The age of on-line commerce has arrived. Already, consumers can turn on their computers and buy everything from books to groceries to stocks to cars without leaving their homes or offices. All it takes is a modem, a Web browser and a credit card. But that's just the beginning, say technology forecasters, who predict that within the next five years anywhere from $300 billion to $1 trillion worth of business will be transacted over the Internet each year.
Perhaps the most remarkable fact about the explosion of Web-based business during just the past half decade is that the flow of orders and cash is taking place over an insecure conduit, one whose open structure, designed by academics for the free exchange of ideas and data, makes intercepting and altering sensitive information child's play. As more computer users tap into the Internet with wireless connections in the years ahead, snatching data may become even easier.
What has made possible the early success of Internet business, and what will prove absolutely vital to its future expansion, is a relatively new discipline that marries esoteric mathematics with computer science and electrical engineering. Called modern cryptography, the field is a digital descendant of cryptology, the centuries-old practice of scrambling messages to keep state secrets and military communications from falling into the wrong hands. Once, cryptography was practiced almost exclusively by governments. But as businesses and researchers seek more effective and more efficient methods for encrypting information, data scrambling is becoming more and more the province of industry and academia.
"There is a gold rush for applications in cryptography today," says Christof Paar, assistant professor of electrical and computer engineering and founder of WPI's Cryptography and Information Security Research Laboratory (CRIS). "The Internet is taking off, with everyone thinking they can make some money in the on-line world. Financial transactions require security, so this growing desire to profit from the Net is the driving force behind an explosion of new security applications, including digital certificates, smart cards and digital cash."
Paar is one of the rising stars in this brave new crypto-world. He came to WPI three years ago after earning his bachelor's, master's and doctoral degrees in Germany, the last at the Institute for Experimental Mathematics at the University of Essen. His early research, conducted in Germany, as an exchange student at the Michigan Technological University, and as a visiting researcher at the University of Massachusetts, Amherst, focused on error codes, mathematical functions that enable audio and video CDs to continue playing even after they've been scratched.
"Error codes were already fairly well-established, so I came to WPI looking for a newer, hotter area of applications," he says. "Since the early 1990s, cryptography has been a fast growing field, and it happens to rely on the same mathematical principles as error codes."
Those principles belong to a field known as number theory, one of the oldest areas of mathematics. With its roots extending back to the writings of Pythagoras, number theory deals with the properties of integers and their relationship to one another. Until recently, it was thought to have no real-world applications. Number theory entered the limelight in 1976 with the publication of a seminal paper by Whitfield Diffie and Martin Hellman. Diffie and Hellman invented public-key encryption, which solved a central problem in cryptography that had threatened to limit its utility in the blossoming on-line world (See How Private? How Safe?).
The development of public-key cryptography coincided with the rise of electronic commerce, wireless networks and high-quality multimedia services. What ties these emerging technologies together is the need to be able to send and receive large volumes of data across insecure networks in a safe manner. To meet this demand, a host of cryptographic software applications, with names like RSA, PGP (Pretty Good Privacy) and SSL (Secure Sockets Layer), have found their way into popular Web browsers and onto widely used commercial Internet sites.
For the most part, Paar says, the development of network security technology has been the exclusive province of computer scientists and mathematicians. In fact, Paar is one of relatively few researchers in the nation approaching cryptography from the perspective of an engineer. "One important aspect of modern cryptography," he says, "is implementing security protocols in hardware (chips, circuit boards, special-purpose computers, and so on), which is what electrical and computer engineers do. Few other research groups have the interest, or the capability, to pursue cryptographic hardware in such a systematic manner."
In CRIS, several graduate students and a number of teams of undergraduates completing their Major Qualifying Projects are focusing their efforts on two broad areas: the development of hardware architectures for modern cryptographic schemes and research in the area of fast software algorithms. Paar's research on both fronts has won him more than a half million dollars in grants and contracts from such companies as GTE Government Systems, Lockheed Martin, Texas Instruments, Technical Communications Corporation, and Bosch, a German company. Much of the current work in CRIS revolves around making cryptographic systems faster and more efficient. In part, that means developing speedier algorithms.
"RSA is the industry leader in public-key cryptography, accounting for the majority of commercial applications, including the security feature in the popular Netscape browser," Paar says. "But because the keys used in RSA applications are so large, and require so much arithmetic to process, security systems are becoming relatively slow. So people have started to look at alternatives."
One popular alternative that is rapidly gaining in acceptance employs a set of one-way mathematical functions known as elliptic curves. The advantage of elliptic curves is that they appear to provide as much security as RSA and similar public-key algorithms, but with much smaller keys (150 to 250 bits for elliptic curves, vs. 1,024 to 2,048 bits for RSA). "Elliptic curves execute much faster than RSA, but the big question is whether they really are as secure." (See How Private? How Safe?)
Paar's research group has been looking, not at the security of elliptic curves, but at how to make them execute as fast as possible. The team has derived a new algorithm related to elliptic curves and has earned a patent for one particular fast implementation method.
