Endeavors great and small hinge on secrets, which computers are apt to spill. Whether you're smuggling moonshine or mifepristone, whether you're unionizing baristas or rousing insurrectors, whether you're a tech CEO conspiring to cap coder compensation or a CIA director coordinating a clandestine cuddle in a pile of classified papers—computers privy to your counsels could betray you. This episode of Drill Bits reviews the art of keeping computers in the dark as they handle your secrets, including a few tricks that deserve more attention than they get. Grab pencil & paper and use the example code only to check your practice work.

Ordinary people routinely store and transmit their secrets via computers, trusting the computers to keep those secrets. Such misplaced trust can have no basis other than ignorance or wishful thinking. The mere fact that computers and software are designed, implemented, and transported by large groups of total strangers, coupled with the fact that computers are too complex to be audited by users directly, is ample cause for concern. More importantly, all parties with influence over the matter—the tech industry, national police and intelligence services, and snoops equipped with modern spyware—agree that it should be impossible for ordinary people to keep secrets.

"Give me six lines written by the most honest man, and I will find therein cause to hang him."

— Cardinal Richelieu

"Collect it all."

— Keith Alexander, NSA Director 2005-2014

— Cardinal Richelieu

"Collect it all."

— Keith Alexander, NSA Director 2005-2014

The tech sector's dominant business model abhors privacy, feasting on the most intimate details of users' lives^{37} and enticing users to place indelible records of their words, deeds, and plans beyond their own control but within reach of adversaries—folly that begs for ridicule.^{24} Hundreds of 6th January revelers have learned the hard way that on Internet platforms, “delete” buttons don't work but subpoenas do.^{17} The mighty as well as the masses have lost control over their secrets: CIA Director David Petraeus password-protected the online account where he slipped love notes to the mistress he'd charmed with gifts of highly sensitive documents, but passwords don't stop the FBI.^{12,26}

"There's a sucker born every minute."

— P.T. Barnum

— P.T. Barnum

Computerized encryption can't protect secrets if the basic problem is not cleartext but computers, whose allegiance users cannot audit. For example, “hardened” encrypted phone networks, once fashionable in the underworld, have lately incarcerated their users en masse after European police infiltrated their data centers and effectively commandeered the networks wholesale.^{8} Not to be outdone, American and Australian police designed the ANOM encrypted phone network from scratch to trap credulous crooks; ANOM simply forwarded users' plaintext messages to the police. Crackdowns on encrypted phones have led to thousands of arrests, but they target more than crime: The prosecutor who led ANOM candidly boasted that the sting will destroy trust in the very possibility of private telecommunications.^{8}

Compromised computers and placebo cryptography aren't just for gullible gangsters. They're for everyone, which should surprise no one. Incentives to implant or discover vulnerabilities in computer systems are enormous, and the cost to users of auditing the quality and loyalty of such systems is prohibitive. Ken Thompson devoted his Turing Award lecture to reminding us that installing backdoors is easy but finding them is nearly impossible. “The moral is obvious. You can't trust code that you did not totally create yourself.... No amount of source-level verification or scrutiny will protect you from using untrusted code”.^{35}

Whether deliberate or inadvertent, vulnerabilities abound in both hardware and software, with predictable consequences. An NSA employee claimed decades ago that “real systems are so insecure that they never need to bother” with cryptanalysis.^{31} NSA early retiree Edward Snowden recently echoed this remark with less exaggeration.^{1} The NSA actively maintains the convenient status quo, working with tech vendors to keep their wares penetrable and forestalling inconvenience from modern cryptography by steering crypto standards to facilitate cracking.^{1,16,36} Meanwhile foreign spies ransack U.S. government systems that NSA expertise supposedly protects.^{19,29}

"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards—and even then I have my doubts."

— Gene Spafford

— Gene Spafford

Looting secrets from computers isn't just for tech giants and well-heeled spy agencies. Commercial spyware such as Pegasus opens the game to ever more snoops.^{25} No one's secrets are safe. Recent hackees include Jeff Bezos, a billionaire with legions of security experts in his employ,^{5} and security firm Kaspersky.^{15} Targeted attacks on the posh and Orwellian surveillance for the rest of us both begin with the same fatal mistake: trusting computers to keep secrets.

