01 — Cryptography Timeline
Chronology of relevant milestones from the origins to today. Exact dates where known; "circa" when approximate. Negative milestones (breaks, incidents) marked with (broken) or (incident).
Antiquity (up to the 5th century AD)
| Date | Event |
|---|---|
| ~1900 BC | Non-standard hieroglyphs in the tomb of Khnumhotep II, Egypt — first known record of writing transformed to confuse the casual reader. Not cryptography in the modern sense; ritualistic obfuscation. |
| ~1500 BC | Mesopotamian tablets with a pottery formula in modified writing (proto industrial secret). |
| ~600 BC | Atbash — Hebrew cipher of reverse alphabet substitution (A↔Z, B↔Y…). Appears in the book of Jeremiah. |
| ~500 BC | Spartan scytale — rod of fixed diameter wrapped with a leather strip: transposition cipher. Attributed by Plutarch to Greek military use. |
| ~100 BC | Caesar cipher — Julius Caesar describes in De Bello Gallico the use of substitution with a fixed shift (classic: shift=3) in military correspondence. |
| ~50 BC | Augustus cipher — variant: shift=1, no wrap (Z stays Z, or becomes AA). |
| ~150 AD | Steganography documented by Herodotus (already earlier) and Aeneas Tacticus: invisible ink, messages on scalps, scraped tablets. |
| ~200 AD | Kama Sutra (Vatsyayana, India) lists 64 arts of the courtesan, including mlecchita-vikalpa (secret writing by substitution). |
Middle Ages and Arab world (8th–15th c.)
| Date | Event |
|---|---|
| ~800 | Al-Khalil ibn Ahmad al-Farahidi (Basra) writes Kitab al-Mu'amma — first known treatise on cryptanalysis by permutations. |
| ~850 | Al-Kindi publishes Risalah fi Istikhraj al-Mu'amma (manuscript of the House of Wisdom, Baghdad) — describes frequency analysis, the first systematic cryptanalysis technique. Breaks any monoalphabetic cipher. |
| ~1379 | Gabriele de Lavinde (Vatican) — first European nomenclator (substitution cipher + list of codes for common words). |
| 1466 | Leon Battista Alberti publishes De Cifris — proposes a polyalphabetic cipher disk (Alberti disk); father of Western cryptography. |
| 1518 | Johannes Trithemius publishes Polygraphia — tabula recta, basis of tabular polyalphabetic ciphers. |
| 1553 | Giovan Battista Bellaso publishes La cifra del Sig. Giovan Battista Bellaso — polyalphabetic cipher with a keyword (later misattributed to Vigenère). |
| 1586 | Blaise de Vigenère publishes Traicté des Chiffres ou Secrètes Manières d'Escrire — formalizes the cipher that would inherit his name (actually Bellaso's autokey/cipher). |
Early modern era (16th–19th c.)
| Date | Event |
|---|---|
| 1605 | Francis Bacon publishes a binary two-letter cipher (biliteral cipher) — embryo of binary in text encoding. |
| 1795 | Thomas Jefferson designs the Wheel Cypher (Jefferson disk) — 36 disks with scrambled alphabets; rediscovered and used by the US Army in 1922 as the M-94. |
| 1854 | Charles Babbage breaks the Vigenère cipher (does not publish). Friedrich Kasiski publishes an independent method in 1863 — the Kasiski test. |
| 1854 | Charles Wheatstone invents the Playfair cipher (promoted by Lord Playfair) — substitution by bigrams in a 5×5 square. Used by the British in the Boer War, WWI, and WWII tactical. |
| 1883 | Auguste Kerckhoffs publishes La Cryptographie Militaire — formulates the 6 Kerckhoffs principles, whose second became a maxim: "The system must remain secure even if everything about it, except the key, is public knowledge". |
