Matt Ruckman
← Blog
May 29, 2026

The Answer In The Box

On the thirty-five-year cipher whose solution turned up in a cardboard archive instead of a computer, the Dutch language teacher whose single good idea quietly runs the entire internet, and the uncomfortable detail that everything guarding your bank account is unbroken, not unbreakable, with the clock already running.

Sometime in the early 2010s, an artist named Jim Sanborn was going through his papers during a course of cancer treatment, sorting what he wanted to keep from what he wanted to send to the Smithsonian, and he made a small filing error. He put the answer in the giveaway pile.

He had no particular reason to be careful. The answer was a handful of unremarkable pages inside a donation of thousands, and the question those pages answered had been bolted to a courtyard at CIA headquarters, unsolved, for more than two decades, which is a long enough run that a person stops lying awake worrying that somebody is going to find the solution in a cardboard box in Washington.1 So the pages went to the Archives of American Art, got catalogued, and sat.

In September of 2025, two writers found the solution in a cardboard box in Washington.

Three-quarters solved

The thing in the courtyard is called Kryptos, and if you read the second piece in this series you have already shaken its hand. The short version, for everyone who didn't: it's a curving copper plate a little under twelve feet tall, installed at the CIA's Original Headquarters Building in 1990, with roughly 1,800 letters cut clean through it and arranged into four separate ciphertexts. The artist, Sanborn, built it with a recently retired CIA cryptanalyst named Ed Scheidt, who supplied the encryption schemes the way a structural engineer supplies the load tables, except that in this case the building was art and the point of the building was to not be entered. Then Sanborn modified the schemes on his own, so that even the man who taught him could not read everything they had built. Even the collaboration has a locked drawer in it.

Three of the four fell. K1 and K2 were Vigenère, cracked by an NSA team in the early nineties and again, independently, by the computer scientist Jim Gillogly in 1999. K3 was a complex columnar transposition, also Gillogly, also 1999. The plaintexts, once recovered, turned out to be a slightly misspelled meditation on light and absence, a passage with buried coordinates that ends "it's buried out there somewhere," and a paraphrase of Howard Carter's diary from the morning he opened Tutankhamun's tomb. Spooky stuff, chosen by an artist, which is what you get when you let an artist design a cryptographic puzzle instead of a mathematician: the surface text is about something.

And then there is K4. Ninety-seven letters, beginning OBKR, sitting at the bottom of the plate. It has held for thirty-five years.

It has held despite help. Because the public attempts piled up over the decades, and because a great many of them came from people Sanborn delicately referred to as not-cryptographers, he released cribs: confirmed stretches of plaintext at confirmed positions, the cryptographic equivalent of a crossword editor telling you that 14-Across definitely ends in K. The word BERLIN occupies positions 64 through 69, released in 2010. The word CLOCK follows it, 70 through 74, released in 2014. EAST and NORTHEAST, near the front, came in 2020. Four words. Twenty-four letters out of ninety-seven, handed over for free, and still nobody read the rest.2

OBKRUOXOGHULBSOLIFBBWFLRVQQPRNGKSSOTWTQSJQSSEKZZWATJKLUDIAWINFBNYPVTTMZFPKWGDKZXTJCDIGKUHUAUEKCAR
K4, all ninety-seven letters. Highlighted are the only four words Sanborn has ever confirmed: EAST NORTHEAST (22–34), BERLIN (64–69), and CLOCK (70–74). Twenty-four letters, handed over for free. Nobody has read the rest.