The surest way to avoid harm from computers is to refrain from using them. For example, the coven of tech titans that covertly conjured an anticompetitive anti-poaching pact tried to “keep it verbal” to preclude incriminating e-mail trails.^{13} A less radically Luddite strategy is to use computers in such a way that they cannot achieve nefarious ends, try as they might. For example, manually auditable voter-marked paper ballots allow machines to quickly tally preliminary election results without letting them pick the final winners.^{14,33} Similarly, protecting secrets does not require renouncing computers entirely. We simply must prevent computers from seeing secrets or the cryptographic keys that conceal them.

Encrypting a plaintext secret using a secure paper-and-pencil method yields ciphertext that may safely be stored or transmitted via computer—but only if no mistakes are made. As with other modes of cryptography, ignorance and carelessness with manual ciphers have filled many a grave and dungeon.^{3} Manual cryptography is tedious and requires iron discipline.

What do we get in return? Secrecy guarantees take several forms. Best is *perfect secrecy*: mathematical proof that no amount of cleverness or computational power can decrypt ciphertext without the key. Second-best is a provable exorbitant lower bound on the work required to defeat a cipher. Absent such a bound, we may settle for proof that cracking a cipher is tantamount to solving a problem widely believed (although not proven) to be difficult. Finally, sometimes we can say only that experts have scrutinized a cipher, but none have published a way to break it—whereupon we should compare the rewards of public disclosure with the price newfound weaknesses fetch on the underground market, as we do with software exploits.^{7} Cryptography textbooks formally define secrecy and formally characterize ciphers.^{2,6}

The manual techniques we'll review below offer gold-standard perfect secrecy with venerable and intuitive proofs. They're easy to teach to ordinary people, requiring only patience and compliance with a handful of rules. Their laboriousness de-bloviates messages. Like computerless computation,^{11} manual cryptography inspires creative resourcefulness and focuses attention on essentials. More importantly, in a world where trustworthy computers are as plentiful as horse feathers, manual cryptography is the only way to guarantee confidential long-distance communication with your bookie, priest, attorney, or mother.

Every literate person should learn the simplest secure cipher: the one-time pad. Computer implementations typically employ bitwise XOR on bit strings, but the best variant for paper & pencil operates on a larger numeric alphabet; examples below use `A=0`

, `B=1`

, ..., `Z=25`

. Imagine these letters arranged in a circle with `A`

adjacent to `Z`

. We add or subtract equal-length strings character-wise *without* carry or borrow, wrapping `Z`

to `A`

in both directions. For example, `HI+YO=FW`

, because `H=7`

plus `Y=24`

equals `31`

, which mod 26 wraps to `F=5`

, and independently `I=8`

plus `O=14`

equals `W=22`

.

To encrypt a plaintext message, subtract from it a random key string; to decrypt ciphertext, add the key. For example, to encrypt `HELLO,`

generate a random key, say, `WUJYD`

, and subtract: `HELLO−WUJYD=LKCNL`

. Subtraction wraps backwards (e.g., `H=7`

minus `W=22`

equals `−15`

, which wraps to `L=11`

). Decryption adds key `WUJYD`

to ciphertext `LKCNL`

, which recovers the original plaintext. Try it by hand. The example code tarball includes a little program to check your work.

The one-time pad demands rigid adherence to inflexible rules; deviation voids the perfect-secrecy warranty. A key must be as long as the message it encrypts and must be truly random. Pseudo-random keys won't do, nor keys that admit succinct description, such as ranges of digits from `π`

or `√2`

. Flipping fair coins, rolling fair dice, and drawing lettered beads from a well-stirred bowl are reasonable ways to generate keys. Keys must never be reused, because a “two-time pad” is easy to break.^{6} Key reuse has killed spies; read about the VENONA intercepts.^{3} Finally, of course, keys must never fall into enemy hands. Destroy keys after use.

