PGP Timeline

The topic of PGPs history seems to be fraught with controversy, and it is difficult for a new comer to discover the full story.

This FAQ lists as much detail of the history as I have been able to gather together. My part in the creation of this document is to collate information, all of the information is obtained from others, from email comments, from my reading of other peoples past cypherpunks list posts, usenet posts, and from my reading of the resources available on the WWW, and the pgp source code and documentation (going back to version 1.0).

I think there are still many inaccuracies, so if you have any corrections, extra information, or know anyone who you think may know more, feel free to forward them a copy for comment.

Adam Back <>

(pgp on key servers, or here)

An html version of this document can be obtained from:

PGP timeline and brief history


  1. Definitions of acronyms

  2. History of crypto as it applies to PGP

  3. Birth of PGP

  4. USG decides they don't like PRZ

  5. PRZ, MIT and RSA sort out earlier patent issues

  6. Current legal status

  7. ITARs viewed from inside the US

  8. ITARs viewed from outside the US

  1. Definitions of acronyms

    PGP Pretty Good Privacy

    PRZ Phil R Zimmermann, internet folk hero, author of PGP

    RSA The RSA public key crypto algorithm as used in PGP. RSA stands for Rivest, Shamir, and Adleman (its designers). RSADSI, RSA Data Security Inc, patent holders of some public key stuff, which they claim means that no one can use RSA without getting a license from them. They have a www page at:

    PKP Public Key Partners composed of RSADSI plus Cylink (plus others?) (now disbanded)

    ITAR International Traffic in Arms Regulations controls export of controlled munitions from the US, things like military aircraft components, biological and chemical weapons, and also (very strangely) cryptographic software. See:

    for the full text of ITAR (file is GNU zip format).

    PK Public Key (cryptography) as opposed to symmetric key cryptography PK is also known as "asymmetric key" cryptography.

    NSA US National Security Agency, US govt's largest spook agency. whimsically known as No Such Agency because until recently the US govt tried to deny they even existed. (Also the letters NSA are jokingly said to mean Never Say Anything because their public relations technique is usually "no comment" to avoid giving anything away) CIA US Central Intelligence Agency, another US spook agency

    DEA US Drug Enforcement Agency, agency charged with carrying out the "War on drugs".

    NIST National Institute of Standards and Technology

    ODTC Office of Defense Trade Controls, USG group charged with enforcing ITAR. They consult with the NSA, the NSA has the last word on what gets export approval.

    USG United States Government

    ETHZ Eidgenissische Technische Hochschule Zurich

    ZLDF Phil Zimmermann Legal Defense Fund (now closed since his investigation was dropped)

    IDEA International Data Encryption Algorithm invented by Xuejia Lai and James Massey at ETH in Zurich. Patent owned by Ascom-Tech.

    Bass-O-Matic Symmetric key crypto algorithm designed PRZ as used in PGP 1.0. Bass-O-Matic was weak, and after having this demonstrated to him, PRZ replaced it with IDEA in later versions of PGP.

  2. History of crypto as it applies to PGP

    1. The year is 1976, a cryptographer and privacy advocate named Whitfield Diffie, together with an electrical engineer named Martin Hellman discovers public key cryptography. (DH key exchange is still a commonly used key exchange protocol -- DH = Diffie-Hellman).

    2. 1977 Ron Rivest, Adi Shamir, and Len Adleman discover another more general public key system called RSA (after surnames Rivest, Shamir, and Adleman). R, S & A were researchers at MIT (significant later, because MIT has part ownership of patents.)

    3. NSA tells MIT and R, S & A that they'd better not publish this or else.

    4. Amusingly Adi Shamir (S from RSA) isn't even a US citizen, he's an Israeli national, and is now back in Israel at the Weitzmann Institute. Who knows what the NSA would have done about him if they had succeeded in supressing RSA - not allowed him out of the US?

    5. MIT and R, S & A ignore NSA and publish anyway in SciAm July 1977, in an article entitled "New Directions in Cryptography". They later published RSA in Comms ACM (feb 1978, vol 21, no 2, pp 120-126 (an international publication) in case you want to see if it's in your library - it's in Exeter Univ (UK) library).

    6. Because the publication was a rush job due to the NSA, R,S & A and the later formed PKP and RSADSI lose patent rights to RSA crypto outside the US. This is because most places outside the US, you have to obtain a patent *before* publication, whereas in the US, you have one year from the publication date to file for patents. This also had implications for PGP later. Another issue is that the patent law in the US is unusual in that it allows the patenting of algorithms (well algorithms as embodied by a system for a specific purpose -- what is being patented is the system). The RSA crypto system would probably not have obtained a patent in many other countries due to it being an algorithm, and hence it would probably have been ruled unpatentable, even if R, S and A had not been rushed by the NSAs interference.

