We continue to explore what cash is, and how it is created and authenticated, by moving forward into the computational age. This chapter describes the development of public key cryptography, particularly the technologies of authentication used for “digital signatures,” and looks at how they were assimilated into existing traditions of confirming documents—including the class of printed documents we call cash—and created, in the process, strange new hybrid forms.
Nancy Wake bicycled 250 miles in three days in 1944, more or less day and night. When she needed to sleep, she lay behind bushes or concealed in ditches. She brought makeup and toiletries, so she could freshen up as she went, always appearing to be out for a brief jaunt or some local errand. She needed to pass this way because she was the Allied agent the Gestapo dubbed “the White Mouse,” in occupied France with a five-million-franc bounty on her head. A person of extraordinary grit and courage, Wake—who organized and supplied thousands of guerrilla fighters in the Auvergne and once killed an SS sentry with her bare hands—had to make the ride; otherwise she and her crew were trapped. Fearing capture during a retreat, the wireless operator Denis Rake had buried his radio equipment and destroyed their codebooks.1
Without codes there was no way to communicate with their support in the UK; to arrange drops of food, volunteers, arms, ammunition, and other matériel; and to coordinate their actions with other fighters. Wake knew the location of the nearest operator with a set of codes, so off she went, hoping to return before they ran out of food or were overwhelmed. By the time she got back, she could neither walk nor dismount her bicycle without assistance, but they had their ciphers.
Wake was part of an institution called the Special Operations Executive. The SOE trained, coordinated, and supported guerrilla fighters behind Axis lines. It was a chaotic, inventive, unorthodox, ad hoc organization. The SOE agents urgently needed secure communications tools and cipher systems that were reliable, portable, easy to conceal, and fast. The agents were people like Odd Starheim, a Norwegian who escaped to Aberdeen to get training in sabotage and secret messages—“the agony of coding”—so that he could parachute back into Norway and aid an SOE team in blowing up a Nazi heavy-water plant.2 He couldn’t be sent into the field (pushed out of a plane in the middle of the night over a glacier, for instance) with a twenty-five-pound cipher machine that would be grounds for immediate arrest and interrogation if found.
Their standard method was the “poem cipher.” The poem, prearranged between sender and receiver, would be the basis for a set of words whose numbered letters acted as the transposition key for the message. This method had the advantage of requiring no equipment, since you could commit the poem to memory—but agents had the bad habit of choosing poems they knew well from the common stock of Keats, Molière, Shakespeare, and so on. Doing the ciphering in their heads led to slips and mistakes, making their messages confusing or even opaque to their recipients; using the same poems repeatedly, even original ones, made them less secure; SOE handlers often sent exactly the same text to many different agents, each in their personal code. If one of these identical messages were cracked, the adversary could test the text against all the others, breaking each of those ciphers in turn. Finally, if these ciphers were broken once, they would continue to be broken, since the codes themselves didn’t change.
Leo Marks, the cryptographer who headed the SOE’s code office, fought this practice. (Yes, the master cryptographer for the SOE was named Marks; in another Nabokovian detail, their offices were on Baker Street, not far from the chambers where Sherlock Holmes cracked ciphers like the “Dancing Men.”) In the short term, he convinced many of the SOE agents to create their own original poems, or at least adopt uncommon ones—Nancy Wake, for instance, “used a pornographic poem which she’d made even more pornographic by her habit of misspelling it.”3 In the long term, he sought a more complete solution.
He found it in the “one-time pad,” which he refined into the “letter one-time pad” (LOP) and printed in minute type on a sheet of silk. The LOP was a grid of randomly generated letters, used with a “substitution square”: likewise a grid for ease of reference, twenty-six by twenty-six squares, for a set of substitution rules—for A plus A, write P, for I plus D, write U. Silk made the pads easy to conceal and to destroy, to sew into the lining of coats, wad into tiny balls, swallow, burn, flush down the toilet. (When the KGB used one-time pads, they printed them on flash paper to be immediately destroyed on use.)4 Silk was expensive, but Marks presented the deal to his superiors as “silk or cyanide”—budget either for silks or for suicide pills for the agents inevitably compromised or captured.
