NATIONAL SECURITY AGENCY FORT GEORGE G. MEADE, MARYLANO 20756-8000 FOIA Case: 60495B 1 October 2019 JOHN L YOUNG Dear Mr. Young: ‘This further responds to your Freedom of Information Act (FOIA) request of 3 January 2010 for the following documents (cited in the footnotes of NDS DOCID 3417193 provided to you in FOIA Case 60251): 1, Unknown author, Fifty Years of Mathematical Cryptanalysis (Fort Meade), Md. NSA, 1988. 2. DDIR files, 96026, Box 4, Drake Notebook, Proto Paper. 3. Ibid, Unknown Author, draft history of COMPUSEC, in CCH files. 4. Interview, Norman Boardman, by Robert D. Farley, 1986, OH 3-86, NSA. A copy of your request is enclosed. As stated in our initial response to you, Item 1 of your request (“Fifty Years of Mathematical Cryptanalysis”) was processed in a FOIA request received prior to yours. That processing is now completed and the document is enclosed. Certain information, however, has been deleted from the enclosure. Some of the withheld information has been found to be currently and properly classified in accordance with Executive Order 13526. The information meets the criteria for classification as set forth in Subparagraph (c) of Section 1.4 and remains classified TOP SECRET as provided in Section 1.2 of Executive Order 13526. The information is classified because its disclosure could reasonably be expected to cause exceptionally grave damage to the national security. Because the information is currently and properly classified, it is exempt from disclosure pursuant to the first exemption of the FOIA (5 U.S.C. Section 552(b)(1)). The information is exempt from automatic declassification in accordance with Section 3.3(b)(3) of E.O. 13526. In addition, this Agency is authorized by various statutes to protect certain information concerning its activities. We have determined that such information exists in this document. Accordingly, those portions are exemptFOIA Case: 60495B from disclosure pursuant to the third exemption of the FOIA, which provides for the withholding of information specifically protected from disclosure by statute. The specific statutes applicable in this case are Title 18 U.S. Code itle 50 U.S. Code 3024(i); and Section 6, Public Law 86-36 (50 U.S. Code Personal information regarding individuals has been deleted from the enclosures in accordance with 5 U.S.C. 552 (b)(6). This exemption protects from disclosure information that would constitute a clearly unwarranted invasion of personal privacy. In balancing the public interest for the information you request against the privacy interests involved, we have determined that the privacy interests sufficiently satisfy the requirements for the application of the (b)(6) exemption. Since these deletions may be construed as a partial denial of your request, you are hereby advised of this Agency's appeal procedures. You may appeal this decision. If you decide to appeal, you should do so in the manner outlined below. NSA will endeavor to respond within 20 working days of receiving any appeal, absent any unusual circumstances. + The appeal must be sent via U.S. postal mail, fax, or electronic delivery (e-mail) and addressed to: NSA FOIA/PA Appeal Authority (P132) National Security Agency 9800 Savage Road STE 6932 Fort George G. Meade, MD 20755-6932 ‘The facsimile number is 443-479-3612. The appropriate email address to submit an appeal is. FOIARSC@nsa.gov. * It must be postmarked or delivered electronically no later than 90 calendar days from the date of this letter. Decisions appealed after 90 days will not be addressed. Please include the case number provided above. * Please describe with sufficient detail why you believe the denial of requested information was unwarranted. You may also contact our FOIA Public Liaison at foialo@nsa.gov for any further assistance and to discuss any aspect of your request. Additionally, you may contact the Office of Government Information Services (OGIS) at the National Archives and Records Administration to inquire about the FOIA mediation services they offer. The contact information for OGIS is as follows:Encls: a/s FOIA Case: 60495B Office of Government Information Services National Archives and Records Administration 8601 Adelphi Rd. - OGIS College Park, MD 20740 ogis@nara.gov 877-684-6448 (Fax) 202-741-5769 Sincerely, pe Luks JOHN R. CHAPMAN Chief, FOIA/PA Office NSA Initial Denial Authoritywebteam @nsa.gov ‘Sunday, January 03, 2010 9:47 AM, FOIANET ya@pipeiine.com ‘Young, John - FOIA Request (Web form submission) Name: John & Young Email: jya@pipeline. com Company: Cryptome.org Records Request. Pocurents cited in notes of NDS DOCID: 3417193 recently provided to me by NSA: +, Unknown Author, Fifty Years of Mathematical cryptanalysis (Fort Meade), Md. NSA, 1988, 2. DDR #41 96026, Box 4, Drake Notebook, Proto Paper. 3. Tbid, Unknown Author, draft history of COMPUSEC, in CCH file. « Interview, Nornan Boardman, by Robert D. Farley, 1986, OH 3-86, NSA. Thank you very much, John YoungDoe ID: 6649792 FOP-SECREF Fifty Years of Mathematical Cryptanalysis CLASSIFIED BY NSA/CSSM 123-2 DECLASSIFIED ON: ORIGINATING AGENCY'S: DETERMINATION REQUIRED WNorreteasabte to-comtrecters- “bACONE- THIS DOCUMENT CONTAINS CODEWORD MATERIAL \ FOP SECRET proved for Release by NSA on 01-23-2019, FOIA Case # 58202Doe 1D: 6649792 Fifty Years of Mathematical c: ryptanalysis (1937-1987) by Glenn F. stanly August 19¢8Doe 1D: 6649792 & I. Introduction . 1 A. Background a B. Technology 1 C. Mathematics "1! ‘ 4 D. Public Cryptologic Research 6 E. Prognosis .... 7 XI, Mechanical and Electromechanical Cipher Machines 8 A. Wired Wheel Machines 2 : 8 8. Teleprinter Cipher Machines 22 . Hagelin C-38 Cipher Machines "| 14 aaenT D. Wired Wheel/Pin Wheel Compound wa: 17 q V. Computing Power ...... 39 A. Special Purpose Dev: 39 B. Digital computers . 43 VI. Public Key cryptography 46 + Knapsacks . 