Hello and welcome to Hopkins at Home.
Thank you very much for joining us today.
I'm Dicky George, I started work at the National
Security Agency or NSA, as I'll be talking
about it for the rest of the talk in 1970.
Today I'm going to talk a little bit about
something that happened in the seventies.
It was the development of DES, which was the
commercial standard algorithm that the government
provided for banking, people like that.
You're welcome to ask any questions you have
by typing them into the chat module on your
screen, throughout the talk.
If the questions are simple, I'll answer them
when they're given.
If they're more complicated, I'll probably
wait until the end.
So let's go ahead and get started.
Now, I'm going to set the stage a little bit
by telling you what life was like back in
1970.
And remember, this is the early seventies.
So when I started at NSA, we had an organization
of about 3000 people.
It was the Information Assurance, the communications
security part of the organization did the
defensive work for the National Security Agency.
3000 people in that organization did not own
a computer.
So computers were not that standard at that
time.
We could get one a couple of years later.
At that time, computers were just starting
and I, as a mathematician, really didn't know
anything about cryptography.
The only crypto I had any knowledge of it
all was World War II stuff, enigma and purple.
And as far as the average person knew that
stuff went away at the end of World War II.
It didn't, it was still around.
And in 1972, the government decided that computers
were starting to be used in things like banking.
The government needed some kind of a standard
algorithm to use for protection and the National
Bureau of Standards, which is now NIST, National
Institute of Standards and Technology, NBS
was tasked with coming up with this algorithm.
Well, NBS didn't actually have any crypto
people at that time.
So they came to NSA to ask if NSA would provide
an algorithm.
There was a lot of interesting chatter at
NSA about whether they should do that or not.
And remember, they're on the order.
There are hundreds of mathematicians at NSA,
and everybody was talking about this and everybody
had an opinion and not, not at all uniform
about what we should do.
Most people thought would be probably smart
for us to stay out of it because there were
too many bad things that could happen.
If we did a bad job of designing it, people
would think that we were incompetent.
It was just easy to say and yes, go ahead
and create the algorithm, what we will do
is partner with you and we'll evaluate the,
the proposal and see whether it's good or
not.
And we will, we will let you know if there
are any attacks that are, that are short of
exhaustion.
Exhaustion, by the way, is if you if you look
at a cryptologic, there are a lot of steps
to very complicated algorithm, but you assume
that the adversary knows what that algorithm
is.
The part they don't know is the crypto variable
and on the outside is often called the key.
That crypto variable is, is a set of bits.
You can always try all possible bits and look
and see how it, how it decrypts.
If you have a message and you decrypt the
message and it makes sense, that's likely
the crypto variable.
The cost of trying all those possible crypto
variables is called exhaustion.
So that's what you shoot for.
You don't want any attacks that are cheaper
than just trying all the possibilities.
So we, we sat back and said, NBS, we will
be the honest brokers.
We will do an evaluation of this and we will
tell you what we come up with.
We'll make sure that the algorithm that you
propose is as good as advertised.
And that was the agreement that was reached.
So then things got interesting.
It's, DES is, is an important step in crypto
history for the country and let me explain
why.
At this time all cryptography was done by
the government.
It was, it was all used for protecting government
secrets.
When DES was first proposed for public use,
the outside world really didn't have much
in the way of interest of cryptography for
a couple of reasons.
It wasn't a hot topic, but they also didn't
have a good problem to work on.
Well, when DES entered the picture, it in
fact was a good problem for the outside world
to work on.
That, that, that sparked interest in this.
And in fact, for those of you who are familiar
with crypto at all today, there are things
like a Diffie Hellman exchange, the RSA algorithm,
RSA is for Rivest-Shamir-Adleman.
If you're familiar with those, four of those
people got their interest in crypto by looking
at DES and that was Hellman, Diffie and Rivest
and Shamir, they all got their star, and I'm
not sure about Adleman, whether he did or
not, but, but he's, he's not as public as
the others, but in talking with the others,
I know that they all got their start through
DES.
So DES had a, had a key role in the whole
development of, of the interest in cryptography,
in the public.
In 1972, when it was decided that the National
Bureau of Standards would create this algorithm,
they put out a call for people to propose
algorithms, to be used as the Data Encryption
Standard.
There were three responses to that call and
all three were professors looking for grants
to study the problem, which was not at all
what they were looking for.
They were looking for an actual algorithm.
They came back to NSA and said, there were
no takers.
What should we do?
Then there was more discussion.
Should NSA actually develop the algorithm?
