Black Echo

How the NSA Shaped the History of Encryption

The NSA did not shape encryption in only one direction. This entry traces how the agency helped build modern secure communications, influenced DES, DSS, Clipper, AES, Suite B, and CNSA, and then reshaped public trust through the Dual_EC and BULLRUN era.

How the NSA Shaped the History of Encryption

How the NSA Shaped the History of Encryption is one of the most important long-arc technology and policy entries in the declassified NSA archive.

It matters because it sits at the intersection of four worlds:

  • secure communications,
  • cryptographic standards,
  • state power,
  • and public trust.

This is a crucial point.

The NSA did not shape encryption in only one direction. It helped build some of the most important secure communications systems in American history. It influenced how public cryptographic standards were designed and adopted. It tried at times to steer encryption policy toward government access. And later, it became one of the central institutions blamed for undermining trust in modern internet cryptography.

That is why this entry matters so much. It preserves the story of how the same agency could be, at different moments, a builder of secure systems, a standards influencer, a policy gatekeeper, and a source of suspicion about hidden weakness.

Quick profile

  • Topic type: historical cryptography synthesis
  • Core subject: how NSA and its predecessors shaped encryption through secure systems, standards influence, policy pressure, and later trust controversies
  • Main historical setting: from World War II secure voice to the post-quantum era
  • Best interpretive lens: not “NSA either loved or hated encryption,” but evidence for how the agency alternately strengthened, steered, constrained, and undermined it depending on mission
  • Main warning: encryption history and surveillance history overlap heavily, but they are not identical; some NSA roles were protective and openly institutional, while others became controversial only later

What this entry covers

This entry is not only about one algorithm.

It covers a long arc of influence:

  • how secure government voice systems shaped early modern encryption,
  • why NSA became a focal institution for national-security cryptography,
  • how DES linked NSA to the first great public standards controversy,
  • why DSS and Clipper changed the policy debate,
  • how AES partially reset the story,
  • why Dual_EC and BULLRUN damaged trust,
  • and how CNSA and post-quantum guidance show the agency still shaping the future.

That includes:

  • SIGSALY,
  • secure voice lineage and STU-III,
  • NSD-42,
  • DES,
  • DSS,
  • Clipper and EES,
  • AES,
  • Suite B and CNSA,
  • Dual_EC_DRBG,
  • BULLRUN,
  • and the current post-quantum transition.

So the phrase How the NSA Shaped the History of Encryption should be read literally. It is not just a story about codebreaking. It is also a story about who defines what secure communication should look like.

The story begins with protection, not only penetration

The strongest correction to popular memory is that the NSA’s encryption story begins with protecting communications, not only reading them.

NSA’s early history makes clear that the protection of U.S. communications long predates the agency itself, even though institutions resembling the modern cryptologic state only became possible once radio communications transformed the scale of military and diplomatic signaling. That matters because communications security and cryptanalysis grew together.

This is historically important.

The institution that later became famous for foreign SIGINT also inherited a deep role in COMSEC—the design, management, and protection of secure U.S. communications.

SIGSALY and the secure voice breakthrough

One of the clearest early examples is SIGSALY.

NSA’s National Cryptologic Museum describes SIGSALY as the first secure voice encryption system for telephones, invented and built by Bell Telephone Laboratories in 1943. It introduced major technical firsts, including pulse code modulation for speech transmission, multilevel frequency shift keying, and bandwidth compression.

This matters because SIGSALY sits near the beginning of modern encrypted electronic communications. It was huge, labor-intensive, and wartime-specific, but it proved that voice itself could be transformed into secure digital-like form for strategic use.

That is one of the foundational moments in encryption history.

Why SIGSALY matters beyond nostalgia

SIGSALY matters because it established a pattern that would recur throughout the NSA story: national-security needs drove cryptographic innovation long before mass civilian adoption caught up.

In other words, the state often entered the future of encryption early. What later became normal in commercial systems often appeared first in hardened, expensive, and secret government environments.

This is a crucial point.

The NSA shaped encryption history in part by living ahead of the public market.

The long secure voice lineage

That lineage did not stop with World War II.

NSA’s history of secure voice coding says that from the time of SIGSALY forward, several generations of voice coders were developed with Bell Labs, reducing size and improving practicality across the postwar decades. It traces a path from the massive SIGSALY system to lighter and more capable systems such as the KY-9 and later vocoder developments.

This matters because it shows that encryption history is also a hardware history. Secure communications were shaped by laboratories, codecs, packaging, weight, and deployment constraints—not only by abstract mathematics.

