The NSA’s “Fifty Years of Mathematical Cryptanalysis (1937–1987)”

In response to a FOIA request, the NSA released “Fifty Years of Mathematical Cryptanalysis (1937-1987),” by Glenn F. Stahly, with a lot of redactions.

Weirdly, this is the second time the NSA has declassified the document. John Young got a copy in 2019. This one has slightly fewer redactions, and nothing that was provided in 2019 is redacted here.

If you find anything interesting in the document, please tell us about it in the comments.

Posted on May 19, 2025 at 7:06 AM

Comments

Clive Robinson May 19, 2025 9:04 AM

@ Bruce,

You have two copies of the same document with redactions.

It might be interesting to see in effect “what has become shown” in the latest version that was not shown in the previous version.

Then do a couple of things with it,

Firstly, to compare advancements in academia and industry to what has become revealed.

Secondly, by “patchworking” get an insight into other areas the NSA was methodically investigating at the time.

Thirdly, by analysing the size, shape and location of still redacted sections make “educated” guesses about the possible areas of mathematics that are within.

Fourthly, get a feel for areas that the NSA was not investigating for various reasons, thus by inference see why they followed some areas of investigation not others.

Fifthly, having done this, potentially come up with new FOI requests.

I’m sure others will be able to add to the list 😉

Geoffrey Nicoletti May 19, 2025 10:11 AM

I thought the document was especially useful in the argument over who has the advantage…cryptanalyst? cryptographer? Instead of being outside of the process, you are listening from the inside on the matter. All conclusions by us, the readers, are salted by the fact that Stahly’s report pre-dates the hacking impact of the Internet and the current staggering impact of AI.

AlexT May 19, 2025 5:20 PM

Not my field of expertise but can we really assume that there are groundbreaking concepts / findings that would still need to be classified almost 40 years later ?

Clive Robinson May 19, 2025 7:24 PM

@ Alex T,

You ask,

“… can we really assume that there are groundbreaking concepts / findings that would still need to be classified almost 40 years later ?”

The simple answer is yes, but it’s getting less so as academia and industry see the worth of Privacy and Security.

Not sure how old you are but the early history of DES was a bit of an eye opener.

The “public responses” to the request were often little more than upgraded paper and pencil ciphers.

The IBM cipher was designed by some of the best outside of the Puzzle Palace and initially had some quite critical weaknesses. The basic idea was to build a “mixing function” and ended up based on a system for “Information Friend or Foe” (IFF) designed for aircraft. The idea behind it came from Horst Feistel and subsequently became known as the Feistel Round (and is the basis for most block ciphers).

However it has some issues that were not known even to the NSA at the time. However one of the IBM team, Don Coppersmith, realised that it was there and found a way to “design it out”. The idea and the method remained classified for many years. In fact even when the method was discovered by others the NSA kept quiet until someone demonstrated that it must have been used during the DES design process.

Do I need to mention the embarrassment of the “Dual Elliptic Curve Digital Random Bit Generator” (Dual_EC_DRBG)?

How long do you think that would have remained secret if not realised by someone who was working at Microsoft?

I’ve mentioned before that the design of “Mechanical Cipher Systems” that got used for “field ciphers” had an interesting issue. When you look at their “key space” you find the keys have varying strengths, some secure by WWII standards and some ridiculously weak.

The person behind this stratagem was working at the private research “Riverbank Laboratory” by the name of William Friedman. He probably thought it up during WWI.

The idea is that any field cipher machine is going to fall into the hands of the enemy one way or another; it cannot be avoided.

Thus depending on the enemy’s skills they might decide for several reasons to copy it (the WWII German Enigma and British Typex were logically the same).

If they were not very skilled or had a thought to get around certain “Key Material”(KeyMat) that the Germans had with Enigma, they could end up using on a random basis a mixture of strong and weak keys.

The thing is if a weak key gets broken the message gets discovered with some effort. However if the message gets built into a “card index” then you end up with sufficient “probable plaintext” that can make breaking even the strong keys fairly trivial.

Now the way around this if you know which are strong keys and which are weak is to issue “Key Tables” that were strong from a central “Key Management”(KeyMan) system. If the enemy were less adept then they would either issue weak keys or use a key generation method that would throw up weak keys based on probability.

This led onto William Friedman and his students coming up with such weak key strong key systems and it was not till something like a century later with Crypto AG in Zug Switzerland that the idea of different key strength systems became clear.

The lesson from this was “random was not the way to go” when designing parts of your cipher system like the wiring intervals on rotor wheels. A lesson that still is not much talked about.

Another area where things were kept secret even long after it was known in academia was “Linear Feedback Shift Registers” (LFSR). Yes they can produce very long sequences but they are actually almost as easy to predict as XORing two counters running at different rates together (Chinese Clock Counters).

This failing is still found in CPU chips that have “in-built DRBGs”.

I’ve been through it before a few times on this blog, but briefly the result is what looks random “close in” when looked at much further out after simple integration makes a near perfect sine wave…

I could go on but…
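Clive’s remark above that LFSR output is easy to predict, shown as an added example that is not from the post or any source it cites: the Berlekamp-Massey algorithm recovers a 5-stage register from only 10 output bits and then predicts the rest of the stream. The register taps and seed are constructed for the demonstration.

```python
# Added example: recovering an LFSR from a short stretch of its output with
# Berlekamp-Massey, which is why a raw LFSR is not a usable random bit generator.
from functools import reduce


def lfsr_bits(seed, taps, count):
    """Fibonacci LFSR: s[n] = XOR of s[n - j] for j in taps; seed is s[0..L-1]."""
    s = list(seed)
    while len(s) < count:
        s.append(reduce(lambda acc, j: acc ^ s[-j], taps, 0))
    return s[:count]


def berlekamp_massey(bits):
    """Return (L, c): the shortest register generating bits, as a connection
    polynomial c[0..L] (c[0] == 1) with s[n] = XOR of c[j] & s[n - j], j = 1..L."""
    n = len(bits)
    c, b = [1] + [0] * n, [1] + [0] * n
    L, m = 0, -1
    for i in range(n):
        d = bits[i]                       # discrepancy between prediction and bit i
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:
            t = c[:]
            shift = i - m
            for j in range(n + 1 - shift):  # c(x) -= x^shift * b(x) over GF(2)
                c[j + shift] ^= b[j]
            if 2 * L <= i:                # register has to grow
                L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]


def predict(bits, L, c, count):
    """Continue the sequence with the recovered register."""
    s = list(bits)
    for _ in range(count):
        s.append(reduce(lambda acc, j: acc ^ (c[j] & s[-j]), range(1, L + 1), 0))
    return s[len(bits):]


if __name__ == "__main__":
    # Constructed register: taps (3, 5) is the polynomial x^5 + x^3 + 1 (period 31).
    stream = lfsr_bits([1, 0, 1, 1, 0], (3, 5), 40)
    L, c = berlekamp_massey(stream[:10])  # only 2L output bits are observed
    print("register length:", L, "taps:", [j for j in range(1, L + 1) if c[j]])
    print("remaining 30 bits predicted:", predict(stream[:10], L, c, 30) == stream[10:])
```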

Clive Robinson May 19, 2025 9:04 PM

@ Bruce, ALL,

You say,

“John Young got a copy in 2019”

Not sure if you have seen this, or the very belated post by the EFF?

https://countylocalnews.com/2025/04/10/death-of-john-young-cryptome-founder-at-89-on-march-28-2025/

“On March 28, 2025, the world mourned the loss of John Young, the esteemed founder of Cryptome, who passed away at the age of 89. His [passing] marks the end of an era for digital activism and advocacy for transparency in the digital age. As a figure deeply committed to aesthetics and conscience, Young’s life and work continue to inspire those who champion freedom of information and internet privacy.”

Ms. Un Redact May 20, 2025 4:29 AM

Perhaps in addition to comparison of the 2 releases, an attempt can be made to un-redact the 2 texts:

1) Redaction techniques in 2019 may be different (less effective) than those in 2025.

2) Use AI to examine both texts and interpolate, the AI could be trained on mathematics texts and surveillance texts. Perhaps AI can determine the most likely substitutions for the redacted text and redacted equations.

Jochen Voss May 20, 2025 7:22 AM

One slightly interesting find: Index entries pointing into redacted regions are preserved. For example, page 13 is redacted out in its entirety, but from the index we know that the following topics are discussed: Chi wheel; delta; delta-key; delta-pattern; eigenvector; eigenvector convergence; Good, I.J.; Hagelin; level; pin pattern; Psi wheel; rectangle; TUNNY; Turing, Alan; Tutte, W. T.

Grammar May 20, 2025 9:33 AM

Look at the text before and after a redaction, grammatically what is most likely after and most likely before, respectively.

Clive Robinson May 20, 2025 10:34 AM

@ Jochen Voss, ALL,

With regards,

“but from the index we know that the following topics are discussed: Chi wheel…”

Most of those are explained in,

https://billtuttememorial.org.uk/codebreaking/the-lorenz/

The thing is the combinatorics of the Lorenz machine are fairly well known in certain areas of the crypto domain.

We even know from what was written later how the machine was “supposedly” broken initially.

A long message was encrypted under the same key twice. The difference being that in one plaintext a number was typed out such as “three” and in the repeated message it was “^3^” where the “^” represents the “number_shift” and “letter_shift”. As the Lorenz/Tunny was a stream cipher using an XOR as the mixer it was a “simple matter” to strip the key text to get the plain text then recover the key texts and then the hard part, finding the cycles of each tab wheel and so work your way in.

Bill Tutte did this by himself with many long days and nights. He deduced that there were two sets of wheels that were XORed and one set moved like a car odometer and the other set all the wheels stepped together. As all the wheels were “prime geared” you got a maximum sequence either way.

It’s this system I was alluding to in my post to @Alex T above…
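The depth Clive describes above, as an added example that is not from the post or any source it cites: two messages under one XOR keystream, the second with “THREE” abbreviated to “^3^”, so XORing the ciphertexts cancels the key, localises the difference, and lets a guessed first plaintext yield both the second plaintext and the keystream. The messages and keystream are constructed sample values.

```python
# Added example: why keystream reuse on an XOR stream cipher gives up both
# plaintexts and the keystream itself. All values below are constructed.

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter (the Tunny-style mixer)."""
    return bytes(x ^ y for x, y in zip(a, b))


def strip_key(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts under one keystream: C1 xor C2 = P1 xor P2, the key cancels."""
    return xor_bytes(c1, c2)


def differing_positions(c1: bytes, c2: bytes) -> list:
    """Positions where the two plaintexts disagree (non-zero bytes of P1 xor P2)."""
    return [i for i, v in enumerate(strip_key(c1, c2)) if v]


def recover_keystream(cipher: bytes, known_plain: bytes) -> bytes:
    """Known plaintext for one message returns the keystream for that stretch."""
    return xor_bytes(cipher, known_plain)


def read_other_message(c1: bytes, c2: bytes, guessed_p1: bytes) -> bytes:
    """With P1 guessed, P2 = (C1 xor C2) xor P1; no key material is needed."""
    return xor_bytes(strip_key(c1, c2), guessed_p1)


# Constructed, deterministic stand-in for the wheel output (in Tunny the XOR of
# the chi and psi streams). A real keystream must never be used twice.
KEYSTREAM = bytes((i * 73 + 41) % 256 for i in range(64))


def encrypt(plain: bytes) -> bytes:
    return xor_bytes(plain, KEYSTREAM)


# Same report sent twice; the second copy is two characters shorter, so after
# the abbreviation it sits against a different part of the keystream.
P1 = b"REPORT FOR NUMBER THREE SECTOR FOLLOWS"
P2 = b"REPORT FOR NUMBER ^3^ SECTOR FOLLOWS"
C1, C2 = encrypt(P1), encrypt(P2)

if __name__ == "__main__":
    print("first differing byte at index:", differing_positions(C1, C2)[0])
    print("second message read without the key:", read_other_message(C1, C2, P1))
    print("keystream recovered:", recover_keystream(C1, P1) == KEYSTREAM[:len(P1)])
```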

Moshe Rubin June 9, 2025 4:25 AM

@Jochen Voss, @Clive Robinson, @Bruce Schneier, @All

Extracting information from the index

Continuing Jochen’s excellent idea, you can find all index terms for all pages in the document at my Google Docs account:

https://drive.google.com/file/d/1ClbUXg8F7L1MdvXIWvs9STibLRq_W0Jz/view?usp=drive_link

For the record, Jochen was spot on regarding page 13.

A clean ASCII listing of the index:

https://drive.google.com/file/d/1hEaeCScBK5oTaiE5Pp68HCbKzSJwEIRU/view?usp=drive_link

There is a lot of information to be extracted from these redacted pages.

Bill Tutte Memorial Page

@Clive: The Bill Tutte memorial page’s video to Dr. James Grime’s YouTube video entitled “Lorenz: Hitler’s “Unbreakable” Cipher Machine” is flagged as private. The URL is: https://youtu.be/GBsfWSQVtYA

Self-Deprecating Humor!

What is there not to like about the sentence on page 45:

“The CDC 6600 began running at IDA-CRD in the summer of 1967, and even the most dyed-in-the-wool conservative (i. e., Glenn Stahly) soon abandoned the “security” of his card decks.”

Stahly is, of course, the author of the paper.