We started actually thinking about developing
an algorithm.
And then one of the, the Deputy Director for
Communications Security, he was the head of
the defensive side of NSA, in talking to some
of his colleagues found that IBM was actually
working on an algorithm, which they were planning
to commercialize.
It was called Lucifer.
So he talked to IBM and convinced them that
in the interest of the nation, they should
actually submit this algorithm as a candidate
for the Data Encryption Standard.
When he told NBS this, they put out another
call.
And again, there were, there were three responses
to that call.
One was a professor who was, again, looking
for a grant to study the problem.
Another was another company that wanted to
propose an algorithm, but they wanted to keep
the algorithm secret.
And one of the rules of this was that the
algorithm had to be open to the public.
It was going to be examined by the public.
It had to have public faith because it was
being used by the public.
And when that company said that they would
not tell NBS what the algorithm was.
They pretty much disqualified themselves from
the competition.
The third candidate was in fact, this algorithm
called Lucifer, which actually then was chosen
and it became the Data Encryption Standard.
Now keep in mind, when you, when you're talking
about crypto, you have that algorithm, you
have the crypto variable, you have a lot of
interesting things that happen inside the
algorithm.
So we're gonna talk a little bit about some
of those pieces right now.
So the first thing is the crypto variable
and it's how many bits, how many bits should
it have?
When the proposal came forward, it came in
at, with 128 bits as a proposed crypto variable
length.
And that caused some consternation.
Of course part of it was the Signal Intelligence
part of the Agency, which didn't really like
NSA vetting an algorithm that could be used
that they couldn't break.
And of course they weren't going to be able
to break the, the result no matter what happened.
It caused some problems.
The bigger problem was with the communications
security part of the Agency, the defensive
part.
We put a lot of effort into designing algorithms
and designing them very carefully.
And let me give you an example of, of how
carefully we designed these things.
One of the first algorithms that I started
working on was used in, in radios, that algorithm
was designed in 1957.
We studied it for about 11 years and after
11 years, we decided that it was good enough.
We had tweaked everything that needed to be
tweaked.
So 11 years of work in looking at that algorithm,
we decided it was good enough.
Then we started building it.
The key to cryptography really is the implementation
because you're not really attacking the theoretical
thing.
You're really attacking what was built.
So we started building that in 1968 and it
was actually fielded in 1976.
So that's another eight years.
It took from, it took basically 19 years to
go from design to fielding of that algorithm.
And that's how careful we are.
Every time we were building something, if
there was any problem at all, we fixed that
problem.
So one of the things that I did on that algorithm
was called a failure analysis.
So we took the engineering diagram of, of
what that algorithm was and we went through
and we looked at every single thing that could
happen.
We, we broke every possible wire.
This is all on paper.
We, we failed all of the pieces in any way
they could fail to see what the impact was
on the output.
And if there was a bad impact, we either change
the design, so that, that impact wouldn't
be that bad and sometimes it's just as simple
as reordering, the steps of addition can change
things, or we put in alarm in and we said,
look, if, if this bad thing happens, we want
an alarm that's going to shut the machine
down cause we don't want it to broadcast in
an insecure way.
So that's, that's 19 years of study to make
sure that we got it right.
NBS, wasn't going to have 19 years.
They were going to have about a year to get
this thing out.
So it was, it was tight.
Now with the crypto variable, they suggested
128 bits.
We were concerned that US government might
think that this could replace the kind of
algorithms that we were providing for them
to use.
It was not going to have the kind of study,
it wasn't going to have the careful attention
to detail, it wasn't going to have the, the
careful implementation that takes eight years
of study to ensure the thing as good.
And we didn't want commercial things taking
the place of the government produced the equipments
that we had real confidence in.
So we preferred to cut back on the crypto
variable size so that it wouldn't be seen
as a competitor for the kinds of algorithms
that we were using.
There was a lot of discussion in the agency
about the size.
And one of the things that I found out in
preparing this talk was about, I found the
notes that were a meeting that were, there
were only three people at this meeting, the
Director of NSA, Jim Fraser, who was the Chief
Mathematician in the Communication Security
Organization and the Director's Executive
Officer, who was taking notes.
So at some point in the meeting, as they were
discussing how big the variable should be,
the Director asks Jim Fraser, how long do
you believe that this algorithm will be in
use?
Now, the interesting thing was NBS planned
to swap this algorithm out every three or
four years, keep changing it.
They didn't have the experience with crypto
I'll take what's crypto gets to the field.
It stays in the field.