Thomas Tremain and practical encrypted communications

NSA’s historical figure page on Thomas E. Tremain sharpens that point.

It says Tremain was a pioneer in voice encryption systems and that his work at NSA became the basis of virtually every digital U.S. modem and speech-coding standard for satellite communications and hand-held digital cellular systems. It also says his algorithms remained in deployed STU-III units.

This is historically important.

It means NSA did not only influence encryption through secret policy fights. It also shaped practical secure communication devices and the speech-coding infrastructure that made them usable.

From secure devices to national authority

The next phase of the story is institutional.

NSA’s operating-authorities page says NSD-42 designates the agency as the National Manager for National Security Systems, and in that role NSA acts as the focal point for cryptography, telecommunications systems security, and information systems security for NSS. That matters because it formalized NSA’s continuing power to shape what kinds of encryption national-security systems would trust.

This is a crucial point.

Encryption history is not just the history of inventors. It is also the history of approvers, evaluators, and managers of trust. NSA became all of those for a very large part of the U.S. government.

DES and the first great public controversy

If SIGSALY represents the secure-systems era, DES represents the first great public controversy over NSA’s role in civilian cryptography.

NIST’s historical and process materials show that in the early 1970s the federal government wanted a public encryption standard for sensitive but unclassified information. NIST consulted NSA during this process, and the final Data Encryption Standard emerged from IBM’s Lucifer research with both government and industry contributions.

This matters because DES was not only a technical standard. It was the first time many outsiders realized that a secret intelligence agency had influence over a public encryption system.

Why DES changed the politics of encryption

DES changed the politics because it combined openness and opacity in a way that made people uneasy.

NIST’s later cryptographic-process review says that the standardized version of DES used a much shorter key length than IBM’s earlier Lucifer version—56 bits rather than 128—and included unexplained changes to the S-boxes. Public suspicion followed almost immediately.

This is historically important.

For many observers, DES became the first mass lesson that NSA influence over public cryptography could be both technically significant and politically unsettling.

Why the DES story is more complicated than early suspicion

But the DES story is also more complicated than simple “weakening.”

That same NIST review says the cryptographic community eventually concluded that the S-box changes actually protected DES against differential cryptanalysis, a technique not publicly discovered until long after DES was standardized. In other words, one of the most famous suspicions turned out to be partly backward: NSA had strengthened one part of the design even while the shorter key length undeniably reduced brute-force resistance.

This matters because it captures the ambiguity of NSA’s historical role perfectly.

The agency could make a standard stronger against one kind of attack while making it less comfortable for those who wanted maximum civilian strength and transparency.

DES still transformed encryption history

Whatever the controversy, DES transformed the field.

NIST’s DES economic-impact history explains that DES became the de facto symmetric-key standard of the U.S. commercial cryptographic industry and was widely used in banking, fund transfers, and payment systems. That matters because NSA’s influence over DES therefore shaped not just government encryption, but the rise of commercial cryptography itself.

This is a crucial point.

Once DES spread, NSA’s fingerprint on the history of encryption spread with it.

DSS and the shape of public-key adoption

The next chapter is the public-key era.

NIST’s 2014 cryptographic-standards review says the Digital Signature Standard (DSS) that NIST standardized as FIPS 186 was developed by NSA, but was usable for digital signatures rather than for distributing DES keys or protecting the secrecy of information. That distinction mattered enormously.

This is historically significant.

At a moment when the broader technology community wanted public-key cryptography to help with confidentiality and key exchange, the first major NSA-developed federal public-key standard emphasized authentication rather than general public-key encryption.

Why DSS mattered politically

DSS mattered politically because it suggested to many critics that NSA was willing to support parts of public-key cryptography that did not most directly accelerate widespread civilian secrecy.

That did not make DSS technically worthless. Far from it. Digital signatures matter enormously. But the standard’s shape affected the politics of trust. It reinforced the impression that NSA’s preferred public cryptographic future was not always the same as the future desired by vendors, privacy advocates, or the open cryptographic research community.

That is why DSS belongs in this story.

Clipper and the exceptional-access fight

The most direct effort to shape civilian encryption policy came with Clipper and the Escrowed Encryption Standard.

NIST’s cryptography-history chapter says NSA’s key escrow solution, publicly announced in April 1993, was built into Clipper chips. Each chip implemented the cryptographic components and the escrow protocol to be specified by the EES and contained a Law Enforcement Access Field (LEAF). The idea was that authorized agencies could obtain escrowed key components and decrypt communications when legally permitted.

This is one of the defining moments in the modern politics of encryption.

Why Clipper mattered so much

Clipper mattered because it made the tradeoff explicit.

