Interview with Whitfield Diffie on the
Development of Public Key Cryptography

Conducted by Franco Furger in Palo Alto, 1992

Edited by Arnd Weber

Version of 16 January 2002

Then, when I was a teenager I was very interested in military matters but for some reason I recall that cryptography seemed vulgar to me. I thought that everyone was interested in cryptography. I was interested in more esoteric things. And so I didn't pursue it again at that time.

But, while I was at MIT every now and then I would learn some little tidbit, something would come up and somebody would mention something interesting and after I graduated, I went to work for a company called Mitre and there my boss told me in fact how modern cryptosystems work, that is that they generate a keystream in exclusive or it with the plaintext.

And I began thinking about cryptography. At the time I was working in the Artificial Intelligence Lab at MIT, which was cheek by jowl with the Multics project, which is a big computer timesharing project with some very substantial security ambitions. They had the problem that they required you to trust other people, because if a subpoena came for your files from a court it would go to the system programmers who would not be interested in going to prison in order to protect your files. So I thought that cryptography was a technique that did not require your trusting other people. That if you encrypted your files, then if a court wanted your files they would have to come and threaten you and you would have the control to make the choice as to whether you would surrender your files or not.

I began talking about the importance of cryptography to people but I didn't do any work on it at that time because I wasn't really interested in it, I was working on problems I considered more important, and I tried to talk a number of people into working on cryptography and they subsequently have wished that I had succeeded in talking them into it, but nothing happened for another two or three years. And then in 1972 I had moved here to the Artificial Intelligence Laboratory at Stanford, I was working with, under John McCarthy on proof and correctness of programs. Our money was coming from a man named Larry Roberts, who was the head of the information processing techniques office of something called ARPA which supported most of computer science. Roberts wanted to have cryptographic protection on the Arpanet. So he approached NSA and, for reasons I have never understood, NSA rebuffed him because he was, NSA construed its customers very narrowly at the time, in essence it only worked for the military. But, he was the head of a hundred million dollar a year military research budget and why they said no to him, I don't know. I need to ask him, he now lives near here. But he went for some reason I also do not understand, to my boss, John McCarthy and asked him for assistance for his problem. And John McCarthy and Ralph Goren, who was his chief system programmer, and a woman named Peggy Waters with whom I was living, cooked up a cryptographic system, and I began thinking about this system. My assessment of the application of cryptography in the security of timesharing systems prior to this had been that it had to be built in and it had to run fast enough that it wasn't any inconvenience. And in general what happened is that encrypting a file multiplied the copying time by about a hundred and, therefore, nobody ever did it. And so I began studying this algorithm, mostly examining its complexity, not its cryptanalytic strength and I gradually became willing to do what I had never been willing to do before. Wanting to study cryptography and if had there been a book on the mathematic shelf, a modern book on it on the mathematic shelf in the bookstore, I would have bought one, but I didn't feel like reading. I've always been very sensitive to notation and style, at least I was at that time, I found it very hard always studying modern books on analysis. I like to read about Banach spaces and I didn't like to read the details and the sequences. But I gradually became willing to read the classical literature of cryptography.

I studied David Kahn's book, I started late in the fall of '72, I read very slowly. By the spring of '73 I was doing nothing but working on cryptography and John McCarthy was fed up with me and we separated. I took a leave of absence and I began travelling around the country.

First thing happened is I met my wife in New Jersey and we began travelling together and in the summer of 1974 we went to the IBM Laboratory at Yorktown Heights [N.Y.]. That had the only significant non-governmental cryptographic group in the country at the time, that's the group that designed DES [Data Encryption Standard]. And I spoke to Allen Konheim who was very secretive, he didn't want to tell me anything. He only told me one thing, and since then he wishes he hadn't said that. He said: An old friend of mine, named Martin Hellman, was here a few months ago, and he's out at Stanford, and two people can work on a problem better than one, and so when you get back to Stanford, you should look him up. So I got back to Stanford in the fall of 1974 and I called Marty Hellman and it just worked out wonderfully. Each of us found the other person the best informed person willing to talk about the subject he had yet run into and so we then worked together from the fall of 1974 until the fall of 1978. Really, the meeting was just amazing, not only did we get along, but I had come down to Stanford from the East Bay, we staying over in Oakland and Mary Fischer, my wife, had gone off to do something and Marty and I talked for an hour and then when she returned he invited us over to his house.

