Garage algorithms


Although cryptography is a difficult subject for many to understand, most people use it nearly every day without ever being aware of it. Whenever you key in your PIN at an ATM, it is encrypted before being sent to a computer that verifies it. Likewise, when a credit card is swiped through the reader at a supermarket, the data is encrypted before it is sent for processing.

This is the story of two little guys in a garage who took on the Nasdaq-quoted heavyweight security companies and won. It concludes with the US government's adoption of a new encryption standard called "Rijndael" (pronounced Rhinedoll). The announcement was made at the beginning of October, and the new standard is planned to be in place by early next year.

It is the culmination of a three-year selection process in which the US Department of Commerce invited all the world's leading cryptographers to submit details of their algorithms for consideration by experts from the National Institute of Standards and Technology (NIST). The details were to be posted to a website hosted by NIST so that competitors could see and freely attack each other's efforts.

Joan Daemen of Proton World International and Vincent Rijmen of the Catholic University in Louvain were both respected in the world of cryptography, but compared to competitors like IBM, RSA Data Security and Counterpane, they were decidedly "garage".


The competition began with 15 contestants attending the first convention in California. Before the conference was over, two of the entries were cracked, so that left a field of 13. By the time the third and final conference was held in New York in April of this year, the field had been reduced to five, with Counterpane's "Twofish" algorithm the odds-on favourite with most independent observers.

It came as a shock to many when Norman Mineta, the US Secretary of Commerce, announced that the Rijndael submission was the winner and would become the standard encryption technique for all the US government's sensitive, unclassified data-in-transit for the foreseeable future.

Just how long that will be is a moot point. The last standard, the Data Encryption Standard (DES), lasted 20 years before it became susceptible to key attack. The size of the encryption key is critical to any algorithm's security. The DES key was 56 bits in length. The Rijndael key will come in three sizes: 128, 192, and 256 bits.

By the late 1990s, DES cracker machines became available that were capable of recovering the 56-bit DES key in a few hours. It would take such a machine longer than the accepted age of the universe to recover the simplest Rijndael key.

However, the key size specification was set as a prerequisite by the US standards body, so other entrants' algorithms would be equally immune to key attack. So why was Rijndael chosen?

According to the NIST, Rijndael appeared to perform very well across a wide range of computing environments, and was found to be particularly suited to use in embedded hardware such as mobile phones and smart cards. Rijndael also outperformed the competition in all time trials.

Daemen and Rijmen's algorithm differed from the competing entries in that it avoided the so-called "Feistel transposition". This routine is common to most algorithms. The Feistel routine involves splitting the block of data to be encrypted into two pieces. The algorithm works by performing mathematical operations on one half, and using the output (results) from these operations on the other half.

This is a serial process and may require many iterations (called "rounds" in cryptography). The Rijndael approach works on all the bits of the input data simultaneously, and is therefore faster and more suited to implementation on parallel processors and in hardware.
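The Feistel routine described above can be shown in a few lines. The following is an added example, not code from the article or from any AES candidate: a toy 16-byte Feistel network whose round function, key schedule, round count and sample inputs are all constructed assumptions (SHA-256 stands in for the real round function). It shows that each round leaves one half of the block untouched, and that decryption reuses the same rounds with the subkeys reversed.

```python
import hashlib

ROUNDS = 8   # constructed value for the demo
HALF = 8     # bytes per half, giving a 16-byte (128-bit) block

def round_keys(key):
    # Toy key schedule (assumption): one hash-derived subkey per round.
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(ROUNDS)]

def f(half, subkey):
    # Round function. A truncated hash is not invertible, and need not be.
    return hashlib.sha256(subkey + half).digest()[:HALF]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel_round(left, right, subkey):
    # The right half passes through untouched; F(right) is mixed into the left.
    return right, xor(left, f(right, subkey))

def run_network(block, subkeys, trace=None):
    if len(block) != 2 * HALF:
        raise ValueError("block must be exactly 16 bytes")
    left, right = block[:HALF], block[HALF:]
    for sk in subkeys:
        left, right = feistel_round(left, right, sk)
        if trace is not None:
            trace.append((left, right))
    return right + left   # final swap makes decryption the same network

def encrypt_block(block, key, trace=None):
    return run_network(block, round_keys(key), trace)

def decrypt_block(block, key):
    # Same rounds, subkeys in reverse order; F itself is never inverted.
    return run_network(block, list(reversed(round_keys(key))))

if __name__ == "__main__":
    key, pt = b"constructed key", b"sixteen byte msg"   # constructed sample input
    steps = []
    ct = encrypt_block(pt, key, steps)
    for n, (l, r) in enumerate(steps, 1):
        print(n, l.hex(), r.hex())
    print("ciphertext:", ct.hex())
    print("round trip ok:", decrypt_block(ct, key) == pt)
```

In the printed trace, the left column of each round equals the right column of the round before it, which is the serial dependency the article refers to.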

Some critics raised objections that Rijndael had avoided any obfuscation techniques to hide its encryption mechanism from crackers. Rijndael's authors replied that obfuscation was a waste of time, but did not elaborate any further. More streetwise observers think that the Belgians were avoiding the attentions of the Hitachi company, which holds many US patents on encryption obfuscation techniques, and had promised to defend them vigorously. Indeed, some cynics claimed that there was little to choose between the top three contenders, and that the US officials chose Rijndael precisely because there would be no ensuing legal hassle.

The US decision to adopt the Rijndael algorithm means, of course, that the little guys are now millionaires. It also ensures that the technique will achieve enormous market penetration outside of government agencies, so the little guys won't be little guys any more. Watch out for a Nasdaq flotation.

Fintan Gibney is an IT consultant with the Irish software company, SmartForce.