Interview with Whitfield Diffie on the
Development of Public Key Cryptography

Conducted by Franco Furger in Palo Alto, 1992

Edited by Arnd Weber

Version of 16 January 2002

Berkeley 1964. Picture by Ron Enfield

In Arnd Weber, Soziale Alternativen in Zahlungsnetzen, Frankfurt, New York 1997, an evaluation of this and other interviews with the developers of public key cryptography has been made.

The interview is also quoted from in: Weber, Arnd: Enabling Crypto. How Radical Innovations Occur. In: Communications of the ACM. Forthcoming (April 2002)

1954 Diffie learns about cryptosystems at school in New York City
1962 Studies in Berkeley
1964 Goes to MIT in Boston
1965 B.S. in mathematics at MIT
1965 Hears about rumour that National Security Agency plans to encrypt their telephone communication
1969 Learns about home terminals in Palo Alto
1973 Travels in the USA
1974 Goes back to Palo Alto
1974 Merkle develops puzzle-system
1975 IBM proposes DES
1975 Diffie develops concept of public key cryptography

Franco Furger explained the sociological research question on the socio-cultural determinants of the development of technologies and then asked Diffie how it happened that public key cryptography was developed (see Weber 1997).

Diffie: I have been interested in cryptography, intermittently, since I was ten. When I was ten years old, I had a teacher, named Mary Collins, in primary school who taught us one day about simple cryptosystems and I was fascinated and I got my father to get me all of the books on the subject from the City College Library in New York. It occurs to me now as I say it that there are books I do not remember from that collection that that library ought to have had because they were written at City College, but maybe I just don't remember them. And in any event I read all the children's books and I tried to read Helen Gaines' book "Cryptanalysis" and didn't succeed. As a matter of fact I have yet to read Helen Gaines' book. I was interested for a short period of time and I didn't do a great deal.

Then, when I was a teenager I was very interested in military matters but for some reason I recall that cryptography seemed vulgar to me. I thought that everyone was interested in cryptography. I was interested in more esoteric things. And so I didn't pursue it again at that time.

But, while I was at MIT every now and then I would learn some little tidbit, something would come up and somebody would mention something interesting and after I graduated, I went to work for a company called Mitre and there my boss told me in fact how modern cryptosystems work, that is that they generate a keystream in exclusive or it with the plaintext.

And I began thinking about cryptography. At the time I was working in the Artificial Intelligence Lab at MIT, which was cheek by jowl with the Multics project, which is a big computer timesharing project with some very substantial security ambitions. They had the problem that they required you to trust other people, because if a subpoena came for your files from a court it would go to the system programmers who would not be interested in going to prison in order to protect your files. So I thought that cryptography was a technique that did not require your trusting other people. That if you encrypted your files, then if a court wanted your files they would have to come and threaten you and you would have the control to make the choice as to whether you would surrender your files or not.

I began talking about the importance of cryptography to people but I didn't do any work on it at that time because I wasn't really interested in it, I was working on problems I considered more important, and I tried to talk a number of people into working on cryptography and they subsequently have wished that I had succeeded in talking them into it, but nothing happened for another two or three years. And then in 1972 I had moved here to the Artificial Intelligence Laboratory at Stanford, I was working with, under John McCarthy on proof and correctness of programs. Our money was coming from a man named Larry Roberts, who was the head of the information processing techniques office of something called ARPA which supported most of computer science. Roberts wanted to have cryptographic protection on the Arpanet. So he approached NSA and, for reasons I have never understood, NSA rebuffed him because he was, NSA construed its customers very narrowly at the time, in essence it only worked for the military. But, he was the head of a hundred million dollar a year military research budget and why they said no to him, I don't know. I need to ask him, he now lives near here. But he went for some reason I also do not understand, to my boss, John McCarthy and asked him for assistance for his problem. And John McCarthy and Ralph Goren, who was his chief system programmer, and a woman named Peggy Waters with whom I was living, cooked up a cryptographic system, and I began thinking about this system. My assessment of the application of cryptography in the security of timesharing systems prior to this had been that it had to be built in and it had to run fast enough that it wasn't any inconvenience. And in general what happened is that encrypting a file multiplied the copying time by about a hundred and, therefore, nobody ever did it. And so I began studying this algorithm, mostly examining its complexity, not its cryptanalytic strength and I gradually became willing to do what I had never been willing to do before. Wanting to study cryptography and if had there been a book on the mathematic shelf, a modern book on it on the mathematic shelf in the bookstore, I would have bought one, but I didn't feel like reading. I've always been very sensitive to notation and style, at least I was at that time, I found it very hard always studying modern books on analysis. I like to read about Banach spaces and I didn't like to read the details and the sequences. But I gradually became willing to read the classical literature of cryptography.

I studied David Kahn's book, I started late in the fall of '72, I read very slowly. By the spring of '73 I was doing nothing but working on cryptography and John McCarthy was fed up with me and we separated. I took a leave of absence and I began travelling around the country.