    7. IDEA was developed by Xuejia Lai and James Massey at ETH in Zurich. (Relevant to PGP because IDEA is the symmetric key cipher used together with RSA in PGP). Also crypto politics relevance in that it is another (of many) examples of the fact that crypto knowledge and expertise is worldwide, ie why export restrict something which is available both sides of the ITAR fence, or even originated *outside* it? (Strangely, ITAR applies to importing and then re-exporting a crypto system, even if no modifications are made). There are lots of other symmetric key ciphers, IDEA is one with a good reputation (no known practical attacks better than brute-force to date, and a good key size), and is just referenced here because of its use in PGP.

    (some years pass...)

  3. Birth of PGP

    1. While Iraq was still a secret US ally against Iran, Iraqi exchange students using the same literature as PRZ later did wrote a working PK cryptosystem for their military (which was using poison gas against the Kurds at the time). Not a peep from the govt., of course.

    2. The US government introduces the 1991 Senate Bill 266. This omnibus anti-crime bill had a measure in it that all encryption software must have a back door in it. An excerpt is in pgpdoc1.txt, distributed with PGP. This bill prompted PRZ to write PGP. This is what PRZ says in pgpguide.lst in pgp1.0:

      The 17 Apr 1991 New York Times reports on an unsettling US Senate proposal that is part of a counterterrorism bill. If this nonbinding resolution became real law, it would force manufacturers of secure communications equipment to insert special "trap doors" in their products, so that the Government can read anyone's encrypted messages. It reads: "It is the sense of Congress that providers of electronic communications services and manufacturers of electronic communications service equipment shall insure that communications systems permit the Government to obtain the plain text contents of voice, data, and other communications when appropriately authorized by law."

      (This was 1991 Senate Bill 266 and it eventually failed to pass into law.)

    3. PRZ wrote pgp1.0. He implemented RSA encryption, combined with a symmetric key cipher of his own design called Bass-O-Matic. It later turned out that Bass-O-Matic was weak, and he replaced it with the use of IDEA for subsequent versions of PGP. pgp2.0 and later versions have used IDEA. There were other differences between pgp1.0 and pgp2.0 and later versions. pgp1.0 used the MD4 message digest algorithm, Ron Rivest designed MD5 to fix a weakness which was discovered in MD4, and pgp2.0 and subsequent versions use MD5. pgp1.0 used uuencode for 7 bit transport, where as versions 2.0 and later use radix-64 ascii armor. pgp2.0 and later versions use ZIP compresion code (as used by PKZIP the popular DOS compression program, GNU ZIP also uses this code), where as pgp1.0 used LZHuf (an adaptive Lempel-Ziv Huffman compression alogorithm).

    4. PRZ gave PGP 1.0 to some friends

    5. Some friends up loaded onto a few bulletin boards (US only) One friend (allegedly Kelly Goen) went around pay-phones with a portable, an acoustic coupler, and a list of BBS phone numbers uploading and then driving on to another area. This cloak and dagger stuff was because at the time the USG had some draconian sounding proposed law on the books which sounded like it was going to outlaw crypto. The intention was to ensure that PGP was available before this law came into effect, and to avoid being stopped if the USG took interest.

    6. Somehow PGP leaked outside the US via the internet. Information wants to be free, as someone said: `trying to control the free flow of information on the internet is like trying to plug a sieve with a hole in it'. Also Tim May's quote 'National borders are just speedbumps on the information superhighway' expresses the point very nicely.

    7. People all over the world (yeah outside the US too) start using PGP

    8. RSA complains to PRZ that PGP violates their PK patents

    9. PRZ tells RSA to get stuffed, says its the users problem to get a license - this text from the pgp1.0 documentation lays out PRZs original stance on the patent issue, before this was resolved:

      The RSA public key cryptosystem was developed at MIT with Federal funding from grants from the National Science Foundation and the Navy. It is patented by MIT (U.S. patent #4,405,829, issued 20 Sep 1983). A company called Public Key Partners (PKP) holds the exclusive commercial license to sell and sub-license the RSA public key cryptosystem. For licensing details on the RSA algorithm, you can contact Robert Fougner at PKP, at 408/735-6779. The author of this software implementation of the RSA algorithm is providing this implementation for educational use only. Licensing this algorithm from PKP is the responsibility of you, the user, not Philip Zimmermann, the author of this software implementation. The author assumes no liability for any breach of patent law resulting from the unlicensed use by the user of the underlying RSA algorithm used in this software.

    10. PGP is considered potentially patent infringing because of 2.6. Eventually PRZ signs an agreement with PKP. They won't sue him if he stops distributing PGP. PRZ has stopped distributing PGP -- others have taken over development and distribution.

    11. Illegality taint increases the spread of PGP, generates news, more people get a copy to see what the fuss is about

    (some time passes, PGP gets real popular...)