In late 2025, having turned eighty and watched the guesses crest and recede for thirty-five years, Sanborn went further. He confirmed that two real-world events feed into the solution: a trip he took to Egypt in 1986, and the fall of the Berlin Wall in 1989. He also clarified which Berlin clock the earlier cribs had been pointing at, which sounds like a footnote and is closer to a small demolition, because for more than a decade everyone had been pointing at the wrong one.3 The community's clock was the Mengenlehreuhr, the Set Theory Clock, which tells the hour in stacked rows of colored lights on a base-five scheme, the kind of mechanism that sends a cryptographer into a fugue state and the exact reason everyone wanted it to be the answer. It wasn't. Sanborn meant the Weltzeituhr, the World Clock on Alexanderplatz, a slowly rotating column showing twenty-four time zones at once, and the only clock in Berlin that stands, as Kryptos does, on a compass rose. And he said, of the whole sculpture, that the codes are about delivering a message.

None of it was enough. Scheidt had said years earlier that he deliberately changed the method between the first three sections and the fourth, and the community has long suspected K4 stacks more than one technique on top of another, the way I described layered ciphers multiplying rather than adding in the last post. Whatever Scheidt and Sanborn built into those ninety-seven letters, it absorbed thirty-five years of professional and amateur cryptanalysis, four free cribs, and a small fortune in submitted guesses, and gave up nothing.

So the cipher was secure. The answer was in a box.

What was actually in the box

In 2025 a novelist and a playwright, Jarett Kobek and Richard Byrne, were doing the kind of work that does not look like cryptanalysis and turns out to be more effective than cryptanalysis, which is to say they were reading an archive. Among the Sanborn papers donated to the Smithsonian's Archives of American Art, they found scraps of text that, assembled, produced what looked very much like the full plaintext of K4. On the third of September they emailed it to Sanborn. He confirmed it was real, and then he had to explain, with the weary precision of a man watching his life's most famous secret leak through the least dramatic door imaginable, exactly how those pages had ended up in a public collection. The cancer treatment. The sorting. The filing error.

Here is the part that everyone reported and almost everyone reported wrong. Kobek and Byrne did not solve K4. Sanborn was emphatic about this, and the distinction he insisted on is the entire reason I'm writing this post, so I want to be careful with it. They did not crack the cipher. They did not recover the key. They did not work out the method that turns OBKR-and-the-rest into English. They found the English. They located scrambled plaintext that Sanborn himself had written down and then misplaced, and they read it, the way you might learn somebody's password by spotting it on a sticky note under their keyboard rather than by guessing it. Learning the password tells you nothing about how the password was chosen. The lock was never touched.

Sanborn, faced with the leak, did the thing that I find genuinely strange and genuinely revealing. He did not publish K4's method to set the record straight. He had the Smithsonian seal the relevant files for fifty years, until 2075. He asked Kobek and Byrne to sign nondisclosure agreements; they declined, but pledged not to release the plaintext themselves. And then, eleven weeks later, on the twentieth of November, his eightieth birthday, he auctioned the whole archive (the solution document, the original encryption charts, a prototype of the sculpture) through a Boston auction house. It sold for $962,500, which is roughly twice the high estimate, to a bidder whose identity is, fittingly, a secret.4

I've spent real time on K4 myself. The honest accounting at the end of that time is that I hit the wall everyone hits, in roughly the spot everyone hits it: ninety-seven characters is too short for the statistics to bite, the method was changed on purpose to defeat the tools that broke K1 through K3, and a layered scheme with a hidden structure does not yield to a person sitting at a laptop pattern-matching against the cribs. But "too hard" undersells it. What the dead ends add up to is that K4 is under-determined: the ninety-seven letters and their four cribs do not carry enough information to single out one answer from the many plausible English plaintexts consistent with them. The cipher does more than resist attack; it sits at the edge where there isn't enough evidence in the world to attack with. The method can't be rebuilt from the outside because the outside doesn't contain it. A write-up is here. Treat the link, as before, as a long and well-documented way of saying no, it didn't work.

But none of that is what the post is about. The thing I keep turning over is smaller and stranger than the cipher. It's the character of the failure. K4's defense, in the end, was that nobody knew how it worked. The message escaped and the method stayed buried, and the cipher remains "unbroken" in the only sense Sanborn cares about, because secrecy of the method was the whole game.

