Belgian unknowns beat top companies to create new encryption system

When two unknown Flemish computer scientists were chosen to provide the encryption formula that will protect the US government's top secret documents for the next 30 years, their rivals included a small army of engineers from International Business Machines, the author of the "bible" of cryptology, and programmers from Deutsche Telekom and NTT Communications.

"It was like entering a competition to design a new computer system and discovering Bill Gates is the competition," says Joan Daemen, 35, an engineer who is developing the next generation of smart cards for Proton World International, a Brussels-based technology company.

While IBM's team had 11 engineers, Mr Daemen's only collaborator was Vincent Rijmen, a 30-year-old researcher at the Catholic University in Leuven and sometime hacker, who downloaded some of his rivals' algorithms from the Internet and found their flaws.

Encryption is used to scramble credit transfers in online transactions, making it crucial to the growth of public confidence in e-commerce. Algorithms, the equations at the heart of computerised encryption systems, encode everything from electronic mail to the personal identification numbers used with automated bank machines.

The cryptographers spent five years developing their formula, which is called Rijndael (pronounced "Rhine doll"), after an Internet search revealed their first choice Rijndam, a combination of their names, was a convalescent home in Holland. They have agreed to give the formula away.

In order to enter what has become known as the "cryptology Olympics", 15 teams from across the world had to submit algorithms to the US National Institute of Standards and Technology, an agency of the US Commerce Department, where they were scrutinised by the world's leading cryptographers.

A lot of money is at stake. According to the National Institute of Standards and Technology, Rijndael will be adopted by US federal agencies, including the National Security Agency, which is in charge of some of America's most secret documents. The standard is also being adopted by the US financial industry, and the institute predicts it will protect thousands of billions of dollars' worth of transactions every day.

Beyond providing stringent security, Rijndael's versatility proved a big advantage, since it can run securely and efficiently on large computers, desktop computers and even small devices such as smart cards.

"People expected us to choose a large American company. Rijndael won because it was the best," says Mr Jim Foti, a mathematician at the national institute. Rijndael will replace the old data encryption standard (DES), developed by IBM and adopted as the US federal government's standard in 1977. It is no longer considered effective owing to the enormous growth in computer power in the past three decades. Cryptographers have since built powerful computer systems that can crack its codes. "Our system provided greater security," says Mr Daemen.

Rijndael is much more difficult for would-be hackers to attack than the old standard. The security of an encryption system is determined by the length of the numeric key used to encrypt and decrypt messages. DES, for example, uses a key 56 bits long, which means a code-cracking computer would need to try 72 × 10^16 (72 followed by 16 zeros) combinations before it could crack it. Rijndael, in contrast, uses a key 128 bits long, meaning a hacker would have to go through 34 × 10^37 (34 followed by 37 zeros) possible keys before finding the right combination to open the computer's "door".

Until recently, cryptography was considered an arcane science, used primarily by wartime code-makers to protect military secrets. However, encryption has entered the public imagination through books and films depicting the Allied quest to unscramble messages from the German Enigma encoding machine during the Second World War. It underwent a revival in the 1970s when the US government began to cast around for an encryption standard to protect classified documents. Today e-commerce has put cryptography under the global spotlight. It is a sign of cryptography's global sweep that Belgium has managed to produce the standard that will be used by the world's superpower. Mr Daemen says that while the US leads Europe in Internet usage, Europe's leadership in the development of smart cards has given cryptographers an edge.

The new standard is expected to have the biggest influence in the e-commerce and financial services industries.

According to Forrester, the research group, the global e-commerce market for business-to-business transactions is expected to grow to about $1,300 billion by 2003. However, growth has been slowed because consumers and businesses are wary of a perceived lack of privacy, a high fraud level and the inability to distinguish legitimate businesses from rogues.

Mr Norman Mineta, US commerce secretary, predicts that the new standard will "allow e-commerce and e-government to flourish safely". When he announced earlier this month that the Belgians had won the three-year competition, he hailed Rijndael as "a very significant step towards creating a more secure digital economy".

Organisations doing business with the US government have adopted the standard and it is expected to be embraced by Internet authorities, as well as the global financial industry.

The American National Standards Institute, which oversees security standards for financial institutions, is adopting it and commercial products incorporating it are available.

Mr Foti says a machine capable of breaking DES would take 149,000 billion years to break Rijndael at the lowest of its three levels of security.

Although the US decision is likely to force the business world to adopt the technology, it will not bring huge commercial gains to its inventors. So far their only reward has been a free plane ticket to the US for the award ceremony.

Under the terms of the competition, the algorithm will be freely available, allowing it to be incorporated into other products by software manufacturers.

With or without Bill Gates-style riches, the Belgians are happy. "We get the prestige. We have become known as the Jean-Claude Van Damme of the encryption world. He may be 'the muscles from Brussels' but we are its brains," says Mr Daemen.