Last week at the Black Hat conference there was an insightful talk titled “The Factoring Dead: Preparing for the Cryptopocalypse”. The presentation discussed the inevitable fall of King RSA because of its weaknesses and the growing number of effective attacks on that particular public-key cryptosystem. It’s fantastic that, as an industry, we are taking this imminent threat seriously. However, the talk also encouraged the industry to move toward ECC (elliptic curve cryptography). I find this troubling for two reasons:
- The notion of a reigning Crypto King is dangerous. Relying on ANY single algorithm is a risk we cannot afford to take on the Internet. Whatever happened to the security industry’s sacred risk-mitigation mantra of defense in depth?
- ECC is broken the moment a large quantum computer arrives (Shor’s algorithm solves the elliptic-curve discrete logarithm problem just as it factors RSA moduli), and experts agree on this and anticipate it within the lifetime of systems being deployed today.
Talk about going from the frying pan to the fire.
ECC issues aside, it’s dangerous as an industry to have a knee-jerk reaction and say “the algorithm we all depend on 100% today (RSA) is looking shaky, so let’s all go depend solely on a different algorithm!” To a first approximation, processing is free and channel capacity is free these days. We should be taking advantage of that to build an Internet that stays cryptographically robust even if a widely trusted algorithm gets broken. If we don’t, we end up going through the same cycle over and over again. And it is even less sensible to rely entirely on ECC when we already know that quantum computers break ECC. The correct way to go is to build in support for multiple algorithms running in parallel: run two key exchanges side by side and derive the session key from both shared secrets, so that an attacker has to break both algorithms rather than one. A good place to start is ECC running in parallel with NTRU. Wait, you’ve never heard of the fastest quantum-resistant public-key algorithm?! How is that possible, you ask, when the industry is starving for secure communications?
NTRU has been around since the late 1990s and has been waiting patiently for the industry to stop treating RSA and ECC as viable long-term options. It has done its time: it is an IEEE standard and an X9 standard, and a NIST survey singles it out as the most practical of the lattice-based algorithms for withstanding quantum-computing attacks. If we have a solution that has been vetted by the standards bodies, shouldn’t the industry as a whole get on the same page, consider it in the mix as the future of crypto, and move collectively towards adoption?
I’d like to introduce you to NTRU:
- No known quantum attack (unlike RSA and ECC, which Shor’s algorithm breaks)
- As the required security level goes up, NTRU’s performance advantage over other algorithms grows even faster
- As the required security level goes up, key size grows more slowly than for RSA / DSA / Diffie-Hellman
- 200x faster than RSA, acknowledged by Ari Juels, Chief Scientist at RSA Labs: "[NTRU] is considerably faster; that is something we acknowledge"
- Endorsed in a NIST survey: “Of the various lattice based cryptographic schemes that have been developed, the NTRU family of cryptographic algorithms appears to be the most practical. …” (Quantum Resistant Public Key Cryptography: A Survey)
- IEEE standard (1363.1-2008)
- X9 standard (X9.98) for secure communications in financial services systems
- Small code footprint, about 4.5K of compiled machine code (ideal for M2M)
- Consumes minimal resources, including CPU and battery
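To make the scheme concrete, here is an added example (my own code, not from the original post and not the IEEE 1363.1 or X9.98 reference implementations) of the NTRUEncrypt core with toy parameters, plus the kind of combiner the “run two algorithms in parallel” argument above calls for. Everything about the parameters is an assumption chosen so the toy decrypts without failure: N=11, p=3, q=64 and the small coefficient weights. Real parameter sets use N in the hundreds. The `hybrid_key` function, its label string and its transcript argument are likewise illustrative, standing in for whatever combiner a real protocol would specify.

```python
# Toy NTRUEncrypt round trip (added example, not the original post's code).
# Polynomials live in Z[x]/(x^N - 1), stored as lists of N ints (index i = coefficient
# of x^i). Parameters are assumed and deliberately tiny: N=11, p=3, q=64.
import hashlib
import random

N, P, Q = 11, 3, 64            # q is a power of two, so gcd(p, q) = 1

def centre(a, m):
    """Lift coefficients mod m into the centred range [-m/2, m/2)."""
    return [((c + m // 2) % m) - m // 2 for c in a]

def ring_mul(a, b, m):
    """Cyclic convolution a*b mod (x^N - 1), coefficients reduced mod m."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[(i + j) % N] = (out[(i + j) % N] + ai * bj) % m
    return out

def _trim(a):
    a = list(a)
    while a and a[-1] == 0:
        a.pop()
    return a

def _divmod(a, b, m):
    """Long division of polynomials over Z_m (m prime): returns (quotient, remainder)."""
    a, b = _trim(c % m for c in a), _trim(c % m for c in b)
    inv_lead, quo = pow(b[-1], -1, m), [0] * max(len(a) - len(b) + 1, 1)
    while len(a) >= len(b):
        coef, shift = a[-1] * inv_lead % m, len(a) - len(b)
        quo[shift] = coef
        for i, bi in enumerate(b):
            a[shift + i] = (a[shift + i] - coef * bi) % m
        a = _trim(a)
    return quo, a

def _inverse_mod_prime(f, m):
    """Inverse of f in Z_m[x]/(x^N - 1) by extended Euclid; None if f is not a unit."""
    r0, t0 = [-1 % m] + [0] * (N - 1) + [1], []        # x^N - 1, t0 = 0
    r1, t1 = _trim(c % m for c in f), [1]              # invariant: t_i * f == r_i
    while r1:
        quo, rem = _divmod(r0, r1, m)
        prod = [0] * max(len(quo) + len(t1), len(t0))
        for i, qi in enumerate(quo):
            for j, tj in enumerate(t1):
                prod[i + j] = (prod[i + j] + qi * tj) % m
        t2 = [((t0[i] if i < len(t0) else 0) - prod[i]) % m for i in range(len(prod))]
        r0, r1, t0, t1 = r1, rem, t1, _trim(t2)
    if len(r0) != 1:                                   # gcd has positive degree
        return None
    scale, inv = pow(r0[0], -1, m), [0] * N
    for i, c in enumerate(t0):                         # reduce t0 mod x^N - 1
        inv[i % N] = (inv[i % N] + c * scale) % m
    return inv

def _inverse_mod_q(f):
    """Invert f mod 2, then Newton-lift (inv <- inv*(2 - f*inv)) up to mod q = 2**k."""
    inv, e = _inverse_mod_prime(f, 2), 1
    while inv is not None and e < Q.bit_length() - 1:
        t = [(-c) % Q for c in ring_mul(f, inv, Q)]
        t[0] = (t[0] + 2) % Q
        inv, e = ring_mul(inv, t, Q), 2 * e
    return inv

def _ternary(rng, ones, neg_ones):
    """Random polynomial with exactly `ones` +1 and `neg_ones` -1 coefficients."""
    coeffs = [1] * ones + [-1] * neg_ones + [0] * (N - ones - neg_ones)
    rng.shuffle(coeffs)
    return coeffs

def keygen(rng):
    """Public key h = p*f_q*g mod q, private key (f, f_p); retries until f is invertible."""
    while True:
        f = _ternary(rng, 3, 2)
        fp, fq = _inverse_mod_prime(f, P), _inverse_mod_q(f)
        if fp is not None and fq is not None:
            break
    g = _ternary(rng, 2, 2)
    return ring_mul([P * c for c in fq], g, Q), (f, fp)

def encrypt(h, m, rng):
    """e = r*h + m mod q for a ternary message m and a fresh random blinding r."""
    return [(a + b) % Q for a, b in zip(ring_mul(_ternary(rng, 2, 2), h, Q), m)]

def decrypt(sk, e):
    """f*e mod q is exactly p*r*g + f*m (these weights keep |coeff| <= 17 < q/2),
    and f_p*(p*r*g + f*m) == m (mod p) because f_p*f == 1 (mod p)."""
    f, fp = sk
    return centre(ring_mul(fp, centre(ring_mul(f, e, Q), Q), P), P)

def hybrid_key(ss_classical, ss_lattice, transcript):
    """Illustrative combiner for algorithms run in parallel: the session key needs
    both shared secrets, so an attacker has to break the ECC share *and* the NTRU share."""
    return hashlib.sha256(b"hybrid-v1|" + ss_classical + ss_lattice + transcript).digest()

def roundtrip(seed=1):
    """Generate a key, encrypt a random ternary message, decrypt: returns (sent, received)."""
    rng = random.Random(seed)
    h, sk = keygen(rng)
    m = _ternary(rng, 3, 3)
    return m, decrypt(sk, encrypt(h, m, rng))
```

Two things the toy makes visible that the bullet list does not: key generation is the expensive step (it needs inverses of f modulo both p and q, which is why `keygen` retries until f is a unit), and correct decryption depends on the coefficients of p*r*g + f*m never wrapping modulo q. Here the weights are small enough that wrapping is impossible; production parameter sets instead choose N, q and the weights so that the probability of a decryption failure is negligible, and an implementation still has to treat a failed decryption as an error rather than as plaintext.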
RSA is a black dwarf star, no longer emitting the energy needed to secure our communications. However, the larger question is where we go next. First, we need to come to a consensus that relying on a King Crypto creates a risky single point of failure, and agree on an alternative approach. Then, we need to take a close look at the encryption algorithms available today and determine which two (or possibly three) are the viable options for years to come.
I have made my business case for NTRU, and so, at some level, has the industry already. Let’s encourage others to do the same. This is a big decision, folks; let’s do it right.