Cryptography and Data Security: Long-Term Challenges

Burt Kaliski, RSA Security
Northeastern University CCIS Mini Symposium on Information Security
November 9, 2004

Approach

• Looking toward future generations of information technology – 30-year timeframe
• Cryptography, network security grow in importance as essential building blocks
• Challenges lie ahead – what can we do?
• Two kinds of solution to consider:
  — “Easy”: apply current knowledge to alleviate problems
  — “Better”: discover new knowledge that overcomes them


Challenge #1: No Algorithm Is Safe

• Today’s algorithms remain secure for 30+ years against known attacks on classical computers, with sufficiently large keys
• The risk: unknown attacks and quantum computers
  — Quantum computers would break today’s number-theoretic public-key cryptography; halve effective key size of secret-key algorithms
  — Unknown attacks could have equally dramatic effect
• Key problem: With a few exceptions, no algorithms are proven secure unconditionally

Algorithm Directions: “Easy”

1. Employ multiple algorithms based on different hard problems
   — Presumably less likely all to fall at once
2. Deploy secret-key-only architectures where feasible
3. Adopt Merkle hash signatures
   — (2.) and (3.) reduce the dependence on number-theoretic public-key cryptography, which is riskiest against quantum computers
   — However, no assurance that specific secret-key algorithms and hash functions resist specific quantum (or classical) attacks
4. Introduce quantum cryptography as an extra layer of protection
   — But limited to link encryption with photon transmission

Algorithm Directions: “Better”

1. Develop alternative algorithms based on different hard problems
   — A broader portfolio against attack
   — But involves a long testing process – few hard problems have survived last 30 years
2. Find new algorithms that are provably resistant to attack – or fully prove strength of existing ones
   — Requires major breakthroughs in computational complexity theory
     • e.g., lower bounds for integer factoring
3. Invent quantum or other form of cryptography that isn’t limited to photon transmission, e.g., “RF quantum”?
   — Assumes new results in physics

Challenge #2: No Data Is Safe

• Data and keys can be reasonably well protected today against compromise with trusted hardware, software
• The risk: Attacks are becoming more sophisticated, and usability competes with security
  — Side-channel analysis can expose keys in many implementations
  — Availability requirements often encourage multiple copies of data
• Key problem: Security architectures today generally based around explicit data and keys
  — Each instance an opportunity for compromise

Data Protection Directions: “Easy”

1. Build implementations of existing algorithms to address side-channel attacks — not just for speed & space
2. Employ architectures based on implicit data and keys:
   — Secret splitting: Data stored in n shares, k required to reconstruct
   — Distributed cryptography and secure multi-party computation: Keys stored and used in shares – never explicitly reconstructed
3. Adopt techniques that “heal” the effects of compromise:
   — Proactive security: Shares are periodically refreshed
   — Forward security: Keys are updated regularly such that past keys cannot be computed from current ones

Data Protection Directions: “Better”

1. Design new algorithms that are provably less vulnerable to side-channel attacks and other compromises
   — “physically observable cryptography” (Micali, Reyzin)
   — potentially a difficult tradeoff versus conventional attacks
2. Develop new, practical data protection techniques based on other hard problems
   — e.g., only on hash functions
3. Invent something physics-based, e.g., “quantum secret-splitting”?

And That’s Just the Data …

• Future networks, with numerous mobile components in ad hoc configurations, will also be at risk to a host of new attacks, e.g.:
  — Routing table corruption, leading to network partition, traffic analysis
  — “Selfish” nodes that expend others’ resources but do not contribute their own
• Countermeasures here involve a new way of viewing networks, where trust is earned, not assumed (Jakobsson et al.):
  — “Micropayments” as network diagnostics
  — Reputation management
  — Game theory

Summary

• Today’s cryptography and data protection are reasonably strong, but 30 years is a long time
• Better long-term assurance requires new techniques and methods of analysis
  — An architecture of implicit data built on a foundation of provable algorithms
• Research challenge is the same as for networks: a roadmap from today’s “gigabit security” into terabits and beyond

Contact Information

• Burt Kaliski
VP Research, RSA Security
Chief Scientist, RSA Laboratories
bkaliski@rsasecurity.com
http://www.rsasecurity.com/