AT MIDNIGHT, begins your message; OPXCA PLZDR, begins your pad of random letters. Check the substitution grid: for A plus O, write J; for T plus P, write X, and so on.5 The first two words of your message will be JXFZD YXQZK. Once the ciphering is done, you can send your message and destroy the random letters used from the pad—it is “one time,” never to be used again. (Reuse of the substitution square doesn’t compromise security; without the original pad of random letters, nothing in the substitution square will tell you the text of the message—it serves only to make enciphering faster and less prone to errors.) The decipherer goes through the same process in reverse. As long as sender and receiver are using the same pad and substitution square, and starting at the same place in the string of random letters, the one-time pad can rapidly encrypt and decrypt messages in perfect security.6
“Perfect” meaning perfect: as pioneering information theorist Claude Shannon proved in 1945 (and Vladimir Kotelnikov, independently, in 1941), if the numbers are truly random and there is no reuse of keys, the one-time pad is absolutely secure.7 No letter or string of letters in the ciphertext gives a clue to any of the corresponding letters, no matter how much ciphertext you have. All your adversary can determine is the length of the message; naturally, many users of one-time pads would add padding to their messages, to make even that unreliable.
All of these tools and techniques with their varying effectiveness—the wireless codebooks, silk handkerchiefs, memorized poems—shared a single, deeper problem: symmetry. Absolute as a one-time pad or vulnerable as a poem code based on a Shakespeare sonnet, all these methods relied on sender and receiver having the same key. The same poem, the same page of the same book, the same line of the same page of the one-time pad had to be used for encryption and decryption. The key was also relied on to authenticate the communicants: that the message was properly ciphered was generally taken as proof that it was from the right person.
Symmetrical keys meant an enormous multiplication of points of compromise, in every step of storing, sharing, sending, and updating the keys. Intercept the luggage at customs, surreptitiously photograph all the cipher pages, and read the agent’s traffic in your country at leisure—and communicate as them once they’ve been taken out of play. Symmetry made sender, receiver, and every point between vulnerable. The German naval code—which relied on the famous Enigma machine—included booklets for setting the device in sync with the rest of the organization (keeping the keys symmetrical) and using short codes to decrease chances of detection; these documents were printed in red ink on pink blotter paper, so they could be made immediately illegible with a splash of water to prevent capture. Nancy Wake bicycled hundreds of miles facing the possibility of capture, torture, and death for want of the codebooks.
This was the situation until one afternoon in computer scientist John McCarthy’s house in Berkeley in the spring of 1975, in the mind of his housesitter.
“The thing I remember distinctly is that I was sitting in the living room when I thought of it the first time and then I went downstairs to get a Coke and I almost lost it.”
Whitfield Diffie was preoccupied with the problem of symmetric keys, which computers aggravate. If you don’t want every signal between two computers “in clear,” readable by anyone who can tap a phone line or tune a radio, then the computers need matching keys for encrypting and decrypting. But how are those keys to be transmitted? If the keys can also be picked up in transit, then any reliable computer-to-computer exchange—any possibility for digitally communicating in confidence so that we are not overheard and both are whom we claim to be—becomes almost impossibly difficult.
This story has been well told many times by the protagonist himself, in oral histories, and in several excellent books.8 Diffie had been roaming the country in a Datsun 510, visiting libraries and meeting with researchers to answer two related questions: how to reliably verify ourselves and our machines (an issue in military equipment called identification friend or foe, IFF) and how to communicate with provable secrecy. He ended up housesitting for McCarthy, turning over, yet again, the problem of contemporary cryptography. That afternoon in May, he cracked a few different problems at the same moment with asymmetric key encryption; as he almost forgot, going to get a drink, history wobbled on a point of convergence in the living room.