The federal government was not only asking whether strong encryption should exist. It was asking whether strong encryption should be designed from the outset to remain accessible to lawful government surveillance.

That is a crucial point.

With DES, the controversy was partly about hidden influence. With Clipper, the access philosophy was no longer hidden. It was openly built into the architecture.

The Escrowed Encryption Standard

The federal standard itself makes the design concrete.

FIPS 185, published in early 1994, specifies the use of the SKIPJACK algorithm and the LEAF creation method as part of a key escrow system. It explains that escrow agents would hold key components and provide them only upon legal authorization to conduct surveillance of telecommunications encrypted with the specific device.

This matters because it shows how directly NSA shaped one attempted future of encryption: secure by default, but never beyond state recovery.

That future did not win politically, but it changed the history of the debate forever.

Why the Clipper fight changed public trust

NIST’s history page is unusually blunt about the political reaction.

It says that as the deadline for finalizing EES approached, it became clear that the public was strongly opposed to key escrow and Clipper chips. That matters because Clipper taught a generation of technologists and civil-liberties advocates to treat state-designed access mechanisms with suspicion.

This is historically important.

Clipper did not merely fail as a product strategy. It reshaped the public meaning of government influence in encryption.

DES versus Clipper

Seen together, DES and Clipper show two very different styles of NSA influence.

With DES, the controversy centered on hidden technical influence within a public standard. With Clipper, the controversy centered on an explicit architecture of exceptional access. That difference matters.

DES left room for later reinterpretation and partial vindication. Clipper became a cleaner symbol of what critics feared: strong cryptography conditioned on government recoverability.

That is why Clipper remained so powerful as a memory marker.

AES and the partial repair of trust

The AES era changed the atmosphere again.

NIST’s 2021 retrospective on AES says that by the 1990s DES was nearing the end of its useful life and EES was not filling the gap. NIST therefore decided in 1997 to move forward with an Advanced Encryption Standard through an open competition. That choice mattered because it shifted the governance model away from the murkier politics of DES and the top-down politics of Clipper.

This is one of the most important balancing moments in the whole story.

Why the AES process mattered

The AES process mattered because it was radically more public.

NIST’s briefing-book history says that NIST staff alone comprised the AES selection panel. It also says NSA presented VLSI implementation studies of the finalists but informally told NIST it could accept any of the five finalist algorithms, giving no specific advice on the final selection. Rijndael was ultimately chosen.

This matters because it shows an important limit on NSA influence.

The agency still mattered. It still reviewed, studied, and participated. But it did not openly dictate the outcome. That distinction helped repair some trust.

AES changed the story of standards cooperation

NIST’s AES retrospective says that cooperation between the U.S. government and the cryptographic community increased trust and led to greater analysis, and that AES is now used worldwide. That matters because AES became the opposite of the Clipper image.

Instead of secretive or access-conditioned encryption, AES symbolized open competition, public review, and a stronger relationship between government standards and the broader research community.

This is historically significant.

For a time, the history of NSA and encryption looked more balanced and less adversarial.

NSA as a continuing standards participant

That more balanced role did not mean NSA disappeared from the standards world.

NSA’s current Center for Cybersecurity Standards page says the agency works with NIST, IETF, ISO/IEC, IEEE, and ANSI because it needs standardized commercial cryptographic primitives and protocols for current and future environments. That matters because NSA’s influence over encryption did not end when the standards process became more open.

It continued through:

  • review,
  • participation,
  • procurement influence,
  • and national-security guidance.

That is how major institutions shape technical history even without absolute control.

Suite B and the normalization of strong public cryptography for NSS

One of the clearest examples is Suite B, later CNSA.

NSA’s CSfC FAQ says that CNSA, previously known as Suite B, is a set of commercial cryptographic algorithms capable of protecting data through the Top Secret level. It includes algorithms for confidentiality, key exchange, digital signature, and hashing. That matters because it shows NSA doing something that would once have seemed politically awkward: endorsing widely standardized commercial cryptography for extremely sensitive national-security use.

This is a crucial point.

The agency that once backed Clipper later helped normalize strong public algorithms inside national-security architectures.

Why Suite B and CNSA matter historically

Suite B and CNSA matter because they show NSA shaping encryption not by weakening public algorithms, but by elevating selected ones into national-security trust frameworks.

That is a very different kind of influence from the DES or Clipper moments. It is more like curation and deployment authority. The question becomes not “what can the public use?” but “which commercial algorithms can national-security systems trust at the highest levels?”

This is historically important.

