The book
Cleartext
Marcus Wynthor is twenty-nine, bored, and running out of reasons to stay late at Vantaris Systems. On a slow night in Austin, he opens a security-research forum and finds a post from an account he has never seen before. An API endpoint. A bearer token. One line of text: Test it on something you think is safe. He sends RSA-4096 ciphertext from a training archive and watches the plaintext come back in under two seconds. He generates a fresh key pair. Same result. Much of modern public-key cryptography rests on a small set of hardness assumptions — factoring large numbers, or the elliptic-curve discrete-log problem. Those assumptions have been wrong for at least the time it took this post to reach page three.
A thousand miles east, at Fort Meade, senior NSA cryptanalyst Kai Merrowe is called into a briefing he was not expecting. Someone outside the network has used agency credentials to submit three decryption requests through a relay chain that terminates in three different jurisdictions, none of them cooperative. The person who wrote those credentials in the first place is no longer with the agency. The machine they belong to is the most closely held secret in the US government, and Kai helped architect its analytical pipeline. His job is to identify the user and contain the breach, quietly, before the existence of the machine becomes a question someone in Congress has to answer.
Marcus brings what he found to a small anonymous collective of security researchers — no name, no logs, handles only — who trust each other's work more than they trust any institution. They begin to map what the API can break: RSA, elliptic-curve, the post-quantum standards NIST finalized in 2024. Kai begins to map the infrastructure behind the relay chain and discovers that the API has been active inside his own agency for an operation he was never briefed on. His daughter's face stares back at him from a photo on his desk. The list of Americans under active surveillance includes names he recognizes.
Two investigations, running toward each other from opposite ends of the same machine. The engineer has a little time left. The analyst has a committee behind him who will decide what "containment" is allowed to mean.
Cleartext is a near-future thriller about cryptography, institutional drift, and the quiet arithmetic that separates the person who builds a system from the person who uses it.
Themes
Cryptographic trust after trust is gone
The padlock in the browser is a promise made by math. When the math no longer holds, the promise is legally still in force, institutionally still assumed, and practically no longer true. Cleartext is set in the gap between those three things.
Institutional oversight and what it actually constrains
The US surveillance apparatus was not fundamentally redesigned after Snowden. It was reinterpreted. The book looks at the distance between what Congress believes it authorized and what a committee with the right clearances can actually do with a capability its members helped build.
Anonymity as a professional discipline
The collective Marcus falls into operates on strict operational hygiene: handles only, text-only channels, hybrid or post-quantum-secure messaging, no retained logs. By design, members are not supposed to know each other's civilian identities. The book is partly about how that discipline holds for as long as the stakes are abstract, and where it starts to give when real people and real consequences arrive.
On the research
Cleartext is fiction. The cryptography is not.
The RSA and elliptic-curve schemes described in the book are the ones the internet runs on today — the algorithms in TLS and the keys in your phone. The post-quantum lattice schemes are the standards NIST finalized in 2024 (ML-KEM and ML-DSA, FIPS 203 and 204), which the internet is beginning to migrate toward. The quantum computer in the story is a scale extrapolation of work that is genuinely underway. The resource estimates and timelines I use are faster than the public consensus and slower than the worst-case assumptions of people who watch this closely. The scenario is meant to be plausible, not prophetic.
The surveillance apparatus is drawn from primary-source material that is public: FISA amendments, inspector-general reports, declassified 2013-era NSA documents, and the Congressional oversight structure as it actually exists. Where the book invents a program, it invents inside constraints that match the real ones. CARDINAL and LOOKING GLASS are fictional. The legal and institutional gaps they exploit are not.
I spent several months working backward from "what would have to be true for this story to make internal sense" to the research that would make each technical beat defensible. I tried to build the technical parts so that readers inclined to look them up would find they broadly hold.
I am happy to talk about any of it.
— Andreas Renz