Ross Anderson, RIP

A Great Scot and an Amazing Cryptographer

Published in

ASecuritySite: When Bob Met Alice

13 min readMar 29, 2024

I am so sad about the passing of Ross Anderson on 28 March 2024. He was truly one of the most amazing cryptographers in the world. Ross was a Professor of Security Engineering at the University of Cambridge and at the University of Edinburgh. In 2023, he was elected as a Fellow of the Royal Society of Edinburgh (FRSE).

Here is Ross presenting a keynote talk at the One Conference, The Hague, 2018

and a keynote talk at AsiaCCS 2017 in Abu Dhabi:

and on Bitcoin problems:

Ross was not shy in getting involved in politics and regularly gave written evidence on privacy, and was a strong advocate against Brexit [here]:

and in privacy issues related to the track-and-trace application [here]:

A bit about Ross

Ross was born in September 1956 and attended the High School of Glasgow until 1973. From 1974 until 1978, he studied for a BA in Mathematics at Trinity College, Cambridge, while also working with Ferranti on inertial navigation systems.

He completed his PhD in 1995, and his PhD supervisor was Roger Needham (and was also a world-leading researcher in areas of security, operating systems, computer architecture and networking). In 2005, the two of them wrote a classic paper of “Programming Satan’s Computer” [here][2]:

After his PhD, he has a research assistant, and, in 1995, he became an academic at the University of Cambridge, and then a full Professor in 1992. In 2021, he also became a Professor at the University of Edinburgh.

In his research career, he was a strong advocate of the rights of the citizen to privacy. He advanced many areas of cryptography, including inventing the Red Pike cipher (and which was the first approved encryption method for the NHS), and the Serpent method (and which was close to becoming the standard for the NIST-defined Advanced Encryption Standard). In 1998, he founded the Foundation for Information Policy Research, which is a think tank on issues related to information technology policy.

Overall, his Security Engineering book has been cited over 4,497 times [here]:

Me and Ross

Over the past few years, I had been close to arranging a catch-up for the world leaders in cryptography series of talks, but we could never find a time which suited us. And, so, in honour of his memory, I recap some of the things he was involved with. Overall, many will know of Ross from his book on Security Engineering [here]:

The Economics of Information Security

And, so, in the days before we had the catchy term cybersecurity, we used the more correct term of Information Security. Ross was a leader in defining new methods for assessing the true costs of information security and cybercrime [3]:

Bugs in our Pockets

When you have people like Ross Anderson, Ron Rivest, Bruce Schneier and Whitfield Diffie are part of a research paper, you sit up and take notice [here]:

Their target is the use of client-side scanning (CSS), and that it is not effective in preventing crime. Along with this, it does not prevent surveillance. The authors argue that some agencies would like CSS installed on all mobile phone devices, and not just for suspects. This may risk the privacy of law-abiding citizens and may overrule the actual risks to society. For them, the risks of implementing CSS is far more dangerous than the previously defined methods to break end-to-end encryption:ethods to break end-to-end encryption:

The ability of citizens to freely use digital devices, to create and store content, and to communicate with others depends strongly on our ability to feel safe in doing so. The introduction of scanning on our personal devices — devices that keep information from to-do notes to texts and photos from loved ones — tears at the heart of privacy of individual citizens. Such bulk surveillance can result in a signiﬁcant chilling eﬀect on freedom of speech and, indeed, on democracy itself.

Red Pike

The AES method is a block cipher which uses a block size of 128-bits and key sizes of 128 bits, 192 bits and 256 bits. It operates by uses a key scheduling method which takes part of the key for a number of rounds. For a 128-bit key, we have 10 rounds, and for a 256-bit key, we have 14 rounds. In each round, we take a 4ⅹ4 matrix of byte values (16 bytes = 128 bits), and then swap rows and columns. We also use an S-box to scramble the bytes.