47 B. 47 c. 48 == D. 49Doe ID: 6649792 VIII. Summing Up .......... Appendix T: Mathematicians in Cryptology in the 1940's and 1950's. A. British Mathematicians in WW II Cryptology .. B. American Mathematicians in WW II cryptology |". ¢. Members of the NSASAB Mathematics Panel, to 1965 D. Mathematicians Attending the First SCAMP E, Junior Mathematicians of 1951 .. Appendix II: ENIGMA .. Appendix ITI: TUNNY ... Appendix Iv: Hagelin Machines ...... Appendix V: Electronic Cipher Machines Appendix VI: Special Purpose Devic Appendix VII: Public Key systens A. Knapsacks . : B. RSA wee... . Exponentiation’ : D. McEliece's System References .... Index ... in2Doc ID: 6649792 TOF -SEcKET—UmBRn—nneonre—eeen— ( Preface Although this paper concentrates on mathematical cryptanalysis, it is by no means intended to disparage the work of or results produced by nonmathematical cryptanalysts, who excel in their own right and fre- quently produce results that mathematics could not. Many of them work side by side with the mathematicians and often lead then to success by formulating cryptanalytic problems in such a way as to permit the appli~ cation of abstract mathematics. In fact, they not infrequently succeed in situatigns where "pure reason" fails the mathematician and leaves him (or her) floundering. But it was absolutely essential during ww IT hat mathematicians and nonmathematicians work hand-in-glove, and only because of this cooperation were they so spectacularly successful. Neither is it my intention to suggest that manual cryptography will disappear or even diminish in importance. I believe that will nev~ er happen, and therefore we must continue to train and sustain manual ctyptanalysts and to provide them with technological support (comput- ers, mathematics, linguistics, and engineering) just as we do the ustal- iy more mathematically oriented machine cryptanalysts. Mathematical cryptanalysis is much more than merely counting let- ters, adding and subtracting numbers, or computing logarithms. It in- volves the application to cryptanalytic problems of advanced mathemati- gal subjects such as probability theory, mathematical statistics, group theory, abstract algebra, combinatorial ‘theory, and many more. Sone oF the world's foremost mathematicians have been connected with cryptanaly- Cc sis, either as direct practioners (e.g., Alan Turing) or as consultants (e.g., John von Neumann). So also have such outstanding mathematical statisticians as John Tukey. it is impossible to discuss in this survey any work in mathenati- cal cryptanalysis not done by the United States or the United Kingdon, although we have had glimpses of the capabilities of a few other coun’ tries through the opaque windows of Third Party relationships. Austra- iia and canada, other Second Parties, likewise have made contributions to mathematical cryptanalysis that are not discussed here. We can also the cryptographic skills of most foreign nations as we attack fheir enciphered communications, but it is hard to tell how closely these are connected to their cryptanalytic efforts and even more diffie cult to guess how or if they use mathematicians. T”sDelieve the U.S. and the U.K. are far ahead of the rest of the world in the area of mathematical cryptanalysis, not because of any in= nate superiority in this area but because the second World war drove home to us the value of mathematics for cryptanalysis. We took that jesson to heart and nurtured the seeds that were planted during the wari consequently, we now have fifty years of experience in applying mathematics to cryptology. We know a great deal about what works and what doesn't,Doc ID: 6649792 “TOP-SHeRET-oHERR—tneonne—Nocen— fester and better computers, which in turn stimulated new and better cryptomathematical techniques, Today there is world-wide interest in mathematical cryptology, wish academic mathematicians slowly but surely discovering oct eOLegy: 2nd publishing them openly. In the process they are alee high-lighting Bound ce gnat pathematics has much to offer cryptanalysis. “oer ena ta Pound to diminish. I fervently hope that this 1ook at the pase wenwtise spire our younger mathematicians and cryptanalysts to stay cnead ce ine pack, i am grateful tor the patient and efficient assistance of in locating documents in the R51 Classified Mathesaticn Tabes colseteettensively. I also nade considerable use of the bine 9: Sabra eons ROW located (only temporarily, I hope) with Net Archives at SAB-2, and I e people there for their help. Special thanks arc due to cptcetr “BE, Spent @ great deal of time showing me how to reg computer files to officeWriter format, correcting for’me, "Y Mistakes, and then printing the final version of aie paper forDoe ID: 6649792 —Ter-sreret—onern—nRconre— occ —$ Fifty Years of Mathematical cryptanalysis (1937-1987) Introduction A. Background The driving forces behind the development of mathematical cryp- tanalysis in the last 50 years have been twofold: the critical need for intelligence during WW II and since; and the tremendous pace of technological growth in the communications and computer fields. Intel- ligence requirements, of course, have led to the provision of the man- Power and monetary resources that make it possible to mount sophisti- cated cryptanalytic attacks. 7 ogy has both created the cryptana- lytic problens and provided the 6 to attack them, and the particu- lar forms taken by technological building blocks used in cipher ma- chines have shaped the directions of cryptomathenatical research. This paper is a survey of the development of mathematical cryptanalysis and its relationship to technology. The history of manual cryptology, essentially the only form of gryptelogy in existence until the era between the world wars, appears to be a succession of rather specific new systems followed by’ "general solutions" of them. some general principles did emerge (e.g., the use of characteristic letter frequencies as described by Edgar Allan Poe in "The Gold Bug"), but by and large cryptanalytic science consisted of ad hoc solutions to specific cryptographic syste: This was true also for the Wheatstone and Kryha mechanical cryptographic devices, but with the advent between World Wars I and II of such generic electromechani- cal cryptographic components as "wired wheels" and "pin wheels" cane also the opportunity and necessity to develop generic cryptanalytic principles. Of course, each specific implementation lar usage of a general cryptographic principle require some specific modification of the general attack on it, but nevertheless there are basic approaches to wired wheel different from the basic approaches to pin wheel problems. The basic approaches to shift register cryptanalysis and to presently emerging cryptographic techniques differ fron both of these. B. Technology Hitler's new warfare techniques (the Blitzkrieg), developed be- tween the first and cond world wars, demanded new command