Who Solved What: The RSA Bottleneck Breakthroughs in History

Theory Layer

Key Size Standardization

  • RSA Data Security Inc. (RSADSI) - Published recommendations (1991-1993)
  • NIST - Federal standards for key lengths (FIPS 186, 1994)
  • Project: RSA Laboratories' technical notes and Crypto FAQ

Random Number Generation

  • Phil Karn - Developed /dev/random for Linux (1994)
  • Theodore Ts'o - Improved Linux entropy gathering (1995)
  • RFC 1750 (1994) - Eastlake, Crocker, Schiller standardized CSPRNG requirements

Mathematical Formalization

  • Bellare & Rogaway - Provable security framework (1993-1995)
  • Project: Random Oracle Model papers giving RSA formal foundations

Protocol Layer

PGP - End-to-End Email Encryption

  • Who: Phil Zimmermann
  • When: 1991
  • What: First usable public key encryption for the masses
  • Impact: Solved key exchange, hybrid encryption, user trust model (web of trust)

SSL/TLS - Web Encryption

  • Who: Taher Elgamal (Netscape)
  • When: SSL 2.0 (1995), SSL 3.0 (1996)
  • What: Standardized RSA for HTTPS
  • Impact: Made encryption invisible to end users

S/MIME - Corporate Email Security

  • Who: RSA Data Security + multiple vendors
  • When: 1995-1999
  • RFC 2633 (1999): Standardized encrypted email for enterprise

PKI Standards

  • Who: VeriSign (co-founded by Jim Bidzos, RSADSI)
  • When: First commercial CA (1995)
  • What: X.509 certificates, hierarchical trust model
  • Impact: Solved public key authentication problem

Infrastructure Layer

Hardware Acceleration

  • Sun Microsystems - Crypto accelerator cards (1995+)
  • Intel - Added crypto instructions to CPUs (AES-NI came much later; RSA was accelerated via big-integer operations)
  • nCipher (1996) - Hardware Security Modules (HSMs)

Software Libraries

  • Eric Young & Tim Hudson - SSLeay (1995) → became OpenSSL (1998)
  • RSA BSAFE - Commercial crypto library (1986+)
  • GNU Privacy Guard (GPG) - Werner Koch (1999) - Patent-free PGP replacement

Performance Optimization

  • Chinese Remainder Theorem optimization - widely adopted by mid-1990s
  • Montgomery multiplication - became standard for modular arithmetic

Application Layer

Email Clients

  • Eudora - First major client with PGP plugin support (1995)
  • Microsoft Outlook - S/MIME support (1997)
  • Netscape Messenger - Built-in S/MIME (1997)

Web Browsers

  • Netscape Navigator 2.0 (1995) - First browser with SSL
  • Microsoft Internet Explorer 3.0 (1996) - Added SSL support
  • Impact: Made encryption completely transparent to users

SSH - Secure Remote Access

  • Who: Tatu Ylönen (Helsinki University)
  • When: 1995
  • What: Replaced Telnet/FTP with encrypted alternatives
  • Impact: Made RSA key exchange standard for server administration

VPN Solutions

  • PPTP - Microsoft (1996)
  • IPsec - IETF standards (1995-1998)
  • Impact: Enterprise encryption for networks

Legal/Regulatory Layer

Patent Fight

  • Who: RSA Data Security Inc. → RSA Security
  • What: Aggressively licensed, but also funded development
  • Resolution: Patent expired September 6, 2000
  • Impact: Free implementations flourished immediately

Export Control Battle

Key Players:

  1. Phil Zimmermann (1993-1996)

    • Released PGP internationally despite export restrictions
    • Faced federal grand jury investigation
    • Charges dropped 1996
    • Method: Published PGP source code as OCR-scannable book (MIT Press) - export of "books" was legal
  2. Daniel J. Bernstein - Bernstein v. United States (1995-1999)

    • UC Berkeley grad student
    • Sued government over source code export restrictions
    • Won: Court ruled source code = protected speech (First Amendment)
    • Precedent weakened crypto export controls
  3. Electronic Frontier Foundation (EFF)

