Cryptography and Security: The Narrow Road from Theory to Practice Burt Kaliski, RSA Security ISPEC 2006, Hangzhou, China April 13, 2006.


Introduction
- Many research results in cryptography over the past 30 years
- Few have made it from theory into practice
- What’s worked well?
- What hasn’t?
- Why not, and what researchers can do about it

From Theory to Practice
- Not every idea will make it into practice, of course
- “Innovation funnel” suggests that only a few ideas survive the necessary testing
- Thomas A. Edison: Genius is one per cent inspiration and ninety-nine per cent perspiration.
- Goal: Increase likelihood that a good idea in cryptography will actually be applied

Some Observations
- Examples from “Practice & Experience”
- What’s worked well and what hasn’t
- NB: “Worked well” doesn’t mean it was brought into practice perfectly, and “hasn’t” doesn’t mean it wasn’t brought into practice at all. But some good ideas have found their way into practice much more easily than others.

What’s Worked Well
- Basic public-key cryptography
  - PKCS #1 v1.5 RSA
  - discrete log. systems (Diffie-Hellman, DSA)
  - elliptic curve cryptography

What Hasn’t
- Public-key enhancements and variations
  - RSA-OAEP, -PSS, -KEM
  - Cramer-Shoup schemes
    - provable security in standard model, but …
  - various zero-knowledge versions
  - other public-key families, e.g., NTRU

What’s Worked Well
- Basic digital signatures
  - sign + verify

What Hasn’t
- Special digital signatures
  - blind, group, designated confirmer …
- Direct Anonymous Attestation is a potential exception

What’s Worked Well
- Advanced Encryption Standard and Triple-DES
  - culminating many years of research on DES replacements

What Hasn’t
- Stream ciphers
  - other than RC4 …
- Modes of operation
  - other than basic four (or five)

What’s Worked Well
- HMAC message authentication
  - Hash(K_1 || Hash(K_2 || M))
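
The nested form on this slide, written out as an added example (not code from the presentation). It assumes K_1 and K_2 are the two padded keys that HMAC derives from a single key as in RFC 2104, with SHA-256 standing in for Hash; the function names are illustrative.

```python
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C  # per-byte pad constants from RFC 2104


def derive_keys(key, hash_name="sha256"):
    """Derive the outer key K_1 and inner key K_2 from one secret key."""
    block = hashlib.new(hash_name).block_size
    if len(key) > block:                      # long keys are hashed first
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block, b"\x00")           # then zero-padded to one block
    k1 = bytes(b ^ OPAD for b in key)
    k2 = bytes(b ^ IPAD for b in key)
    return k1, k2


def hmac_nested(key, msg, hash_name="sha256"):
    """Compute Hash(K_1 || Hash(K_2 || M))."""
    k1, k2 = derive_keys(key, hash_name)
    inner = hashlib.new(hash_name, k2 + msg).digest()
    return hashlib.new(hash_name, k1 + inner).digest()


def verify(key, msg, tag):
    """Compare tags in constant time so timing does not reveal matching bytes."""
    return hmac.compare_digest(hmac_nested(key, msg), tag)


if __name__ == "__main__":
    # Constructed sample key and message, for illustration only.
    key, msg = b"constructed-demo-key", b"amount=100&to=alice"
    tag = hmac_nested(key, msg)
    print(tag.hex())
    print(tag == hmac.new(key, msg, hashlib.sha256).digest())  # agrees with stdlib
    print(verify(key, msg + b"0", tag))                        # altered message
```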

What Hasn’t
- Many other “fast” MACs
- Incremental message authentication

What’s Worked Well
- Shamir secret sharing
  - k of n for root keys

What Hasn’t
- Secret sharing with other access structures
- Distributed cryptography
- Secure multi-party computation

What’s Worked Well
- Password hashing
  - Hash(password + salt)

What Hasn’t
- Password-authenticated key establishment
  - aka “zero-knowledge” password protocols

What’s Worked Well
- SSL-protected e-commerce
  - server PKI
  - session key establishment
  - session encryption

What Hasn’t
- Digital cash
- Secure auctions
- Electronic voting

What’s Worked Well
- Montgomery multiplication
  - AR_n * BR_n → ABR_n
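
An added sketch of the Montgomery product on this slide (not code from the presentation). It reads the subscript n as reduction mod n and assumes R is a power of two larger than an odd modulus n; the class and method names are illustrative.

```python
class Montgomery:
    """Arithmetic on values kept in Montgomery form x*R mod n."""

    def __init__(self, n):
        if n < 3 or n % 2 == 0:
            raise ValueError("modulus must be odd and >= 3")
        self.n = n
        self.bits = n.bit_length()
        self.r = 1 << self.bits                    # R = 2^bits > n, gcd(R, n) = 1
        self.mask = self.r - 1
        self.n_neg_inv = (-pow(n, -1, self.r)) % self.r   # -n^-1 mod R
        self.r2 = (self.r * self.r) % n            # R^2 mod n, used by to_mont

    def redc(self, t):
        """Return t * R^-1 mod n for 0 <= t < R*n without dividing by n."""
        m = ((t & self.mask) * self.n_neg_inv) & self.mask
        u = (t + m * self.n) >> self.bits          # exact: t + m*n is 0 mod R
        # The final subtraction depends on the data; constant-time code
        # avoids a secret-dependent branch here.
        return u - self.n if u >= self.n else u

    def mul(self, a_r, b_r):
        """(A*R mod n, B*R mod n) -> A*B*R mod n."""
        return self.redc(a_r * b_r)

    def to_mont(self, a):
        return self.redc((a % self.n) * self.r2)

    def from_mont(self, a_r):
        return self.redc(a_r)

    def pow(self, base, exp):
        """Left-to-right square-and-multiply in Montgomery form (not constant-time)."""
        x, acc = self.to_mont(base), self.to_mont(1)
        for bit in bin(exp)[2:]:
            acc = self.mul(acc, acc)
            if bit == "1":
                acc = self.mul(acc, x)
        return self.from_mont(acc)


if __name__ == "__main__":
    n = (2**61 - 1) * (2**89 - 1)                  # constructed odd modulus
    mont = Montgomery(n)
    a, b = 1234567890123456789, 987654321987654321
    print(mont.from_mont(mont.mul(mont.to_mont(a), mont.to_mont(b))) == a * b % n)
```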

What Hasn’t
- Karatsuba-Ofman multiplication
  - A_H B_H, A_L B_L, (A_H + A_L)(B_H + B_L), recursively
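
The three half-size products named on this slide, carried through as an added example (not code from the presentation). The 32-bit leaf size and the leaf-product counter are assumptions made for illustration.

```python
def karatsuba(a, b, limb_bits=32, stats=None):
    """Multiply non-negative integers with three recursive products per level."""
    if a < 0 or b < 0:
        raise ValueError("operands must be non-negative")
    if limb_bits < 3:
        raise ValueError("limb_bits must be at least 3 so the recursion shrinks")
    # Leaf: at least one operand fits in a limb, multiply directly.
    if a.bit_length() <= limb_bits or b.bit_length() <= limb_bits:
        if stats is not None:
            stats["leaf_products"] = stats.get("leaf_products", 0) + 1
        return a * b

    half = max(a.bit_length(), b.bit_length()) // 2
    mask = (1 << half) - 1
    a_h, a_l = a >> half, a & mask        # A = A_H * 2^half + A_L
    b_h, b_l = b >> half, b & mask        # B = B_H * 2^half + B_L

    hh = karatsuba(a_h, b_h, limb_bits, stats)                  # A_H B_H
    ll = karatsuba(a_l, b_l, limb_bits, stats)                  # A_L B_L
    cross = karatsuba(a_h + a_l, b_h + b_l, limb_bits, stats)   # (A_H+A_L)(B_H+B_L)

    # The middle term A_H B_L + A_L B_H falls out by subtraction,
    # which is what saves the fourth multiplication.
    mid = cross - hh - ll
    return (hh << (2 * half)) + (mid << half) + ll


if __name__ == "__main__":
    # Constructed 1024-bit operands.
    a = (1 << 1024) - 159
    b = (1 << 1023) + 12345
    stats = {}
    print(karatsuba(a, b, 32, stats) == a * b)
    # Schoolbook multiplication of 32 limbs by 32 limbs needs 32 * 32 products.
    print(stats["leaf_products"], "leaf products versus", 32 * 32)
```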

What’s Worked Well
- Side-channel implementation countermeasures
  - protection for basic RSA, ECC, AES, etc.

What Hasn’t
- Intrusion-resilient cryptography
  - alternatives to RSA, ECC, AES, etc. that are less vulnerable by design

What’s Worked Well
- Software codebreaking
  - distributed key search and integer factorization

What Hasn’t
- Hardware codebreaking
  - e.g., factoring circuits
  - “Deep Crack” for DES is a notable exception

Why Not?
1. “Not secure enough”
2. “Too many choices”
3. “No clear advantage”
4. “Too complicated”
5. “Not practical”

“Not Secure Enough”
- New ideas in cryptography often need a long period of testing before others are confident to adopt them
- In many cases not enough people are even looking at the idea
- Expectations keep increasing based on experience with previous ideas
- Example: NTRU based on a new problem, and also held to a much higher standard than, say, RSA
- Tight reductions from known problems against broad adversaries give the most confidence
  - But ideas based on new problems are also needed!

“Too Many Choices”
- Research in an area can often result in a multiplicity of choices, none of which has enough support to move ahead of the rest
- Results build on one another, and it may not be clear when a result is finally “stable”
- Example: New modes of operation for block ciphers are numerous, though gradually being standardized
- Competitions can help bring a research area to conclusion and enable a few good choices to advance

“No Clear Advantage”
- New ideas, though good, may not be enough better than methods that are already available to justify the cost of making the change
  - Long-term assurances not as appreciated in the short term
- Cost of introducing a new technology can be very significant, especially when it depends on industry standards
- Example: RSA-PSS, -KEM provide long-term assurances, but require upgrades to existing systems
- Transition planning can help phase in a new idea while still supporting available methods
- New applications generally a better target than existing ones

“Too Complicated”
- Some new ideas are just too “different” for designers to work with, especially in terms of business models and use cases
- Example: distributed cryptography requires a non-hierarchical “workflow” that’s not usually found in applications
- Reference implementations that enable new applications and hide the technical details can facilitate adoption
  - e.g., RSAREF and PGP for public-key cryptography

“Not Practical”
- And for some ideas, the time has not yet come — other technologies may need to advance or be developed
- Example: general secure multiparty computation is still computationally burdensome
  - Even public-key crypto was challenged in its early days!
- Patience may be called for, and there’s plenty of time to improve the theory and speculate on future applications in the meantime

Conclusions
- Researchers whose goal is to have the results of their research applied need to think about technology transfer
- Results are still important even if not applied directly, since they advance the science in general
- But better security depends on good research being put into practice
- Hopefully these experiences will help more good ideas move through that narrow road

Contact Information
Burt Kaliski
Chief Scientist, RSA Laboratories
Vice President of Research, RSA Security