How the CIA’s Kryptos Sculpture Gave Up Its Final Secret

The saga of Kryptos, an enigmatic sculpture containing four cryptic messages outside the 35-year-old CIA headquarters, has just taken a bizarre turn. Although cryptographers broke the first three passages in the 1990s, just a few years after artist Jim Sanborn erected the copper monolith, the fourth, known as K4, remained a 97-character fortress, until September 2, when journalists Jarett Kobek and Richard Byrne discovered the answer in the Smithsonian archives.
How do you crack the most famous code in the world? The advances on Kryptos offer a guided tour of the cat-and-mouse game between code makers and code breakers that has defined information security for millennia.
The main challenge of cryptography is to send a secret message securely in the presence of eavesdroppers. The strategy always involves the same ingredients: the message, called the plaintext, is deformed (the encryption) so that anyone who intercepts it sees only garbled gibberish (the ciphertext). Ideally only those who have a secret key can decipher it. If you share your secret key with the intended recipient and no one else, you can, in theory, communicate with them in code. Cryptography is the basis of everyday financial transactions and online communications, not just spy messages.
To understand Kryptos, we will need to look at early cryptosystems and understand why they failed. One of the simplest and oldest methods of encryption dates back to a historical secret keeper: Julius Caesar. The Caesar cipher obscures messages by shifting each letter of the alphabet by a fixed amount. Here the key is a number between 1 and 25. Let’s say we choose 5. The encryption for “hello” would be “mjqqt” because M is five letters after H, J is five letters after E, and so on. (If you reach the end of the alphabet, go back to the beginning.) For a more entertaining example, astute fans of 2001: A Space Odyssey noticed that HAL, the name of the malicious AI, is “IBM” with a Caesar cipher shifted one letter backwards. (Director Stanley Kubrick insisted this was a coincidence.) Although Caesar trusted this method with his confidential correspondence, it is a poor way to protect state secrets. If an adversary learns that you encrypt messages with the Caesar cipher, they only need to try 25 different keys to recover the original text.
A general substitution cipher offers the most natural upgrade. Instead of just shifting the alphabet, you scramble it. The letter A can become Q, B can become X, C can become D, and so on, in no particular order. This seems much more secure. A Caesar cipher has only 25 possible keys, but a full substitution cipher has 403,291,461,126,605,635,584,000,000. (There are 26 factorial ways to shuffle the alphabet, or 26 × 25 × 24 × 23…3 × 2 × 1.) A brute-force search that checks each key is not feasible, but substitution ciphers are still terribly insecure by current standards. If you don’t already know why, ask yourself how you would go about decoding a page of text encrypted with a substitution cipher.
The drawback of a substitution cipher is that it leaves the structures of language intact. English has a distinct fingerprint. The letter E makes up more than 12% of all letters in English text, while the letter Z appears less than 0.1% of the time. If you intercept a page of gibberish encrypted with a substitution cipher and the letter J appears more often than any other letter, it’s a safe bet that J represents E. The second most common letter is probably a T. Additionally, single-letter words almost certainly represent A or I (the only frequently used one-letter English words), and common two- or three-letter words can also give codebreakers a foot in the door. Called frequency analysis, this method is the basis of the popular newspaper puzzles called cryptograms; it also played a vital role in deciphering the first three passages of Kryptos.
Sanborn encrypted the first two Kryptos messages, called K1 and K2, which contain 63 and 372 characters respectively, using the next level up: the Vigenère cipher. Invented in the 16th century and named after the cryptographer Blaise de Vigenère, it remained unbroken for 300 years, earning it the nickname “the indecipherable cipher.” It works by applying several different Caesar ciphers to a single plaintext. For example, maybe we offset the first letter of the message by 19, the second letter by 16, the third letter by 25, and then repeat. (The fourth letter is offset by 19, the fifth by 16, the sixth by 25, and so on.) These offset values make up the key, which is usually represented by a word whose letters sit at those positions in the alphabet. In this case the key is SPY because S, P and Y are the 19th, 16th and 25th letters.
The Vigenère cipher ingeniously foils simple frequency analysis, because not all E’s, for example, will map to the same letter. Imagine the first two letters of a message are both E. The first is shifted by 19 to become an X and the second by 16 to become a U. But clever cryptanalysts can still break through. If you can guess the length of the key (for example, three for SPY), you can solve the problem. You take the first, fourth, seventh, and tenth letters, and so on, from the ciphertext and put them in a pile. All of these letters were shifted according to the same key letter: S. You can now perform frequency analysis on this pile alone. You do the same for the second, fifth and eighth letters, all offset according to P, and so on. The “unbreakable” cipher becomes three simple Caesar ciphers. Not sure about the key length? Careful examination of the ciphertext can sometimes provide clues, but if all else fails, try all possible lengths. Does that take too much time? A computer program can make the search easier.
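The pile attack described above, written out as an added Python example (not part of the original article): it enciphers a sample text with the key SPY using the article's offsets, then recovers the key by trying key lengths 1 to 5 and brute-forcing each pile as a Caesar cipher scored against English letter frequencies. The frequency table is approximate, and the sample text and function names are constructed for this illustration.

```python
# Approximate English letter frequencies in percent, A..Z (reference values).
ENGLISH = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
           6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]

# Constructed sample plaintext, assembled from sentences of this article.
SAMPLE = ("The main challenge of cryptography is to send a secret message "
          "securely in the presence of eavesdroppers. The drawback of a "
          "substitution cipher is that it leaves the structures of language "
          "intact. If you share your secret key with the intended recipient and "
          "no one else, you can communicate with them in code. Cryptography is "
          "the basis of everyday financial transactions and online communications.")

def letters(text):
    return "".join(c for c in text.upper() if "A" <= c <= "Z")

def shift_text(text, shifts):
    """Shift letter i forward by shifts[i % len(shifts)]; one shift is a Caesar cipher."""
    return "".join(chr((ord(c) - 65 + shifts[i % len(shifts)]) % 26 + 65)
                   for i, c in enumerate(text))

def key_to_shifts(key):
    # Article's convention: S, P, Y are the 19th, 16th and 25th letters (A = 1).
    return [ord(k) - 64 for k in key]

def chi_squared(text):
    """Distance between the letter counts of text and English; lower is closer."""
    n = len(text)
    return sum((text.count(chr(65 + i)) - n * f / 100) ** 2 / (n * f / 100)
               for i, f in enumerate(ENGLISH))

def solve_pile(pile):
    """Brute-force one Caesar cipher: keep the shift whose result looks most English."""
    return min(range(26), key=lambda s: chi_squared(shift_text(pile, [-s])))

def break_vigenere(ciphertext, max_len=5):
    """Try key lengths 1..max_len: split into piles, solve each, keep the best text."""
    best = None
    for n in range(1, max_len + 1):
        shifts = [solve_pile(ciphertext[j::n]) for j in range(n)]
        plain = shift_text(ciphertext, [-s for s in shifts])
        if best is None or chi_squared(plain) < best[0]:
            best = (chi_squared(plain), shifts, plain)
    key = "".join(chr(64 + s) if s else "Z" for s in best[1])
    return key, best[2]

if __name__ == "__main__":
    ciphertext = shift_text(letters(SAMPLE), key_to_shifts("SPY"))
    print(ciphertext[:24], "->", break_vigenere(ciphertext)[0])
```

The same `solve_pile` routine is the Caesar brute-force search from earlier in the article, with the letter-frequency score standing in for a human reading each candidate.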
Sanborn encrypted K1 and K2 with the keys “PALIMPSEST” and “ABSCISSA”, respectively. The first, a poetic choice, refers to a piece of writing that has been erased and rewritten several times. The abscissa is the x coordinate of an (x, y) coordinate pair. As is common practice in Vigenère ciphers, Sanborn also used a modified alphabet for the offset: in this case, KRYPTOSABCDEFGHIJLMNQUVWXZ, which he engraved into the sculpture.
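An added example, not taken from the article or from Sanborn's charts, of a Vigenère tableau built on the engraved alphabet. It assumes the usual tableau convention (each row is the keyed alphabet rotated to start at the key letter, so the alphabet's first letter counts as offset 0); the function names and the test word are constructed.

```python
import string

def keyed_alphabet(keyword):
    """Keyword letters first (duplicates dropped), then the unused letters in order."""
    return "".join(dict.fromkeys(keyword + string.ascii_uppercase))

KRYPTOS = keyed_alphabet("KRYPTOS")  # reproduces the alphabet quoted in the article

def tableau_row(key_letter, alphabet=KRYPTOS):
    """One row of the tableau: the keyed alphabet rotated to start at key_letter."""
    i = alphabet.index(key_letter)
    return alphabet[i:] + alphabet[:i]

def encrypt(plain, key, alphabet=KRYPTOS):
    # Column = position of the plaintext letter in the header row (the keyed
    # alphabet); the ciphertext letter is read from the current key letter's row.
    return "".join(tableau_row(key[i % len(key)], alphabet)[alphabet.index(p)]
                   for i, p in enumerate(plain))

def decrypt(cipher, key, alphabet=KRYPTOS):
    # Find the ciphertext letter in the key letter's row; the header letter
    # above that column is the plaintext.
    return "".join(alphabet[tableau_row(key[i % len(key)], alphabet).index(c)]
                   for i, c in enumerate(cipher))

if __name__ == "__main__":
    word = "HELLO"  # constructed test word, not text from the sculpture
    secret = encrypt(word, "PALIMPSEST")
    print(KRYPTOS, tableau_row("P"), secret, decrypt(secret, "PALIMPSEST"))
```

Because the alphabet is engraved on the sculpture, each pile of letters under one key letter is still one of only 26 rotations of a known alphabet.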
Sanborn changed his method for K3, a 337-character ciphertext. Here he opted for a transposition cipher, in which he simply mixed up all the letters of the message as if it were a huge anagram. The jumbling in this type of cipher usually follows certain rules so that an intended recipient with a key can easily put the letters back in their rightful order. Cryptographers easily suspected that K3 was using this cipher. How? You guessed it: frequency analysis. The distribution of letters in the ciphertext matched what one would expect in a typical English text, suggesting that the letters had not been substituted, but simply mixed.
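The fingerprint that gives a transposition away can be measured directly. This added Python example (not from the article) compares the same plaintext under a transposition, a substitution and the SPY Vigenère cipher; the sample text, the column rule and the scrambled alphabet are all constructed, and K3's actual transposition rule is not assumed.

```python
from collections import Counter

# Constructed sample plaintext, assembled from sentences of this article.
SAMPLE = ("The distribution of letters in the ciphertext matched what one would "
          "expect in a typical English text, suggesting that the letters had not "
          "been substituted, but simply mixed. English has a distinct fingerprint. "
          "The drawback of a substitution cipher is that it leaves the structures "
          "of language intact.")

def letters(text):
    return "".join(c for c in text.upper() if "A" <= c <= "Z")

def index_of_coincidence(text):
    """Chance that two letters drawn from text are equal (English: about 0.066)."""
    n = len(text)
    return sum(c * (c - 1) for c in Counter(text).values()) / (n * (n - 1))

def etaoin_share(text):
    """Fraction of the text made up of English's six most common letters."""
    return sum(text.count(c) for c in "ETAOIN") / len(text)

def transpose(text, cols=7):
    # Constructed rule: write the text in rows of `cols`, read it out by column.
    return "".join(text[c::cols] for c in range(cols))

def substitute(text, scrambled="ZYXWVUTSRQPONMLKJIHGFEDCBA"):
    # Constructed scrambled alphabet: A becomes Z, B becomes Y, and so on.
    return text.translate(str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ", scrambled))

def vigenere(text, shifts=(19, 16, 25)):  # the article's key SPY
    return "".join(chr((ord(c) - 65 + shifts[i % len(shifts)]) % 26 + 65)
                   for i, c in enumerate(text))

def fingerprints(plain):
    """Map each cipher name to (index of coincidence, ETAOIN share)."""
    texts = {"plaintext": plain, "transposition": transpose(plain),
             "substitution": substitute(plain), "vigenere": vigenere(plain)}
    return {name: (round(index_of_coincidence(t), 4), round(etaoin_share(t), 3))
            for name, t in texts.items()}

if __name__ == "__main__":
    for name, (ic, share) in fingerprints(letters(SAMPLE)).items():
        print(f"{name:14} IC={ic:.4f}  ETAOIN={share:.3f}")
```

Transposition leaves both numbers untouched, substitution keeps the index of coincidence but moves the common letters elsewhere, and Vigenère flattens the distribution.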
At least three independent efforts have deciphered the first three Kryptos messages. Computer scientist Jim Gillogly announced that he had broken them using a computer in 1999. Only then did the CIA reveal that its analyst David Stein had solved all three by hand in 1998. And only then did the National Security Agency announce that a small internal team had conquered them in 1992.
K4 had resisted all attempts for 35 years. Perhaps Sanborn intentionally increased its complexity to reflect advances in cryptographic science since Vigenère’s time. Breaking modern cryptography in its own right would not simply amount to a smarter deployment of frequency analysis, but a revolution in our understanding of mathematics itself. This is because cutting-edge encryption hides information behind mathematical problems (such as factoring huge numbers) that are assumed to be unsolvable in a practical amount of time. Breaking encryption would mean finding a quick solution to these supposedly infeasible problems, an act that would overturn a fundamental assumption of modern mathematics.
This fall, Sanborn planned to auction off the solution to K4, an encrypted message beginning with “OBKR,” to free himself from the role of sole keeper of its secrets. The auction announcement referenced the original Smithsonian “coding charts.” Rather than actually decipher K4, journalists Kobek and Byrne requested access to the documents and found scraps of paper containing the plaintext of K4. On September 3, the duo emailed Sanborn with the solution.
Journalists discovering the answer to K4 in the Smithsonian archives is a perfect example of how hackers infiltrate 21st-century cryptography: through side doors. As far as anyone knows, the modern encryption that protects your emails and credit card purchases works when implemented correctly. Data breaches are rarely the result of hackers breaking encryption, but rather of the discovery of another weak link in the security chain. They run phishing scams to trick people into giving away their login credentials. They exploit a bug in a website’s code. In other words, they target the imperfect, forgetful and disorganized humans who use encryption. Discovering K4’s plaintext was like finding someone’s password scribbled on a Post-it note in their office. Some find this climax disappointing, but we might also see it as an apt metaphor for a work of art intended to honor cryptography throughout the ages.
This does not appear to be the artist’s point of view: Sanborn asked the journalists to sign NDAs. (They refused.) Those who still yearn for a puzzle are lucky, because the public doesn’t know what K4 says or how it was encrypted. No one fully understands the cryptic messages revealed by K1 to K3. Sanborn also confirmed the existence of a K5 in an open letter published last August. Code breakers have a lot to look forward to in the next era of Kryptos.