First thing happened is I met my wife in New Jersey and we began travelling together and in the summer of 1974 we went to the IBM Laboratory at Yorktown Heights [N.Y.]. That had the only significant non-governmental cryptographic group in the country at the time, that's the group that designed DES [Data Encryption Standard]. And I spoke to Allen Konheim who was very secretive, he didn't want to tell me anything. He only told me one thing, and since then he wishes he hadn't said that. He said: An old friend of mine, named Martin Hellman, was here a few months ago, and he's out at Stanford, and two people can work on a problem better than one, and so when you get back to Stanford, you should look him up. So I got back to Stanford in the fall of 1974 and I called Marty Hellman and it just worked out wonderfully. Each of us found the other person the best informed person willing to talk about the subject he had yet run into and so we then worked together from the fall of 1974 until the fall of 1978. Really, the meeting was just amazing, not only did we get along, but I had come down to Stanford from the East Bay, we staying over in Oakland and Mary Fischer, my wife, had gone off to do something and Marty and I talked for an hour and then when she returned he invited us over to his house.

My wife is a great expert on animals and in particular on dogs. And it turns out that Marty's mother-in-law is a dog breeder and his wife knows a lot about dogs, all together as families we found a great deal in common. I began working casually with Marty and Marty found some, found a little bit of money to support me. And the spring of 1975 John McCarthy left and went to Japan. And his daughter was then, his younger daughter, was a little too young to be able to take care of herself here in California alone, because she didn't have a car, you can't go shopping, you can't get anywhere without a car, so we moved into John McCarthy's house which was very convenient, because I was living 200 meters uphill from Martin Hellman, and in a house that had what was at the time very rare, it had a good workstation and a high-speed connection with Artificial Intelligence Lab. My wife was working for British Petroleum up in San Francisco and I was just keeping house and staying home and thinking. Quite a number of things happened at this point, several people play a role.

I should back up actually. Back up to something that happened, amusing to me, in the summer of 1974. I spent most of the summer in Cambridge, Massachusetts, which, I mentioned I visited Yorktown Heights, that was a day trip, it's a two hour drive down there. And Jim Reeds, who is one of the smartest people in cryptography, was as graduate student then in statistics at Harvard. Jim Reeds was holding a seminar on cryptography and I went to it and I took a friend named Bill Mann who was working on a cryptographic project for a communications company and he was interested in acquiring background, because it was a bizarre business at the time, you could be working on cryptographic projects for the government, still they wouldn't tell you anything about what they wanted you to do. He went there just to learn stuff. And we explained the notion of a one-way function to Bill and he misunderstood it. And his understanding was what we would now call a trapdoor one-way function. I wrote this down in my notes and we all speculated, we thought it would be very hard to build one. We were not sure if you could build one, and we weren't sure what use it was and we forgot about it. Years later, I found in my notes.

I was doing a couple of things. In the summer of '73 in some sense, public key was discovered, as far as I can tell there, but the discovery wasn't understood. I mean that happens with many things and I think that's the kind of thing you are interested in. How much influence I had I can't tell, you see, because at the time it seems to me I made the discovery I was not aware of that, it was only somewhat later when I was looking at my own note that I saw that that had been so. So then in the winter of '74 and spring of '75 I was at first living up in Oakland and then living at John McCarthy's house and Hellman and I were running a seminar, and I had gone to visit a man named Lance Hoffman, who is now at the George Washington University, he was up at Berkeley. I think he had done a Ph.D. thesis on some aspect of computer security and I had met him here at Stanford two or three years earlier and he said to me that he had a student named Peter Blatman who was interested in cryptography. And Blatman, it turned out, had been a friend (when Blatman was a child) of David Kahn. I talked to Blatman about cryptography and Blatman began to come to our seminar.

I have to go back again. Basically, I have been working on the two problems, at this point in some sense for three years, one of them for 8 or 9 years, and one of them for 3, 4, 5 years. In 1965 somebody told me, mistakenly, as it turns out, that NSA, National Security Agency, the U.S. cryptologic organization, encrypted the telephones within its own building. That turns out that was not true but I believed this and I began to worry, to try to figure out what good it would do. Because I remember I had this view of cryptography in which the critical value of cryptography was that you didn't have to trust other people. And so I never understood the classical notion of a key distribution center, which is a trusted resource that you have to share. So I can now imagine how they might have done it at the time although it turns out they didn't do it. They really ran their phonelines in shielded conduit, it makes more sense. So I began worrying about how you could secure the whole North American telephone system. How could you ever have a spontaneous call between two people and have it secure?

Furger: But was it just, how can I say, an intellectual game for you, or was it a real commitment?
Diffie: People have asked that question, I can't distinguish the two. I have always worked on what interests me. And what interests me I take, it has always struck me that one of the things that characterizes good intellectual work is a certain self importance. I remember noticing some years ago, I worked quite a while for Bell Northern Research, I was sitting at lunch with the people in my department and they were bullshiting about some things, they were talking about intellectual, sort of social problems, I don't know what the issues were, but it was clear to me that they regarded this as casual conversation. They just took it for granted, they couldn't do anything about this or they wouldn't make any contribution. And it struck me that that was in very sharp contrast to the style of conversation, particularly at MIT, I had grown up in, in which we believed, basically that, we didn't take ourselves lightly, if we were interested, our thinking about something was important, so when you ask was this an intellectual game, no more or less so than my interest in proof of correctness of programs.

