Card Frontiers: Schlumberger Plans Card with 'Elliptic Curve' Coding

Certicom Corp. of Canada has announced plans to introduce its highly touted data encryption technology on smart cards.

Schlumberger has agreed to produce chip cards and core operating systems to which Certicom will add its Elliptic Curve Cryptosystem, or ECC.

The elliptic curve approach, available for more than 10 years but just beginning to generate serious interest in electronic banking and digital commerce circles, is designed to improve the efficiency of highly complex cryptographic calculations, and hence speed the completion of on-line transactions.

Incorporated in Schlumberger's Multiflex smart cards, ECC would be applied to the creation of digital signatures, which reliably authenticate transactions over the Internet and other open networks.

This would be an example of a hardware implementation of data encryption, which is considerably more secure than storing a cardholder's key (the string of data bits used to encrypt a message) in computer software.

Smart-card hardware, also known as token-based security, has the added advantage of portability.

Many banking strategists and technologists see cryptographic authentication on multifunction chip cards as crucial to mainstream participation in electronic commerce. Stratton Sclavos, president of the digital certificate vendor Verisign Inc., has termed the smart-card security token "the digital wallet of the future."

"The combination of public key and smart-card technologies offers an ideal solution for many applications requiring strong authentication," said Lisa Pretty, Certicom's director of strategic development.

"Certicom's ECC is attractive because of its strength and efficiency," said Nadaradjane Ramatchandirane, North American smart-card technology development director for Schlumberger, which has its base in France. "We have worked closely with Certicom to bring prototype products quickly to market."

Elliptic Curve Cryptosystem's main selling point is that it can deliver equivalent security on fewer bits, requiring far less computing capacity than common RSA cryptographic algorithms (those associated with RSA Data Security Inc.) or the U.S. government's Digital Signature Standard.

ECC draft standards are under review by the American National Standards Institute, Internet Engineering Task Force, and other bodies.

In the summer 1995 edition of CryptoBytes, an RSA Laboratories newsletter, Alfred Menezes of Auburn University concluded that elliptic curves "offer the most security per bit of any known public key scheme."

A variation on those words appears in Certicom's current pitch: "the highest strength per bit of any known public key system, minimizing the requirement for larger key sizes."

The company estimates ECC requires just 106 bits to equal the security of a 512-bit RSA key; an ECC key of 155 bits is equivalent to a 1,024-bit RSA key. Digital signatures could therefore be correspondingly smaller and quicker to verify.

ECC's shorter bit lengths are seen as well suited for what technologists call "small-footprint environments," such as smart cards, and they would be less taxing on the Internet merchant servers that show signs of strain when they have to crunch security algorithms like those in the MasterCard-Visa Secure Electronic Transactions protocol.

"The smaller key sizes result in smaller system parameters, smaller public-key certificates, bandwidth savings, and faster implementations," wrote Prof. Menezes, a consultant to Certicom. "Elliptic curve systems are particularly beneficial in applications where computational power and integrated-circuit space is limited, such as smart cards, PCMCIA cards (common in laptop computers), and wireless devices."

The elliptic curve is a mathematical concept dating back to the last century. Its application to cryptography was proposed in 1985 by two researchers, Victor Miller at International Business Machines Corp. and Neal Koblitz at the University of Washington.

That same year, Certicom was formed as Mobius Encryption Technologies. (Mobius became Certicom in 1995, when it also went public.) The company, based in Mississauga, Ontario, grew out of the data encryption group of the University of Waterloo, Ontario, with which it remains closely associated.

It took several years of technical advances before the Elliptic Curve Cryptosystem began to look feasible for mass-commercial use, and in the meantime Certicom established itself as a prominent data security vendor. Its customers include Toronto Dominion Bank, which uses Certicom technology in its TD Access on-line banking and brokerage system.

In another sign of growing interest in data-encryption efficiency, Certicom recently licensed elliptic curve technology to Terisa Systems Inc. and Tandem Computers Inc.'s Atalla division, two U.S. companies in the thick of digital commerce development and seeking ways to maximize throughput.