and control gapabilities, and radio communication technology was ready to do the job if adequate cryptographic security could be maintained. The Ger- mans believed the commercial ENIGMA electromechanical cipher machine could be improved enough to atisfy tactical requirements, and commit- ted themselves to that course. They later developed electromechanical teleprinter cipher machines (TUNNY and STURGEON) for higher-level commu- nications. The United States, over the objections of William F. Fried- Ban, used for sone field communications a modified version of the C-38, called the M-209 (Army) or the CSP-1500 (Navy), that was built in this country under an agreement with Boris Hagelin, inventor of the C-38.Doe ID: 6649792 Tor srener-oneen—tneowre—necen- ax pighslevel cipher machine was the electronechanical SIGABA, which Was Pased on wired wheels. ENIGMA, TUNNY, and the Hagelin sachines Sfanpa’t? Teed and exploited during the war, but (apparently) noe SIGABA. Sophisticated mathematical and cryptanalytic techniques were devel- seated rat tack ENIGMA and TUMNY, but without the technology to build Pombes and COLOSSI (the plural of COLOSSUS) they would have’ boon cece ( ections IIA and IIB). The COLOSSI went beyond the state of engineering art at that time, and sone people said they could acces So ree sO WOrK. |The bombes ‘were largely electromechanical with cone Labes tees ctectronics, while the COLossI had a few thousand yacous Under ‘Tid, Some electromechanical components. COLOSSI were put toyether neers ip enigencies of war-tine pressures by sone of the best ensix pear to be wend j(and later here), and they did in fact work. they ape Ta da Chalen penbesing Link" in the evolution of computers from theory wrchingp ties Babbage) to EDVAC (the first programmable general pirserk Bachine)1_see_[190] and [121]. Ox eze the more automatic cryptography was needed. Cremer hee written a superb review, [88], of U.S. efforts to meet tion ering roughly the years 1950 to'1980, He emphasises the Sh of electronic technology and coMSEC design, the other sinc geehe coin from the emphasis of this paper, but since cryptographic his paper is full of insights malysts and COMSEC designers NAL: wean rece: that ‘early v.s were greatly influenced by previous dix tv) Of Sff@irs observed elsewhere (see the last paragraph ce ‘Appen~ SAEZ” pnp Etectronic technology in ‘the 1940's wes teary oF vacuum ybich could not easily be used to emulate wired rotors. hin containing multiple anodes arranged “SR major project vas therefore initiated to make an abstract math- matical study of "rules of motion". Some American unive, ‘sity mathena- ficians were put under contract to assist in this re earch, among them $-S; Cairns, an outstanding number th Illinois. John Koken(9) usc rae Doe ID: 6649792 (@3}50 Use 324 (pyareu e636 —#on_snenes_cvenn—txcowre—rocoR—— and a number of U.S. cipher machines were designed to use "Koken" regis- ers, as they were called in this form. At the same tine, general purpose electronic computers were being investigated for cryptanalytic applications and NSA (actually its prede- soon heavily involved in computer design, [181], [211]. FP. Friedman had introduced IBM punched card machinery into cryp- tanalytic and cryptographic operations before WW II, and it was heavily (and ingeniously) used by Army cryptanalysts throughout the war, {10)~ A isss study, [143], by the NSA R&D organization indicated that COMIN? Fequirements for analytic equipment had grown by a factor of about one million since 1945. ‘Since then communications volumes and speeds have jugreased manyfold with new electronic technology and new techniques being introduced almost continuously. This puts great pressure on de- signers of cryptography, who today must somehow produce key bits at rates approaching billions per second, and a who must analyze similar volumes of data. ‘computer designers have used the me technological advances in electronic circuitry to develop machines khat can do billions of binary operations per second, and cryptanalytic mathematicians have used such capabilities to develop new attacks on modern cipher machines. Each new generation of supercomputers elicits genuinely new ideas for attacks (not merely the faster implementation ef oid ideas, although that surely takes place also); cryptanalysts typically stretch to the limit the capabilities of any new tools they can obtain as they grapple with previously intractable problems. can now afford whereas they previ- ously purchased commercial cryptography. Moreover, many more commer. cial cipher machines are offered for today by many more companies fhan ever before. This means that today's machine cryptanalysts can no @ on a few known cryptographies, but face instead an ly 300 commercial machines which may be used by our tar- sand an ever increasing number of indigenously designed (and thére- fore unknown) cryptographies. It is also true that more forms of infor- mation are being transmitted today; cryptanalysts have to deal not only vith record traffic ("messages") but also with speech (both analogue and digital), facsimile, computer data, telemetry, video, and other eso- teric types of data. Bea sense aon, tress ooDoe ID: 6649792 —FoP-spenst-enenn—txconre—nocoR—— Ronald Rivest of MIT believes, (193], that today's computing tech- nology gives the cryptographer an overwhelming advantage over the cryp- ftanalyst, and argues his thesis by means of an example. In my opinion, he is partly correct, but his approach is entirely too simplistic and ignores the realities of protecting high-speed, high-volume communica- tions systems. It is nevertheless true that modern technology is max- ing cryptanalysis much more difficult than ever before. C. Mathematics OXF 8638 oe Early in his career William F. Friedman consciously set qut to sys- tematize cryptology, and he laid the foundations of mathematical cryp- tanalysis not only by his own work and writings (though he was nota mathematician) but by hiring mathematicians (e.g., Solohon Kullback and Abraham Sinkov) among his first assistants when the arhy's Signal Int. iigence Service was set up under his leadership after Yardiey's Black Ghamber was disbanded in 1930. This trend yaé given added emphasis during the years of World War II becau: mmber of noted mathemati- cians (and some who were to become noted) wisely were drawn into cryp- tanalytic work, such