My wife is a great expert on animals and in particular on dogs. And it turns out that Marty's mother-in-law is a dog breeder and his wife knows a lot about dogs, all together as families we found a great deal in common. I began working casually with Marty and Marty found some, found a little bit of money to support me. And the spring of 1975 John McCarthy left and went to Japan. And his daughter was then, his younger daughter, was a little too young to be able to take care of herself here in California alone, because she didn't have a car, you can't go shopping, you can't get anywhere without a car, so we moved into John McCarthy's house which was very convenient, because I was living 200 meters uphill from Martin Hellman, and in a house that had what was at the time very rare, it had a good workstation and a high-speed connection with Artificial Intelligence Lab. My wife was working for British Petroleum up in San Francisco and I was just keeping house and staying home and thinking. Quite a number of things happened at this point, several people play a role.

I should back up actually. Back up to something that happened, amusing to me, in the summer of 1974. I spent most of the summer in Cambridge, Massachusetts, which, I mentioned I visited Yorktown Heights, that was a day trip, it's a two hour drive down there. And Jim Reeds, who is one of the smartest people in cryptography, was as graduate student then in statistics at Harvard. Jim Reeds was holding a seminar on cryptography and I went to it and I took a friend named Bill Mann who was working on a cryptographic project for a communications company and he was interested in acquiring background, because it was a bizarre business at the time, you could be working on cryptographic projects for the government, still they wouldn't tell you anything about what they wanted you to do. He went there just to learn stuff. And we explained the notion of a one-way function to Bill and he misunderstood it. And his understanding was what we would now call a trapdoor one-way function. I wrote this down in my notes and we all speculated, we thought it would be very hard to build one. We were not sure if you could build one, and we weren't sure what use it was and we forgot about it. Years later, I found in my notes.

I was doing a couple of things. In the summer of '73 in some sense, public key was discovered, as far as I can tell there, but the discovery wasn't understood. I mean that happens with many things and I think that's the kind of thing you are interested in. How much influence I had I can't tell, you see, because at the time it seems to me I made the discovery I was not aware of that, it was only somewhat later when I was looking at my own note that I saw that that had been so. So then in the winter of '74 and spring of '75 I was at first living up in Oakland and then living at John McCarthy's house and Hellman and I were running a seminar, and I had gone to visit a man named Lance Hoffman, who is now at the George Washington University, he was up at Berkeley. I think he had done a Ph.D. thesis on some aspect of computer security and I had met him here at Stanford two or three years earlier and he said to me that he had a student named Peter Blatman who was interested in cryptography. And Blatman, it turned out, had been a friend (when Blatman was a child) of David Kahn. I talked to Blatman about cryptography and Blatman began to come to our seminar.

I have to go back again. Basically, I have been working on the two problems, at this point in some sense for three years, one of them for 8 or 9 years, and one of them for 3, 4, 5 years. In 1965 somebody told me, mistakenly, as it turns out, that NSA, National Security Agency, the U.S. cryptologic organization, encrypted the telephones within its own building. That turns out that was not true but I believed this and I began to worry, to try to figure out what good it would do. Because I remember I had this view of cryptography in which the critical value of cryptography was that you didn't have to trust other people. And so I never understood the classical notion of a key distribution center, which is a trusted resource that you have to share. So I can now imagine how they might have done it at the time although it turns out they didn't do it. They really ran their phonelines in shielded conduit, it makes more sense. So I began worrying about how you could secure the whole North American telephone system. How could you ever have a spontaneous call between two people and have it secure?

