In 1991, a programmer named Phil Zimmermann released a piece of software called Pretty Good Privacy. It let anyone encrypt a message so completely that no government, no corporation, no intelligence agency could read it without the key. He put it on the internet for free.

The United States government opened a criminal investigation.

The charge was arms trafficking.

Not metaphorically. Literally. The US State Department had classified strong encryption as a munition, in the same legal category as tanks, fighter jets, and missiles. Exporting it without a licence was a federal crime. Zimmermann had put PGP on a public server. People outside the US had downloaded it. As far as the government was concerned, he had shipped weapons across borders.

The investigation ran for three years. It was eventually dropped. But the message had been sent: mathematics, in the wrong hands, was considered a threat to national security.

They were right. It was. It still is. That is precisely the point.

what cryptography actually is#

Before the politics, the foundations.

Cryptography is the practice of securing information so that only the intended recipient can read it. The core mechanism is encryption, transforming readable data into unreadable noise using a mathematical key, and transforming it back using another key or the same one.

There are two fundamental models.

Symmetric encryption uses one key for both locking and unlocking. Fast and efficient, but with an obvious problem: how do you share the key with someone without someone else intercepting it? If you could share it securely, you probably did not need the encryption in the first place.

Asymmetric encryption also called public key cryptography, solves this. It uses two mathematically linked keys: a public key and a private key. What one encrypts, only the other can decrypt. You publish your public key everywhere. Anyone can use it to send you a message only you can read. You keep the private key secret. No secure channel required. Strangers can communicate privately on first contact.

This was not a small idea. It was a revolution.

Before public key cryptography, secure communication at scale required either physical key exchange, couriers, secure rooms, diplomatic bags, or trust in a central authority managing keys for everyone. Both were slow, expensive, and vulnerable. Asymmetric encryption eliminated both requirements. It gave cryptographic security to anyone with a computer.

The mathematics underneath this, elliptic curves, prime factorisation, discrete logarithms, is deep. What matters operationally is simpler: the private key never leaves your control. Everything else follows from that.

the cypherpunks and the war over encryption#

Zimmermann did not invent public key cryptography. That work was done in the 1970s by Whitfield Diffie, Martin Hellman, and independently by researchers at GCHQ whose work was classified for decades. But Zimmermann did something arguably more radical: he put it in civilian hands.

The context matters. In 1991 the internet was young and the surveillance apparatus was old. Governments had spent decades building systems for intercepting communications, phone taps, mail interception, signals intelligence. All of it assumed that the cost and complexity of strong encryption put it out of reach for ordinary people. Zimmermann proved that assumption wrong.

He was not alone. Around the same time, a loose network of mathematicians, programmers, and activists had formed around a mailing list. They called themselves cypherpunks. Their core belief was simple and radical: privacy is not a privilege granted by governments. It is a right asserted through mathematics. Code, not law, is the only reliable guarantor of freedom.

Their manifesto, written by Eric Hughes in 1993, opens with a line that has not aged:

“Privacy is necessary for an open society in the electronic age.” - Eric Hughes, A Cypherpunk’s Manifesto, 1993

The cypherpunks understood something that most people still do not: the default state of networked infrastructure is surveillance. Every unencrypted message is a postcard. Every unencrypted connection is a conversation in a crowded room. Encryption is not paranoia. It is the only rational response to how networks actually work.

The US government understood this too, which is why they fought it. The Crypto Wars of the 1990s, the legal battles, export restrictions, and political pressure campaigns to keep strong encryption out of civilian hands, were not about terrorism or crime. They were about control. An encrypted world is one where governments cannot read everything by default. That is not a bug. That is the feature.

Zimmermann won. The criminal investigation was dropped in 1996. Export restrictions on encryption were eventually relaxed. PGP became a standard. The cypherpunks’ ideas became the infrastructure of the modern internet.

secure communication | the most obvious case#

The first and most visible victory of cryptography in civilian life is secure communication.

When you send a message on Signal, end-to-end encryption means that only you and the recipient hold the keys. Signal itself cannot read your messages. A court order served to Signal produces nothing useful. The message exists, encrypted, on your device and theirs. The key exists nowhere else.

This is what Zimmermann built PGP to do for email in 1991. The principle is identical. The implementation has improved. The stakes have not changed.

Email without encryption is a postcard. Your provider reads it. Every server it passes through can read it. Any intelligence agency with access to those servers can read it. This is not hypothetical, it is how mass surveillance programmes like PRISM worked. They did not break encryption. They went around it, to the unencrypted data sitting on servers.

The lesson is not that encryption is unbreakable. It is that unencrypted communication offers no protection at all, and encrypted communication raises the cost of surveillance from near-zero to genuinely difficult. That difference matters.

