Cryptographers Seek DES Successor

  • Rutrell Yasin
  • InternetWeek
  • August 17, 1998

The successor to the aging Data Encryption Standard (DES) will begin to emerge this week as some of the world's top cryptographers convene to review proposals for a new, advanced encryption standard.

Officials at the National Institute of Standards and Technology (NIST) will kick off the first round of "evaluation and analysis" of proposed DES algorithm replacements at the Advanced Encryption Standard (AES) Candidate Conference in Ventura, Calif., later this week.

"This is sort of the debut of the candidate algorithms and the opportunity for any interested [cryptographer] to find out how they work," said Miles Smid, manager of NIST's security technology group.

The AES conference is being held a few days before the International Cryptographer Conference, enabling leading cryptographers from around the world to review the proposals, Smid said.

Fifteen companies and organizations met NIST's June 15 deadline for proposals to replace DES, an encryption standard that has been backed by the U.S. government for more than two decades. Among the candidates are technologies from Cylink Corp., Entrust Technologies Ltd., IBM and RSA Data Security, as well as proposals from universities and smaller companies, such as Counterpane Systems.

The emergence of the Internet and client/server networks has spurred the need for an encryption algorithm that is stronger than DES, industry experts said. Over the past two years, RSA has sponsored several "DES challenges" that have proved the relative ease with which DES could be cracked. As a result, NIST is seeking to replace DES with an advanced encryption standard that will protect both public- and private-sector data—even well into the next decade.

Tried And True

Proposals from Entrust, IBM and RSA draw on existing technology, according to the companies.

Entrust "draws heavily on work already published. Other [submissions] seem to have a lot more that's new," which means the technology will take longer to evaluate, said Carlisle Adams, developer of Entrust's CAST-256 algorithm.

CAST-256 is a symmetric cipher that encrypts blocks of input data. It offers greater flexibility in key size than DES, and supports large block sizes for a higher degree of security, Entrust said.

The three fastest of the proposed ciphers are IBM's MARS, RSA's RC6 and Counterpane's Twofish, said Bruce Schneier, president of Counterpane and inventor of the widely known Blowfish cipher. Twofish's range—the 128-bit block cipher—can be used in large microprocessors, 8-bit smart card microprocessors and 32-bit hardware, he said.

So far, one proposed cipher known as the LOKI encryption scheme has been cracked. Developed by cryptographers in Australia, LOKI is a private block cipher with 128-bit data and a 256-bit key schedule.

"It will be interesting to see what the authors' response will be" when crypto experts question them about their algorithm, Smid said. "That should be an interesting presentation and question-and-answer" session.

Schneier plans to present analysis at the conference that exposes another proposed cipher that was cracked by his team of designers.

With so many large players involved, some smaller candidates expressed concern that companies with marketing clout will have an advantage. Others say they don't expect such favoritism to take place.

"It's in everyone's best interest to have a good algorithm chosen," said Matt Robshaw, a scientist at RSA.

NIST will hold the second round of evaluations next spring somewhere outside the United States, Smid said. "After that, we will narrow the [proposals] to five candidates."