In 1965 I started working at Mitre and the most interesting piece of work there was called Mathlab, symbolic mathematical manipulation system, which later eventually became Macsyma and I began working on that. I really didn't know anything at the time, I knew some mathematics, I didn't know anything about computers, I had to get into system programming and I began working on the compiler and then I learned about the notion of proof of correctness of programs and immediately it seemed to me, it still seems to me that that's maybe the most important problem in all modern engineering, so I began to think about that problem. Then John McCarthy came to town, John McCarthy was almost the only person at the time who understood the importance of that problem. So I talked to John McCarthy and he offered me a job and I moved out to Stanford. That was in 1969. My meeting with John McCarthy was late June '69.

By then, the work on proof of correctness had taken off, and lots of people were working on it, whereas when I came here, John McCarthy had about two graduate students and then one or two within the three years I was here, two or three more people arrived to work on the problem.

In a sense I really worked with nobody because my approach was entirely different from the approach of that group. John McCarthy is a formalist. He knows a lot of formal logic and so forth. We are compatible in the sense that I also knew a lot of formal logic and appreciated formal methods, but in retrospect what I was interested in is what would now be called programming methodology. His approach was take programming as it exists and figure out how to construct proofs about programs the type of objects we know now. My view of the matter was we clearly dump the program, the reason that large programs are so confusing is that we don't know how to write them, so I was trying to understand how you write programs better, so what I was doing, what most interested me was less formal, I did some work on proof checking and things like that and supported his activities but my real interest was in the organization of programs. The second when I arrived in late 1969 here at Stanford, John McCarthy had just written a paper on the subject of home terminals. And he envisioned people buying and selling and booking through home terminals and things like that. And I began to think about what, I don't know what the buzzword was at the time, about paperless offices. I couldn't understand what you would do to replace the signed document. So that's when I began thinking about, you know, what we now call the problem of digital signature. Because I reasoned that since written signatures depend critically on the fact that it is so hard to copy the document but since digital documents are always exactly copyable, how could you have a signature? In some sense, the interesting point is, I made one discovery that solved two problems, one of which I've been thinking about since 1965, and one of which I've been thinking about since 1969.

Back to the fall of '74/'75. We were holding the seminar, I met this man Peter Blatman and he told me about Ralph Merkle. And this is discussed also in "The First Ten Years of Public-Key Cryptography". He said Merkle had been working on the problem of secure communication over a channel with somebody you'd never met before and I had thought about that problem for a long time. I was convinced you couldn't do it and I persuaded Blatman you couldn't do it. But I went back thinking about the problem. And so I think Merkle plays a very critical role.

As it turned out Merkle already probably knew how to do it at that time, but he saw the problem differently from the way I did. Merkle took Hoffman's class. Hoffman wanted everybody do a term paper, and he wanted a proposal for the term paper very early in the term. So Merkle submitted a proposal which is a paper about his key exchange system and Hoffman didn't understand it and Hoffman made him rewrite it and he still didn't understand it. And they got fed up with each other and Merkle left the class. And Hoffman threw away the chance to have the well known names read Merkle and Hoffman rather than Diffie and Hellman. And Merkle went on working on that problem and eventually wrote a paper that finally appeared as "Secure communication over insecure channels" about five years later [CACM 1978]. Part of the reason that it wasn't appreciated sooner is that Ralph Merkle didn't write very well. I have a draft somewhere, he wrote a hundred pages paper or something, it was very very hard to read. [1]

As I said, I was sitting, keeping house and thinking about working on these problems and I knew two different things. One, I was keeping a list of problems of what I called problems for an ambitious theory of cryptography, that is to say I didn't think of those at first as what I was working on, just whenever I've come across some problem that seemed to be very hard I would bring this down in this category. What I was interested in was the classical problem of producing secure conventional cryptosystems. I was thinking about the interaction of two things. One of the critical threads in modern cryptography is what is called the IFF problem, the Identification Friend or Foe problem. Horst Feistel, who was at Yorktown Heights, whom I did not meet on that occasion, I did not meet him for years later, but I talked to a man named Allen Tritter who was working with that group who had spoken a lot with Feistel. And Tritter told me that Feistel had this criterion he called the IFF criterion for the strength of a cryptographic system of what we know call the chosen plaintext condition. When I went back to Cambridge, I met a man named Peter Schweitzer, who had worked for Horst Feistel 20 years earlier, in the 1950s. And so I learned something about the problem that they had worked on, this problem of IFF. And I recognized that that protected you against an eavesdropper who intercepted the communication on the channel. I had been thinking for a year or two at that time about the problem of the one-way functions and login. I was interested in that for two reasons. Mostly because, that was in my mind most simplest cryptographic problem. If you could prove that something was a one-way function that was the most practical thing to attack, that was purely cryptographic. It seemed to me these two techniques protected you against two different threats. One threat was the compromise of the authentication information, and that's why it was done in computers, where the computer itself was quite vulnerable. And the other was the eavesdropping on the channel. So I was setting out to try to evolve a protocol for combining the two phenomena. That led me first to realize that you could have a digital signature, that you could have somebody who could judge the answer to a question that he couldn't answer himself and I cooked up a scheme for doing that, it turned out to be not any good. I reflected on that in this paper I was writing about protocols. I kept on thinking about that.

