April 15, 1998 5:50 PM PDT
Crypto contest seeks new standard
The National Institute of Standards and Technology (NIST) expects 10 to 15 proposals by the final June 15 deadline. Already Cylink and RSA Data Security, a subsidiary of Security Dynamics Technology, have submitted preliminary proposals.
The competition is to select a replacement for the Data Encryption Standard (DES) that is now widely used by the federal government and others to encrypt and decrypt sensitive data. Because DES is more than 20 years old, the Advanced Encryption Algorithm (AES) is designed as a replacement, although both algorithms are likely to be used during a transition period. A final decision on the replacement won't come for more than two years.
"It is intended that the AES will specify an unclassified, publicly disclosed encryption algorithm available royalty free worldwide that is capable of protecting sensitive government information well into the next century," states a September 12, 1997, Federal Register notice requesting the proposals.
"There has been growing concern that DES is not secure," said Lauren Hall, a lobbyist on encryption issues for the Software Publishers Association. "You are seeing a recognition that it's time to move beyond DES."
RSA's proposal has not been named or published, but chief scientist Burt Kaliski said it builds on RSA's RC5 encryption algorithm. Enhancements were required because RC5 didn't meet NIST requirements on key size (a measure of the strength of a cipher) and block sizes.
RSA's proposal supports key sizes of 128 bits (the minimum specified by NIST), 192 bits, and 256 bits. NIST also required at least a 128-bit "block size," which describes how much data is encrypted in a single operation.
Kaliski said RSA will publish its proposal after June 15, the final deadline for submissions to NIST. NIST expects to publish all submissions August 20.
Cylink's proposal is called Safer-+ (Safer-Plus) and it builds on Cylink's Safer technology, first published in 1993. Like RSA's proposal, it supports key sizes of 128, 192, and 256 bits and block sizes of 128 bits.
"It's a very straightforward extension of Safer," said Chuck Williams, Cylink's chief scientist. Building on existing technology, as both Cylink and RSA do, is important because it means the algorithms have been published and tested by other cryptographers.
Jonathan Callas, chief technology officer for security at Network Associates, said the competition will spur advances in cryptography that will have benefits beyond those the government reaps. His company is not submitting a proposal for the competition.
"I fully expect that at least one of the runners-up will be widely used," said Callas, who was CTO at Pretty Good Privacy before Network Associates acquired it last year. "These algorithms are kind of like the engines of crypto products. By NIST saying, 'We want bigger engines than anything now developed,' it's spurring development in a new level of advanced cryptography. It's a great idea."
But the winner won't gain a direct financial boost because NIST has specified the winning algorithm must be available for free around the world.
"If you wrote the cipher that became AES, that's a feather in your hat as a cryptographer," Callas said, and that success would reap financial benefits to the company that employs the cryptographer as well.
In addition, RSA's Kaliski noted, public key algorithms such as RSA's are still used in security systems, so a larger market for AES potentially means more sales for RSA public key encryption, too. "Between now and when AES is accepted, we will probably be offering commercial versions [of its AES proposal], too," Kaliski added.
Crypto vendor Certicom, which will not submit an NIST proposal, hopes its elliptic curve (EC) algorithms also will gain when AES is finalized.
In addition, the AES competition also is open to universities, and several have strong crypto research programs: Massachusetts Institute of Technology, Canada's University of Waterloo, and the University of California at Berkeley.