men as Alan Turing ~ Tutte, I.J. Good, and Shaun Wylie in’ England, and Marshali Hall, Jr., and Robert Greenwood in the U.S., to name a fev, (See paragraphs A and B of Appendix I for a probably incomplete iist of mathematicians who worked in cryptanalysis during the war.) Moreover, it was the pioneer= ing work of the Polish mathematician Marian Rejewski, [192], that was vesponsible for the later British and American successes against ENIGMA (see paragraph A of Section II). It has turned out, of course, that cipher machines are particularly susceptible to mathematical analysis (although they aren't always solved or exploited), and the work of these men firmly established the value of mathematics in cryptanalys The outstanding contributions to cryptanalysi: ematicians caused both the United state: need for continued mathematical assistance to that discipline. Accord- ingly, following the merger of the U.s. Armed Forces that took place fhortly after the war, the Armed Forces Security Agency (APSA, which made by these math- and England to recognize the ing the mathematicians s.s. cairns von Neumann, C.3. Tompkins, Cc. Shannon, and H.P. Robertson. reorganized in Jan 1953 and renamed the NSA Scientific Advisory Board (NSASAB) with S.S. Cairns acting as chairman, [15]. A year later NSASAB suggested that three pan- be formed under its aegis, and these were subsequently estab- gc. One of then was the Mathematics Panel, which continued in op- eration until it was disestablished by then Director Adairal Gayler in 3970. Reference [15] contains a list of mathematicians who had served gr che Mathematics Panel up to 1965; it is reproduced in paragraph ¢ of Appendix I. | Recommendations of the Panel were taken seriously and many were implemented; such actions include the initiation of the NSA Technit gal Journal and the formation of the CryptoMathematics Institute. Panel members were also of great assistance in our efforts to recruit mathematicians.Doc ID: 6649792 At about the same time that .ScAc formed, NSA also embarked on S a recruitment program for. mathematicians to supplement those who ‘stayed with the Agency .upon’ leaving military service. Some 70 were recruited in 1951, by: sich mathematicians as Marshall Hall, Jr., and Who had been recalled to active duty during the Korean conflict Most of these new people had Masters Degrees in mathematics, and about half survived a clearance process that for the first time included the polygraph. This group, known as the Junior Mathematicians, has made outstanding contributions to cryptomathematics. However, the project hot effort and it was not till 1963 that a continuing hiring was established (in the interim but fairly generous direct hiring of mathenati- cians by various elements of NSA). A list, derived from memory, of those Junior Mathematicians who were finally cleared is contained in paragraph E of Appendix I. Nearly all have now retired. In 1952 NSA also initiated what was to become the annual SCAMP (for ‘Special Committee Advising in Mathematics, with "P" added for ef- fect; (61), p. 3) program, a project in which prominent mathenati- cians are cleared and brought together for a few months in the summer to work on difficult cryptomathenatical problems arising at NSA. A great quantity of high quality work and many useful ideas flow fron this project well as contacts valuable in recruiting mathematicians for full ‘ti ployment. Appendix I lists the nongovernment mathenati- cians who attended the first ScAMP ion. A few years later, in 1959, NSA established a "captive" think , the Communications Research Division of the Institute for Defense Analyses (IDA-CRD), located in Princeton, N.J., [152]. Many prominent mathematicians, among then A.A. Albert, J. Barkley Rosser, Gustav Hed- lund, ‘and Donald Knuth, have worked at IDA-CRD on tempo rary F) appointments and a number of equally talented ones are,there on permanent appointments. IDA-CRD has administered the since about 1960. Such general cryptanalytic techniques as well as a number of specific Gryptanalytic suchesses produce: CRD, have amply repaid the in- yestment. (y9)-PL 88.36 of Frank Raven, 1963 saw the beginning of the Pl cryptologic’ Mathematician Program in which 20 to 30 high-quality thematicians are hired each year to enter a three-year program of con- bined on-the-jsb training tours and formal classroom training in the ap- Plications of mathematics to cryptanalysis. Most of these mathenati- cians come t¢ NSA with Masters Degrees; have Doctorates and sone have only Bachelors Degrees. This program has been a remarkable suc- , with graduates now working in all parts of this Agency, including executive management leve: The Junior Mathematicians and the Cryptologic Mathematician Pro- gram have not been the only sources of mathematical talent for NSA, fewer than half the Agency's mathematicians belong to these groups. The others have come as direct hires to R5, X1, G4, AS (or to predeces- sors of these), and to a few other organizations, and they too have made sfgnificant contributions to mathematical cryptanalysis over the ( : x) 5° y3)-18 usc 788 es by3)50 USE 30240 (pare eeeDoe 1D: 6649792 er years. It should statisticians ( are included in the Paper. Solo- mon Kullback (a previous sy (a one-time con- sultant for NSA) are amon: statisticians who have contributed to c IGP 636 meeeateve that at the present tine NSA is the largest employer of Bathematicians in the world. At the end of 1987. there were’ ast Per- Geocey th Bachelors Degrees in mathenatics, another 245 with Masters’ fee tually doing or also a sizeable nun- in mathematics holding other job anager", or "Cryptanalys oh em, (Geerorew The 20 years from 1950 to 1970 saw the devel pment of a large bod; "Of Bathematical theory relating to cryptologic aspects — Then e introduction of the Data Encryp National Ce Bureau of stan: D. Public cryptologic Re: in, (86), Fediscovery of nonsecret encryption, which they Stypeeiic key cryptography), thus triggering extensive’ intecrst ay GEYptclogy among research mathematicians all over the wesid. Also, the ancreasing importance of coding theory for communicerines technology bas fueled a great deal of mathematical research in thee field, which Siaeeagkt t2,0verlap cryptanalytic shitt register mathematics ee’ a con: siderable extent Chapter 4 of (197]) eral recent paj 196 jow that our Gryprology. | In addition, public