In 1965 I started working at Mitre and the most interesting piece of work there was called Mathlab, symbolic mathematical manipulation system, which later eventually became Macsyma and I began working on that. I really didn't know anything at the time, I knew some mathematics, I didn't know anything about computers, I had to get into system programming and I began working on the compiler and then I learned about the notion of proof of correctness of programs and immediately it seemed to me, it still seems to me that that's maybe the most important problem in all modern engineering, so I began to think about that problem. Then John McCarthy came to town, John McCarthy was almost the only person at the time who understood the importance of that problem. So I talked to John McCarthy and he offered me a job and I moved out to Stanford. That was in 1969. My meeting with John McCarthy was late June '69.

By then, the work on proof of correctness had taken off, and lots of people were working on it, whereas when I came here, John McCarthy had about two graduate students and then one or two within the three years I was here, two or three more people arrived to work on the problem.

In a sense I really worked with nobody because my approach was entirely different from the approach of that group. John McCarthy is a formalist. He knows a lot of formal logic and so forth. We are compatible in the sense that I also knew a lot of formal logic and appreciated formal methods, but in retrospect what I was interested in is what would now be called programming methodology. His approach was take programming as it exists and figure out how to construct proofs about programs the type of objects we know now. My view of the matter was we clearly dump the program, the reason that large programs are so confusing is that we don't know how to write them, so I was trying to understand how you write programs better, so what I was doing, what most interested me was less formal, I did some work on proof checking and things like that and supported his activities but my real interest was in the organization of programs. The second when I arrived in late 1969 here at Stanford, John McCarthy had just written a paper on the subject of home terminals. And he envisioned people buying and selling and booking through home terminals and things like that. And I began to think about what, I don't know what the buzzword was at the time, about paperless offices. I couldn't understand what you would do to replace the signed document. So that's when I began thinking about, you know, what we now call the problem of digital signature. Because I reasoned that since written signatures depend critically on the fact that it is so hard to copy the document but since digital documents are always exactly copyable, how could you have a signature? In some sense, the interesting point is, I made one discovery that solved two problems, one of which I've been thinking about since 1965, and one of which I've been thinking about since 1969.

Back to the fall of '74/'75. We were holding the seminar, I met this man Peter Blatman and he told me about Ralph Merkle. And this is discussed also in "The First Ten Years of Public-Key Cryptography". He said Merkle had been working on the problem of secure communication over a channel with somebody you'd never met before and I had thought about that problem for a long time. I was convinced you couldn't do it and I persuaded Blatman you couldn't do it. But I went back thinking about the problem. And so I think Merkle plays a very critical role.

As it turned out Merkle already probably knew how to do it at that time, but he saw the problem differently from the way I did. Merkle took Hoffman's class. Hoffman wanted everybody do a term paper, and he wanted a proposal for the term paper very early in the term. So Merkle submitted a proposal which is a paper about his key exchange system and Hoffman didn't understand it and Hoffman made him rewrite it and he still didn't understand it. And they got fed up with each other and Merkle left the class. And Hoffman threw away the chance to have the well known names read Merkle and Hoffman rather than Diffie and Hellman. And Merkle went on working on that problem and eventually wrote a paper that finally appeared as "Secure communication over insecure channels" about five years later [CACM 1978]. Part of the reason that it wasn't appreciated sooner is that Ralph Merkle didn't write very well. I have a draft somewhere, he wrote a hundred pages paper or something, it was very very hard to read. [1]

As I said, I was sitting, keeping house and thinking about working on these problems and I knew two different things. One, I was keeping a list of problems of what I called problems for an ambitious theory of cryptography, that is to say I didn't think of those at first as what I was working on, just whenever I've come across some problem that seemed to be very hard I would bring this down in this category. What I was interested in was the classical problem of producing secure conventional cryptosystems. I was thinking about the interaction of two things. One of the critical threads in modern cryptography is what is called the IFF problem, the Identification Friend or Foe problem. Horst Feistel, who was at Yorktown Heights, whom I did not meet on that occasion, I did not meet him for years later, but I talked to a man named Allen Tritter who was working with that group who had spoken a lot with Feistel. And Tritter told me that Feistel had this criterion he called the IFF criterion for the strength of a cryptographic system of what we know call the chosen plaintext condition. When I went back to Cambridge, I met a man named Peter Schweitzer, who had worked for Horst Feistel 20 years earlier, in the 1950s. And so I learned something about the problem that they had worked on, this problem of IFF. And I recognized that that protected you against an eavesdropper who intercepted the communication on the channel. I had been thinking for a year or two at that time about the problem of the one-way functions and login. I was interested in that for two reasons. Mostly because, that was in my mind most simplest cryptographic problem. If you could prove that something was a one-way function that was the most practical thing to attack, that was purely cryptographic. It seemed to me these two techniques protected you against two different threats. One threat was the compromise of the authentication information, and that's why it was done in computers, where the computer itself was quite vulnerable. And the other was the eavesdropping on the channel. So I was setting out to try to evolve a protocol for combining the two phenomena. That led me first to realize that you could have a digital signature, that you could have somebody who could judge the answer to a question that he couldn't answer himself and I cooked up a scheme for doing that, it turned out to be not any good. I reflected on that in this paper I was writing about protocols. I kept on thinking about that.