  4. USG decides they don't like PRZ

    1. The US gov gets a complaint from Bidzos that PGP breaks a bunch of laws. When customs first started investigating PRZ they were under the impression that PGP was developed by PKP and PRZ stole it and was not distributing it around the world.

    2. USG decides that they don't like PRZ because the NSA can't tap all those internet mail messages anymore. (the NSA part is speculation, but in my opinion likely true).

    3. USG begins investigating PRZ for alleged aiding with ITAR violation. It is clear from the very begining that PRZ did not, and is not encouraging export of PGP, as demonstrated by this excerpt from the pgp1.0 docs:

      Export Controls

      The Government has made it illegal in many cases to export good cryptographic technology, and that may include PGP. This is determined by volatile State Department policies, not fixed laws. Many foreign governments impose serious penalties on anyone inside their country using encrypted communications. In some countries they might even shoot you for that. I will not export this software in cases when it is illegal to do so under US State Department policies, and I assume no responsibility for other people exporting it without my permission.

    4. Phil Zimmermann legal defense fund (the yellow ribbon campaign) set up to cover his legal expenses. This defense fund is now closed since the investigation was dropped. See:


  5. PRZ, MIT sort out earlier patent issues

    1. PGP2.5 is written which uses RSAREF 1.0 in place of MPILIB (also has backwards compatibility with older versions impaired to discourage use of older allegedly patent infringing versions). MIT with PRZs approval start distributing a version of PGP using RSAs RSAREF library, this ensures that the new version of PGP (pgp 2.5) does not infringe any patents as it falls within the license for RSAREF1.0.

    2. RSADSI threatens MIT with legal action, and eventually backs down when MIT refuses to budge. (Recall 1.6 MIT owns part of the RSA patent which gave them a unique bargaining position against the somewhat litigious RSADSI).

    3. RSAREF may be slower, but at least after some hassles from RSADSI, a version of PGP is now 100% legal, and they agree that it is non patent infringing.

    4. MIT begins acting as official US distributor of PGP

    5. As usual, a few milli-seconds (well okay, minutes) after the official release of a new version of PGP, it gets exported from the US.

    6. The deal with RSA over RSAREF has fixed the patent related problems in the US, but it has created a copyright related problem outside the US, (recall 1.6). RSAREF is a software package copyrighted by RSA, and RSA is not allowed to export it because of ITAR, and their license agreement says as much (ie it says that you must not export it, and if you do export, you, and the subsequent users of it, are in breach of license). It is therefore supposed that RSA could if they wanted complain about this (who knows that they would want to, or what conceivable benefit it would give them if they did). This isn't enough to bother most people, but commercial users, and big organisations have lawyers, and are wary of such things.

    7. Stale Schumacher put together pgp26i to avoid this problem. Main difference between pgp26x and pgp26xi is that pgp26xi uses PRZs original big integer library MPILIB, which is any case faster than RSADSI's RSAREF, and the lack of the legal kludge noted in 3.3.

    8. MIT and PRZ publish PGP internals book. The book is currently available throughout the world. It has complete PGP source code in an OCR font. The page numbers are inserted in C style comments /* pagenum */ so that they do not interfere with scanning. See mit press page for ordering info for the book:

      [insert mit press URL for book]

      MIT were following on from Phil Karn's fun had at the expense of the NSA and ODTC with his case of the ODTCs ruling that Bruce Schneier's book Applied Cryptography was exportable while the disk set (with the very same source code) was ruled as not exportable. Phil Karn is appealing at this decision. See, for documents Phil Karn has scanned on the case:

      MIT has asked for permission to export the PGP internals book, so far the NSA sounds like they want to ban the export of the book, PRZs declaration (PRZ made a declaration in connection with Phil Karn's case against the NSA, the ODTC, and miscellaneous government officials) this was taken from bottom of:


      10. I believe that the commodity jurisdiction request referred on page 28 of the Justice filing is the one which was filed by MIT Press for my book, PGP: Source Code and Internals. I am further informally advised that the National Security Agency has considered the Request and recommended that the book be controlled for export under the ITAR and that the Department of Commerce has recommended that it not be subject to ITAR controls.

  6. Current legal status

    1. PGP is legal both inside and outside the US. You just need to use pgp262 version inside the US, and pgp262i versions outside the US.

      If you are in the US and pgp262 does not compile for your platform, another option may be to obtain pgp262i and compile it with -DMIT, which makes it use RSAREF (which keeps RSADSI happy), pgp262i compiles for a wider range of platforms.