Not that asymmetric—or, as it became more widely known, “public”—key encryption would never otherwise have been discovered. Many different people were attacking this question from different sides. Martin Hellman, Diffie’s coauthor and collaborator, had already been studying it. So had Richard Schroeppel, who devoted his career to a mix of cryptography, elliptic curves, and the properties of magic squares. An undergraduate at UC Berkeley named Ralph Merkle was working on closely related ideas: a set of puzzles to establish a shared secret key between two parties with no shared secret beforehand, which he first proposed in 1974.9 A prominent cryptographic mathematician, cryonics advocate, and Extropian, Merkle reappears many times in this book; his work on hashing paired data, the Merkle tree, underlies the “blocks” in the Bitcoin blockchain.
In fact, public key cryptography had already been independently discovered—as “non-secret encryption”—by James Ellis, Clifford Cocks, and Malcolm Williamson in the UK, with the initial breakthrough in 1969 (“Can we produce a secure encrypted message, readable by the authorised recipient without any prior secret exchange of the key?”) and the mathematical solution, from number theory, in 1973.10 But they worked for the Government Communications Headquarters (GCHQ), the UK’s equivalent of the National Security Agency in the United States, and their work was and long remained secret.
What Diffie, Ellis, Cocks, Williamson, Hellman, Merkle, and others were all working toward was splitting the key. Symmetry means the same key is used for enciphering and deciphering; if you could separate those functions into different yet somehow related keys, then you could freely distribute one without compromising the other. This could solve the intractable problem of symmetrical key exchange in a single decisive stroke, like Alexander cutting the Gordian knot.
An asymmetrical arrangement means you can freely share your “public” key without endangering the security of your communications. Messages encrypted with that public key can only be read by using the “private” key, which is kept by the user. The keys correspond, but the first cannot be inferred from the second: you cannot extract the private key from the public. Instead of fretting over every weak link in the chain of custody of a symmetric key, and trusting in third-party repositories of matching keys to establish safe communications between computers, you can generate a keypair yourself and share the public key with whom you will and keep the private key as a secret for you alone. “The virtue of cryptography should be that you don’t have to trust anybody directly involved with your communications,” said Diffie.11
For this to work, the cryptographers had to find a set of “one-way functions.” These had to make it very easy to compute a function and produce a result, and very difficult (“computationally infeasible”) to work backward from that result—to invert the function. It only works one way, a door that permits entrance but not egress. We could sit down together with pen and paper and grade-school arithmetic and quickly multiply two very large prime numbers together. To factor out the resulting semiprime number, though, and determine which primes we multiplied to produce it, is an immensely difficult task: a protracted “brute force” search through an enormous space. With a sufficiently strong key, the solution process dwarfs not only our life spans but the history of written language, of human evolution, of geological time.
This function has one additional, vital component: a trapdoor. If you have semiprime factors for the number, you can quickly verify whether they are the correct ones. Possession of the trapdoor means that the function can be easily reversed by someone with the right information. “A trap-door cryptosystem,” Diffie and Hellman wrote, “can be used to produce a public key distribution system.”12 What this means in practice, speaking at a high level: With the right set of functions, you can take a message and encrypt it without knowing the key necessary to decrypt it. The person with the key can do the decryption more or less instantly (with the aid of the “development of cheap digital hardware”), and an adversary can intercept the encrypted message, plus the public key, and still be unable to discover the private key and read the message. Diffie and Hellman were not certain of precisely the right function for this one-way operation, and many initial attempts proved too easy to solve with the aid of fast computation. The particular area of prime number factorization would wait a few years until the work of Ron Rivest, Adi Shamir, and Leonard Adleman in 1978 (for whom the landmark RSA algorithm and company were named), and set off what the scholar of computing infrastructure and cryptography Jean-François Blanchette described as “a gold rush for the discovery of additional suitable problems,” each involving “different computational assumptions, distinct conjectures about the difficulty of calculating inverse functions for the scheme.”13
Metaphors can mislead in this domain—there are properties particular to primes and semiprimes, and to different equivalent functions, that make certain numbers and operations much less suitable for this purpose than others. But the simple question remains: How was this number produced?