We back up again. In March 1975 the DES proposal appeared in the Federal Register. I immediately, the political problem with DES is one I have never been able to solve, because I did not understand how those people dared either standardize a secure system or standardize a non-secure system, because if it was secure - since they were primarily an intelligence agency - they would be afraid that they wouldn't be able to read other people's traffic. If it was not secure, since they had certified it for the use of U.S. government organizations, they risk having a tremendous black eye if it were broken. So I didn't understand what they could do.

And the minute it appeared, I envisioned what I called a trapdoor cryptosystem. And it now seems, looking at Shamir's work that this is much closer to the truth than I imagined it could be at the time. I imagined a cryptosystem with two properties. The first property was the one that DES appears to have. It is one element in a space in which good cryptosystems are sparse and therefore, if you alter it, you are likely to get a worse cryptosystem. So in some sense there is no good cryptosystem close and having distance or some other method to each good cryptosystem, they are sparsely distributed. And in the second place, and this is not at all clear, this is what people usually mean by trapdoor, and it's not true of DES, that there was some secret information remembered in the design process that maybe even the good ones are breakable by the people who knew how they were designed. So I had that idea, that's one of the things I put in my list of problems for an ambitious theory of cryptography, I saw no hope for that one, I saw that problem as one to be solved after we'd figured out how to make provably secure systems. But in any event, some ten days, two weeks something after I thought this way of having an enhanced IFF so that the responder could answer in such a way that the challenger could judge the answer but could not have constructed the answer. I realized this could be turned around to solve the problem that had been aching in the back of my head for 9 years, 10 years. Then, if you had this asymmetry, then and I don't know about the terms, if I had this public key of your's, it could be turned round, so I can send you a message, even though I have never talked to you before. I had not at the time sorted out the authentication issues from the secrecy issues. I think that's one of the most important threads in the later history of this.

Unfortunately, in that moment I realized that I'd discovered something important and I was acutely aware that the computer on which I was keeping my notes was not secure so I didn't write it in my file of ambitious problems so I've lost the exact date of that problem, it's some time in May 1975, I believe. If possible, looking at notes would tell us more and I haven't looked back at my old records there, they're sort of buried, but what I did, I think I first told it to my wife when she came home from work and then I walked down the hill and I told it to Marty Hellman and it took me about 45 minutes to explain it, to convince Marty that it was true; I didn't have an example of it at the time I was trying to convince him that something could be done and he immediately had the invitation from Jim Massey to write a paper for the Transactions on Information Theory. And he immediately said how would you like to join me in writing this paper [both laugh]. Marty is a very good talent scout. That's when we began working on that problem. That's in essence all of what I called the pre-history. Then as we thought about this for several months and we wrote a paper that eventually appeared in the National Computer Conference in 1976, and that was written in December 1975. And we sent preprints around and we deadlined a submission for the conference very early, had to give in before Christmas, or by January, 1st. or something like that and immediately we sent the preprints around very widely and I gave one to Blatman who gave it to Merkle. And Merkle, who had been beating his head against a stonewall for years, suddenly realized, here were people who would understand what he was talking about. So Merkle then got in contact with us, he called me because I lived in Berkeley and sent Marty Hellman a copy of his paper, because Hellman was farther away. And, once again Hellman was a very good talent scout, he immediately recognized that Merkle was a very smart person. And Merkle was a graduate student in computer science at Berkeley and Hellman offered him support at Stanford and he moved, because he had no particular advisor to work with at Berkeley. At that point we began to get active, another graduate student named Steve Pohlig began working on cryptography. So there were four or so of us and we had an active group working at Stanford.

The most original person I can identify in this case is Merkle. Merkle had the earliest claim. I had been thinking about the problems for the longest period of time. So I have one kind of claim to being the earliest. Bill Mann had enunciated the solution earliest on, but he didn't understand it and none of us who listened to him understood it, which is another sort of claim. Merkle had the first thing which is really any sort of a solution to the problem: the Merkle-puzzle system. It is a remarkable object, because it might even be practical in some channels. The argument for its security is exceedingly clear, although it is a reductionist argument, depends on having primitives with simpler properties, but properties we don't know how to prove. It is utterly resistant to being improved in its work factor to where it's of use on most channels. I never cease to be amazed by the puzzles system, it's a fantastic discovery.

