In the open literature, Diffie, Hellman, and Merkle are credited with being the inventors of public key cryptography. But there is evidence that assorted intelligence agencies knew of the technique years earlier. (Some discussion of this question can be found in an online N.Y. Times article.)
The British Invention of "Non-Secret Encryption"
The British Communications—Electronics Security Group (CESG) has recently released some papers discussing their invention of public key cryptography. It is fascinating reading. Briefly, James Ellis came up with the idea in 1970, and proved that it was theoretically possible. In 1973, Clifford Cocks invented a variant on RSA; a few months later, Malcom Williamson invented a Diffie-Hellman analog. Their inspiration, apparently, was a World War II-era paper by an unknown person at Bell Labs.
Bobby Inman, when director of NSA, claimed (without substantiation) that NSA had had public key crypto a decade earlier than Diffie and Hellman.
There is evidence to support Inman's claim. The STU-III project—a certificate-based secure telephone system, with the associated PKI—apparently began in the mid-70's. Certificates weren't invented in the public sector until 1978. Even without that, it is improbable that NSA would build top secret-rated phones without years of evaluation of a new math trick. (Note: I'm looking for public, citable sources on the age of the STU-III project. The earlist I've found is Whit Diffie's "The First Ten Years of Public-key Cryptography"; he gives 1983 as the starting year. But I have Heard otherwise.)
National Security Action Memorandum 160
The most fascinating thread, though, concerns the relationship of public key cryptograpy to the command and control of nuclear weapons. At the ACM Computer and Communications Security conference in 1993, Whit Diffie organized a Festcolloquium in honor of Gus Simmons, who was retiring. Gus said that he learned of public key crypto the same way many of us did, by reading Martin Gardner's column in Scientific American. Simmons was on his way to Australia to give a talk; he said he was immediately struck by the implications of this technique for nuclear weapons command and control—his field—so he tore up his talk and made up a new one on the plane. It seemed clear, at that point, that he had not known of the technique. (An alternative explanation, of course, is that he knew of it but couldn't speak about it until it was rediscovered. I did not get that impression at the time.)
The next speaker was Jim Frazer, who had recently retired from the upper echelons of NSA. In a talk "The Early Days in Nuclear Command and Control", he spoke of National Security Action Memorandum 160 (from June 6, 1962), "Permissive Links for Nuclear Weapons in NATO". Frazer claimed that this memo—signed by President Kennedy and endorsing a memo from his science advisor, Jerome Wiesner—was the basis for the invention of public key cryptography by NSA. Simmons nodded in vigorous agreement.
When the conference was over, Matt Blaze called up the Kennedy Library in Cambridge, MA, and asked about getting a copy of the memo. They were extremely helpful. It was classified, but the person to whom he spoke initiated a declassification review. It turned out that what was of interest was not so much Kennedy's note as the Wiesner memorandum; this, too, was classified, and actually contained some material that was still considered sensitive. But someone scrubbed it; fairly promptly, he received a sanitized copy.
This version sat around for a few years before I finally gotten around to scanning it in and putting it up on the Web. (The Kennedy Library itself has now made available a scanned copy of NSAM 160, but not the Wiesner memorandum. Amusingly, for a while the library did not have a copy of NSAM 160 online. It isn't clear to me if that was a classification issue or not. I sent them my links; they promptly corrected their web site.)
An interesting question is just what the requirement is that is best satisfied by public key cryptography. The obvious function—arming the weapons—can be satisfied with conventional cryptography. But I think there's more.
Wiesner's memorandum says that "this equipment ... would certainly deter unauthorized use by military forces holding the weapons during periods of high tension or military combat". In other words, non-repudiation—a classic use for public key cryptography—was important; if a bomb is used, they (or their heirs, or civilization's heirs...) want to know who ordered it. Pending declassification of the rest of the memo, I suspect that this is the crucial seed that led to the invention of public key cryptography at NSA. (I should note that the quoted sentence is right in between the two largest "redacted" sections of the memorandum...)
As a footnote, the first PALs (Permissive Action Links) deployed were 5-digit mechanical combination locks. The latest versions, the Categories D and F PALs, feature 6- or 12-digit input, and an automatic "limited try" feature which disables the warhead after too many incorrect tries. But I haven't yet found anything about setting C.R.M.-114 discriminators to "FGD 135", let alone "OPE"...
The Prehistory of Public Key Cryptography by Steven M. Bellovin is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.
Based on a work at https://www.cs.columbia.edu/~smb/nsam-160/.
B-52 background image by Jim Ross, NASA.