A Comparative Evaluation of Algorithms in the Implementation of an Ultra-Secure Router-to-Router Key Exchange System

This paper presents a comparative evaluation of possible encryption algorithms for use in a self-contained, ultra-secure router-to-router communication system, first proposed by El Rifai and Verma. The original proposal utilizes a discrete logarithm-based encryption solution, which will be compared in this paper to RSA, AES, and ECC encryption algorithms. RSA certificates are widely used within the industry but require a trusted key generation and distribution architecture. AES and ECC provide advantages in key length, processing requirements, and storage space, while also maintaining an arbitrarily high level of security. This paper modifies each of the four algorithms for use within the self-contained router-to-router environment system and then compares them in terms of features offered, storage space and data transmission needed, encryption/decryption efficiency, and key generation requirements.


Introduction
With the rise of globalization, microelectronics, and the information age, the need for rapid, long-distance transmission of unconditionally secure information has never been greater. Whether dealing with military intelligence, corporate secrets shared between two (or more) company offices, remote control of vital national infrastructure components such as power and traffic control systems, or mechanical instructions transmitted to off-site medical devices for telesurgery, device updates, and health reports, there are many situations where the rapid, accurate, and secure transmission of information between two parties is a basic necessity. In extreme cases, alteration or even decryption of this information by unauthorized parties may result in damages of billions of dollars and the lives of others.
Historically, only two encryption schemes have been proposed which offer unconditional security, both unsuitable for practical telecommunications. The first, the one-time pad, proposed by Gilbert Vernam in 1919 [1], utilizes a single-use encryption key equal to the message length which both the sending and receiving parties may use to encrypt and decrypt the message. The disadvantages of this system in a long-term high data rate communication system are obvious, with each message requiring a preshared key equal to the message length. The second, recently proposed unconditional cryptographic system is quantum cryptography, where security is achieved through the laws of quantum mechanics, which allow for very accurate determination of eavesdroppers along a quantum channel, as well as the simultaneous determination of small shared and secure random values. Currently available quantum encryption protocols include BB84, proposed in 1984 by Bennett and Brassard [2], the variant SARG04 [3], and the later-developed B92 [4]. All three solutions, while unconditionally secure, possess severe limitations which make them unsuitable for general commercial use, including reliance on single-photon generators (greatly limiting practical data rate) and, most importantly, the presence of a physical, well characterized quantum channel between endpoints, with a maximum practical distance of a few hundred km. While some research has been proposed in the use of multiphoton quantum sources [5] and channel extension [6], this technology remains extremely expensive and unfeasible for general commercial use.
While unconditional security may be an unachievable goal, it may be realized to an arbitrarily high level via existing symmetric and asymmetric encryption systems. Currently, the most widely used form of global network communication between two distant parties relies on public key, asymmetric key cryptography such as RSA for transferring symmetric keys. Symmetric encryption systems then use these keys to encrypt the information being transferred. Noteworthy corporations offering SSL certificates with Elliptic Curve Cryptography (ECC), RSA, and DSA support include Symantec (formerly Verisign), GoDaddy, and Comodo.
Although presenting a viable and widely used solution to secure communication, allowing for message encryption and authentication, the security certificate system requires the presence of a trusted third party for the verification of the identity and legitimacy of certificate owners. The compromise of or loss of trust in such a third party, or the inability to contact the distribution network at need, may result in a large-scale breakdown of reliable and secure communications [7]. Furthermore, the increasingly large RSA key length requirements of public certificates to guarantee secure communication may be a barrier to practical implementation on limited-resource devices.
A novel proposal [9] for a secure communication system not requiring a third party for key generation and distribution involves instead a system of paired routers, communicating securely on any standard classical channel. Each router pair would be factory-initialized with a shared secret, enabling direct secure communication between the two regardless of network distance or security, with shared transmitted data on each end decrypted and used as the basis of further secure key generation as necessary. While the original system uses a variant of the discrete logarithm problem to introduce the nonlinearity necessary in a secure encryption system, nonlinearity introduced via other encryption methods offers alternative advantages. This paper first examines the originally proposed discrete logarithm-based encryption system and then proposes and compares other more commonly used encryption systems which may be used in this entirely self-contained environment, including RSA, ECC, and AES based encryption.

Related Work: Discrete Logarithm
The encryption system initially proposed in [9] is a variant of the discrete logarithm problem. This problem states that for the equation  =   mod() if a user knows , , and , computing  is computationally trivial. If, however, only  and  are known (and ), then there is no efficient algorithm to compute .
Under the proposed encryption system, the sender, Alice, and the receiver, Bob, choose a large prime  and its primitive root . These values may be public. Additionally, Alice secretly chooses two random positive numbers ,  1 < , Bob secretly chooses one random positive number  2 < , and both Alice and Bob know a shared secret random number .
(4) Bob, who knows the value of  2 , may easily recover  from  3 and use it to calculate Alice's chosen key  =   mod(), which is used to encrypt further communications.
As these 3 transmitted equations involve a total of 4 unknowns to any intercepting party (, ,  1 ,  2 ), determining the key for anyone who is not Alice or Bob is a nontrivial task, equivalent to finding the exponential of a discrete log problem.
Although initialization of the system requires shared public values of  and  and a shared secret random value , once a key has been used for a certain length of time, decrypted data transmitted between Alice and Bob may be used by both parties in an algorithm to determine a new  value, and Alice or Bob may propose a new key exchange. With each iteration in a cycle, new values of ,  1 , and  2 are arbitrarily chosen, while  is partially updated with a shared algorithm applied to the decrypted data transmissions of the previous iteration. With each complete cycle, the  value chosen will be completely replaced from the same iteration of the previous cycle. Further details may be found in [9].
If the key transfer protocol is not completed successfully, whether due to data loss or due to malicious interference, it may be necessary to reinitialize the system via use of another preshared secret .
Storage requirements for this system involve a preshared secret of length . Although no minimum length is required for , for increased security, it should be assumed that  is relatively large, at a minimum approaching the approximate length of . itself should be a large prime, in order to deter brute force attacks. Processing time for this encryption system for both encryption and decryption is relatively trivial, involving multiple multiplication, exponentiation, and mod operations. As both endpoints share a common key , this system does not allow for external message authentication or differentiation between messages originating from Alice or Bob.
The most efficient attack currently used on the general case of the discrete logarithm problem is the number field sieve [10], arriving at a solution for a prime number  in   [1/3; 3 2/3 ] (this is approximately ). The security provided may thus be directly compared to that of RSA, which also may be most efficiently defeated via the general number field sieve, although discrete logarithms offer slightly more protection for a given key size. A quantum system, once it exists, may use Shor's algorithm to solve this problem in polynomial time [11].

Alternative I: RSA
The RSA algorithm has the advantage of being one of the most widely used and studied encryption methods today and is extremely elegant, simple, and well-tested. As the default algorithm used by many SSL providers, as well as the basic public key encryption scheme most others are compared to, RSA is used here as a baseline for the comparison of other encryption methods, even though it is not as storage-efficient or processing-efficient as other algorithms studied and requires the use of longer key lengths for equivalent security. Current commonly used RSA key lengths include 1024 and 2048 bits.
The basic principle of RSA security rests on the theory that it is extremely difficult to factor the product of two large prime numbers into its constituent factors. Each individual in the RSA network must create 2 complementary keys, commonly referred to as a public key and a private key, with each key able to decrypt messages enciphered using its complement. To create this key pair, Alice and Bob must each do the following [1]:
(1) Choose two similar large prime numbers  and , which are within a few digits of each other in length.
and  are multiplied together to form a modulus .
(4) Message encryption may then be expressed, using the one key, as  = ( 1 )(mod ), while decryption uses the other key as  =  2 (mod ).
Typically, as the sending party must know the recipient's public key, as well as their own private key, RSA is not used within a self-contained system. Key generation for large primes may also be time consuming and resource intensive. Instead, third-party organizations must exist and are trusted to verify that a given public key corresponds to the stated owner's private key. Issued certificates linking a public key and verification of its owner's identity are generally valid for a set length of time, after which a new key must be generated and a new certificate request verifying the key's owner must be submitted to the central verification authority.
As our proposed router system must be self-contained after initial manufacture, this third-party verification method is not feasible, and we cannot rely on external communication for the identity verification of new public key data, requiring a slight modification of the standard RSA system. Instead, Alice's router will need to be initialized with prestored values for Alice's private key and Bob's public key, and Bob's will have Alice's public key and his own private key. In this scenario, it is not necessary for either party to know their own public key, and all 4 keys are kept private within the network.
Encryption and decryption function as standard RSA operations, with Alice encrypting data with Bob's public key and Bob decrypting data with his private key, and vice versa. After a data threshold is exceeded, Alice and Bob will both calculate new RSA key pairs and encrypt and send their new public keys using the old keys, with this encryption further acting as identity verification previously requiring a third party. For example, Alice's new public key would be encrypted first with her old private key for authentication and identity verification and then with Bob's old public key for security; then it will be sent to Bob. Bob would decrypt data using his own old private key and then Alice's old public key. Once both parties have received the new keys, all data will be transmitted using these. This system would allow for the use of RSA indefinitely, with rapid key updates, without the necessity of a third party. In the event of a communication failure due to data loss or malicious action, it may be necessary to switch to a new preshared certificate pair and begin the process again.
Storage requirements for an -bit RSA system are comparatively large, as larger key lengths are needed to assure equivalent security. Specifically, each router using this bit RSA algorithm will need to store 1 public and 1 private key, each consisting of an -bit modulus and a smaller exponent (also of maximum length about ) for a maximum total requirement of 4 bits per router. Processing time for RSA is also comparatively long, due to the larger key lengths and exponentiation operations required. The security of RSA is based upon the difficulty of the factorization problem. As with the discrete logarithm attack, the current approach to integer factorization involves the general number field sieve algorithm [12], which for an integer  will arrive at a solution in   [1/3; 1.923], that is, ( (1.923+( 1))(log ) 1/3 (log log ) 2/3 ). A quantum computer, should it ever exist, may factor large integers in polynomial time [11].
Although it is obvious that RSA offers several disadvantages when compared to other symmetric and asymmetric ciphers, it also offers at least one key advantage when compared to the other algorithms herein: message authentication. Unlike discrete logarithm, ECC, or AES encryption, since neither Alice nor Bob knows the other individual's private key, it would be possible for a third-party external audit, given hardware access to both router keys and all traffic sent, to determine the sender of all encrypted data. Using the other encryption systems, given the encrypted data alone, it is possible to determine that either Alice or Bob sent a message, but not to authenticate which one encrypted the data.

Alternative II: AES
AES, based upon the Rijndael cipher, was announced by the National Institute of Standards and Technology in 2001 and was shortly thereafter approved as an accepted encryption standard by the United States Federal Government. AES, similar to its predecessor, DES, is a symmetric block cipher, using a shared secret key to encrypt a data stream one block at a time. In AES, each 128-bit data block undergoes 10-14 rounds (depending on key length) of permutations, substitutions, and additions [1]. AES is an extensively used and studied algorithm and like most symmetric ciphers offers advantages in terms of required processing power, processing time, and key length when compared to asymmetric ciphers such as RSA and ECC. The simplicity of each round enables simple and rapid implementation on any 8-bit processor, while the chaining of multiple rounds per block provides excellent security. The AES algorithm itself is quite straightforward to implement within hardware, and hardware AES optimization is currently already present in many modern, commercially available processors, including current processors from Intel, AMD, and Qualcomm, making this an excellent algorithm choice for use with existing components.
To modify AES for use in our closed system, Alice and Bob's routers will both require a single preshared AES key and a reliable PRNG. Initial communication will be made using the preshared key. After a data threshold has been reached, similar to the discrete logarithm system, Alice and Bob will input the decrypted data into an algorithm (such as a cryptographic hash function) to generate a random value . This value will be used as a PRNG seed on both systems to generate identical intermediate keys of the desired AES key length. To compensate for any bias in the data used to generate  (similar data between data cycles may lead to a smaller PRNG seed pool), the intermediate key may be XOR'd with the previous AES key to generate a new, random shared secret key by which further communication will be encrypted.
As mentioned earlier, AES offers efficient processing time, and the storage requirements for this system are minimal, requiring a single preshared key to be saved on each of the two end routers, much shorter than a security-equivalent RSA key pair. No effective cryptanalytic attacks are currently known against AES, with the current best attacks only a few orders of magnitude above the worst-case brute force scenario and requiring infeasibly large amounts of storage space [13]. Unlike asymmetric encryption algorithms, AES is likely resistant to attacks by theoretical future quantum computers. In the event of a communication failure due to data loss or malicious action, it may be necessary to switch to a new preshared key and begin the process again.
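The key-update cycle described in the two paragraphs above, together with the fall-back to a spare preshared key, as an added example that is not code from the paper. It covers only the key derivation, not the AES encryption of traffic. SHA-256 as the hash, HMAC-SHA256 in counter mode as the "reliable PRNG", the `key_check` confirmation tag, the `Router` class and all sample keys and messages are assumptions made for illustration.

```python
import hashlib
import hmac


def seed_from_traffic(plaintexts):
    """Hash the cycle's decrypted traffic into the PRNG seed."""
    h = hashlib.sha256()
    for msg in plaintexts:
        h.update(len(msg).to_bytes(4, "big"))  # length prefix keeps message boundaries unambiguous
        h.update(msg)
    return h.digest()


def prng_bytes(seed, n):
    """Deterministic generator (assumed construction): HMAC-SHA256 over a counter."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(seed, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def next_key(prev_key, plaintexts):
    """Intermediate key from the seeded PRNG, XORed with the previous AES key."""
    intermediate = prng_bytes(seed_from_traffic(plaintexts), len(prev_key))
    return bytes(i ^ k for i, k in zip(intermediate, prev_key))


def key_check(key):
    """Short tag the routers can compare to confirm agreement without sending the key."""
    return hmac.new(key, b"rekey-confirm", hashlib.sha256).hexdigest()[:16]


class Router:
    def __init__(self, preshared_keys):
        self.spares = list(preshared_keys)   # factory-loaded keys, first one is active
        self.key = self.spares.pop(0)
        self.cycle = []                      # plaintext seen since the last key update

    def record(self, plaintext):
        self.cycle.append(plaintext)

    def rotate(self):
        self.key = next_key(self.key, self.cycle)
        self.cycle = []
        return key_check(self.key)

    def fall_back(self):
        self.key = self.spares.pop(0)        # switch to the next preshared key
        self.cycle = []
        return key_check(self.key)


def demo():
    preshared = [bytes(range(16)), bytes(range(16, 32))]   # constructed 128-bit keys
    alice, bob = Router(preshared), Router(preshared)
    traffic = [b"route update 1", b"telemetry frame", b"route update 2"]  # constructed
    for msg in traffic:
        alice.record(msg)
        bob.record(msg)
    in_sync = alice.rotate() == bob.rotate()
    for i, msg in enumerate(traffic):        # second cycle: Bob never receives message 1
        alice.record(msg)
        if i != 1:
            bob.record(msg)
    diverged = alice.rotate() != bob.rotate()
    recovered = alice.fall_back() == bob.fall_back()
    return in_sync, diverged, recovered


if __name__ == "__main__":
    print(demo())
```

Each new key is a deterministic function of the previous key and of traffic encrypted under it, so anyone who recovers one key and has recorded the ciphertext can compute every later key until the routers fall back to a fresh preshared key.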

Alternative III: ECC
Elliptic Curve Cryptography (ECC) is an asymmetric cryptographic system, which uses a variant of the discrete logarithm problem as applied to points in an elliptic curve group as the core of its security. Many consumers have recently begun adopting ECC as an alternative to RSA, due to its efficiency in both key size and processing requirements. Careful choice of the ECC curve is necessary to avoid potential security hazards.
In Elliptic Curve Cryptography, first a curve is chosen, with variables and coefficients restricted over either the finite field GF(2  ) of the form  2 + =  3 + 2 + or a prime curve over   and modulo  where variables and coefficients range from 0 to ( − 1) of the form  2 mod  = ( 3 +  + )mod .
In the prime curve case, there are a limited number of nonnegative integer points between (0, 0) and ( − 1,  − 1) which satisfy any given elliptic curve values for  and . Similarly, for the finite field case, there will be a limited number of (, ) integer values that lie on the curve for any given values of  and .
These points are used to define a finite abelian group, with rules for addition defined specifically for the abelian group, similar to modular multiplication in conventional algorithms. Likewise, multiple additions are performed similarly to modular exponentiation. Using abelian group rules, given two points  and ,  =  is easily calculated given  and  but difficult to calculate given  and , forming the one-way trapdoor function at the basis of elliptic cryptography.
Generally, the curve parameter values of ,  and ,  and  are made public and often correspond to one of several well-studied elliptic curves. and  are the coefficients discussed earlier, forming the curve   (, ), where  is an integer in the finite field 2  (finite field curve) or a large prime number (prime curve). A base point  is picked such that the smallest positive integer  that satisfies  = 0 is very large. With all curve parameters defined, Alice and Bob may begin the key selection process [1].
(1) Alice and Bob both choose secret integers   and   less than  as their private keys.
(2) Public keys are generated according to   =   ×  and   =   ×  and shared with each other.
(3) A common secret key is generated by multiplying the known private key with the opposite public key, with   ×   =   ×   .
(4) To encrypt or decrypt data, the data is first encoded as a point  on the elliptic curve and then sent as a ciphertext message as a pair of points (,  + ) with  as any chosen positive integer and decrypted with the matching private key using (   −   ).
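Steps (1) to (4) worked through on a prime curve, as an added example that is not code from the paper. The toy curve y^2 = x^3 + 2x + 2 (mod 17) with base point (5, 1) of order 19, the private keys, the message point and the function names are all assumptions chosen so the arithmetic can be followed by hand; a curve this small offers no security.

```python
# Toy prime curve (assumed for illustration): y^2 = x^3 + A*x + B (mod P)
P, A, B = 17, 2, 2
G = (5, 1)      # base point
N = 19          # order of G: smallest positive n with n*G = point at infinity
O = None        # point at infinity (group identity)


def on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Group addition on the curve."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O                                        # a point plus its negative
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P, -1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P          # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def neg(pt):
    return O if pt is O else (pt[0], (-pt[1]) % P)


def mul(k, pt):
    """Scalar multiplication by double-and-add (repeated group addition)."""
    result, addend = O, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def shared_secret(my_private, peer_public):
    """Step (3): own private key times the other side's public key."""
    return mul(my_private, peer_public)


def encrypt(m_point, k, peer_public):
    """Step (4): ciphertext is the pair (k*G, M + k*peer_public)."""
    return mul(k, G), add(m_point, mul(k, peer_public))


def decrypt(ciphertext, my_private):
    """Step (4): subtract my_private * (k*G) from the second point."""
    c1, c2 = ciphertext
    return add(c2, neg(mul(my_private, c1)))


def demo():
    n_a, n_b = 3, 10                        # step (1): constructed private keys < N
    p_a, p_b = mul(n_a, G), mul(n_b, G)     # step (2): public keys
    same = shared_secret(n_a, p_b) == shared_secret(n_b, p_a)
    m = mul(8, G)                           # constructed message, already encoded as a point
    recovered = decrypt(encrypt(m, 4, p_b), n_b)
    return same, recovered == m


if __name__ == "__main__":
    print(demo())
```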
Modifying this system to function in our self-contained router environment involves a process similar to that used for RSA. All curve parameters are assumed to be publicly known, and use of a known secure curve is assumed. Each router must be initialized with secret data corresponding to its own private key and the public key of the other router. Again, it is not strictly necessary for each party to know or retain its own public key, and, in any case, all 4 key values are kept secret within the network.
Encryption and decryption function as standard ECC operations, with Alice encrypting data with Bob's public key and Bob decrypting data with his private key, and vice versa. After a data threshold is exceeded, Alice and Bob will both calculate new public and private ECC keys, choosing new secret integers, and encrypt and send each other their new public keys using their old private keys. Once both parties have received the new keys, all data will be transmitted using these. This system would allow for the use of ECC indefinitely, with rapid key updates, without the necessity of a third party. In the event of a communication failure due to data loss or malicious action, it may be necessary to switch to a new preshared certificate pair and begin the process again. Unlike in RSA, the use of a common secret key prevents message authentication via external audit.
Storage requirements for ECC involve two large integers of size  or smaller, corresponding to the public and private keys, on each router, for a total maximum storage capacity of 2 per shared secret per router. Key lengths used are much shorter than those needed for equivalent RSA or discrete logarithm security levels, about double the size of that found in symmetric encryption systems. Likewise, while not quite as processing-efficient as a symmetric cryptosystem, ECC offers large performance gains when compared to RSA. The best known attack on ECC is Pollard's Rho [14], which may be parallelized and needs relatively little memory but is nevertheless not computationally feasible for currently used curve parameters. As with other public key protocols, ECC is expected to be vulnerable to attack by quantum computers, once such exist.

Algorithm Comparison
The RSA, ECC, AES, and discrete logarithm protocols may each provide an arbitrary level of security, determined by the length of the encryption keys used for each algorithm [8]. Figure 1 visually illustrates the required key length needed by various encryption algorithms in order to achieve a level of security comparable to a specified RSA key length (e.g., to achieve the same level of security provided by 2048-bit RSA encryption, AES requires only a 112-bit key). In the case of the discrete logarithm method, the equivalent key length of the prime  used was determined using the general number field algorithm as compared to RSA key lengths and was found to be approximately equal in requirement with RSA key  equivalent to a discrete log key 0.84 (less than one-bit difference). ECC and AES hold clear advantages here over RSA and discrete log methods, as key sizes for the latter two increase rapidly as increased security is needed, while the key-length-to-security ratio remains relatively linear for ECC and AES. The longer key lengths of RSA and discrete log will also require additional bandwidth for public key transfer, compared to shorter ECC public keys, and no additional bandwidth overhead is required for AES.
Storage requirements for preshared secret data per router (ignoring overhead and indexing values), as outlined by the modified algorithms described earlier, are as follows:
(1) -bit RSA requires a maximum of 4 bits per secret.
(2) -bit ECC requires a total of 2 bits per secret.
(3) -bit AES requires a single stored -bit key.
(4) -bit discrete log method involves a preshared secret , assumed to be of maximum length .
Using these values, in combination with the key length requirements illustrated in Figure 1, it is possible to calculate the minimum storage requirements of each router for preshared secret data. For example, from Figure 1, we see that a 2048-bit RSA or discrete logarithm key is the equivalent of a 224-bit ECC key, or a 112-bit AES key. Each shared secret stored by the router at this security level would thus require a maximum of (2048 * 4) = 8192 bits for RSA and 2048 bits for discrete log but only (224 * 2) = 448 bits for ECC, or 112 bits for AES. Using these calculations, Figure 2 illustrates the total number of preshared secrets which may be stored per gigabyte of memory for any given security level and encryption algorithm (e.g., 8,000,000,000/8192 = 976,562 shared secrets per GB for 2048-bit RSA, or over 70 million shared secrets per GB for the equivalent 112-bit AES). As calculated in Figure 2, a single GB of router secret data storage allocation may hold hundreds of thousands of shared secrets even when using the inefficient RSA algorithm at the 7680-bit security level. When using AES, millions of shared secrets may be stored in this space. Regardless of algorithm choice, shared secret storage space is unlikely to be a limiting factor in practical router implementation.
Encryption and decryption performance for the various algorithms are difficult to measure and are heavily influenced by system architecture and software/hardware optimizations. Generally, however, symmetric key ciphers such as AES will offer the fastest encryption and decryption times. ECC offers dramatically superior key pair generation performance

Figure 1: Key length versus security for AES, ECC, RSA, and discrete log. Data source: National Security Agency, Central Security Service [8].