The Economic Impacts of the Advanced Encryption Standard, 1996 ‐ 2017


NIST GCR 18‐017

The Economic Impacts of the Advanced Encryption Standard, 1996 ‐ 2017

David P. Leech
Stacey Ferris, CPA
RM Advisory Services LLC

John T. Scott, Ph.D.
Dartmouth College

September 2018

This publication is available free of charge from: https://doi.org/10.6028/NIST.GCR.18-017

Prepared for U.S. Department of Commerce, Operating Unit: National Institute of Standards and Technology, Gaithersburg, MD 20899

This publication was produced as part of Contract SB134117RQ0572 with the National Institute of Standards and Technology. The contents of this publication do not necessarily reflect the views or policies of the National Institute of Standards and Technology or the U.S. Government.

U.S. Department of Commerce
Wilbur L. Ross, Jr., Secretary

National Institute of Standards and Technology
Walter Copan, NIST Director and Undersecretary of Commerce for Standards and Technology

ACKNOWLEDGEMENTS

First and foremost, we acknowledge the contributions of Dr. Eric Burger, of Georgetown University’s Security and Software Engineering Research Center (S2ERC), for technical advice throughout the project and especially for helping to infuse economically meaningful concepts with equally meaningful technical content during the survey design phase of the project.

Economic impact assessments occur in stages. Ultimately, we owe a great debt to many, mostly unknown, survey respondents who took the time to respond to a relatively difficult survey. The preparation and execution of the survey also owes a great deal to those who participated in background interviews as well as the efforts of several cyber-security related associations and standards development organizations that encouraged their members to participate in the survey.

Historical background information was provided by public and private sector individuals, some of whom participated in the early stages of the Advanced Encryption Standard (AES) program. They helped anchor our understanding of what was at stake in the decisions to launch the AES initiative, to participate in it, and to adopt AES-based encryption systems. Among current and former NIST personnel, we acknowledge the contributions of Larry Bassham, Lily Chen, Donna Dodson, James Foti, Edward Roback, Matthew Scholl, and Miles Smid. We would like to thank Vincent Rijmen at the University of Leuven, Belgium, one of the co-creators of the winning algorithm for AES, for his insights on AES, the competition, and the cryptographic environment of the 1990s.

The following individuals provided insights from the private sector perspective: David Balenson (SRI International), John Callas (Apple), John Green (Hewlett Packard), Marc Ireland (UL Transaction Security), Brian LaMacchia (Microsoft), Lisa Yin (RC6 developer, formerly of RSA Labs), Matt Keller (Corsec), Matthew McGhee (COACT, Inc.), Ari Singer (TrustiPhi), Paul Spaven (3e Technologies International, Inc.), Ashit Vora (Acumen Security), Steven Weingart (Hewlett Packard), and others who wished to remain anonymous. Special thanks to Matt Keller who went the extra mile in providing a sounding board for numerous technology and industry issues as they arose over the course of the project.

Several associations supported the survey phase of the project by making their members aware of the project and encouraging them to respond to the survey. We thank the following individuals and their organizations for their support in this regard: Chris Cook (College of Healthcare Information Management Executives, CHIME), Patrick Gaul (National Technology Security Coalition, NTSC), Marie Gilbert (Information Systems Audit and Control Association, ISACA), Matt Keller (Cryptographic Module User Forum, CMUF, and Common Criteria User Forum, CCUF), Alex Morris (Internet Engineering Task Force, IETF), Paul Nikolich (Institute of Electrical and Electronics Engineers, IEEE), Josh Poster (National Council of ISACs, NCI), Douglas Robinson (National Association of State Chief Information Officers, NASCIO), Eileen Sciarra (Information Systems Security Association, ISSA), Foy Shiver (Anti-Phishing Working Group, APWG), Steve Stevens (Accredited Standards Committee X9), and Lynn Terwoerds (Executive Women’s Forum on Information Security, EWF).

Michael Walsh and Kathleen McTigue of NIST’s Technology Partnership Office (TPO) reviewed drafts of the report and offered many helpful suggestions. Kathleen McTigue was the NIST project manager and guided the project smoothly from start to completion.

Cover page diagram of AES round transformations courtesy of John Savard.

TABLE OF CONTENTS

EXECUTIVE SUMMARY
1. INTRODUCTION
    1.1 NIST’S TECHNOLOGY TRANSFER IMPACTS MISSION
    1.2 ECONOMIC IMPACT ASSESSMENT FOCUS
2. BACKGROUND
    2.1 CRYPTOGRAPHY ABCS
    2.2 ELEMENTS OF AN ENCRYPTION SYSTEM
    2.3 THE U.S. ENCRYPTION REGULATORY ENVIRONMENT
    2.4 THE GENESIS OF AES
        2.4.1 Prelude to AES: It was not always thus
        2.4.2 Competition and Criteria
        2.4.3 Down-Select and Worldwide Cryptanalysis
        2.4.4 Final Selection
        2.4.5 Cryptographic Algorithm/Module Validation Program
3. ECONOMIC ANALYSIS FRAMEWORK
    3.1 FIPS IN ECONOMIC CONTEXT
        3.1.1 Encryption Systems and Switching Costs
        3.1.2 Interoperability, Compatibility, and Standardization
        3.1.3 Standards as Public Goods
        3.1.4 FIPS as Market Failure-Mitigating Tools
        3.1.5 FIPS as Infra-technology
    3.2 ENCRYPTION SYSTEMS IN AN INDUSTRIAL CONTEXT
        3.2.1 Encryption Systems Value Chain
        3.2.2 Encryption System Market Size and Composition
4. ECONOMIC IMPACT ASSESSMENT APPROACH
    4.1 SURVEY STRATEGY
        4.1.1 Seven Broad Categories of Cost-Avoidance Benefits Identified
        4.1.2 The Counterfactual Scenario
        4.1.3 Segmenting the Survey Recipient Population
    4.2 SURVEY EXECUTION