But what happens if we want to make our block cipher simpler, and just implement it in just a few lines of code? This might be the case for a limited-memory IoT device. One such cipher is Red Pike, which was proposed as a standard for the NHS in 1996 [here]:

the NHS’s needs should be addressed by a family of related encryption products built on the Red Pike encryption algorithm. This algorithm has recently been made available to the NHS by CESG, the National Technical Security Authority within HMG

Red Pike — a name which is likely to derive from an area of the English Lake District — is a classified UK government encryption algorithm. It was created for the NHS by GCHQ but could be used in a range of applications. Overall it is a 64-bit block cipher with a 64-bit key length. Over the last two decades, there are few referenced articles to it, but it is quoted in a paper by Ross Anderson and Markus Kuhn [here]. Overall it uses simple bitwise operations, and has no S-boxes, no key scheduling, no look-up tables, and is implemented in a few lines of code.

Ross creates an interesting narrative in how the BMA was persuaded that Red Pike a study involving four academics:

In order to try and persuade the BMA that Red Pike was sound, the government 
commissioned a study of it by four academics [7]. This study states that 
Red Pike `uses the same basic operations as RC5' (p 4) in that the principal 
operations are add, exclusive or, and left shift. It `has no look-up tables, 
virtually no key schedule and requires only five lines of code' (p 4). 
Other hints include that `the influence of each key bit quickly cascades' 
(p 10) and each encryption involves of the order of 100 operations' (p 19).

Ross didn’t hold back in his criticism and in its RC5-derived roots, “RC5 may be about the worst possible algorithm choice for secret-algorithm hardware applications”, and that it was susceptible to the glitch attack.

In the end, Ross outlined that he had serious doubts about the methods and that S-boxes should be used. So, in an era of standards in cryptography, where “rolling your own” is not seen as a good thing, it is rather strange to see a method which was kept fairly secret.

A 64-bit key, unfortunately, is too small these days, and could be cracked by modern machines, but, at the time (1996), the key size would have been fairly secure. It must be remembered that in 1996, the Intel Pentium was the King of processors and had a blistering clock speed of 200MHz. With processor clock speeds now of nearly 4GHz, and with GPUs containing thousands of processing elements, modern computing devices would find cracking a 64-bit key a fairly easy task.

Red Pike uses a key size of 64-bits and a buffer size of 64-bits [here]:

/* Red Pike cipher source code */
 
 #include <stdint.h>
 #include <string.h>
 #include <stdlib.h>
 #include <stdio.h> typedef uint32_t word;
 
 #define CONST 0x9E3779B9
 #define ROUNDS 16
 
 #define ROTL(X, R) (((X) << ((R) & 31)) | ((X) >> (32 - ((R) & 31))))
 #define ROTR(X, R) (((X) >> ((R) & 31)) | ((X) << (32 - ((R) & 31))))
 
 void encrypt(word * x, const word * k)
 {
   unsigned int i;
   word rk0 = k[0];
   word rk1 = k[1];
 
   for (i = 0; i < ROUNDS; i++)
   {
     rk0 += CONST;
     rk1 -= CONST;
 
     x[0] ^= rk0;
     x[0] += x[1];
     x[0] = ROTL(x[0], x[1]);
 
     x[1] = ROTR(x[1], x[0]);
     x[1] -= x[0];
     x[1] ^= rk1;
   }
 
   rk0 = x[0]; x[0] = x[1]; x[1] = rk0;
 }
 
 void decrypt(word * x, const word * k)
 {
   word dk[2] =
   {
     k[1] - CONST * (ROUNDS + 1),
     k[0] + CONST * (ROUNDS + 1)
   };
 
   encrypt(x, dk);
 }
main ( int argc, char *argv[] ) 
{char *key;
char *buffer;
char dec[100]="";
char ch[5]="";if (argc==3) 
{	buffer=argv[1];
	key=argv[2];
}word b[2]={6,6};
word k[2]={6,6};printf ("\nEncrypt: ");for (int i=0;i<strlen(buffer);i+=4)
{
	b[0]=(int)buffer[i]+(int)(buffer[i+1]<<8);
	b[1]=(int)buffer[i+2]+(int)(buffer[i+3]<<8);	k[0]=(int)key[0]+ (int)key[1]<<8;
	k[1]=(int)key[2]+ (int)key[3]<<8;
 		encrypt(b,key);
	printf ("%x%x",b[0],b[1]);
	decrypt(b,key);
        ch[0]=b[0]& 0xff;
        ch[1]=(b[0]& 0xff00)>>8;
        ch[2]=b[1]& 0xff;
        ch[3]=(b[1]& 0xff00)>>8;
	ch[4]=0;	strcat(dec,ch);}printf ("\nDecrypt: %s",dec);
}