And then I got a message, there is a very smart man, named Peter Deutsch, who is now, a little more recently than I am, working for Sun, and he sent me a message in 1976 or '77. He sent me a message saying what's known about cryptosystems with the following property and spelled out the public key property. Since he didn't think about cryptography he hadn't had the mental block against what seems in a way some obvious. There is nothing wrong with these asymmetries. It's just the way that people were used to thinking about cryptography made them think that was difficult to do. So I sent him back a message, saying we call these public key cryptosystems, we know the following things about them. I think if we hadn't discovered it, somebody else would have within a very short period of time, because we were thinking of the requirements of a digital signature, became sort of clear and once you began thinking about authentification problems in computer networks. We were staying with Leslie Lamport, also now with the DEC center of systems research, over here, a couple of blocks away. At some time, fall of '75 I think, he asked me questions about this, he seemed to have thought of these things as problems. And I couldn't tell how much had come from talking to me because I hadn't talked to him about it a great deal.

Furger: As I mentioned the difference between a personal commitment and just academic problems. You told me that in your mind this difference doesn't exist. I like this attitude very much. But I think it's not a usual one at least as far as I can overview academic circles. To what extent are your own friends people that in some sense share with you this attitude? Is this attitude something important to you when you are working with other people?
Diffie: I'm not sure whether you formulated the attitude correctly because I'm not exactly sure what the attitude is, but let me probe the terms you've used.
Furger: I can give you perhaps an example from my own biography. When I started electrical engineering, I had finished my graduate studies, I had the feeling that I had been in some sense in a prison for 4 or 5 years. I was an engineer, but I felt rather naïve in the world outside. I was interested in a lot of things, for example, environmental questions, the connection between economic issues and environmental issues, when I met this group at the geography department by chance [Gruppe Humanökologie of C. Jaeger]. At these groups, at least one or two very, very smart people were interested in very difficult philosophical questions on the one side, but they don't consider this kind of questions just as academic games, they're focusing more or less on practical questions.
Diffie: They do or don't consider these philosophical questions as academic games?
Furger: No. One guy told me there is nothing more practical than a good theory.
Diffie: That sounds reasonable to me. I like that.
Furger: But in the social sciences it's not usual at all, there is nothing more unuseful than a good theory, it exactly the contrary, it a lot of speculation in some sense.
Diffie: I think you are really saying there are no good theories in the social sciences.
Furger: There is no agreement about a good theory.
Diffie: We in science are spoiled in a sense by two things: one is the success of mathematics. Mathematics is the study of problems so simple that they have good solutions. We have ambitious, rigorous demand of a mathematical proof. And that only works because we can only prove rather simple things, I mean lots of them too complicated for me to understand, but the point is, if you compare to real world problems, problems you don't chose, but the world poses on you, you can't expect when you deal with a really complex problem to have, at least initially, anything like the quality of answer you get in mathematics where you study artificial things.

There is an old joke, which I think is immensely informative. Somebody comes across a man in the middle of the night and he is grovelling around under a streetlight looking for something and the man says: What, have you lost something, and the man says: I lost my car keys. Where are they? And the man points way over in the darkness and he says: Why are you looking here? The man says: The light's better here.

That is almost all of the activity of science and engineering. It's a combination, you look right under the center of a streetlight, you don't find anything that wasn't known before. If you look out into the darkness, you don't discover anything, cause you can't see anything. So you're always working at the edge of the streetlight, trying to find your keys.

Another thing that spoils us. We have another one that works in a different sense almost as well as mathematics, and that is fundamental physics. If you look at these simplest physical phenomena, and they only don't look simple, of course, because they involve a lot of hairy mathematics and accelerators and things like that, but the most basic physical phenomenon, the theory of those things works so remarkably well. Electrodynamics gives you twenty decimal places of agreement for the best experiments. And so we get this exaggerated notion of what you can expect to achieve in a theory that predicts experiment. And we have no ability to do that in the social sciences. Therefore, you can say by the standards of physics or mathematics, the theories even in biology, but certainly in sociology are dreadful, and that leads to contempt for sociological theories. I don't see any reason to assume that that means that you can't have good theories in that area. A good theory in sociology would be very practical, I assume. It would help you to understand how societies behave, how people make decisions, etc. That problem is too complicated, nobody knows how to do that and that's why there is so much contempt for those theories.

Furger: My point was to say that there are lot of people that are really not committed to real world questions. I know a lot of them in physical and mathematical sciences, too. And my question was on this point. Perhaps there is a difference between Europe and U.S., I don't know, because I really don't know anything about your way of doing research in the U.S. But in Europe it seems to me quite clear that there is a kind of separation, people thinking about real world issues, either in social or physical sciences, are a minority. And I got the impression you belong to this minority.
Diffie: I think I do, but I think there are two distinctions here and I had confused it a little bit. One of the distinctions I make is between I think there are people who think about things and think they're interesting, but don't think about that as as their real work, don't consider themselves qualified to work on that. Some people make sharp distinctions sort of between their recreational musings and their professional work. I don't make that distinction very much, that's as much an outgrowth of a personal failing as anything else, that is to say I can never tell how much work I do because I'm unable to work on a thing that doesn't interest me, I am not at all good at working on assignment, I think why should I work on this, because there's money in it, I don't work on it, I sit and think about something else.

