Many people remember their first kiss, or first day at high school. I remember the day I learned how public-private key encryption works.
I was on holiday, aged 13, and had borrowed The Code Book by Simon Singh. The book tells the story of how for thousands of years, the only way to securely share a message was to first meet up and agree on a secret key, after which future messages could be exchanged safely using this key. The principle was considered such an axiom of cryptography that until the 1970s, little research was done to explore alternatives.
The method invented to share secrets without a prior meeting exploited the mathematical challenge in factoring large integers, and is known as public-key cryptography. Today it is a critical component in securing most online communications and, thanks in part to Singh’s superb writing, thirteen-year-old George was captivated. I felt like I had a superpower; I knew what the padlock icon in my web browser meant.
Over the intervening twenty years I have delighted in reading all manner of ideas around encryption and data security, despite a complete lack of relevance to my day job. This newsletter is an indulgence of that moment of childhood joy, and a reminder to celebrate and share even the most nerdy and obscure of personal interests.
PLANNING & STRATEGY.
- Multiple discovery theory is the idea that independent researchers so frequently arrive at the same ideas, at the same time, that there is an inevitability about scientific progress. Isaac Newton and Gottfried Leibniz’s simultaneous invention of calculus is an often-cited example, and the invention of public-key encryption feels like it should be another. For years the first inventors were believed to be Whitfield Diffie, Martin Hellman and Ralph Merkle, who in 1976 invented the eponymous Diffie-Hellman key exchange. But in 1997, declassified research from the UK’s Government Communications Headquarters showed that the same ideas had previously been developed there between 1969 and 1973. Encryption has long been a matter of national security, and cryptographic devices were once rated as munitions and subject to export controls. This 1995 t-shirt featuring the source code to one public-key algorithm made light of that fact, as it was theoretically illegal to export.
- I’m fascinated by the growing intersection of bug-finding and branding. For 25 years the Common Vulnerabilities and Exposures (CVE) system has been used to assign generic references to security issues found in software. But more recently, research teams have begun using logos, custom websites and PR agents to publicly share details of their exploits. In 2014 the “Heartbleed” bug (CVE-2014-0160) received widespread media coverage, credited in part to the $200 spent on a logo by the firm who discovered it. More recently, the Meltdown & Spectre bugs launched with a flashy website that placed technical details alongside a cute logo of a ghost, downloadable in a variety of image formats. But this rise of media-friendly information packaging is also open to manipulation. In one example from 2018, researchers launched a slick marketing website for a relatively benign bug in AMD computer chips – whilst admitting they would profit from a fall in the company’s stock price.
MAKING & MANUFACTURING.
- The ancient Greeks were amongst the earliest users of cryptography. In the 5th and 4th centuries BCE, Spartans are believed to have wrapped a strip of parchment around a cylindrical rod called a scytale to scramble a message. This is a good example of a transposition cipher, and building a scytale is a great first project for children to learn about cryptography – although despite my childhood curiosity I never attempted it myself.
Unlike transposition ciphers, which simply rearrange letters, substitution ciphers swap each letter for another based on a pre-agreed pattern. The most famous of these is the Caesar shift cipher, recorded in the AD 121 biographies The Twelve Caesars as being popular with the Roman emperor Julius Caesar. Easy to crack, as a teenager I enjoyed making and breaking Caesar shift messages, along with the more challenging Vigenère cipher. First described in 1553, Vigenère relies on a secret key phrase to significantly increase its complexity, and was known in French as le chiffrage indéchiffrable (the indecipherable cipher). This reputation lasted into the 20th Century, despite a full solution to decrypting it being published in 1863. The Confederate States in the American Civil War heavily adopted the Vigenère cipher, encrypting messages with the key phrases "Manchester Bluff," "Complete Victory," and "Come Retribution," not realizing that the Union was often able to decrypt them. - Last year, a competition sought entries for psychedelic cryptography: hiding information in images that could only be understood when tripping. There were only three successful entries, and they all exploited the tracer effect where bright colors last longer in your visual field while on psychedelics. If you’d like to try yourself, the final images and required dosing to decrypt the messages are detailed in the competition’s results pages, although Spencer suggested a more family-friendly version in the form of the popular childhood book Magic Eye.