It is murder to get that stuff out and it's
murder to change.
So, so Jim Fraser said, I'm guessing that,
this is 1974, I'm guessing that it will be
used until about 1990.
And by 1990, by 1990, we'll need a new algorithm.
And so the Director said, how, how much crypto
variable do we need to have in order to be
good until 1990?
And Jim Fraser said 56 bits.
If, if you make it 56 bits, that will be good
just until 1990, by 1990, we expect that we
will be able to break that.
And so he said done, 56 bits.
They called the director of NBS and they agreed
on them.
I have a question.
Did IBM have any business reason to participate?
They did not really have a business reason.
In fact, they were giving up an opportunity
to provide this commercially.
Of course now, at the same time, they were
the people that were designing this and it
did give them a head start in actually implementing
it as a commercial product.
So they were the ones that knew it best, but
they, they, they didn't, they no longer had
a monopoly on the algorithm.
So it, I, I would not say it was for prestige.
I would say they did it for the good of the
country.
The country needed it.
They looked like they were the only ones that
had something that would work.
And so they said, yeah, we will, we'll take
that hit for the team.
So we got to 56 bits.
Now, the interesting thing was that 56 bit
answer was really controversial.
There were a lot of people on the outside
that thought that was very small and they
thought it should be much bigger than that.
Well, we knew some things that said given
the designs, it really can't be much bigger
than that.
Cause cause we would have a little bit of
a problem if it was bigger than that, then
that's a story we'll get into later.
But there was, there were some good things
and some bad things about that.
If people were worried about the 56 bits,
that made our Signals Intelligence Director
very happy because it meant that probably
people weren't going to use it.
They weren't going to have to worry about
the fact that they really couldn't break it
effectively.
At the same time, we were happy because it
meant that our constituents, the military
was not going to think that this was a good
substitute for the stuff that we were giving
them to use.
So we satisfied everybody in that sense.
It also gave people a great problem to work
on because they thought 56 bits, I'm going
to be able to break this.
There were a lot of very, very good papers
written on this and Marty Hellman had had
two really good papers that he wrote and he
did a great job of trying to argue that that
wasn't long enough.
But we carefully analyzed all the work that
was done and none of those papers produced
really practical attacks.
There were, there were some theoretical things,
but even the theoretical things were not really
cheaper than exhaustion.
So we were pretty happy with what was done.
Now, another feature was the key schedule.
So the crypto variable schedule, that's the
order that the bits are used because the 60,
by the way, 56 bits was padded to 64 because
we all was in the, in the communication security
world, we always add parody on to ensure that
you've loaded the crypto variable right.
You load it, you check the parody.
If the parody doesn't match, then you know,
you've, you've made a mistake and you load
it again.
There's a real danger in loading a crypto
variable that doesn't get loaded quite correctly
in sending a message out.
So you've gotta be real careful about that.
And what they did was they broke it up into
bites.
They put seven bits in each of eight bites
and then the eighth bit was stuck in either
a zero or one to make an odd number of ones
in the bite.
And that was the parody.
All 64 bits were used many times.
And so there was an ordering that they were
used and it was a very, very simple key schedule
they used.
And that drove several people a little bit
crazy.
Marty Hellman was one of them.
He had some interesting discussions.
I was another one.
I could not believe that I couldn't find that
attack against the key schedule that was that
simple.
And I spent a long time trying to exploit
that, that long past the time when it was
fielded, I was still trying to attack that
algorithm to see if there was anything I could
do with the key schedule and I couldn't.
We had an agreement with the Director of NBS
that if we didn't have a good reason to change
anything, we would not request a change.
Since we couldn't find an attack based on
that key schedule, we left it as, as it was,
and it still drives me crazy, but of course
it's, it's over now.
It's, it hasn't been used in a while.
It was funny when this, this whole DES story,
NSA's involvement, was classified until the
year 2011.
When I, I wanted to get the story out.
I thought it was a good story for people to
have.
And I, and I talked to the director of NSA
and said, you know, this is a story that if
we don't get it out soon, it's going to lose
relevance.
It's and the people who worked on this problem,
who were at the agency in 1972, three, four,
they're getting kind of old.
So we ought to get it out while the people
who know that story are still around.
So we actually declassified the story in 2011
and I presented this talk first time at the
RSA conference.
If you're familiar with RSA, it's, it's relatively
big conference.
It has, at that time, I think there were about
17,000 people who went there and the way it
was presented in three parts.
As part of that RSA conference, there's a
keynote section where different people come
in and give keynotes.