It means NSA’s role in encryption history includes large-scale adoption, not just interference.

CNSA 2.0 and the quantum transition

The most recent phase is the post-quantum transition.

NSA’s 2022 article on CNSA 2.0 says the Director of NSA, acting as National Manager for NSS, released future quantum-resistant algorithm requirements for National Security Systems and based those selections on NIST’s announced post-quantum choices. NSA’s post-quantum resources page now points users to CNSS Policy 15, released on March 4, 2025, and continues to frame NSA as a key authority for national-security cryptography during the transition.

This matters because it shows continuity.

NSA is still shaping encryption history—not by inventing the whole field, but by determining which algorithms national-security systems should migrate toward next.

NSA and QKD skepticism

The same post-quantum page adds another revealing detail.

NSA says it does not recommend quantum key distribution or quantum cryptography for protecting National Security Systems unless major limitations are overcome, and it favors mathematically based quantum-resistant algorithms on existing platforms. That matters because it shows the agency still making strategic judgments about what kinds of encryption future systems should trust.

This is historically significant.

The modern NSA does not only react to cryptographic history. It helps choose its next branch.

The trust rupture: Dual_EC_DRBG

Yet the trust story turned darker again.

NIST’s 2014 review says NSA contributed Dual_EC_DRBG and HASH_DRBG during the standards process, that cryptographers identified concerns about a possible backdoor in the specific parameters, and that NIST later removed Dual_EC_DRBG from SP 800-90A after the controversy deepened.

This is one of the most damaging episodes in modern standards trust.

It matters because it suggested that NSA influence over a public standard might again have included a pathway to hidden state advantage.

Why Dual_EC mattered more than a single algorithm

Dual_EC mattered because it reopened all the older suspicions at once.

DES had already taught people to wonder whether NSA influence concealed hidden weakness. Clipper had already taught them to fear access by design. Dual_EC combined those anxieties in the post-Snowden era, when public patience for opaque intelligence influence had collapsed.

That is why this episode mattered so much. It was not only about one random bit generator. It was about whether NSA could still be trusted inside public cryptographic standardization.

BULLRUN and the public reframing of NSA

Then came BULLRUN.

The Guardian’s 2013 reporting said internal documents described Project Bullrun as dealing with NSA’s abilities to defeat encryption used in specific network communication technologies and linked it to wider efforts against protocols protecting internet traffic. That mattered because it reframed the public image of NSA.

This is a crucial point.

The agency was no longer seen only as:

  • the steward of national-security encryption,
  • or the participant in public standards, but also as an institution trying to preserve access by defeating deployed encryption at scale.

That changed the historical story.

Why BULLRUN changed everything

BULLRUN changed everything because it made the agency’s two identities collide in public.

The same institution that approved protections for National Security Systems, endorsed commercial algorithms for secure national use, and had participated in public standards was now associated with a secret campaign to defeat or undermine some widely used encryption technologies.

This is historically decisive.

After BULLRUN, NSA’s place in encryption history could no longer be told as a clean story of technical guardianship. It had to be told as a story of dual mission: protect here, penetrate there.

The central paradox

That dual mission is the heart of the whole page.

NSA has long wanted very strong encryption for:

  • U.S. classified systems,
  • trusted national-security communications,
  • and certain government and defense uses.

At the same time, it has often wanted foreign and widely deployed encryption to remain accessible, influenceable, or defeatable for intelligence purposes.

This matters because it explains why the agency’s role in encryption history feels so contradictory. The contradiction is real. It is built into the institution.

Why the same agency could both strengthen and weaken

The apparent contradiction becomes easier to understand once mission is separated by audience.

For National Security Systems, NSA acts as a protector, approver, and standards participant. For foreign intelligence and access missions, the same agency may seek weaknesses, leverage, or ways around deployed encryption. That does not make the contradiction disappear, but it explains why both patterns can exist at once.

This is historically important.

The history of encryption was shaped by NSA precisely because the agency lived on both sides of the encryption barrier.

The arc of trust

Seen across time, the trust arc looks roughly like this:

  • secure voice and COMSEC era: technical authority and internal trust
  • DES era: influence plus suspicion
  • Clipper era: open conflict over exceptional access
  • AES era: partial repair through openness and competition
  • Dual_EC/BULLRUN era: severe trust rupture
  • CNSA/post-quantum era: continued authority, but under a far more skeptical public gaze

This is the central historical shape of the story.

It is not linear progress. It is alternating legitimacy and suspicion.

Why this belongs in the NSA section

This article belongs in declassified / nsa because the history of the agency cannot be understood only through collection and surveillance programs.

