As cryptology — the study of codes — continues to advance and the industry develops increasingly innovative ways to secure communication, people rarely ask: “where did all this come from?” As someone who has been fascinated by cryptology for more than 30 years, I’d like to share my historical perspective on how cryptology evolved. And yes, it began with the Egyptian monks.

Cryptology is a bit of both science and art. I define it as the study of codes. The word “cryptology” is derived from the Greek words “kryptos” (meaning hidden) and “logos” (meaning word).  In practice there are 2 subsets of cryptology: cryptography and cryptanalysis. Cryptography refers to code making while cryptanalysis refers to code breaking.

The Beginning of Cryptography

Cryptography is a method of using codes to apply privacy to messages. Since the beginning of the written word, mankind has had the desire to keep secrets. The earliest recorded secrets belonged to the Egyptian monks from around 1900 BCE. These monks developed a photocryptographic system using non-standard hieroglyphics to keep anyone outside of their inner circle from understanding what was being communicated.

If you didn’t understand the hieroglyphic images, you couldn’t understand the message. However, as with most primitive methods, outsiders were soon able to crack the code by looking at the context of individual images and the non-standard hieroglyphics became relatively easy to decipher.

Enter the Scytale Cipher

The next iteration in ancient cryptography came around 500 BCE with the invention of the Greek scytale. This was closer to true cryptology than using non-standard hieroglyphics because there’s a real key. The scytale used a cylinder base, such as a stick or baton, wrapped with a leather or parchment strip wound spirally around it. The message would be written lengthwise down the strip. When unwound from the cylinder base, the strip appeared to contain nothing more than a string of letters.

Deciphering the message required the rewrapping of the strip around a cylinder base with the exact same diameter as the one used to create the message, allowing the letters to line back up into a readable message.  So in terms of cryptography, the key was the diameter of the cylinder base.

The Influence of the Rosetta Stone

Around 196 BCE the Rosetta Stone entered the picture. King Ptolemy V Epiphanes issued a decree that he wanted everyone to understand. He had it written in three languages — Ancient Egyptian hieroglyphs, demotic scripts and Ancient Greek — and put all three on a stone next to each other. While the Rosetta Stone wasn’t true cryptology, it did provide a translation key. If you knew one of the languages, you could back your way into understanding the other two previously undecipherable languages.

Hail the Caesar Cipher

Circa 50 BCE Roman dictator Julius Caesar wanted a secure way to communicate with his generals in the field so he developed the letter shift, or substitution cipher, which often bears his name. The substitution cipher uses a shift in letters − shift 3 letters such that “A” becomes “D” and “B” becomes “E”, and so on.  In order to decrypt the message, the generals`1would need to know the key, or how many letters to shift back to get the plaintext version of the message. So, how did Caesar send the key?  It’s rumored that he would tattoo the key onto the shaved head of the messenger. Then when the messenger’s hair grew back, the key would not be visible.

Yet, this type of encryption had serious flaws − given the 24 letters in the Greek alphabet, one could simply guess up to 25 times to decrypt the message. Also, given that the message structure remains the same one could make assumptions based on commonly used letters (for instance, E is the most commonly used letter in the English language) and word structure in order to reveal patterns to easily break the code.

Geometric Substitution Cipher — Early Modern Cryptology

The Freemason’s Cipher, also called the Pigpen Cipher, emerged around the year 1700 CE. It was called a geometric substitution cipher because it matched geometric shapes to letters, as the key, to encode and decode a message. The Knights Templar used a variant based on geometric shapes from the Maltese Cross to communicate messages. But this method of cryptology was also fairly easy to decipher and the key still needed to be transferred to the intended recipients.

The One-Time Pad Provides True Secrecy

The One-Time Pad (OTP) was invented around 1882 CE and became popular with spies toward the end of  World War I in 1917. Two identical pads were created: one given to the person providing the message and the other to the intended recipient. The pads contained truly random characters and used a letter shift based on every character in the pad.

OTP is still the only encryption process today that provides true secrecy — but only if five rules are applied. It must consist of truly random characters and have the same length, or longer, as the plaintext. There can only be two copies of the OTP and they can only be used once — both copies have to be destroyed immediately after use.

Even with their perfect secrecy, OTPs introduce some unique challenges. As I just mentioned, the length of the pad must be as long, or longer than the message being encrypted. And, the OTP must be truly random digits. Pad creation, distribution, and storage create significant burden and overhead, making their implementation today not worthwhile.

Enigma Electromechanical Cryptology

One of the most intriguing methods of implementing cryptography in the early 1900’s was called Enigma. The Enigma was a rotor-based cipher machine that has its roots in inventions from the USA, Sweden, Netherlands and Germany. It was the first electromechanical cryptography system and was used extensively during World War 2 by Germany to encrypt messages to send to its military.

