Home & Office

RSA weighs in on teen's 'breakthrough'

Crypto experts praise Irish high-school student, reserve judgment on new technique.
Written by ZDNet Staff, Contributor

She's young, she's brilliant, and she knows what she's talking about. But to prove she's a real prodigy, her work must still endure the test of time.

Or so say encryption experts who gathered for the RSA Data Security Conference in San Jose, California this week. They agreed that 16-year-old Sarah Flannery of Blarney, Ireland knows encryption, but they criticised media claims that her techniques are faster and better than established algorithms. "She knows what she's talking about," said Ronald Rivest, Webster professor of electrical engineering and computer science at the Massachusetts Institute of Technology (MIT) and the 'R' in RSA. "But there's not enough information to evaluate her work."

Rivest had spoken with Flannery after the initial press reports, which claimed that the teen's technique worked faster than the ubiquitous RSA technology, while being equally secure. He described her as "pleasant." But he also acknowledged that she "knew her number theory" -- that being high praise indeed in the company of cryptographers.

Yet, details of Flannery's algorithm for scrambling data were not known, leaving cryptographers in the dark about whether it really is more secure. "We are looking at, probably, five years before we know if this will stand up," said Paddy Holahan, vice president of marketing for Baltimore Technology Inc. Flannery did a two-week stint at Baltimore Technologies as an intern, meeting Dr. Michael Purser, who gave her the idea for her work.

It's extremely difficult to prove the efficacy of any encryption code, which renders data secure by making it unreadable without a unique key. In most cases, formal proofs by mathematics don't work. Instead, algorithms are publicly published and then tested extensively by the cryptographic community -- a process that can take years.

"Who is the authoritative voice which is attesting to this breakthrough?," asked D. James Bidzos, president of encryption software firm RSA Data Security, targeting the press reports that claimed the Irish student's technique is anywhere from 10 to 30 times faster than RSA's own. Even Flannery herself agreed that Bidzos has a point. "Obviously, [my technique] hasn't been put up for peer review and hasn't been attacked yet," said Flannery during a phone interview from her home in Cork County, Ireland.

Bidzos said that even the most brilliant cryptographers rarely get it right the first time. "The bad news is that this will probably not make it unscathed through the review process," he said. "The good news is that it sounds like she knows her stuff -- we have another bright person interested in encryption."

Flannery has named her coding technique the Cayley-Purser algorithm after Arthur Cayley, an eminent 19th-century Cambridge mathematician who worked with matrices, and Michael Purser, the Baltimore Technologies cryptographer who suggested the method to her in March 1998. According to William Whyte, another Baltimore Technologies cryptographer who worked with Flannery, the algorithm uses 2-by-2 matrices, a four-way combination of numbers. Each number is limited to a certain size, called a modulus. In a Usenet mail message, Whyte predicted that the security of Flannery's approach should be the same as an RSA key using a modulus of the same size.

And it is faster for larger messages. Flannery's analysis indicates that a 700-bit key would be encrypted 22 times faster than RSA's algorithm. "The downside," wrote Whyte, "is that both the key and the (coded text) are about eight times the length of the modulus, rather than more-or-less the length of the modulus as with RSA."

In other words, while faster, Flannery's coding technique is a memory hog. Yet, certain applications may benefit from Cayley-Purser. "It sounds like it has a different sweet spot than RSA," said Bruce Schneier, a noted cryptographer and president of crypto-firm Counterpane Systems Inc. of Minneapolis. "Assuming it's secure, it's not better -- just different."

For Flannery, the algorithm won her an award at the Irish Young Scientists and Technology Exhibition and far too much attention, in her mind, from the media. "The press has been just crazy," she said. What's next? While she considered patenting her algorithm, she has instead decided to submit it to the Crypto 99 conference, if she can get a paper ready in time.

While some inventors might be able to turn a profit on new technology, that time is over for cryptography, said one scientist. "Sarah is level-headed enough to know that new public-key algorithms only made you millions if you invented them in the Seventies," wrote Baltimore's Whyte.

Yet, Flannery has no shortage of options for school, or even a job. "We would definitely offer her a position," said Baltimore's Holahan. Rivest's attention could mean a scholarship at MIT. "Several schools have called me up," said Flannery, who has two years to go before she enters college. "It is certainly broadening my plans for the future."

Editorial standards