key cryptography was ine gependently discovered by university mathematiciare, [86], several Yaen nes seg nS Janes Ellis first conceived it in 1970, [safe eins ceded sor eae te new, AFeas of mathematical cryptanalysis thee sii1 ign cryptographers: areas are being. rature will makeDoc ID: 6649792 —ter-enenes—oneex—txconre—rocon——$ Another aspect of today's technology that will greatly affect cryp- tology is the rapidly increasing power and decreasing cost and size of microprocessors. Many new cipher machines today based on micropro- cessor chips, which means that the cryptography is in software form and can thus be changed easily and inexpensively (and frequently, if de- Whereas cryptography implemented in hardware can be expected in in use for quite long periods of time hence justifying some time and expense to develop attacks, software cryptography can be re- Placed overnight which means that attacks must be developed under tine pressure, if at all; it may not even be cost effective to attack usages of software cryptography that change too frequently. On the other hand, it is more difficult than most people realize to devise secure cryptography and therefore we may expect frequent software changes at least occasionally to produce highly exploitable systems. Identifying and diagnosing them will be the problem. E. Prognosis Mathematical cryptanalysis is in a time of transition caused by technological changes in hardware and by unprecedented public interest in cryptology. Huge volumes of enciphered communications are on the air today and volumes are increasing exponentially, providing more op- portunities for cryptanalysis than ever before. Of course, formidable obstacles must be overcome in order even to mount cryptanalytic at- tacks: collection technology must be developed to cope with these vol- # methods to select vulnerable transmissions must be devised; sig- analytic technology must be modernized; and adequate numbers of mathematicians and cryptanalysts must be trained to deal with tomor- row's problems. But that is ever the position of cryptanalyste ind communications and cryptographic tech- he other hand, technology is a two-edged sword. —Supercomput- ers of every generation have been eagerly embraced by cryptanalysts; in t, cryptanalytic needs have driven the development of computer hard— ware technology and are largely responsible for the U.S. lead in that field, [211]. Too, bombes of WW IT, or| challenge is for cryptenathenaticians to remain no more teps behind the cryptographers * exa}PL 6.26Doe ID: 6649792 —Sop_spenee_eueen—txconre—HOCON— I. Mechanical and Electromechanical cipher Machines ff FP eratoty Of cryptology up to the second World War has been very nicely summarized by William F. Friedman in a series of six tectuece, area ges to NSA employees; these were published in 1963 and lates terse seen tO7]+ rm the last of his lectures Friedman discussed, rather wnecengl¥, @ number of mechanical cryptographic machines such ae'tee wpeatstone manually-operated device and the Kryha springedeives Goo yice;., Neither of these was really secure and neither Nave rise to any gigniticant general cryptanalytic techniques. ‘Friedman then aeseee the developm el cryptography, particularly that which took place in the united states. He also described ene Hagelin B-21 and M-209 devic 209 is the U.S. Army designation of a machine Ergaused fox Army field use; it is nearly identical with the comeccics device described in Appendix IV). Friedman made no se; PURPLE machine, nor, indeed, of any Japanese m (see (491), probably for reasons of security, know principie was observed quite rigorousi. Neither did he 018) -PL 86-36 =F > TOD SECRES UHRA —sneoNtTe—ROCOR (yah use 798 (byar80 Use Joe4eDoe ID: 6649792 & (DyShause 7 (oy3180 Use 3024)Doc ID: 6649792 =lo- fore18 usc 708 foy2y80 USE 20240)Doe ID: 6649792 1X3} 4B USC 708 (XSPS0 USC 2024 (xSHPL 8-98Doe ID: 6649792 B. Teleprinter Cipher Machines ees This category contains the cerman sz-40 and s2-42 on-line cipher fa TUNNY by the British wuring WW IZ) that are described id [11]; the German T¥52 12- (xh 18 USC 788 (ey3rs0Use 3c24Doe ID: 6649792 s8usc 708 50 USE 20240)Doe ID: 6649792 =14- foQr4B USC 708 (yr 80 USE 20240)Doe ID: 6649792 eS 15: (@33}10 usc 790 (oy3780 USE Jo2u (rrPL Beeex , (0y3)-18 usc 796 Doe ID: 6649792 (by3}-50 USC sozaq) (D)SHP L a6-36 =16~Doc 1D: 6649792 =17-Doc ID: 6649792 t (o)50 Use aoe) oP sons sens —tneonre—aocon— ee 18.Doe ID: 6649792 ‘TOP BECRET-URERR—RCONTC—ROCON— (raPL 868 III. Electronic Cipher Machines No single electronic cipher machine, nor even a-‘small group of mS to be responsible for the development of’ any significant body of cryptanalytic theory. Rather, it is the generic technology it- self that has shaped the course of cryptanalysis of such machines (see ' endix V for an example of electronic cryptography)’. REDSrEDRa ERE eet There are at least two reasons for this. First, the theory origin- ated in U.S. and British COMSEC studies that begah before any electron- ic cipher machines even existed and continued throughout the develop- mental phases of a number of equipments. Much of it led to design revi- sions before production began and so cannot Be attributed to anything that was ever actually built. A considergble portion of the theory grew out of abstract mathematical research specifically related to an} ing tangible. paper, [88], is an excel- ie way in which electronic technology shaped U.S chin : is, the cryptanalysis of electronic cipher \ -19- 5 POP ERE REE LECRIE OCT “xn (ox3)-18 use 756 fexerao Use 2024Doe ID: 6649792 {¥3150 USC 3024%y OP 8636Doe ID: 6649792 21; XS) 18 USC 798 IB e0 Ue ae)Doe ID: 6649792 (KHPA, 06.98Doe ID: 6649792 23) tt tt {813} usc 70, Biol 538Doe ID: 6649792 24 (1318 USC 708Doe ID: 6649792 1) 18.USC 708 (byars0 Use 2024) atoc ID: 6649792 ox) (330 Use 3024s) ~26-Doc 1D: 6649792 om foy3)50 Use 2024) —son_sacnan_cupnn—iaconze tees Iv. other Techniques : There are a number of cryptomathematical techniques and theories that were not developed in connection with specifi¢ cipher machines (and some that were developed within compartmented problem areas whose details. cannot. be discussed here) that I believe ar¢ important enough to mention in this paper. As NSA's.mathematical population grev over the years, the amount of classified cryptomathematical activity in- creased and diversified so much that it