Cracking the Cipher Market:
Made-in-Japan Encryption Technologies

With the rapid growth of corporate and public interest in the potentials of electronic commerce, many Japanese companies are turning their attention to the development of encryption technologies. Moreover, the controversial strict control by the US gov ernment on the export of cryptographic software and technologies has been giving Japanese companies unparalleled opportunity to develop their own encryption algorithms and encryption-embedded products rather than relying on imported technology. Under authority of the International Traffic in Arms Regulation, which defines cryptographic devices (including software) as munitions, all US-made cryptographic software requires an export license from the US Department of State. Because the US governme nt has been reluctant to grant export licenses for the software stronger than an undefined "basic level" (currently a 40-bit key length for secret-key encryption and a 512-bit key length for public-key encryption), the American encryption techno logies being introduced to Japan and the rest of the world are much weaker than those being used in the US. Netscape, for example, has been offering a 40-bit secret-key-based SSL (Secure Sockets Layer protocol) in Japan but selling a 128-bit length SSL pr oduct in the US. While this restriction seems likely to be eased soon, it is unlikely that the US will completely scrap all export limits for encryption technologies in the near future.

" The exportable key length [of the US software] is not practical to be applied for the electronic commerce businesses," says Takashi Okamoto, research director at the Electronic Commerce Promotion Council of Japan (ECOM) -- a non-profit orga nization established early this year and backed by the Ministry of International Trade and Industry (MITI). "For electronic commerce applications, I think a 64-bit key length will be necessary, at least, for secret-key encryption."

To prepare for the development of practical electronic commerce applications, several Japanese manufacturers have enhanced their development of security technologies. Also, MITI -- a major player in the promotion of electronic commerce in Japan -- has been turning increased attention to transaction security issues. MITI has charged ECOM with studying possible security problems (including setting up evaluation criteria for the application of encryption technologies) of its 19 assorted electronic commer ce projects. MITI has allocated ¥10 billion for such projects in its fiscal 1996 and 1997 budgets.

Made-in-Japan encryption

An ECOM working group on security-related technology was formed in April to study public concern about the safety of electronic commerce applications. The working group consists of about 40 companies (mainly those in the computer, finance, and trade in dustries) of the nearly 200 ECOM members. This working group will develop evaluation criteria for applying encryption technologies, and it will look at some made-in-Japan cryptography technologies and techniques.

One representative made-in-Japan encryption technology is FEAL (Fast-data Encipherment ALgorithm), developed by Nippon Telegraph and Telephone Corporation (NTT). FEAL is based on Data Encryption Standard (DES), whose initial version was developed in 1 986; the current version -- with a 128-bit key length -- was announced in 1989. FEAL already has been embedded in an NTT facsimile system, LSIs and boards released by NTT-subsidiary NTT Electronics Technology (NEL), and routers released by NTT, NEL, and L AN product manufacturer Soliton Systems.

Mitsubishi Electric Corporation, meanwhile, last year developed its own DES-type product, MISTY, which also has a 128-bit key length. MISTY, a block-encryption algorithm based on a cipher strength evaluation index that applies both linear cryptoanalys is and differential cryptoanalysis, has already been embedded in some Mitsubishi network products.

Hitachi, too, developed its DES-type method, MULTI2, which has a 64-bit key length, but can also offer a 256-bit system key. It has been employed for Hitachi's Keymate series digital signature software. And NEC has developed a 64-bit key DES-type prod uct called ENCRiP, although the algorithm has not yet been incorporated into any commercial systems.

Other algorithms

In addition to these major companies, two venture companies have introduced their own encryption algorithms to the Japanese electronic commerce applications market. Advance, a Tokyo-based company, has commercialized the Key Predistribution System (KPS) developed in 1990 at Yokohama National University and the University of Tokyo. The unique point of KPS is that it need not be combined with a public-key method, like RSA, for distribution of its secret-key cryptography; most other secret-key methods use RSA for their key distribution. So far, KPS has been incorporated into e-mail software products released by Advance and Toshiba Information System, and IC cards and boards released by Advance.

Yokohama-based Laurel Intelligent Systems in 1993 developed its own 64-bit key block-encryption algorithm called SXAL/MBAL. The SXAL/MBAL algorithm has been employed for PCMCIA cards and IC cards released by Share Service, a software company which has a tie-up with Digital Equipment Corporation Japan for the development of security products. The algorithm also was incorporated into an IC card used for an electronic commerce trial conducted in June by the Japan Research Institute.

All of these pure made-in-Japan technologies are secret-key types, and most of the companies have been anticipating their application mainly in the domestic market. Since RSA is used widely worldwide, most Japanese manufacturers consider that their own technologies may not be competitive in the world market. For their global businesses and future business potentials in electronic commerce applications, Japanese companies still seek the incorporation of major technologies like RSA.

Competing on the world market

One Japanese company, NEL, has stated its intention to enter into the world market by embedding RSA and triple-DES into chips. With a 14-year background in LSI production and 10 years of experience in security product sales, NEL plans to introduce encr yption-embedded chipsets to Japan and the US within this year. To be released on an OEM basis through Nihon RSA, a subsidiary of RSA Data Security, is an RSA-based chip with a 1,024-bit key length and a triple-DES-based chip with a 112-bit key length -- b oth of which are much stronger than the exportable US chips. While these chips are based on the US-born technologies, NEL is implementing the technologies into the chips by using their own public algorithm. NEL is also developing security software to enha nce the strength of the international version of Netscape's weakened-for-export SSL.

Does this Japanese challenge represent a near-term threat to American industries? Regarding sales of the chip itself, NEL says it doesn't expect much at the beginning; the market for encryption chips is not yet clear, and US companies are offering sim ilar-strength chips. More significant for NEL is establishing a closer relationship with RSA Data Security, licenser of the RSA algorithm.

According to Hyoh Ikawa, NEL's senior managing director, the idea of NEL's chip development using the RSA algorithm was actually brought up during talks with RSA Data Security, with whom NEL has had a two-year relationship for RSA licensing. NEL also participated in the formation of the Japanese subsidiary of VeriSign, a spin-off of RSA Data Security, which was established in February to provide digital ID services for Japanese electronic commerce businesses. NEL, along with two other NTT subsidiaries -- NTT PC Communications and NTT Data Communications Systems -- holds a 15% share of VeriSign Japan.

Ikawa notes that having a background in chip production and encryption businesses will be an advantage for future encryption product opportunities, because encryption-embedded chips require sufficient knowledge of encryption technology to make the chi ps and systems function properly. " This kind of technology incorporation into neat and adequate commercialization has been a field the Japanese are good at," he notes. " We will also make full use of our strength in encryption technology a nd LSI production [for this business]."

The two-fold path

So, Japanese companies are seeking to enter the encryption business by two routes: not only through the development of their own encryption algorithms, but also by integrating promising encryption technologies into chips and systems. The US government' s export restrictions on encryption products seems to have done little to hinder Japan's efforts; rather, it seems to have spurred Japanese companies to search for opportunities in the encryption business. If anyone has been held back by the American expo rt rules, it seems to have been some US companies who have missed the window of opportunity to claim leadership of the fast-growing electronic commerce segment of the Japanese market.

About Noriko Takezaki