Talk:Advanced Encryption Standard

Missing image Key-crypto-sideways.png WikiProject on Cryptography

This article is part of WikiProject Cryptography, an attempt to build a comprehensive and detailed guide to cryptography in the Wikipedia. If you would like to participate, you can choose to edit the article attached to this page, or visit the project page, where you can join the project and see a list of open tasks.

Template:CryptographyReader

	Pending tasks for [[Template:Articlespace:Advanced Encryption Standard]]: (https://academickids.com:443/encyclopedia/index.php?title=Talk:Advanced_Encryption_Standard&action=purge)	edit (https://academickids.com:443/encyclopedia/index.php?title=Talk:Advanced_Encryption_Standard/to_do&action=edit) - watch (https://academickids.com:443/encyclopedia/index.php?title=Talk:Advanced_Encryption_Standard/to_do&action=watch) - purge (https://academickids.com:443/encyclopedia/index.php?title=Talk:Advanced_Encryption_Standard&action=purge)
	Talk:Advanced Encryption Standard/to do

Contents

1 what doubts? what experts? 2 more pronounciation problems 3 merge w/ Rijndael? 4 "GPL license" 5 Comparison to other algorithms 6 DJB's attack 7 More detail?

what doubts? what experts?

The article says 'some experts doubt that it is really as secure as it should be for important applications'.

Which experts?

-- The Anome

---

Bruce Schneier and Rich Schroeppel are two who come to mind. A few others seem to have vague doubts. I should point out that Rijndael has not actually been broken, and in fact it has been proven mathematically that some of the more popular methods can't break it. The main worry is that the whole thing looks too simple, and has more algebraic structure than is normal for a block cipher. There is a possibility that some new kind of algebraic attack might exist.

If you trawl through the AES website, you can find the public comments, and quite a few there thought Rijndael was too simple. (Note that not all the comments are by experts though :-) When the final choice was announced, Schneier said

"I believe that within the next five years someone will discover an academic attack against Rijndael. I do not believe that anyone will ever discover an attack that will allow someone to read Rijndael traffic. So while I have serious academic reservations about Rijndael, I do not have any engineering reservations about Rijndael."

which is not the most ringing endorsement you could hope for.

I have seen a draft of a paper by Ferguson, Schroeppel and Whiting, pointing out all sorts of interesting algebraic properties of Rijndael, of a kind that make some people nervous, but without actually finding a break. Not sure if they managed to get it published yet, or if so where.

So my statement in the article might be just slightly too strong as it is, but we should probably convey somehow that not all the experts find Rijndael completely convincing.

When did Bruce Schneier raise doubts about AES? Is there a published paper about this that you can point me to? To my knowledge, Schneier even recommends AES to be used instead of his very own Blowfish in new designs, despite the fact that, to date, there are no known vulnerabilities to the Blowfish. --K1 11:14, 21 Jun 2004 (UTC)

Ferguson and Schneier are cool about the algorithm in Practical Cryptography (2003), if I remember correctly. I'll try and look it up. — Matt 12:55, 21 Jun 2004 (UTC)

p56: "We have one criticism of AES: we don't quite trust the security"; p57, discussing possible algebraic cryptanalysis: "This is an extremely unfair criticism of AES. We don't have an attack on AES. And every cipher, including AES, could be attacked in the future. Yet the simple algebraic structure of AES opens it up to an entirely different class of attacks."; p58: "In the end, everybody will use AES because it is the U.S. government standard. We even advise people to use it, because it is the standard and using the standard avoids lots of discussions and problems...the aggressive design coupled with the clean algebraic structure just makes us uneasy." — Matt 13:12, 21 Jun 2004 (UTC)

more pronounciation problems

You have to say "Rhine doll" like a North American, or it is just wrong.

merge w/ Rijndael?

Would anyone object to making this article about the AES standard (i.e. a general term description, listing of the finalists, etc.) and kept all the stuff specifically about Rijndael in the Rijndael encryption algorithm article ? --Imran 02:35, 1 Feb 2004 (UTC)

Hmm...AES is now essentially synonymous with Rijndael; the a minor technical difference isn't worth having two pages (Rijndael has a wider range of block sizes specified). My suggestion would be to merge Rijndael and AES, and the discussion of the competition and other finalists can remain in AES competition. — Matt 03:32, 14 Jul 2004 (UTC)

Matt, Imran's got the right of it here, I think. AES =/= Rijndael quite. There are permitted block length differences if nothing else. That sort of thing probably doesn't belong in AES, aside from a note about the not quite exact identity of the two, but does belong in Rijndael. Reactions? ww 19:42, 14 Jul 2004 (UTC)