We back up again. In March 1975 the DES proposal appeared in the Federal Register. I immediately, the political problem with DES is one I have never been able to solve, because I did not understand how those people dared either standardize a secure system or standardize a non-secure system, because if it was secure - since they were primarily an intelligence agency - they would be afraid that they wouldn't be able to read other people's traffic. If it was not secure, since they had certified it for the use of U.S. government organizations, they risk having a tremendous black eye if it were broken. So I didn't understand what they could do.

And the minute it appeared, I envisioned what I called a trapdoor cryptosystem. And it now seems, looking at Shamir's work that this is much closer to the truth than I imagined it could be at the time. I imagined a cryptosystem with two properties. The first property was the one that DES appears to have. It is one element in a space in which good cryptosystems are sparse and therefore, if you alter it, you are likely to get a worse cryptosystem. So in some sense there is no good cryptosystem close and having distance or some other method to each good cryptosystem, they are sparsely distributed. And in the second place, and this is not at all clear, this is what people usually mean by trapdoor, and it's not true of DES, that there was some secret information remembered in the design process that maybe even the good ones are breakable by the people who knew how they were designed. So I had that idea, that's one of the things I put in my list of problems for an ambitious theory of cryptography, I saw no hope for that one, I saw that problem as one to be solved after we'd figured out how to make provably secure systems. But in any event, some ten days, two weeks something after I thought this way of having an enhanced IFF so that the responder could answer in such a way that the challenger could judge the answer but could not have constructed the answer. I realized this could be turned around to solve the problem that had been aching in the back of my head for 9 years, 10 years. Then, if you had this asymmetry, then and I don't know about the terms, if I had this public key of your's, it could be turned round, so I can send you a message, even though I have never talked to you before. I had not at the time sorted out the authentication issues from the secrecy issues. I think that's one of the most important threads in the later history of this.

Unfortunately, in that moment I realized that I'd discovered something important and I was acutely aware that the computer on which I was keeping my notes was not secure so I didn't write it in my file of ambitious problems so I've lost the exact date of that problem, it's some time in May 1975, I believe. If possible, looking at notes would tell us more and I haven't looked back at my old records there, they're sort of buried, but what I did, I think I first told it to my wife when she came home from work and then I walked down the hill and I told it to Marty Hellman and it took me about 45 minutes to explain it, to convince Marty that it was true; I didn't have an example of it at the time I was trying to convince him that something could be done and he immediately had the invitation from Jim Massey to write a paper for the Transactions on Information Theory. And he immediately said how would you like to join me in writing this paper [both laugh]. Marty is a very good talent scout. That's when we began working on that problem. That's in essence all of what I called the pre-history. Then as we thought about this for several months and we wrote a paper that eventually appeared in the National Computer Conference in 1976, and that was written in December 1975. And we sent preprints around and we deadlined a submission for the conference very early, had to give in before Christmas, or by January, 1st. or something like that and immediately we sent the preprints around very widely and I gave one to Blatman who gave it to Merkle. And Merkle, who had been beating his head against a stonewall for years, suddenly realized, here were people who would understand what he was talking about. So Merkle then got in contact with us, he called me because I lived in Berkeley and sent Marty Hellman a copy of his paper, because Hellman was farther away. And, once again Hellman was a very good talent scout, he immediately recognized that Merkle was a very smart person. And Merkle was a graduate student in computer science at Berkeley and Hellman offered him support at Stanford and he moved, because he had no particular advisor to work with at Berkeley. At that point we began to get active, another graduate student named Steve Pohlig began working on cryptography. So there were four or so of us and we had an active group working at Stanford.