I should give the under-determination its due, because it cuts against me: if K4 is genuinely beyond the reach of the evidence, it might hold even with its workings published, which would make obscurity not really the thing defending it. Granted. But that is a claim about how hard K4 is, and its hardness was never the anachronism; the anachronism is the decision to hide how it works at all, when the century's move was to hand the design over and keep only the key.

And that, I want to argue, makes K4 a fossil. A beautiful one, cut in copper, but a fossil: the last well-preserved specimen of an idea that the rest of cryptography spent the twentieth century burying on purpose.

Assume the enemy knows

The idea K4 embodies has a slightly contemptuous name in the field. It's called security through obscurity: the hope that your system is safe because the enemy doesn't know how it works. Keep the method secret, and the secrecy of the method does your defending for you.

The problem with this hope is that methods leak. They leak through captured equipment, through defectors, through reverse engineering, through a clerk who talks, through a disgruntled engineer, through a cancer patient sorting papers. A method is a thing a lot of people have to know in order to use, which means a method is a thing that is always one careless person away from the open. If the secrecy of the method is the only thing holding your enemy off, then your security has the half-life of your most careless insider, and you do not get to choose who that is.

In 1883 a Dutch language teacher figured this out and wrote it down so cleanly that the entire internet now obeys him. His name was Auguste Kerckhoffs.5 He published a long essay on military cryptography in a French journal, listing six practical desiderata for a field cipher, and the second one is the one that outlived him. Paraphrased: a cryptographic system should remain secure even if everything about it, every detail of its workings, falls into enemy hands, so long as the key stays secret. Put the other way, which is how it usually gets quoted: assume your enemy knows the system. Design so that it doesn't matter.

This sounds, the first time you hear it, like surrender. You are voluntarily handing your opponent the schematics. But look at what it actually asks you to relocate. Under security through obscurity, the secret is the method, which many people must know and which therefore cannot stay secret. Under Kerckhoffs's rule, the secret is the key, which can be small, can be changed daily, can be different for every pair of people, and can be known to exactly two parties who never have to write it on anything. You have moved the secret from the part that leaks to the part that doesn't, which makes the unavoidable disclosure (somebody, someday, will learn how your cipher works) survivable in advance.

The first two posts in this series were, in a sense, a tour of ciphers that lived and died before this lesson was fully absorbed, and that resist us today partly because their methods are lost. We can't read the Voynich in part because we don't know its system. We can't read the note in the drawer in part because Elgar may have invented its system for that one note and told only Dora, who put it away unsolved. K4 is the same fossil wearing modern clothes: its security is the secrecy of its method, and Sanborn guards that method like the relic it is, sealing it for half a century rather than letting the design into the daylight.

The reason your money is safe tonight is that the people guarding it made the opposite bet.

the secret lives in:
The method
everyone who uses it
The key
only two people
Security through obscurity
leaks easily
SECRET
no separate key
Kerckhoffs's principle
stays shut
published, on view
SECRET

How you protect a hospital

The cipher protecting the overwhelming majority of the world's stored and transmitted data is called AES, the Advanced Encryption Standard, and you can read exactly how it works. All of it. The full specification is published, free, online, in a U.S. government document any person on earth can download, and has been since 2001.6

It gets better, from Kerckhoffs's point of view, or worse, depending on your nerves. AES wasn't designed in a vault and handed down. It was selected through a public competition. In the late nineties the standards body put out a call, candidate ciphers came in from cryptographers around the world, and then everyone spent years in the open trying to break each other's submissions in front of an audience. The winner was Rijndael, a design by two Belgians, Joan Daemen and Vincent Rijmen, the name just their surnames shoved together, and it became the standard by surviving that public mauling better than the alternatives. Their math now runs in essentially everything with a battery, which has made them anonymous the way oxygen is anonymous. Its defense was not that nobody had seen it. Its defense was that everybody had seen it, attacked it, published their attacks, and watched those attacks fail to get anywhere useful.