It's typically CEOs or CTOs from big companies,
but there's one panel in particular, it's
the crypto panel and the people on that crypto
panel are Marty Hellman with Diffie, from
Diffie Hellman, Adi Shamir from RSA and Ron
Rivest from RSA and for 2011, they added me
to that panel and we talked about the NSA
role in DES.
Cause all these guys had worked on analyzing
DES.
It had all been classified.
They hadn't been able to ask any questions
about it, but they could have asked all the
questions they wanted, they weren't getting
any answers.
So when it was announced that there were going
to be five people on the panel, this was what
the topic was, I got inundated with emails
from these guys, asking all the questions
that they wanted the answers to and I had
to tell them that those are good questions,
and I'm not going to answer them until we're
on the stage at the keynote, it's going to
be fun, we'll have a good time.
But particularly, I enjoyed getting one from
Marty Hellman, he said, you know, I've been
waiting 30 years for this answer.
I might die before the conference.
You've got to tell me now.
I told him, Marty, you're in good shape and
you're not going to die.
It'll be, it'll be great.
So we had a good time and, and it was the
question about the key schedule that he was
just dying.
Why, why on earth did I let that key schedule
go through that way?
And the answer was because we had this agreement
with the National Bureau of Standards that
we wouldn't change something unless we had
an attack based on it.
So we left that there.
Now the next piece it's crypto... the next
piece, every algorithm has a nonlinear part
to get, to get, to make it complicated.
If it was just linear, the thing kind of falls
apart, you need the nonlinear part.
And this was back in the early days of this
stuff.
So the nonlinear part of this algorithm was
called S boxes.
There were 32 permutations on the numbers
from zero to 15.
Now the permutations that they just move it
around, move the numbers around.
So we asked, when IBM submitted that proposal,
we told them, well, we're going to give you
criteria for these S boxes and that you'll
have to change them from the way they are,
cause we need them to be good.
We, we gave them an eight criteria to how
they generate these S boxes.
There were actually nine criteria.
The ninth criteria blocked differential crypt
analysis.
Differential cryptanalysis was classified
at the time.
Nobody on the outside knew about it.
And we didn't want this thing to be vulnerable
to differential crypt analytic attack.
So we had that ninth criteria and we told
IBM, here are eight criteria generate 10,000
permutations and send them to us and we'll
pick a subset that you should use.
And what we figured we'd do is we'd bring
it in, we'd apply the ninth criteria to all
those things and see which one satisfied the
ninth criteria.
And we just use those.
Well surprise, surprise.
The ninth criteria was harder to satisfy than
we thought.
So when they submitted 10,000 of these permutations,
none of them met the ninth criteria.
So, we had to go in and generate our own S
boxes and sent them back and said, please
use these.
Now, we weren't sure that they would actually
check to see whether those were in the original
set they supplied or not.
But as one of the members of the team said,
we submitted a bunch of S boxes to them and
they came back looking, looking all different.
And we were told to use those, so we used
them.
That led to a very interesting result.
A lot of people thought that NSA has put a
back door, a hook into this algorithm, and
it must be in these S boxes that they substituted,
the substitution for the ones that were provided
to them.
And so one of the cool things about permutations
on zero to 15, when you look at those numbers,
it's like, you know, a batter who's, who's
hot, batters don't stay hot for a season,
but they're stretches where they're hot and
you see funny things, the eyes can find patterns
in numbers.
You can always find patterns in numbers and
the number of papers that were written by
people who claim to have found evidence of
the back door in these S boxes.
It was, it was a huge number of papers.
And it was really interesting to see that.
Now that may, the people in the singing organization
really, really happy because they figured
if people believe that NSA had put a back
door in, no one was going to use this algorithm.
So that they, they were really happy.
It was, it was fascinating to see all the
work that was done on those S boxes.
Now, what we really did of course, was put
S boxes in that wouldn't lead to a problem.
We put a lot of time and effort into this
DES.
One of the really interesting things about
that was that there were various teams that
set up and these teams didn't really didn't
know that all the other ones existed.
When I was developing this talk in 2011, one
of the people I talked to was, was a guy who
worked at NSA, who was my best friend at the
time.
And we worked together every day for, until
he retired.
For about 35 years, we worked together every
day.
He was my bridge partner.
We played on the same softball team.
I was godfather to his kids, you know, we
were tight.
We were together all the time.
I was told him I was, I was working on this
talk and he said, do you want my notes?
And I said, your notes, you never worked on
DES.
He said, Oh yeah.