Cryptography texts formally prove that the one-time pad guarantees perfect secrecy.^{2,6} Intuitively, encryption independently maps each plaintext character to a ciphertext character, which may be any character of the alphabet with equal probability. The ciphertext is therefore as random as the key, so the ciphertext alone contains no information about the plaintext—except its length and its existence. These latter aspects won't enlighten eavesdroppers if all messages are padded to an uninformative standard length and dummy messages are regularly sent to foil traffic analysis.

One-time pads enable memorable shenanigans. For example, a ciphertext receiver who fears that an eavesdropper will demand decryption can plan accordingly. A ciphertext arrives, `HYVSEOTIPYLU`

. Following protocol, the recipient destroys the real key immediately after decryption, but then subtracts the ciphertext from an innocuous fake message to create a new fake key: `ILOVEPUPPIES−HYVSEOTIPYLU=BNTDABBHAKTY`

. When the eavesdropper knocks, wanting to know the meaning of `HYVSEOTIPYLU`

, our hero smiles innocently and produces the fresh-minted fake key `BNTDABBHAKTY`

. The eavesdropper decrypts `HYVSEOTIPYLU+BNTDABBHAKTY=ILOVEPUPPIES`

. Real spies have used this trick.^{31}

Another ruse comes from the voyages of the star ship *Enterprise*. Captain Kirk pulled the wool over Romulan eyes by transmitting misinformation encrypted with an obsolete cipher that he knew the Romulans had broken.^{34} For the same hoax with a one-time pad, “accidentally” re-use a key—a common rookie error and a plausible act of desperation when key material runs out. Attentive eavesdroppers detect re-use and exploit it to decrypt messages,^{3} which will be especially easy if the sender intends them to do so.

An active attacker who can modify ciphertext in transit can play tricks of his own, because the one-time pad guarantees neither integrity nor authentication: Altered ciphertext will decrypt to *something*, and the intended recipient might not notice the changes. Furthermore, the one-time pad is “malleable” in the sense that attackers can sometimes predictably change messages *without* decrypting them,^{6} particularly if attackers know or guess message formats. For example, consider a message that instructs the recipient to follow one of several prearranged plans. The sender encrypts the plaintext: `PLAN`

. An attacker intercepts the ciphertext and correctly guesses that the last character is the punch line. Despite not knowing which plan is indicated, the attacker can trick the recipient into following a different plan by incrementing the last character of the ciphertext: **B**−JCHHP=GJTGM`GJTG`

. The attacker forwards the modified ciphertext to the recipient, who decrypts to obtain misinformation: **M**→GJTG**N**`GJTGN+JCHHP=PLAN`

. **C**

Here's a simple integrity mechanism that does *not* work: The sender appends to plaintext a single-character *check digit *^{10} equal to the sum mod 26 of all plaintext characters. If the message is `PLANB`

then the check digit is `(P=15)+(L=11)+(A=0)+(N=13)+(B=1)=40`

, which wraps mod 26 to `O=14`

. The sender appends the check digit and encrypts: `PLAN`

. If the attacker knows that the check digit is the last character of a message, he simply increments it to match his changes to the rest of the ciphertext. In our example, **BO**−KETNIE=FHHATK`FHHA`

becomes **TK**`FHHA`

. The recipient decrypts the message: **UL**`FHHAUL+KETNIE=PLAN`

, whose doctored check digit **CP**`P`

incorrectly indicates that the message has not been altered. This example shows that while a simple integrity mechanism might flag accidental mutilation of ciphertext in transit, a shrewd attacker might outwit it.

If an active attacker somehow knows the entire plaintext message, he can recover the key from intercepted ciphertext and use the key to encrypt an arbitrary forged message. For example, on Valentine's Day the attacker expects `ILOVEYOU`

and intercepts `GJKIAUOV`

. He subtracts to recover the key: `ILOVEYOU−GJKIAUOV=CCENEEAZ`

. Now the attacker can encrypt a forged message, `YOUSTINK−CCENEEAZ=WMQFPENL`

, which he passes along to the soon-to-be-heartbroken intended recipient.

The simplest active attack, of course, is simply to corrupt messages in transit, hoping that each of the communicating parties blames the glitches on the other's cryptographic incompetence. Perhaps if they become frustrated they'll fall back on cleartext.