The other distinction is whether you feel answerable to some real world requirements. And yes, I think in about 1970, I don't remember, late sixties, I decided I was an engineer. Now I continued to do work that was almost entirely mathematical, but I just realized that what I was basically interested in was building things and that made me an engineer and I've always since then regarded myself as an engineer, whereas the mathematicians, previously I had unquestionably regarded myself as a mathematician. I had been a fan of [Jeffrey] Hardy's essay of the 1940s mathematician's apology in which he trumpeted the moral virtues of not being interested in application. It took me a long time to grow out of that, to realize that that was not at all the way I felt. I think there are two kinds of distinctions there. It is my impression that lots of people working in cryptography have no interest, have no deep concern with real application issues. They are not trying to solve a practical engineering problem. They are trying to discover things clever enough you can write papers about them. And, of course, I have to admit it's often not easy to tell the difference.

I understood the importance in principle of public key cryptography but it's all moved much faster than I expected. I did not expect it to be a mainstay of advanced communications technology by 15 years from the time of discovery and there are thousands and thousands of these things actually operating in the world. I had not expected that. When I first discovered it I thought it was going to be a very difficult problem that was going to be worked on academically for a long time before there were any applications. And I made that failure of judgement certainly to the early 80s. Ralph Merkle was working for me at BNR [Bell Northern Research] in 1980 or '79 and I didn't understand that we could, he left because we didn't get along very well, I don't mean we had any fights or anything, but we thought about things somewhat differently, I was clearly, in retrospect, far too conservative. I would have been content with building a platform of conventional cryptographic techniques to protect communications and he didn't want to bother with that at all. He wanted to move directly to producing public key systems. I thought they were too computationally expensive and so forth. I didn't realize that RSA would prove to be as satisfactory as it has proven. I thought it a really fine first example of something, but I was convinced that better systems would be discovered in the near future. And I would have been absolutely amazed to see 10 years after that we have really no competitor to RSA and it's proved much more satisfactory than I would have imagined.

Back slightly to the other point. You should talk to Gus Simmons, Gustavus J. Simmons of Sandia National Laboratories. Simmons is somebody who seems to me to make a rather sharp distinction between the things he works on professionally and things that merely interest him. With dreadful consequences in that he has brilliant ideas but he won't publish, because they are not his specialty and he is afraid, he doesn't feel qualified to publish these ideas. You can talk to him about the process of discovery in cryptography, because he is one of the leading people in developing public key cryptography as a practical thing. His group, he saw, as I didn't, immediately that it could be done quickly, as an immediate thing, not a long range thing, and his group picked up RSA as a thing to work on and worked on high speed arithmetic and did good work in that area on the security assessment, mostly on factoring, they pushed the frontier of practical factoring from the 50 digit range to the 80 digit range in the time from 1980-85 or something, look up the exact details on what the numbers were, I don't remember. And they worked on fabrication, and they built chips. That group was responsible for nuclear command and control, he saw a practical problem; here is a way we can improve the control over nuclear weapons, improve the verification in a whole range of things. Of course the one he talks about most is test ban treaties and verification of data from remote seismic observatories and things like that. But the fundamental issue was the control of weapons. He saw here was a new technique to apply to that and he immediately went on with driving his whole group with him to work on that as a practical matter. I think he would be of great interest to you.

Furger: Are there any specific local or regional aspects that influenced your work? You mentioned that you were at MIT and that was in some sense very important to you. But in which sense exactly was this important, the kind of education you got at MIT?
Diffie: It's important in several ways. One thing that is important for you to know is that I think much better of MIT now than I did then. I wasn't very happy as an undergraduate at MIT. I wasn't a very good student. The reasons, I think it is a very fine school, but I basically think it is a very fine intellectual climate that it has a tradition that doesn't tend to make these distinctions about what, we have at least a myth in the United States that we think of the European educationalist institutions at least in the past as having been very stratified. Professors would or wouldn't do this that or the other, the assistant would or wouldn't, you know, professors certainly wouldn't wire up a piece of equipment, they'd insist on having a technician hired to do it. MIT is a place exactly the opposite to that. I like to think of it as the macho tradition at MIT, that is what a real person does is he does anything that comes along. Ron Rivest, although he is not so to speak natively an MIT professor, he was not an MIT undergraduate, maybe he is not an MIT student at all, he was a theoretical computer scientist but then he decided that RSA was feasible, it had to be shown to be feasible, and so he learned how to design hardware and he designed a board to do it. And then he decided that board was too expensive, so he learned how to design silicon chips. He designed a chip to do it, though he never got that chip working. Ron Rivest works on whatever seems important to him, that he works on, he doesn't have a preconceived view: 'I'm a mathematician, so I'm not going to design any circuits or wire up any boards, or test any boards'. So that's one, I am not the epitome of that tradition, but I think I was very strongly influenced by that and that was very big in the Artificial Intelligence Lab. What we call the hackers, the inner group of people in the Artificial Intelligence Lab, they knew how to write software, knew how to design hardware. There were a lot of them, the people who went on to be the founders of Symbolics.