My favouriate bit of code is the way the decrypt is just the encrypt process, with a small change [here]:

void decrypt(word * x, const word * k)
 {
   word dk[2] =
   {
     k[1] - CONST * (ROUNDS + 1),
     k[0] + CONST * (ROUNDS + 1)
   };
 
   encrypt(x, dk);
 }

A sample run is [here]:

PIKE Encryption 
Message: abcde
Key: aaaaEncrypt: d3d6e4c6dae19022ea46529fe5210331
Decrypt: abcde

Serpent

In 2000/2001, NIST ran a competition on the next-generation symmetric key method, and Rijndael won (and which was created by its Belgium creators: Vincent Rijmen and Joan Daemen). But in second place was Serpent, and which was created by Ross Anderson, Eli Biham, and Lars Knudsen. Let’s have a look at the competition, and then outline an implementation of Serpent in Go lang. In the end, it was the speed of Rijndael that won, over the enhanced security of Serpent. If NIST had seen security as more important, we might now be using Serpent than Rijndael for AES [here]:

The competition

NIST created the race for AES (Advanced Encryption Standard). It would be a prize that the best in the industry would join, and the winner would virtually provide the core of the industry. So, in 1997, NIST announced the open challenge for a block cipher that could support 128-bit, 192-bit, and 256-bit encryption keys. The key evaluation factors were:

Security:

They would rate the actual security of the method against the others submitted.
This would method the entropy in the ciphertext — and show that it was random for a range of input data.
The mathematical foundation of the method.
A public evaluation of the methods, and associated attacks.

Cost:

The method would provide a non-exclusive, royalty-free basis licence across the world;
It would be computationally and memory efficient.

Algorithm and implementation characteristics:

It would be flexible in its approach, and possibly offer different block sizes, key sizes, convertible into a stream cipher, and so on.
Be ready for both hardware and software implementation, for a range of platforms.
Be simple to implement.

Round 1

The call was issued on 12 Sept 1997 with a deadline of June 1998, and a range of leading industry players rushed to either create methods or polish down their existing ones. NIST announced the shortlist of candidates at a conference in August 1998, and which included some of the key leaders in the field such as Ron Rivest, Bruce Schneier, and Ross Anderson (University of Cambridge) [report]:

Australia LOKI97 (Lawrie Brown, Josef Pieprzyk, Jennifer Seberry).
Belgium RIJNDAEL (Joan Daemen, Vincent Rijmen).
Canada: CAST-256 (Entrust Technologies, Inc), DEAL (Richard Outerbridge, Lars Knudsen).
Costa Rica FROG (TecApro Internacional S.A.).
France DFC (Centre National pour la Recherche Scientifique).
Germany MAGENTA (Deutsche Telekom AG).
Japan E2 (Nippon Telegraph and Telephone Corporation)
Korea CRYPTON (Future Systems, Inc.)
USA: HPC (Rich Schroeppel), MARS IBM, RC6(TM) RSA Laboratories [try here], SAFER+ Cylink Corporation, TWOFISH (Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson) [try here].
UK, Israel, Norway SERPENT (Ross Anderson, Eli Biham, Lars Knudsen).

One country, the USA, had five short-listed candidates, and Canada has two. The odds were thus on the USA to come through in the end and define the standard. The event, too, was a meeting of the stars of the industry. Ron Rivest outlined that RC6 was based on RC5 but highlighted its simplicity, speed, and security. Bruce Schneier outlined that TWOFISH had taken a performance-driven approach to its design, and Eli Biham outlined that SERPENT and taken an ultra-conservative philosophy for security, in order for it to be secure for decades.

