Sun Labs - ECC Spotlight

Small Team, Huge Results


What Happens to the Technology and the Team that Created It When a Research Project Succeeds Beyond Expectations?


February 14, 2006 - Research is risky business—for the scientists and engineers who stake years of their lives on the development of an idea, and for the companies that fund applied research projects. Researchers sometimes face periods of months or even years with no visible progress, and the fact is that most research projects fail to produce commercially viable technology.

Yet some research projects do produce innovations that help solve crucial problems for customers and provide new revenue streams for the company. The Elliptic Curve encryption technology described here as well as the Java programming language, Sun Cluster technology, asynchronous circuit design, and dozens of other innovations all started out as research projects at Sun Labs.

So it is important for research teams not only to steel themselves for the possibility of failure, but also to be prepared for stunning success.

Project Next Generation Crypto and Elliptic Curve Technology


The Next Generation Cryptography Team at Sun Labs provides an excellent example of how the right preparation and the right attitude can actually accelerate the technology transfer process within the organization and beyond. The team's work on Elliptic Curve Cryptography (ECC) has created a foundation for next-generation Internet security—a foundation that has been endorsed not only at Sun but also by the U.S. government and key industry players, including Microsoft and Red Hat.

In this article, the team that developed ECC for Internet security applications offers insights about how technology transfer can work--and how to avoid the political and cultural mistakes that could otherwise jeopardize the adoption of the technology the team worked so hard to create. For more information about how Sun and the U.S. government are endorsing and adopting ECC technology, see the feature article on sun.com: Internet Security 2.0.

A Cryptographic Dream Team

Nils Gura, Sheueling Chang Shantz,
Hans Eberle, and Vipul Gupta

Sheueling Chang Shantz, Sun's first female Distinguished Engineer, was not trying to revolutionize Internet security. Back in 2000/2001, designing a new security standard for the next wave of the Internet's evolution wasn't the goal; it wasn't even a far-fetched "vision". She was simply working on a piece of technology that she found interesting.

The technology was called Elliptic Curve Cryptography, an alternative to RSA, the primary public-key technology in use for providing secure communications over the Internet. Invented in 1985 by Victor Miller and Neal Koblitz, ECC provides the same degree of security as RSA with approximately one-sixth the key size, making the technology especially useful for small, mobile devices that are limited in power, CPU performance, memory, or bandwidth.

In 2001, Sheueling was developing an ECC cryptography library ("while I was supposed to be doing something else," she says). By 2002, the potential of ECC was sparking wide interest, both for use in industry applications and within the U.S. government. "We could foresee that with the growing e-commerce, wireless, and mobile markets, there would be more lightweight devices connected to the Internet and security would become a greater concern," said Sheueling. "Then when we saw that the U.S. government was starting to take a serious interest in security and actually endorsed ECC in 2002, we started putting a lot more emphasis on our ECC work."

Sun Labs created the Next Generation Cryptography Team, which included Sheueling and fellow Sun engineers Hans Eberle, Vipul Gupta, and Nils Gura. The team's initial area of focus was development of ECC for the Secure Sockets Layer (SSL) protocol—the dominant protocol for handling secure transactions over the Internet. "Each of us had been thinking about ECC for SSL, and now as a team we had the complementary software and hardware expertise to really accomplish something," said Sheueling.

Specifically, the team was chartered with implementing Sheueling's ECC crypto library and security architectures for various platforms (ranging from coin-sized sensors to high-performance Web servers); creating a common hardware architecture for accelerating ECC; and facilitating industry adoption of ECC by promoting standardization within SSL.

Within a few months, the team had already created a functioning system that proved the potential of the technology for secure communications among small devices as well as large servers. "But that was the easy part," said Sheueling. "The next step was to convince engineers within Sun's product groups that this was something with great commercial potential."

Technology Transfer: A Contact Sport

Technology transfer—transitioning promising technology from the lab into the product groups that are responsible for incorporating it into real products—is the holy grail of any applied research project, and the team's work on ECC was no exception. Yet the process of technology transfer can be unfamiliar and somewhat daunting to researchers whose sole focus has been developing the technology.

"Technology transfer is a contact sport," said Dr. Bob Sproull, a Sun Fellow and vice president. "It depends upon collaboration, teamwork, and interpersonal networking much more than fundamental research does."

"It was important to all of us that this research would end up in real products, not just in white papers," said Vipul Gupta. "That's why we focused—right from the outset—on smoothing the technology transfer process. We wanted to work collaboratively with Sun's product groups and industry standards bodies so that they'd be partners, not adversaries."

The team recognized early on that one prerequisite to technology transfer was that ECC be supported by the SSL standard. Both servers and client devices had to embrace the technology so that both sides could communicate successfully. Thus, one of the first steps taken by the Next Generation Cryptography Team was to contribute ECC technology to OpenSSL, an open source security library. OpenSSL is already in use on a number of commercial applications; for example, OpenSSL allows Apache Web servers (which currently represent 60% of the Web server market) to communicate securely and efficiently with lightweight devices using ECC technology.

The team also provided ECC support to Network Security Services (NSS), which powers the Mozilla/Netscape and Firefox browsers and the Sun Java Enterprise System middleware (including the Web, Directory, Mail, Calendar and Messaging Server products); and Vipul Gupta was lead author on the IETF Internet draft that specifies the use of ECC technology in the SSL protocol.

Crypto Accelerator

The performance of the cryptography system—meaning the speed with which the system can encrypt and decrypt messages—is critically important to the commercial viability of the technology. If the encryption process is time-consuming or bogs down the processor, end users experience frustrating delays in their secure communications and transactions.