The way in which MIT was not congenial to me at the time was, MIT was in the first place all male, which I did not find congenial. Not all male, in my class there were 25 women and 925 men, something like that. It had the atmosphere of a boyscout camp. That had a terrible influence.

And second place it was politically very conservative. I had come from the environment of New York City, a very left, politically active environment. I grew up among what were called red diaper babies. So I didn't find it politically congenial at all.

I spent two summers during those years at Berkeley and I liked Berkeley tremendously, Berkeley was a very leftist campus. In the first summer I was at Berkeley I met three or four people I counted as lifetime friends. In the period of six weeks I came to love that city as much as I love Paris or the south of France or New York, all of which places I'd spent a lot more time in. I almost moved to Berkeley, I was talked out of doing it, probably a mistake. But I think well of both places and all I have to say is they're different, they're both very, very vibrant intellectual organizations. I was not so thrilled with Stanford. Stanford strikes me as a brilliant imitation of a great university.

Furger: Brilliant imitation?
Diffie: Yes, it's in fact Frankenstein's monster. It lacks the spark of life. You can drive in there, it has beautiful architecture. If you look at it on paper, it has brilliant professors, it has very smart students. If you look at the rankings of departments, they are very high. And yet the excitement that's present at Berkeley or MIT or Harvard, does not seem to me to be present at Stanford. There is something slightly cold and remote. And when I was at Berkeley, you know, the Berkeley University Newspaper refers to Stanford as down on the farm, which actually historically refers to the fact that the land was Stanford's farm, a century ago, but that suggests a sleepy place. I never understood why they called it that until I'd worked here for six weeks. By comparison with Berkeley it's a very dull place. I'm not speaking currently, I'm not currently involved with either one. I know less about what Berkeley is like now than what Stanford is like.

People thought about things at MIT and they took that thought seriously. People meet in bars after work all over the world and talk about the great problems of life and death and the world and politics and they don't take themselves seriously. They can do nothing else except they chat about these things in bars after work. The things talked about in conversation at MIT, the people who were talking about them took themselves seriously. If they had good ideas on them they would recognise them and work on these things. That seems to me an immensely important attitude. That really is one of the things that separates good intellects from mediocre intellects, is the understanding that the intellect matters, that you matter. If you have ambition, you might not achieve anything, but without ambition, you are almost certain not to achieve anything, if you don't believe you can achieve something.

Furger: And that was an important point at MIT?
Diffie: I don't know what I would have said at the time; looking back on it that's the way it seems to me, that conversation in MIT was what I think rather serious. And it was where I grew up in New York, also. Maybe I am just projecting my own point of view, but certainly there are even groups now where people don't seem to think that they matter.

Look, what did I do in 1973, I took off nearly two years from having a job at all. I had of course enough money to do that as an artifact of the society at the time. I was being paid as though I was supporting a woman, but I wasn't supporting anyone, so I had lots of extra money. I got interested in cryptography and I set out to, I am very pleased to say that since I have achieved what I set out to achieve, I thought, this is a very important field, there ought to be more work on this field. And some years later, indeed, there was more public work on this field. I'm proud of that as evidence of having not allowed my priorities to be set by the fact of the world of what I could get a job doing at the time. What I thought was intellectually important was what I worked on, and the way I worked on it, which was to depart, I had a great desire to travel. I had been sort of tied down by circumstances for several years. So I set out at first driving around the United States, and I had planned to go off around the world. In fact, because I met my wife, I stayed here and didn't begin travelling widely again for several years. So I went around doing one of the things I am good at, which is digging up rare manuscripts in libraries, driving round, visiting friends at universities and things, going into the university libraries and doing research there and working entirely unsupported. When I made my first talk at Stanford after I got back, Hellman described me in the flyer as an itinerate cryptographer, an itinerant being one who wanders around.

Furger: Would you say the special climate that was at Berkeley in the sixties was in some sense connected to the student movement?
Diffie: Oh yes, unquestionably for me. When I first was in Berkeley in 1962. Berkeley was very different from the way it is today. It was a quiet, gentle, very intellectual town. I did better work at Berkeley than I did at MIT, I got better grades in the courses I took there. I spent more time working and it struck me as a perfect place to do mathematics. At the same time, I found the political climate very congenial, that is any night you could go out and you could go listen to politically active discussion and things of that sort. There was a steady stream of political activities. Part of it's accident. That is certainly overall true of Berkeley. I had the good luck that one of the important politicals in Berkeley was a man named Mike Rossman. I feel a tremendous friendship to Rossman, although I've had very little contact in recent years. Rossman was one of the big people a year or two later in the student movement. He and four other people were sentenced to the longest sentences for the activities from the free speech movement. Mario Savio is the most famous, but Mike Rossman was one of the others and he wrote a brilliant memoir of his time in jail in the late sixties. He was a mathematics student at Berkeley and I guess he may have been a graduate student at that time, I am not sure, but he was in the classes with me that summer of '62. I left in '64 about three weeks before the occupation of Sprowal Hall in a big fight over what was called free speech movement. At that time Berkeley was still fundamentally to me an academic intellectual climate. It had a strong political movement. The methodology of my work was that mathematics, intellectual work and politics were somehow intimately connected, can't explain it any better.