Round 2

And so the second conference was arranged for 23 March 1999, after which, on 9 August 1999, the five AES finalists were announced:

Belgium RIJNDAEL (Joan Daemen, Vincent Rijmen).
USA: MARS IBM, RC6(TM) RSA Laboratories, TWOFISH (Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson)
UK, Israel, Norway SERPENT (Ross Anderson, Eli Biham, Lars Knudsen).
Canada: CAST-256 (Entrust Technologies, Inc),

The big hitters were now together in the final, and the money was on them winning through. Ron Rivest, Ross Anderson and Bruce Schiener all made it through, and with half of the candidates being sourced from the USA, the money was on MARS, TWOFISH or RC6 winning the coveted prize. While the UK and Canada had both had a strong track record in the field, it was the nation of Belgium that surprised some and had now pushed itself into the final [here].

While the other cryptography methods which tripped off the tongue, the RIJNDAEL (‘Rain-doll’) method took a bit of getting used to, with its name coming from the surnames of the creators: Vincent Rijmen and Joan Daemen.

Ron Rivest — the co-creator of RSA, had a long track record of producing industry-standard symmetric key methods, including RC2, and RC5, along with creating one of the most widely used stream cipher methods: RC4. His name was on standard hashing methods too, including MD2, MD4, MD5, and MD6. Bruce Schneier, too, was one of the stars of the industry, with a long track record of creating useful methods, including TWOFISH and BLOWFISH.

Final

After nearly two years of review, NIST opened up to comments on the method, which ran until May 2000. A number of submissions were taken, and the finalist seemed to be free from attacks, with only a few simplified method attacks being possible:

Table 1: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4863838/

As we can see in Table 1, the methods had different numbers of rounds: 16 (Twofish), 32 (Serpent), 10, 12, or 14 (Rijndael), 20 (RC6), and 16 (MARS). Rijndael had a different number of rounds for different key sizes, with 10 rounds for 128-bit keys and 14 for 256-bit keys. Its reduced number of rounds made it a strong candidate for being a winner.

In the AES conference to decide the winner, Rijndael received 86 votes, Serpent got 59 votes, Twofish 31 votes, RC6 23 votes, and MARS 13 votes. Although Rijndael and Serpent were similar, and where both used S-boxes, Rijndael had fewer rounds and was faster, but Serpent had better security. The NIST scoring was:

For many observers, Seperent pushed itself to be more secure and over-engineered with the number of rounds. The following is some sample code [here]. A sample run:

Key:	5bfbb8f09ea47e56a0a27008b6037c4a
Cipher:	0fbfc075154a4041a2fc5dab2612fdf100000000000000000000000000000000
Decrypted: Testing 123

Conclusions

As cryptographers and cybersecurity professionals, it is sad when we lose one of our own. It is with a heavy heart that I mourn the loss of Ross Anderson. He was someone who has broken down barriers in the ‘art of the possible’ and rallied against those who wish to spy on our citizens.

Cryptography is an area which is typically not driven by faceless corporations but by the passion and drive of researchers to go into the world and address many of the problems of our existing digital world. The world was made a whole lot more secure and trustworthy with his presence, and Ross has truly built a foundation for us all to build on.

So, let’s build a more secure, robust and trusted world in his honour. Keep the faith that cryptography can build a better world!

Postscript

Ross was on the top of my list to chat with for the World-leaders in Cryptography series, as he was a world-leader. Unfortunately, we never did catch-up in Edinburgh:

And, so, here’s a podcast from July 2023:

and on health care security and privacy in 2013:

Overall, I’ve only captured a small part of Ross’s career, if you want more, try here:

Ross Anderson's Home Page

Research] [Blog] [Videos] [Politics] [My Book] [Music] [Seminars] [Contact Details] Machine Learning needs Better…

www.cl.cam.ac.uk

Reference

[1] Bugs in our Pockets: The Risks of Client-Side Scanning Hal Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Jon Callas, Whitfield Diffie, Susan Landau, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier, Vanessa Teague, Carmela Troncoso, Oct 2021.

[2] Anderson, R., & Needham, R. (2005). Programming Satan’s computer. Computer Science Today: Recent Trends and Developments, 426–440.

[3] Anderson, R., & Moore, T. (2006). The economics of information security. science, 314(5799), 610–613.