Remember in the eighties where they set up
that team and they set up a team in the eighties
and I led, it was a little team.
I led a little team that did another look
at DES to make sure we haven't missed anything
in the early eighties.
He said, well, when you were doing that, I
was on another team that was watching what
you were doing to make sure that you weren't
missing anything.
And I didn't even know he was working on it.
But he had some interesting notes.
And I was able to use that.
I found that there were, there were a lot
of stories.
There's this this oral history of what went
on with DES that a lot of people had a lot
of ideas of things that weren't quite right.
And actually in, in his notes, that's where
I found about the, the meeting between the
Director and Jim Fraser.
And that was not in any of the oral history
that I had heard.
Nobody knew about that meeting, where the
56 was actually decided upon.
So it was, it was fascinating to see how careful
we were in the development of this algorithm.
Now, an interesting thing happened in, in,
we are getting close to the end of the talk.
So if you want to be asking questions, it's
a great time.
In all the outside work that was being done,
people were concentrating on the S boxes and
they were trying to find patterns.
They were looking for funny things.
They were looking at the key schedule, trying
to find funny things.
Adi Shamir looked at a and a different algorithms
called feel.
And when he looked at that and when I saw
a feel, I said, this is going to be a problem
because it screams differential cryptanalysis.
Well, he looked at that and he said, and you
know, if, if I do some of this, make some
changes here and changes there, funny things
are gonna happen.
And what he found, he found differential cryptanalysis
and this was about 85 or 86.
So he in fact noticed that there was, there
was this process.
Differential cryptanalysis lets you look at
inputs that have small numbers of differences
and you track down and look at structure through
the algorithm.
So he found that, and I remember I was having
dinner with him one time and we were talking
about it.
This was long after that.
And I said, so you didn't find a differential
crypt analysis in looking at DES, he said,
no, no one could find differential crypt analysis
looking at DES, way too complicated.
Once I found it on feel, I thought it ought
to work on DES.
So he thought it should work on DES.
He tried it and it didn't work.
And he said he got really annoyed that he
could not make it work on DES because knowing
as much as he knew about differential crypt
analysis, it had to work on DES.
Well, of course it didn't because the ninth
criteria said differential cryptanalysis can't
work.
So he played a game.
He, he took the eight criteria and started
generating random sets of S boxes that, that
met the eight criteria.
Every one of those sets that he generated
his differential crypt analytic attack worked
on.
And it worked very strongly.
That made him more convinced that it had to
work on the real thing.
He tried and tried and tried, and it wouldn't
work.
So he made the bold assertion that NSA had
known about differential crypt analysis at
the time and had designed the S boxes to block
differential crypt analysis.
And he actually proposed a potential ninth
criteria, which was almost exactly the criteria
as we had presented it.
It had the same effect.
He wrote the paper, it was a, it was a wonderful
paper that really brought the, the art of
differential crypt analysis to the public.
And in that he said, he believed that NSA
rather than weakening the S boxes to lead
and to lead to an attack has strengthened
the S boxes to block differential crypt analysis,
which was exactly right.
It was, it was a very good ending.
And that paper was published in the late eighties
and as soon as that paper was published, the
world said, well, DES really is good then.
And we said, yes, but it's 1990 and now you
can't use it anymore.
It's no longer, it's no longer approved for
use.
So it was a wonderful 15 year run.
I got a question.
Was there any pressure from the signals analysis
side of the agency use S boxes that were known
to be weak so they could be exploited?
No, there really wasn't.
I think that was down in the noise.
It was long before any of that.
It was decided that we, we were not even going
to think about that.
This was a, this was a, there was no room
for anything in, in in weakening this algorithm.
This was something that was going to be used
by the US government.
We don't weaken things that are going to be
used by the US government.
We, we make them stronger.
I hear a lot about people that do that do
weaken things that you hear about, about hooks
these days.
I think in cryptography, hooking is very,
very hard.
In cybe, hooking is very, very easy.
It's really easy to get software, to do what
you want to do.
It's very hard to get crypto do, which want
to do.
But there was, there was no push at all from
the sig inside of the house to make the DES
weak.
And I was talking to Adi Shamir about that
one time.
And he said, why on earth would you want to
make DES weak?
Did you think the Russians were going to use
DES?
Do you think the Russians don't have their
own algorithms?
Of course, I, I did not think the Russians
were going to use DES.
So there was, there was no push at all to
weaken the algorithm.