The most original person I can identify in this case is Merkle. Merkle had the earliest claim. I had been thinking about the problems for the longest period of time. So I have one kind of claim to being the earliest. Bill Mann had enunciated the solution earliest on, but he didn't understand it and none of us who listened to him understood it, which is another sort of claim. Merkle had the first thing which is really any sort of a solution to the problem: the Merkle-puzzle system. It is a remarkable object, because it might even be practical in some channels. The argument for its security is exceedingly clear, although it is a reductionist argument, depends on having primitives with simpler properties, but properties we don't know how to prove. It is utterly resistant to being improved in its work factor to where it's of use on most channels. I never cease to be amazed by the puzzles system, it's a fantastic discovery.

And then I got a message, there is a very smart man, named Peter Deutsch, who is now, a little more recently than I am, working for Sun, and he sent me a message in 1976 or '77. He sent me a message saying what's known about cryptosystems with the following property and spelled out the public key property. Since he didn't think about cryptography he hadn't had the mental block against what seems in a way some obvious. There is nothing wrong with these asymmetries. It's just the way that people were used to thinking about cryptography made them think that was difficult to do. So I sent him back a message, saying we call these public key cryptosystems, we know the following things about them. I think if we hadn't discovered it, somebody else would have within a very short period of time, because we were thinking of the requirements of a digital signature, became sort of clear and once you began thinking about authentification problems in computer networks. We were staying with Leslie Lamport, also now with the DEC center of systems research, over here, a couple of blocks away. At some time, fall of '75 I think, he asked me questions about this, he seemed to have thought of these things as problems. And I couldn't tell how much had come from talking to me because I hadn't talked to him about it a great deal.

There is an old joke, which I think is immensely informative. Somebody comes across a man in the middle of the night and he is grovelling around under a streetlight looking for something and the man says: What, have you lost something, and the man says: I lost my car keys. Where are they? And the man points way over in the darkness and he says: Why are you looking here? The man says: The light's better here.

That is almost all of the activity of science and engineering. It's a combination, you look right under the center of a streetlight, you don't find anything that wasn't known before. If you look out into the darkness, you don't discover anything, cause you can't see anything. So you're always working at the edge of the streetlight, trying to find your keys.

Another thing that spoils us. We have another one that works in a different sense almost as well as mathematics, and that is fundamental physics. If you look at these simplest physical phenomena, and they only don't look simple, of course, because they involve a lot of hairy mathematics and accelerators and things like that, but the most basic physical phenomenon, the theory of those things works so remarkably well. Electrodynamics gives you twenty decimal places of agreement for the best experiments. And so we get this exaggerated notion of what you can expect to achieve in a theory that predicts experiment. And we have no ability to do that in the social sciences. Therefore, you can say by the standards of physics or mathematics, the theories even in biology, but certainly in sociology are dreadful, and that leads to contempt for sociological theories. I don't see any reason to assume that that means that you can't have good theories in that area. A good theory in sociology would be very practical, I assume. It would help you to understand how societies behave, how people make decisions, etc. That problem is too complicated, nobody knows how to do that and that's why there is so much contempt for those theories.

The other distinction is whether you feel answerable to some real world requirements. And yes, I think in about 1970, I don't remember, late sixties, I decided I was an engineer. Now I continued to do work that was almost entirely mathematical, but I just realized that what I was basically interested in was building things and that made me an engineer and I've always since then regarded myself as an engineer, whereas the mathematicians, previously I had unquestionably regarded myself as a mathematician. I had been a fan of [Jeffrey] Hardy's essay of the 1940s mathematician's apology in which he trumpeted the moral virtues of not being interested in application. It took me a long time to grow out of that, to realize that that was not at all the way I felt. I think there are two kinds of distinctions there. It is my impression that lots of people working in cryptography have no interest, have no deep concern with real application issues. They are not trying to solve a practical engineering problem. They are trying to discover things clever enough you can write papers about them. And, of course, I have to admit it's often not easy to tell the difference.