That was twenty-five years ago. In the quarter century since, AES has been one of the most concentrated targets in the history of cryptanalysis, studied by every academic, intelligence service, and graduate student with something to prove, all of them working from the complete published design, and the best attacks anyone has found are still so marginally better than trying every possible key that they have no practical meaning whatsoever. The lock has its own blueprints engraved on the front, and it does not matter, because the security was never in the blueprints. It was in a key you don't know and aren't going to guess.

Set that beside K4. K4 has resisted for thirty-five years on the strength of a method nobody is allowed to see. AES has resisted for twenty-five years while showing everyone exactly how it works. One of these is how you protect a piece of art. The other is how you protect a hospital, and the difference between them is the whole argument.

Two strangers and everyone listening

I owe you this section from last time. At the very end of "The Note In The Drawer" I pointed out that every cipher in that piece, from Caesar to Elgar's squiggles, shared one buried assumption: the sender and the recipient have to agree on a shared secret beforehand, through some separate, already-secure channel. A shift number. A keyword. A book they both own. A melody only two people remember. The secret can be tiny or enormous, but it has to make the trip before any message can. I said that in 1976 two researchers broke that assumption, that this is the thing that makes the modern internet possible, and that it was the subject of a different post.

This is the different post. So.

The assumption is a genuine chicken-and-egg trap, and for roughly the entire history of the subject it was considered simply part of the furniture, the way "you need a key to send a locked message" is part of the furniture of the idea of a lock. To talk secretly with someone, you first need a shared secret. To share that secret safely, you need a secure channel. But a secure channel is the thing you were trying to build in the first place. Everyone you have ever wanted to send a private message to, you first had to meet in a back room, or trust a courier, or mail a codebook and pray. At the scale of two spies, this is a hassle. At the scale of a billion strangers buying things from a billion other strangers they will never meet, it is impossible, and it should have made the secure internet impossible too.

In 1976 Whitfield Diffie and Martin Hellman published a paper, with crucial help from Ralph Merkle, describing a procedure by which two people who have never met, communicating entirely over a channel that a hostile third party is listening to in full, can arrive at a shared secret that the listener cannot reconstruct.7 Not "cannot reconstruct easily." Cannot reconstruct, given every word of the conversation and all the computing power going. The eavesdropper hears the entire exchange, has the complete method (Kerckhoffs again; the method is public), and still ends up locked out, while the two strangers walk away holding the same secret number they can now use as an ordinary key.

The trick underneath it is a mathematical operation that is wildly easier to perform than to reverse. The standard illustration, a year later, came from a related scheme called RSA, named for Rivest, Shamir, and Adleman, and it runs on multiplication. Take two large prime numbers and multiply them together: easy, fast, a computer does it instantly, you could very nearly do a small one by hand. Now hand someone only the product, a few hundred digits long, and ask them which two primes you started with. There is no fast way back. The best known methods for factoring a large number are so slow that for a number of the right size, every computer on the planet running until the sun expands would not finish. Multiplication is a door that swings one way. You build the lock out of the easy direction and you put the secret in the hard one.

Multiplication is a door that swings one way. Build the lock out of the easy direction; put the secret in the hard one.
The easy direction: multiply
61 × 53 = 3,233
✓ done instantly (you could check that one by hand)
The hard direction: factor (250 digits)
1642319187507484499965784590853011766621690423097404024788378501720028070345598728158880504133059214673910343447672145056940736214702818174889255857118226446800480673052644195516630871952290828111956970001374626163515537532610016862343128834437498571
0.0s elapsed
tested: 0 candidates≈ 0% complete

At a billion divisions a second, trial division would need to test about 10¹²⁴ candidates: roughly 4 × 10¹⁰⁷ years. The universe is about 1.4 × 10¹⁰ years old. Let it run. The bar will not move.

This is the immense thing, the thing that genuinely upends everything the first two posts were quietly built on. It means the shared secret no longer has to make a secret trip. Two people who have never met, with no prior arrangement, watched by anyone who cares to watch, can still end up alone in a room together. Every cipher in this series until now needed the back room first. This one builds the back room out of arithmetic, in public, on demand, between strangers.

