From Caesar Shifts to Quantum-Safe Cryptography: What Ciphers Teach About Cybersecurity

Problem

I wanted to build a project that stepped away from infrastructure and focused on one of the foundations underneath cybersecurity: cryptography.

NIST defines cryptography as the discipline that uses principles, means, and methods to transform data so its meaning can be hidden, unauthorized use can be prevented, or undetected modification can be prevented [1]. That definition is useful because it keeps the topic grounded. Cryptography is not only about hiding a message. It is also about trust, integrity, keys, assumptions, and the limits of what a control can prove.

The question behind this project was simple: how did ciphers progress from shifting letters by hand to the quantum-safe systems now being standardized for future security?

I chose four checkpoints: Caesar, Vigenere, XOR, and quantum-era cryptography. Each checkpoint shows a different lesson about secrecy, patterns, key handling, attacker capability, and long-term planning.

Project Setup

I treated this as a visual learning project, not a software build. The goal was to explain each cipher clearly enough that a reader could understand the security idea without needing advanced mathematics.

The project includes a progression timeline, a Caesar shift example, a Vigenere keyword example, an XOR truth table with a binary example, a QKD-versus-PQC comparison, and a progression table.

I also included references at the end of the post. Cryptography writing can sound confident very quickly, so I wanted the technical and historical claims to be easy to check.

Figure 1. Cipher progression timeline.

What I Built

Caesar Cipher: fixed substitution

The Caesar cipher is a substitution cipher. Each plaintext letter is shifted by a fixed number of positions in the alphabet, and the same shift rule is used across the message [2][3].

In the example below, a shift of +3 turns ATTACK into DWWDFN. The visual is simple, but that is the point. It shows the basic structure of encryption: plaintext, a rule, a key, and ciphertext.

Caesar is important in cybersecurity because it shows why transformation alone is not enough. A fixed shift leaves structure behind, and a small key space gives an attacker very little to search.

Figure 2. Caesar cipher shift diagram.
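
The two weaknesses named above, structure that survives the shift and a key space of only 26 shifts, can be checked in a few lines of Python. This is an added example, not part of the original project; the function names are illustrative.

```python
import string

ALPHABET = string.ascii_uppercase

def caesar(text, shift):
    """Shift each A-Z letter by `shift` positions; other characters pass through."""
    return "".join(
        ALPHABET[(ALPHABET.index(ch) + shift) % 26] if ch in ALPHABET else ch
        for ch in text.upper()
    )

def all_candidates(ciphertext):
    """Decrypt under every possible key. The whole key space is 26 shifts."""
    return {shift: caesar(ciphertext, -shift) for shift in range(26)}

def letter_pattern(text):
    """Number letters by first appearance, e.g. ATTACK -> [0, 1, 1, 0, 2, 3]."""
    first_seen = {}
    return [first_seen.setdefault(ch, len(first_seen)) for ch in text]

if __name__ == "__main__":
    ciphertext = caesar("ATTACK", 3)
    print(ciphertext)
    # The repetition pattern of the plaintext is unchanged by the shift.
    print(letter_pattern("ATTACK") == letter_pattern(ciphertext))
    # Listing every candidate plaintext takes 26 decryptions.
    for shift, candidate in all_candidates(ciphertext).items():
        print(shift, candidate)
```

The double T and the repeated A in ATTACK show up as the double W and repeated D in DWWDFN, which is the structure a fixed shift leaves behind.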

Vigenere Cipher: hiding the pattern better

The Vigenere cipher moves the idea forward by using a keyword to change the shift from one character to the next. It is a polyalphabetic cipher, which means it uses more than one substitution alphabet instead of one fixed alphabet [4].

That change matters. A repeated keyword can hide patterns better than a single Caesar shift, but it does not remove patterns completely. Repeated structure can still become evidence.

The cybersecurity lesson is practical: more complexity can help, but it does not automatically make a design secure. A stronger-looking system still needs a realistic attacker model.

Figure 3. Vigenere cipher keyword diagram.
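
An added Python example (not part of the original project) showing how a repeated keyword leaves evidence: when the same plaintext recurs at a distance that is a multiple of the keyword length, the ciphertext repeats as well. The plaintext and the keyword KEY are constructed sample values, and the function names are illustrative.

```python
from collections import defaultdict

A = ord("A")

def vigenere(text, key, decrypt=False):
    """Shift the i-th letter by the i-th key letter; the key repeats. A-Z only."""
    sign = -1 if decrypt else 1
    out = []
    for i, ch in enumerate(text):
        k = ord(key[i % len(key)]) - A
        out.append(chr((ord(ch) - A + sign * k) % 26 + A))
    return "".join(out)

def repeat_distances(ciphertext, n=3):
    """For every n-gram seen more than once, list the gaps between occurrences."""
    positions = defaultdict(list)
    for i in range(len(ciphertext) - n + 1):
        positions[ciphertext[i:i + n]].append(i)
    return {gram: [b - a for a, b in zip(pos, pos[1:])]
            for gram, pos in positions.items() if len(pos) > 1}

# Constructed sample: "ATTACKAT" appears twice, 12 letters apart.
PLAINTEXT = "ATTACKATDAWNATTACKATDUSK"
KEY = "KEY"  # length 3, and 12 is a multiple of 3
CIPHERTEXT = vigenere(PLAINTEXT, KEY)

if __name__ == "__main__":
    print(CIPHERTEXT)
    # Every gap between repeated trigrams is a multiple of the key length.
    for gram, gaps in repeat_distances(CIPHERTEXT).items():
        print(gram, gaps, [gap % len(KEY) for gap in gaps])
    # A one-letter keyword is just a Caesar shift.
    print(vigenere("ATTACK", "D"))
```

With a one-letter keyword the cipher collapses back to Caesar, which is why the keyword length, not the apparent complexity, sets how much pattern is hidden.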

XOR: the bit-level bridge to modern stream-cipher thinking

XOR moves the conversation from letters to bits. NIST defines exclusive-OR as bitwise modulo-2 arithmetic with no carry [5].

The operation is small, but the idea is powerful. A plaintext bit can be combined with a key bit or keystream bit to produce ciphertext. When the matching keystream is applied again, the operation reverses.

That idea appears in real protocols. RFC 8439 describes ChaCha20 as generating a keystream and XORing that keystream with plaintext to produce ciphertext [6].

The security lesson is that bit-level operations can be elegant and efficient, but the surrounding design matters. Key reuse, nonce misuse, or keystream reuse can turn a strong idea into a weak implementation.

Figure 4. XOR bit-mixing diagram.
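
The reversal property and the keystream-reuse failure described above, as an added Python example that is not part of the original project. The keystream generator is a SHAKE-256 stand-in chosen so the block runs with the standard library only; it is not ChaCha20 or the RFC 8439 construction, and the key, messages, and class name are constructed for illustration.

```python
import hashlib

def keystream(key, nonce, length):
    """Stand-in keystream generator (SHAKE-256 over key || nonce), not ChaCha20."""
    return hashlib.shake_256(key + nonce).digest(length)

def xor_bytes(a, b):
    """Bitwise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))

def xor_cipher(key, nonce, data):
    """Encrypts or decrypts: applying the same keystream twice restores the input."""
    return xor_bytes(data, keystream(key, nonce, len(data)))

class CounterNonceSender:
    """Hardened sender: a per-key message counter means no nonce is used twice."""
    def __init__(self, key):
        self.key, self.counter = key, 0

    def send(self, plaintext):
        nonce = self.counter.to_bytes(12, "big")
        self.counter += 1
        return nonce, xor_cipher(self.key, nonce, plaintext)

# Constructed sample data (not from the original post).
KEY = bytes(range(32))
P1 = b"transfer 100 to alice"
P2 = b"transfer 900 to carol"

def reuse_leak():
    """Weak: both messages use the same nonce, so the keystream cancels out."""
    fixed = bytes(12)
    return xor_bytes(xor_cipher(KEY, fixed, P1), xor_cipher(KEY, fixed, P2))

def unique_nonce_mix():
    """Hardened: distinct nonces, so c1 XOR c2 is still masked by keystream."""
    sender = CounterNonceSender(KEY)
    (_, c1), (_, c2) = sender.send(P1), sender.send(P2)
    return xor_bytes(c1, c2)

if __name__ == "__main__":
    print("reuse exposes p1 XOR p2:", reuse_leak() == xor_bytes(P1, P2))
    print("unique nonces expose it:", unique_nonce_mix() == xor_bytes(P1, P2))
```

Under reuse, the XOR of the two ciphertexts equals the XOR of the two plaintexts without the key ever being involved, so the zero bytes at the start reveal that both messages share the prefix "transfer ".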

Quantum-era cryptography: a new threat model

Quantum-era cryptography is not one cipher. It is a response to a different attacker model.

NIST has warned that if large-scale quantum computers are built, they will be able to break many public-key cryptosystems currently used across the Internet and other digital systems [7]. That does not mean every cipher fails at once. It means organizations can proactively evaluate where public-key cryptography is deployed and align their security updates with the required lifespan of their sensitive data.

Two ideas often get grouped together: quantum key distribution and post-quantum cryptography. They are related to quantum risk, but they are not the same.

ETSI describes QKD as a quantum-safe technique where shared random secret keys are generated using quantum properties of optical signals [10]. NSA also notes that QKD uses special-purpose technology and should be viewed as a partial solution, not a complete replacement for modern cryptography [11].

Post-quantum cryptography takes a different path. NIST describes PQC as work on cryptographic systems that can remain secure against both quantum and classical computers while still fitting existing communications protocols and networks [7].

In 2024, NIST released the first three finalized post-quantum standards: FIPS 203 for ML-KEM, FIPS 204 for ML-DSA, and FIPS 205 for SLH-DSA [8][9]. That makes the topic practical, not speculative. The future work is inventory, migration, testing, and crypto-agility.

Figure 5. Quantum-era QKD vs PQC comparison.

Timeline and Progression Table

The table below summarizes the progression. The point is not that one stage simply replaces another. The point is that each stage exposes a different part of the security problem.

Figure 6. Cipher progression table.

Security and Implementation Notes

Classical ciphers are useful teaching tools, but they should not be confused with modern secure encryption.

Encryption is only one part of cryptography. NIST defines encryption as transforming plaintext into ciphertext using a cryptographic algorithm and key, but broader cryptography also supports goals such as confidentiality, integrity, non-repudiation, and authenticity depending on the mechanism [1][2].

This distinction matters in real security work. A cipher may hide a message, but it does not automatically prove who sent it, whether it was modified, whether the key was protected correctly, or whether the implementation is safe.

That is why key management is part of the story. NIST SP 800-57 focuses on cryptographic key management across the key lifecycle, which reinforces that security depends on algorithms, keys, operational controls, and implementation discipline [12].

The quantum section also needs careful framing. QKD is interesting, but it is not a universal replacement for public-key cryptography. PQC is broader because it targets algorithms that can be deployed through existing protocols and systems [7][10][11].

What I Learned

This project helped me see cryptography as a progression of questions instead of a list of isolated algorithms.

Caesar asks whether a simple keyed rule can hide a message. Vigenere asks whether changing the shift can hide the pattern better. XOR asks what encryption looks like once information becomes bits. Quantum-era cryptography asks what happens when the attacker’s computing model changes.

The useful lesson is that every cipher teaches both a capability and a limitation. Caesar teaches substitution, but also key-space weakness. Vigenere teaches polyalphabetic hiding, but also repeated-key risk. XOR teaches reversible bit mixing, but also the danger of key or keystream misuse. Quantum-era cryptography teaches that future security depends on planning before the threat is fully operational.

That mindset is useful for cybersecurity work. Strong security is not just knowing the tool. It is knowing what the tool proves, what it does not prove, and where its assumptions begin to fail.

Next Improvements

For the quantum section, I would expand the migration angle by mapping common enterprise cryptography use cases to the NIST post-quantum standards. Certificates, VPNs, signatures, key establishment, and long-term encrypted data all create different migration questions.

Conclusion

This project was a reminder that cryptography is not just a set of algorithms. It is a way of thinking about trust, secrecy, patterns, keys, and the assumptions an attacker can challenge.

The progression from Caesar to Vigenere to XOR to quantum-era cryptography shows how cybersecurity keeps moving from simple rules toward stronger models, better validation, and more careful engineering.

The biggest takeaway was that good security work depends on knowing what a control proves and what it does not prove. That habit applies whether the topic is a historical cipher, a modern stream cipher, or the future of quantum-safe cryptography.

The views expressed here are my own and do not represent any employer or organization.

References

  1. NIST CSRC Glossary, Cryptography. https://csrc.nist.gov/glossary/term/cryptography
    Definition of cryptography and its information-security scope.

  2. NIST CSRC Glossary, Encryption. https://csrc.nist.gov/glossary/term/encryption
    Definition of encryption as transforming plaintext into ciphertext using an algorithm and key.

  3. Encyclopaedia Britannica, Caesar Cipher. https://www.britannica.com/topic/Caesar-cipher
    Background on Caesar cipher as a substitution cipher associated with Julius Caesar.

  4. Encyclopaedia Britannica, Vigenere Cipher. https://www.britannica.com/topic/Vigenere-cipher
    Background on Vigenere as a polyalphabetic cipher and its historical role.

  5. NIST CSRC Glossary, Exclusive-OR. https://csrc.nist.gov/glossary/term/exclusive_OR
    Definition of XOR as bitwise modulo-2 arithmetic without carry.

  6. RFC 8439, ChaCha20 and Poly1305 for IETF Protocols. https://www.rfc-editor.org/rfc/rfc8439
    Primary standards-track source describing ChaCha20 keystream generation and XOR with plaintext.

  7. NIST IR 8105, Report on Post-Quantum Cryptography. https://csrc.nist.gov/pubs/ir/8105/final
    NIST background on why large-scale quantum computers threaten many public-key cryptosystems and why PQC is needed.

  8. NIST, Post-Quantum Cryptography Project. https://csrc.nist.gov/projects/post-quantum-cryptography
    NIST project page noting that the principal PQC standards were released in 2024 and that organizations should begin migration.

  9. NIST News, First Three Finalized Post-Quantum Standards. https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards
    Official NIST announcement for FIPS 203, 204, and 205, including ML-KEM, ML-DSA, and SLH-DSA.

  10. ETSI ISG QKD. https://www.etsi.org/technical-groups/qkd/
    Industry standards source explaining QKD as a quantum-safe technique for generating shared random secret keys using optical signals.

  11. NSA, Quantum Key Distribution and Quantum Cryptography. https://www.nsa.gov/Cybersecurity/Quantum-Key-Distribution-QKD-and-Quantum-Cryptography-QC/
    Security guidance explaining that QKD uses special-purpose technology and should be understood as a partial solution.

  12. NIST SP 800-57 Part 1 Rev. 5, Recommendation for Key Management. https://csrc.nist.gov/pubs/sp/800/57/pt1/r5/final
    Authoritative key-management guidance used to support the point that cryptography depends on more than the cipher alone.