The only, the only weakening we did was reduce
the crypto variable size from 128 to 56, because
we knew that we couldn't, we couldn't keep
a differential crypt analytic attack from
being a lot better than 128.
We knew it was gonna be better than 56, but
it would be better than 128.
And we didn't want our government users to
want to use this product.
We, we had committed to NBS that we would
not let anything go out that wasn't as good
as advertised.
And this was 56 bits of strength, but, but
it wasn't much more than that.
And so we, we were kind of locked into the
56, which, which all ties into the 1990, good
enough, 56 bits.
Everything works nicely together.
That is the DES story.
It was, it was a fascinating thing.
It was, it was really interesting to be a
part of it.
I was a part of it from the day it started
to the day it was no longer approved for use.
And 20 years after that, when I, when I got
to give the talk, talking about this topic
and letting people know about the history.
It's always fun to talk about things like
this that are big pieces of our mathematical
history.
And, and DES was, in my opinion, one of the
really big ones.
A couple more questions.
What was NSA's reaction to the discovery of
differential crypt analysis?
Well, you know, what's going to happen.
You know, when I saw a feel go out, I knew
someone was going to jump on feel because
it just screams differential crypt analysis.
And that's the way you come up with new ideas.
You, you, you have the right problem to work
on and that's, that's the way, that's the
way you get there.
So what was our, what was our reaction?
It's too bad, but it was going to happen.
That's okay.
Adi Shamir asked me one time.
What did I, what was my reaction when I saw
his paper that had that?
And I said, my initial reaction was two parts.
I hope he didn't find something better than
I had found.
And second, this is a guy I would love to
be working with.
It's too bad that we can't do more collaboration
with people on the outside because we could
do some really good things together.
Would have been fun.
Was DES ever cracked by any agency foreign
or domestic?
Not that I know of.
Of course, if, if the Russians did it, they
would probably wouldn't tell me.
But as far as we know, no.
Is triple DES still strong enough for use?
Triple DES is as strong as advertised.
And so you, you know how good it is, right?
It's just, it's on the order of 112 bits of
strength.
You can tell when you're going to be able
to break that, you know, for, for, for people
like us.
Yeah.
It's probably fine, but there are things like
AEA out there, which are a little bit better
in the sense that there are 256 bits and they're
a little bit faster.
So there's not much point in using triple
DES when you can use something like AES, which
is really modern.
A lot of crypto is designed to take advantage
of the capabilities of the technology at the
time.
So DES was constrained to using permutations
on, on four bit words, presentations, a number
from zero to 15, because memory was so expensive.
It turns out memory is not as expensive anymore.
So you might as well use stuff.
That's good.
Did you always want to be a mathematician?
Yeah.
Yeah.
I always wanted to because it was, it was
all I could do.
I really wanted to be a football player, but
I lacked size.
I lacked speed and I lacked the ability to
catch and that meant I had to be a mathematician.
How did I find the career at NSA?
I was a senior in college.
And remember this was 1969.
There were interesting things happening in
the world.
And one of the places that was giving out
deferments was the government.
A guy came to the college I was at and asked
if I liked doing puzzles.
We, you know, we had an interesting talk about
yeah, I love doing puzzles.
I love solving hard problems.
It's great.
And he's told us well said I've got some really
hard problems that are kind of puzzle-like,
you might like working with us.
So I joined NSA, I figured I'd be there for
a couple years and then maybe go back grad
school, teach whatever.
I fell in love with the work that I was doing
at NSA.
The problems were the best problems that you
can imagine.
And the people were the best people I'd ever
been with.
The the mathematicians I worked with, they,
they were competitive in that they wanted
to do good things for the country, that they
were wonderful to work with.
They, they were sharing, just, just the best
people you can imagine.
All they want to do is make a difference for
the country.
You know, that that's kind of a good thing
to want to do.
So I got hooked on that.
It, you know, I look back on 41 years at NSA,
I respected and liked every manager I've ever
worked for.
I loved the people I worked with.
They were fantastic.
Great problems.
I wouldn't have changed anything.
I, I incredibly lucky, best time I ever could
have had nothing would have been better than
that.
If there are any more questions, let me know.
Otherwise, thank you very much for being with
us today.
I hope this was informative.
I hope you enjoyed it.
DES is, is a wonderful thing.
There's a lot of information out there in
places like Wikipedia.
It's not all correct.
You have to be careful.
When I was doing this study for this talk,
I found there were a lot of things that I
thought were true, which were not true.
And I was, I was on the game the whole time.
So be careful, but it's a fascinating topic.
Thank you very much.