Invisible on purpose

The reason you do not experience any of this as miraculous, or as anything at all, is that it was made invisible on purpose, and the invisibility is the engineering achievement almost more than the math.

Put the pieces together. You open a web page to buy something. Your machine and a server you have never contacted before run a Diffie-Hellman-style exchange, in the open, while anything sitting between you (your coffee shop's router, your internet provider, a stranger on the same network, an intelligence service tapping the cable) watches the whole conversation and comes away with nothing. Out of that exchange the two of you derive a fresh shared key. You then switch to fast AES, using that key, for the actual data, because the public-key math is elegant but slow and AES is the workhorse you want doing the heavy lifting. A family of functions called hashes runs alongside the whole time, fingerprinting each message so that any tampering shows up immediately. The entire negotiation, the handshake plus the switch to the fast cipher plus the tamper-checking, completes in a fraction of a second, before the page finishes painting, every single time, on every site, for everyone, forever, and the only trace it leaves is a small padlock in the corner of your screen that you stopped looking at years ago.8

It is running right now. It ran when this page loaded. It ran when you tapped your card against the reader this morning, and when your phone joined the network, and when the messaging app put a little check mark next to a text to tell you it had gone out sealed, and when your password didn't travel anywhere but its fingerprint did, and when your laptop's drive sat there as unreadable metal the whole time it was off. It happens a few billion times an hour, in dead silence, which is the only mercy in the whole arrangement, because if each handshake made even the faintest click the species would have gone deaf around 2009 and shopped happily ever after inside a roar it could no longer hear.

K4 makes you walk to a courtyard in Virginia and stare at copper. This makes the back room and tears it down again before you notice it was built. Both are cryptography. Only one of them is how the century actually went.

Unbroken, on a timer

I would like to end this in triumph, with the modern world standing safe behind math so good that knowing the math doesn't help. And that is true, for now. I have to tell you about the "for now," because a series called The Unbroken that pretended "unbroken" meant "permanent" would be lying to you, and the word has never once meant that in the history of the subject. Every cipher in the first two posts was somebody's permanent, right up until it wasn't.

In 1994 a mathematician named Peter Shor described an algorithm. Not a faster way to factor large numbers on the computers we have; those remain hopeless, which is exactly why RSA still works tonight. Shor described a way to factor large numbers quickly on a quantum computer, a machine that doesn't fully exist yet at the scale required, but that a great many serious and well-funded people are trying very hard to build. The hard direction of the one-way door (pull the product back into its two primes) stays hard for every classical machine ever made and becomes fast the day a large enough quantum computer is switched on. The same goes for the math underneath Diffie-Hellman and its faster cousin, elliptic-curve cryptography. The whole public-key half, the part that lets strangers meet in the open, runs on problems that are hard for the computers we have and that Shor's algorithm makes easy for a computer we are building.

The work of breaking one RSA key, by key size (note the logarithmic axis). Doubling the key buys enormous safety against a classical computer and almost none against a quantum one.
limit of classical computation110¹⁰10²⁰10³⁰10⁴⁰10⁵⁰512102420484096operations to breakkey size (bits)2048-bit key≈ 10²⁵× more work
Classical computer (number field sieve)Quantum computer (Shor’s algorithm)

Which means the strangers-in-a-room trick has an expiration date stamped on it, and nobody knows the date.

The field is not waiting around to find out. In 2024 the U.S. standards body finalized a first set of post-quantum cryptographic standards, new schemes built on different math (lattice problems, mostly) that are believed to resist both the computers we have and the quantum ones we're chasing.9 The migration has already started, quietly, in the same invisible layer as everything else. The locks are being swapped while you read, on a timeline set by a machine that hasn't been finished, against a threat that is partly already here in the most patient form imaginable: an adversary does not need a quantum computer today to harm you with one tomorrow. They only need to record your encrypted traffic now, sit on it, and decrypt it the day the machine comes online. Some of what is being captured and stored this year is being captured by people who fully intend to read it later. Whoever finally reads it may be in middle school right now. The phrase the field uses, with characteristic understatement, is harvest now, decrypt later.