I understood the importance in principle of public key cryptography but it's all moved much faster than I expected. I did not expect it to be a mainstay of advanced communications technology by 15 years from the time of discovery and there are thousands and thousands of these things actually operating in the world. I had not expected that. When I first discovered it I thought it was going to be a very difficult problem that was going to be worked on academically for a long time before there were any applications. And I made that failure of judgement certainly to the early 80s. Ralph Merkle was working for me at BNR [Bell Northern Research] in 1980 or '79 and I didn't understand that we could, he left because we didn't get along very well, I don't mean we had any fights or anything, but we thought about things somewhat differently, I was clearly, in retrospect, far too conservative. I would have been content with building a platform of conventional cryptographic techniques to protect communications and he didn't want to bother with that at all. He wanted to move directly to producing public key systems. I thought they were too computationally expensive and so forth. I didn't realize that RSA would prove to be as satisfactory as it has proven. I thought it a really fine first example of something, but I was convinced that better systems would be discovered in the near future. And I would have been absolutely amazed to see 10 years after that we have really no competitor to RSA and it's proved much more satisfactory than I would have imagined.

Back slightly to the other point. You should talk to Gus Simmons, Gustavus J. Simmons of Sandia National Laboratories. Simmons is somebody who seems to me to make a rather sharp distinction between the things he works on professionally and things that merely interest him. With dreadful consequences in that he has brilliant ideas but he won't publish, because they are not his specialty and he is afraid, he doesn't feel qualified to publish these ideas. You can talk to him about the process of discovery in cryptography, because he is one of the leading people in developing public key cryptography as a practical thing. His group, he saw, as I didn't, immediately that it could be done quickly, as an immediate thing, not a long range thing, and his group picked up RSA as a thing to work on and worked on high speed arithmetic and did good work in that area on the security assessment, mostly on factoring, they pushed the frontier of practical factoring from the 50 digit range to the 80 digit range in the time from 1980-85 or something, look up the exact details on what the numbers were, I don't remember. And they worked on fabrication, and they built chips. That group was responsible for nuclear command and control, he saw a practical problem; here is a way we can improve the control over nuclear weapons, improve the verification in a whole range of things. Of course the one he talks about most is test ban treaties and verification of data from remote seismic observatories and things like that. But the fundamental issue was the control of weapons. He saw here was a new technique to apply to that and he immediately went on with driving his whole group with him to work on that as a practical matter. I think he would be of great interest to you.

The way in which MIT was not congenial to me at the time was, MIT was in the first place all male, which I did not find congenial. Not all male, in my class there were 25 women and 925 men, something like that. It had the atmosphere of a boyscout camp. That had a terrible influence.

And second place it was politically very conservative. I had come from the environment of New York City, a very left, politically active environment. I grew up among what were called red diaper babies. So I didn't find it politically congenial at all.

I spent two summers during those years at Berkeley and I liked Berkeley tremendously, Berkeley was a very leftist campus. In the first summer I was at Berkeley I met three or four people I counted as lifetime friends. In the period of six weeks I came to love that city as much as I love Paris or the south of France or New York, all of which places I'd spent a lot more time in. I almost moved to Berkeley, I was talked out of doing it, probably a mistake. But I think well of both places and all I have to say is they're different, they're both very, very vibrant intellectual organizations. I was not so thrilled with Stanford. Stanford strikes me as a brilliant imitation of a great university.

People thought about things at MIT and they took that thought seriously. People meet in bars after work all over the world and talk about the great problems of life and death and the world and politics and they don't take themselves seriously. They can do nothing else except they chat about these things in bars after work. The things talked about in conversation at MIT, the people who were talking about them took themselves seriously. If they had good ideas on them they would recognise them and work on these things. That seems to me an immensely important attitude. That really is one of the things that separates good intellects from mediocre intellects, is the understanding that the intellect matters, that you matter. If you have ambition, you might not achieve anything, but without ambition, you are almost certain not to achieve anything, if you don't believe you can achieve something.

