Talk:Cryptography/Archive 4

Possibly stupid question
From the article: It's for this reason that while computing power is approximately 2,000 times greater than it was just one decade ago, the current 128-bit key-length limit imposed by US export regulations around 2000CE are still sufficiently long today.

If NSA can't break 128-bit encryption, why would they impose a limit at 128 bits? Why not remove any limit, or set one where they can break it? Isn't it reasonable to assume that they can break it, or they'd not have imposed the limit? -- Pakaran 18:13, 1 March 2006 (UTC)

The limit exists to restrict export of key-lengths they either cannot break, or that would take too much time to break. Dr1819 15:54, 26 March 2006 (UTC)

On another note, I find it interesting that 192 bit AES is required for top secret information. If 128 bit is unbreakable, why not use it themselves? -- Pakaran 18:15, 1 March 2006 (UTC)
 * I don't think they're concerned about anyone brute forcing the 128 bit key space. Rather, they want improved safety margin against non-brute-force attacks, mathematical or otherwise.  E.g., if some weakness in the cipher or an implementation leaks half the key bits, AES-128 becomes vulnerable but AES-192 is still in good shape. Phr 09:24, 15 March 2006 (UTC)


 * Because things may change in the future. Arvindn 18:49, 1 March 2006 (UTC)


 * I guess that makes sense. If someone makes a quantum computer in 2015 and uses it to decrypt my credit card number now, I probably don't care.  There are military issues where they would care deeply.  Is that what you're saying?  -- Pakaran 18:52, 1 March 2006 (UTC)
 * Actually, it doesn't make sense. I think we have here an artifact of bureaucratic regulation mongering and an inability to think clearly about engineering issues. Too many lawyers and wannabes involved, I think.
 * Given predictable changing conditions that apply to The Adversary as well as to all others (eg, most notably Moore's Law, but perhaps some advance in factoring theory or some such), the correct structure of such a regulation (presuming one is needed at all, something the regulators are unlikely to spontaneously hit upon as a real issue) will use something like the following: some competent (NB this concept!!) person, organization, or group should be charged with making periodic evaluations of such things as necessary key length. Whatever it estimates will become the new regulation. Changing, say, once a year or more often as engineering concerns indicate.
 * That won't be possible, partly because it's the sensible thing to do, and such regulators rarely do the sensible thing. But also because lawyers don't understand engineering contingency and can't think about it clearly. So I think that's the answer to your question, P. ww 09:33, 2 March 2006 (UTC)
 * Governments want to keep some of their secrets secret from the most powerful adversaries over time scales on the order of several decades. As you point out, most people don't have secrets that need the same level of protection (or paranoia...). There are ways of extrapolating trends in increasing computer power, and you can get estimates for what year it becomes practical to break various key lengths by brute force. See, e.g., this website. I presume that the NSA (or whoever) undertook an analysis of this nature and judged that 128 bits presented too much of a risk to be breakable too soon. &mdash; Matt Crypto 10:05, 2 March 2006 (UTC)
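A small extrapolation of the kind Matt Crypto describes just above, added here as an illustration and not part of the original discussion or of the article. The attacker key-test rate, the base year and the doubling period are constructed assumptions, not sourced figures, and the model counts only exhaustive search; the one non-brute-force effect it models is Phr's earlier point that an attack which leaks some key bits simply shortens the effective key.

```python
"""Brute-force key-search extrapolation (added example; all parameters are assumptions).

Model:
  - an attacker can test BASE_RATE keys per second in BASE_YEAR (assumed, not sourced)
  - that rate doubles every DOUBLING_YEARS (a Moore's-law style trend, assumed)
  - a full search of a k-bit key space needs 2**k trials (expected cost is half that)
"""
import math

BASE_YEAR = 2006                 # year the discussion above took place
BASE_RATE = 2.0 ** 40            # assumed keys tested per second in BASE_YEAR
DOUBLING_YEARS = 1.5             # assumed doubling period for attacker capacity
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def rate_in_year(year):
    """Attacker key-test rate (keys/second) in `year` under the doubling assumption."""
    return BASE_RATE * 2.0 ** ((year - BASE_YEAR) / DOUBLING_YEARS)


def years_to_exhaust(key_bits, year=BASE_YEAR):
    """Years of continuous search to try every key, at the rate available in `year`."""
    return 2.0 ** key_bits / (rate_in_year(year) * SECONDS_PER_YEAR)


def year_breakable(key_bits, budget_years=1.0):
    """First year in which a full k-bit search fits inside `budget_years` of searching.

    Solves 2**k = rate(year) * budget_years * SECONDS_PER_YEAR for `year`.
    A key space already within budget today returns BASE_YEAR.
    """
    trials_per_budget_now = BASE_RATE * budget_years * SECONDS_PER_YEAR
    doublings_needed = math.log2(2.0 ** key_bits / trials_per_budget_now)
    return BASE_YEAR + max(0.0, doublings_needed) * DOUBLING_YEARS


def effective_bits(key_bits, leaked_bits):
    """Residual search space once an attack has revealed `leaked_bits` of the key."""
    return max(key_bits - leaked_bits, 0)


def key_length_table(key_lengths=(40, 56, 64, 80, 128, 192, 256)):
    """Map each key length to the (assumed-model) year a one-year search becomes feasible."""
    return {k: round(year_breakable(k), 1) for k in key_lengths}


if __name__ == "__main__":
    for k, yr in key_length_table().items():
        print(f"{k:3d}-bit key: one-year exhaustive search feasible around {yr}")
    # Phr's safety-margin point: leaking half the key bits.
    for k in (128, 192):
        residual = effective_bits(k, k // 2)
        print(f"AES-{k} with half its key bits leaked -> {residual}-bit search, "
              f"feasible around {year_breakable(residual):.1f}")
```

Under these assumptions the 40- and 56-bit limits of the export-control era are already within a one-year search in the base year, 128 bits stays out of reach for most of the century, and a 192-bit key that loses half its bits still leaves a 96-bit search that outlasts the base year by decades; changing BASE_RATE or DOUBLING_YEARS moves every row of the table together, which is why the exact constants matter less than the spacing between key lengths.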


 * Certainly your first observation is so. In the US, there have never been any limits on crypto 'strength' available to the Federal government. The limitations on crypto 'strength' were designed to prevent those outside the US from getting access to really good crypto. We who are rather better informed than the bureaucratic committee which adopted this policy have had little trouble understanding the futility of this attempt, and in any case since the 70s, really good crypto algorithms have been published outside the US which made such policies more than feckless. In any case, as long as one kept the 'strong' crypto one had (eg, PGP in the famous case) within the US borders (and Canada too, wasn't that kind?) these regulations didn't apply.
 * Whether my secrets or yours aren't as worthy of protection as NSA's or the FBI's or the CIA's or whatever, is a matter of opinion. I personally feel my secrets are very important in comparison to the CYA efforts of many in government. You may have less regard for yours.
 * As for who chose 128 bits (the current more or less acceptable limit), I really don't think it was anyone in particular, as a result of close analysis of the security levels to be reached or anything similar. For symmetric cyphers, the long-standing 40-bit limit was absurd to anyone who understood a bit, 64-bits (a power of 2) was clearly either not good enough or soon to be, and the next power of 2 was 128-bits. Lots of the literature discussing the necessary length of keys from a security perspective has 40-bit, 64-bit, and 128-bit analysis points. I think the policy people merely took the next line entry from one of these analyses, given the discredited performance of NSA's recommended lengths. Keep in mind that NSA's proposed Clipper algorithm, for around this time, used 80-bit keys. Since it's widely thought that NSA had the ability to break the cyphers (or cypher key lengths) it allowed (aside from the planned key escrow feature), this may be a hint as to NSA's brute strength break capacity in this period. ww 13:51, 5 March 2006 (UTC)

The main reason behind the export restriction is that it makes it a felony to export any aspect of the technology, including an example (message) encrypted with the technology. Thus, even though nearly-uncrackable (if not uncrackable) encryption exists outside the U.S., it's a felony for anyone to send unbreakable encrypted messages outside the U.S. This puts people in the position of either playing ball, or risk going to jail. - Dr1819 16:04, 26 March 2006 (UTC)
 * The rules were never anything like that even in the ITAR era, and they're considerably relaxed now compared with those days. See Bernstein v. United States for one of the court cases.  Phr 20:42, 26 March 2006 (UTC)
 * My own personal opinion is that we're overthinking this just now and above. If there is no rational reason behind a policy, no amount of strenuous and talented tea leaf reading will produce the non-existent reason after the fact.
 * I suspect that some committee (recall the definition of committee -- honorable exceptions such as the original Algol committee excepted), understanding that 'codes and stuff' were important to winning WWII, and further understanding that Allied brilliance at this code stuff was the edge in that respect, decided not to allow any of that brain power product off the reservation. So someone at NSA presumably had a watching brief to keep the rules such that NSA could, if it really wanted to, brute force break what it wanted among the legally permitted. Faster NSA machines, more bits allowed in keys. All of course in the deep dark dank secret dungeons of NSA. Burn before reading, if we tell you we'll have to kill you, ...
 * There's a saying to the effect that one should never attribute to malice what can be accounted for by simple stupidity. And another, "Stupid is as stupid does". And still another, this one from G Santayana, "Those who do not learn from history are condemned to repeat it". All of which would apply to this bureaucratic instance of disengage brain, formulate policy. ww 07:20, 27 March 2006 (UTC)
 * The politics and legal stuff of the export restrictions (and the Clipper chip) are discussed at some length in Steven Levy's popular book "Crypto" which is very readable and pretty good all around. More extensive treatment including many source documents is in "The Electronic Privacy Papers: Documents on the Battle for Privacy in the Age of Surveillance", edited by Bruce Schneier and David Banisar.  Wikipedia should include good coverage of this stuff but the main Cryptography article IMO should only gloss on it.  Phr 07:41, 27 March 2006 (UTC)

Improving the article
I just did a major edit here. I still think the article needs a lot of improvement, though. I tried to restructure it; before, it was something of a mish-mash. The structure, and reason for it, is now: (1) intro, (2) terminology (so that the terms we use later don't have to be defined inline, and they won't confuse people: plus it clarifies the whole code/cipher thing, which people will want to know), (3) history (so that the discussion of modern cryptography can have historical context), (4) modern cryptography, broken down into subsections, and (5) legal issues. Now that I've added (5), I think it should be expanded more generally into a section "Cryptography and society", in which we talk about the effects cryptography has had on human society in general, beyond simply the governmental regulations issue. Modern cryptography (4) is broken down into sections. Right now it's


 * Symmetric-key cryptography
 * Public-key cryptography
 * Cryptanalysis (of both symmetric-key and public-key)
 * Cryptographic primitives
 * Cryptographic protocols

I think it's best to cover symmetric before public-key, so that the motivation for public-key can be explained in context. The difference between symmetric and public-key cryptanalysis is better explained afterwards, and it is here that a discussion of the computational assumptions used in cryptography can be discussed, as well as key size issues. Cryptographic primitives could perhaps be titled "Theory of cryptography": my main point there is that some cryptographic work is concerned with the connections between various cryptographic applications in terms of solvability (for instance, the existence of OWFs implies the existence of PRGs). We could probably stress the precise definition thing a bit in that section. Finally, under "cryptographic protocols," we can discuss just about everything else. We could, perhaps, have a section on "secure computer systems", in which we note the emphasis on actual implementation and deployment, but I'm not sure that's really core cryptography.

A few things that need doing:


 * Condense writing in all sections
 * Incorporate history of PK crypto into history section? This may be awkward in the current structure, though.
 * Expand "legal issues" to "Cryptography and Society" and give broader treatment.
 * Give an overview of cryptography standards: at least, what they are and some important examples.

Also a few notes about how I used terminology: (1) I stick with "cipher" over "cypher" as it is the more popular usage. I feel strongly that the same form should be used consistently -- if we don't do this, it looks random. (2) I try to use "cryptosystem" over "cipher" when referring to modern techniques: because block ciphers aren't full encryption systems, it's not right to equate the two in the modern setting. For instance, in the sentence "DES can be used in CBC mode to provide a secure cryptosystem", it's important to use "cryptosystem" rather than "cipher," though "encryption scheme" would be okay. For this same reason, I usually avoid using "cipher" when referring to public-key techniques, although I didn't avoid it completely. Mangojuice 03:09, 4 March 2006 (UTC)


 * I more or less agree with this work. I think it has improved the article by restoring some context (historical, largely) for the benefit of the reader's understanding. A review of the earlier content of this talk page will turn up the history of some previous debate on this question. It is still relevant. ww 13:32, 5 March 2006 (UTC)

Burial
Recently added: "(Note that some people much prefer the terms enciphering and deciphering as in many cultures 'encrypting' has unfortunate connotations related to burial.)"

Is this a particularly notable fact? I've read it in Schneier's Applied Cryptography, but haven't heard of it anywhere else; maybe it's just a witty aside by Schneier? &mdash; Matt Crypto 19:58, 15 March 2006 (UTC)

Dunno, you could email him.WolfKeeper 20:02, 15 March 2006 (UTC)

All dictionaries point to "encryption" with its use in Cryptography. I can't find any references to it as a burial term. Perhaps Schneier was being playful? "Entomb" would seem to be the word for burial. --- (Bob) Wikiklrsc 21:46, 15 March 2006 (UTC)
 * "Encipher" isn't used much in current technical literature. I dunno about popular usage.  I'd really like to de-emphasize the terminology section and the article's endless hairsplitting about how these different words have been used throughout history.  Remember that cryptography has traditionally been done by organizations that operate in secret, so there hasn't been that much sharing of vocabulary, and different organizations have internally used the terms in differing ways.  In current technical usage, there's rarely any confusion, and popular usage is generally imprecise by definition.
 * I can't resist another funny story. Frank Rowlett was an underemployed math instructor who took a civil service test and did well enough to get a job offer from William Friedman as a "junior cryptanalyst" in the 1920's.  He was delighted to finally get some steady work, and eagerly checked his dictionary to find out what a cryptanalyst was.  The dictionary didn't say, but Rowlett knew what a "crypt" was, so he showed up for work expecting that the job had something to do with statistical problems related to the govt's managing all those WW1-era military cemeteries.  (Source: "The American Magic" by Thomas Parrish).  Phr 22:26, 15 March 2006 (UTC)
 * Which book are you referring to ? The American Magic: Codes, Ciphers, and the Defeat of Japan by Ronald Lewin (1982), or The American Codebreakers by Thomas Parrish (1987), or The Ultra Americans by Thomas Parrish ? Or ? Can't find "The American Magic" by Thomas Parrish. --- (Bob) Wikiklrsc
 * Sorry. The American Codebreakers, by Parrish.  "The Ultra Americans" is the earlier title of the same book. Phr 05:44, 16 March 2006 (UTC)
 * Thanks, I had gotten a bit confused. Some articles in Wikipedia need to be fixed in that respect, like Ultra, etc. I just fixed the Ultra article's reference to the non-existent book. --- (Bob) Wikiklrsc 09:19, 16 March 2006 (UTC)
 * Thanks for the fix. The incorrect cite was put there by me, as I'd gotten the title confused with that of the Lewin book.  I better check whether I did the same thing anywhere else.  Phr 11:00, 16 March 2006 (UTC)


 * You're very welcome, Phr. I think the incorrect reference was in a few places. --- (Bob) Wikiklrsc 17:21, 16 March 2006 (UTC)

Apparently enciphering and deciphering are the correct phrase according to the ISO 7498-2 standard (see http://www.proz.com/kudoz/1227608).WolfKeeper 01:56, 17 March 2006 (UTC)
 * Heh, interesting. Note that 7498-2 is an OSI standard, which is to say, dead as a doornail.  The convenient 7498-2 diagram at the first google hit  (other than the ISO ordering page) definitely says "encryption".  OSI was a Euro-thingie and may have been trying to make prescriptions for the sake of non-English speakers, but it never went anywhere.  I still think in the article we ought to straightforwardly use the terms that are normally used in English-language technical literature, and relegate all the less common terms to a glossary.  (FWIW, I also found some references to "Naval Cypher #3" etc. from the WW2 era, but I think that series dates back to the 19th century, so that spelling is still pretty old).  Phr 02:09, 17 March 2006 (UTC)

OK, I did some edits
that might be contentious. Don't shoot, comrades. Phr 10:37, 2 April 2006 (UTC)


 * To ww--can we chop the stuff about codes and data compression? It's reasonable to describe it in History of cryptography but it's a completely obsolete subject and should get just the briefest mention in the main article, especially up near the top where it is. Phr 03:56, 4 April 2006 (UTC)


 * Not a problem. I had, if memory serves, merely attempted to rephrase something another poster had left obscurely. The content is someone else's. I actually agree with you that it (the data compression stuff) needn't be here. As an article of first resort, this point is more than a bit off the main line.
 * As for codes being obsolete, certainly it is largely so, but this is WP, not a popular treatise on how things is done nowadays. For our writing, there is virtue in relying on an historical account to help build understanding in our Average Reader, since, if nothing else, our predecessors started with simpler and more easily understood matters and only developed complexity (of practice and theory) over time. Since we are not preaching to the crypto choir here, but attempting an encyclopedic thing, to wit informing the uninformed, we cannot slight this or that as "obsolete".
 * So I would say that an introduction which starts with substitution cyphers, and transposition cyphers, and codes, only then progressing to polyalphabetic cyphers and then asymmetric crypto, protocols, crypto system design and advanced mathematical proofs of vulnerability of this or that cypher under these or those conditions, generally will be a help to our Reader.
 * I do agree though, that the primary emphasis should not be historical in this article, but rather on contemporary crypto given its importance to all. Assorted maliciousosity is best (or solely) thwartable using properly chosen crypto, so it's a pretty important issue. And that's a point worth making for our Readers living and working with computers and the Internet today. 71.247.110.21 02:27, 10 April 2006 (UTC) actually ww 02:31, 10 April 2006 (UTC), got logged off


 * I think what you said about protocol design is true, but the way you said it was kind of messy, so I tried to clean it up. I think it's hard to tread the line between pointing out that ad hoc protocol design is error-prone and yet not being critical of it (note: "ad hoc" protocol design can mean two things: not doing proofs or doing sloppy, ineffective proofs, or doing good proofs but doing them "by hand."  The former really is a bad idea and badly error prone: the latter is not nearly so bad.)  I removed the claim about "most deployed protocols" because "deployed" can mean almost anything.  Also, I removed the discussion User:Ww just added about data compression: we don't need to be so informative there; we should de-emphasize the terminology section.  There's a link to code (cryptography) where a reader can learn more about codes.  And like Phr says, we could cover it in the history section if it can be fit in without disrupting the flow.  Mangojuice 04:03, 4 April 2006 (UTC)
 * Thanks for the "code" fixup. By deployed protocols and ad-hoc analysis, I meant things like TLS, which took several iterations (SSL versions 1,2,3) and still isn't quite right.  I don't know of any protocols of that much complexity that have proofs at all, "hand" or otherwise.  Also, I think just about all proofs of real-world protocols that do exist today are "by hand", i.e. automated proofs aren't so practical yet.  There's work being done on that but it's still a "holy grail" (per the last slides of ).  By a "hand" proof, I mean proofs like the ones for RSA-PSS, etc.  Even 10 years or so ago, real-world practice was very primitive compared with today.  As one example, see the evolution of RSA, from the early deterministic versions (believed to be a good thing as late as ~1990 when deterministic RSA signatures were pitched as better than DSA because of the absence of potential subliminal channels), to the original PKCS #1 that fell to Bleichenbacher's "million message attack", to RSA-OAEP ("proved", but the proof had an error), to RSA-PSS (generally accepted now).  Of course there's been much worse stuff than that too, like the weird and insecure special DES mode once used in Kerberos.  I'd hoped to get something into the protocol section that conveys that things really have gotten better in the past decade or so.  Can you suggest some alternative wording? Phr 06:18, 4 April 2006 (UTC)
 * Phr, I agree with your main trend, but would note that in this article, a first resort one, the point about protocols that should be made is probably something like: this is a protocol, they're very important to security and real world crypto systems, some (few) are proven to be secure as protocols when properly carried out, and further details to be left to other articles. For instance, a protocols article. Some useful points here, but perhaps not in this article. 71.247.110.21 02:27, 10 April 2006 (UTC) actually ww 02:31, 10 April 2006 (UTC), got logged off
 * What we should really be doing is writing a section about standards. Talking about trends when we're really talking about one or two algorithms is dicey, but all those issues are worth talking about separately; it's not always the most important part of the academic discipline, but standards are very important and we should cover them.  I think whether things are getting better depends very deeply on which algorithms you consider to be "deployed," so I think it's not the kind of claim we can really make here without a specific, reliable source, and I don't even think a published paper is likely to be good enough for that.  I would argue things aren't really "getting better" in terms of how we design protocols, it's just that we're finally getting good ones for the really important protocols, after working on them for as long as we have.  Mangojuice 13:11, 4 April 2006 (UTC)


 * But I think things really are getting better (am I wrong?). If you read a 1990's book like Applied Cryptography, it's full of dire warnings (valid at the time) about how fraught with peril protocol design is, with not much advice about dealing with the peril beyond "leave it to experts".  The subject is better understood now; provable security is part of mainstream practice instead of being ivory-tower academic research.  We're "finally getting good ones" not because there was so much work that it took this long to do, but rather because the methods of developing "good ones" are now more widely known and applied.  Stuff got approved in the 80's and 90's that would be rejected now.  Stuff gets trusted now (because of rigorous analysis that's possible today) that would have been considered way too complex and suspicious back then (example: imagine OCB mode being presented in the 1970's alongside CBC, CFB, etc.  Nobody would have believed it).  I'm hoping we can improve Wikipedia's coverage of these topics which right now is fairly thin.


 * Btw, is Matt or Ciphergoth still around or can anyone suggest some cites? I'm not really expert with this stuff, I'm still learning about it.  Phr 02:56, 5 April 2006 (UTC)


 * Interesting discussion here. Before I debate the facts, I want to point out how hard it would be to include any of this material in an encyclopedia article without it being original research.  Research papers are unreliable, as they're academic and tend not to have a proper view of what is "in use" as opposed to the subject of active research.  Books, on the other hand, have relatively fewer authors, whose opinions are worth noting, but they are slow to be produced and can be out of date.  Our best approach is to factually cover the differences between then and now.  And "leave it to the experts" is still absolutely critical advice, and definitely the kind of advice that belongs in a book like Applied Cryptography.


 * Crypto standards bodies in the 80s and 90s had their problems; one of them was being too heavily controlled by industry without enough influence from academia. This hasn't exactly changed, but they do tend to retire broken protocols.  Also, standards bodies are becoming less important.  It's still critical to how we do encryption and authentication, but a lot of research these days is into more complicated protocols that don't need to be standardized.  There, it's the academics who rule, because they get to decide whatever is the best solution... but there's still a question of who chooses to use those results.  It's been my experience that there's a lot of crappy security-related research going on, because (effectively) people who aren't crypto experts continue to design protocols by hand, with vaguely defined goals, without knowing the crypto literature.


 * I think it's fair to say that in cryptographic research there has been a clear trend over the last two decades towards rigorous proofs; I believe this HAS improved the quality of protocol design. However, formal approaches (non-"ad hoc") are still a bit immature.  In some cases there are theorem proving tools that can help, but there are so many variables that the process remains clearly error-prone.


 * Some references on formal analysis of crypto protocols: Abadi & Rogaway ('91, I think), Many papers by subsets of Backes, Pfitzmann, and Waidner, some recent work by Jon Herzog and Joshua Guttman (and some others I think), and finally there's work by Dawn Song that's relevant. I don't think there are any books that cover these results, at least not yet, but there are probably some relevant PhD theses, for instance, Herzog's and Song's.  All those papers will talk, to some degree, about how difficult and error-prone crypto protocol design is, and how formal methods offer the promise of something better.


 * However, it's not the formal approach that has had real impact on the quality of cryptographic protocols. Rather, it's a mix of trial and error and better understanding of the ad-hoc method.  Mangojuice 04:10, 5 April 2006 (UTC)


 * Thanks for those references. I think your point is well taken that industry didn't listen to academics enough in the 80's and 90's.  But these formerly exotic research results are now really less avant-garde than they used to be.  The issue about "leave it to experts" was that in the past, knowing the crypto literature wasn't enough.  Reading Applied Cryptography is like reading a medical textbook on brain surgery--you might know all the same facts as a surgeon knows afterwards, but you're not ready to operate on patients because of the sense of subtleties and exceptions and weird special cases that only comes from experience.  Block cipher design is still like that: a black art, that few people (maybe nobody) have the right skills to do securely.  The usual guideline is that any cipher designer must first "make their bones" by breaking other people's ciphers.  But we don't even know (because P vs. NP is still unsolved) whether secure block ciphers can exist even in principle.


 * But with protocols (maybe I'm using that term loosely, I mean crypto schemes made by combining primitives, which would include things like symmetric encryption modes), we're now at a point where it's just normal math, and any geek with a reasonable CS theory background who can read and write proofs, can slog through "Foundations of Cryptography" or Rogaway and Bellare's lecture notes, and then be reasonably confident that s/he knows what s/he's doing. Materials like this didn't exist 10 years ago AFAIK, except in research papers.


 * Also, we may be using "proof" for two different things: formal, model-theoretic proofs (BAN logic and things descended from it), and informal reduction-based proofs (these are similar in spirit to NP-completeness proofs). I've heard these described as "red cryptography" and "blue cryptography".  Red cryptography is still mostly academic, but blue cryptography is being used to design stuff that makes it into standards.  I don't know much about the model-theoretic stuff and I'm currently trying to study the reduction-based stuff, mostly by web surfing.  I'm hoping to write a few articles since we don't have much yet.  I've started advantage (cryptography); it has a ways to go, and I think it has some mistakes right now, but it would be great if you could let me know if you think it's headed in the right direction.  The idea is to add articles about PRP's, PRF's, encryption modes, etc., and work backwards towards connecting with the overview articles.


 * Also, if you think I'm drinking Kool-Aid, please go ahead and say so. It's great to have an actual crypto discussion on the crypto discussion page, instead of going on about cryptography versus cryptology.  Phr 13:16, 8 April 2006 (UTC)


 * Concur on good to get past ..ology v ..ography as the main content of this talk page. But I would note that, for our Average Reader (the target audience for the present article), the 'better than 10 years ago' you speak of is elusive, even though true. How the untutored, or even the expert in hash theory, can reliably distinguish in practice between really good crypto, and plausible but leaky crypto, is unclear. It's part of the peculiar nature of crypto engineering as opposed to most other kinds in which the Opponent to be outwitted is consistent (so far) and doesn't change approaches and techniques. Even with source code, being one's self in a position of reliably distinguishing between them is not at all straightforward. Expertise in program design, programming (syntax and semantics), numeric programming, OS security considerations, some hardware operational issues, ... It's a tough problem, and is not really settled in a useful sense by relying on 'branding' (ie, NIST has anointed AES as good, so if my crypto system uses AES, I'm home free...) as a sensible test criterion.
 * In earlier edits in this article, I had taken the position that this is a point WP may reasonably make, and was revised sufficiently often and completely to make clear others' disagreement. Rather than get involved in edit wars, I went on to other work. But I still feel, very strongly, that this is a fundamental issue EVERY newcomer to modern crypto must understand, lest choice of product and attitude be made more or less by popularity of dart. Not so reliable an ensign to which to repair, however useful in respects. Our Reader is ill-served if they read this article with little hint of the presence of this 600-pound gorilla in the crypto world. And there is little such content remaining in this article (at my last close read, anyway). 71.247.110.21 02:27, 10 April 2006 (UTC), actually ww 02:31, 10 April 2006 (UTC), got logged off

Todo list
I removed this page from the "todo priority 1" category, since there's no formal todo list, and it makes it sound like the article needs urgent attention. Of course the article could use various improvements that we'd all like to get around to sometime, but its current state is fairly reasonable. Feel free to restore the category if you think it's appropriate, but in that case we should also make an actual todo list, since the todo category is intended to attract other editors to work on the article, in which case they expect a list of tasks. Phr 02:59, 16 April 2006 (UTC)


 * I added it back. According to the explanation I read, priority has to do more with the visibility of the article rather than the importance of the items on the to-do list.  Since cryptography is referenced by a whole lot of articles (over 1000 pages in "What links here" for the article), it's appropriate for it to be category 1.  See Category:To do, by priority.  Mangojuice 16:30, 17 April 2006 (UTC)
 * But being in the category means we're supposed to have an actual to do list, and as far as I can tell, we don't have one. It would be at Talk:Cryptography/To do, I believe.  See Template:To do and its talk page.  Should we start putting a list together? Phr 17:03, 17 April 2006 (UTC)
 * You don't see it? There is a list, at Talk:Cryptography/to do, and it's included near the top of the page under "tasks".  I added those to do list items after my major rewrite a month or so ago.  Mangojuice 17:08, 17 April 2006 (UTC)
 * I see it now. I guess I saw it before but didn't realize it was the to do list, since it says "pending tasks" instead of "to do".  Thanks.  Phr 18:43, 17 April 2006 (UTC)

Featured status
I'd like to move this article towards featured status. Based on the feedback the article received when it failed to get featured status before, the main concern has been citations. I'm going to take a pass through the article and add some citations, but I'm sure there will be large segments (particularly of the history section) that I won't be able to source properly. If we all help, hopefully we can get the article in good shape, and then try to get it featured. This is one of those articles that really ought to be featured. Mangojuice 18:00, 20 April 2006 (UTC)


 * I think I can help with sourcing, but I've also been thinking we should give up on FA and just make it a summary/overview article, and instead try to get the secondary articles featured (like the Enigma article already is). I'm imagining we should shorten all of the longer sections by about 50% each, and add some new short sections on crypto hardware, crypto theory, and crypto-related standards.  Re sourcing, "Contemporary Cryptology" (ed. Simmons) has some good papers to use for the refs that you just added.  My copy is in storage but I can try to dig it out if you don't have it.  Phr 18:32, 20 April 2006 (UTC)


 * Why give up on FA? I think it's more important for this article to become very good than most of the other ones.  This is a gateway article, it introduces people to the topic... if we think of WP as a book, this is that critical introduction chapter that people will read to decide if they want to keep reading more.  I agree with your ideas for improving the article; I may give it another pass at some point but not just now.  Mangojuice 20:30, 20 April 2006 (UTC)
 * Well, we'll see. Meanwhile, I just changed the cite for the first DH public key paper to one that predated "New Directions".  It explained the concept of public-key but didn't say how to do it (because they hadn't figured it out yet), except they added a sentence describing DH key exchange at the last minute.  They went on to write "New Directions" a while later.  Let me know if you think that's right; again, I think both these papers are in Simmons' book but I don't have it here.  This might also be of interest:
 * In 1870, a book by William S. Jevons described the relationship of one-way functions to cryptography and went on to discuss specifically the factorization problem used to create the "trap-door" in the RSA system. In July, 1996, one observer commented on the Jevons book in this way:


 * In his book The Principles of Science: A Treatise on Logic and Scientific Method, written and published in the 1890's, William S. Jevons observed that there are many situations where the 'direct' operation is relatively easy, but the 'inverse' operation is significantly more difficult. One example mentioned briefly is that enciphering (encryption) is easy while deciphering (decryption) is not. In the same section of Chapter 7: Introduction titled 'Induction an Inverse Operation', much more attention is devoted to the principle that multiplication of integers is easy, but finding the (prime) factors of the product is much harder. Thus, Jevons anticipated a key feature of the RSA Algorithm for public key cryptography, though he certainly did not invent the concept of public key cryptography.



 * Solomon W. Golomb, On Factoring Jevons' Number, CRYPTOLOGIA 243 (July 1996) (emphasis added).


 * (From near the end).  Maybe we can mention this in the history article.  Phr 20:52, 20 April 2006 (UTC)


 * I'd never heard of that. Cool beans.  I figure we should cite the later paper for DH key exchange, and under "Symmetric key" when we say only symmetric stuff was known until 1976; theorizing about it is a step beyond showing it can be done.  But we should cite this earlier one for the concept of asymmetric crypto.  Mangojuice 20:54, 20 April 2006 (UTC)
 * IIRC the published version of "Multiuser cryptographic techniques" did describe DH key exchange, just very briefly (a sentence or two added just before it was submitted). This is significant because they gave out preprints at a conference more than a year before the DH patent was filed, arguably making the patent invalid (by the time this got dragged through the courts, the patent was about to expire, and I think the suit settled without a judicial finding).  The New Directions paper went into more detail. Phr 20:59, 20 April 2006 (UTC)

<---

Gentlebeings,

I very strongly feel that we must avoid turning this article into a collection of paragraphs with pointers to the real content in other subarticles. This subject is an especially twisty one, and we owe our readers the best assistance in untwisting it we can render. Settling for a collection of pointers would fail that responsibility.

I VERY strongly feel that this article, one of 'first resort' as it were, should serve as conceptual orientation and introduction to more detailed coverage of particular topics. I once attempted to use its history as a way of introducing readers to the concepts (see prior discussion in here, now in archived form from a couple of years ago) but some other editors disagreed without really explaining quite why.

What we have, at this writing, has largely been stripped of that contextual background and is a lesser article as a result. It is not even remotely near featured quality at this time, for that reason alone. I think it should be built in such a way as to qualify for FA status. And it should not be all that hard to get there. But on WP, since all is hostage to all, it is difficult to jointly reach that level of quality. Nevertheless, I think we should strive to do so.

As for the anticipation of DH, we should note the GCHQ anticipation of some years before. Jevons's work is interesting, but I think is not evidence of priority. The actual application of one-way functions to crypto was not, in fact, accomplished, though it could very easily have been done, at the time there being no technical impedimenta to doing so in theory. In practice, of course, the lack of high speed computation posed a certain limitation in actual practice. In US law, at least, an invention has not occurred until one has reduced an idea to practice. A mere idea is often not sufficient. ww 19:07, 21 April 2006 (UTC)
 * The Jevons thing was for the history sub-article rather than the overview article. I'd say Jevons didn't come close enough to describing public key crypto to need mention in the overview.  However, what the law says is an invention isn't terribly relevant to the history of an idea; mentioning Jevons in the crypto history article is maybe like mentioning Leibniz in an article about computing history, or mentioning Jules Verne in an article about rockets or submarines.
 * I think I see your point that we should have more basic introduction to crypto concepts but I think we can do that in modern terms rather than dwelling too much on history. I'll see if I can improve on what we have.  The airplane article IMO has about the right amount of historical coverage, though it could use some organizational improvements.
 * Mangojuice is doing a good job adding references. That will help in the quest for FA. Phr 20:13, 21 April 2006 (UTC)

Inline footnotes
Should we switch the article to inline ref-style footnotes? Those are easier to update, I think. Phr 03:04, 21 April 2006 (UTC)
 * => User:Cyde took care of it with an automated program. Thanks! Phr 16:24, 21 April 2006 (UTC)


 * Looks good this way. It would be nice, though, if the references could go back in alphabetical order.  Mangojuice 17:06, 21 April 2006 (UTC)

large block deleted. Why?
On 3 June 06, Scircle made an edit and in the process deleted much of the article. Without an explanation, I'll be back and roll the article back to its prior state. Have to figure that out first, but the loss was large. If someone else has better facility with the WP machinery, please have it!

Alternatively, there may be a reason for doing so, though the edit summary is unedifying. So, an explanation, or I (or hopefully someone who knows what they're about) will roll things back. ww 17:08, 3 June 2006 (UTC)
 * => Sorry for that and thank you for reverting back the article. This was a mistake (first step in wikipedia) I will be very careful in my next contributions. (Scircle 20:58, 6 June 2006 (UTC))

Congrats
Congrats to the editors of this article for the FA status, Great work!--ppm 19:22, 3 July 2006 (UTC)

copyedit
Someone run this through a spell check please. 134.193.168.251

Someone needs to check this article's image in the top right corner. It displays both a crypto machine (the image it should be) and an adult nude image. If you refresh the page in your browser or go back and forth from the main wiki page it will show up. Seems someone's hidden one beneath the other. Sorry I didn't know where else to report this abuse. Hope it will be removed soon. —The preceding unsigned comment was added by 62.254.72.122 (talk • contribs) .

FA
I'm back after an absence--congrats on reaching FA, and especially for the revisions of the early sections (intro and history), which are well done. I think we need some more coverage of crypto theory, both in this article and in Wikipedia in general. We have some beginnings but Wikipedia is still nowhere near as strong in this area as it is in (say) general math topics. There's no good reason for that--crypto theory isn't less comprehensible than, say, homology theory. I'll contribute what I can but I'm just a coder. I wish that the real experts here would get more involved in this area, and that more such people would join in. --Phr (talk) 06:33, 10 July 2006 (UTC)
 * Phr, I'd object to your self-characterization as being "just a coder". Coders of the world unite, for the world's embedded intelligence toys and other cyber stuff depends on us!!!
 * More seriously, the problem is not so much the incomprehensibility of crypto theory, it's in the application and vulnerability analysis. The engineering side, if you will. That requires a certain amount of twisted brain wiring, which isn't so common. Probably fortunately, as we cryptiacs are, to tell an uncomfortable truth a la EWD, usually just a little 'different' than the usual run of technical folk. The plenitude of crypto snake oil, not all of it from identifiably Bozo Crypto organizations either, argues that fuller understanding is rather more scarce on the ground than is an understanding of the underlying mathematics and source code. Even Bruce Schneier has come to the conclusion that mechanism is the lesser part of security; see his more recent books, save Practical Crypto which he and Ferguson think is sort of Applied Crypto updated.
 * All that said, I agree that more coverage of theoretical crypto would be a good thing. But, unlike maths, the surrounding context (inescapable for serious accounts) is actually hard to convey without leaden prose, which WP should eschew. Non-trivial experience speaks here. Contingency, especially with regard to intention (something everyone has 'strong understanding' of), is quite hard to deal with. ww 15:27, 10 July 2006 (UTC)
 * I'm not sure what you mean. Rogaway and Bellare's book is pretty accessible to readers with a reasonable math background.  It's a CS theory book, not an engineering book or security book.  But anyone working seriously in cryptography has got to know this stuff, and WP's coverage is quite weak.  We can't address problems in applying the theory unless we first know the theory.  I have Practical Cryptography and am not all that impressed with it, by the way. Phr (talk) 11:06, 16 July 2006 (UTC)
 * Phr, Just noticed this, sorry. I agree with much of what you say, but note that WP is not an instructional book. We're not trying to 'address problems in applying the theory' here, just write up knowledge in a somewhat choppy form. So it's not a disaster if the theory isn't presented as a text would, especially since we're writing not for students but for the Average Reader I keep speaking up for.
 * You know, encyclopedias are a little weird. Chunks with little connection to others; WP improves on this with the linking business, but lets just anyone edit anything. Which leaves the informed on more or less permanent clean up detail.
 * As for PC, what's your objection? It seems to me to tell some unpleasant truths (a la EWD's famous note) in the context of some practical advice on design. You don't like the absence of theory? Or what? ww 04:39, 23 July 2006 (UTC)

NPOV re encrypted Nero reference
In "History of cryptography and cryptanalysis" it reads in part "For instance, early Christians used cryptography to obfuscate parts of their religious writings to avoid near certain persecution they would have faced had they been less obscured; famously, 666, the Number of the Beast from the Christian New Testament Book of Revelation, is sometimes thought to be a ciphertext referring to the Roman Emperor Nero, one of whose policies was [1]persecution of Christians."

I do not believe this conforms to a Neutral Point of View. It clearly takes a side in one of the most fiercely debated books of the Bible, Revelation. For another view, see []. I propose that this section be deleted, unless it can be rewritten to conform to a Neutral Point of View. And if it can, I don't see the point of even mentioning a minority interpretation of a religious text in a non-religious article. Tmchk 03:23, 23 July 2006 (UTC)


 * Do you have a way to make it more neutral without delving into the subject deeply? How about if we said "to be a coded reference" instead of "to be a ciphertext referring to ..."?  That is, if we just describe it as a ciphertext without getting into what it's a ciphertext of?  Mango juice talk 04:02, 23 July 2006 (UTC)
 * As it says that some think this way, where's the NPOV? Some do in fact think this way. That others do not is true, but no claim is made here as the actual truth of the meaning meant by the writer. And, in any case, someone has removed a note that an early variant text has 616, which is also generated by an alternate phrase for Nero. This article is taking no stance on any theological question, so I can't see a problem. All that said, this is an awkward sentence and should be rewritten. The 'famously' is wrongly placed. ww 04:27, 23 July 2006 (UTC)

That seems to work. Although, I still think the line "early Christians used cryptography to obfuscate parts of their religious writings" takes a theological stance, particularly the word "obfuscate", which means "1. To deliberately make more confusing in order to conceal the truth." Can that really be said to take a NPOV?  This suggests that what the Bible says was deliberately altered to conceal the truth.  Whether the Bible is the inspired Word of God to be taken literally or simply a collection of religious writings to be interpreted metaphorically is a theological question.  I do think that the article can be rewritten, but how do we mention that "early Christians may have used cryptography to obfuscate parts of their religious writings"? Referencing early ciphertexts to show the progression of cryptography makes perfect sense, as long as they can be substantiated. But what is the reason for referencing an interpretation of the Bible? I know of no primary sources that would indicate that the Number of the Beast was a reference to Nero. Granted, there are secondary sources, but if it was true that 666 refers to Nero, then why is it that those who believed so (assuming that there were those that believed so), contemporary to the time, just happen to leave no surviving record? Tmchk 03:13, 24 July 2006 (UTC)
 * In the absence of such report, the meaning of such an encryption is likely to be subject to controversy. However, a long standing Hebrew tradition of associating numeric values with letters does result in 666 when applied to a common phrase referring to Nero. And a possible less common phrase for Nero also generates 616 (recently turned up in a variant text of Revelations). Seems plausible / possible, if not definitive, that is what accounts for such odd numbers in the midst of otherwise apocalyptic text.
 * As for the motivations (or lack of contemporaneous references explaining the whole thing), well... There was a considerable danger in saying things about the Emperors and the Roman government. You could be killed in quite unpleasant ways as the government took steps to prevent the spread of dangerous viewpoints. So concealment of your true meaning, and not mentioning that meaning in otherwise acceptable writing is not at all hard to understand. And if anyone actually did mention it, there's a good chance the material has not survived; lots of stuff has been lost.
 * The point of mentioning this is not to take a theological stance, or even to assert that THE MEANING OF 666 (or 616) IS, but to note that there is a non-trivial chance that it might be and the crypto was used for such purposes in yet another context long ago.
 * We might have used the encrypted glaze formula some Mesopotamian potter wrote down (encrypted) also, or the more troublesome as an example of confidentiality, encrypted hieroglyphic inscriptions from the Old Kingdom.
 * I conclude the example is innocent, and that none have grounds for taking umbrage. ww 16:03, 24 July 2006 (UTC)

Rivest photo
Nothing against Rivest but we've credited the public-key concept to Diffie and Hellman; shouldn't we use their photos instead of Rivest's in that section? Phr (talk) 07:25, 10 July 2006 (UTC)
 * Sure, and we should find contrasting photos. Wild man Diffie, and button down Hellman. Anyone have any sources? But what about Williamson and Cocks and Ellis? ww 15:33, 10 July 2006 (UTC)
 * DH's contribution was first, but to be fair, Rivest is more important than either of them. However, the picture is a bit boring; I just added it during the WP:FAC b/c of some of the comments, and because we already had the picture and it had a free license.  Mango juice talk 16:59, 10 July 2006 (UTC)
 * There are pictures of Diffie and Hellman in their articles. I think the Rivest picture just jarred me because it was overlarge.  I removed the size tag so it shows up at the default size now, which looks better IMO (at least with my default settings).  If I go to Crypto 2006, I can shoot some more pictures (D and H both usually attend).  I don't see how Rivest is more important; if the RSA algorithm was never discovered or didn't work, we'd be fine; DH turns into a public key algo in the obvious way, and we'd presumably still get El-Gamal signatures a while later, or at worst we could sign with Merkle hash trees. Phr (talk) 22:08, 10 July 2006 (UTC)

Cipher vs. Cypher
Can we split that issue off into a separate article? E.g.:
 * Main article: cipher vs. cypher spelling controversy

which could have its own illustrations and subchapters? I really want to remove it from the cryptography overview article. It's just not significant. Phr (talk) 10:55, 16 July 2006 (UTC)


 * I really don't think so. Is it even a notable controversy?  Some people are adherents of one, some of the other... isn't that the extent of it?  I've altered the text so it just says "A cipher (or cypher)..." as the extent of covering this.  It mentions the alternate spelling, I think the alternate spelling is important enough to mention, but this article is not about whether people use "cipher" or "cypher".   Mango juice talk 12:35, 16 July 2006 (UTC)
 * Absolutely, it is one of the most vitally important questions of our time. There is going to be a UN resolution about it, I hear.  Seriously, I was being facetious, I just thought we had taken the spelling thing out of the article before, and it reappeared and then grew.  I just want to get rid of it altogether, but the current version is tolerable. Phr (talk) 18:42, 16 July 2006 (UTC)
 * Have to agree with you both. This is the most important Teapot Tempest with which I'm acquainted. But I agree with Phr, we've noted it, and that should be enough to alert our Reader to the whole thing. But perhaps a link to the Project page entry would be reasonable...? Nah...


 * On another note, Mango, I still haven't gotten my browser to behave and so am quite a good bit behind in looking at changes here. Appeal to technical help here has been unedifying. Perhaps a bug report? ww 20:20, 16 July 2006 (UTC)


 * What kind of browser probs? Phr (talk) 04:31, 17 July 2006 (UTC)


 * Basically, when looking at a diff, sometimes the width of one side or the other will be unreasonably long, which makes looking at the actual changes difficult. Yeah, maybe a bug report?  But really, I don't think it's a bug; you'd be asking for a feature/improvement.  Mango juice talk 14:34, 17 July 2006 (UTC)


 * Mango has it about right save that it's not so intermittent, and makes actually working near to impossible. This is one of the articles it's happening with and it accounts for my having been effectively locked out of reviewing edits and responding to them. Highly annoying. It's only begun to be common in the last few months, having been much less frequent before that. It's becoming unlivable when it occurs. And I haven't been able to make out a pattern sufficient for a responsible bug report. And it would be a bug, because the current status of the feature is highly user hostile. So much so it's a misfeature (=bug). ww 20:26, 17 July 2006 (UTC)
 * See: http://bugzilla.wikimedia.org/show_bug.cgi?id=1438 - it may be one of the issues linked from there, and there are some workarounds described. Phr (talk) 23:28, 17 July 2006 (UTC)

7/21/06 edits
Some notes on my edits today: (1) "cryptography/cryptology" is not analogous to "biography/biology;" I know of no real analogous example, so I took that part out. (2) removed steganography from the "in recent decades" list since that's also an ancient-times development, (3) rewrote the description of stream ciphers for accuracy, (4) removed the bit about Merkle working on PK encryption to a footnote; not that I doubt it, it's just that (a) there's no source for it and (b) this interesting trivia distracts from the flow. (5) I introduce elliptic curve cryptography a little earlier. (6) Removed the term "cillies" though I kept the link; the name is a little too intriguing, and disrupts the flow, but the example is still worth linking to. Otherwise, just minor phrasing and such. Tomorrow (7/22/06) this article will appear on the main page, so I wanted to do a check over and make sure there was nothing embarrassing. Mango juice talk 15:58, 21 July 2006 (UTC)
 * Oh man, I didn't know about this main page appearance, I guess it's too late to get it postponed, there's really some significant changes I think we ought to do first. (tries to shake off stage fright).  I think the biology analogy was strictly with cryptology, and didn't extend to cryptography/biography, but ok.  I'll see what quick fixes I can make today.  I wish there could have been more discussion beforehand about this main page thing.  Phr (talk) 16:13, 21 July 2006 (UTC)


 * I too will try to make a last pass, though without much reference to prior posts because I'm still having 'compare' fun. I'll concentrate on small edits and won't change anything large. ww 16:19, 21 July 2006 (UTC)


 * Couple things I better ask first before doing: 1) I'd like to remove Cryptonomicon from the further reading section; it's a great novel but cryptography only slightly figures into it. I'm a little worried about that section turning into a spam magnet.  2) I'd like to replace the photo of Rivest in the public key section with one of Diffie and Hellman (I can make a composite image from the separate pics that are in the Diffie and Hellman biographies, so it would still be one thumbnail in the article).  Let me know of any objections. Phr (talk) 17:09, 21 July 2006 (UTC)
 * I did the photo change. I also rewrote the first paragraph of the public-key section, which previously overstated things somewhat.  But the new version maybe isn't strong enough.  Please take a look.  Phr (talk) 18:22, 21 July 2006 (UTC)
 * Actually Cryptonomicon is shot through with crypto (or odd takes on it) and mentions quite a few historical figures. In addition to inventing some. Not sure I'd call it a great novel... I'd keep it, as spam magnitude is not something we can control at all. If something attracts bad posts, we can have an admin lock it down for a while. ww 18:49, 21 July 2006 (UTC)
 * Cryptonomicon should probably remain, as it was something that got added b/c of comments during the FAC process. :) But I also think it's appropriate for the list; there isn't much on the lighter side there.  I like the new picture.  Mango juice talk 19:35, 21 July 2006 (UTC)
 * I added a link to Wide Mouth Frog for a lighter tone, and if someone thinks we need more, I nominate either Kerckhoffs's entire name (it's a mile long) or a sentence or two in the cryptanalysis section about possible origins of the name bombe (as in Enigma). ww 22:34, 21 July 2006 (UTC)
 * I removed that sentence in my latest revision. Wide Mouth Frog (which I'd never heard of; perhaps Needham-Schroeder would be a better choice?) really belongs under "cryptographic protocols", not in the primitives section.  Also, I removed the bit about primitives being used to make cryptosystems and digital signatures, because that kinda misrepresents things; those are other types of primitives, really.  Also, I remove the disclaimer about ciphers that may use the same algorithm in both directions.  Yes, that's true, but it's too detailed for that part of the article.  Mango juice talk 02:22, 22 July 2006 (UTC)
 * All stylistic points, I fear. We've not time enough to settle out on this stuff just now. I strongly disagree with the point about primitives, but it's a point about classification of items in categories mostly. I think not optional, but you clearly have a different classification in your mind for these things. ww 02:36, 22 July 2006 (UTC)
 * Clearly, primitives can be used to build everything. However, I don't think the study of how they build everything falls under the heading of cryptographic primitives.  Some are clearly under the heading of cryptographic protocols, for instance.  Mango juice talk 02:48, 22 July 2006 (UTC)

Let's archive the talk page
We will probably get a lot of new entries tomorrow. Phr (talk) 20:17, 21 July 2006 (UTC)
 * The siege has begun. It will take some time to look over them all. Especially with my browser doing the long horizontal with a vengeance. Arise, ye editors!! ww 05:14, 22 July 2006 (UTC)
 * Try installing Tools/Navigation popups, then just float your cursor over the "diff" label in the history list. The only change so far that I take much issue with is someone more or less chopped out the 2nd paragraph about all the different kinds of math used in cryptography.  I'm so used to that paragraph (because we all worked on it a lot) that I can't tell if the shorter version is an improvement or not.  The old version was definitely long-winded, but I felt it conveyed the sweep of the subject. Phr (talk) 05:22, 22 July 2006 (UTC)
 * I felt the same way, but they actually moved the paragraph to somewhere further down. I approve of it, FWIW. Mango juice talk 05:40, 22 July 2006 (UTC)
 * Done; I archived all sections started in June or earlier. Mango juice talk 20:20, 21 July 2006 (UTC)

CSP article review request
I've expanded a stub that I found about Microsoft Cryptographic Service Providers, based on my unreliable memory of having had to mess with those things years ago. Anyone knowledgeable about them is invited to take a look. Phr (talk) 16:23, 14 August 2006 (UTC)

change of rediscovered to learned of should be reverted
A recent edit made this change, and the edit summary speculated that perhaps IBM had merely learned of it. My memory is that Don Coppersmith, an IBM member of the Lucifer/DES team, explained publicly that the reason the S-boxes are so resistant to diff crypto is that IBM had discovered it, brought it to NSA's attention, and were told in essence, we know all about it and would appreciate it if you kept quiet about it for national security reasons. Coppersmith made his comments after Biham and Shamir went public with their discovery. Unless my memory has reached new lows in reliability, I think this should be reverted. The IBM folk should be treated fairly. ww 16:45, 17 August 2006 (UTC)


 * I am all for giving IBM whatever credit it deserves, but normally people only get credit for what they publish. Claims of unpublished invention should be met with skepticism. If Coppersmith or the other IBM guys claimed to have rediscovered differential cryptanalysis independently of NSA, then that claim might be cited. But those guys only claim that they learned about it, not that they invented it. I say that, before reverting, you should document the claim from what the IBM guys said in some verifiable source. Roger 17:50, 17 August 2006 (UTC)
 * Steven Levy states in Crypto that IBM discovered DC independently of the US government (p. 56 in my edition). That qualifies as a reliable enough source, IMO, to use here, unless it's otherwise disputed in the literature? (Personal opinion: after reading Feistel's early papers on block cipher design, and his "tickling" of inputs, I can quite believe that IBM came up with it on their own. Moreover, I simply could not imagine the NSA teaching a powerful & general cryptanalysis technique to a civilian company). — Matt Crypto 21:33, 17 August 2006 (UTC)


 * No, Levy is not a reliable enough source. His source is Coppersmith, and I say that Levy misread him. Here is what Coppersmith wrote:


 * The entire algorithm was published in the Federal Register [2], but the design considerations, which we present here, were not published at that time. The design took advantage of knowledge of certain cryptanalytic techniques, most prominently the technique of "differential cryptanalysis," which were not known in the published literature. After discussions with NSA, it was decided that disclosure of the design considerations would reveal the technique of differential cryptanalysis, a powerful technique that can be used against many ciphers. This in turn would weaken the competitive advantage the United States enjoyed over other countries in the field of cryptography. ...


 * Differential cryptanalysis was well known, however, to the IBM team that designed DES, as early as 1974. Knowledge of this technique, and the necessity to strengthen DES against attacks using it, played a large part in the design of the S-boxes and the permutation P. ...


 * The IBM team knew about differential cryptanalysis but did not publish any reference to it. That was because the tool can be a very powerful cryptanalytic tool, useful against many schemes, and there was concern that placing such information in the public domain could adversely affect national security.


 * Note that Coppersmith does not say that IBM discovered DC independently of the US government. Roger 00:59, 18 August 2006 (UTC)


 * Sort of a tough issue. While Coppersmith doesn't say IBM did discover DC independently in that quote, he also doesn't say IBM didn't.  And I think it would go without saying that IBM shouldn't reveal to the public something they learned directly from the NSA, so that statement does seem to imply that IBM did discover DC.  Mango juice talk 01:22, 18 August 2006 (UTC)


 * I take it that you mean that the statement seems to imply that IBM learned DC from NSA.
 * At any rate, this is not a tough issue. There is no need to speculate. Just say what we know for a fact. IBM claims to have learned about DC during DES development. We don't know for sure whether IBM learned it on its own, or whether it got help from NSA. IBM only gets credit for what it published. Roger 02:10, 18 August 2006 (UTC)
 * The issue of credit is a red herring, I think. Wikipedia doesn't assign credit, but we document what's understood to have taken place. There's no reason we should doubt that Levy is a reliable source. You seem to be saying that Levy based his statement on Coppersmith's paper, and read something that wasn't there. But why do you say that? I think that's your presumption: there's no mention of Coppersmith's paper at all in Levy's footnotes. On the contrary, the book is stated to be based on personal interviews, and the DES chapter, certainly, is sprinkled with quotes by the likes of Konheim and Tuchman. That IBM discovered DC in the 1970s is widely acknowledged, and unless there's been some doubt about it published in reliable sources, I think we should restore the original statement. — Matt Crypto 07:20, 18 August 2006 (UTC)
 * I say that Levy relied on Coppersmith's paper because Levy says so on pages 55 and 333 in my hardback edition. No other source is given. Yes, the paper is listed in Levy's endnotes.
 * Coppersmith was there; Levy was not. Coppersmith's article is a primary source; Levy's book is a secondary source. Coppersmith's story is accepted; Levy's is not. It is easy to understand how Levy could make a mistake like this; no one has explained why Coppersmith would fail to claim this credit for the IBM team while he was claiming credit for everything else. There is no excuse for repeating an error in Levy book when the uncontested facts tell the story. Roger 07:46, 18 August 2006 (UTC)
 * Ah yes, it is in the notes (that'll teach me to try and read anything first thing in the morning), very sorry about that. But I'm still confused as to what "uncontested facts" you're referring to. Levy is consistent with Coppersmith, unless I'm missing something again. You seem to be reading between the lines in Coppersmith's paper and reasoning that, as he does not explicitly claim credit for IBM, then the NSA must have told IBM about it. That's unsound, I'm afraid. We cannot rely on your implicit inference when we have a published source to the contrary, particularly when it flies in the face of common sense (NSA would never simply volunteer a secret and powerful cryptanalysis attack to a civilian company, surely? The entire point of NIST soliciting for public submissions was that NSA didn't want to reveal their own design secrets). Schneier, for example, appears to believe IBM invented it independently. Without a compelling reason to the contrary, we must go with the explicit source. — Matt Crypto 17:14, 18 August 2006 (UTC)


 * No, I am not saying that NSA must have told IBM, nor am I inferring anything like that. All I am saying is that the IBM team found out somehow, according to Coppersmith. Coppersmith doesn't say how in his article, and there is no need to speculate in Wikipedia.
 * As for your assumption that NSA would never volunteer a secret to a civilian company, you are just wrong about that. Schneier's statement that the NSA classified IBM's research is also incorrect.
 * The uncontested facts are that Coppersmith was on the IBM team; that he published an account of DES development in an IBM journal; that he claimed that IBM knew about the T attack in the 1970s; and that he made no claim that IBM discovered the attack independently of NSA. I don't know why you would want to perpetuate false rumors that are contradicted by the primary sources. Roger 18:34, 18 August 2006 (UTC)
 * Where are they contradicted by the primary sources? As far as I'm aware, that IBM discovered the attack independently of NSA is uncontested in reliable published sources. — Matt Crypto 20:28, 18 August 2006 (UTC)

< let's give up on the ':' counting business for a while

Aghkk! hadn't meant to set off a teapot tempest here. Sorry about that. I'll just note that WP does not insist on academic niceties of citation. Ideally, in some better world, it would be nice, but just not possible in this one, with the realities of WP operation. So, in this case, and on those grounds, I suggest that the citations made here (Levy, Coppersmith, Schneier) are sufficient justification for the inclusion of "IBM independently developed it" in this article.

Additionally, it should be noted that only the following sequence makes sense, given security regulations:
 * 1) NSA invents diff crypt (or is told of it by, say, GCHQ or some such). It's kept secret for the obvious and significant reasons.
 * 2) IBM invents it during its work on Lucifer / DES, which included -- all accounts recount -- some considerable (behind the official scenes) participation by NSA, providing 'assistance' with NBS' project.
 * 3) it comes out that IBM knows this neat analytic technique.
 * 4) consternation at NSA! Egad, someone else knows our neat trick! We've lost advantages over the Opposition! Not good.
 * 5) attempt at damage control, by NSA. NSA to IBM: hey guys, keep quiet about this, 'cause it's an important national security issue. If we tell you anything more we'd have to shoot you, 'cause it's Secret. Possibly even an undercurrent of: you realize the Federal government is a very large IBM customer, don't you?
 * 6) IBM does keep quiet about it for years
 * 7) Biham and Shamir publish. Cat's out of the bag.
 * 8) Coppersmith clears up the odd fact of DES' S-boxes' very good resistance to diff crypt, so unlikely to have been accidental
 * 9) Coppersmith not arrested or charged for violation of some regulation or another, after making his statement.

It is beyond any credible possibility that 2, 3, and 4 are replaced by NSA telling IBM folk about this national security related secrecy thing. And, if it happened, the prosecutor types and the security clearance removal types would have been involved somehow. It would have been, after all, a violation of law. None of that has come out, so ...

The case is adequately established for inclusion here. But, it probably deserves a footnote explaining exactly what Coppersmith said, and how it's been understood by informed observers. Possibly citing them as well? ww 21:56, 18 August 2006 (UTC)


 * You know, I'm leaning more and more towards Roger's opinion here: knowing what we know about the sources, I think it's implied that IBM re-invented DC, but it's not unambiguous, and it's really not such a critical point to this article. I think we should just say that IBM was aware of differential cryptanalysis but didn't publish it, at least in this article: the proper place to get into this in detail would be in the Data Encryption Standard article or the differential cryptanalysis article.  Mango juice talk 22:12, 18 August 2006 (UTC)
 * Perhaps we can deal with this in differential cryptanalysis rather than here, as you say, but wherever we do it, we must insist on representing only what sources we have available: those are primarily, as far as I understand it A) Coppersmith's article, which does not address the question of whether IBM discovered DC independently of the NSA either way, and B) Steven Levy's book, which explicitly states that they did. With regards to Wikipedia's verifiability policy, we can't do otherwise, even if we have personal doubts about it. Our job is to document the literature. If the literature is flawed, then you'd need to publish a corrective paper somewhere before it could be included here. (I agree with Ww's sequence above, but that's somewhat secondary to the issue of verifiability.) — Matt Crypto 22:28, 18 August 2006 (UTC)


 * Ww presents a theory about what might have happened, based on mistaken notions about how US security policies work. But it is just another goofy conspiracy theory that he cannot prove.
 * I changed the article back to what is known, and removed the speculative theory. Please don't change something correct to something that is speculative.
 * Our job is not to document secondary and flawed sources like Levy's book. Levy gives Coppersmith's article as his source. It looks like Levy distorted Coppersmith in order to support the thesis of his book. Levy makes lots of errors. No one is going to publish a correction to Levy's book because it is Coppersmith's article that tells the story. Roger 23:18, 18 August 2006 (UTC)
 * I thought you had an edit a while back that left the question open but didn't digress at length about the ambiguity. I was happy with that.  I do think we should say more about it, but in one of the other articles.  I do not have the impression that Levy's source for the T-attack story was Coppersmith's article.  I think it came from interviews he did.  I think I'll e-mail him and ask. Phr (talk) 07:48, 19 August 2006 (UTC)
 * I agree we should not use our own reasoning (I don't think language like "goofy conspiracy theory" is very helpful here, by the way). We should use reliable sources. Again, Coppersmith's article does not comment on this issue one way or the other (if you think it does, then direct quotes from the article would help). Levy did not use only Coppersmith's article as a source; he used interviews. Unless you can demonstrate an error in Levy's work by reference to reliable sources, then I'm afraid Levy is an acceptable source as far as Wikipedia is concerned, and your opinion cannot overrule that. — Matt Crypto 23:27, 18 August 2006 (UTC)
 * Concur w/ Matt. Here we have several folks who treat Levy's book as literature worth reflecting in WP and one who characterizes it as secondary, flawed, distorted, etc w/o citations thereof. You needn't agree w/ Levy's attitude toward the politics underlying crypto in the US of the period to concede his worth on bare facts. And to reject him on bare facts, it seems to me we need more than is available. Matt's right. Use it, expand on the issue in another article perhaps, but don't reject on the basis of the assertions here.


 * 'Correct' (and truth) is not the point on WP. We are reporting, and if the sources reported are later disputed we can and should document that as well. Until then, we're not supposed to be doing our own research, ie, into Levy's biased agenda in distorting accounts in his work.


 * Put it back in, and footnote it. Expand on the issue in differential crypt or in DES, or both.


 * First time I've been accused of being a goofy conspiracy theory maven. Most people think me dreadfully mundane, save for an inexplicable interest in odd stuff like security and crypto. Rarely called 'mistaken' in those contexts, though leaky memory causes the odd contretemps now and then. It's in the nature of these things that one doesn't actually try to prove them, as I understand it. Much more fun that way. Thanks! Mark Lane, move over!! (preen, preen) ww 00:07, 19 August 2006 (UTC)


 * No, you don't even have a majority of people who have commented here. You have two people (Matt and Ww) who think that a general article on Cryptography should credit IBM with something that IBM doesn't even claim credit for itself, and two others (MangoJuice and myself) who want to stick to facts from primary sources.
 * I don't even know why a WP Cryptography article needs to get involved in an obscure issue of who deserves credit for a particular technical advance. Roger 00:53, 19 August 2006 (UTC)
 * Well, your last sentence is a different question (which we can discuss, of course) but your argument prior to this point has been that we should remove the IBM attribution either because it's untrue, or because Levy is wrong, or because Coppersmith contradicts it. I don't wish to be aggressive, but I really don't think you've demonstrated any of that. Primary sources are fine, but there's nothing wrong with using secondary sources. — Matt Crypto 01:12, 19 August 2006 (UTC)
 * Yes, my main motivation was just to remove a false statement. No, I don't think that it is so important for WP to try to give credit. If this point is really so important, then the only resolution is to write that the primary sources say one thing, and the secondary sources say something else. Roger 02:23, 19 August 2006 (UTC)
 * I just edited it to include both what Levy says and what Coppersmith says. Roger 01:10, 19 August 2006 (UTC)


 * What we have now is poorly written. Not due to this edit, but to the inclusion of the waffling. Should be in a footnote, not in the text.
 * On the question of IBM claiming this or that, you can't tell from Coppersmith's article. It's explicitly his views, not IBM's. He says the team knew of diff crypt (they called it the T method) by 1974 which sounds to me before the NBS interaction began, and implies independent development. It is correct that he never says that the IBM folk invented it, nor that NSA asked for silence. But I would note that IBM's usual practice in re crypto has been to apply for a patent and that they did not do so at the time. Though this is intertwined with the policy against patents on algorithms which remained in force for a while yet. Nevertheless, I do not see that it's possible to take from Coppersmith's article that IBM did not independently invent it. Coppersmith simply contributes nothing definite on that point. Inference from his lack of statement is required, and we're not allowed to include that stuff in WP. The best source may be Levy, but I seem to recall Schneier on this as well. I say we leave it at independent invention, with a footnote noting the source of the info. And, if desired, a note suggesting that Levy on this point is thought unreliable by some. Why, exactly?
 * Current state unsatisfactory for writing and content reasons. ww 04:49, 19 August 2006 (UTC)


 * Coppersmith's article was published in an IBM journal, and can be interpreted as an attempt by him and IBM to claim credit for the design of NSA and to defend the design. If they wanted credit for inventing differential cryptanalysis, then I would expect him to have claimed the credit in the article. He did not.
 * The waffling is a result of you pushing a disputed point. I don't really think that the point is so important, but if you are going to present one particular view as a fact, and I believe that it is wrong, then both views should be there. Roger 05:17, 19 August 2006 (UTC)
 * Disputed by who? Yourself, obviously, and...? I agree with Ww that this isn't a good solution. If before it was venturing into an obscure aside, now it's doubly so. We have a fact, and a reliable source to back it up (Levy). What is the purpose, then, of adding another sentence that says, essentially, "P.S. there is another source (Coppersmith) that neither supports nor contradicts this fact"...? It's redundant, and there's no justification at the present time for us to cast doubts on Levy ("popular author says, but IBM doesn't mention it") without some compelling evidence that what he wrote was incorrect. Roger, you might be convinced that Levy is incorrect, but we can't just accept it on your say-so. Even if we assume that you're correct, to modify the article in this way is pretty close to original research. Wikipedia is a tertiary source, and if the literature contains errors, then it needs to be fixed "upstream" first. — Matt Crypto 05:45, 19 August 2006 (UTC)

I think Levy's main source for his DES stuff is interviews with Tuchman. I'm in support of explaining the unclarity in the DC article. I think it's too hairsplitting a detail to dwell on in this overview article. Anyone going to Crypto next week? It might be possible to ask those guys what happened. Phr (talk) 05:41, 19 August 2006 (UTC)
 * Agreed. I think we can do without the parenthesis here, and deal with this in differential cryptanalysis. By the way, there's an interesting set of slides by Eli Biham on the early days of public domain DC from FSE 2006: here. — Matt Crypto 05:51, 19 August 2006 (UTC)
 * Agree w/ Matt and Phr. A middle way of a sort. ww 07:32, 19 August 2006 (UTC)
 * I've emailed Levy asking where he got the story. I suppose that means I've committed OR.  But it can give us some guidance. Phr (talk) 08:07, 19 August 2006 (UTC)
 * I agree that a general Cryptography article does not need to get into an obscure issue of assigning credit like this. But if the article says anything, then it should be something that is verifiably correct. That is why I favored just saying that IBM knew about DC, without explaining how IBM got that knowledge. Roger 08:24, 19 August 2006 (UTC)
 * Yes, I'm fine with that, given our current state of knowledge. If Levy writes back to me and says he got the story from Tuchman (or somewhere else that sounds reasonable), then I think we should restore the old wording (crediting IBM per Levy's book), since we don't have anything contradicting it.  There's also that Senate hearing, has anyone bothered to look at the transcript? Phr (talk) 09:39, 19 August 2006 (UTC)

I heard back from Levy; he stands by the story in the book. He says it was informed by people with first-hand knowledge of what happened, as well as documents. Roger, you mentioned a while back that your doubt came from Coppersmith's Crypto 2000 lecture. If you go to Crypto next week, maybe you could ask the organizers if a tape is available. That's the only way we can get to the bottom of this. Otherwise I think we should go with what Levy's book says. Phr (talk) 07:55, 20 August 2006 (UTC)


 * Ok. Given this, I stand by the version we have now.  I'd like to point out that it's no surprise if Coppersmith was reluctant to claim that they had invented DC at IBM: it's sort of a no-no, academically, to do things like that, and Crypto is an academic conference.  Levy's book is a sufficient source.  We have no obligation to include information just because it's verifiable, but in my judgement, I think we should in this case.  Mango juice talk 15:24, 20 August 2006 (UTC)


 * I still say that Levy got the story wrong, and the issue is not really important enough for this article anyway. More strongly, I believe that WP should not give just one POV. If it puts in Levy's story, it should also note that Coppersmith conspicuously refused to take credit for IBM independently rediscovering DC in an article that takes credit for various related matters. Paul - yes, I am here at Crypto SB and I'll try to track you down here. Roger 01:36, 21 August 2006 (UTC)
 * In a nutshell, when you reason that Coppersmith has not claimed credit for IBM in a journal article, ergo IBM did not invent differential cryptanalysis independently, you are performing original research with a source, and thus we cannot use it whether true or not. On the other hand, if such reasoning as yours had been published in the literature, then we could act differently. An argument from silence is dangerous, and you may not have heard what you thought you heard at Crypto 2000. — Matt Crypto 08:45, 21 August 2006 (UTC)
 * No, I do not propose to do any original research. My position is that the article should stick to undisputed facts, as reported in primary sources. I think that it is bizarre that anyone wants to give credit to the IBM team for something that the IBM team itself does not claim credit for. I am not one of the guys who changed his mind based on a private email from Levy. Roger 02:34, 22 August 2006 (UTC)
 * You are doing original research when your novel position is not asserted by anyone in the literature, and it is not: it is actually contradicted (by Levy). What is unsound, and even "bizarre", is to make tenuous deductions from what one source doesn't say, and then demand that this inference should override what another reliable source explicitly says. If you have a theory about IBM and DC, then fine, get some evidence and publish. (If Coppersmith did, as you allege, make a public statement in front of hundreds of academics, then it shouldn't be too difficult.) But do that before editing Wikipedia to take into account your theory. — Matt Crypto 16:08, 22 August 2006 (UTC)
 * No, I have not asserted any novel position, nor have I proposed any theory. I merely proposed to have the article stick to established facts. No one has disputed the factual content of any of my edits. My last edit was to say this (with references omitted):
 * DES was designed to be secure against differential cryptanalysis, a cryptanalytic technique known to NSA and IBM, but not publicly known until it was rediscovered in the late 1980s by Biham and Shamir. (A popular account of the history of DES claims that IBM rediscovered differential cryptanalysis independently of NSA. But IBM's own account of DES development only says that IBM knew about it.)
 * This cites the primary and secondary source, and lets the reader decide. Matt, you are the one who is relying on an unsourced and fallacious theory about what NSA would or would not do, and you are the one who wants to publish a rumor from a secondary source as fact, and you are the one who wants to omit what the primary source says. Roger 17:11, 22 August 2006 (UTC)
 * (edited for civility — Matt Crypto 18:27, 24 August 2006 (UTC)) I disagree that I want to "omit what the primary source says". Your argument has been centred on what the primary source doesn't say, and how that negates what a secondary source says. What I want to omit is any inference from what the secondary source doesn't say, which would be original research. I'm afraid I have to insist that, as far as Wikipedia's policies on citing sources and original research are concerned, A) the current assertion is established fact, and B) as a source, Levy is reliable and undisputed. — Matt Crypto 19:54, 22 August 2006 (UTC)

What about the following version:
 * DES was designed to be secure against differential cryptanalysis, a cryptanalytic technique known to NSA and IBM, but not publicly known until it was rediscovered in the late 1980s by Biham and Shamir. (According to some sources, IBM rediscovered differential cryptanalysis independently of the NSA, but IBM has never publicly acknowledged this.)

I have to say that although Levy is published, I think weaseling the claim from Levy is appropriate given that the source Levy cites isn't clear, and we've found nothing else to back it up. Although I personally would rather leave out the parenthetical entirely: like I said, it's more of a matter for the Differential cryptanalysis article than this one. Oh, yeah, and both of you, chill out and stuff. Mango juice talk 19:56, 22 August 2006 (UTC)
 * Yes, sorry, I apologise for being grumpy. I think a parenthesis would be inappropriate in this article. I've edited differential cryptanalysis to add some sources and otherwise reword it. It presents who says what, but resists drawing undue attention to Coppersmith not claiming credit in his paper, which I argue would be improper. — Matt Crypto 18:27, 24 August 2006 (UTC)

Without the parenthetical comment, the article just had Levy's theory about what happened, so I changed it to the agreed-upon facts. Also, the article gave Coppersmith as a source for an assertion ("silent about it at NSA's request") that is not in the Coppersmith article. People can read the differential cryptanalysis article for more details. Roger 17:21, 27 August 2006 (UTC)
 * First, if you want to change the wording, please keep the citation templates intact. Second, Levy's version of what happened is the agreed-upon fact, so the article doesn't need changing. — Matt Crypto 18:39, 27 August 2006 (UTC)


 * No, Levy's version is disputed; Coppersmith's is not. Why do you insist on putting in Levy's version, and omitting Coppersmith's? Roger 19:11, 27 August 2006 (UTC)
 * Levy's version is not disputed, and does not contradict Coppersmith. — Matt Crypto 19:17, 27 August 2006 (UTC)
 * So you say, but if that's true, why don't you want to report what Coppersmith says? I put the references back in at your request. The way you wrote it, the Coppersmith reference was used for something that Coppersmith does not say. Roger 19:23, 27 August 2006 (UTC)

Mangojuice Ww "changed to implement consensus in talk re cite of IBM discovery", but his change did not do that at all. The only consensus is that IBM and NSA knew about some differential cryptanalytic attacks. That is what both Levy and Coppersmith say. Levy has an unsourced theory about how IBM got that knowledge, that no one can verify. Please don't claim that something is a consensus when it is not. Roger 19:57, 1 September 2006 (UTC)
 * (I believe it was Ww, not Mangojuice.) The facts are as follows: on Wikipedia, if something is stated in a reliable source, and is not contradicted in any other reliable source, then it can be presented as fact. Levy is a reliable source not contradicted by any other reliable source. Therefore we can present it as fact. — Matt Crypto 21:08, 1 September 2006 (UTC)
 * You can present Levy's account for what it is, an account in a secondary source. If you mean what you say, then you shouldn't object to also including what the primary source says, so I added that. Roger 00:00, 2 September 2006 (UTC)
 * I edited Roger's version slightly: the one he had included seemed to me to be favoring the view that the Levy account is false. I tried to write one that was more neutral.  I think this is probably the best way to handle this issue.  It wouldn't be TOO bad if we oversimplified and didn't describe the ambiguity, but we're doing it in a pretty compact way, so it's no big deal.  Mango juice talk 00:23, 2 September 2006 (UTC)
 * I have some phrasing difficulty with the current version and will come back to make a pass at it shortly. But in rereading the above -- whew!! -- I realized that no one has here noted the reason which justifies covering this issue here in the overview article. It illustrates by example the nature of progress in crypto topics and the sometimes public, sometimes not public, nature of such advances. Namely, the secrecy-influenced lack of complete knowledge for all observers. An important point to make for readers if only by example as overt elaboration would likely add too much to an already long article. ww 05:14, 2 September 2006 (UTC)
 * Actually, it could be removed entirely. Ww, your observation is one reason to include it.. but the reason in the context is to give an example of where NSA involvement in cryptography has been controversial.  The problem is, we haven't said what the controversy is, namely, that some view NSA's involvement in the development of DES skeptically; what was NSA's goal?  Was it to strengthen the cipher to help strengthen US encryption?  Or was it to weaken it so that they could continue breaking it?  Unfortunately, that point isn't made very well, and isn't backed up by the references we have.  Mango juice talk 14:51, 2 September 2006 (UTC)
 * I agree. NSA keeping IBM's discovery secret is just one way NSA interacted with public crypto. Perhaps we should focus on others -- there are plenty of cases. Certainly, I do find the current wording about "the account published by IBM makes no such claim" to be unacceptable. It gives room to a POV not found in the literature, namely that Levy is somehow suspect (he may be, but we have no grounds to imply so here). — Matt Crypto 15:10, 2 September 2006 (UTC)
 * Matt, are you determined to put false info into the WP or what? I understand your reason for including info from Levy's book, but what possible excuse could you give for excluding what the primary source actually says? Roger 16:55, 2 September 2006 (UTC)
 * Because it's irrelevant. It serves only to add an opinion, not published anywhere, that Levy is suspect. It does not address the matter at hand. — Matt Crypto 19:26, 2 September 2006 (UTC)
 * Matt, I've got to say it, but you're pushing an opinion, too. Your opinion is backed up by Levy, so it's not totally out of nowhere.  However, it is irresponsible research to ignore the reliability of sources, and Levy stands alone right now, citing a primary source that doesn't back it up.  I don't see why Coppersmith can't be used as a source, either: there's nothing unreliable about it, and we're not making any analytical claims.  Levy is a source we can't trust 100%.  Therefore, I included a weaseling of the statement, with "according to some sources."  But I think if we want to continue this discussion any further, we need to find MORE sources.  Mango juice talk 19:37, 2 September 2006 (UTC)
 * I agree we have to look at the reliability of sources, and that we don't trust them blindly. Equally, however, we should not blindly "weasel" a source without a rationale. Why should we not trust Levy? If it is simply because we're reading something into what Coppersmith did not say in a paper, then that, I'm afraid, is not sound. If it's because Roger thought he heard Coppersmith say something in Crypto 2000, then that is also not sound. I'm not a Levy fan-boy, but he's an award winning tech journalist and author. In his research, Levy interviewed original DES team members, and referred to IBM internal memos from the period. He's not been challenged in the literature. He still stands by what he wrote on this topic. On Wikipedia, such sources are treated as reliable. I'm not pushing my opinion about whether Levy is correct or not (that matters little to me), but I think it's very important that we are not influenced by original research (until that research has been published elsewhere). — Matt Crypto 19:50, 2 September 2006 (UTC)

These constant changes are getting annoying. Perhaps we can take this to a neutral arbiter. Here are the facts. The primary source (Coppersmith) says one thing. The secondary source (Levy) says something else, and only cites Coppersmith as a source. Coppersmith gave a public lecture that confirmed his article, and contradicted Levy's account. Levy sent a private email that says he stands by his story. If listening to a public lecture is original research or unsound data, then surely the private email is also. I think Levy's account is clearly wrong, and should be removed. It is contradicted by Coppersmith and common sense. Levy's book has a lot of errors in it, and it is not that surprising for him to get something wrong. But to repeatedly include Levy's account without also saying what Coppersmith said in the IBM journal is just plain deceitful and irresponsible. It is promoting a particular POV as fact when other info makes it implausible. It suppresses that other info that no one is disputing. Please do not change a general article on Cryptography to put in some bogus NSA conspiracy to the exclusion of more reliable sources. Roger 20:51, 2 September 2006 (UTC)
 * Ahem. Please stop trying to force your pet theory into Wikipedia when we have a reliable and unchallenged source that explicitly contradicts you. — Matt Crypto 22:12, 2 September 2006 (UTC)
 * No, there is no source of any kind that contradicts any of my edits. I am not forcing any pet theory. I even agreed to put in Levy's pet theory that I believe to be wrong, as long as it is attributed to Levy and the primary source is also included. Roger 00:30, 3 September 2006 (UTC)


 * There's some logical difficulty with the Schlafly position here. Levy says X, no one else contradicts, Coppersmith fails to either confirm or contradict, and therefore Levy shouldn't be trusted. This is not, as Levy presents it, a matter of interpretation. According to him, IBM found it, used it to improve the DES submission that won, and NSA told them it was already known and please don't tell anyone. Not much interpretive room there, not much motive involved at all. That Levy has a position generally and in other contexts is mostly irrelevant on this point.


 * An additional reason for including this as (IBM invented, NSA said was already known, don't talk, publicly unknown till B & S published) is that it provides an illustration of something which is important to understand about crypto, and that is that -- short of the one-time pad -- non-publicly known advances might happen which reduce the security of the algorithms a user might have counted as secure in practice. It bears on a user's understanding of the risks inherent in relying on a crypto algorithm or system (a collection of them). A point worth making as to the credibility of algorithms and crypto generally.


 * Matt is correct that Roger's doubts about Levy are insufficient to throw out his account. Independent corroboration is not required, though Roger might need it to overcome his perspective. Levy is perfectly adequate as a source for the account Roger doubts.


 * Leave it in.


 * And I agree that this tempest became fruitless some time ago. It's not an edit war yet, but one has one's fears... ww 07:14, 5 September 2006 (UTC)

Time
Right, there has been far too much time spent on this. The only reason to discuss DC & DES here is to show how NSA have persuaded/coerced industry not to publish newly-(re)discovered crypto techniques. This is an important way in which NSA have influenced the public academic crypto field, but there are other examples we can use (e.g. Khufu and Khafre). &mdash; Matt Crypto 23:10, 2 September 2006 (UTC)


 * It appears that you are the one with the pet NSA conspiracy theory. If your theory were really true and important, then you ought to be able to find some reliable primary source to back you up. I don't think these goofy theories have much place in a general Cryptography article. Roger 00:43, 3 September 2006 (UTC)
 * Roger, I'm not going to discuss anything with you if you accuse me of being deceitful and trying to push a "goofy conspiracy theory". &mdash; Matt Crypto 06:48, 3 September 2006 (UTC)


 * I disagree that we can cover this topic without bringing up the design of DES; it's a major issue and nothing can really substitute for it. I did some google book searching, and here are some things I found:


 * From the Encyclopedia of Computer Science and Technology (1989), "It has been said that in developing the criteria, IBM rediscovered some design principles that were relevant to other cipher systems not in the public domain." Old, though, before the rediscovery of DC.
 * PGP - Pretty Good Privacy by Simson Garfinkel (1994), remarks on DC being known to the NSA, remarks on the possibility that the NSA discovered flaws in Lucifer and helped correct them. Mentions Coppersmith's lecture specifically; never covers whether IBM reinvented DC or whether the changes were NSA's idea.
 * Cryptography's Role in Securing the Information Society (1996), by National Research Council, says that the changes that strengthened DES against differential cryptanalysis were "some changes NSA suggested."
 * Data Privacy and Security (2003), by David Solomon, says "Potential users immediately suspected that the NSA had changed the S-boxes in order to leave themselves a trapdoor, but today it seems that the changes were proposed by the NSA in order to optimize the S-boxes against differential cryptanalysis attack."


 * Those are all the results my Google book search returned that were both relevant and allowed me to actually see the page from the book. As you can see, two of these sources specifically describe the changes as recommended/suggested by NSA (which is somewhat contrary to Levy's view).  One avoids the question of whose idea it was, and one mentions the idea that IBM rediscovered something, but doesn't claim it as fact.  This is what I meant when I said that Levy stands alone: many other books cover this subject and do not support the version Levy does.  Mango juice talk 04:17, 3 September 2006 (UTC)
 * There's also a 1978 Cryptologia article which says "IBM has classified the notes containing the selection criteria at the request of the NSA....'The NSA told us we had inadvertently reinvented some of the deep secrets it uses to make its own algorithms' explains Tuchman." (P. Kinnucan, Data encryption gurus: Tuchman and Cryptologia, vol. II #4, 371--XXX, 1978.) Of course, that doesn't specify that this was DC. Few, if any, authors other than Levy have attempted to dig into the creation of DES and the interaction with NSA. I'm open to reason, but I don't see why we shouldn't treat Levy as a reliable source. &mdash; Matt Crypto 06:48, 3 September 2006 (UTC)
 * There was some interaction between IBM and NSA on DES. I don't know how much can be said beyond that, without getting into speculative and unverifiable theories. Roger 05:53, 3 September 2006 (UTC)
 * I'm just saying, since it's been brought up, that we should be cautious, and use a wording like "according to some sources." This is an issue where the facts are up for debate, and they are debated in the sources, so we shouldn't pick one side over the others.  Roger: I think we should get into those "speculative and unverifiable theories" because that's what this whole section is about: controversy over NSA's involvement.  The theories may be accurately described as speculative and unverifiable, but their existence is certainly not unverifiable.  Mango juice talk 12:25, 3 September 2006 (UTC)
 * Where are these facts debated in the sources? &mdash; Matt Crypto 12:50, 3 September 2006 (UTC)
 * If you want to say that a lot of people have suggested goofy NSA conspiracy theories, then that is okay with me. I just object to reporting those theories and rumors as facts, as most of them are false. This is a general page on Cryptography, not a page on the Loch Ness Monster. It should only have well-documented facts. It could refer to other pages for the details of political controversies and conspiracy theories. Roger 15:45, 3 September 2006 (UTC)
 * I argue that, from Wikipedia's point of view, a fact being published in a book like Levy's makes it a well-documented fact. If someone like Coppersmith had stated that Levy had published a rumour, then I'd be entirely willing to get rid of it from this article: it would put Levy's account into doubt. The fact is that nobody in the literature, not even Coppersmith, has refuted what Levy wrote. I think you need to address the issue of Levy's reliability -- you act as if it's simply axiomatic that he's wrong, but you haven't presented any rationale as to why. He's a published author: the onus is on you to present arguments as to why he's not a reliable source. Have you considered asking Coppersmith to repeat in print what you think he said at Crypto 2000? &mdash; Matt Crypto 18:03, 3 September 2006 (UTC)


 * No, I have not considered doing original research on this subject. Nor is Coppersmith likely to put what he said in writing, for reasons that he explained in his lecture. Matt, you are just completely wrong about this. Wikipedia never prefers a rumor published in a secondary source to a primary source. Coppersmith refuted what Levy said, and Mangojuice posted 3 other book citations that also refute it. Your understanding of the NSA is wrong, and you are apparently just pushing some goofy NSA or anti-government conspiracy theory.
 * I agreed to go along with stating Levy's theory, as long as it is attributed to Levy and it also says what Coppersmith published. But you stubbornly want to publish Levy's rumor as a fact, and eliminate the hard facts. That is unacceptable. Roger 19:20, 3 September 2006 (UTC)
 * If a fact is supported by a reliable published source, then it can be presented as fact on Wikipedia. You can call it "Levy's rumor", or a "goofy NSA theory", or an "anti government conspiracy theory", or "wrong" until you're blue in the face, I don't care. The only thing that will convince me is an actual rational argument as to why Levy, a published prize-winning author, cannot be trusted as a reliable source. Argument by repeated assertion is not convincing. &mdash; Matt Crypto 20:00, 3 September 2006 (UTC)
 * Yes, I know you don't care if you are wrong. Go ahead and trust Levy, if you want. But please stop removing what Coppersmith says or supply some evidence for Coppersmith being wrong. Roger 01:42, 4 September 2006 (UTC)
 * (sigh). Ok, this edit war has to stop.  This is ridiculous.  Frankly, it doesn't matter at all in the context of the paragraph whether or not IBM invented DC or not.  What's important is that we cover the strain between the community and NSA over NSA's involvement in the design of DES.  What's important to bring up are two things: (1) the public belief that NSA had purposely weakened the cipher with their suggested change to the S-boxes that no one understood, (2) the controversy over the NSA's suggested low key length, and (3) that the NSA asked IBM not to disclose differential cryptanalysis, which is probably the least important part of all this.  Matt, here's a rational argument why not to rely on Levy as a source of fact: his is the only account, and cannot itself be verified.  That isn't a Wikipedia regulation, but WP:V never says that any one reliable source must be taken as gospel.  In fact, if you look at WP:RS, I find the following rather relevant:


 * Check multiple sources


 * Because conscious and unconscious biases are not always self-evident, you shouldn't necessarily be satisfied with a single source. Find another one and cross-check. If multiple independent sources agree and they have either no strong reason to be biased, or their biases are at cross purposes, then you may have a reliable account.


 * However, bear in mind that we only report what reliable publications publish, although of course editors should seek to use the most authoritative sources. In accordance with Wikipedia's No original research policy, we do not add our own opinion.


 * Issues to look out for


 * Have the secondary sources used multiple independent primary sources?
 * Do they have an agenda or conflict of interest, strong views, or other bias which may color their report? Remember that conflicts of interest are not always explicitly exposed and bias is not always self-evident. However, that a source has strong views is not necessarily a reason not to use it, although editors should avoid using political groups with widely acknowledged extremist views, like Stormfront.org, Al-Qaeda, or the British Socialist Workers Party. Groups like these may be used as primary sources only, i.e. as sources about themselves and their own activities or viewpoints, and even then with caution and sparingly. Extremist groups should not be used as secondary sources.
 * Were they actually there? Be careful to distinguish between descriptions of events by eyewitnesses and by commentators. The former are primary sources; the latter secondary. Both can be reliable.
 * Find out what other people say about your sources.
 * Have the sources reported other facts reliably, including on different subjects? Cross-check with what you already know.
 * Are they available to other editors to check? We provide sources for our readers, so they must be accessible in principle. If not, inclusion is probably not appropriate. Note, however, that they need not be online; availability through a library is sufficient.


 * In my view, Roger has brought up a good reason to doubt the accuracy of what Levy reports. And Matt, you've completely dismissed it by asserting Levy's reliability repeatedly.  Levy stands alone.  We've been unable to find multiple sources backing up his account.  Furthermore, some of the issues to look out for apply: Levy didn't use multiple primary sources, he wasn't actually there, and the book DOES have a point of view, ya know: just look at the title.  Still, Levy isn't actually contradicted in any source, and it reports on other facts reliably.  Therefore, we should present the information as it actually is: Levy's account is uncontradicted, but could not be independently verified, and wasn't found in any other sources.  Therefore, we make sure the text doesn't treat it as the unambiguous truth.  I do, however, agree with Matt that we shouldn't be discussing Copperfield as if it disagrees with Levy's account, because it doesn't contradict what Levy says, and it's not really interesting information that IBM hasn't publicly claimed to have invented DC: that may be interesting in differential cryptanalysis but not here.  If "According to some accounts" or "according to some sources" makes it sound like Levy is unreliable, Matt, what would you prefer?  How about "According to Levy"?  That doesn't, to me, imply that there's something wrong with Levy, it just makes it clear that that is the one and only source.  If we just put that on the beginning, it's 3 words, which doesn't draw that much attention to this issue, which I'm sure is totally uninteresting to our readers (in this article, anyway).  Mango juice talk 14:11, 4 September 2006 (UTC)
 * OK, thanks, your argument that Levy is the sole source is a reasonable basis for some caution, and anything like "According to (Stephen) Levy" would be fine. (Personally, I still think Levy could stand alone, but I can live with your argument). And I agree that this is a little blown out of proportion, sorry about that ;-) &mdash; Matt Crypto 16:03, 4 September 2006 (UTC)


 * Yes, this edit war is ridiculous. I am not convinced that NSA asked IBM not to disclose differential cryptanalysis. We don't have a primary source. Coppersmith's article only says "after discussions with NSA" and the couple of sentences quoted above. When he says "there was concern", he pointedly does not say who was concerned. Maybe NSA, maybe IBM. Maybe NSA persuaded IBM without formally asking. Maybe NSA claimed that it was classified. Maybe NSA threatened to cut off some govt contract. Maybe IBM decided on its own. We cannot conclude from the cited sources. As Mangojuice says, the point is not that important so there is no need to say something that is possibly wrong. We know that IBM had some closed-door discussions with NSA, and that is sufficient to make whatever point needs to be made. Roger 18:04, 4 September 2006 (UTC)
 * You say, "I am not convinced that NSA asked IBM not to disclose differential cryptanalysis." Levy reports (p. 55) that:
 * "They asked us to stamp all our documents confidential, " says Tuchman, "We actually put a number on each one and locked them up in safes, because they were considered US government classified. They said do it. So I did it."
 * So yes, I think we can safely present this as fact. &mdash; Matt Crypto 08:59, 5 September 2006 (UTC)
 * That quote is a little ambiguous, but the one from Coppersmith is not: "After discussions with NSA, it was decided that disclosure of the design considerations would reveal the technique of differential cryptanalysis, a powerful technique that can be used against many ciphers. This in turn would weaken the competitive advantage the United States enjoyed over other countries in the field of cryptography."  Also, the other Tuchman quote above.  I think we can safely stick to this as a fact.  Mango juice talk 14:50, 5 September 2006 (UTC)


 * Agree with both Matt and Mango in this instance. This has been discussed at considerable length and I think we're not going to get any farther, save some new information coming to light. Thus, I think the change should be made and will come back in a bit and do it. ww 16:45, 5 September 2006 (UTC)


 * Yes, I saw that Tuchman quote, but it raises as many questions as it answers. If the IBM info was really classified, then why doesn't Coppersmith give that as the reason? When and how was the info declassified? Did Coppersmith have to get NSA permission to write that 1994 article? I would expect the IBM team to blame the secrecy on IBM, if it could. But Coppersmith pointedly says, "it was decided", without saying who gave the order. Maybe Tuchman and Coppersmith don't even know who made the decision. And if they don't know, then I don't see how you guys could know. I suggest just saying that the DES design considerations were kept secret after discussions between IBM and NSA. Everything else is unverifiable and unnecessary. Roger 18:00, 5 September 2006 (UTC)

More problems; opportunities foregone
Roger has revised the comments discussed above to reflect his view. I think he shouldn't have, based on consensus more or less achieved above, but this comment is not about that.

Roger's edit (and any which so simplifies the account from any perspective will) has done damage to a useful point. Previously, the reader is told that a powerful technique was known (in secret), that it was rediscovered (at least once) and most likely kept secret a second time. The reader thereby learns that it's not possible to be sure what cryptanalytic techniques are available to potential Attackers, and that powerful techniques are sometimes multiply developed/discovered, again sometimes in secret. This is a possibility of which crypto users should be aware as it bears directly on the security / confidentiality available from its use. And on the crypto designs and configurations which ought to be chosen in preference to others to the end of increased possibility of confidentiality / security. It is a part of the co-evolution betwixt crypto and analysis, which is a crucial part of the nature of the subject and its use or proposed use.

As the section now reads, the reader learns that there is a claim in some book about whether IBM knew about something or not. This will be opaque to a great many readers, and not usefully opaque either. We ought not to be writing opaque prose here on WP. ww 09:32, 11 September 2006 (UTC)


 * The problem here, as I see it, is that different accounts of the creation of DES tell different stories. The obvious choices are: (1) stick to the facts where the accounts agree; (2) do original research on which account is most accurate and tell that; or (3) describe the different stories and cite the sources.
 * As Ww explains, the basic undisputed facts are sufficient for the reader to learn useful lessons from DES. IMO, there is no need to tell any more in a general article on Cryptography. Maybe an article on differential cryptanalysis can dive into the issue of who should get credit for what, but it is just not that interesting to the typical reader, and there is no complete answer available.
 * If you just put in Levy's account and omit the others, then you will just invite criticism that the article is wrong, and invite others to add the other accounts. There isn't any reason to stick to Levy's account to the exclusion of others, except to promote Levy's anti-govt POV.
 * Therefore I believe the best outcome is to stick to the facts in Coppersmith's account, and not speculate on the content of the communications between IBM and NSA. Roger 15:30, 11 September 2006 (UTC)

Random visitor observation
Under public-key cryptography, there's a picture of Diffie and Hellman with a subtext of "inventors of public-key cryptography", yet, elsewhere in the article there's the following text: "In 1997, it finally became publicly known that asymmetric cryptography had been invented by James H. Ellis".

Is there a minor point of contention between who really invented it or something? It just seems a bit unclear to me. Crimson30 18:51, 17 September 2006 (UTC)


 * Yes, it should be clarified. Ellis independently developed some of the concepts. The article also fails to credit Merkle, who was really the first to submit for publication a paper describing public key crypto. Roger 19:27, 17 September 2006 (UTC)

Needless caption rambling
The caption under the public-key cryptography has an irrelevant portion.

"Padlock icon from the Firefox web browser, meant to indicate a page has been sent in SSL or TLS-encrypted protected form. But note that a properly subverted browser might mislead a user by displaying a proper icon when a transmission is not actually being protected by SSL or TLS. Security is not a straightforward issue."

The first sentence is very informative and contributes much to the cryptography article. The subsequent sentences, however, do not. These other comments deserve a place possibly on the browser wiki page or the blog of a firefox fanatic. These excess comments must be removed. --166.66.103.37 02:43, 26 October 2006 (UTC)


 * I agree with David, who restored it. This kind of comment was encouraged by other editors during the Featured Article process, and it is informative and on-topic.  There is some level of consensus that this belongs in the article, and only you objecting to it, so I'm removing the tag.  Mango juice talk 05:54, 26 October 2006 (UTC)

First Sentence
The first sentence isn't even a sentence at all - without the parenthetical information, all it is is the word "cryptography" in bold. The proceeding sentence then begins with "In modern times" - this gives rise to the notion that the preceding sentence had once held a definition of "cryptography" which does not apply to modern times - does anyone know what happened to it?!

Ethical and societal implications of cryptography
I think this article really needs a separate section or sections on the ethical and societal implications issue of criminals using encryption. Some topics I think this article is missing:
 * The use of encryption by dissidents in dictatorships to provide free speech.
 * The issue of "if you're not doing anything wrong then why do you need to encrypt your communications" and why a lot of people feel that is misguided thinking.
 * Criminals/terrorists using encryption for nefarious purposes vs. those using it for free speech, privacy, or security purposes and the moral/ethical dilemma that brings up.

--Cab88 22:41, 9 December 2006 (UTC)


 * It's a good idea, but given the current featured status of the article, this update should proceed cautiously. Has much been written on the ethics of cryptography itself?  If so, we should stick to the most reputable of such writing as our source material... and if what's been written is less well-collected, we should probably just have a separate article on Ethics of cryptography, which we can link from here.  In a cursory google books search, I didn't find much written on the subject that wasn't complete bullshit, and what I did find amounted to things the US government wanted in terms of crypto (like key escrow), and that the community hasn't especially debated ethics issues.  Mango juice talk 17:07, 11 December 2006 (UTC)
 * There's the famous quote, "gentlemen do not read each other's mail", the phrase used by Henry L. Stimson when he closed down the US Black Chamber in 1929. As per Mangojuice, though, how we cover this topic is driven by the nature of the sources available. &mdash; Matt Crypto 17:19, 11 December 2006 (UTC)