    • Founded 1990 by John Perry Barlow, John Gilmore, Mitch Kapor
    • Funded legal challenges
    • Lobbied against Clipper Chip
  4. Cypherpunks Movement

    • Eric Hughes, Timothy C. May, John Gilmore
    • Email list (1992+): "Cypherpunks write code"
    • Built and distributed crypto tools to force policy change

Clinton Administration Reforms

  • 1996: Export controls transferred from State Dept (ITAR) to Commerce Dept (EAR)
  • 1999: Significant relaxation of export restrictions
  • 2000: Further liberalization - 56-bit and higher generally allowed

Clipper Chip Defeat

  • Opposition: EFF, EPIC, industry coalition
  • Technical flaw discovered: Matt Blaze (AT&T) found escrow vulnerability (1994)
  • Result: Initiative abandoned 1996

Frontend/UX Layer

Browser Integration

  • Netscape - "Lock icon" paradigm (1995)
  • Made encryption status visible but operation invisible
  • Users didn't need to understand crypto

PGP Evolution

  • Pretty Good Privacy 5.0 (1997) - First GUI version
  • PGP Inc. (acquired by Network Associates) - Commercial polished versions
  • Plugins for Outlook, Eudora made it accessible

Key Management Tools

  • PGP Key Servers - Automated key distribution (1996+)
  • LDAP directories - Corporate key distribution
  • Browser certificate stores - Automatic cert management

Social/Cultural Layer

Awareness Campaigns

  • EFF - "Privacy is a right" messaging
  • Wired Magazine - Popularized crypto culture (1993+)
  • Cypherpunks - Evangelized encryption as civil liberty

Legitimization Events

  • Netscape IPO (1995) - Made SSL/HTTPS mainstream business practice
  • E-commerce boom (1995-2000) - Made encryption necessary, not suspicious
  • Amazon, eBay - Normalized encrypted transactions

Community Building

  • RSA Conference (first held 1991) - Made crypto respectable
  • IETF working groups - Open standardization process
  • Academic crypto conferences - Crypto became legitimate CS field

The Critical Path - Timeline

| Year | Breakthrough        | Who                    | Impact                         |
|------|---------------------|------------------------|--------------------------------|
| 1991 | PGP released        | Phil Zimmermann        | First usable public key crypto |
| 1994 | /dev/random         | Phil Karn              | Solved randomness problem      |
| 1995 | SSL 2.0             | Netscape/Taher Elgamal | Made encryption invisible      |
| 1995 | VeriSign CA         | Jim Bidzos             | Solved PKI problem             |
| 1995 | SSLeay              | Young & Hudson         | Free crypto library            |
| 1996 | Export reform       | Clinton Admin          | Legal to export strong crypto  |
| 1998 | OpenSSL             | OpenSSL Project        | Industry standard library      |
| 1999 | Bernstein wins      | EFF/Bernstein          | Source code = speech           |
| 2000 | RSA patent expires  | (automatic)            | Free to implement              |

The Unsung Heroes

Brian Behlendorf & Apache-SSL (1995)

  • Made SSL available on Apache web server
  • Enabled small businesses to use HTTPS

Eric Young & Tim Hudson

  • SSLeay → OpenSSL
  • Probably wrote the crypto code running most of the internet

John Gilmore

  • Co-founded EFF
  • Funded legal challenges
  • "I want a guarantee—with physics and mathematics, not with laws—that we can give ourselves things like real privacy of personal communications"

The Key Insight: No single project solved everything. It took:

  • Hackers (Zimmermann, Ylönen) to build tools
  • Companies (Netscape, VeriSign) to productize
  • Activists (EFF, Cypherpunks) to fight legal battles
  • Academics (Bellare, Rogaway) to formalize theory
  • Standards bodies (IETF) to create interoperability
  • Time (Moore's Law) to make it computationally feasible

The real breakthrough was the 1995-2000 convergence where legal reform, browser integration, and patent expiration all aligned.