Contrarian Minds: Sheueling Chang
Making security solutions stronger, faster, and -- this is very important -- smaller.
By Al Riske
12.Aug.04 -- Sheueling Chang leads a team of engineers working on next-generation security solutions, but the concept they're working with isn't new at all -- and that's a big part of its appeal.
Newness isn't exactly a valuable asset when it comes to security. New means unproven.
"Security technology is like wine. The longer you keep it, the better," Chang says. "The reason is you need to reach a point where you know whether you can trust it or not."
[Image caption: The math that underpins Chang's work in elliptic curve cryptography]
So what makes this project noteworthy? It will touch the lives of billions of people.
The first woman at Sun to become a Distinguished Engineer -- and the holder of 15 patents in areas as diverse as graphics acceleration and Internet payment systems -- Chang takes a contrarian view toward technology and what it means to innovate.
"Technology is only a tool to bring about innovation, but not the innovation itself," she says. "A true innovation is one that will ultimately have a broad and lasting impact on society."
Chang also believes, very firmly, that Thomas Edison got it right when he said: "Genius is 1 percent inspiration and 99 percent perspiration."
"The elliptic curve algorithm is well understood. What's needed now is the 99 percent perspiration," Chang says.
She and her team (Hans Eberle, Vipul Gupta, and Nils Gura) are providing just that. They're designing the software, protocols, and hardware to accelerate security solutions based on elliptic curve cryptography -- solutions that will find their way into smart cards, mobile phones, browsers, servers, radio frequency identification tags, and environmental sensors.
Until her team set to work three years ago, Chang says, "No one had the vision, courage, or persistence to bring elliptic curve technology to the forefront so it will have a broad impact on the Internet, particularly the new Internet that is coming."
The new Internet Chang refers to comprises a virtual tidal wave of pocket-sized devices -- smart cards, pagers, PDAs, and mobile phones by the billions -- plus tiny lightweight sensors by the trillions.
"The usage rate of cell phones is far surpassing that of the PC," she says. "That's where the massive impact will be."
In other words, more and more people are accessing network services with smaller, less powerful devices. We all like the mobility, but none of us want to sacrifice security. So Chang and her team are working to make sure we don't have to.
The popular Rivest-Shamir-Adleman algorithm, known as RSA, currently uses a 1024-bit key to scramble and unscramble data.
"That is adequate for commerce transactions today," Chang says. "But this key size will have to double by the end of this decade to provide the same level of security. At that point, RSA technology will become too heavyweight for wireless devices.
"The beauty of elliptic curve cryptography is that it uses very small keys and is computationally very efficient," she says. "This makes elliptic curve perfect for small devices."
There's another advantage as well: Elliptic curve cryptography can operate more quickly than RSA does.
"Generating RSA keys is quite time consuming. This is because each RSA key relies on having two very large prime integers. A computer must run for a long time to search for huge numbers that cannot be subdivided. Elliptic curve keys do not need to be prime, making it much easier to generate key pairs," Chang says. "If, for example, you need to issue smart cards for a health-care system to millions of customers, generating so many RSA keys on small token devices is not a trivial task."
With elliptic curve technology, one would need only a 160-bit key to provide the same level of security as current 1024-bit RSA keys. What's more, the new technology can be computed 4 to 10 times more efficiently on large servers and is 100 times more efficient on tiny sensors.
An obvious choice for small devices, the new technology will also pay off big time in the data center, where secure Web servers currently run three to nine times slower than regular Web servers on the same hardware platform.
"With elliptic curve's smaller key-size requirements and enhanced computational efficiency, IT will be able to utilize fewer servers for providing secure connections," Chang says.
That's important because the volume of secure commercial transactions is expected to double every few years.
A petite woman with short black hair and glasses, Chang is unfailingly polite and patient. She is also extremely persistent and highly ambitious.
"People would likely be surprised at the ambition I have," she says. "Maybe it has to do with the politeness, that I'm not trumpeting it loud enough, or I'm not working very hard to make myself look like a visionary. The reason is I am happier to be the type of visionary with one foot grounded rather than the one dancing in the clouds."
Chang is less concerned with simply creating new technologies -- innovation for innovation's sake -- and more interested in setting off a powerful chain reaction. She believes that "if an innovation is good, you will trigger a new wave of innovations, because other smart people will see that spark of light that you just ignited ... and an avalanche of innovations will follow yours." To her, that chain reaction is what defines real innovation.
"Many people want to be visionaries by doing the easy 1 percent of inspiration," she adds. "But the ones I truly respect are those who follow through with the 99 percent of perspiration. James Gosling is one like that. When James comes up with something, he sweats his butt off to carry it through."
Inspiration, perspiration -- and timing -- are key to Chang.
"Browsers and servers are impressive innovations," she says. "Is it because they are hard technologies to come up with? No. They were wildly successful because the timing was right. The Internet environment had all the gunpowder lying around ready to be lit. If you light the match too soon, you wouldn't have such an explosion. It has to be that the time and the environment is right. Then you light the match and boom!"
Chang believes the time is right for a new generation of security solutions.
"For a new security technology like this to be successful, it must be integrated with the applications and the security protocols. In addition, the security protocols need to be standardized to ensure interoperability across the industry," Chang says. "Sun is the first company to bring this technology into mainstream usage on the Internet in an open source forum."
Sun took a bold approach, she says. "First, we provisioned the technology in our own product line. Then we contributed an implementation to the two dominant open source libraries, OpenSSL and Mozilla/NSS. Most importantly, we are working through the Internet Engineering Task Force to make the elliptic curve crypto system an open standard.
"We contribute the technology in a royalty-free way. What does that mean? That means industry adoption. That means startup companies can get started with this royalty-free standard implementation at almost no cost and put it into next-generation devices. You want to create a gunpowder environment, so all you have to do is light the match," Chang says.
And Sun will be ready, she says, with an explosion of fast, efficient, powerful solutions -- integrated into the Java Enterprise System, the Java Desktop System, Java Card technology, and even next-generation SPARC processors.
Stand back.