| 1917 | Gilbert Vernam (Bell Labs) patents the XOR stream cipher with paper tape — basis of the One-Time Pad. |
| 1917 | William Friedman (Riverbank Labs, later US Army) — father of American cryptanalysis; introduces rigorous statistical methods. |
| 1917 | Zimmermann Telegram deciphered by the British Room 40 — a factor that precipitates US entry into WWI. |
| 1918 | Joseph Mauborgne (US Army) combines Vernam + a single-use random key = One-Time Pad with Shannon's later proof (1949) of perfect secrecy. |
Era of the machines (1918–1945)
| Date | Event |
|---|---|
| 1918 | Arthur Scherbius patents the commercial Enigma machine (Germany). |
| 1923 | The German Navy adopts Enigma; in 1926 the Wehrmacht follows; by 1945, dozens of variants (M3, M4 naval, etc.). |
| 1929 | Lester S. Hill publishes Cryptography in an Algebraic Alphabet — the Hill cipher, the first purely algebraic cipher (matrix multiplication modulo 26). |
| 1932 | Marian Rejewski (Polish Biuro Szyfrów) makes the first structural break of the military Enigma using permutation theory; creates the Bomba kryptologiczna. |
| 1939 | The Poles transfer their Enigma knowledge to the British and French (July, at Pyry). |
| 1939–45 | Bletchley Park — Alan Turing, Gordon Welchman, Hugh Alexander, Bill Tutte, Max Newman, and thousands of others. Continuous breaking of Enigma (Ultra) and of the Lorenz SZ40/42 (Tunny). |
| 1940 | Tommy Flowers designs the Colossus Mark 1 — first programmable digital electronic computer; used against Lorenz. Operational in December 1943. |
| 1940 | William Friedman + Frank Rowlett (US Signal Intelligence Service) break the Japanese Purple; codename Magic. |
| 1941 | Navajo code talkers — code spoken in Navajo used by marines in the Pacific (not cryptography, but ethnic security through obscurity that worked). |
| 1945 | Claude Shannon (Bell Labs) writes the classified memorandum A Mathematical Theory of Cryptography; declassified and published in 1949 as Communication Theory of Secrecy Systems (Bell System Technical Journal). Begins modern cryptography. |
Foundation of modern cryptography (1949–1975)
| Date | Event |
|---|---|
| 1949 | Shannon, "Communication Theory of Secrecy Systems" — defines perfect secrecy, proves that the OTP is the only perfectly secure cipher, introduces confusion and diffusion as design principles. |
| 1961 | Start of TEMPEST (NSA) — classified research on electromagnetic leakage from cryptographic equipment. |
| 1971 | Horst Feistel (IBM) publishes Block Cipher Cryptographic System — the Feistel structure, basis of DES, Blowfish, Twofish, Camellia. |
| 1973 | GCHQ (UK) — Clifford Cocks internally discovers an analog of RSA (declassified 1997). Malcolm Williamson formulates a DH analog. James Ellis had proposed "non-secret encryption" in 1969. |
| 1974 | IBM submits Lucifer (precursor of DES) to NBS (later NIST) in a competition for a federal standard. |
Public-key revolution (1976–1985)
| Date | Event |
|---|---|
| 1976 | Whitfield Diffie + Martin Hellman, New Directions in Cryptography (IEEE Trans. on Information Theory). Introduce the concept of public key and the Diffie-Hellman key exchange. Credit also to Ralph Merkle (Merkle's Puzzles, 1974). |
| 1977 | DES (Data Encryption Standard) standardized by NBS as FIPS 46 — 64-bit block, 56-bit key (after the NSA reduced it from the 64 proposed by IBM). |