I next returned to Berkeley in 1967, it had changed completely. It had become a very tough town. The politics had gotten very unpleasant, the police had gotten very unpleasant. Telegraph Avenue had changed completely and you saw what you had never, what was familiar to me from New York, but what you would never have seen in Berkeley, people hanging out and swaggering and talking tough and occasionally even fighting with a knife or something like that and that influence has remained. Berkeley is, there is a lot of certainly non-academic, unsavory streetlife side to Berkeley that came in the late sixties and persists. Now we have these other things, lots of people living in the street in Berkeley, lots of people are homeless, lots of people can't get jobs. If you compare it with this community there is homeless in the real world, visible poor in this community, but this is by and large an upperclass, very wealthy community down here [Palo Alto]. People have good jobs, very gentile life. Berkeley is a fascinating, is a much more workingclass town, although it largely is also an academic town, but influenced on the character of the academic institutions. Stanford is after all an exceedingly expensive place to go to school, costs 20,000, 25,000 $ a year total. I don't know the distribution of fellowships or that sort of thing. Whereas Berkeley is still a relatively speaking inexpensive place to go to school. I don't know what tuition is, but I conjecture it's a thousand dollars a term which is 3,000 a year. Living expenses are probably comparable, I don't know, well, a dorm is probably cheaper. I suppose it is a somewhat larger school, I don't know precisely.

My observation, and this is probably a way off from your topic, is that the average student in mathematics at Berkeley wasn't as good as average student at MIT. But the best students were about equivalent. Of course, in some sense, the community of the best students is formed by the best students, there only have to be a few of them for there to be a good inner group of people working in mathematics. It doesn't matter that there are another hundred students who aren't very good. The fact that Berkeley is much larger and has a much more diverse student population, and that would mean that if you judge things by averages, if you gave a national exam and said the average mathematics student at Berkeley scores a 500 in this exam, whereas the average student at MIT or Stanford scores a 700 that would not reveal the essential fact equally good, if you looked instead at the number of people who went on to prove first class theorems or something you'd find them very similar. There's something that argues very strongly for that. I read in a book some years ago, I've never checked this against any original source. There was a book about universities an I couldn't find it very readily, that discussed Brooklyn College which is little known in a sense, one of the City Colleges in New York, Brooklyn College, City College of New York and I've forgotten what the other campuses were. It claimed Brooklyn College had produced, it was only an undergraduate school, it had produced more Ph. D. mathematicians than any other college in the United States in the 1940's or 50's. One of the most famous mathematicians in the country, Cohen, went to Brooklyn College. And I think that's evidence of that claim. There were lots of students at Brooklyn College who weren't particularly good, who weren't interested in very intellectual things etc. but there don't have to be very many good ones for there to form a vibrant intellectual community in which the good ones support each other. I've somewhat lost track of exactly what you are trying to find out, I know you're investigating a discovery as a social phenomenon.

Furger: What I'm trying to do is just to get in contact with people involved in this kind of process, step inside the social blackbox. You told me you don't need a large mass of good students in order to get an exciting academic climate. You need just some interesting people.
Diffie: You need a certain number of good people.
Furger: And then the question is: There are everywhere at least some very good students in any university.
Diffie: It requires some much better than others
Furger: Why in some universities some things are possible, keep going, and in other, like ETH for example, it is much more difficult. In terms of the academic climate it is becoming much more conservative. It is becoming much more difficult to keep an interesting academic climate. A few weeks ago I had a long interview with Niklaus Wirth about this kind of issues and it was interesting for me to learn that he has almost no connections to the private industry. That is interesting because he developed Lilith machine. Do you remember this machine? [2]
Diffie: No.
Furger: This was one of the first graphical workstations in the world, developed at the Xerox laboratories.
Diffie: Palo Alto?
Furger: Something similar to Alto, this was a development in Zürich. He developed a completely graphic workstation, completely on Modula. One of the interesting things about this machine was that the machine was developed from the software side, first, first designed Modula, and then tried to adapt the hardware. At that time there was not any other comparable product. The Diablo machine and some years later the Macintosh. Nobody in Zürich in the industry realized...
Diffie: it's one of greatest discoveries in computer science.


[1] Diffie apparently does not mean Merkle's early papers (see Weber 1997, p. 163f), but later ones. Merkle: "The earlier versions were short, but every time the referees rejected the paper I tried to make it simpler and more basic - and added further explanations and examples. This resulted in the paper growing longer, and longer, and ...." (Letter of Dec. 1, 1995). Merkle stated that in the end the paper had 43 pages.

[2] Furger, Franco: Informatik-Innovationen aus der Schweiz ?
Litith / Disa und Oberon. Zürich 1993.

Last update: 30.08.2011 - Comments to:   Arnd Weber

Bitte beachten Sie, dass diese Internetseite nicht weiter gepflegt wird. Für aktuelle Inhalte besuchen Sie bitte