- An excellent write-up on using 3d printed stamps and IR absorbing inks to secretly mark and track an entire deck of cards.
MAINTENANCE, REPAIR & OPERATIONS.
Last October the British Library suffered a major cyber attack that took many services offline for months, severely impacting the work of researchers worldwide. In March the library published a detailed report into the attack, in which they explained that:
Our major software systems cannot be brought back in their pre-attack form, either because they are no longer supported by the vendor or because they will not function on the new secure infrastructure that is currently being rolled out.
DISTRIBUTION & LOGISTICS.
- Steganography is the art of camouflaging a message and then hiding it in plain sight. In an early example, the 6th-century Greek ruler Histiaeus tattooed a message to his son-in-law into an enslaved person’s shaved head. After his hair regrew, the slave traveled to meet the recipient, whereupon his head was shaved again, revealing a request to revolt against the Persians. A more modern example of steganography is the Jsteg algorithm, a technique for hiding information inside jpg images by making barely perceptible adjustments to the bits of data that represent the image’s pixels. Many easy-to-use implementations exist, such as this Chrome extension to hide messages inside pictures of Kim Kardashian.
- Cosmic rays move through space with sufficient energy that when they penetrate the earth’s atmosphere, they can strike electronic circuits and cause transient errors. In the 1990s, IBM estimated that computers experience one cosmic-ray-induced error per 256 Mb of RAM per month. Typically this miniscule error will have no effect, but if it happens to coincide with a request for a web address, then your computer might take you to slopeofwork.net but still show scopeofwork.net in the URL bar. Maliciously registering these false domains in the hope this occurs is called bitsquatting, and a 2011 study logged over 50,000 occurrences of these erroneous requests.
- In a similar vein, researcher Bar Lanyado checked ChatGPT and other AI bots to see which fake software packages they consistently hallucinated, and then created packages with those names so other developers would accidentally include them in their code.
INSPECTION, TESTING & ANALYSIS.
- I love this simple explanation of why pixelating words in an image doesn’t mean they can’t be read. The author created an automated tool to unscramble pixelated letters and numbers. PSA: The only safe way to hide personal information is to draw black bars over the words, and then save the result as an image file.
- The most common approach to cracking basic codes such as Caesar or Vigenère ciphers is using frequency analysis. Letter occurrences follow a standard distribution model, and I learned the mnemonic ETA ION RHS as a child to remember the order of the most common letters in English writing. This sort of statistical analysis reminds me of the German tank problem. Allied forces in World War II attempted to estimate the monthly production rate of German tanks, based on the sequential part numbers found on captured vehicles. Conventional intelligence suggested a rate of 1,400 tanks per month, whereas a statistical approach estimated a figure of 246. After the war, the true figure was discovered to have been 245.
SCOPE CREEP.
- We’re thinking of getting a cat at home, but I’m yet to tell my wife it’s mostly so I can ditch SMS authentication messages and login to websites using Cat factor authentication.
- A great tale from Paypal’s early days of when your encryption goes wrong. Early employee Max Levchin tried to implement an algorithm that was “resistant to the rubber hose attack” (i.e. being beaten up to reveal your password), but accidentally locked the entire company out of their payments database.
- It’s not about cryptography, but this delightful video of experiments in making homebrew anti-missile flares is the perfect antidote to all of the math and software in this issue.
Thanks as always to Scope of Work’s Members and Supporters for making this newsletter possible. Thanks also to my Dad for first lending me Simon Singh’s Code Book, and, as always, to Erinna & Lukas for everything else.
Love, George
p.s. - We care about inclusivity. Here’s what we’re doing about it.