| 1977 | Ron Rivest, Adi Shamir, Leonard Adleman publish A Method for Obtaining Digital Signatures and Public-Key Cryptosystems — RSA. Presented by Rivest in Martin Gardner's Mathematical Games column in Aug 1977; formal paper MIT/LCS Tech Memo 82, later CACM 1978. |
| 1979 | Adi Shamir publishes How to Share a Secret (CACM) — Secret Sharing with polynomials. |
| 1979 | Ralph Merkle publishes Secrecy, Authentication, and Public Key Systems (PhD Stanford) — Merkle trees, Merkle signatures (hash-based, basis of the modern SPHINCS+). |
| 1980 | Martin Hellman + Whitfield Diffie patent DH (US Patent 4,200,770; expires 1997). |
| 1983 | RSA Patent US 4,405,829 granted (expires September 2000). RSA Data Security Inc. founded in 1982. |
| 1984 | Taher ElGamal publishes an encryption and signature scheme based on the discrete log problem — the ElGamal cryptosystem and ElGamal signature (later generalized into DSA). |
| 1984 | Charles Bennett + Gilles Brassard publish BB84 — first quantum key distribution protocol. |
| 1985 | Neal Koblitz and Victor Miller, independently, propose Elliptic Curve Cryptography (ECC) — using groups of points on elliptic curves instead of \(mathbb{Z}_p^*\). |
| 1985 | Goldwasser, Micali, Rackoff publish The Knowledge Complexity of Interactive Proof Systems — zero-knowledge proofs. |
Maturation (1986–1999)
| Date | Event |
|---|---|
| 1989 | PGP 1.0 (Phil Zimmermann) — first popular encrypted e-mail tool; becomes PGP 2.0 in 1992 with IDEA, RSA, MD5. |
| 1991 | MD5 published by Ron Rivest (RFC 1321). |
| 1991 | DSA (Digital Signature Algorithm) proposed by NIST (FIPS 186) — a Schnorr/ElGamal variant. |
| 1992 | Whitfield Diffie publishes The First Ten Years of Public-Key Cryptography. |
| 1993 | Mihir Bellare + Phillip Rogaway introduce the Random Oracle Model (CCS '93). |
| 1993 | SHA-0 (FIPS 180) — quickly replaced by SHA-1 in 1995. |
| 1993 | Eli Biham + Adi Shamir publish Differential Cryptanalysis of the Data Encryption Standard — a method already developed in 1990; the NSA had known it since the 1970s (DES was designed to resist it). |
| 1993 | Mitsuru Matsui introduces linear cryptanalysis; breaks DES with 2^43 known plaintexts. |
| 1994 | Peter Shor publishes Algorithms for Quantum Computation: Discrete Log and Factoring (FOCS '94) — Shor's algorithm breaks RSA, DH, ECC if a large-scale quantum computer exists. |
| 1995 | SHA-1 (FIPS 180-1) published. |
| 1995 | SSL 2.0 published by Netscape. |
| 1996 | SSL 3.0 published. |
| 1996 | Lov Grover publishes a quantum algorithm that gives a quadratic speedup in search — implying symmetric keys would need to double for post-quantum resistance. |
| 1997 | NIST launches the AES competition (to replace DES). |
| 1997 | GCHQ declassifies the CocksWilliamsonEllis works on "non-secret encryption" (1969–1974). |
| 1998 | Daniel Bleichenbacher publishes Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1 — breaks TLS-RSA. The million-message attack. Returns to haunt as ROBOT in 2017. |
| 1998 | Paul Kocher, Joshua Jaffe, Benjamin Jun publish Differential Power Analysis — begins the modern era of side-channel attacks. (Kocher's timing attacks in 1996.) |
| 1998 | TLS 1.0 standardized (RFC 2246) — basically SSL 3.0 with minor changes. |
| 1999 | DES broken in 22 hours by the EFF Deep Crack (US$250k of hardware) + distributed.net. Confirms the 56-bit key is infeasible. |
AES era and standardizations (2000–2010)
| Date | Event |
|---|---|
| 2000 | NIST selects Rijndael (Joan Daemen + Vincent Rijmen) as AES (FIPS 197 published in 2001). 128-bit block, 128192256-bit keys. |