Good paper-and-pencil authentication and integrity mechanisms for the one-time pad are beyond the scope of this column. For now, infer from the foregoing examples that secrecy alone isn't a panacea if active attacks are possible (see page 151 of Barak^{2}). Keep in mind, however, that the prospects for active attack vary with the communications medium. For example, ciphertext spoken during a videoconference, broadcast by radio,^{23} or printed in hardcopy newspaper ads^{3} may be harder to alter undetectably than email or postal mail.

To appreciate the full versatility of the one-time pad, view it as a way to *split* a string into pieces. Rejoining all pieces recovers the string, but no proper subset of the pieces betrays information about it. Earlier we split `HELLO`

into `WUJYD`

and `LKCNL`

. We can further split these two pieces. To split `WUJYD`

we generate a random string and subtract: `WUJYD−TVHTU=DZCFJ`

. Similarly, `LKCNL−OOFTW=XWXUP`

. The four resulting pieces sum to the original plaintext: `TVHTU+DZCFJ+OOFTW+XWXUP=HELLO`

. Splitting allows us to store pieces of a secret in multiple locations or transmit them via different routes. All is well provided the good guys can lay hands on all pieces and the bad guys miss at least one.

Splitting a secret is risky because losing a single piece makes reconstruction impossible. Fortunately, Shamir devised a more forgiving way to decompose a secret into *shares*, subsets of which suffice to recover the secret.^{32} The general intuition is that

points in the two-dimensional plane uniquely determine a polynomial of degree *k*

; furthermore, we may evaluate a polynomial at more than *k*−1

points. For example, if we pick a handful of distinct points on a line, any two of the points determine the line. We'll walk through a special case of Shamir sharing that keeps the math simple. *k*

Like the one-time pad, sharing operates on each digit of a secret independently, so we'll explain how to share a single digit; to share a longer secret, simply apply the same procedure to each digit. Our “alphabet” for sharing is the digits `0`

through `6`

, because we use arithmetic modulo the prime number `7`

. Two base-`7`

digits can encode all of the keys on a standard keyboard.

To share a plaintext secret digit

we'll use the function *M*

where *F*(*x*)=(*M*+*R*·*x*) % 7

is a random digit and “*R*

” is the remainder operator. Both *%*

and *M*

lie in the range *R*`[0..6]`

, as does

evaluated at any integer *F*

. We compute shares by evaluating *x*>0

at several distinct integer values of *F*

. A single *x*`(`

pair reveals nothing about the secret digit *x*,*F*(*x*))

, but interpolating any two such pairs recovers *M*

. *M*

Beware modulo bias^{20} when generating

, which must assume one of *R**seven* values with equal probability. Tossing a coin three times or rolling an octahedral die yield *eight* possible outcomes, one of which must be discarded. Resist the temptation to use all eight, e.g., by taking remainders modulo 7, because that would make one

value more likely than the others. Modulo bias arises naturally in many contexts, and programmers must learn to spot it in lazy code such as *R*`“rand() % N.”`

This column's example code tarball includes a little program that showcases the peril of modulo bias.

Table 1 evaluates

at *F*

from *x*`1`

through `6`

for all combinations of secret digit

and random digit *M*

. For example, the table entry flagged with triple asterisks on the upper right shows that when *R*

and *M*=4

, evaluating the function at *R*=3

yields *x*=6`F(6)=(4+3·6) % 7=1`

. The

table is not a secret, and it's small enough to compute by hand if you don't trust a computer to do it.*F*

By inspecting Table 1 we can confirm that a single `(`

pair betrays no information about secret *x,F*(*x*))

. For example, say the enemy has learned *M*

. That narrows the possibilities to the rows indicated by single asterisks, which cover all values of *F*(3)=5

and which are equally likely. The enemy remains clueless about *M*

. *M*

Two `(`

pairs, however, determine *x,F*(*x*))

because exactly one row is consistent with them. For example, *M*

and *F*(1)=2

together imply *F*(2)=6

because only the row flagged with double asterisks is consistent with these points.*M*=5

Shamir's general approach allows us to divide a secret into as many shares as we please and require whatever quorum we please for recovery. Like the one-time pad, secret sharing with pencil and paper is tedious, but the payoff is a strong secrecy guarantee.

