
How does Microsoft's FourQ cryptographic library work?

Microsoft introduced a new cryptographic library based on FourQ, which the company says is faster than competing algorithms. Expert Michael Cobb takes a closer look at FourQLib.

Microsoft released a new cryptographic library that is reportedly faster and more secure than existing options. What can you tell me about FourQLib, and is this cryptographic library something enterprises should look into using?

Encryption is one of the most effective ways to keep data secure, but as new discoveries in cryptanalysis are made and computing power increases, older algorithms need to be retired and replaced. For example, DES was once the standard algorithm used for encryption, but now, a regular desktop computer can break it. MD5 and SHA-1 were widely used hash algorithms, but they are now considered weak and are being replaced by SHA-2; the National Institute of Standards and Technology (NIST) has already published its successor, SHA-3.

New encryption algorithms have to be both secure and efficient, as a higher level of security requires more computing resources. For example, the algorithm selected for SHA-3, called Keccak, was notably faster than the other algorithms under consideration. Microsoft Research published an elliptic curve library, called FourQLib, which it claimed is considerably faster than currently approved elliptic curve-based algorithms. Elliptic curve cryptography is gaining favor with many security experts as an alternative to RSA for implementing public-key cryptography. It is based on the algebraic structure of elliptic curves over finite fields, which allows for faster, smaller and more efficient cryptographic keys.

FourQ, outlined in an International Association for Cryptologic Research paper, targets the 128-bit security level, which is the level NIST recommends or requires for federal government systems. Keccak instances with a capacity of 256 bits offer a generic security strength level of 128 bits against all generic attacks.

Cryptographic algorithms provide different strengths of security, depending on the algorithm and the key size used. Security bits estimate the number of computational steps or operations that are required to decrypt a ciphertext, and are used as a guide to a cipher's ability to protect data based upon an adversary's estimated potential capabilities over time. This is not to be confused with key length, which is the size, measured in bits, of the key used in a cryptographic algorithm.
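To make the difference between security bits and bit length concrete, the following added example (not from the original article or from Microsoft's library) runs a generic birthday collision search against SHA3-256 truncated to a few bits and measures the work it takes. The truncation widths, sample messages and function names are constructed for illustration.

```python
import hashlib
import math


def truncated_sha3(data: bytes, bits: int) -> int:
    """Return the top `bits` bits of SHA3-256(data) as an integer."""
    digest = int.from_bytes(hashlib.sha3_256(data).digest(), "big")
    return digest >> (256 - bits)


def find_collision(bits: int):
    """Hash a counter until two inputs share the same truncated digest.

    Returns (msg_a, msg_b, hashes_computed). The messages are constructed
    sample inputs; only the number of hashes matters.
    """
    seen = {}
    counter = 0
    while True:
        msg = b"constructed-sample-%d" % counter
        tag = truncated_sha3(msg, bits)
        counter += 1
        if tag in seen:
            return seen[tag], msg, counter
        seen[tag] = msg


def measured_security_bits(bits: int) -> float:
    """log2 of the work the generic collision search actually needed."""
    _, _, work = find_collision(bits)
    return math.log2(work)


if __name__ == "__main__":
    # An n-bit output falls to a generic attack after roughly 2^(n/2)
    # hashes, so its strength in security bits is about half its length.
    for n in (16, 20, 24, 28):
        print(f"{n}-bit output: ~2^{measured_security_bits(n):.1f} hashes, "
              f"birthday bound 2^{n / 2:.0f}")
```

The same square-root behavior of generic attacks is why an elliptic curve group of roughly 256 bits is rated at the 128-bit security level rather than 256.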

Microsoft's tests showed FourQ is around four to five times faster than the original NIST P-256 curve, and between two and three times faster than curves that are currently under consideration as NIST alternatives, such as Curve25519. (As simplicity tends to deliver better security, some speed enhancements were sacrificed to keep the FourQ algorithm simple to read and easy to audit.)

The cryptographic library is largely written in portable C, and is available for public download. Further independent verification will be needed before enterprises should consider incorporating FourQ into their own software. Speed can be tested using SUPERCOP, a toolkit developed by the VAMPIRE Lab for measuring the performance of cryptographic software, but it will take longer for the global cryptographic community to conduct detailed analysis of FourQ's cryptographic security.


This was last published in February 2016