GPG, GNU Privacy Guard, is the direct descendant of Zimmermann’s PGP. Older, less convenient, and more powerful than Signal. It works for email, files, code signatures, and identity verification. It is the right tool when you need cryptographic proof, not just a private conversation.

secure web | the infrastructure you use every day#

The padlock in your browser’s address bar is cryptography. Every time you connect to a website over HTTPS, your browser and the server perform a handshake using asymmetric encryption, agree on a shared session key, and switch to symmetric encryption for the actual data transfer. This happens in milliseconds, invisibly, billions of times a day.

Without it, every login, every bank transfer, every private search, every message sent through a web interface would be transmitted in plaintext across networks you do not control. Your internet provider could read it. Anyone operating a router between you and the server could read it. The entire commercial internet, the one built on logins, accounts, and private data, would be impossible.

TLS, the protocol underlying HTTPS, is one of the most consequential pieces of software ever written. It is also almost entirely invisible. Most people have never thought about it. They click the padlock, see the green, and move on. The cryptography does its work underneath.

Certificate authorities, the organisations that issue the certificates that make HTTPS work, are the weak point in this system. They are trusted third parties, which means they are single points of failure and potential coercion. Governments have pressured certificate authorities. Certificate authorities have been compromised. The trust model is not perfect.

But imperfect cryptographic trust is still vastly better than no cryptography at all. The web as a platform for private communication, commerce, and organisation exists because of TLS. It is easy to take for granted. It should not be.

cryptocurrency | trust replaced by proof#

The most radical application of cryptography in recent decades is also the most misunderstood.

Strip away the speculation, the memes, the market cycles, and the noise. At its core, Bitcoin, and the broader idea of cryptocurrency, is a cryptographic proof system for ownership and transfer of value. No bank. No government. No trusted intermediary. Just mathematics.

Here is the foundational idea. In traditional finance, you trust a bank to maintain a ledger saying you own a certain amount of money. The bank can freeze your account, reverse transactions, comply with government orders, or fail entirely. Your ownership is contingent on their cooperation.

In Bitcoin, ownership is proved cryptographically. Your Bitcoin is controlled by a private key, a number only you hold. To spend it, you sign a transaction with that key. The signature can be verified by anyone on the network without revealing the key itself. No permission required. No intermediary to comply with a freeze order. The math is the bank.

This is directly descended from the cypherpunk tradition. Hal Finney, one of the first people to receive a Bitcoin transaction, was a cypherpunk. Wei Dai, whose b-money proposal influenced Satoshi Nakamoto’s design, was on the cypherpunk mailing list. The connection is not incidental, Bitcoin is applied cypherpunk philosophy. Cryptographic sovereignty over value, not just over messages.

The private key in a Bitcoin wallet works exactly like the private key in a GPG keyring. Same mathematics, same principle, same responsibility. Lose the key, lose access. Share the key, lose control. The key is not a password that can be reset. It is proof of ownership. There is no recovery mechanism because there is no trusted party to recover from.

This is simultaneously the most powerful and most demanding aspect of the system. Self-custody of a Bitcoin private key is ungovernable in the same way a TAZ is ungovernable, not because it defies the law, but because it operates outside the systems the law was built to control.

Bitcoin was the proof of concept. What followed, Ethereum, smart contracts, decentralised finance, extended the same cryptographic principles into programmable trust.

beyond the three | an expanding landscape#

These are three of the most visible applications. The same mathematics underlies code signing, digital identity, secure voting, and almost every system that needs to establish trust without a central authority. These are topics I will be returning to, because the same tools governments once tried to ban are now being studied by those same governments as instruments of control. Central bank digital currencies, digital identity frameworks, programmable money with conditions attached.

Cryptography is neutral. The question is always who holds the keys, and who decides who gets to hold them.

the common thread#

Secure communication. Secure web. Cryptocurrency. Three different applications, one underlying idea.

Cryptography transfers power from institutions to individuals. It makes certain guarantees, privacy, authenticity, ownership, that do not depend on trusting a third party. The mathematics does not care who you are, what you believe, or what a court order says. If you hold the key, you hold the power.

This is why governments in the 1990s classified encryption as a weapon. It is why export controls were fought over for a decade. It is why the Crypto Wars never really ended, they just moved to new battlegrounds. Backdoors in encryption standards. Pressure on tech companies. Surveillance of metadata when content is protected.

The weapon they tried to ban is now the foundation of the internet, the mechanism of global commerce, and the infrastructure of financial sovereignty. It did not win through legislation or political advocacy. It won because mathematicians put it in the public domain and programmers put it in the hands of anyone who wanted it.

Phil Zimmermann uploaded a file to an FTP server in 1991. The government called it arms trafficking.

He was right to do it. They were right to be afraid.