| 2001 | Niels Ferguson + Bruce Schneier publish Helix (later evolving into Phelix); a growing pattern of AEAD stream ciphers. |
| 2002 | Galois/Counter Mode (GCM) published by David McGrew + John Viega — an AEAD mode that becomes standard in TLS, IPsec, SSH. |
| 2002 | Bernstein publishes an AES timing attack demonstrating that the S-box table in cache leaks the key. |
| 2003 | Boneh-Franklin Identity-Based Encryption (IBE) made practical with pairings on elliptic curves. |
| 2004 | Wang Xiaoyun, Yiqun Lisa Yin, Hongbo Yu announce collisions in MD5, MD4, RIPEMD, HAVAL-128 (CRYPTO '04 rump session). MD5 effectively broken. |
| 2005 | Wang, Yin, Yu publish a theoretical attack on SHA-1 (263 operations for a collision; below the ideal 280). |
| 2005 | TLS 1.1 (RFC 4346). |
| 2005 | DJB (Daniel J. Bernstein) publishes Salsa20 (eSTREAM project). |
| 2006 | Start of the eSTREAM project (ECRYPT) — selects a portfolio of stream ciphers. |
| 2008 | Marc Stevens et al. demonstrate a chosen-prefix collision in MD5 — forges a fake SSL certificate. |
| 2008 | TLS 1.2 (RFC 5246). |
| 2008 | Satoshi Nakamoto publishes the Bitcoin whitepaper (Oct 2008); genesis block on Jan 3, 2009. |
| 2009 | Craig Gentry (PhD Stanford) publishes the first Fully Homomorphic Encryption (FHE) scheme based on ideal lattices. |
| 2010 | Bernstein publishes Curve25519 (2006 paper, popularized post-2010). |
Post-Snowden era (2011–2017)
| Date | Event |
|---|---|
| 2011 | BEAST (Browser Exploit Against SSLTLS) — Duong + Rizzo demonstrate CBC IV-prediction in SSL 3.0TLS 1.0. |
| 2012 | CRIME (Compression Ratio Info-leak Made Easy) — Duong + Rizzo. Leakage via TLS compression. |
| 2012 | Argon2 not yet — but scrypt (Colin Percival, 2009) and PBKDF2 dominate. |
| 2013 | Edward Snowden reveals NSA documents: the BULLRUN program (standards sabotage), DualECDRBG confirmed backdoored, EDGEHILL (GCHQ), interference in the IETF. |
| 2013 | Lucky Thirteen (AlFardan + Paterson) — timing attack on CBC-mode TLS. |
| 2014 | POODLE (Padding Oracle On Downgraded Legacy Encryption) — Möller, Duong, Kotowicz (Google) — forces a downgrade to SSL 3.0 and breaks padding. |
| 2014 | Heartbleed (CVE-2014-0160) — bug in the OpenSSL TLS heartbeat extension; leaks server memory. Discovered by Google + Codenomicon. |
| 2014 | FREAK (Factoring RSA Export Keys) — forces a downgrade to "export-grade" RSA 512-bit, breakable in hours. |
| 2014 | WireGuard begins development (Jason Donenfeld) with the Noise Protocol Framework and Curve25519. |
| 2015 | Logjam — DH 1024 downgrade with precomputation; feasible for a state actor (NSA-grade). |
| 2015 | Signal Protocol (X3DH + Double Ratchet) formally published (Marlinspike, Perrin). Adopted by WhatsApp in 2016. |
| 2015 | TLS 1.3 draft begins (finalized 2018). |
| 2015 | Let's Encrypt launched in production (Sep 2015) — ACME automation. |
| 2016 | NIST PQC competition announced (Jan 2017 calls for submissions; 69 initial proposals). |
| 2016 | DROWN — a cross-protocol attack that uses still-enabled SSLv2 on a server to break modern TLS on the same key. |
| 2016 | Sweet32 (Bhargavan + Leurent) — birthday attack on 64-bit block ciphers (3DES, Blowfish) in CBC/CTR modes with long traffic. |
| 2017 | SHA-1 practical collision — Google + CWI publish SHAttered (chosen-prefix; colliding PDF). |
| 2017 | ROCA (CVE-2017-15361) — flawed RSA key generation in Infineon chips used in smartcardsTPMsEstonian eID. Millions of keys breakable. |