Bauer surveys the long history of cryptography.^{3} Rogaway argues that because this science “rearranges power” it has political and moral dimensions;^{28} in contrast, Lehrer sings the praises of purportedly apolitical technocracy.^{18} Greenwald documents mass surveillance in light of Snowden's revelations.^{16} Barak^{2} and Boneh & Shoup^{6} mathematically formalize cryptography. Much of modern cryptography relies on computers, but several extraordinary techniques do not. Examples include an untraceable broadcast mechanism,^{9} a stream cipher that uses playing cards,^{30} Visual Cryptography^{22} (see sidebar), and zero-knowledge proofs for the top search problem of the 1990s.^{21}

Grab the example code tarball at https://queue.acm.org/downloads/2023/Drill_Bits_10_example_code.tar.gz. You get a mod-26 arithmetic program, a mechanical mod-26 calculator disc kit, a script that generates Table 1, a program to create random-dot stereograms, and a program that illustrates modulo bias. Keep all of this code away from your secrets!

1. Can your car's computers be remotely commandeered for eavesdropping or other mischief? Read the vehicle's end-user license agreement and see Berghel.^{4}

2. How quickly can you generate keys for a one-time pad? Does it help to roll a 30-sided die (avoiding modulo bias)? Is it faster to shuffle labelled cards or draw labelled beads from a bowl? How quickly can you encipher/decipher messages?

3. Compare the prison terms of “encrypted” phone users^{8} with the time it would have taken them to protect their secrets via manual encryption. Make reasonable assumptions about the volume of their communications, and include the time required to generate and securely exchange keys. What's the break-even point where taking the time for crypto by hand equals doing the time for the crime?

4. Modify the mod-26 arithmetic program to handle a larger alphabet.

5. Detective Fabriqué has intercepted a message to a usual suspect: `DCLZZH`

. How can the detective compute a one-time pad key to “find” on the suspect such that the message decrypts to `MURDER`

?

6. Are active attacks on the one-time pad more difficult if plaintext is randomly rotated (“Russian copulation”^{3}) or randomly permuted prior to encryption? What if a check digit is stored at a secret random offset in the plaintext?

7. Do we need Table 1 to recover

from two *M*`(`

pairs? Can we use the familiar interpolation formulas *x,F*(*x*))

and *R=*(*y*_{2}−*y*_{1})/(*x*_{2}−*x*_{1})

, or does the mod-7 arithmetic in *M=y*_{1}−*R·x*_{1}

somehow preclude their use? Prove that the formulas still work or show a case where they don't. Hint: Read about multiplicative inverses in prime fields.*F*()

8. Does secret-sharing still provide perfect secrecy if we skip arithmetic modulo a prime? Create a modified version of Table 1 but without taking remainders modulo 7 and see if a single `(`

pair can leak information. *x,F*(*x*))

9. Send a random-dot stereogram message to your friends (see sidebar on the next page and example code). Can they read it?

One-time pads with pencil and paper are tedious. Naor and Shamir devised Visual Cryptography to make computerless decryption quick and easy.^{22} In the simplest original variant of Visual Cryptography, both key and ciphertext are two-dimensional arrays of tiny 2×2 checkerboards. Each checkerboard represents a bit:

The random key is printed on transparent plastic; ciphertext is printed on paper. Placing the key over the ciphertext renders plaintext visible: A zero checkerboard atop a one, or vice versa, makes a dark square. However, zero over zero, or one over one, makes a half-dark square. Thus, the exclusive-OR of ciphertext and key—the plaintext image—appears in the eye of the beholder. A Visual Cryptography one-time pad provides perfect secrecy in the same sense as any other one-time pad, and it requires neither a computer nor manual fuss at the receiving end.

Visual Cryptography doesn't eliminate every disadvantage of the one-time pad. For example, producing the key and encrypting a message might still rely on computers. But Visual Cryptography mitigates a major pain point in a delightfully creative way.

A different encoding scheme eliminates the need for transparent printouts. We generate a key of random dots and encode ciphertext by creating a random-dot stereogram^{27} that displaces regions of the key corresponding to plaintext characters. Figure 1 shows a random-dot stereogram of the word “`KITTENS`

” set vertically in an angular custom font. The left-hand pattern is the key, and the right-hand side is the ciphertext. Let your gaze converge well beyond the figure so that the halves superimpose, which should make the letters visible.

