest, Adi Shamir, and Len Adleman. Rivest, with the help of the others, came up with the idea of using the factoring of a product of large prime numbers as the one-way function, i.e., it is easy to compute the product given two large primes, but ridiculously difficult to factor out the two large primes given only the product. This scheme, later dubbed the RSA scheme, is able to encrypt and decrypt messages in both directions: encrypted with a public key and decrypted with a private key (secure communication), or encrypted with a private key and decrypted with a public key (e-signature).
The RSA paper came out in April 1977 and immediately attracted a lot of attention from the public. Also paying attention was the NSA, which spared no effort to hinder the progress of public research into crypto. The main tactic used by the NSA was threatening researchers that by publishing crypto research in journals or presenting the topic at conferences, they breached the International Traffic in Arms Regulations (ITAR) and would face jail time. This, however, was not true, and was rejected by judges as unconstitutional (a violation of freedom of speech). Other tactics included stifling NSF funding for crypto-related research and placing crypto-related patents under secrecy orders such that the inventor no longer had rights to the patent. However, none of these tactics worked. The researchers back then had strong backbones (the IEEE, not so much, as it tried to shift the blame for the NSA’s threats from itself onto the individual researchers) and didn’t back down in the face of intimidation. And the other shenanigans cooked up by the NSA were all neutralized when the victims went public against them.
The then director (dictator) of the NSA, Bobby Inman, tried various other methods to strike a compromise with the academics, with little progress. In his mind, crypto research had to be monopolized by the NSA so that this dangerous weapon wouldn’t leak to foreign foes and so that it would be a lot easier for the NSA to provide intelligence. From his perspective, if everyone started using the RSA scheme to encrypt communication, there would be no way for the NSA to extract anything even if it eavesdropped on all communication. However, his view was apparently very backwards. Stifling scientific research could not benefit Americans, or humanity, even if it seemed to make the NSA’s work easier. The ultimate goal of the NSA, which is to protect the USA from foreign attacks, should NOT be based on handicapping American crypto research. The NSA seemed so arrogant that it forgot other countries could have invented an RSA-esque scheme themselves. Being secretive and Big Brother-like is never going to move society forward, no matter how “noble” the cause.
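The two uses of RSA that Chapters 3 and 4 describe, key transport under the public key and signing under the private key, as an added textbook-RSA illustration in Python (not code from the book). The primes are the Mersenne primes 2^61 - 1 and 2^89 - 1, a constructed choice that keeps the numbers readable while still leaving room for a 128-bit session key; real keys use random primes of 1024 bits or more, and real systems never apply the bare operation to a message without padding. The signature side hashes the message first so the “encrypt with the private key” step works on a fixed-size digest.

```python
import hashlib
import random

# Added textbook-RSA illustration; not code from the book. Primes are constructed
# (Mersenne primes 2^61-1 and 2^89-1), far too small for real use.
P = 2**61 - 1
Q = 2**89 - 1


def generate_keypair(p: int = P, q: int = Q, e: int = 65537):
    """Public key (n, e) can be handed to anyone; private key (n, d) stays home.
    d is the inverse of e modulo (p-1)(q-1), so (m^e)^d = m mod n."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


# Use 1 (secure channel): party B encrypts a symmetric key under A's public key.
def encrypt(public, m: int) -> int:
    n, e = public
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def decrypt(private, c: int) -> int:
    n, d = private
    return pow(c, d, n)


# Use 2 (authentication): party A applies the private key to a digest of the
# message; anyone holding A's public key can undo that and compare digests.
def sign(private, message: bytes) -> int:
    n, d = private
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(digest, d, n)


def verify(public, message: bytes, signature: int) -> bool:
    n, e = public
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == digest


def session_key_transport(seed: int = 11) -> bool:
    """B picks a 128-bit symmetric key, encrypts it to A; A recovers the same key."""
    public_a, private_a = generate_keypair()
    key_b = random.Random(seed).getrandbits(128)   # constructed session key
    return decrypt(private_a, encrypt(public_a, key_b)) == key_b


def signature_demo():
    """Returns (genuine signature verifies, tampered message fails, wrong key fails)."""
    public_a, private_a = generate_keypair()
    public_other, _ = generate_keypair(p=2**127 - 1, q=2**107 - 1)   # another constructed pair
    msg = b"constructed sample message"
    sig = sign(private_a, msg)
    return (verify(public_a, msg, sig),
            verify(public_a, msg + b"!", sig),
            verify(public_other, msg, sig))
```

Note that the same pair of functions serves both directions: only which key goes in changes, which is the property the text calls “works both ways” and the reason a signature-only scheme such as DSA (Chapter 6) is a deliberate subset of this.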
At the end of the chapter, it was hinted that Inman and his NSA hadn’t conceded defeat yet. He wanted to revisit the exportation requirement to again restrict crypto research in the public domain. This, of course, will be discussed in future chapters.
Summary Chapter 5 — Selling Crypto
David Chaum set up the start of the organization of independent cryptographic researchers in 1981.
Crypto ’82 was a bigger event than the year before, thanks to Chaum’s work. A session on cryptanalysis, though highly anticipated, initially did not attract enough presentations, due to the concern that the NSA would not be happy about codebreaking being discussed outside its facilities. However, the situation was rescued by Adi Shamir, who found a way to break the weaker version of the knapsack scheme. This breakthrough led to many more presentations for the cryptanalysis session, all focused on attacks on knapsack schemes.
During the conference, Adleman accepted the challenge to break the knapsack scheme originally proposed by Merkle, using his own method on his Apple II computer. And he succeeded! This was a blow to the weaker version of the knapsack scheme, which was expected even by Merkle himself. Merkle did have confidence in the real multiple-iteration knapsack and even offered it as a challenge in the Times magazine. Yet a 40-iteration knapsack was broken two years later by Ernie Brickell of Sandia National Laboratory leveraging a government supercomputer. In a word, the knapsack scheme no longer works.
The commercial prospects of selling crypto products, such as software that generates public-private key pairs or signs documents, were unclear after the initial boom of crypto. A few algorithms, including RSA, were patented, yet this essentially went against the aim of popularizing the algorithms. Democratizing the crypto algorithms is the best way to achieve high adoption, which then drives a positive feedback loop pushing more people to use the same algorithms. Patenting discourages wide adoption, thus preventing the network effect from taking hold.
The more feasible commercialization of the RSA algorithm was to put it on a chip and let the chip handle all the crypto work. To facilitate the work, Ron Rivest even wrote chip simulation software, which the trio believed had as much value as, if not more than, the RSA algorithm itself. Unfortunately, the first chip didn’t work, despite the simulation working perfectly. This was because the complexity of the algorithm required such long connecting wires that there was crosstalk among them. Such crosstalk could flip bits on some wires, causing errors in the algorithm. That said, the trio were confident that a better chip design could resolve the issue, because after all, the simulation worked well.
Rivest, Shamir, and Adleman founded RSA Data Security, Inc. in 1983, with no product, no customer, and no market.
They found help in Ted Izen, who was more experienced in the business world. MIT also agreed to license the RSA algorithm exclusively to RSA Data Security for a hefty $150K. Ted connected the trio to Jack Kelly, who invested $225K in the company, which helped it pay for the exclusive patent deal with MIT and start operating more like a real business.
However, the business wasn’t going anywhere, partly because the trio, mostly Rivest and Adleman as Shamir had gone back to Israel, only developed the product in their spare time, and partly because the manager they hired was not fully aware of how tech start-ups work. They did, however, hire a great salesman, Bart O’Brien, who, via a random call, connected them to another supersalesman, Jim Bidzos (sounds like an alter ego of Jeff Bezos), who saved the company from collapsing.
The company was in complete collapse mode when Bidzos decided to take over. The trio had no experience or knowledge of running a company. They had taken large investments but had no product to sell. Debt was piling up. And in the thick of it, Adleman decided to call it quits. This was not surprising, as he was only truly interested in theoretical math, not business. For whatever reason, Bidzos decided to take on the responsibility of getting the company out of hot water.
The true big savior of RSA Data Security was Iris Associates, created and run by Ray Ozzie. He had a piece of software called Notes which allowed many users to collaborate. He needed a good encryption algorithm to ensure that users could communicate with each other securely, and he definitely had a lot of interest in using RSA. The initial negotiation between Ozzie on one side and Rivest and Bart O’Brien on the other went nowhere, because the latter were asking for way too much money. The stalemate broke when Bidzos took over the negotiation. His aggressive approach and much more reasonable pricing led to a deal which gave the company some breathing room.
After Lotus signed on (Lotus was the parent company of Iris Associates), other big names slowly fell in line. While RSA Data Security had other products available, such as Mailsafe, Jim Bidzos knew that the key to the business’s success was licensing the RSA algorithm, such that public key crypto was baked into the very fabric of big players’ products that reached millions of users. He only needed to charge the big players very little per user, and the company would be profitable. This strategy worked, and was an early manifestation of the network effect.
Bidzos won the trust of the trio. Diffie was also happy with the stock given to him. Hellman was salty, because his own venture into business didn’t go anywhere, and he also refused the stock offered by Bidzos. Bidzos not only saved RSA Data Security, but also made it a successful business. And now it finally attracted the NSA’s attention.
Summary Chapter 6 — Patents and Keys
When Ray Ozzie tried to obtain permission to export the crypto technology in his Notes program, he met tremendous resistance from the NSA, which had banned the export of DES (Data Encryption Standard).
Fortunately, the NSA eventually compromised and allowed Lotus to export Notes with encryption done using a 32-bit key. This is a ridiculously short key, one that commercial personal PCs could crack in weeks, if not months. Yet the NSA had a mandate on the key size. It is obvious what the NSA was trying to do: weaken Lotus’s cipher as much as possible so that it could decrypt any secure conversation on Notes. The NSA kept demanding that Notes reduce the security level of the overseas product, which Ozzie reluctantly complied with.
Although the NSA was always working against the crypto researchers, it did seem to help Shamir when his research on the “threshold scheme” (split the secret key into multiple parts; the secret can be revealed when all the distributed parts are combined, OR a predefined subset of them) and “zero-knowledge proofs of identity” (a person can prove that he knows a piece of information without ever divulging the information itself) got snubbed by the U.S. Army when he applied for a patent. The NSA helped lift the ban on Shamir’s research, most likely because it did not want to scare crypto researchers away from submitting their new research to the NSA for pre-screening. Pre-screening allowed the NSA to get a general idea of the progress in the crypto field and update its knowledge. If the government appeared too hostile to the crypto researchers, no one would submit his paper for NSA pre-screening any more.
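Shamir’s threshold scheme from the parenthetical above, as an added Python illustration that is not code from the book. The secret becomes the constant term of a random polynomial of degree k - 1 over a prime field (the Mersenne prime 2^127 - 1 is a constructed choice big enough to hold a 128-bit secret), each of the n parties gets one point on the curve, and any k points pin the polynomial down by Lagrange interpolation while k - 1 points are consistent with every possible secret. The demo checks both halves of that claim over all subsets of a 3-of-5 split.

```python
import random
from itertools import combinations

# Added illustration of Shamir's (k, n) threshold scheme; not code from the book.
# Field arithmetic is mod the Mersenne prime 2^127 - 1 (constructed choice).
PRIME = 2**127 - 1


def split_secret(secret: int, k: int, n: int, rng: random.Random, p: int = PRIME):
    """Hide `secret` as the constant term of a random degree-(k-1) polynomial and
    hand out n points on it. Any k points fix the polynomial; k-1 reveal nothing."""
    assert 0 <= secret < p and 1 <= k <= n < p
    coeffs = [secret] + [rng.randrange(p) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation of the polynomial at x
            y = (y * x + c) % p
        shares.append((x, y))
    return shares


def recover_secret(shares, p: int = PRIME) -> int:
    """Lagrange interpolation at x = 0 using exactly the shares supplied."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        secret = (secret + yi * num * pow(den, -1, p)) % p
    return secret


def threshold_demo(secret: int = 0xDEADBEEFCAFEBABE, k: int = 3, n: int = 5, seed: int = 2):
    """Returns (every k-subset recovers the secret, no (k-1)-subset does)."""
    rng = random.Random(seed)                       # constructed sample split
    shares = split_secret(secret, k, n, rng)
    all_k = all(recover_secret(list(s)) == secret for s in combinations(shares, k))
    none_fewer = all(recover_secret(list(s)) != secret for s in combinations(shares, k - 1))
    return all_k, none_fewer
```

Setting k equal to n gives the “all parts combined” case of the parenthetical; any smaller k gives the “predefined subset” case, which is what makes the scheme useful for key escrow and backup without any single holder being able to act alone.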
NSA prepublication screening came to an end with a quite ground-breaking paper by Ralph Merkle about speeding up crypto computation. The NSA initially banned the publication of this paper, yet one of its outside reviewers, appalled by the NSA’s decision, slipped the paper to tech millionaire John Gilmore, who then posted it on the nascent Internet. Immediately, Merkle’s paper was distributed to thousands of crypto researchers and enthusiasts. This rendered the NSA prepublication screening process obsolete.
In addition to dealing with a difficult NSA, Jim Bidzos also had competition from a company called Cylink, founded by Jim Omura and Lew Morris, which used the Diffie-Hellman key exchange algorithm to generate public keys, and then used DES to encrypt the internal communication data of government contractors. Since these contractors already had clearance to use DES, Cylink didn’t encounter the many issues Bidzos faced when he tried to put public key crypto in the hands of every person.
Although Cylink initially was not in direct competition with RSA (since they targeted different customers), they eventually did come into business conflict, mainly over the ownership of patents. Cylink licensed the Diffie-Hellman patent from Stanford, while RSA controlled the RSA patent from MIT. The Diffie-Hellman patent only covered the public key crypto concept, whereas the RSA patent provided a working crypto system. Cylink hoped that Stanford would give it full rights to sublicense the Diffie-Hellman patent to other parties, yet an agreement between Stanford and MIT allowed MIT to sublicense all of the Diffie-Hellman patent. MIT then transferred the sublicensing right for the Diffie-Hellman patent to RSA Data Security, which made RSA the sole licensor of both the RSA patent and the Diffie-Hellman patent. This put Cylink at a disadvantage, as RSA had the rights to sublicense two patents, whereas Cylink could only sublicense one. Consequently, Cylink heavily promoted the Diffie-Hellman patent and claimed that one could do everything the RSA patent was capable of relying only on the Diffie-Hellman patent. Such promotion became a tough pill for RSA to swallow, since it didn’t want a strong competitor such as Cylink damaging its already struggling business selling RSA. The two companies finally came to an agreement that fighting each other was bad for the crypto business in the long run. The best interest of both was to join the two patents together and create a single crypto standard. This proposal by Bidzos was welcomed by Stanford. The two patents were combined into a single patent in late 1989 and early 1990, owned by a new entity, Public Key Partners (PKP), co-controlled by Cylink and RSA. RSA negotiated a 55–45 revenue split with Cylink.
The first joint venture of PKP was to send a letter to NIST to establish the standard for public key crypto. PKP wanted to do digital signatures first. Bidzos convinced the Cylink people that they should use RSA for signatures, despite the latter advocating for a Diffie-Hellman-based approach. Bidzos said that the Diffie-Hellman approach would be used for key management. They sent the letter to NIST merely two weeks after PKP was established. However, NIST (i.e., the government) had its own ideas about digital signatures.
Meanwhile, Bidzos was finally approaching a big deal with Microsoft, providing cryptography support for Microsoft’s popular software. This deal was led by Myhrvold on the Microsoft side. However, the NSA didn’t want a private company setting up a shield on tens of thousands of Microsoft machines. Thus, it approached Microsoft and threw a lot of shade on RSA, hinting that the algorithm had already been cracked by the agency. Bidzos was able to convince Myhrvold (or rather Myhrvold convinced himself) that RSA was sound and the NSA was full of bullcrap. According to Myhrvold, why would the NSA actively try to block RSA from being used in Microsoft products if the algorithm was easy for the NSA to break? The deal eventually came to fruition, despite additional obstacles from the NSA. Bidzos claimed that he made an NSA official recant the statement made against RSA to Microsoft. He also got Bill Gates to be present for the deal signing and actually sign the deal. On the other hand, Myhrvold leveraged Bill Gates’ presence to squeeze a few more favorable items out of the deal.
The endeavor by PKP to make RSA the NIST standard for document signing had a good beginning but then stalled, because the NSA proposed its own standard for document signatures. The NSA’s version was similar to RSA for signing a document, but it could not be used for encryption (recall that RSA can do both signatures and encryption: a signature uses the private key to encrypt and the public key to verify that the document was prepared by the private key owner, while encryption uses the public key to encrypt and the private key to decrypt the message). This was of course by design, as the NSA did not want anything encrypted beyond its own capabilities for decryption.
In theory, the NSA’s signature standard, DSA, was inferior to that of RSA, since it cannot perform encryption. But DSA has one big advantage over RSA: it is free. NSA claimed that DSA did not infringe on any existing patents. This made Bidzos worried. Despite disagreeing with NSA’s claim, Bidzos knew that it would be difficult to claim that DSA infringed on their patent. Fortunately, a German cryptographer, Claus Schnorr, claimed that DSA infringed on his patent. Bidzos took advantage of this and used his charm to convince Schnorr to add his patent to that of PKP. Thus, Bidzos would be able to represent Schnorr and argue that DSA infringed on Schnorr’s part of the PKP’s patent.
The decision by NIST to follow the NSA’s lead in rolling out DSA as the digital signature standard speaks loudly about the unusually close relationship between NIST and the NSA. Originally, the NSA was in charge of all cryptography standards, but the agency’s terrible behavior in violating privacy made Congress pass a law (led by Jack Brooks, the nemesis of the NSA) transferring the power to standardize cryptography to NIST, a civilian organization. The hope was that by kicking the NSA out of the loop, the cryptography standards wouldn’t be compromised. However, NIST didn’t want the role. Instead, it eagerly sought advice from the NSA. On paper, NIST was the driver of cryptography standards, but in reality it followed the NSA’s every step.
The disappointing stance of NIST didn’t escape public criticism. Eventually, the government caved under public pressure and agreed to strike a deal with Bidzos regarding the patent fight: the government would pay PKP one dollar per customer in return for Bidzos’s company using DSA as the digital signature standard. This was clearly the government’s way of buying Bidzos’s silence. It was clearly not helping the crypto community, as the deal would force Bidzos to use DSA instead of RSA for digital signatures. However, Bidzos took the deal because it directly helped his company’s bottom line. In this sense, Bidzos prioritized his company over the well-being of the future of cryptography. I wouldn’t blame him for the decision, but it surely was disappointing.
Unfortunately, the deal between NIST and Bidzos drew highly negative public comments, mainly because by paying PKP patent royalties, NIST essentially abandoned the idea that digital signatures should be freely accessible to the general public. The public pressure, both domestic and international, was so huge that NIST had to walk back the deal, and it later doubled down on a second version of DSA as the officially recognized digital signature standard. Although the second DSA was stronger than the first (1024 vs. 512 bits), it was still criticized because it ignored the standards already adopted by major players in the computer industry (e.g., Microsoft, Apple, IBM, etc.). The fact that it was cooked up secretly by the government did not help its case at all.
Summary Chapter 7 — Crypto Anarchy
Phil Zimmermann (FAU alumnus!) had the desire to implement RSA on a low-cost computer, but didn’t push through due to the difficulty of writing some of the arithmetic routines on the low-cost machine. Charlie Merritt, on the other hand, created a company that sold public key programs written for low-cost machines such as the Z-80 computer, the same one Zimmermann had originally wanted to try RSA on. Merritt’s company wasn’t doing very well, and pressure from the NSA forcing him NOT to sell public key programs overseas cut off his main source of clients. He had to find buyers domestically, and that was how he found Zimmermann.
Zimmermann was in the perfect place to hear the news that Merritt had been able to implement RSA on a low-cost computer, something he hadn’t been able to do in the past. And with a rich experience of being anti-government, distrusting Big Brother, and having been arrested himself during protests, Zimmermann was more than enthusiastic to delve into RSA again so that he could offer a solution to evade eavesdropping by the government. His target was email. He wanted to encrypt email, the ever more important and widespread means of communication, which nonetheless had a horrifically low level of security: anyone could intercept an email and read it.
Zimmermann met Bidzos, along with Merritt, in 1986, as a third wheel in a business meeting between the other two. By that time, RSA Data Security already had a product called Mailsafe, written by Rivest and Adleman, that offered the same features Zimmermann had envisioned. But Zimmermann was unfazed, and decided to push forward with his plan. He claimed that Bidzos was impressed and granted him a free license to use RSA technology, which Bidzos vociferously denied.
Zimmermann developed his own cipher to circumvent DES and the patent-protected ones from RSA Data Security. The cipher he used was based on the one developed by Merritt for the Navy, but with his own twist to make the scrambling even more unrecoverable.
After many years of development, commitment, and perseverance, Zimmermann finally created his RSA implementation for securing email. He called it “Pretty Good Privacy”, now commonly known as PGP. Interestingly, Zimmermann hadn’t obtained a license from RSA Data Security for the RSA algo. He contacted Bidzos when PGP was about done and asked for permission to use RSA. Of course Bidzos rejected him, but being unaware of how the real business world worked, Zimmermann brushed the rejection aside and kept working on PGP as usual.
Biden (yes, the 47th president of the United States, that Biden) created the anti-terrorism Senate Bill 266, which clearly stated that any electronic communication must allow law enforcement to extract the plain text and other info if deemed necessary. This would basically make all encryption illegal once implemented. So now Zimmermann had a real deadline: he had to finish PGP before S. 266 went into effect. Since time was short and PGP mattered so much for privacy protection in light of the impending S. 266, Zimmermann decided to make PGP freeware.
Zimmermann found another crypto enthusiast, Kelly Goen, who had lots of will and some connections, to upload PGP to the nascent Internet. Very quickly, PGP was downloaded by not only people in the US, but also outside the US. Zimmermann’s dream of spreading PGP as widely as possible before S. 266 hit the ground came true.
Despite the shortcomings in PGP, Zimmermann was very proud of it, as it was the very first commercially viable product using RSA that became available to regular folks. This, of course, angered Bidzos tremendously. He put Zimmermann on legal notice, but the two struck a deal which prevented Zimmermann from distributing PGP anymore. Yet, the two sides had different interpretations of this deal. Zimmermann thought the deal meant that he could no longer distribute PGP, but he could still be involved; whereas Bidzos wanted Zimmermann to completely kill PGP.
At a crypto conference, Zimmermann quickly realized that the current version of PGP (PGP 1.0) had a lot of flaws and was not robust at all. To make PGP really powerful, he needed help from real mathematicians and cryptographers to create PGP 2.0. Fortunately, it was not a difficult task to recruit help as PGP had been popular among the crypto enthusiasts. Zimmermann became the chief designer of PGP 2.0, but hid behind the scenes so that he wouldn’t openly violate the agreement with Bidzos.
A few things changed in PGP 2.0. One was the adoption of the International Data Encryption Algorithm (IDEA) as the cipher; IDEA is stronger than DES. Another key change was the mechanism to verify that a public key indeed comes from the person who claims to own it. PGP 1.0 did not have this check and was thus vulnerable to man-in-the-middle attacks. Although Zimmermann did not have the money or capability to establish a central certificate authority to verify all public keys, he did come up with the idea that any third party trusted by the PGP community could verify (i.e. sign) the authenticity of any public key. This creates a web of trust: A signs a key for B, who signs a key for C, who signs a key for D. So if I want to verify whether the key from D is legitimate, and I happen to know A, I can verify D’s key by following the web of trust from A to D (since I know A, I have high confidence that A’s public key is real; I use A’s public key to verify that B’s public key is genuine, then B’s public key to verify C’s, and eventually C’s public key to verify D’s), even though I do not know B, C, or D.
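The chain of key signatures just described, as an added example of mine (not code from the book or from PGP): textbook RSA over SHA-256 with small constructed primes stands in for PGP’s real keys, and the users A, B, C, D and the impostor Mallory are constructed. D’s key is accepted only when every hop from A is signed by a key already established; it also shows what PGP 1.0 lacked, since a swapped-in key with no certificate, or a certificate signed by the wrong key, is rejected.

```python
# Added example: a toy PGP-style web of trust. Textbook RSA with small constructed
# primes keeps it self-contained; real PGP uses large keys and padded signatures.
import hashlib

def make_key(p, q, e=65537):
    """Return ((n, e), (n, d)) from two constructed primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def digest(data: bytes, n: int) -> int:
    # SHA-256 of the data, reduced so the toy modulus can sign it.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(digest(data, n), d, n)

def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

def key_record(owner: str, pub) -> bytes:
    # The (owner, public key) binding that a certifier signs.
    return f"{owner}|{pub[0]}|{pub[1]}".encode()

# Constructed key pairs for four PGP users and an impostor.
KEYS = {
    "A": make_key(104729, 1299709),
    "B": make_key(15485863, 32452843),
    "C": make_key(49979687, 67867967),
    "D": make_key(86028121, 104395301),
    "Mallory": make_key(122949823, 141650939),
}
PUB = {name: pair[0] for name, pair in KEYS.items()}

def certify(signer: str, owner: str, pub):
    """signer attests that pub belongs to owner: a PGP-style key signature."""
    return (signer, owner, pub, sign(KEYS[signer][1], key_record(owner, pub)))

def key_is_trusted(trusted: str, certs, owner: str, claimed_pub) -> bool:
    """Walk a chain of certificates outward from a key I already trust.
    Each hop must be signed by a key established by an earlier hop; the claimed
    key is accepted only if the chain ends on exactly that key."""
    known = {trusted: PUB[trusted]}          # keys I hold with confidence
    for signer, subject, pub, sig in certs:
        if signer not in known:              # signer is a stranger: no link to my trust
            return False
        if not verify(known[signer], key_record(subject, pub), sig):
            return False                     # forged or tampered certificate
        known[subject] = pub
    return known.get(owner) == claimed_pub

# A signs B's key, B signs C's, C signs D's: the chain the summary describes.
CHAIN = [certify("A", "B", PUB["B"]), certify("B", "C", PUB["C"]), certify("C", "D", PUB["D"])]

def demo():
    ok = key_is_trusted("A", CHAIN, "D", PUB["D"])
    # Man in the middle: Mallory's key is presented under D's name. Nobody in the
    # chain signed that binding, so it is rejected.
    mitm = key_is_trusted("A", CHAIN, "D", PUB["Mallory"])
    # Forged certificate: Mallory signs "D's key is Mallory's key" in C's name,
    # but C's real public key does not verify Mallory's signature.
    bad_cert = ("C", "D", PUB["Mallory"],
                sign(KEYS["Mallory"][1], key_record("D", PUB["Mallory"])))
    forged = key_is_trusted("A", CHAIN[:2] + [bad_cert], "D", PUB["Mallory"])
    return ok, mitm, forged

if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The walk is deliberately linear: real PGP computes trust over a graph with per-signer trust levels and signature counts, which this toy leaves out.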
With a web of trust, a stronger cipher, and a better UI, PGP 2.0 took off like a rocket. Zimmermann’s team was smart enough to release the software outside the US (Amsterdam and Auckland) to circumvent the export regulation. This angered Bidzos a lot, especially because PGP 2.0 was outshining his company’s product MailSafe. NSA was also not happy, as its old way of thinking, keeping cryptography as a weapon, no longer worked. With wireless communication becoming ever more widespread, crypto is so important to everyday life that it is a fool’s errand to treat it as anything other than a common item used by anyone anywhere.
The widespread use of cryptography and its huge potential to be used for protecting individual privacy did not escape the eyes of crypto activists. Three names showed up: Eric Hughes, Tim May (the guy who also discovered that alpha particles can flip bits in Intel’s memory chips. He retired early), and John Gilmore (fifth employee of Sun Microsystems, retired early, and had so much balls and zero fucks to give regarding challenging the government for protecting individual privacy). They established what was later referred to as “cypherpunks”, a bunch of coders writing crypto code, free of charge, to protect people’s privacy online from the government.
The next figure to enter the discussion is David Chaum, a very important figure as the inventor of the digital cash concept. He was able to devise crypto schemes that allow banks to authorize digital cash WITHOUT the ability to trace the owner of the cash (blind signatures). And he figured out a way to solve the dining cryptographers problem, i.e. verifying that money has been spent but NOT revealing (making it impossible to reveal) the identity of whoever made the payment. These schemes allowed Chaum to develop the first digital cash. Unfortunately, he met with a lot of obstacles pushing his digital cash (used like real money but untraceable to the owner) idea to a broader audience. Eventually, he founded a company called DigiCash and designed an automatic toll system (not dissimilar to the ones used today) for highways in Amsterdam. Unfortunately, DigiCash did not take off, despite the HUGE potential of digital cash. It was picked up nonetheless by banks and credit card companies on their own, since making a deal with Chaum to sell his patent was very difficult. We now have digital cash as the norm, yet very few people know that David Chaum was the founding father behind this technology. To make things worse, while Chaum wanted digital cash to be untraceable, the same cannot be said of the digital money we have today. Even the highway toll nowadays tracks its users. In a sense, Chaum’s dream is half realized now: people use digital cash all the time. Yet, his dream of a financial market protected by untraceable cash goes nowhere. If anything, tracking is the norm today. It feels like the fight by folks like Chaum, Hughes, May, and Gilmore did not end up the way they had wanted. Privacy is a major concern today, yet we are far far far away from the cypherpunk libertarian world envisioned by these people.
Another important concept proposed by Chaum and popularized by the cypherpunks was the remailer. It was an email intermediary between the sender and the ultimate receiver. At the intermediary, the sender’s address is removed and the message is resent from the intermediary to the receiver. This way, when the message finally arrives, the receiver has no idea where the message originated. To make this scheme more private, a chain of intermediaries can be used, and as long as one node in the chain (provided that this node is not the first node receiving the original message) is not compromised, the sender’s identity is protected. To add yet another layer of protection on top, the PGP public key of the last remailer can be used to encrypt the message. This way, none of the earlier remailers can even read the message.
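The remailer chain as an added model of mine, not the book’s or any real remailer’s code. Each hop records what its operator could see, strips the incoming sender, and forwards under its own address; sealing the body for the last hop stands in for encrypting to that remailer’s PGP public key and is a toy XOR keystream here (an assumption of the example), and the addresses, keys and message are all constructed.

```python
# Added example: a chained anonymous remailer, modelled for what each hop can observe.
import hashlib

def seal(key: bytes, data: bytes) -> bytes:
    """Toy one-shot stream cipher: XOR with a SHAKE-256 keystream. Self-inverse.
    Stand-in for encrypting to a remailer's PGP public key (assumption)."""
    keystream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))

class Remailer:
    def __init__(self, address: str, key: bytes):
        self.address, self.key = address, key
        self.observed = []   # (sender as seen by this hop, readable body or None)

    def handle(self, msg: dict) -> dict:
        body, readable = msg["body"], None
        if msg["sealed_for"] == self.address:   # only the addressed hop can open the body
            body = seal(self.key, body)
            readable = body
        self.observed.append((msg["sender"], readable))
        # Strip the incoming sender: the next hop (or the recipient) sees only this remailer.
        return {"sender": self.address, "body": body,
                "sealed_for": None if readable is not None else msg["sealed_for"]}

def send_through(chain, sender: str, body: bytes) -> dict:
    """Seal the body for the last remailer, then pass the message hop by hop."""
    last = chain[-1]
    msg = {"sender": sender, "body": seal(last.key, body), "sealed_for": last.address}
    for hop in chain:
        msg = hop.handle(msg)
    return msg   # what the final recipient receives

def can_link_sender_to_body(chain, compromised: set) -> bool:
    """Using only the logs of compromised hops, can an observer tie the real sender to
    the plaintext? The sender appears only in hop 0's log, the plaintext only in the
    last hop's, and each log names only the previous hop, so the trail needs every hop."""
    for hop in chain:
        if hop.address not in compromised:
            return False      # the trail breaks at an uncompromised hop
    return True

def run_demo():
    # Constructed chain and message.
    chain = [Remailer("mix1", b"key-1"), Remailer("mix2", b"key-2"), Remailer("mix3", b"key-3")]
    delivered = send_through(chain, "alice@example.org", b"meet at noon")
    seen = [hop.observed[0] for hop in chain]
    partial = can_link_sender_to_body(chain, {"mix1", "mix3"})
    full = can_link_sender_to_body(chain, {"mix1", "mix2", "mix3"})
    return delivered, seen, partial, full

if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

Note what the model leaves out: timing and message-size correlation, which real mix networks counter with batching and padding, and which the chapter does not cover.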
The advancement of cyber anonymity surely generates debate over whether such anonymity is for the greater good (protecting good people’s privacy) or for the bad (allowing bad people to break laws more easily). The same debate has also been had about cryptocurrency, which seems more and more like the second coming of Chaum’s non-traceable digital cash.
The cypherpunks apparently pushed a bit too far. Tim May created the fictional idea of BlackNet, where people can trade any piece of digital information, be it trade secret or national secret, anonymously using non-traceable digital credits. Nobody would know the identity of anyone on the BlackNet. It was completely anonymous. To me, this is pushing anarchy to the extreme. May was dismissing all the laws and regulations that made society possible. For privacy’s sake, his idea of cypherpunks was going to destroy the very society that he was living in. This is akin to the right wing rhetoric nowadays, especially regarding the anti-vaccine and anti-mask movement. They use individual rights as the shield for everything, ignoring responsibilities that each individual must also bear to make a society functional. It is always a balance, between individual rights and public responsibilities, between privacy and public scrutiny. Humans have lived, a long time ago, in a world with complete privacy and individual rights. Everyone could use deadly force to protect his property, do whatever he saw fit, and ignore rules and regulations imposed by others. Yet, those were the dark days, struggling days. Later, humans learned to cooperate, learned to compromise, and together as a society, where everyone gives up a little bit of privacy and rights, all can flourish. Of course, society can push too far (dictatorship, authoritarian society) and we must also be on guard against that. But by the same token, individuality can push too far as well.
Let me end this chapter’s summary with this thought: a world without the ability to fathom and test such things as BlackNet is terribly oppressive. But a world allowing such things as BlackNet to exist is also horrifying. The middle ground is where humans flourish. We all know that, yet extreme thoughts and ideas act like gravity that always pulls us to the ends of the spectrum. When education is strong and adequate, people can withstand such pulls. Yet when education degrades, as it does nowadays, the pull is irresistible.
Summary Chapter 8 — The Clipper Chip
This chapter apparently will focus on Clint Brooks, assistant deputy director of NSA in the early 1990s when public crypto went viral, and his effort to find “equity” in NSA’s two major roles: offering the public a great crypto option and defeating such crypto so that all communication remains transparent to NSA.
Brooks’s plan to maintain equity in NSA was the escrow plan: make it absolutely clear and honest that NSA supports the effort to improve and spread public crypto, but at the same time maintain and organize “master keys” in a third-party escrow, such that if prying into an encrypted message is warranted by a judge, i.e. a digital search warrant, NSA can obtain a master key from the third-party escrow. This scheme allows and encourages public crypto to be more secure, but also keeps NSA’s ability to decrypt any message if necessary.
Brooks knew that the escrow plan would only work if NSA won the trust of the public. This means the NSA had to make itself open and transparent. This was the opposite of what NSA had been doing (it was dubbed the unnamed agency after all), so Brooks met with a lot of resistance from the old guard of NSA.
The final product proposed by Brooks works like this. Two special phones use a Diffie-Hellman exchange to establish a session key that encrypts and decrypts the audio. Such encryption/decryption is done via NSA’s Skipjack algo. While the encrypted audio is being exchanged between the two phones, another piece of information is transmitted, called the LEAF (Law Enforcement Access Field). This field contains two pieces of information: an encrypted session key (encrypted by the session key itself, the chip unique key, and the unique chip identifier) and the unique chip identifier. These two pieces are then encrypted by a family key before being transmitted. Thus, anyone who wants to wiretap the phone call will get the encrypted audio (encrypted by the session key), a doubly encrypted session key (first encrypted by the chip unique key etc., and then by the family key), and an encrypted unique chip identifier. However, this won’t be helpful to some random Joe, because to access the phone conversation, he must obtain the session key. To obtain the session key, he must know the family key and the chip unique key, neither of which is easily available. NSA, however, already has the family key (there is only one family key for the entire system). This enables it to decrypt the unique chip identifier. While other people have no use for this identifier, NSA would keep all the chip unique keys in its escrow storage, indexed by the unique chip identifier. This means NSA can obtain the chip unique key from the decrypted unique chip identifier, and then decrypt the session key.
According to Brooks’s design, the ability to match the unique chip identifier to the chip unique key is restricted to NSA only, and NSA can only have access upon a warrant issued by a judge. Thus, Brooks ensured that the public could enjoy as much encryption as possible, yet at the same time, if a judge deemed it necessary, NSA could leverage the chip unique keys in the escrow storage to wiretap any phone conversation made by those chips.
Brooks constructed such a chip, dubbed the Capstone chip, hoping that it would be accepted by all government agencies. Unfortunately, the FBI was not entirely happy about it. They wanted real-time wiretaps, not wiretaps after a warrant from a judge. The FBI’s discontent was exacerbated when AT&T rolled out its own version of the encrypted phone call. To prevent AT&T from spreading thousands of secure phones without the government’s ability to wiretap, the government made a lucrative deal with AT&T in which AT&T would swap its DES chip for a stripped-down version of the Capstone chip (dubbed the Clipper chip), thus enabling government wiretaps on AT&T’s secure phones via the escrow scheme. In return, the government would become a major client of AT&T’s new secure phone. This was a step backwards in crypto, because a third party was introduced to the conversation. No matter how much stronger the encryption provided by the Clipper chip versus the original DES chip, DES requires no third party to establish encryption, whereas the Clipper chip always has the government as the third party, not only offering the encryption algo but also ready to wiretap at any time. But AT&T could not say no. The government contract for the new secure phone was too big to turn down, and the goodwill established would be priceless. Hence, AT&T budged and swapped its DES chip for the government-sanctioned Clipper Chip.
However, it was not easy pushing the Clipper Chip forward with the Bush Senior administration, because Bush’s minions were all too experienced and too close to the election to decide on a rather controversial topic. Fortunately, Bush Senior didn’t win re-election. Clinton won. Contrary to the common belief that Clinton was pro-public crypto, his administration had an open mind towards what NSA had to offer, and was very detail-oriented and eager to play with whatever was offered to find an edge for the new administration.
Lobbying hard the Clipper team did. Not only the NSA, but also the FBI and other concerned government officials communicated their side of the story regarding the peril of allowing unregulated public crypto and the benefit of having the Clipper Chip and the escrow scheme to guarantee privacy for the good people while maintaining the capacity to monitor the bad people. They presented two extreme scenarios to the Clinton administration. One: no regulation, which was favored by the crypto anarchists and cypherpunks; bad guys are able to communicate in complete secrecy, plot whatever terrorist attacks, and kill innocent people, and their blood would be on the hands of the Clinton administration, since it already knew about it but decided to do nothing. Two: real-time decryption of any communication and full control of crypto by the government, which was favored by the FBI; but the cry of government overreach would certainly be loud and clear. So the Clinton administration was put between a rock and a hard place. Then the Clipper team offered a third option: approve the Clipper Chip and the escrow scheme that allows good people to enjoy the privacy offered by the superior Skipjack algo but at the same time retains the ability for the government to monitor the bad people and prevent tragedy from happening.
The option seemed obvious, and that was what the Clipper team banked on: there was no choice for the Clinton administration other than taking up the Clipper Chip and the escrow scheme. There were some questions about Clipper, specifically how this scheme would handle international issues. Not every country would adopt the Clipper Chip, and what would the U.S. do if bad people from other countries plotted terrorist attacks without handing their chip unique keys to the escrow scheme? Yet, these arguments were drowned out by the overwhelming sensationalization of the issue: do you want to be responsible for kidnappers? Either you were an accomplice of all serious crimes if you didn’t sign up for Clipper, or you were a person of sense that could recognize the value of Clipper. Eventually, the Clinton administration budged and agreed on the Clipper proposal at the end of March, 1993.
BUT, the backfire came soon after the Clipper was publicly announced. Despite the government’s advocacy and some industry and academic support, the majority of the information industries went against it, because nobody overseas would want to use a secure product with a backdoor built into it that only the U.S. government could access. The grassroots went berserk on this issue, compared it to a Big Brother scheme, and used the analogy “What if you had to leave a copy of your front door key at the police station?” to turn anyone, left and right (including Rush Limbaugh), against the Clipper.
Tim May expounded on a theory that America has two minds about privacy: “what do you have to hide” and “none of your business”. Any successful crypto policy must walk the middle line, yet the Clipper embraced the first mind wholeheartedly and was thus doomed to fail.
Despite a positive review of the Skipjack algo from Dorothy Denning, an academic supporting the Clipper, the whole process of creating the Clipper had not gone through adequate market research. There was a patent similar to the Clipper’s scheme granted in 1992, so the government had to pay the patent owner a million dollars to settle the patent infringement. There was also a chip maker already producing a chip called Clipper, so the government had to pay to use their moniker. Furthermore, the government contractor that was tasked to produce the Clipper chip had too little time to adapt the chip for commercial use, such that the chip they designed was only able to support the communication bandwidth of 1993, but not that of the future, which means any product designed to use the Clipper chip then would become obsolete when it hit the market 18 months later. Yet, the Clinton administration did NOT budge and doubled down on the Escrow Encryption Standard.
The fightback was even fiercer. Two main arguments against the Clipper appeared. One was mentioned above: who would use the Clipper when PGP existed already? And why would any foreign country use the Clipper and subject its citizens’ privacy to two U.S. government agencies (the escrow facility was to be handled by NSA and the Treasury Department)? The other was by Whit Diffie. He compared the “danger” of public crypto to the supposedly dangerous telecommunication that the government had feared a few decades earlier. Eventually, that danger proved unfounded and the government benefited from telecommunication. The same thing would happen to public crypto. Diffie also mentioned that the right to privacy was built into America. The founding fathers could easily obtain privacy by simply walking out of earshot of others, so Americans today should likewise be granted the right to privacy. The U.S. was built on privacy. Democracy requires the right to privacy. Depriving people of privacy was akin to depriving them of their freedom to have private discussions on the issues that form the bedrock of democracy. The Clipper is against the right to privacy, thus it is anti-American.
Matthew Blaze, an obscure scientist working for AT&T Bell Labs, discovered that the checksum of the Law Enforcement Access Field (LEAF) in the Clipper Chip was only 16 bits in size. This allowed him to spoof a fake LEAF with the correct checksum that did not carry the actual unique chip identifier and encrypted session key to the escrow facility, which means he was able to use the Clipper for encryption but WITHOUT the government having the ability to decrypt it (since he sent a legitimate-looking but spoofed LEAF). It took Blaze 42 minutes to spoof the LEAF, which essentially rendered the Clipper useless for what the NSA and FBI wanted to use it for — it was very easy for people to avoid decryption by the government. The vulnerability was obviously the small size of the checksum. But it was by design. Due to the bandwidth limitation, the Clipper chip could only send 128 bits in the LEAF. 32 bits were used for the unique chip identifier. The remaining 96 bits were left for the session key and checksum. The FBI required that the full-length encrypted session key — 80 bits — be included, which left only 16 bits for the checksum. Had the FBI moved a few more bits to the checksum, they would have had a little brute-force work to do to find the session key (but not much), yet the difficulty of spoofing the checksum would have increased by orders of magnitude. Yet, their pretentiousness and ego failed them harshly. Despite a little bit of resistance, Blaze was able to publish his findings and surprisingly also got a front page news article in the New York Times for his discovery.
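The LEAF layout from this chapter, modelled as an added example (mine, not the book’s, NSA’s or any Clipper firmware): a 32-bit chip identifier, an 80-bit session key wrapped under the chip unique key, and a 16-bit checksum, with the whole field wrapped under the family key. Skipjack is replaced by a toy XOR keystream and the checksum by a truncated SHA-256, both assumptions; the chip ID, keys and escrow table are constructed. The receiver’s check is the one Blaze targeted, and `checksum_tradeoff` works through the bit budget described above: how many guesses a 16-bit versus a longer checksum costs against how many key bits the escrow side would then have to brute-force.

```python
# Added example: the Law Enforcement Access Field as laid out in the chapter summary,
# with a toy keystream in place of Skipjack so the block runs offline.
import hashlib

def xor_with(key: bytes, data: bytes) -> bytes:
    """Toy keystream cipher standing in for Skipjack (assumption); XOR is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key).digest(len(data))))

def leaf_checksum(session_key: bytes, bits: int = 16) -> int:
    """Checksum the receiving chip uses to accept a LEAF: top `bits` of SHA-256 (constructed)."""
    full = int.from_bytes(hashlib.sha256(session_key).digest(), "big")
    return full >> (256 - bits)

def build_leaf(chip_id: int, unit_key: bytes, session_key: bytes, family_key: bytes) -> bytes:
    assert len(session_key) == 10, "80-bit Skipjack session key"
    inner = (chip_id.to_bytes(4, "big")                        # 32 bits: unique chip identifier
             + xor_with(unit_key, session_key)                 # 80 bits: session key under chip unique key
             + leaf_checksum(session_key).to_bytes(2, "big"))  # 16 bits: checksum
    return xor_with(family_key, inner)                         # 128 bits, wrapped under the family key

def parse_leaf(leaf: bytes, family_key: bytes):
    inner = xor_with(family_key, leaf)
    return int.from_bytes(inner[:4], "big"), inner[4:14], int.from_bytes(inner[14:16], "big")

def receiver_accepts(leaf: bytes, family_key: bytes, session_key: bytes) -> bool:
    """A Clipper phone already holds the session key from the Diffie-Hellman exchange; all
    it can check is that the LEAF it was sent carries the matching 16-bit checksum."""
    _, _, checksum = parse_leaf(leaf, family_key)
    return checksum == leaf_checksum(session_key)

def escrow_recover(leaf: bytes, family_key: bytes, escrow_db: dict) -> bytes:
    """The wiretap side: the family key exposes the chip ID, the escrow database maps it to
    the chip unique key, and that unwraps the session key. Without escrow_db there is no path."""
    chip_id, wrapped, checksum = parse_leaf(leaf, family_key)
    session_key = xor_with(escrow_db[chip_id], wrapped)
    if leaf_checksum(session_key) != checksum:
        raise ValueError("LEAF checksum mismatch: forged or corrupted field")
    return session_key

def checksum_tradeoff(checksum_bits: int, field_bits: int = 96, key_bits: int = 80) -> dict:
    """96 bits are shared between the wrapped key and the checksum. Each bit moved into the
    checksum doubles the expected guesses needed to pass the receiver's check, but also
    drops a key bit from the field, doubling what the escrow side must brute-force."""
    dropped_key_bits = max(0, key_bits - (field_bits - checksum_bits))
    return {"expected_guesses_to_pass_check": 2 ** checksum_bits,
            "escrow_brute_force": 2 ** dropped_key_bits}

if __name__ == "__main__":
    family, unit, session = b"family-key", b"unit-key-0042", bytes(range(10))   # constructed
    leaf = build_leaf(42, unit, session, family)
    print(receiver_accepts(leaf, family, session), escrow_recover(leaf, family, {42: unit}) == session)
    print(checksum_tradeoff(16), checksum_tradeoff(32))
```

The receiver’s only defence is the checksum length, which is why the 80-bit-key requirement in the bit budget mattered: every bit spent on the key field was a bit not spent on the check.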
This incident was not really a big issue to the Clipper, per se, as they could easily increase the checksum size, but it showed that even when the government tried to play Big Brother, they couldn’t do it correctly. Any lingering trust in the government would be lost after incidents like this.
The next battleground was the export law that prevented American companies from exporting products containing strong crypto. This was lunatic, as strong crypto products were already everywhere in the world, and strong crypto, such as PGP, was publicly available everywhere. There was no logical reason why the U.S. government was still enforcing an export law that was harming U.S. companies. Maria Cantwell, a newly elected Congresswoman, took the initiative to fight against this archaic and stupid law.
She fought tooth and nail for repealing the export law, despite mountains of rejection and resistance. Eventually, her effort won a concession from Al Gore, who made a deal with her: you drop the bill, and we will walk back the enforcement of the Clipper. The compromise was that the public would have a choice whether to use the Clipper or not, a choice of how the escrow scheme was implemented, and a choice of where to store the escrow (which could be in the private sector). Basically, the concession made the initial goal of the Clipper useless. This was a big victory for the fight against the Clipper. Cantwell agreed to drop the bill, got a written note from Gore regarding the concession, and had the story published in the news. At that point, the initial vision of Clint Brooks, who had sought an open and honest discussion about a national crypto that enables both privacy and law enforcement wiretapping, was dead. There was never an open discussion, which signaled the doom from the start.
Summary Chapter 9 — Slouching Toward Crypto
Robert Morris, Sr., a retired former NSA crypto top scientist, offered two koans for the future of crypto.
1. Always assume your codebreakers have better resources and determination than you imagine.
2. There will always be something on a plaintext.
These two koans concern how crypto can be broken, either by brute force (throwing large amounts of resources at decryption) or by human stupidity (someone somewhere must have written a key piece of the crypto in plaintext, because humans are fallible).
Derek Atkins, along with friends and colleagues, broke RSA 129 (the RSA system with 129 bits) in April 1994 using distributed computing, i.e. recruiting computers worldwide via the Internet, and a smarter factoring algorithm. This was not completely surprising, as the ones that set up the challenge to crack RSA 129 and Ron Rivest himself had both predicted that better factoring algorithms would make code cracking easier. But the fact that this did eventually happen, merely 17 years after the initial challenge was issued (instead of the millions or billions of years originally predicted to crack RSA 129), made people doubt the security of the actual RSA used in commercial systems.
The next target was the 40-bit cipher allowed by the US government for software export. Breaking this cipher is different from breaking RSA. The latter requires factoring a large number into its prime factors, whereas the former needs brute force.
The 40-bit RC4 cipher was used in Netscape’s SSL. Hal Finney set up a challenge in July 1995 to break this key, and the challenge was accepted by the cypherpunks. However, some misunderstanding among them delayed the effort, which gave Damien Doligez a chance to work on it himself. He was a computer scientist from France, working in a powerful government computer lab. He thought the weak 40-bit key should be crackable in two to three weeks, given that the stronger 129-bit key had been broken not so long ago. Since the cypherpunks weren’t able to muster enough effort to give the crack a go, Doligez decided to do it himself. Because he had access to many computing resources in the computer lab, he was able to set up a distributed program to crack the 40-bit key. His program was so neat that while someone was using a machine, the program didn’t run; yet once that person stopped, his program would kick in and take advantage of the idle computing resources.
Doligez cracked the 40-bit key in four days.
Then two new graduate students, Ian Goldberg and Dave Wagner, cracked Netscape in an even shorter time. They found out that the RNG used in Netscape used a predictable seed: time of day + process ID + parent process ID. These were easy to obtain, which let them reproduce the RNG output and crack the key in minutes on a single Pentium machine. This was a wake-up call that even the engineers at Netscape, which was supposed to be putting users’ privacy first, could make mistakes like this. The root cause of this was the lack of standardization of how crypto must be implemented. Had there been a guideline on how the RNG seed should be generated, this type of silly mistake wouldn’t have been committed. The finger was again pointing at the U.S. government’s half-hearted effort to promote strong crypto.
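The predictable-seed problem as an added example of mine, not Netscape’s code: a 40-bit key drawn from a PRNG seeded with time of day, process ID and parent process ID, and a count of how few seeds an observer who roughly knows those values has to try before the key falls out. The seed mixing, the use of Python’s Mersenne Twister and the ranges are all constructed for the example; the fix at the end draws from the OS CSPRNG.

```python
# Added example: a key is only as unpredictable as the seed behind it. The seed layout
# and the PRNG here are constructed; Netscape's own generator was different.
import random
import secrets
from math import log2

def weak_key(time_of_day: int, pid: int, ppid: int, nbytes: int = 5) -> bytes:
    """Derive a 40-bit key from a PRNG seeded with (time of day, pid, parent pid)."""
    seed = (time_of_day << 32) | (pid << 16) | ppid     # each quantity gets its own bit field
    return random.Random(seed).getrandbits(nbytes * 8).to_bytes(nbytes, "big")

def seed_entropy_bits(time_window: range, pid_range: range, ppid_range: range) -> float:
    """What an observer who knows roughly when and where the key was made still has to guess,
    compared with the 40 bits the key length advertises."""
    return log2(len(time_window) * len(pid_range) * len(ppid_range))

def seeds_until_match(key: bytes, time_window: range, pid_range: range, ppid_range: range):
    """Enumerate the plausible seeds in order and return (seeds tried, seed tuple) for the
    one that reproduces the key, or (seeds tried, None). This is the cost a guessable seed
    imposes on whoever holds the ciphertext: a few thousand PRNG instantiations, not 2**40."""
    tried = 0
    for t in time_window:
        for pid in pid_range:
            for ppid in ppid_range:
                tried += 1
                if weak_key(t, pid, ppid) == key:
                    return tried, (t, pid, ppid)
    return tried, None

def strong_key(nbytes: int = 5) -> bytes:
    """The fix: key material from the OS CSPRNG, never from a seed built out of guessable state."""
    return secrets.token_bytes(nbytes)

if __name__ == "__main__":
    key = weak_key(43200, 17, 5)                              # constructed: noon, pid 17, ppid 5
    window, pids, ppids = range(43195, 43205), range(1, 64), range(1, 16)
    print("effective entropy: %.1f bits" % seed_entropy_bits(window, pids, ppids))
    print("recovered after", seeds_until_match(key, window, pids, ppids))
    print("strong key:", strong_key().hex())
```

The counting function is the detection side of the story: if a generator’s seed can be enumerated from values an observer can plausibly know, the key length is not the security level, whatever the cipher.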
Ray Ozzie, the boss of Lotus (in the late 1990s, Lotus was bought by IBM for $3 billion, so technically he was no longer a boss but an employee of IBM), devised a new scheme to circumvent the stupid export law. The Notes software from Lotus shipped overseas with a 40-bit key, whereas domestically it used a 64-bit key. To calm the anger of overseas users about the 40-bit key, especially after one was broken so easily in the Netscape case, Ozzie decided to also ship a 64-bit key overseas, BUT with 24 bits of it placed in an NSAF (National Security Access Field) that could only be decrypted with the private key held by NSA. So essentially, to NSA, the 64-bit key was the same as the previous 40-bit key, but to overseas customers the key was stronger than before. This was Ozzie’s way to find a middle ground between the stupid export law and the international demand for equal treatment of crypto.
However, even this effort to search for a middle ground was not greeted with open arms by the government. Ozzie received notes from the government claiming that his new patent application regarding the 64-bit key for export was in violation of national security, and none of its products could be shared with third parties. He received this warning AFTER he had already shipped millions of Notes products with the new 64-bit key implemented, which means he was already liable for leaking national secrets to millions of people overseas. This strange event was eventually resolved as a “mistake”, because Ozzie had a friend who knew someone higher up in NSA. But it seemed to be a warning against anyone daring to even find a work-around of the government’s stance on crypto.
The guy who openly challenged the government got more threats. Jim Bidzos, who had openly and actively trashed the Clipper, received a death threat from an NSA agent. Bidzos later received an apology from the NSA boss, but this was a sign that the government wanted Bidzos out of the crypto business.
Phil Zimmermann had an even worse treatment by the government. He was charged with export of munitions thanks to his work on and distribution of PGP. Zimmermann was instructed by his lawyer to lie low, but he decided to go public and talk whenever he could, educating the general public about the benefits of PGP and the danger of the government acting as Big Brother to silence Zimmermann, and spreading the word about how PGP had helped people worldwide to fight for democracy. His strategy of mobilizing the general public worked in his favor, as he was never indicted by a grand jury for the charges against him.
The export law back in 1995 was bizarre. One could export crypto content, algorithms, theory, etc., in a physical book to foreign countries, but it was illegal to export the same thing in digital form. It was so absurd that MIT Press published the entirety of the PGP source code in a physical book whose content was easily scanned and turned into digital format, and this book was allowed to be exported. MIT also put the PGP software on their server for anyone claiming to be American to download free of charge. Of course someone outside the U.S. downloaded the software, yet MIT never got a clear response from NSA on whether what they were doing was against the law.
Julf Helsingius had the worst experience. He was the guy running a remailer server in Finland that stripped away the identification of senders for hundreds of thousands of emails worldwide. Yet, he was ordered by a local judge to hand over the identities behind the email addresses he had stripped. The charge was brought initially by the Church of Scientology, which claimed that former members had stolen church materials and used Helsingius’s service to distribute the copyrighted material anonymously. Then Helsingius was wrongly accused of helping with the distribution of child pornography. He couldn’t fight the Finnish judge, because the latter ruled that email should not enjoy the same privacy protection as regular mail. Therefore, reluctantly, Helsingius had to shut down his remailer service.
The implication of this was huge. It shows that while the technology is there to allow privacy for everyone on the internet, its implementation depends on whether the local government is willing to allow such privacy. If the government, such as that of Finland, doesn’t deem electronic privacy the same as physical privacy, then all the technological advancement in privacy is a moot point.
The US government was not progressing either. It still stalled any attempt at liberalizing the stupid export law. In 1996, the Security and Freedom through Encryption (SAFE) bill promised to resolve all pain points for the industry and guarantee a future in which the government could not mandate a single crypto algo, yet this bill went nowhere.
However, the defenders of the crypto export law were losing ground. First, the report produced by the National Research Council (Cryptography’s Role in Securing the Information Society) strongly encouraged the freedom of crypto and the end of the export restriction. The argument was that the genie was already out of the bottle, and we might as well take advantage of the advancement of crypto instead of stifling its progress. Second, Daniel Bernstein, a graduate student from Berkeley, created a piece of software (Snuffle) in 1992 that could turn any good hash function into a tool to encrypt and decrypt information. He wanted to publish it, but decided to go through the government first to determine whether it was legal to do so. Obviously, the government shot him down, saying the distribution of his software or the paper describing it violated the export law. He fought back relentlessly, and with the help of John Gilmore and a pro bono lawyer, Cindy Cohn, they were able to sue the government, claiming that the export law violated Bernstein’s First Amendment rights. The district judge sided with Bernstein. The government appealed. Then the three-judge panel at the Ninth Circuit court, after much deliberation, upheld the decision from the lower court in 1999. Furthermore, they opined that the government’s control on crypto not only violated First Amendment rights but also deprived American citizens of the benefits of crypto.
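The idea behind Snuffle, turning a hash function into a cipher, as an added example of mine in the form I would build it today (not Bernstein’s construction, which the summary does not describe): keystream blocks are SHA-256 of key, nonce and counter, XORed into the data, with a separately derived HMAC key and tag so tampering is detected. The key and plaintext are constructed. The nonce must never repeat under one key, because two messages under the same keystream leak the XOR of their plaintexts.

```python
# Added example: a stream cipher plus integrity tag built from nothing but a hash function.
import hashlib
import hmac
import os

def subkeys(key: bytes):
    # Separate keys for keystream and tag, both derived from the one user key.
    return (hashlib.sha256(key + b"enc").digest(), hashlib.sha256(key + b"mac").digest())

def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode over a hash: block i = SHA-256(enc_key || nonce || i)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes, nonce: bytes = b"") -> bytes:
    """Return nonce || ciphertext || tag. A fresh random nonce is drawn unless one is given."""
    enc_key, mac_key = subkeys(key)
    nonce = nonce or os.urandom(16)
    assert len(nonce) == 16, "16-byte nonce, unique per message under a key"
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def tag_valid(key: bytes, blob: bytes) -> bool:
    """Constant-time check of the tag over nonce and ciphertext."""
    _, mac_key = subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    return hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest())

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext, then strip the keystream."""
    if len(blob) < 48 or not tag_valid(key, blob):
        raise ValueError("authentication failed")
    enc_key, _ = subkeys(key)
    nonce, ct = blob[:16], blob[16:-32]
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))

if __name__ == "__main__":
    key = b"constructed-32-byte-example-key!"
    blob = encrypt(key, b"hello world")
    print(decrypt(key, blob), tag_valid(key, blob[:16] + bytes([blob[16] ^ 1]) + blob[17:]))
```

Checking the tag before decrypting is what separates this from a bare hash-keystream cipher: a flipped ciphertext bit flips the same plaintext bit, and only the tag makes that visible.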
Finally, as the pro-crypto group in both the industry and Congress grew in voice (thanks to the lobbying effort of the computer industry; though lobbying made a positive impact in this case, I am still against this mode of governing), they were able to present the vision that the U.S. would suffer catastrophic loss if its digital infrastructure were hacked because of poor crypto. Thus, by suppressing public crypto through the export law, the government was sabotaging the country. In 1999, the government accepted the reality that further control of crypto was not going to work. Public crypto officially became freely available to everyone.
It took 20 years for public crypto to be fully accepted by the government and widely used wherever online communication is concerned. The delay was not due to any deficiency of public crypto, but to its having been born too early. Without a mature ecosystem of online communication, i.e. web browsing, e-commerce, etc., the usefulness of public crypto was hard to demonstrate. Yet by the beginning of the new millennium the environment was ready for public crypto, so neither the government nor the staunch voices against public crypto could stop its wide adoption.
Summary Epilogue — The Open Secret
The epilogue told the story of James Ellis, Clifford Cocks, and Malcolm Williamson of Government Communications Headquarters (GCHQ) in Great Britain, who discovered the theory of public crypto, the RSA algo, and Diffie-Hellman key exchange, respectively, BEFORE they were re-discovered in the US. Luck really struck them: each came up with his idea in a matter of hours, in contrast to the many efforts committed by their American counterparts a few years later.
Unfortunately, that was where their luck ran out. All three of them worked in secrecy and were barred by their superiors from publishing their work. Furthermore, Ellis’ discovery, dubbed Non-Secret Encryption, was deemed too eccentric, and Cocks and Williamson’s implementations of Non-Secret Encryption too elegant, to be pursued further by GCHQ for application. Essentially, GCHQ sat on top of a gold mine in crypto, yet decided to bury it instead of taking advantage of it. Although GCHQ had legitimate concerns about Non-Secret Encryption, given its extreme novelty, their backwardness and cowardice were also on full display when they brushed away Ellis’s attempt at setting the record straight to the world in 1985, 16 years after he first conjured up the public crypto idea.
It was quite sad that Ellis passed away before the true story of his and his colleagues’ discovery was finally made public in 1997. It is also sad that the names of these three are not mentioned when people discuss RSA or Diffie-Hellman-Merkle key exchange.