Publishing a new idea

by Ralph C. Merkle

The human mind treats a new idea the same way the body treats a strange protein; it rejects it.

P. B. Medawar

For more information about the events in the Fall of 1974, you can read the Computer History Museum's interview:

Ralph Merkle: 2011 Fellows Interview
Public-Key Cryptography

CS 244

In the Fall of 1974 I enrolled in CS244, the Computer Security course offered at UC Berkeley and taught by Lance Hoffman. We were required to submit two project proposals, one of which we would complete for the course. I submitted a proposal for what would eventually become known as Public Key Cryptography -- which Hoffman rejected. I dropped the course, but kept working on the idea.

Unfortunately, I lost track of the proposal and didn't find it again until September 8th, 2005, while cleaning out some boxes of old folders. There, neatly labeled "244 Project Proposal" was a folder containing the original 7 page project proposal. I've scanned it in for those interested in this bit of historical arcana.

The original CS244 project proposal from Fall of 1974 (7 page PDF).

Besides describing "Method 1," now better known as the puzzles method, the project proposal goes on to discuss "Method 2" which involved converting a "two-way encryption technique" into an "apparently one-way encryption technique" which would then be transmitted to the "other site" which would use it to encrypt messages. The only way to decrypt the messages would be with the original "two-way technique from which it [the one-way technique] was derived." The project proposal notes that "This method would also have advantages in other applications..."

After Hoffman rejected this proposal, I rewrote it to be shorter and simpler. Following is the two-page simplified version, resubmitted to Hoffman and showing his comments.

The second project proposal (2 page PDF).

Submitting to CACM

Hoffman continued to show little interest so I dropped the course, but kept working on the idea. I showed an early draft to Bob Fabry, then on the faculty at Berkeley, who immediately recognized it as both novel and valuable and said "Publish it, win fame and fortune!" I then submitted it to Susan Graham, then an Editor at the Communications of the ACM in August of 1975. As I was to learn, Fabry's response was rare.

Graham sent my submitted paper out for review and received the following response from an "experienced cryptography expert" whose identity is unknown to this day:

"I am sorry to have to inform you that the paper is not in the main stream of present cryptography thinking and I would not recommend that it be published in the Communications of the ACM."

"Experience shows that it is extremely dangerous to transmit key information in the clear."

With this blanket rejection of public key cryptography by an "expert", she rejected my article. She "was particularly bothered by the fact that there are no references to the literature. Has anyone else ever investigated this approach. If they consider it and reject it, why?"

I had failed to provide any references to the prior work on public key cryptography, and the reasons previous workers in the field had rejected it as impossible. I should have looked up "public key cryptography" on Google before submitting my paper. My defense is feeble: there was no Google, the term "public key cryptography" did not yet exist, and there were no previous workers in the field. There were no words for what I had done, and looking up a concept to show that no one had previously thought of it is difficult. This is not a unique problem: it illustrates a problem faced by anyone trying to explain a new idea to an "expert" who expects a properly referenced article anytime anyone tries to explain something to them. The more a new idea is unrelated to any prior idea or concept the more it must appear as a squawling bastard, naked and alone, appearing de novo and lacking any respectable pedigree or family to vouch for its acceptability.

While I have not been able to find a copy of the paper as originally submitted to CACM, I do have what appears to be a copy made shortly after the first rejection which includes revisions to make it so obvious that even the "cryptography expert" would be able to understand it. The revised version is dated December 7th 1975.

The first rejection by CACM left me confident that no one had previously investigated this approach, as the "experienced cryptography expert" had rather obviously failed to understand what was being proposed and private conversations suggested that no one else had heard of the idea, either. So I persisted for the simple reason that (a) the idea was sound, so CACM would eventually have to concede this fact and publish the article and (b) they would then have to include the original submission date -- which I would lose if I re-submitted anywhere else, even if that somewhere else miraculously had a clearer understanding of the concept.

And so it proved. CACM eventually published the paper, though only after almost three years of delay, and only after others (who were better able to persuade their editors to publish in a timely fashion).

For historical background, see The First Ten Years of Public-Key Cryptography, by Whitfield Diffie, Proc. IEEE, Vol. 76, No. 5, May 1988, pages 560-577.