is now extremely difficult to survey it compr ive I have therefore triefi to identify math atical developments that are general and will have or have had last- ing technical consequences for cryptanalysis. I haye included also sev- al techniques important to data processing in general, such as sort- ing, whose cryptanalytic applications have warranted considerable clas- sified development internally. Most of the above.can be categorized as either statistical methods or algorithms, although there are a few which it is more convenient to consider separately. Statistical and probabilistic questions and methods pervade cryp- tanalysis. The cryptanalyst continually wants "to know how likely some observed or hypothesized event is, or where to set thresholds for sta~ tistical tests, or how to program a computer ‘to recognize plain text; the variations’ are endle: These questions nearly all relate to the results of manipulations of data (i.e., algorithms) carried out or to be carried out by the cryptanalyst or by a computer. To call certain cryptanalytic techniques "statistical" while others are called "algo- = rithms" is thus largely a matter of emphasis. and personal taste. C jy all statistical cryptanalytic techn: algorithmic tures and most cryptanalytic algorithms,have some statistical tutes: |, iy judgments in this matter have resulted in the following cat- egorizations.ox (2)3}-18 usc 708 (04330 0st 30249 Doe 1D: 6649792 PHP 8036 jater in-1938, solomon Kullback, Sne of Friedman's Published his pioneering work "Statistical Methods in , (142],, Which has now been declassified and is available from Aegean Park Pr + in it Kullback-sketches some gen- eral aspects of :PFobability and statistics, describes briefly a few stributions of interest mainly to manual cryptanalysts, number of cryptanalytic. a - ais Ligation: fie: ‘cone p——wptanalytic applications of these no-_ Ke TUNES -a_great-wany-tablesand charts text trequenc yy data for several languages and graphs of This may well in professional conceivably the first by athematical statistician, one of any nationality. SS fon enone t—enenn—nnconre—nocon———_ ° ‘ex (ox3} 9 usc 756 (23980 USE 2024) (pyre eeeDoc ID: 6649792 =29- (oy) 8 use 756 (ja) 80 Use 3c24Doc ID: 6649792 30- i W3)-18 USC 798 xSP USC 30% DIOR eseDoc 1D: 6649792 B. Algorithms SST an gorithn is an explicit step-by-step pecific task, a method that can be buil grammed on a computer. — Fon enenst_opnn—taconre roca (213}18 usc 708 (0)3)50 Use seq method for accomplishing t into a machine or pro- IghBusC 798 ()9h80 USE s0e40) IarPL 8038Doc ID: 6649792 (oxsh1s usc 76 fen3y200c ae)Doc ID: 6649792 18.usc 798 rare saeDoe ID: 6649792 -34- 18 usc 708Doe ID: 6649792Doe ID: 6649792 36. (e391 80 Use 2024 (arr 8aDoc ID: 6649792 == Sob snonetoHERR—encoNre—mOCUR— 7Doe ID: 6649792 (o33h38 usc 788 Dh 30 Use 30) Ter srener omens —xconre—rocor— oRayPLa88Doe ID: 6649792 Tob _SEchEs uaa _taconze necen— 7 V. Computing Power Gryptanalysis has always required enormous investments of tine and effort for data manipulations and for computations of both nunecicer and logical types. At one tine they were carried out with peneil sad Paper (charcoal and cave walls?), but as cryptographic systems became EO tues eee ond Communications becane nore voluminous it was necessary Wiisizn § Machines to perform these functions. Sometine around iose- gittiam F. rriedman introduced the use of IBM punched card equipment for cryptanalysis (and also for the constriction of codebocks fer ue. eee ggan’ Guring Wi II special purpose hardware appendages were fitted nneme ct these machines in spite of IaM prohibitions against suck tinkering; (10]. | Many machines were also constructed during the Besides ac’ frequency counts, compare streams cf data, ete., (210), Poe ides the now highly publicized pombes and cOLossr. Excepe' ter the j@ Were all special purpose devices. In- the process giving the United states the technology. (OV) 06-96 A. Special Purpose Devices jal Purpose Device (sPD) is used at NSA’ to refer to ony tachine built to perform a specialized task, usually one related <2 C cryptanalys: haps the first SPD was the ‘original Polish cyclom= eter an ,glectromechanical device built py Poland in the mid- ist in making a catalog which enabled the Poles to recever deity Xeys for German Army ENIGMA ‘traffic -(the cyelocetor exploited tne pong Grundstellung indicator system). This device was foie lowed by the Polish bomby (plural of bomba) andthe British bombes (see p—Batsazaph A of Section Iz), both used to exnloit the Burau Teta te Puring the war there were constructed a wide variety of relatively ante PDS te, do such "general" special functions as making frequency fape) emygrious kinds (input being supplied usually on posches Paper fae), Combining two data streams (e.g., forming the bit-by-bit mod 2 Tytie alae, e1eprinter messages), etc. Such machines were Lovied tae ayes ais. A number of SPDs were also built to pertors ryption op- these were ana- d by the actual German or =35- 22 ox Doo ID: Gees (0x3)-P.L 86-96 CONNIE Was a photoelectrical comparator of punched pape The first model was delivered in Jan 1948 for experimenter lise qt operated at 5000 characters per second. : Two JROBINS began operating at NSA (really AFSA dt the time) in Randle 2} ‘gant,the plan at that tine was to acquire severe? op trey to poe engtt OU requirements. They, too, were phocoelerriea: cofpara- ° Sors and also ran at a speed of 5000 characters es gecond. =40- S02 seen —tmeonre— recor —(HPL 8636 —Ter-srenetonerx—nnconre—rocon—— ith the introduction of digital compnters into cryptanalytic op- ( erations in the came predictions of the demise of SPDs. However, the Doc ID: 6649792 work; in still other ca: sing a computer {PAE hot Be cost effective. Most importantly, a requirement foo pine wippervption of messages in certain cipher system Seages may eretinne HASting for computer solutions even theligh the work would not overload Shouse ey ey ree onawer in any case (assuming the problem hae hice steace eeiority), ds to build a special purpose computer desioneg eo attack the specific problen in question. The bonbe fs sech o weeine (although COLOSSUS tumed out to be much more flexibi ihc (3-18 use ran (oy3rs0 Use Se2qiy fysret BeseDoe ID: 6649792 Sob ssn aHeRA—enconte—recon— say ~42-Doe ID: 6649792 IHL 26.96 TOP SrCRET—ouBRA—taeonre—necot— «* Analytic aid SPDs have now been