Crypto-agility and information half-life – A Secret to Share

3.5 Crypto-agility and information half-life

Because fundamental advances in cryptanalysis cannot be reliably predicted, especially for prolonged periods of time, it is desirable to design security systems in such a way that the transition to longer keys (or stronger cryptographic mechanisms) is possible and, ideally, easy to do. This concept is called crypto-agility. It is an important feature of a secure system: when, for example, NIST looked for a new standard block cipher algorithm (the Advanced Encryption Standard, or AES; see Chapter 14, Block Ciphers and Their Modes of Operation) in a competition held between 1997 and 2000, all candidate algorithms had to support varying key lengths of 128, 192, and 256 bits.

Conceptually, crypto-agility is to information security what software updates are to software engineering. A well-designed security system takes into account that at some future point in time, it will face some previously unknown attacks. Because the specific attacks are unknown at design time, the system must be specified and implemented in a way that makes it easy to change the key lengths or even replace the cryptographic mechanisms.
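The following Python script is an added illustration of the crypto-agility idea just described; it is not code from the book or from any project it discusses. It shows the design decisions that make replacing a mechanism cheap: every message-authentication tag carries the identifier of the algorithm that produced it, a registry decides which algorithms may still create new tags and which are verify-only, and stored tags can be migrated to the stronger algorithm without changing the message format. The algorithm names, the "HMAC-SHA256 is being phased out" scenario, the preference rule and the demo keys are all assumptions made for this example.

```python
"""Crypto-agile message authentication (constructed example).

The algorithm identifier travels with each tag, a registry controls which
algorithms are accepted for verification and which may still issue new tags,
and old tags can be migrated to a stronger algorithm in place.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FORMAT_VERSION = "v1"


@dataclass
class MacAlgorithm:
    name: str        # identifier written into every tag (constructed names)
    digest: str      # hashlib digest name accepted by hmac.new
    key_len: int     # expected key length in bytes
    active: bool     # True: may create new tags; False: verify-only (phasing out)


# Assumed registry state for this example: both algorithms are accepted,
# the longer-keyed one is preferred for new tags.
REGISTRY: Dict[str, MacAlgorithm] = {
    "HMAC-SHA256": MacAlgorithm("HMAC-SHA256", "sha256", 32, active=True),
    "HMAC-SHA512": MacAlgorithm("HMAC-SHA512", "sha512", 64, active=True),
}


def register(alg: MacAlgorithm) -> None:
    """Add a new (stronger) algorithm; existing tags remain verifiable."""
    REGISTRY[alg.name] = alg


def deprecate(name: str) -> None:
    """Stop issuing new tags with `name`; verification keeps working so that
    stored data can be migrated."""
    REGISTRY[name].active = False


def preferred_algorithm() -> MacAlgorithm:
    """Constructed policy: the active algorithm with the longest key wins."""
    active = [a for a in REGISTRY.values() if a.active]
    if not active:
        raise RuntimeError("no active MAC algorithm registered")
    return max(active, key=lambda a: a.key_len)


def make_tag(message: bytes, keys: Dict[str, bytes],
             alg_name: Optional[str] = None) -> str:
    """Return 'v1|<alg>|<hex tag>'; refuses deprecated or unknown algorithms."""
    alg = REGISTRY[alg_name] if alg_name else preferred_algorithm()
    if not alg.active:
        raise ValueError(f"{alg.name} is verify-only; use {preferred_algorithm().name}")
    key = keys[alg.name]
    if len(key) != alg.key_len:
        raise ValueError(f"{alg.name} expects a {alg.key_len}-byte key")
    tag_hex = hmac.new(key, message, alg.digest).hexdigest()
    return f"{FORMAT_VERSION}|{alg.name}|{tag_hex}"


def parse_tag(tagged: str) -> Tuple[str, str, str]:
    """Split a tag into (version, algorithm name, hex digest)."""
    version, alg_name, tag_hex = tagged.split("|", 2)
    if version != FORMAT_VERSION:
        raise ValueError(f"unsupported tag format {version}")
    return version, alg_name, tag_hex


def verify(message: bytes, tagged: str, keys: Dict[str, bytes]) -> bool:
    """Dispatch on the algorithm named in the tag; anything unknown fails closed."""
    try:
        _, alg_name, tag_hex = parse_tag(tagged)
    except ValueError:
        return False
    alg = REGISTRY.get(alg_name)
    if alg is None or alg_name not in keys:
        return False
    expected = hmac.new(keys[alg_name], message, alg.digest).hexdigest()
    return hmac.compare_digest(expected, tag_hex)   # constant-time comparison


def migrate(message: bytes, old_tagged: str, keys: Dict[str, bytes]) -> str:
    """Re-tag a stored message with the preferred algorithm, but only if the old
    tag still verifies: a forged legacy tag must not be laundered into a new one."""
    if not verify(message, old_tagged, keys):
        raise ValueError("old tag does not verify; refusing to migrate")
    return make_tag(message, keys)


if __name__ == "__main__":
    # Constructed demo keys; real keys come from a key exchange or a KMS.
    KEYS = {"HMAC-SHA256": bytes(32), "HMAC-SHA512": bytes(64)}
    msg = b"order: buy 10 XYZ @ 42.00"
    legacy = make_tag(msg, KEYS, "HMAC-SHA256")   # issued before the phase-out
    deprecate("HMAC-SHA256")                      # cryptanalytic advance: stop issuing
    print(verify(msg, legacy, KEYS))              # old tags still verify
    print(migrate(msg, legacy, KEYS)[:15])        # now carries HMAC-SHA512
```

The registry is the single place where a mechanism is switched off, so the "patch" the text speaks of is one call to `deprecate()` plus a migration pass over stored data. Two caveats follow from the design: the algorithm field in the tag is not itself authenticated, so a verify-only algorithm stays a downgrade target until it is removed from the registry (or its key is destroyed) once migration is complete; and, as the next paragraphs explain, none of this helps against an adversary who recorded the traffic before the switch.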

However, while crypto-agility allows efficient patching of a security system in case of (unexpected) cryptanalytic advances, it doesn’t protect against offline attacks. This is especially critical if Alice and Bob need to keep their information confidential.

Eve can monitor the communication between Alice and Bob, store that data, and decrypt it later – maybe even some years later – when new cryptanalytic attacks or more powerful computing equipment become available. Thus, there remains a fundamental risk to the long-term protection of confidentiality [63].

The extent to which Alice’s and Bob’s data is susceptible to this risk depends on the half-life of their information, that is, the period of time within which their information is valuable for an attacker. As an example, say Alice operates a stock trading platform and transmits stock prices to Bob. Based on this information, Bob makes his trading decisions and sends them back to Alice to place his orders. In this case, the information that Alice and Bob exchange has a very short half-life: if Eve manages to decrypt that data a year later, she most likely won’t gain anything (and there will be no harm to Bob).

If, on the other hand, Alice is a government agency sending classified information to Bob about who works on what project in that government’s embassy, then it’s an entirely different matter. If Eve can decrypt such information, it will likely have serious implications for Alice and Bob, even if Eve needs 10-20 years to succeed.

As a result, besides best practices such as frequent key updates, crypto-agility, and reduction of the transmission and storage of confidential data to the absolutely necessary extent, the key length of cryptographic algorithms should also be chosen by taking into account the half-life of the information these algorithms must protect.

A consequence of this is that the practical impact of cryptanalytic advances and progress in semiconductor technology heavily depends on the specific information to be protected. As an example, even if cryptographically relevant quantum computers are built, numerous applications – at least initially – won’t be affected.