It helps explain:

  • how NSA shaped secure U.S. communications,
  • why it mattered in DES and DSS,
  • how Clipper exposed its policy instincts,
  • why AES partially reset the standards relationship,
  • how Dual_EC and BULLRUN damaged public confidence,
  • and why CNSA and post-quantum guidance show that NSA still remains one of the most consequential institutions in the future of encryption.

That makes this more than a technology page. It is a structural page in NSA history.

Why it matters in this encyclopedia

This entry matters because How the NSA Shaped the History of Encryption preserves the deepest paradox in the archive:

the agency that helped secure some of the most sensitive communications in the modern world also helped create the conditions for some of the modern world’s deepest suspicions about cryptographic trust.

Here NSA is not only:

  • a codebreaking organization,
  • a COMSEC authority,
  • a standards participant,
  • or a policy actor.

It is also:

  • a builder of secure voice and secure systems,
  • a shaper of federal and national-security cryptographic choices,
  • a force in public standards debates,
  • a driver of exceptional-access controversies,
  • a participant in trust crises over hidden weakness,
  • and a continuing architect of the post-quantum transition.

That makes this article indispensable to a serious declassified encyclopedia of NSA history.

Frequently asked questions

Did the NSA help build strong encryption, or weaken it?

Both, at different times and for different purposes. It helped build and approve strong encryption for U.S. national-security systems while also becoming associated with efforts to steer, constrain, or defeat other forms of encryption.

Why is SIGSALY important here?

Because it shows that the NSA encryption story begins with secure communications engineering, especially secure voice, not only with internet-era controversies.

What was NSA’s role in DES?

NSA was consulted during the DES process and influenced the standardized design. That influence triggered controversy over key length and S-box changes. Later analysis suggested the S-box changes strengthened DES against differential cryptanalysis, even as the shorter key remained a real limitation.

Why did Clipper matter so much?

Because it openly proposed strong encryption with built-in government access through key escrow. It turned abstract fears about state influence into a visible policy fight.

Did the NSA control AES?

No. NSA participated and reviewed implementation issues, but NIST staff alone selected Rijndael in the open AES competition.

What is the significance of Suite B and CNSA?

They show NSA endorsing selected commercial cryptographic algorithms for use at very high national-security levels, which is a major way the agency still shapes encryption history.

Why did Dual_EC and BULLRUN damage trust?

Dual_EC raised fears that NSA influence could embed hidden weakness in public standards, and BULLRUN suggested the agency was actively working to defeat widely used encryption technologies. Together they reshaped public perceptions of NSA’s place in cryptography.

Is NSA still shaping encryption now?

Yes. Through CNSA 2.0, post-quantum guidance, and its standards and National Security Systems role, NSA still shapes which algorithms are trusted in critical government environments.

Suggested internal linking anchors

  • How the NSA Shaped the History of Encryption
  • NSA and encryption history explained
  • how NSA influenced DES and AES
  • NSA and the Clipper chip fight
  • Dual_EC and BULLRUN in encryption history
  • Suite B and CNSA in NSA crypto policy
  • NSA secure voice and COMSEC legacy
  • how NSA shaped modern cryptography

References

  1. https://www.nsa.gov/portals/75/documents/news-features/declassified-documents/cryptologic-spectrum/early_history_nsa.pdf
  2. https://www.nsa.gov/History/National-Cryptologic-Museum/Exhibits-Artifacts/Exhibit-View/Article/2719206/sigsaly/
  3. https://www.nsa.gov/History/Cryptologic-History/Historical-Figures/Historical-Figures-View/Article/1621954/thomas-e-tremain/
  4. https://www.nsa.gov/Culture/Operating-Authorities/
  5. https://www.nist.gov/document/report01-2pdf
  6. https://www.nist.gov/document/vcat-report-nist-cryptographic-standards-and-guidelines-processpdf
  7. https://csrc.nist.gov/files/pubs/fips/185/final/docs/fips185.pdf
  8. https://csrc.nist.gov/nist-cyber-history/cryptography/chapter
  9. https://nvlpubs.nist.gov/nistpubs/jres/126/jres.126.024.pdf
  10. https://csrc.nist.gov/csrc/media/projects/crypto-standards-development-process/documents/briefing_book_to_cov.pdf
  11. https://www.nsa.gov/resources/commercial-solutions-for-classified-program/faq/
  12. https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3148990/nsa-releases-future-quantum-resistant-qr-algorithm-requirements-for-national-se/
  13. https://www.nsa.gov/Cybersecurity/Post-Quantum-Cybersecurity-Resources/
  14. https://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security