largely superseded by remote terni- Rals connected to general purpose computers. of various sizes and, more Fpsently, by desktop computers. Analogue SPDs used solely for decryp- tion have also for the most part been replaced by terminals and/or per= sonal computers. B. Digital computers The Navy approved the proposal and embarked on the development Of what became ATLAS I, the first general purpose computer to be used onapTyptanalytic problems, [103]. Much of the design philosophy and ery OF the machine instructions were heavily influenced by cryptana- EG Considerations, and these in turn have influenced computer design fo this day. Computers were invented mainly for scientific nushese soenhing calculations, and might have developed quite differently had not cryptanalytic applications been injected in those early years, x gact, the ATLAS I and ATLAS II computers were specified by an Bea Predecessor and built for it by a company called Engineering’ Rew arch Associates (ERA) that had been Up specifically to build sarsbtogtaphic analytic equipment" for the government, [222], (ALAS Tt subsequently was marketed commercially as the UNIVAC 1103), “ERA was formed in 1946 by Howard T. Engstrom (later a Deputy Director of Noa) soe billien ¢. Norris (later president of Control Data Corporation, nov tired) with the help of Ralph I. Meader and the backing of Johin'e” jaa 7, 82S S00n Pought by RenRand which later merged with UNIVAC, gnd still later many of the best technical people left to form Conveot Data Corporation which in turn spun off Cray Research, Inc. Sam Snyder, one of Friedman's early recruits, has written an excel- pene pistory, 211], of NSA general purpose computers covering she Period ftom 1945 to isea. In this present paper 1 will attempt merely ko, identity some of the highlights of that period and since that ork relevant to cryptanalysis.Doe ID: 6649792 0 usc 2024) eset as se eokizet Computers were programmed in absolute machine language fae weet? RuRbers) “by persons who "learned vatle doimee: Debugging mivarneraal time at the console of'the computer itecis, “eeugging tine frame sone experiments were being carried out in yoreunel computer access to cryptanalysts, resulting in 2 Series of systems: ROGUE, which used Atma? IIT; -ROB'ROY, which Vere: qpcabis and RYE, [162], which initislly used Uiiree wot ‘the ie were upgraded later to UNIVAC 4954's." Th stly to manual system cryptanalysts, also employed them profitably. They Sty One 6: the most important requir ements of the analyst: access to con: puting power. Machine cryptanalysts depended primarily on the nmain-frames, the the Tete toe ge thele day. “They, foo; required easy access, and in sos cate, 1950's and the 1960's that really sane they wanted prograas ronbe written quickly; there just was no poaching: way to give analysts sacnag Computers. To get prograns written in a nutes: Eine in eats eaxned to progran in assembly language ten then (some- time in the early 1960's) fn FORTRAN Gone? COBOL. | Open-shop progran- thi galled, became officially sanctioned at aboue tree efforts were nade ‘to provide four. round time for de- bugging runs of FORTRAN programs. All ‘th tions, as well as those for operational rune conducted "over the counter"; card decks with programs to or data to be run were taken to a counter lo not then named T, of course) where After they ters where Bookbreak- priority, computing In early 1962, HARVEST we ight years of develop PP. 26-43 of is instruction he concept of op- 8 point of view. running on a 24 the counter not operated ly for cryp- ES Meanwhile, IDA-CRD (which was established in 1959) had in 1960 ac- Gyired its first computer, a coc 1604, ana ees developing an operating System specifically designed to give researchers tn easiest access pos- 44 TOP _SECRED KSA —tnConTe—Hoco—Doc ID: 6649792 See tnin @ year or two A5 (the Soviet probler ox Tor SEcrer—omnra—tncorre—secen— gible. Any Person on the technical staff could take his program deck So, the, card reader and read it into the computer (or rather into the disk file that served as an input buffer). Facilities were avallame Shennar Be could monitor the status of the run whenever he wished, and when it was completed the output was automatically printed on the’ line printer, As Plans were made to upgrade IDA-CRD's 1604 to a CDC 6600 (that year's supercomputer), the decision was made to do away with card decks and use instead the then new cathode ray tube (CRT) terminals for intere active program input and control of input data from disk storage. Thus was born IDASYS, which featured the first-of-its-kind full screen text gaiter and permitted a researcher to sit at a CRT to write prograse which could then be compiled and run at the push of a button! sacs around tine was a matter of seconds for a compilation, not the mininva gf four hours required for over-the-counter transactions. The Coc e600 Pesan running at IDA-CRD in the summer of 1967, and even the most dyed~ inwthe-wool conservative (1.e., Glenn stanly) soon abandoned the "tous rity" of his card decks. Reference [68], pp. 2-5, gives a brief sate line of IDA-CRD's computer history. ) and 64 under the influence of the demonstrated effectiveness-Gf the operating system, sought and acquired. cDc 6600 and/or 7600 cone puters dedicated to their ovn problens, and installed IDAS’S which chen a into the splendid NSA FOLKLORE operating systen. Fros those initial installations have grown the present CAP, CAR, and ICAP compione As cryptanalytic problems have grown in volume, Siversity, and con- plexity, so the computer power has been increased by acquiring more Gone Rytery and ever more powerful ones. Historically, computer power tor 45 pnd 4 has approximately doubled every two years since 1975) end so ds pstimated that this rate of incre ‘have to continue’ for the Additiona: led now xploding PRC problem), for x1 ). wth in computer r for. W (signals anal; (COMSEC evaluations), besides the present supercomputers, technology for peskerking and tor powerful desktop computers has emerged, making it paggnically possible to fuitill every cryptonathenatician’s deere ot payene Supercomputing powe: available at his or her own deshe anos FARES Money, though, andit will be a few years before the areas nat ane’ Tealized, but NSA $8 moving (slovly) in that direction Gueines: ablé numbers ‘of pergo’ (PCs) are now present in working are being nega nets (IANS) are in place in a few offices, and plang Bzg:deing consideted tor making the supercomputers accocctble tenes wg angtworkinig. | One of the large roadblocks is the problem of pene xiding adequate’ computer security features, a problem fer fren coped at the tine this paper is being written. 