The Next Generation Cryptography Team worked on several levels to increase the performance of ECC: optimizing the encryption algorithms, fine-tuning the software, and also accelerating the ECC processing in hardware. One of the earliest and most critical successes of the team was the development of cryptography acceleration hardware by Hans Eberle and Nils Gura.

Crypto Accelerator Card
"Hardware accelerators have been around for RSA for years," said Hans. "We needed a hardware solution for ECC." At first, Hans and Nils focused on building an FPGA specifically for ECC crypto acceleration. However, new technology became available that allowed for the integration of the acceleration function directly onto the CPU. After a couple of prototypes, Hans and Nils had a fully functional crypto accelerator that was integrated into Sun's next-generation CPU.

"Usually encryption is handled by a co-processor," said Hans. "By integrating it into the main processor chip, we gain even higher performance efficiencies. Once the product groups at Sun saw that we could do an implementation that was compatible with the existing CPU architecture, the idea really caught on."

Humility Plays a Central Role

With a promising new technology and a compelling proof-of-concept prototype to show, the Next Generation Cryptography Team began to present to Sun's product groups. "This is where the right preparation and the right attitude can make a world of difference," said Vipul. "Sometimes researchers can take the approach that we developed this great technology, you need to use it, so now go figure out how. You end up with personality clashes, which can cripple technology transfer."

"Our approach is to educate people," said Sheueling. "And we start with ourselves. Before we present the technology, we spend time taking a closer look at what the product team is doing and where our technology might have a good fit. We show them what we've been working on and suggest ideas for how we might work together. I've found that this approach really opens the door to collaboration. If we listen to them, and are flexible, they often come back to us with better ideas on how to embrace the technology."

Patience is also a virtue when working with the product groups. Nils, for example, spent nearly a year working with Sun's product teams, helping with verifications and other technical requirements. "It doesn't make any sense to just hand them the specs and disappear," said Nils. "You need to be there to help them digest it and answer their questions. That way the implementation is more likely to be successful, and there's a greater chance that all the work you did in research will really stick."

According to Vipul, it is also important to present the new technology directly to the engineers, not only to management, in the early stages. "Engineer-to-engineer interaction is critical in establishing personal relationships that are based on trust," he said. "If you start with management, you create the impression that you want to ram something down the engineers' throats."

The approach taken by the Next Generation Cryptography Team resulted in successful technology transfer on a scale that few research projects ever achieve. For example:

    Sun has implemented ECC in its Java Enterprise Server (JES) Web Server 7.0, and forthcoming versions of other JES servers, Java Desktop Server, Java Card, and Java 2, Standard Edition will feature ECC.

    Microsoft has committed to include an implementation of the IETF ECC specification in an upcoming release of Windows Vista browsers and servers.

    Red Hat will support ECC in future versions of its implementation of the Linux operating system.

    The team transferred a significant piece of complex design for use in next-generation UltraSPARC processors. Adding new functionality is always extremely complex and risky, so the team's ability to provide technology that could be seamlessly integrated is truly an impressive accomplishment.

    The Solaris Operating System group has adopted the team's work on ECC for the Solaris Encryption Framework, a highly optimized cryptographic library for application developers.

"Sizzle" World's Smallest Secure Web Server

On the research front, the team's pioneering work has resulted in more than ten patents and over a dozen technical papers in peer-reviewed conferences and journals. Three of these articles won the "Best Paper Award" at their respective conferences. The team's results on the performance improvement in secure web servers due to ECC are quoted in white papers from other ECC vendors, and their demonstration of efficient public-key cryptography on highly constrained devices was described as the "biggest breakthrough in sensor network security" by Prof. David Wagner of U.C. Berkeley. In 2004, the team also won the Chairman's Award, the top achievement award at Sun for individual or team innovation.

Onward and Upward: What's Next for ECC—and the Team

By working closely with standards bodies, Sun product groups, and external research and government engineers, the Next Generation Cryptography Team has successfully seeded adoption of ECC technology and expects to witness an upward spiral in industry applications in the years ahead.

"We set out to tackle a very difficult challenge for such a small team. It's very exciting to see it going so well," said Sheueling. "I feel proud that we were able to make such a significant contribution. What we contributed to Open Source has helped migrate the Internet Security Foundation to a more secure and efficient encryption scheme, and will enable secure communications over billions of light-weight wireless devices."

"There's definitely a sense of pride and accomplishment," said Vipul. "We're getting e-mails from people from around the world—students who are starting Ph.D. projects based on our research; people who tell us what a difference our work has made to them."

With the core technology successfully transferred to various product groups at Sun, the Next Generation Cryptography Team has disbanded to allow team members to pursue new goals.

Sheueling, for example, is now working on creating an information portal for the mobile Web—a project she dubs "Moogle"—to expedite the delivery of pertinent information to people using mobile devices with limited power and memory, such as cell phones. "ECC will definitely be the security foundation for digital commerce transactions flowing over the mobile Web," she said.

Vipul is now working on Secure Ad-hoc Communications, a project focusing on the special security and networking needs for a new class of even smaller, simpler, wireless computing devices (e.g., tiny sensors and actuators) that are expected to proliferate in the next several years. ECC technology will also be a key part of his ongoing research.

And Hans and Nils are working together again, this time on a large-scale data center switch, investigating uses of proximity technology to scale up multiple-chip implementations in a cost-effective way.

For More Information

Additional details about Sun's use of and advocacy for ECC technology, along with information about Sizzle, the world's smallest secure Web server, and the latest version of OpenSSL and Mozilla/NSS code containing ECC technology, can be found on the Sun Labs Next Generation Crypto Project Web site at http://research.sun.com/projects/crypto.