The ciphers in the first two pieces, the Voynich and the note in the drawer, are unbroken by accident: too short, too strange, too personal, too lost. K4 is unbroken by craft, a hidden method guarded by one man who sealed it for fifty years. And the cryptography standing between every stranger on earth and every other stranger's bank account is unbroken by design, openly published, publicly attacked, mathematically magnificent, and also running against a clock that someone in a lab is presently winding. Unbroken has always been a tense, not a verdict. It means "not yet."

Back to the box

With the Voynich, and with the eighty-seven squiggles Elgar left in a drawer, the answer is lost. Everyone who could have told us is dead. There is no one to ask, nothing to unseal, no date on which the meaning comes back; if those ciphers ever open, it will be because somebody breaks them, not because somebody relents. That is what an unsolved cipher looks like, and it is what the first two posts were about.

K4 is something else. Its answer exists, written in Sanborn's own hand, confirmed and catalogued and sealed in the dark until 2075. From the courtyard the two conditions look identical, ciphertext you can see and cannot read, and underneath they are nothing alike. The Voynich's secret has a grave; K4's has a calendar. One of these you can only resent in the abstract, the way you resent weather. Whoever wrote the Voynich has been past asking since before Columbus, and is not withholding anything, any more than a mountain withholds gold. K4 has a guy. A specific, living, reachable guy, with an email address, who for years would even write back, for fifty dollars. And that changes everything about how the not-knowing feels. The Voynich is a mystery. K4 is a guy not telling you.

And the thing the century actually built, the openly published, endlessly attacked, invisible math that meets strangers in the open and guards nearly everything, is the one development in this entire story that took the lock, engraved its design on the outside where any enemy could read it, and survived anyway. For now. On a timer nobody can see, against a machine somebody is finishing.

The collection is called The Unbroken, and it has been, from the first post, a series about things that held. The last thing worth saying about anything that holds is that holding was always the most you were going to get. Somewhere in a sealed file in Washington sits the one finished secret in this whole series, the answer that actually exists, known to an anonymous buyer and to the man who wrote it. The rest of us stand in the courtyard, reading OBKR off a copper plate. The cipher will hold; it has the calendar on its side. Fifty years is a long time to stay curious.

This is the third piece in The Unbroken, following the Voynich post and the Dorabella post. My own run at K4 is written up here; see the earlier posts for the Voynich shorthand hypothesis and the calibrated Dorabella falsification. The Kryptos sculpture stands in the courtyard of the CIA's Original Headquarters Building in Langley, Virginia, and is, as far as anyone outside one sealed file knows, still three-quarters solved.

Footnotes

  1. I want to be fair to him, because "artist misplaces the answer to his own famous cipher" is the kind of sentence that sounds like carelessness and is actually closer to grief. He was sorting his life's papers during cancer treatment, which is to say he was doing the specific administrative task you do when you are making arrangements, and the famous secret was, at that moment, one item among the thousand items a person handles while contemplating not being around to handle them. The cipher had stood unsolved for over twenty years. If you had built something that had defeated the NSA and a generation of obsessives, you too might have stopped treating the answer key like plutonium.

  2. There is a detail here I find almost unbearably good, which is that Sanborn, drowning for years in submitted "solutions" from people who had cracked nothing, eventually began charging fifty dollars per guess. Not to profit. To slow the flood. There is something perfect about a man defending the world's most famous puzzle not with mathematics but with a small administrative fee, the cryptographic equivalent of a restaurant putting up a sign that says PLEASE WAIT TO BE SEATED and discovering it works.

