BY DR. SCOTT VANSTONE
In 1986, Whit Diffie published his article, “The First Ten Years of Public Key Cryptology”*, and in the section titled “Where is Public-Key Cryptography Going?” Diffie predicted that “[u]nless the available systems suffer a cryptanalytic disaster, …the very success of public key cryptography will delay the introduction of new ones until the equipment now going into the field becomes outmoded for other reasons.” Since 1986, the “other reasons” have been clearly brought in play by the advent of the wireless world, with its constrained computing, storage and battery life.
In this column, I want to try to answer from a 2004 perspective the same question: “Where is public-key cryptography going?”
At the time of Diffie’s article, Elliptic Curve Cryptography had just been discovered by Victor Miller and Neil Koblitz. Over the last 20 years it has been researched extensively and adopted into a number of industry standards.
On October 24, 2003, a significant event in the history of ECC occurred. In an unprecedented move, the US Government’s National Security Agency (NSA) licensed ECC, MQV (a public-key key agreement scheme created by Menezes, Qu, and Vanstone) and related intellectual property for the U.S. Government’s mission critical national security applications, declaring it a “crucial technology”. The US Government views ECMQV as a major component of key management.
Why is this significant? A major hurdle to wide-scale adoption of any security technology is standardization. When the NSA endorsed the Data Encryption Standard (DES) in 1979, it became a standard around the world. DES became FIPS-approved (NIST Federal Information Processing Standards) and then over time, moved into wider commercial usage, becoming one of the most widely used cryptographic algorithms of all time. Today, 25 years later, although DES is now being replaced by AES, it has not completely disappeared. As technology requires stronger and stronger security, I believe that ECC and AES are well positioned to experience a similar adoption rate and lifespan.
Following in the footsteps of DES, ECC in conjunction with AES has already been incorporated into a number of key international standards, including ANSI X9.63, IEEE Std 1363-2000, IETF RFC 3278, ISO 15946-3 and NIST SP 800-56. Adoption into global standards will assist in pushing ECC into wider commercial usage.
The adoption by the US Government will also help to push ECC into wider commercial usage. Today, government agencies and departments look for COTS (commercial off-the-shelf) products that have proven security built into them—it makes it easier to receive technical support and allows them to take advantage of the latest technology. Additionally, because security is a concern in many industries, these same products are also used outside the government. The advantages ECC provides apply equally as well to industries such as finance and the postal system, as shown in this issue of Code and Cipher.
Aside from the United States, other governments are also looking at ECC. For example the Chinese government is considering ECC as a way to fix security issues with 802.11 use in its country. The level of security and standardization of ECC makes it ideal in solving problems such as this one.
To answer the proposed question: Where is public-key cryptography going? For now, keep your eyes on the bright future of ECC.
_____________________________________________________________
For those interested in more detail information on practical implementations of ECC, see the recently published book by Hankerson, Menezes and Vanstone titled Guide to Elliptic Curve Cryptography, Springer Verlag, 2003.
*Whit Diffie’s article appeared in Gus Simmons’ book Contemporary Cryptology, The Science of Information Integrity, IEEE Press, 1992.
This issue of Code and Cipher focuses on Elliptic Curve Cryptography applied to address specific industry needs.