12462036678171878406583504460810659043482037465167880575481878888328966680118821085503603957027250874750986476843845862105486553797025393057189121768431828636284694840530161441643046806687569941524699318570418303051254959437137215902923609914
When Diffie and Hellman were working on the particulars of the system for splitting the key, they saw a second property the system would have. If such a split key existed, with a private and a public piece and the trapdoor between them, you could use the private key to encrypt a message so that the corresponding public key could decrypt it. This provided no secrecy: the public key should be widely distributed, and anyone with it could read a private-key-ciphered message. Instead, it gave verification. To decipher a message with the public key proved that it was ciphered with the private key. Assuming that the private key had been protected—still a secret, in possession of its creator alone—that meant you could verify the message had been produced by the holder of the private key and not altered in transit. The message could be given the equivalent of a written signature and a sealed envelope.
This was simultaneously a real thing—the system would enable just such a demonstrable outcome—and a powerful and somewhat vague metaphor. Diffie and Hellman talked about contracts and receipts; Rivest, Shamir, and Adleman about “signature,” “proof,” and “judge”—in quotes, as Blanchette points out, because “cryptographic algorithms are not transparently assimilable to the writing of one’s name on paper.”15 For a start, they were constrained by the problem of copying. “Since any digital signal can be copied precisely,” Diffie and Hellman wrote, “a true digital signature must be recognizable without being known.”16
Recognizable without being known. This was a tall order, one that may seem familiar from the problems faced by banknotes. How do you create a reproducible object—a printed sheet of a currency, a signature—that can’t be reproduced by the wrong parties? It must be verifiable but not replicable, easily created but not re-created, recognizable without being known, and provably reliable. (Bitcoin, decades in the future, will be almost entirely a system of digital, cryptographic signatures.) Diffie and Hellman wrote that “in order to develop a system capable of replacing the current written contract with some purely electronic form of communication, we must discover a digital phenomenon with the same properties as a written signature.”17 “But what exactly,” Blanchette asked in rejoinder, “is a written signature?”18
When Sylvia Howland died in 1865, she left a will giving part of her enormous fortune in trust to her niece, Hetty Robinson. Robinson produced a second, secret will awarding herself the whole estate. The executor refused to accept it, and Robinson took him to court. The second will was in Robinson’s handwriting; she had taken dictation from her elderly, infirm aunt. Only the signatures on the page were Howland’s—or not. On this millions rested.19
Three words—“Sylvia Ann Howland”—would be among the most closely studied examples of handwriting in history. Quantified in terms of hours and expertise, few works of art could claim such critical focus: photographically enlarged and studied under microscopes and scrutinized by handwriting experts, bankers, scientists, and pioneering photographers and engravers.
The concern wasn’t that the signatures on the different pages of the will were too different: it was that they were too similar. They were identical, stroke by stroke, and even their placement and distance from the margins on their respective pages was the same. This didn’t look like authorship but like tracing. Dozens of examples of Howland’s signature showed more variation, but those were over time. How much does your signature vary from day to day, hour to hour, document to document? Bankers and accountants—people with a professional background in approving signatures—testified to consistency and inconsistency.20 Louis Agassiz used cutting-edge microscope technology to look for traces of pencil lead, providing testimony that sounded like an explorer traversing an alien landscape by balloon: he found deltas of ink distributed like mud on a silting riverbed, and none of the geological disturbances of scrambled strata that would be left by a rubber eraser.