  3. He had, to be fair, told them to. Handing the NYT the CLOCK crib in 2014, Sanborn advised solvers to "delve into that particular clock," then added, with what reads now as a card player's patience, that "there are several really interesting clocks in Berlin." Everyone delved into the wrong one for the next eleven years.

  4. The auction lot reportedly included the original encryption charts, which is the part that should make a cryptographer's pulse change, because the encryption charts are the method, the actual fossil, the thing thirty-five years of attacks failed to reconstruct. Somewhere a single anonymous person now owns the document that says how K4 works, and is, presumably, sitting on it, which means the count of people on earth who know the method has gone from one to two, and neither of them is you, and neither of them is me, and both of them have agreed, in their separate ways, that this is how it should stay.

  5. His full name was a small parade: Jean Guillaume Hubert Victor François Alexandre Auguste Kerckhoffs von Nieuwenhof. He was born in the Netherlands in 1835, spent his career teaching German and other languages in France, and was, in the part of his life he probably cared most about, an enthusiastic apostle of Volapük, one of the constructed international languages that briefly looked like it might unite humanity before Esperanto ate its lunch. He is remembered for none of this. He is remembered for a single sentence about keys in an essay about field telegraphy, which is roughly as if Tolstoy were known exclusively for a parking ticket.

  6. It is also, right now, the thing keeping the drive in whatever you are reading this on from being readable by someone who picks it up. If your phone is full-disk encrypted, which it almost certainly is, AES is running between you and the lock screen at this moment, and has been the whole time, and will keep running after you put it down, defending a few hundred gigabytes of photos and texts with the exact cipher that protects state secrets, because there turned out to be no reason to build two.

  7. With a twist that the theme of this entire post demands I include. Diffie and Hellman published in 1976. But several years earlier, inside the British signals-intelligence agency GCHQ, three people had already worked the whole thing out in secret. James Ellis conceived the basic idea of public, non-secret encryption around 1970; Clifford Cocks devised what is essentially the RSA scheme in 1973; Malcolm Williamson devised what is essentially Diffie-Hellman in 1974. And because it was classified, it sat in a vault and changed nothing. It revolutionized no commerce, secured no internet, met no strangers in any room, because the entire power of the idea was in being used, openly, by everyone, and a secret version of "let everyone use this openly" is a contradiction that helps precisely no one. The British government declassified the story in 1997, by which point Diffie, Hellman, Rivest, Shamir, Adleman, and Merkle had long since built the public world on the public version. The secret-method bet lost even here, in the one place that technically got there first. Ellis died twenty-three days before the announcement, having spent the better part of three decades unable to mention the most important idea he ever had. He did meet Diffie once. Asked how he had done it, he paused, said he did not know how much he should say, and then handed the whole era its epitaph: "you people made much more of it than we did."

  8. An actual person drew that padlock. In 1995, when Netscape shipped the first secure browser connections, someone on its design team needed a way to tell users the page was safe, so they drew a tiny lock and moved on to the next icon. Nobody wrote down who. The histories of SSL record the company, the protocol, and the year, and the person has simply fallen out of the story. That doodle now appears on billions of screens every day, which plausibly makes it the most-seen drawing a single human being has ever produced. So this post ends up holding two artists of secrecy: Sanborn, world-famous for a sculpture locked inside the CIA where almost no one will ever see it, and a designer nobody can name, whose work almost no one on earth can avoid.

  9. The first finalized standards, in 2024, included a key-establishment scheme now called ML-KEM (it grew out of a design called Kyber) and a digital-signature scheme now called ML-DSA (out of one called Dilithium), both built on the mathematics of lattices, which are hard in a different way than factoring is hard, and specifically hard in a way that Shor's algorithm is not known to make easy. "Not known to." I'd love to give you "cannot." The field would love to give you "cannot." Nobody gets to say "cannot" in this subject, which is the entire reason the subject keeps moving, and the entire reason a series like this one will never run out of material.

cryptographycipherskryptosk4public-keyquantumunsolved-ciphersessays