The Forgotten History of the Lock: From Egyptian Pin Tumblers to Modern Cryptography

The lock on the door you used today operates on principles laid down in Egypt around 2000 BCE. The mechanism — a set of spring-loaded pins of varying lengths that drop into matching positions when the correct key is inserted, freeing a bolt to slide — was excavated from sites at Khorsabad and depicted on bas-reliefs at Karnak. A locksmith from the time of Hammurabi who walked into a modern hardware store would recognize most of the locks for sale, and would understand exactly how a pin tumbler works after a few seconds of inspection. Forty centuries separate the original from the descendant, and the design has barely changed.

This is one of the most striking continuities in the history of engineering. Most ancient technologies were superseded, lost, or reinvented in unrecognizable form. The pin tumbler lock survived as itself, refined incrementally, mass-produced in the nineteenth century, and now formally equivalent in security-theory terms to the cryptographic protocols that secure the internet. The history of the lock is the history of secrecy as an engineering problem, and it turns out that the basic insight has been correct for a very long time.

The Egyptian pin tumbler

The earliest verified locks come from the palace of Sargon II at Khorsabad, dating to around 700 BCE, but representations of similar mechanisms appear in Egyptian tomb art a thousand years earlier. The mechanism was a wooden block with a horizontal bolt, drilled with vertical pin holes. Above the bolt was a horizontal cavity containing pins of various lengths, and above that was a cover. When the bolt was in the locked position, the pins fell through holes in the bolt into corresponding holes in a fixed plate below, locking everything in place.

The key was a wooden rod with pegs sticking up from its top surface, matching the positions and required heights of the pins. The key was inserted through a hole in the side of the lock case, slid under the pins, and lifted. The pegs on the key pushed each pin up to exactly the height where the bottom of the pin cleared the bolt and the top did not protrude past the bolt's upper surface. With all pins at the shear line, the bolt could be slid back, opening the lock.

This is, in mechanism terms, identical to the modern pin tumbler. The differences are in materials (wood and bronze vs. brass and steel), in the orientation of the key (Egyptian keys were essentially flat planks; modern keys are blade-shaped to be inserted vertically), and in the precision (modern locks have tolerances of a few thousandths of an inch; ancient locks were probably looser by an order of magnitude). The principle is the same.

The Roman warded lock

The Romans inherited the pin tumbler design but largely abandoned it in favor of warded locks, which became the dominant European lock pattern for the next 1500 years. A warded lock contains a set of internal projections (wards) arranged so that only a key with matching cut-outs can rotate freely inside the keyway. The wards do not directly retain the bolt; they merely obstruct any key that does not have the right shape from reaching the lever that does retain it.

Warded locks are simpler to manufacture than pin tumblers and were adequate for the security needs of most Roman and medieval European applications — door locks for valuables, chest locks, gate locks. They are also famously easy to pick, because a key blank with the wards filed off can be rotated to operate the bolt regardless of the original keying. The Romans seem to have considered this an acceptable trade-off; the medieval Europeans inherited this judgment and lived with it for fifteen centuries.

The Roman version, made of iron and brass, is the lineal ancestor of the warded lock you can still buy for low-security applications like cabinet locks and pre-war interior door locks. Some patterns of Roman key design survived essentially unchanged into the eighteenth century.

The eighteenth-century revival

Pin tumbler locks were essentially absent from Western Europe between Roman times and the late eighteenth century. The revival began with a series of inventors responding to a publicized challenge — the British Society of Arts offered a prize in 1774 for an unpickable lock, and several inventors took up the work. Robert Barron's 1778 double-acting tumbler lock and Joseph Bramah's 1784 lock with a rotating barrel and radial slider pattern were major advances.

Bramah's lock was famously displayed with a £200 reward for anyone who could pick it; the prize stood unclaimed from 1790 to 1851, when American locksmith Alfred Charles Hobbs picked it during the Great Exhibition in London after 51 hours of work. The fact that it took a working professional 51 hours says something about both the lock and the state of the art.

The pin tumbler in its modern form was patented by Linus Yale Sr. and refined by his son Linus Yale Jr. in the 1860s. Yale Jr.'s 1865 patent on the small-format pin tumbler with a flat key blade is essentially the design used in nearly every modern residential door lock. The Yale lock is what you have on your front door, in your office, in your gym locker. The form factor has not changed in 160 years.

The lock as cryptographic primitive

The relationship between physical locks and cryptography is more than analogical. A pin tumbler lock implements what cryptographers call a one-way function: given the key, opening the lock is easy; given only the lock, finding the key is hard. The security parameter is the number of pins times the number of possible heights per pin — a 5-pin lock with 10 heights per pin has 100,000 possible keyings, which is roughly equivalent to a 17-bit secret.

This is enough security for most physical applications because the attacker has to be physically present to try keys, the lock provides feedback (a wrong key does not rotate), and physical countermeasures (cameras, alarms, time) limit the rate of attempts. The same 17-bit secret would be trivial to brute-force in cryptographic terms, but the attack surface is different. The lock works because of physical constraints on the attack, not because of the inherent strength of the secret.

The closer analogy is to the physical-token authentication protocols used in modern security: smart cards, FIDO2 hardware keys, physical 2FA tokens. These are explicitly designed as the cryptographic descendants of the physical key, with the same property that possession of the token authorizes use, and they secure a small per-token secret with strong cryptography against the modern threat model of network attackers.

The lock as institutional artifact

The history of the lock is also the history of trust. Roman and medieval locks were mostly symbolic — they kept honest people honest, and a serious attacker could defeat them with mild effort. The Renaissance saw the rise of professional locksmiths organized into guilds, with masters protecting closely-held knowledge and apprentices binding themselves to decades of service. The Industrial Revolution democratized locksmithing by mass-producing locks at quality grades that previously required custom work.

The institutional layer matters because a lock's security depends on the trust system around it: who has copies of the key, who is allowed to make new keys, who responds when the lock is broken. The modern apartment master-key system is partly an engineering achievement (the same lock accepts both the resident's key and the building manager's key by clever pin arrangement) and partly an institutional achievement (the building manager's key copies are controlled, the resident's keys are not).

Digital authentication faces the same problem in a different form. A FIDO2 hardware key is cryptographically strong, but its security depends on the institutional layer around it: how it is enrolled, what happens when it is lost, who is allowed to authorize a new one. The institutional questions are older than the cryptographic ones, and the lock-and-key tradition has been wrestling with them for four thousand years.

The deeper observation

The pin tumbler lock is one of the longest-lived engineering designs in continuous use, and the modern descendant works on the same principle as the Egyptian original because the principle is fundamentally correct. Make the secret a shape with high combinatorial complexity, encode it in a physical token, and verify it through a mechanism where the verification is easy with the token and hard without. This is the same basic insight that drives modern cryptographic authentication, expressed in materials available to bronze-age engineers. The continuity is not because nothing has changed; it is because the underlying problem and the basic solution have not changed. Some engineering problems have stable answers, and locking-things-against-an-untrusted-party turns out to be one of them.