3) 18 use 78 (oya)-50 Use se2a) ( wxsrew' eee 45:Doe ID: 6649792 —Ton_snones_siern—tnconre—nOCOR— VI. Public Key cryptography Alzget, ai} known public key cryptosystens (see appendix VII) are jathenatical in nature, depending on transformations ttee wis dirticult S2acnvert in general.’ some public researchers have ‘aecernet that the tational complexity (reference [111] contains ic to the understanding ard problems should be used as the For instance, the general knapsack problem is fP-complete (and therefore hard in general) ond this ghould lead to a good public key cryptosystes according to’ this phi- BOR RECESS enone COT (biahsause 788 (o)e}50 Use ae24() (areu seasDoc ID: 6649792 sor “on tora} se usc rats URE SeanDoe ID: 6649792 (yQh4B USC 708 fy3)80 USC 202 (arr 806Doc ID: 6649792 ex (pyahse usc 798 (bya 80 USC 3024) Te? -srener—onenn—anconre—rocon— (xO 0636Doc ID: 6649792 Tak SECRES_-oHER—ERCORTO NOOR OH a scree ty9 0 USE 30247) OL 8638 VII. COMBEC SG=T~Tn the evaluation of v-s. and ar: tish-ctystédyeters, noth neviy Proposed ones and those i Y nalysts « = sider all th there are a number of generic Systems tease reate PRO CONSEC arena. The reasons for this wre chee we ereneT® today have features ditterent from most of those fancy by opera~ Egonal cryptanalysts, and, nore important, ‘that comes evaluators must consider types of attacks that may be impractical with today's technol Bey cont ote Likely to become feasible in future y ars. The future must be considered because cipher machines Proposed. today, if. actually Pdi are likely to be in use for many years te gome. The communica~ tions they protect may also need protectixe ror years following the ac- huge fzansmission of the information, perhape eyen after the machines have been taken out of use. Forecasting developments in computing and gguade ©, fechnelogy and their future costs “ist therefore an important ea SOSRC activity. = soo ss enet ene —txconre—rocor—Doe ID: 6649792 — For _enenes_onenn—tneonte—rocor— d 51. ee STS ROC “ons {bra 36 use 798 (oya}30 Use 3024) (oavPLeeseDoe ID: 6649792 ox (2)2)-18 usc 798 ()ohs0 use seta) (are seseoc ID: 6649792 “ox (oy3}-8 use 790 (ojo 80 Use 3024) (pyar seaeDoe ID: 6649792 ter enenet-ennnn—nacomre—nocor— VIII. summing up The past fifty. y m to comprise three cryptographic periods; the electromechanical era, the electronic era, and the computer (or con- Phegrsonal) era that has Just begun. In the electrosechereeey era, ci- phe: tei paged on vired wheels and/or pin wheels, components tain properties that led to certain types of atteokente fypes of mathenatics were applicable. More and seen see sagctromechanical designs evolved over the years, or rectally in those countries: having the most sophiceicaten nced hardware technology. This forced develop: more -sophisticated attacks but ‘ex faster computing machinery. =54= En TRE RECRED SBR ene ONT MOCO (Shab use a8 IS Use seu)conn) 1792 (y3)-18use 798 Doc ID: 6649792 3)-50 Use 30245) (aprLense Although new techniques were needed in each era, it is also true phat Cider methods continued to be applicable to many cryptanalytic Problems. Not only did cipher machines of previous eras cencinne in Bee.Well beyond the introduction of newer ideas, but some of the newer tine we tig Winerable to classical methods. Moreover, at the present time we find that cryptanalytic techniques are required to stiye prob- dene in other fields, notably in signals analysis where modern communes gations technology ‘has turned the business of characterizing complex and previously unseen signals into a cryptanalytic task, me cigar that cryptanalytic advances over the years have @ directly from cryptographic advances and that theis dictated both by the technology (in the forms of harde and algorithmic design) involved nd by the technology available for manipulating computat io; q have found no evidence of cryptanalytic peing developed in the absence of concrete coMsie or secur cryptana- jytic problems. In the present environnent, T believe oertnn Site pre- pare for the future by increasing our level of mathemati computa- oxpertise and by closely monitoring technological developments areas and in the domain of public cryptologic research. Ne have already taken one step that cryptanalytic leadership; % : acquires the requi= jaathenatical resources to keep up. with (at-a ninimuny on stay ahead of (if* nie) the public cryptographers, and those targets Ensgh may take advantage: of, all the public Work, aa well ee ier eets broadening range of application’ sf coryptanalytic ‘methods. (0X3). 86-36Doe ID: 6649792 Appendix I: Mathematicians in cryptology in the 1940's and 1950's A. British Mathematicians in ww II cryptology a ate is Book “ccHo", (227), Nigel West mentions @_ number $f Buitish mathematicians who worked at ‘aug je Obvious that ne has not identified alt ch in cryptanalysis at that time, and he may ve fleia’° pe Bathematicians who vere in fact traines field, names of those West calls mathematicians? prenser Aitkin, "Professor of Mathenatics at Eainbur fh Univer sity" (p. 153), ** ‘wx, {DNS}? L. 08.96 Harold Fletcher, "the cambridge mathematician” (p- 180); I, 3;, S008, Cambridge mathematicia: of Statistics at West Virgini, Peter Hilton, sity" (p. 191); John Jeffreys, "Downing cote, je", one “of .mt) distinguished . satnenaticians fron ‘cambridge (p. 126) [/-2t oe "they C Dillwyn Knox, talented, if ‘unorthodox, mathematician" (e. 90-91), (en MoE Ay ote otevittie, "later' Professor of Mathematics at London Univer- sity" (p. 205) ronald Michie, "later Professor of Machine Intelligence at Eain- burgh" (p. 191); jy H+ A+ Newman, "University Lecturer in Mathematics at cambridge" (p. 191); Alan Turing, "King! one of “three distinguished mathematicians from Cambridge" (p. 128); W. T. Tutte, one of "the mathematicians" (p. 191); Gordon Welchman, "Sidney sussex College", one of "three distin- guished mathenaticians from Canbridge™ (6° 128); gern H, Whitehead, “later Professor of Pure Mathematics at can- bridge" (p. 192); Shaun Wylie, "brilliant topelogist" (p. 191). 56 ——feP oneness sHna—enconze—ticcon