Compared with the original Visual Cryptography, the random-dot stereogram approach seems more profligate with key material, because the amount of information conveyed per pixel seems lower. On the positive side it doesn't require transparent plastic and it works with ciphertext displayed on a computer screen juxtaposed with a key printed on paper if the former is sized appropriately.

David Lehavi, Ben Reed, and Brendan Weickert reviewed an early draft of this column, and Kevin O'Malley reviewed the example code. All provided valuable feedback.

[1] Ball, J., Borger, J., and Greenwald, G. 2013. Revealed: how US and UK spy agencies defeat internet privacy and security. *The Guardian*, https://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security.

[2] Barak, B. 2021. An Intensive Introduction to Cryptography. https://intensecrypto.org/public/index.html and https://files.boazbarak.org/crypto/lnotes_book.pdf.

[3] Bauer, F.L. 2000. Decrypted Secrets. Springer, second edition. ISBN 3-540-66871-3. See p. 26 regarding print newspapers.

[4] Berghel, H. 2019. Vehicle telematics: The good, bad and ugly. IEEE Computer, 52(1):66–70. https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8666649.

[5] Jeff Bezos phone hacking incident. 2023. https://en.wikipedia.org/wiki/Jeff_Bezos_phone_hacking_incident.

[6] Boneh, D. and Shoup, V. 2023. A Graduate Course in Applied Cryptography. https://toc.cryptobook.us/book.pdf.

[7] Brandom, R. 2016. Why can't Apple spend its way out of security vulnerabilities? The Verge. https://www.theverge.com/2016/8/26/12660800/apple-ios-security-bug-bounty-payouts.

[8] Caesar, Ed. 2023. Crooks' Mistaken Bet on Encrypted Phones. *The New Yorker*, 32–43, April 17, 2023. https://www.newyorker.com/magazine/2023/04/24/crooks-mistaken-bet-on-encrypted-phones.

[9] Chaum, D. 1988. The dining cryptographers problem: Unconditional sender and recipient untraceability. *Journal of Cryptology*, 1(1):65–75. HTML version available at http://www.cs.cornell.edu/People/egs/herbivore/dcnets.html.

[10] Check digit. 2023. https://en.wikipedia.org/wiki/Check_digit.

[11] Dewdney, A. K. 1984. On the spaghetti computer and other analog gadgets for problem solving. *Scientific American*, 250(6):19–26. The basics are explained at http://dataphys.org/list/dewdneys-analog-gadgets/.

[12] Dozier, K. and Yost, P. 2012. Petraeus shocked to hear of emails, associates say. Associated Press. https://web.archive.org/web/20121113030944/http://m.apnews.com/ap/db_289563/contentdetail.htm?contentguid=VOlvNjF4.

[13] Edwards, J. 2014. Emails Show Apple's Steve Jobs and Google's Eric Schmidt Allegedly Conspired to Screw Over Employees. *Business Insider*. https://www.businessinsider.com/apple-google-recruitment-emails-lawsuit-2014-1.

[14] Brennan Center for Justice. Securing the nation's voting machines: A toolkit for advocates and election officials, June 2018. https://www.brennancenter.org/sites/default/files/2019-08/Report_Securing__Voting_Machines.pdf.

[15] Goodin, D. 2023. The Spy Who Hacked Me: “Clickless” iOS exploits infect Kaspersky iPhones with never-before-seen malware; “Operation Triangulation” stole mic recordings, photos, geolocation, and more. https://arstechnica.com/information-technology/2023/06/clickless-ios-exploits-infect-kaspersky-iphones-with-never-before-seen-malware/.

[16] Greenwald, G. 2014. No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State. New York, NY: Metropolitan Books. ISBN 978-1-62779-073-4.

[17] Harris, M. 2023. The Panopticon v. the Capitol Rioters. IEEE *Spectrum*, 60(2):32–37, 46. https://ieeexplore.ieee.org/document/10040551/.

