Cryptography standard thrown a curve

The striking of an interoperability agreement between several major manufacturers of cryptography products should be a boon for future e-commerce implementations, according to one industry observer.

“The definition of e-commerce is between entities,” said Victor Wheatman, an analyst with consultancy Gartner Group Inc. in San Jose, Calif. “You might be able to control things that go on within your own house, but you can’t control things within the other person’s house and if you want to communicate across a divide, having the same language or same standards in place certainly facilitates e-commerce.”

The interoperability agreement, which covers security solutions based on elliptic curve cryptography, is called the Standards for Efficient Cryptography Group (SECG). Participating companies include Certicom Corp., Ernst & Young, 3Com Corp., Fujitsu Ltd., GTE Cybertrust, Hewlett-Packard Co. and Motorola Inc.

The most widely deployed public key cryptography technology belongs to RSA Data Security Inc., Wheatman said. But elliptic curve cryptography promises to provide more efficient encryption than RSA or other cryptography alternatives, he noted.

Because of its efficient performance and low memory utilization, elliptic curve cryptography should become the market leader in the personal digital assistant (PDA) and wireless device markets, said Bill Lattin, Certicom’s director of security infrastructure marketing in San Mateo, Calif.

“If you’re in a constrained device environment, such as PDAs or cell phones where you have low data rate transmission and low memory availability, elliptic curve works well, because the data storage and data transmission requirements are low,” he said.

Lattin also believes elliptic curve cryptography is ideal for smart cards, because it allows them to be manufactured more cheaply.

“Everybody needs security, but no one wants to pay a lot for security and elliptic curve allows you to have a secure smart card using a simple eight-bit microprocessor,” he said. “You don’t need a cryptographic co-processor.”

Elliptic curve cryptography is used in 3Com’s new Palm VII handheld organizer, which allows users to send and receive e-mail over a wireless link, Lattin noted.

The IEEE, ISO and ANSI have already established standards for elliptic curve implementations, but Lattin said they’re not specific enough to ensure interoperability.

“To categorize those standards, they’re quite broad in their coverage and the focus of this group (SECG) is really on interoperability,” he said. “The joke about standards is there are so many of them it virtually guarantees non-interoperability. The focus of this group is to create a standard whose raison d’