
Susan Landau
Designing Cryptography for the New Century
Communications of the ACM, May 2000/Vol. 43, No. 5

Cryptography was once the domain of generals and curious children, but the advent of the Information Age changed that. In the early 1970s the National Security Agency (NSA) and the National Bureau of Standards (NBS) realized that non-combatant adults needed to protect their sensitive, but unclassified, information. Though NSA is the usual government agency for building cryptosystems, the agency was unwilling to design a cryptosystem for public use. Instead NBS issued a public solicitation for a cryptosystem. IBM responded. The company submitted a cryptosystem with a 56-bit key. The new algorithm became the Data Encryption Standard (DES).

Many in industry and academia were skeptical of DES. Concern centered on whether NSA had placed a trapdoor, a shortcut to decryption, in the algorithm. There were also objections to DES’s key length; critics believed the relatively short key length had been chosen so that NSA could read DES-encrypted traffic. (IBM said its own engineers had insisted on parity bits for the register-to-register transfer of key data, thus decreasing the key length to 56 from the original 64.)

During the next two decades there were frequent battles over cryptography. Using export controls and threats of other legal action, the U.S. government attempted to stop the spread of strong cryptography. Seeking to build secure computer systems, industry found export controls on cryptography to be a serious blockage (though, to be sure, not the only one) [4]. Industry battles centered on bits: how many would the government allow in exported products? Under a 1992 agreement, the magic number was 40 bits. DES is 56 bits. With narrow exceptions, products incorporating DES could not be exported. A 1996 National Research Council report on cryptography policy recommended an immediate loosening of export controls. No changes occurred until 1998, when a $250,000 special-purpose machine built by the Electronic Frontier Foundation cracked a DES-encrypted message in 56 hours [5]. (This has since been improved to 22 hours through a combination of 100,000 networked PCs and the EFF machine.) At that point, U.S. export controls were relaxed to permit DES in exported products. In recent months export controls have been further eased.

A New Standard

A DES replacement was overdue.¹ In 1997 the National Institute of Standards and Technology (NIST) announced a competition for the algorithm’s replacement, and held public meetings to discuss the criteria for a proposed Advanced Encryption Standard (AES). Key length was most important. A 1996 ad hoc committee had argued 90 bits was currently the minimum key length needed to provide data security for 20 years [1]. NIST sought that much security and more—encrypted files should remain confidential well after AES was retired. NIST settled on a minimum key length of 128 bits.²

Given the government’s intransigence over exporting strong cryptography, initial reaction was mistrustful. One concern was the role of the NSA in the process. Another was foreign participation; after all, cryptanalysis expertise is international. Both concerns seem to have been allayed. While NSA is—appropriately enough—studying the candidates, there have been no complaints about its part in NIST’s evaluation. And NIST allowed foreign participation in the AES competition.

After public input, NIST settled on straightforward requirements: the algorithm must implement symmetric (secret) key cryptography, the algorithm must be a block cipher, and the algorithm must work on 128-bit blocks and with three key sizes: 128, 192, and 256 bits. If selected, candidates would have to be available worldwide on a nonexclusive, royalty-free basis. Evaluations would be on security, cost, and implementation flexibility. As simplicity aids in understanding, implementing, and assessing the security of the candidates, design simplicity would count. The winner should work in a variety of venues, including 8-bit processors, smartcards, ATM networks, HDTV, voice, and satellite communications. A year into the evaluation procedure, NIST would determine five finalists, and a year later, the winner (or winners—NIST might pick more than one). NIST’s biggest challenge was determining the candidates’ strength.

Cryptanalysis is a young science without an overarching theory. Certifying a 128-bit symmetric key algorithm is a voyage into the unknown. NIST could use mathematical arguments and various measures (for example, how much a candidate’s output was indistinguishable from a random permutation) to establish an algorithm’s security. But such approaches are only as strong as the imagined attack model. At the end one is left with statements of the form: “We tried, and algorithm X could not be attacked by methods D, L, or S.” Such an approach does not inspire confidence.

If an algorithm uses a k-bit key, the measure of security is how close the algorithm is to being 2^k-secure, that is, whether there are significantly better methods for breaking the system than a brute-force search of the entire key space. (An assumption, first codified by Kerckhoffs in the 18th century, holds that security of a cryptosystem should rest entirely in the secrecy of the key, and not in the secrecy of the algorithm.) Sometimes an algorithm’s weakness is readily apparent, but frequently weaknesses may take years to discover. With DES, one strong form of attack—differential cryptanalysis—had apparently been known to the algorithm’s designers, but linear cryptanalysis, discovered in 1993, seems to be new. DES was indeed at least theoretically vulnerable to this type of attack.

¹ Triple-DES—three iterations of DES with either two keys (K1, K2, K1) or three (K1, K2, K3)—had become popular. But triple-DES does not take optimal advantage of 32-bit processors and is too slow.
² DES is a private-key, or symmetric, cryptographic system, in which encryption and decryption use the same key. Public-key cryptography typically needs significantly more bits to achieve the same level of security as a private-key algorithm.

Cryptosystem Design

The simplest techniques for encrypting a block of symbols are substitution and transposition. Substitution replaces a symbol by another; transposition permutes the symbols of a block around. Cryptanalysis can be viewed as trying to determine the plaintext by approximating the encryption function. Viewed this way, linear functions of the input and key are poor design choices; such functions can be easily solved. Thus nonlinear functions form the basis of cryptographic design. But cryptographic functions must be invertible, fast to compute, and should have small key size and memory requirements. So linear functions end up playing an essential role. A proper combination of simple operations such as XOR (exclusive or, addition modulo 2, sometimes written as ⊕), substitution, and permutation produces a cryptosystem whose strength is greater than the sum of its parts.

These operations are all that is behind DES, which is an iterated block cipher, a cryptosystem on a block of symbols that sequentially repeats an internal function, called a round. It is currently customary to encrypt data using a primitive that operates on a block of symbols of moderate size. Although there are non-iterative block ciphers (RSA), iteration is a natural way to proceed because that yields a small object (this is useful in hardware) with good complexity. Some version of self invertibility is also useful. This enables one object (a chip, a piece of software) to both encrypt and decrypt. Feistel ciphers, in which the 2t-bit input is split into t-bit halves L0, R0 and mapped after r rounds to Lr, Rr, succinctly accomplish this. In the ith round, the right half of the previous round becomes the new left half, Li ← Ri–1, while the new right half Ri is a function of a round subkey Ki (derived from the key K) and both halves from the previous round, Ri ← Li–1 ⊕ f(Ri–1, Ki), where f is an arbitrary function. Decryption is the algorithm run in reverse, with subkeys used in the opposite order. DES is a 16-round Feistel cipher.

One school of thought in cryptosystem design lets technology strongly guide the choice of operations, thereby obtaining algorithmic complexity with high-speed performance. NSA takes a different tack. Any widely deployed system will be implemented across a variety of hardware and software systems, so the agency believes in “keep it simple,” and prefers to use elementary primitives such as XOR and table look-up. As opposed to more complex operations such as floating-point arithmetic, these functions act the same way regardless of system architecture. There are countless other tradeoffs, with perhaps the most fundamental being between those algorithms that are simpler to verify, and those that are more complex but more difficult to verify. In a block-structured cryptosystem, this particular issue plays out on the question of rounds: should there be many simple rounds or fewer, more complex ones? Even relatively simple cryptosystems can be secure when run for 32 rounds.

[...] bits that reveal information about the key. Let B[i] denote the ith bit of an array B, and B[i1, i2, …, ik] = B[i1] ⊕ B[i2] ⊕ … ⊕ B[ik], and let P, C and K be the plaintext, ciphertext, and key respectively. Fundamentally one is seeking relationships of the form: P[i1, i2, …, ia] ⊕ C[j1, j2, …, jb] = K[k1, k2, …, kc]. In the case of DES, both differential and linear cryptanalysis are theoretical rather than practical attacks. Yet these are very powerful cryptanalytic tech-
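The Feistel round structure and the P[…] ⊕ C[…] = K[…] relations described above, as an added Python example that is not part of the original article: a toy 16-bit Feistel cipher with a constructed rotation key schedule and two round functions, one linear over GF(2) and one nonlinear. The names subkeys, f_linear, f_nonlinear, feistel, xor_bits and relation_rate are assumptions of this example; it shows that decryption is the same loop with subkeys reversed whatever f is, and that a linear f admits an exact key-revealing relation while the nonlinear f does not.

```python
import random

T = 8                      # half-block width t; blocks are 2t = 16 bits
MASK = (1 << T) - 1

def subkeys(key, rounds):
    """Toy key schedule (constructed, not from the article): rotate the
    16-bit key left by i positions and take the low t bits as subkey K_i."""
    ks = []
    for i in range(rounds):
        rot = ((key << i) | (key >> (16 - i))) & 0xFFFF
        ks.append(rot & MASK)
    return ks

def f_linear(r, k):
    """Round function linear over GF(2): the poor design choice the text warns of."""
    return r ^ k

def f_nonlinear(r, k):
    """Non-invertible, nonlinear round function (constructed): square mod 257, XOR subkey."""
    return ((r * r) % 257 ^ k) & MASK

def feistel(block, key, rounds, f, decrypt=False):
    """r-round Feistel network on a 2t-bit block. Decryption is the same loop
    with the subkeys applied in the opposite order, whatever f is."""
    ks = subkeys(key, rounds)
    if decrypt:
        ks.reverse()
    left, right = block >> T, block & MASK          # (L0, R0)
    for k in ks:                                    # Li <- R(i-1); Ri <- L(i-1) xor f(R(i-1), Ki)
        left, right = right, left ^ f(right, k)
    return (right << T) | left                      # undo the last swap so one routine inverts itself

def xor_bits(b, idx):
    """B[i1, ..., ik] = B[i1] xor ... xor B[ik] in the article's notation (bit 0 = LSB)."""
    return sum((b >> i) & 1 for i in idx) & 1

def relation_rate(f, rounds, p_idx, c_idx, k_idx, trials=2000, seed=1):
    """Fraction of random (P, K) pairs satisfying P[p_idx] xor C[c_idx] = K[k_idx].
    Near 1.0 or 0.0: the relation reveals key bits; near 0.5: no such linear leak."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        p, k = rng.getrandbits(16), rng.getrandbits(16)
        c = feistel(p, k, rounds, f)
        hits += (xor_bits(p, p_idx) ^ xor_bits(c, c_idx)) == xor_bits(k, k_idx)
    return hits / trials

if __name__ == "__main__":
    p, k = 0x1234, 0xBEEF
    c = feistel(p, k, 16, f_nonlinear)
    print(hex(c), hex(feistel(c, k, 16, f_nonlinear, decrypt=True)))   # second value is 0x1234
    # Two rounds of f_linear give P[11] xor C[11] = K[2, 3] for every key and plaintext.
    print(relation_rate(f_linear, 2, [11], [11], [2, 3]), relation_rate(f_nonlinear, 16, [11], [11], [2, 3]))
```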