The astronomer Benjamin Peirce and his son, the scientist, philosopher, and logician Charles Sanders Peirce, tried a very different approach, shifting to mathematics and probability and away from the sensory training of those skilled in signatures. Father and son identified precisely thirty downstrokes characterizing Howland’s signature and went through the dozens of examples, cataloging the variations and creating a statistical model of the likelihood of the signatures on the contested page precisely corresponding. It was to deliver the results of these calculations that Benjamin Peirce took the stand on that June day to describe a number—the chance of the signatures matching as well as they do—that “far transcends human experience.”21
Charles Peirce would later cofound American pragmatist (or, as he preferred, “pragmaticist”) philosophy, and the discipline of semiotics in the United States. His passion was symbolic logic, and of particular interest to him was how we distinguish signs that refer to things from signs that are things themselves: What does a zero or a dollar sign or a yardstick or a barometer’s needle mean and how does it work? In the Howland Will case, he and his father had to distinguish a signature from a picture of a signature—to quantify and explain how to identify the moment of human presence and conscious assent in the written object, and to distinguish what it is from what it means.22
A signature is known in a singular way: it is the index of an event, of a body in the act of writing. Charles Sanders Peirce, in his capacity as a semiotician, argued that there were three ways that a thing, a sign, could “convey knowledge of some other thing, which it is said to stand for or represent.”23 One way was the index, the sign that conveys knowledge by virtue of a physical connection to the thing for which it stands. Think “index” as in the pointing index finger: it’s over there, you communicate without speaking. Distant smoke, the Pole Star, a bubble in a carpenter’s level, a plumb bob, a map, a sailor’s rolling gait on land, a fingerprint left on a glass: indices all, signs carrying information by physical connection. A signature is a set of written symbols based on shared convention and usage—as with seven arbitrary symbols: h, o, w, l, a, n, d—but also an index, the record of a hand, a second, a physical event linked to a body. “Taking the offered pen,” writes Melville of Queequeg signing on as harpooner on the Pequod, he “copied upon the paper, in the proper place, an exact counterpart of a queer round figure which was tattooed upon his arm.”
Signet rings, Chinese chops and Japanese inkan and Korean dojang and guksae, fingerprints, and the unique calligraphic tughra signature of an Ottoman sultan: the millennial and global history of human authentication objects rests on the paradox of an object that could be unique but repeatable, expressing a singular instant of presence each time. It had to be similar enough to itself that it could be confirmed without being precisely the same—recognizable without being known. The signature, the authenticating act, was intimately personal but could be delegated: from the presidential or prime-ministerial body to the Autopen or the rubber stamp. The cultural historian Hillel Schwartz argued that the signature only assumed its current cultural significance after the heyday of the European Romantic movement, focused as it was on the singular expression of personal genius and style. In a time of reproducible printed type, Schwartz wrote, the personal hand, “like a paraph spiralling off the end of a signature,” had “a public flourish irreproducible by any printing press.”24 The paraph being a precaution against forgery: recognizable but not reproducible, a bit of unique human style.
The digital signature began as a superficially similar act of individual bodily presence, the authentication of a message with a private key corresponding to a public key—“a digital phenomenon with the same properties as a written signature,” as Diffie and Hellman had envisioned. But it did not have exactly “the same properties.” Written signatures involve similarity without replication: what distinguishes an authentic signature is precisely that infinitesimal bit of personal difference produced each time that a Xerox machine does not possess.25 Signatures occupy a technically simple, socially complex role in the context of witnesses, formalized positions like notaries and lawyers, and systems of documents like checks, contracts, and forms.
The “digital phenomenon” of the cryptographic signature, meanwhile, was a growing family of interesting mathematical objects, software processes, and models. “Creatively assembled,” in Blanchette’s words, these elements yielded “mutations” in the metaphor of the signature, a strange bestiary of new ways to confirm, authenticate, approve, or verify: chimeras with names like one-time signature, multiproxy signature, ring signature, fair blind signature, undeniable signature, forward-secure signature, fail-stop signature, threshold signature, multisignature, designated confirmer signature.
There were occasional, obligatory paragraphs in the literature where cryptographers would crank up the mainspring on the old Victrola gramophone and drop the needle on convoluted analog metaphors and analogies: invisible inks, signed flaps, irrefutable stamps; locks and keys and safe-deposit boxes; cashier’s checks, bearer bonds, and banknotes. Imagine, wrote the cryptographer and entrepreneur David Chaum, a sealed envelope lined with carbon paper, containing an unknown document, stamped with a notary’s embosser. Out of this strange notion, implemented cryptographically, he would develop the first functional digital cash scheme—one that he hoped could avert a totalitarian future.