By Charles Seife AN ENCRYPTION scheme designed with the help of a 16-year-old Irish school student could have hidden flaws, some cryptography specialists say. The new algorithm is claimed to be significantly faster than the industry standard. Experts say that no one can be sure that it is secure until it has been made public and thoroughly analysed. Bruce Schneier a cryptographer with Counterpane Systems, a Minneapolis-based security consultancy, is sceptical. “Cryptography is conservative. You don’t want to jump on the bandwagon immediately. If you don’t have a proof, then it’s nothing,” he says. “The question is: is it secure?” Like the popular RSA algorithm, the new scheme uses public-key encryption. This relies upon mathematical operations that are easy to do but which are very difficult to undo. The RSA algorithm uses exponentiation to encode and decode a message. Encoding the message involves raising a number to a power, and is fairly simple. To decode the message, the recipient has to calculate a discrete logarithm of a number—a task related to the factorisation of a large integer into two prime factors. This operation is almost impossible without knowing a secret key. So the encrypted message remains secure even when the key used to encrypt it is publicly available. Unfortunately, exponentiation can take be quite time-consuming when large messages are involved. The new algorithm, which is dubbed Cayley-Purser, claims to shorten the time it takes to encrypt and decrypt messages. Like RSA it relies upon the security of discrete logarithms, but instead of exponentiating numbers Cayley-Purser multiplies matrices together. This cuts down the number of multiplications and additions needed to encrypt or decrypt a message, which in turn reduces the time it takes to run the program. “Essentially, RSA is cubic in the length of the key, while our algorithm is quadratic in the length of the key,” explains William Whyte, a cryptographer with Baltimore-Zergo technologies, the electronic security firm which is behind the new algorithm. “In practice, with a key length of 1024 bits, which is what is generally used, it comes out about 75 times faster.” The problem with the Cayley-Purser system is that the encrypted message is much larger than an equivalent RSA message, so it takes longer to transmit. Last week, the new algorithm hit the headlines because one of its developers, Sarah Flannery from Blarney near Cork in the Republic of Ireland, is still at school. Flannery worked out the basis of the algorithm during a two-week stint at Baltimore-Zergo in Dublin. She then refined the idea and did a great deal of mathematical analysis. “She’s done a lot of very original research in there that would do a grad student proud,” says Whyte. Despite the media fanfare, Flannery says it is too early to celebrate. Cayley-Purser could be as had to crack as RSA, but it may not be. “I’ve tried to show, mathematically, that in the places you can attack, the problem is equivalent to attacking RSA,” says Flannery. “I’ve proven it for all the methods that I can see,