Look, what did I do in 1973, I took off nearly two years from having a job at all. I had of course enough money to do that as an artifact of the society at the time. I was being paid as though I was supporting a woman, but I wasn't supporting anyone, so I had lots of extra money. I got interested in cryptography and I set out to, I am very pleased to say that since I have achieved what I set out to achieve, I thought, this is a very important field, there ought to be more work on this field. And some years later, indeed, there was more public work on this field. I'm proud of that as evidence of having not allowed my priorities to be set by the fact of the world of what I could get a job doing at the time. What I thought was intellectually important was what I worked on, and the way I worked on it, which was to depart, I had a great desire to travel. I had been sort of tied down by circumstances for several years. So I set out at first driving around the United States, and I had planned to go off around the world. In fact, because I met my wife, I stayed here and didn't begin travelling widely again for several years. So I went around doing one of the things I am good at, which is digging up rare manuscripts in libraries, driving round, visiting friends at universities and things, going into the university libraries and doing research there and working entirely unsupported. When I made my first talk at Stanford after I got back, Hellman described me in the flyer as an itinerate cryptographer, an itinerant being one who wanders around.

I next returned to Berkeley in 1967, it had changed completely. It had become a very tough town. The politics had gotten very unpleasant, the police had gotten very unpleasant. Telegraph Avenue had changed completely and you saw what you had never, what was familiar to me from New York, but what you would never have seen in Berkeley, people hanging out and swaggering and talking tough and occasionally even fighting with a knife or something like that and that influence has remained. Berkeley is, there is a lot of certainly non-academic, unsavory streetlife side to Berkeley that came in the late sixties and persists. Now we have these other things, lots of people living in the street in Berkeley, lots of people are homeless, lots of people can't get jobs. If you compare it with this community there is homeless in the real world, visible poor in this community, but this is by and large an upperclass, very wealthy community down here [Palo Alto]. People have good jobs, very gentile life. Berkeley is a fascinating, is a much more workingclass town, although it largely is also an academic town, but influenced on the character of the academic institutions. Stanford is after all an exceedingly expensive place to go to school, costs 20,000, 25,000 $ a year total. I don't know the distribution of fellowships or that sort of thing. Whereas Berkeley is still a relatively speaking inexpensive place to go to school. I don't know what tuition is, but I conjecture it's a thousand dollars a term which is 3,000 a year. Living expenses are probably comparable, I don't know, well, a dorm is probably cheaper. I suppose it is a somewhat larger school, I don't know precisely.

My observation, and this is probably a way off from your topic, is that the average student in mathematics at Berkeley wasn't as good as average student at MIT. But the best students were about equivalent. Of course, in some sense, the community of the best students is formed by the best students, there only have to be a few of them for there to be a good inner group of people working in mathematics. It doesn't matter that there are another hundred students who aren't very good. The fact that Berkeley is much larger and has a much more diverse student population, and that would mean that if you judge things by averages, if you gave a national exam and said the average mathematics student at Berkeley scores a 500 in this exam, whereas the average student at MIT or Stanford scores a 700 that would not reveal the essential fact equally good, if you looked instead at the number of people who went on to prove first class theorems or something you'd find them very similar. There's something that argues very strongly for that. I read in a book some years ago, I've never checked this against any original source. There was a book about universities an I couldn't find it very readily, that discussed Brooklyn College which is little known in a sense, one of the City Colleges in New York, Brooklyn College, City College of New York and I've forgotten what the other campuses were. It claimed Brooklyn College had produced, it was only an undergraduate school, it had produced more Ph. D. mathematicians than any other college in the United States in the 1940's or 50's. One of the most famous mathematicians in the country, Cohen, went to Brooklyn College. And I think that's evidence of that claim. There were lots of students at Brooklyn College who weren't particularly good, who weren't interested in very intellectual things etc. but there don't have to be very many good ones for there to form a vibrant intellectual community in which the good ones support each other. I've somewhat lost track of exactly what you are trying to find out, I know you're investigating a discovery as a social phenomenon.