The machine used rotors (wheels) and electrical contacts on the right and left sides of each rotor that created electrical circuits used to provide letter-by-letter encrypted messages. As a letter was typed, the electrical current went through a series of rotors and a light was illuminated on a lamp panel above the keyboard. The operator would type the message in, one letter at a time, and record the lighted letter from the lamp panel for the encrypted message. Some models of the Engima separated the lamp panel from the keyboard, thus making the encryption and decryption process a 2-person job (one would type in the message and the other, sitting on the opposite side of the Engima machine, would record the indicated letters from the lamp panel).

The tricky part was that users had to know some very specific settings in order to configure their Engima machine to be able to decrypt messages:  which cipher wheels were being used, what order were the cipher wheels inserted onto the spindle, what was the starting position for the rotors, and what was the configuration of the plugboard and reflector wiring. The fact that these details had to be delivered every day, along with human error, led to the eventual cracking of the Engima, attributed to the work of Alan Turing, one of the code breakers working for the British government at Bletchley Park. Still, in my humble opinion, this was one of the most ingenious mechanical cryptology devices ever built.

Pretty Good Privacy — Modern Cryptology Begins

Pretty Good Privacy (PGP) emerged around 1991 as part of a social/political activist group wanting to communicate privately with like-minded members in various geographic regions. PGP leveraged a combination of symmetric encryption (one key to encrypt and decrypt) to encrypt the message and asymmetric encryption (a public key to encrypt and a private key to decrypt) to secure the symmetric key. Users had their own key rings containing the public keys of the people they wanted to communicate with. Eventually people began hosting their key rings on public servers and allowing other people to add their own public keys to the shared key rings.

Public keys were created and key rings were shared for everyone in the group. If someone had their public key introduced into the key ring and they had their private key, they could decrypt any messages encrypted using their public key from the key ring. But the flaw with PGP came to light from untrusted introducers as more people and layers were added without a centralized authority to determine trust. Plus, PGP was not interoperable with a developing, competing standard: S/MIME.

S/MIME for Email Encryption and Digital Signature

Privacy is just one use case for cryptography. As I’ve discussed, encryption allows us to ensure that only those with the proper key can decrypt the message. But, what if you want to do more than just provide privacy? Using cryptography we can also implement digital signatures. These are very specific cryptographic functions that serve to provide proof of the origin of a signed message and proof that the message has retained its integrity. This is just a fancy way of saying that nobody altered the contents after the digital signature was applied. If we combine these concepts, encryption and digital signature, we now have the foundation to enable protection of messages that can be electronically delivered to other people.

Around 1998, S/MIME (RFC2311) became the standard for encryption and digital signature. Its native integration with Microsoft and other email clients — rather than freeform PGP— made it much more attractive. However, even today, most organizations don’t encrypt their email even though it’s relatively easy to implement using readily available solutions. Yet, there isa higher adoption rate in industries like healthcare and financial services, as well as some government enterprises, that need stringent security.

Code Signing and Mobile Authentication

Code signing entered the landscape in the early 2000s to ensure the integrity and origin of drivers and executable code. Code signing, like email signing, allows us to ensure that the software we run on our computers and other connected devices is really from the publisher we expected it to be from and that no one has altered the software since it was published.

As far as using cryptography for authentication goes, even our cell phones have enough cryptographic capabilities that they have become a form of authentication. With cryptography-based digital certificates on mobile phones and other forms of authentication — fingerprint, pin or passcode — our mobile devices now are a means of authenticating users to systems.

What’s next for Cryptology?

While cryptology started with very primitive means of securing messages, the advances we’ve made from ancient times to modern times have built upon each innovation. Emerging cryptology topics include the Internet of Things (IoT) using long-lived embedded certificates, Blockchain distributed ledgers and the impact of quantum computing on cryptographic system.

I believe that IoT and quantum computing will be the next frontier for cryptology. Ensuring security as more things are connected to the IoT will be critical to prevent fraud and identity theft. As for quantum computing, it is predicted that within the next seven to ten years we will have reached a point of quantum supremacy. That’s not a very long time. Now is the time for us to start developing plans and approaches to determine how we’ll transfer data encrypted under old algorithms and key materials from old to new — or whether we should start over from scratch.

Interested in talking about the history of cryptology and what’s coming next? Connect with Entrust.

Additional Resources

Web Page, Entrust Cryptographic Center of Excellence, https://www.entrust.com/digital-security/certificate-solutions/products/cryptographic-center-of-excellence

White Paper, Defining a Cryptographic Center of Excellence, https://www.entrust.com/digital-security/certificate-solutions/c/introducing-entrust-cryptographic-center-of-excellence/crypto-coe-whitepaper

White Paper, The Quantum Computer and Its Implications for Public Key Crypto Systems, https://www.entrust.com/-/media/documentation/whitepapers/sl20-1026-001-ssl_quantumcomputers-wp.pdf