The difference is hairsplitting, really, and since Rijndael has been adopted as the AES, they are used synonymously in practice. I don't think it's sustainable to have two separate articles based on a small technicality when a single sentence in the lead section of AES would suffice. — Matt 20:01, 14 Jul 2004 (UTC)

"GPL license"

"GPL license" makes as much sense as "LCD display". I'll leave it to the native speakers to get rid of this "General Public License license". How about:

• just "GPL"
• "GPL-licensed" (if this is English ;-)
• "GP license" or "GP License" (unfamiliar)
• "General Public License"

80.237.206.93 02:54, 19 Jan 2005 (UTC)

Comparison to other algorithms

This might be out of scope of the article but how does AES 256 compare to blowfish and other algorythms in issues such as encryption time, hypothetical security etc

Regarding encryption time, Rijndael was chosen as AES over a number of other candidates in part because of its good performance over a range of platforms (this should, at some stage, be explained in the AES process article). To be honest, you'd probably want to compare Twofish with AES in this regard, rather than Blowfish. Blowfish has a very complex key schedule, which means that it takes a lot of time to process the key before encryption can take place — Rijndael is faster in this respect.

No problems with the security of any of AES, Twofish or Blowfish have been established. — Matt Crypto 13:06, 14 Mar 2005 (UTC)

DJB's attack

I just spent a good deal of time removing POV from DJB's cache timing attack on AES. Yes, in theory this attack can work. However, I feel strongly that, in practice, this attack isn't an issue. Samboy 22:58, 30 Apr 2005 (UTC)

More detail?

Do other editors feel it is worthwhile to describe AES in enough detail for a programmer to be able to implement Rijndael/AES without referring to any other documents. Samboy 01:39, 17 May 2005 (UTC)

OK, I'm beginning the work on this. I am doing this by creating a series of sub-articles which describe various aspects of AES' algorithm in more detail. I have already written articles on the Rijndael Galois field and Rijndael S-box. I need to write an article on Rindael's key schedule, write a Rijndael test vectors article, and a Rijndael Mix column article. Samboy 08:56, 18 May 2005 (UTC)

I agree that we should be describing the algorithm entirely. However, I'm not sure I agree on how we should best do this — in particular, I'm not sure we should be describing it from a view for implementation (as in, "here's some C code for multiplying in a Galois Field" etc). Perhaps that might be better in Wikibooks? Similarly, test vectors might be better off given within Wikisource. I think we could fit the entire description onto one page. Anyway, I'm not totally sure what I think, but I'm glad you're interested in helping improve this article ;-) — Matt Crypto 10:53, 18 May 2005 (UTC)

Thanks for the input. I agree that C examples have the following two issues:

• They are useless to someone who doesn't know C. There are at least two different public domain implementations of C out there for people willing to work with C code.
• They may violate the Genre of an encyclopedia. Actually, I'm hitting a similiar Genre problem with the article for Bell numbers. A lot of math articles in Wikipedia are written for people who have a BS or higher in Mathematics; however the underlying concept of a Bell number (and even a method for calculating one) is simple enough that an intelligent elementry school kid can understand what is going on if the information is presented correctly. Unlike history or a lot of social sciences, a lot more care should be made to make a given concept accessible to an average reader.

I think psudo-code will work better. In the case of multiplying two number's in AES' Galois Field, I already have psudo-code that does this (in the article, no less).

Anyway, I won't have time to address these issues until this weekend. In the meantime, I'll explain that AES can be speeded up on a 32-bit computer with 4k (or even 1k) of table space by table lookup on the main Rijndael article. Samboy 18:28, 18 May 2005 (UTC)

One thought that occurred to me: rather than integrating implementation-specific information for each component of the cipher, how about collecting it all in an "Implementation aspects" section? If it gets too large, we might consider splitting it out into an Implementation aspects of AES article. — Matt Crypto 01:25, 19 May 2005 (UTC)

That sounds like a good idea. Merges are always a good thing. The only thing is that we should move it to the Implementation aspects of AES article if this article becomes bigger than 32k. As an interesting aside, XTEA and Blowfish have faster speeds on PCs than AES does, but AES kills them on 8-bit smart cards (and, presumably, dedicated hardware; AES killed RC6 with the NSA did their hardware speed tests (http://csrc.nist.gov/CryptoToolkit/aes/round2/NSA-AESfinalreport.pdf) PDF file; I assume that XTEA and Blowfish will have similar problems). Samboy 04:49, 19 May 2005 (UTC)

I just checked; we're not even halfway to the 32k point. Samboy 09:04, 19 May 2005 (UTC)