Advanced Encryption Standard

The Advanced Encryption Standard, more commonly referred to as AES, is a block cipher with a block size of 128 bits and key sizes of 128, 192, and 256 bits. It was adopted by NIST as US FIPS PUB 197 in November 2001 after a 5-year standardisation process.

Development

AES was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen. It was based on their previous design, Square. It is not a Feistel network design, like many of the other AES finalists. It is also known by the name of the original submission "Rijndael", something best pronounced by non-Dutch speakers more or less as "Rhine dahl" (a long "i" and a silent "e"). Daemen and Rijmen have announced that, for those who object, that they have several other names already prepared which will be even more impossible for non-Dutch speakers.

Strictly speaking AES is not precisely Rijndael, as Rijndael supports larger block sizes (due to a request in NIST's initial call for AES candidates that was later withdrawn), whereas AES has a fixed block size of 128 bits.

AES is fast in both software and hardware, is relatively easy to implement, and requires little memory. As the new block cipher "standard", it is currently being deployed on a large scale.

Security

As of October 2002, there are no known successful attacks against AES. The NSA reviewed all the AES finalists, including Rijndael, and stated that all of them were secure enough for US Government non-classified data.

The most common way to attack block ciphers is to try various attacks on versions of the cipher with a reduced number of rounds. AES has 10 rounds for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys. The best known attacks are on 7 rounds for 128-bit keys, 8 rounds for 192-bit keys, and 9 rounds for 256-bit keys. See [1] for details of these particular attacks.

Some cryptographers worry about the security of AES. They feel that the margin between the number of rounds specified in the cipher and the best known attacks is too small for comfort. The risk is that some way to improve these attacks will be found and the cypher will be broken. A "break" in cryptography is anything that is faster than an exhaustive search, so an attack that requires 2¹²⁰ operations is considered a break even though it is quite infeasible. For practical applications any attack which is only just better than this is irrelevant, and these concerns can be ignored.

Another concern is the mathematical structure of AES. Unlike most other block ciphers, AES has a very neat mathematical description [[1], [[1]. This has not yet led to any attacks, but some researchers are worried that future attacks may find a way to exploit this structure.

Along with the cipher itself, a document concerning "modes of operation" is also expected to be made an official standard. For a general article on that topic (not specific to AES) see Block cipher modes of operation.

Attacks

September 2002: A worrying theoretical attack on AES has been announced in a paper by Nicolas Courtois and Josef Pieprzyk entitled "Cryptanalysis of Block Ciphers with Overdefined Systems of Equations". This appears to show a potential weakness in the AES algorithm. It seems that the attack, if the maths are correct, is not currently practical as it would have a prohibitively high "work factor". There have been claims of considerable work factor improvement, however, so the attack technique — might — actually become practical sometime in the future. On the other hand, several cryptography experts have criticised the underlying mathematics of the proposed attack, suggesting that the authors have gotten their sums wrong. Whether this line of attack can be made to work against AES remains an open question. For the moment, as far as is publicly known, the XLS attack against AES is speculative. As is currently understood, it may or may not be possible to actually carry out the attack in practice.