[18] Lehrer, T. 2000. “Werner von Braun.” Originally from *That Was the Year That Was* (1965). Also available on *The Remains of Tom Lehrer*, Warner Bros. https://genius.com/Tom-lehrer-wernher-von-braun-lyrics and https://www.youtube.com/watch?v=QEJ9HrZq7Ro.

[19] Liptak, K. 2015. U.S. government hacked; feds think China is the culprit. Cable News Network. http://www.cnn.com/2015/06/04/politics/federal-agency-hacked-personnel-management/.

[20] Modulo bias. 2023. https://en.wikipedia.org/wiki/Fisher%E2%80%93Yates_shuffle#Modulo_bias.

[21] Naor, M., Naor, Y., and Reingold, O. 1999. Applied kid cryptography –or– how to convince your children you are not cheating. Paper: https://www.wisdom.weizmann.ac.il/~naor/PAPERS/waldo_abs.html. Talk: https://www.youtube.com/watch?v=L3AmP6IQLtg.

[22] Naor, M. and Shamir, A., 1994. Visual cryptography. In Proceedings of *EUROCRYPT*, volume 950 of *Lecture Notes in Computer Science*, 1–12. New York, NY: Springer. doi:10.1007/BFb0053419. https://www.cs.jhu.edu/~fabian/courses/CS600.624/NaorShamir-VisualCryptography.pdf

[23] Numbers stations. 2023. https://en.wikipedia.org/wiki/Numbers_stations.

[24] Onion News Network. 2011. CIA's “Facebook” program dramatically cut agency's costs. https://www.theonion.com/cias-facebook-program-dramatically-cut-agencys-costs-1819594988 and https://www.youtube.com/watch?v=ZJ380SHZvYU.

[25] Pegasus (spyware). 2023. https://en.wikipedia.org/wiki/Pegasus_(spyware).

[26] David Petraeus. 2023. https://en.wikipedia.org/wiki/David_Petraeus.

[27] Random dot stereogram. 2023. https://en.wikipedia.org/wiki/Random_dot_stereogram.

[28] Rogaway, P. 2016. The moral character of cryptographic work. https://web.cs.ucdavis.edu/~rogaway/papers/moral-fn.pdf. Based on an Asiacrypt 2015 talk.

[29] Sanders, S. 2015. Massive data breach puts 4 million federal employees' records at risk. National Public Radio. https://www.npr.org/sections/thetwo-way/2015/06/04/412086068/massive-data-breach-puts-4-million-federal-employees-records-at-risk.

[30] Schneier, B. 1999. The Solitaire Encryption Algorithm. https://www.schneier.com/academic/solitaire/. See also http://www.ciphergoth.org/crypto/solitaire/.

[31] Schneier, B. 2015. *Applied Cryptography*. Hoboken, NJ: Wiley, 20th anniversary edition. ISBN 978-1-119-096726. See Afterword by Matt Blaze for NSA quote and p. 228 for cover-message trick.

[32] Shamir, A. 1979. How to share a secret. *Communications of the ACM* 22(11):612–613. https://dl.acm.org/doi/10.1145/359168.359176.

[33] Simons, B. 2006. Statement of Barbara Simons for the Committee on House Administration Hearing on Electronic Voting Machines. https://www.acm.org/binaries/content/assets/public-policy/usacm/e-voting/testimony/simons_testimony.pdf.

[34] The Deadly Years (Star Trek episode). 2023. https://en.wikipedia.org/wiki/The_Deadly_Years.

[35] Thompson, K. 1984. Reflections on trusting trust [Turing Award lecture]. *Communications of the ACM* 27(8). https://dl.acm.org/doi/pdf/10.1145/358198.358210.

[36] *The New York Times*. 2013. Secret documents reveal N.S.A. campaign against encryption. https://www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html.

[37] Zuboff, S. 2019. The *Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power*. New York, NY: Public Affairs. ISBN 978-1-5417-5800-1.

**Terence Kelly** ([email protected]) enjoys a clandestine cuddle in a pile of classified papers.

Copyright © 2023 held by owner/author. Publication rights licensed to ACM.

*Originally published in Queue vol. 21, no. 4*—

Comment on this article in the ACM Digital Library