| Donate $25 for two DVDs of the Cryptome collection of files from June 1996 to the present |
|
17 September 1999. Thanks to DN.
The Washington Post, September 17, 1999
By Michael E. Ruane
Washington Post Staff Writer
Serpent takes its name from a passage in the Bible and is said to be powerful but a bit slow. Twofish is fast, flexible, but complex. MARS, says its builder, is as strong as a castle with a moat full of alligators.
All three are mathematical gladiators, if you will, battling for a coveted prize in the shrouded arena of secret codes and cyphers, an honor that experts call "the golden ring" of cryptography.
They are finalists in the first-ever public competition to become the federal government's new secret code for sensitive, unclassified information.
They were selected last month, along with two other strong codes called Rijndael and RC6, by the National Institute of Standards and Technology, in Gaithersburg, which has been running the competition for the last two years.
The winner, who gets tons of prestige but nary a cent, will probably be announced next summer.
The contestants are complex mathematical formulas, or algorithms, that, along with a secret variable called a key, seek to scramble, or encrypt, information so that it can only be unscrambled, or decrypted, by someone with the same formula and key.
Although the art of code-writing and code-breaking became famous in military circles, the revolution in computer technology and the Internet has created a huge demand for and trade in nonmilitary encryption.
Cryptology "used to be wholly in the domain of the military and the diplomats," said Edward A. Roback, an NIST computer specialist who is chairman of the code selection committee. "Now you have all these crypto-cypher-punk [Internet] news groups. . . . This has been an amazing transformation."
The government, for one, has a vast trove of tax and other sensitive information that needs to be protected from unauthorized eyes. So do the financial services and other industries that utilize electronic commerce and data-sharing.
In 1977, the government, largely in secret, adopted its first official civilian code, originally called Lucifer, later named DES, for Data Encryption Standard. It is now widely used in private industry.
But it has grown old and vulnerable to modern supercomputers that have the potential to break it.
Hence the search for a new code that NIST calls the Advanced Encryption Standard, or AES--"a crypto algorithm for the twenty-first century," as the AES Web site proclaims it.
"DES has lasted 20 years," NIST mathematician Jim Foti said. "We're looking to get 20 or 30 years" out of AES. Foti said NIST actually may pick two winners, if there are two of equal merit. But the focus now is on the best one.
The competition for a prize in which the government says any royalties must be forgone has still been fierce. And the openness--there is a $50 book available about Twofish--has generated tough analysis, along with public confidence, observers say.
Twenty-one entries were submitted a little over a year ago. They came from mathematicians and computer experts from around the world: Frog, from Costa Rica; Magenta, from Germany; Crypton, from South Korea.
Six were eliminated quickly. Ten more were thrown out last month. Some were cracked by competitors. Others were too slow or used too much memory.
Among the finalists, Serpent was entered by Ross Anderson, Eli Biham and Lars Knudsen, a team from Britain, Israel and Norway. Twofish was created by a Minneapolis firm. MARS came from International Business Machines Corp.; Rijndael from Belgium; and RC6 from a laboratory in Bedford, Mass.
Anderson, 42, a lecturer at Britain's Cambridge University, said the name Serpent comes from a chapter in the Old Testament's Book of Amos, which tells of a man pursued by a bear, a lion and a serpent. The team already had invented cyphers nicknamed Bear and Lion, so the new one became Serpent.
"It would be quite a coup to be selected as the AES algorithm," said Anderson, who said he got his start in cryptography by cracking a pay TV code as a young computer whiz 15 years ago. "It wouldn't be the end of the world to lose it. But it would be a great honor to be chosen. I'm sure we'd manage to drink a bottle of wine or so."
Twofish, a descendent of an earlier algorithm called Blowfish, was created by a team led by Bruce Schneier, 36, the chief technical officer at Counterpane Internet Security Inc., of Minneapolis.
"I think it's really big," he said of the contest in a telephone interview last week. "In terms of fame and glory, it's really a big deal. You get to find the encryption standard for the next 20 years.
"You've got to assume that normal people will think you're a lunatic," he said, but "just being in the field of finalists, you're proud."
Schneier likened the AES competition to "a big demolition derby." The algorithms are made public. Each team tries to crack the other's entry. "And the last one left standing wins," he said. "It's a big deal. It's validation from the community."
Nev Zunic, 42, an IBM program manager and cryptography expert based in Poughkeepsie, N.Y., led the creation of MARS.
"It's important in the sense that whoever wins isn't going to realize any great revenues," he said. "But they will realize some acclaim in the industry as designer of the next generation standard."
MARS, he said, stands for multiplication, addition, rotation and substitution--mathematical functions performed inside the algorithm.
"There is some art that goes into designing these algorithms," he said. "It's mathematical art."
MARS actually is constructed like a heavily fortified castle with outside layers of protection guarding the algorithm's central core against cryptanalysis, or code-breaking, "attacks."
"The core itself is very strong," Zunic said in a telephone interview last week. "It could be an algorithm by itself." But it is bolstered by mathematical "blocking functions in front and behind."
"It's sort of like having a . . . castle and you want to protect it," he said. "You can have a high wall, but once that high wall is broken into by people climbing over it, you want a secondary mechanism."
It's like a "moat and wall, but make that moat really wide and fill it with mines and alligators."
Zunic said the AES contest is bringing needed recognition to the artists working in a traditionally shadowy field.
"It's still not one of those topics discussed at social engagements," Zunic said. "Up to three or four years ago, you mentioned cryptography and people's eyes would glass over."
"Now," he said, "it's okay to mention the word."
© Copyright 1999 The Washington Post Company