| 2017 | KRACK (Key Reinstallation Attack) — Mathy Vanhoef breaks the WPA2 4-way handshake. |
| 2017 | ROBOT (Return Of Bleichenbacher's Oracle Threat) — Bleichenbacher 1998 attack still working on Cisco, Citrix, F5, IBM, Oracle servers. |
TLS 1.3 era and PQC migration (2018–present)
| Date | Event |
|---|---|
| 2018 | TLS 1.3 finalized (RFC 8446) — removes RSA key transport, MD5, SHA-1, RC4, CBC, compression; adds 0-RTT, mandatory ChaCha20-Poly1305, AEAD only. |
| 2018 | GDPR takes effect (May 2018) — demands adequate crypto for personal data. |
| 2018 | WireGuard merged into the Linux kernel (5.6, 2020), but the formal paper and public implementation date from 2017–18. |
| 2019 | EDNS Client Subnet privacy — concerns about DNS leak; DNS-over-HTTPS (DoH, RFC 8484) and DNS-over-TLS (DoT, RFC 7858) grow. |
| 2019 | NIST PQC Round 2 — 26 remaining candidates. |
| 2020 | NIST PQC Round 3 — 7 finalists + 8 alternates. |
| 2020 | Zerologon (CVE-2020-1472) — Kerberos/Netlogon: an AES-CFB8 implementation with a fixed IV allows zeroing a domain controller password. |
| 2021 | SIKE (Supersingular Isogeny Key Encapsulation) eliminated from PQC — Castryck + Decru break it in hours with classical mathematics (Jul 2022). |
| 2022 | NIST announces the first PQC winners: CRYSTALS-Kyber (KEM), CRYSTALS-Dilithium + FALCON + SPHINCS+ (signatures). Jul 2022. |
| 2022 | Apple iMessage Contact Key Verification announced — PQC basis. |
| 2023 | Signal announces PQXDH (Sep 2023) — replaces X3DH with a hybrid PQ layer (X25519 + ML-KEM). |
| 2023 | Apple iMessage PQ3 announced in Feb 2024 — Curve25519 + Kyber-1024. |
| 2024 | NIST publishes FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA) in Aug 2024. FALCON renamed to FN-DSA (FIPS 206 draft). |
| 2024 | Cloudflare + Google enable the X25519MLKEM768 hybrid in production TLS 1.3. |
| 2024 | Terrapin (CVE-2023-48795) — truncation attack on the SSH BPP. |
| 2025 | Mainstream PQC migration — CNSA 2.0 (NSA) requires software ML-KEM/ML-DSA by 2030, hardware by 2033. |
| 2025 | HQC announced by NIST as a second PQC KEM (Mar 2025) — a backup for ML-KEM in case lattice-based is broken. |
| 2026 | Current state: TLS 1.3 + ChaCha20-Poly1305 + X25519MLKEM768 hybrid is the recommendation. RSA, classic DH, ECDSA-P256 still dominant but migration active. |
Pending milestones (2026–2030+ expected)
- Mandatory PQC in CNSA 2.0 (NSA), eIDAS 2.0 (EU), new FIPS validations in 2026+.
- Cryptographically relevant quantum advantage — not expected before 2030; estimates vary (Google Quantum AI, IBM, IonQ, PsiQuantum, Quantinuum each with their own roadmaps).
- MLS (Messaging Layer Security) (RFC 9420, July 2023) gaining adoption as a replacement for the Signal Protocol for groups.
- TLS 1.4 / TLS-PQ drafts in progress.
- Schnorr signatures more widespread (Bitcoin Taproot activated Nov 2021; Ethereum moving in this direction).
- Practical FHE still 10–100× slower than plaintext computation; OpenFHE / Concrete / TFHE-rs maturing.
- Confidential Computing (SEV-SNP, TDX) becoming standard in the cloud (Azure, GCP, AWS Nitro). Remote attestation as contractual.
Cross-reference
- Technical detail of each algorithm: see files
04-symmetric.md,05-asymmetric.md,06-hash-and-mac.md,08-post-quantum.md. - Technical detail of each protocol: see
07-protocols.md. - Technical detail of each attack: see
11-attacks.md. - Biography of the people cited: see
12-people.md. - Contextual detail of the incidents: see
13-incidents.md.