Cryptography as Capability
In the 1740s, somewhere in Germany, a group calling itself the Great Enlightened Society of Oculists encrypted their rituals in a cipher so elaborate that it took 260 years, three countries' worth of scholars, and a machine translation algorithm to crack it. The cipher used 88 symbols — astronomical signs, Greek letters, accented Roman characters, pentagrams — with multiple symbols mapping to single German letters and the unaccented Roman letters serving as word separators disguised to look like the actual message. It was, by historical standards, a pretty good code.1
What the Oculists were hiding turned out to be remarkable. Not just their own eye-surgery rituals and initiations, but detailed descriptions of the highest-degree Masonic ceremonies — rites that were still secret at the time. The Oculists appear to have been a secret society that had infiltrated another secret society. Their seal showed cats watching over mice. Whether they were spies, pranksters, or something else entirely is still unclear. One passage in the Copiale manuscript claims the Oculists founded Freemasonry as a joke — almost certainly false, but revealing of how the Oculists saw themselves relative to the larger fraternal orders.
The Copiale decipherment is a good entry point into cryptography because it shows the full stack: why people encrypt things, how encryption works at a basic level, and what happens when codes are broken.
How Codes Work (and Break)
The fundamental idea is simple. You have a message. You transform it into something unreadable using a set of rules (the key). Someone who has the key can reverse the transformation and read the message. Someone without the key can't.
The oldest approach is the substitution cipher: replace each letter with a different symbol. The Caesar cipher shifts the alphabet by a fixed number of positions. The Oculists used a polyalphabetic substitution — multiple symbols for each letter — which is harder to crack because simple frequency analysis (counting how often each symbol appears and matching to known letter frequencies) doesn't work as cleanly.
Kevin Knight, the USC machine translation researcher who cracked the Copiale, treated the cipher like a foreign language translation problem. His expectation-maximization algorithm tried every possible mapping from cipher symbols to German letters, keeping the mappings that produced the most statistically plausible German text and iterating until convergence. His breakthrough insight was realising that the Roman letters — which any casual reader would assume were the real message — were actually just spaces between words. The real message was in the exotic symbols.1
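The frequency-analysis point above, as an added example that is not from the original page: a toy cipher that gives common letters several symbols flattens the symbol counts that a single-symbol-per-letter cipher leaves intact. The sample sentence, the 60-symbol budget and all function names are constructed for illustration and are not the Copiale's actual symbol table.

```python
from collections import Counter
from itertools import count

# Constructed English sample (the Copiale plaintext is German and not on this page).
SAMPLE = ("the members entered the chamber at midnight and swore never "
          "to reveal the secrets of the order to strangers")

def letters(text):
    return [c for c in text.lower() if c.isalpha()]

def caesar(text, shift):
    """One symbol per letter: every letter always maps to the same output."""
    return [chr((ord(c) - 97 + shift) % 26 + 97) for c in letters(text)]

def homophonic(text, total_symbols=60):
    """Give common letters more symbols, then rotate through them."""
    plain = letters(text)
    ids, table = count(), {}
    for ch, n in Counter(plain).items():
        k = max(1, round(total_symbols * n / len(plain)))
        table[ch] = [next(ids) for _ in range(k)]
    used, out = Counter(), []
    for ch in plain:
        out.append(table[ch][used[ch] % len(table[ch])])
        used[ch] += 1
    return out, table

def decrypt_homophonic(symbols, table):
    """The key holder inverts the table; many symbols map back to one letter."""
    inverse = {s: ch for ch, syms in table.items() for s in syms}
    return "".join(inverse[s] for s in symbols)

def peak_share(symbols):
    """Fraction of the text taken up by the single most common symbol."""
    return max(Counter(symbols).values()) / len(symbols)

if __name__ == "__main__":
    cipher, table = homophonic(SAMPLE)
    print(f"plaintext peak  : {peak_share(letters(SAMPLE)):.3f}")
    print(f"caesar peak     : {peak_share(caesar(SAMPLE, 3)):.3f}")
    print(f"homophonic peak : {peak_share(cipher):.3f}")
```

The shifted alphabet keeps the plaintext's frequency peak exactly, while the multi-symbol cipher spreads it across many symbols, which is why a solver has to lean on language statistics beyond single-symbol counts.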
Modern cryptography has moved far beyond substitution ciphers, but the core dynamic remains: encryption transforms data using a key, and the security depends on the computational difficulty of reversing the transformation without the key. Matt Levine's massive explainer of crypto uses hashing as the foundational example. A SHA-256 hash takes any input — a word, an article, the complete text of Ulysses — and produces a fixed-length 64-character hexadecimal number. The same input always produces the same hash. But the hash tells you nothing about the input, and tiny changes in the input produce completely different hashes. "Hi! I'm Matt" and "Hi, I'm Matt" hash to entirely unrelated numbers.2
Hashing is a one-way function: easy to compute forward, impossible to reverse. This turns out to be enormously useful. Passwords can be stored as hashes rather than plaintext — if someone steals the database, they get useless numbers rather than passwords. Predictions can be committed to publicly (tweet the hash now, reveal the plaintext after the event) without giving away the content. And digital signatures can prove authorship: encrypt a message with your private key, and anyone with your public key can verify that you wrote it.
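The "tweet the hash now, reveal later" idea, as an added example that is not from the original page or from Levine's explainer. It shows a caveat a practitioner needs: when the message comes from a small set of plausible values, a bare hash can be matched by hashing each candidate, so the commitment should include a random nonce that is disclosed at reveal time. The outcome list and function names are constructed.

```python
import hashlib
import hmac
import secrets

def bare_commit(message: str) -> str:
    """The plain approach: SHA-256 of the message alone (64 hex characters)."""
    return hashlib.sha256(message.encode()).hexdigest()

def find_preimage(digest: str, candidates):
    """Check a published digest against every plausible message."""
    for guess in candidates:
        if hmac.compare_digest(bare_commit(guess), digest):
            return guess
    return None

def commit(message: str):
    """Hiding commitment: a random 32-byte nonce is hashed with the message."""
    nonce = secrets.token_bytes(32)
    digest = hashlib.sha256(nonce + message.encode()).hexdigest()
    return digest, nonce  # publish the digest now, keep the nonce private

def verify(digest: str, message: str, nonce: bytes) -> bool:
    """Reveal step: recompute from the disclosed message and nonce."""
    expected = hashlib.sha256(nonce + message.encode()).hexdigest()
    return hmac.compare_digest(expected, digest)

# Constructed example: a prediction with only three possible values.
OUTCOMES = ["home win", "away win", "draw"]

if __name__ == "__main__":
    weak = bare_commit("draw")
    print("bare hash matched to:", find_preimage(weak, OUTCOMES))
    strong, nonce = commit("draw")
    print("nonce-based hash matched to:", find_preimage(strong, OUTCOMES))
    print("reveal verifies:", verify(strong, "draw", nonce))
```

The same reasoning applies to stored password hashes: human-chosen passwords are guessable inputs, so password storage uses a per-user salt and a deliberately slow derivation function instead of a single fast hash.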
Why Secrets Shape History
The Copiale story matters beyond cryptography because it illustrates how secrecy functions as a social technology. Hundreds of thousands of Europeans belonged to secret societies in the 18th century. These weren't marginal cranks — Voltaire, Washington, and Franklin were active Freemasons. The societies were incubators for democratic governance (they elected their own leaders and wrote constitutions), ecumenical religion (they didn't care about members' denomination), and radical politics (the Copiale contains explicit calls for revolt against tyranny, written thirty years before the Declaration of Independence).1
Their power derived substantially from their ability to keep secrets. The encryption wasn't paranoia — it was a survival mechanism. The Catholic Church had forbidden Masonic membership in 1738. States viewed the cross-class, cross-denominational organisations as threats to social order. The ability to communicate secretly was a prerequisite for the ability to think freely.
This is the recurring pattern of cryptography through history: the ability to keep a secret is a capability, and like any capability, it shifts power toward whoever has it and away from whoever doesn't. The Enlightenment's secret societies used codes to incubate radical ideas away from church and state censorship. Modern end-to-end encryption serves the same function — it gives individuals the ability to communicate without institutional eavesdropping. The arguments for and against backdoors in encryption are structurally identical to the 18th-century arguments about whether secret societies should be banned.
The historian Andreas Önnerfors, who helped interpret the Copiale, noted that there's a "whole secret history of the West waiting to be told" locked in encrypted manuscripts that historians have traditionally ignored because they couldn't read them. The Copiale was just one document from one relatively minor society. Scores of similar encrypted texts sit in archives across Europe, their contents completely unknown. Every time one is cracked, it reveals a piece of intellectual history that was deliberately hidden from the mainstream record.1
Shamir Secret Sharing and the PayPal Incident
The secret sharing scheme devised by Adi Shamir (the S in RSA) is one of the most elegant constructions in cryptography. The idea: split a secret among m people such that any n of them can reconstruct it, but n-1 cannot. You create a random polynomial of degree n-1 with the secret as the constant term, evaluate it at m different points, and hand each person one point. Any n points uniquely determine the polynomial (by Lagrange interpolation), giving you the secret. Fewer than n points reveal nothing — provably, information-theoretically, not just computationally.3
Max Levchin's account of implementing Shamir Secret Sharing at PayPal circa 2000 is the best war story I know about the gap between cryptographic theory and operational reality. PayPal's master encryption key — the one that decrypted every credit card number in the database — was protected by a single passphrase known to four or five engineers. Levchin, obsessed with security, decided to replace this with a 3-of-8 Shamir scheme: split the key into eight shares, any three of which could reconstruct it.3
The implementation was tested for weeks on his Linux desktop. The night of the key rotation, everything went smoothly — new key generated, database re-encrypted, shards distributed. Then they tried to reconstruct the key from shards on the production server (a Solaris machine). Every combination failed. Panic ensued. PayPal was down, and the only copy of the master key had been overwritten during deployment.
The bug: Levchin used getpass() for passphrase entry, the only OS-level call in his pure-POSIX C implementation. On Linux, getpass() accepted passphrases of any length. On Solaris, it silently truncated them to 8 characters. The shards were generated with long passphrases on Linux and could never be decrypted with the truncated versions on Solaris. Only one engineer's shard worked — the one who had sheepishly chosen "a$$word" as his passphrase, which happened to be exactly 8 characters.3
The story is funny in retrospect, but the lesson is serious. The cryptographic scheme was mathematically perfect — Shamir's construction is provably secure. The implementation was carefully tested. The failure was at the boundary between two systems (Linux and Solaris) in a library function that behaved identically except for one undocumented platform difference. This is the perpetual gap in applied cryptography: the mathematics is trustworthy, but the mathematics runs inside software, which runs on hardware, which is operated by humans, and the chain is only as strong as its weakest non-mathematical link.
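One way to catch this class of failure before the old key is destroyed, as an added example that is not from the original page and is not PayPal's code. Each holder's passphrase-derived key gets a short check value when the shares are created, and the target host re-derives it through its own input routine before the old key is retired. `read_truncating` is a constructed model of the 8-character truncation described above; the holder names, two of the passphrases, the iteration count and the check-value label are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # example value only

def read_full(typed: str) -> str:
    """Input routine that returns everything the holder typed."""
    return typed

def read_truncating(typed: str, limit: int = 8) -> str:
    """Constructed model of an input routine that silently keeps 8 characters."""
    return typed[:limit]

def key_check_value(passphrase: str, salt: bytes) -> bytes:
    """Short fingerprint of the passphrase-derived key, stored with the share."""
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS)
    return hmac.new(key, b"share-wrap-kcv", hashlib.sha256).digest()[:16]

def enroll(typed_by_holder, reader):
    """Run where the shares are generated: record salt and check value."""
    records = {}
    for holder, typed in typed_by_holder.items():
        salt = secrets.token_bytes(16)
        records[holder] = (salt, key_check_value(reader(typed), salt))
    return records

def preflight(records, typed_by_holder, reader):
    """Run on the target host: list holders whose derived key no longer matches."""
    failures = []
    for holder, (salt, kcv) in records.items():
        candidate = key_check_value(reader(typed_by_holder[holder]), salt)
        if not hmac.compare_digest(candidate, kcv):
            failures.append(holder)
    return sorted(failures)

def safe_to_retire_old_key(records, typed_by_holder, reader) -> bool:
    """Gate the destructive step on every holder passing on the target host."""
    return not preflight(records, typed_by_holder, reader)

# Constructed holders; "a$$word" is the short passphrase quoted in the story.
TYPED = {"alice": "correct horse battery", "bob": "a$$word",
         "carol": "long-passphrase-2000"}
```

Enrolling with `read_full` and running `preflight` with `read_truncating` flags every holder whose passphrase is longer than the limit, and `safe_to_retire_old_key` then returns `False` while the old key still exists.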