secure your passwords

From Rijndael To AES To FIPS 197

On January 2, 1997, the American National Institute for Standardization and Technology (NIST) invited cryptographers from all over the world to develop candidates for a new Advanced Encryption Standard for the protection of sensitive electronic information. NIST is an Agency of the US Government Commerce Department's Technology Administration.

Twenty-one teams of cryptographers from 11 countries submitted candidates. These included several major companies like the computer manufacturer IBM, the information security company RSA Security, Deutsche Telekom and the Japanese NTT. The candidate algorithms were evaluated for more than two years with respect to security, performance and suitability for different applications.

Some candidates were discarded because they did not reach the required security level. Others put too heavy a burden on the processor, making the applications too slow. Five finalists were selected for the the final evaluation round: MARS, designed by IBM; RC6, designed by RSA Security; Twofish, designed by the US company Counterpane; Serpent, designed by three scientists from the UK, Denmark and Israel; and Rijndael, designed by two Flemish researchers.

On October 2, 2000, the winner was announced: the algorithm Rijndael, developed by Dr. Joan Daemen, employed at Protonworld International, and Dr. Vincent Rijmen, postdoctoral researcher of the Fund for Scientific Research - Flanders (Belgium), employed at the COSIC lab of the department of Electrical Engineering - ESAT of the K.U.Leuven.

The strong points of Rijndael are a simple and elegant design, efficient and fast on modern processors, but also compact in hardware and on smartcards. These features make Rijndael suitable for a broad range of applications.

In 2001, Rijndael was officially published as the Advanced Encryption Standard (AES). It is used to protect sensitive but 'unclassified' electronic information of the US government. Since 2000, a large number of products and applications have been AES-enabled. Therefore, it will become a worldwide de facto standard in numerous other applications such as Internet security, bank cards, ATMs and wireless networks.

On May 26th 2002, the Secretary Of Commerce announced AES as the Federal Information Processing Standard (FIPS) 197 making it compulsory and binding on Federal agencies for the protection of sensitive data. NIST will review the FIPS every five years to consider whether the standard should be reaffirmed, amended or withdrawn. Use of the FIPS is encouraged when it provides the desired security for commercial and private organizations.

An important condition to enter the AES competition was that the designers gave up all intellectual property claims on their algorithm. Rijndael is freely available for everybody, and will continue to be so in the future; the designers don't gain financially from the design.

Extracts from the NIST Fact Sheet dated March 2001

17/ Is NIST concerned that the algorithm is of foreign origin? No. The complete algorithm specification and design rationale have been available for review by NIST, NSA, and the general public for more than two years. From the beginning of the AES development effort, NIST has indicated that the involvement of the international crypto community has been necessary for the development of a high-quality standard.	20/ Will NIST continue to monitor the algorithm's security, and how will it handle security issues that may arise in the future? Yes. As is the case with its other cryptographic algorithm standards, NIST will continue to follow developments in the cryptanalysis of Rijndael. Once the AES becomes an official standard, that standard will be formally re-evaluated every five years. Maintenance activities for the standard will be developed at the appropriate time, in full consideration of the situation's particular circumstances. Should an issue arise that requires more immediate attention, NIST will act expeditiously and consider all available alternatives at that time.
18/ Approximately how big are the AES key sizes? The AES will specify three key sizes: 128, 192 and 256 bits. In decimal terms, this means that there are approximately: 3.4 x 1038 possible 128-bit keys; 6.2 x 1057 possible 192-bit keys; and 1.1 x 1077 possible 256-bit keys. In comparison, DES keys are 56 bits long, which means there are approximately 7.2 x 1016 possible DES keys. Thus, there are on the order of 1021 times more AES 128-bit keys than DES 56-bit keys.	21/ How long will the AES last? No one can be sure how long the AES - or any other cryptographic algorithm - will remain secure. However, NIST's Data Encryption Standard (DES) was a U.S. Government standard for approximately twenty years before it was known to be 'cracked' by massive parallel network computer attacks and special-purpose 'DES-cracking' hardware. The AES supports significantly larger key sizes than what DES supports. Barring any attacks against AES that are faster than key exhaustion, then even with future advances in technology, AES has the potential to remain secure well beyond twenty years.
19/ What is the chance that someone could use the 'DES Cracker'-like hardware to crack an AES key? In the late 1990s, specialized 'DES Cracker' machines were built that could recover a DES key after a few hours. In other words, by trying possible key values, the hardware could determine which key was used to encrypt a message. Assuming that one could build a machine that could recover a DES key in a second (i.e., try 255 keys per second), then it would take that machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be less than 20 billion years old.