This summer, Paar and Daniel V. Bailey '98, a computer science graduate who is working toward a master's degree in Paar's lab, presented a paper at Crypto '98, the nation's largest and most competitive conference on cryptography. The paper was based on Bailey's Major Qualifying Project, co-advised by Paar and Stanley Selkow, professor of computer science, which won the Provost's MQP Award in computer science in April. [Another MQP advised by Paar won the Provost's Award in Electrical and Computer Engineering in 1996.] The paper by Bailey and Paar details a method for speeding up elliptic curve cryptosystems using a mathematical approach Paar and Bailey call Optimal Extension Fields.
One of the most effective ways to speed up cryptographic algorithms is to implement them with dedicated hardware. Building a system into a computer chip or plug-in board not only makes it run faster, but makes it more secure, Paar says. "If your crypto system is running as software on your PC, there's a potential weakness because an attacker could get access to the algorithms or your keys. If everything is running in a chip, the physical access to that information is greatly restricted. The National Security Administration has known this for a long time, and now the commercial sector is slowly realizing that to get the greatest security, you need to start out with hardware."
One innovative approach to developing hardware for cryptography recently won Paar a prestigious faculty career development grant, called a CAREER Award, from the National Science Foundation. The four-year, $210,000 award will support the development of cryptographic systems using reconfigurable hardware. "This is the first NSF grant for crypto-hardware," Paar says.
"My proposal to the NSF combined two of the hottest areas in electrical engineering, cryptography and reconfigurable hardware. Usually, the disadvantage of implementing algorithms in hardware is that you give up the low development costs and flexibility of software. Once hardware is built you're stuck with it, but reconfigurable hardware is reprogrammable, so it combines the flexibility of software with the security of dedicated hardware. It represents a real paradigm shift in digital engineering."
Paar will be using a type of reconfigurable hardware known as field programmable gate arrays (FPGAs), logic chips that can be reprogrammed on the fly. "One of the new trends in cryptography is building systems that are algorithm independent," Paar says. "That means that the user and the server negotiate about which algorithm will be used in a particular transaction. Achieving this flexibility with software is not too difficult, but how can you do that with hardware? We are probably the first research group to think about doing this systematically with FPGAs."
Building hardware that can reconfigure itself within microseconds to run vastly different algorithms that employ keys of widely varying lengths will be no easy task, Paar says. Just designing a plug-in PC board that can handle the complicated arithmetic involved in processing a single cryptographic algorithm will be a challenge. "Your PC is designed to do math with 32-bit numbers," he says. "With RSA, you must perform computations with numbers that are 30 to 40 times that length. We have to look carefully at the kinds of gate structures that will allow that kind of arithmetic."
While the development of algorithm-independent FPGAs is just beginning, Paar and his students have already used the devices to speed up the implementation of the most widely used private-key algorithm, the Data Encryption Standard or DES. Developed by the federal government in the 1970s to be the standard for strong encryption, DES is used in applications where keys can be exchanged securely and is also the backbone of some public-key applications.
"Using FPGAs, we did an incredibly fast implementation of DES," Paar says. "In software, you are limited to data throughput speeds of about 10 megabits per second. With dedicated hardware, you can achieve speeds of up to 1,600 megabits. Our implementation was clocked at 400 megabits per second."
Because of the importance of information security to the future of on-line commerce, Paar's cryptography group at WPI has been in demand not just as researchers, but as educators. Paar teaches two graduate courses on cryptography and data security that have been offered on campus and, for three years running, on-site at GTE Corporation in Waltham, Mass. "Just a few years ago, when we first offered the initial course, we were one of the pioneers," he says. "Now, a number of universities offer one course, but only a few offer a follow-up course, as we do."
Paar also teaches a short course on applied cryptography and data security through WPI's Office of Continuing Education. It has proved a popular offering at WPI's Waltham Campus and has also been delivered at the NASA Lewis Research Center in Cleveland, Ohio, and at Philips Research Laboratories in Briarcliff Manor, N.Y. For the past two years, CRIS has offered the WPI Cryptography and Data Security Seminar Series. This year's series included speakers from WPI, the University of Massachusetts, MIT, GTE CyberTrust and RSA Labs.
Like Paar's courses and seminars, his students are in great demand. "Job opportunities in this field are completely crazy," he says. "There are many companies that are in or are just getting into Internet businesses, and they are desperately looking for people who are fluent in cryptography. There are very few schools that are offering this program, and even fewer schools doing it from an engineering perspective."
The German high-technology firm Secunet, a new subsidiary of one of the country's oldest technical holding companies, was so keen on hiring a student trained in Paar's lab that it held a contest, with the first prize being a one-year graduate fellowship in WPI's Electrical and Computer Engineering Department. The first recipient is Harald Weidner, a Ph.D. candidate at the University of Zurich.
"Our approach to cryptography is clearly what companies are looking for," Paar says. "But it is also, in a real sense, in tune with what WPI is all about. The University's philosophy is about combining theory and practice. That's what we do here. We take the theory of a highly arcane mathematical field, and implement it in a practical, usable manner. It's an approach that has proved highly successful for us, and for our students."
Last Updated: 11/21/98 10:41:09 EST