      See Stale Schumacher's pgp pages for a table of which versions to use in USA/Canada/Rest of world depending on whether you are using in a commercial or a non-commercial setting:

    2. In the US if you are using PGP in a commercial setting, and care about patents, you should purchase a copy of ViaCrypt pgp2.7, here is the relevant quote from the pgp2.6.2i documentation:

      Ascom-Tech AG has granted permission for the freeware version PGP to use the IDEA cipher in non-commercial uses, everywhere. In the US and Canada, all commercial or Government users must obtain a licensed version from ViaCrypt, who has a license from Ascom-Tech for the IDEA cipher.

    3. Commercial use outside the US and Canada: RSA is free as RSA is not patented outside the US, but a license is required from Ascom Systec for IDEA. See Ascom's www pages:

      Ascom Systec contact info:

      Ascom Systec AG
      IDEA Licensing
      CH-5506 Maegenwil

      Phone: +41 62 889 59 54
      Fax: +41 62 889 59 54
      Email: <>

  7. ITARs viewed from inside the US

    1. ITAR means that if you are in the US you should not export PGP. (Yeah it's already available on a few thousand ftp sites around the free world, so another export isn't going to make any difference, but the NSA and the ODTC might not see it in that light).

    2. Even though controlling the export of freeware software available worldwide might seem incredibly stupid (not to mention pointless), you should bear in mind that the penalties for getting successfully prosecuted for violating ITAR are rather steep. Up to $1,000,000 (US$) fine, and and up to 10 years imprisonment per count of export.

    3. They'd probably never do anything to you, PRZ is just a scape goat (someone they can symbolically persecute to discourage others). I have personally seen several people from US sites post crypto source and binaries (nautilus, PGP itself even). Plus of course this:
      -export-a-crypto-system-sig -RSA-3-lines-PERL #!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj $/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1 lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)

      has probably been exported a few hundred thousand times by now. It's an implementation of RSA encrypt and decrypt in perl and dc - a real crypto system, which has every right to claim ITAR status if anything does, and yet benefits from being more convienient to use as a .sig than a uuencoded PGP binary. See:

  8. ITARs viewed from outside the US

    1. If you are outside the US, ITAR probably doesn't apply to you. You could, if you could be bothered, down load PGP from a US site, and short of attempting an extradition for violating a regulation which only applies in the US, there would be nothing the NSA, or USG could do about it. Most extradition treaties tend to rely on the action being prosecuted being illegal in both countries.

    2. Yeah, I know `tell that to Manuel Noriega' (a Panama citizen who was kidnapped by DEA agents and US military and brought to the US to face trial for importing/exporting drugs from Panama into the US. He broke no Panamanian laws, he is a citizen of Panama, and was in Panama when he committed his crime, and he is now languishing in a US jail.

      However, he was kidnapped for a number of reasons:

      • the USG thought they could get away with it (Panama owed them a few favours)
      • politically easy to pass of acts of aggression (kidnap by civilised countries in this day and age?) in the name of the `War on Drugs'
      • they thought it was worth it.
      • Noreiga, because he had worked for them on numerous occasions, knew some very dark secrets about (then President) George Bush and the CIA, so the USG felt he had to be "muzzled."
      • There was an election coming up.

      (The whole situation was very silly anyway because just a few months before a renegade faction of the Panama Army kidnapped Noriega and turned him over to the the US Army. They released him. The speculation is that the CIA (who were later themselves implicated in drug smuggling) didn't want him tried in case they were implicated. The presumption is that a few papers were shredded before the USG kidnapping.)

      Some of these criteria are likely to be missing if there was an attempt to extradite a non-US citizen outside the US for breaking ITAR. One big problem is that crypto is not controlled as much in most of the free world. Also the fact that the USG haven't bothered other people within the US who have similarly exported crypto software (examples cited in 6.3) would make the whole situation look rather silly.

    3. Some people speculate that if a non-US person exports/imports software resident on US ftp/www sites it is possible that the USG might add the exporter to a list of interesting people and have a talk to them when they next visit the US. If you consider reprisals likely, you might want to avoid travelling to the US for a while.

    4. A more important consideration is that although a non-US downloader of PGP from a US site would be effectively immune to the ITAR nonsense, the owner of the (US based) ftp/www site may not be. You might get the site owner in trouble for not taking adequate precautions. So politeness demands that you don't do it.

    5. Indeed why bother anyway, because PGP is available from literally thousands of ftp sites, there is bound to be a closer (and hence likely faster download) copy, without any hoops to jump though.

    6. There are some other countries with restrictions on use, import and export of crypto. These include France, Russia, Iran, Iraq, China, plus miscellaneous tin-pot dictatorships, and totalitarian regimes. In France you must obtain a license to make private use of crypto. DISSI is quoted as saying that they won't bother private users of PGP, but they would not if asked give permission to use PGP. See:

      for a detailed survey of the crypto laws of many countries.

Long live the Pretty Good revolution,

Adam Back <>

Comments, html bugs to me (Adam Back) at <>