There is a new Advanced Encryption Standard... Now What?
Author
Abstract
In 1976 the National Bureau of Standards, now the National Institute of Standards and Technology (NIST), adopted an algorithm called the “Data Encryption Standard” (DES) as a federal information-processing standard for protecting information. DES works like this: you choose a random 56-bit key K, and then compute the function C = DES_K(P) for a 64-bit “plaintext” P. The “ciphertext,” C, is also 64 bits long. The idea is that P is transformed into some “random” string C so that P is hidden from users who lack a copy of K. (This is a very informal definition; cryptographers use a much more precise definition which we’ll skip here.) An algorithm of this type is called a “block cipher” because its inputs and outputs are of the same fixed size; this size is called the “block size” and for DES it is 64 bits. Block ciphers like DES can be used as a building block for more complex tasks, for example encrypting and authenticating arbitrary messages.

Since the DES key is 56 bits, there are 2^56 possible keys. In 1976 this was a lot of keys, but these days one can build a machine for a few hundred thousand dollars which will exhaustively search through all 2^56 keys in just a few hours. Therefore we have long been in need of a replacement for DES. NIST, aware of this need, launched a process in 1997 aimed at adopting a new block cipher, dubbed the “Advanced Encryption Standard” (AES), which would supplant DES as a federal standard. The AES would have a block size of 128 bits, longer keys (NIST specified that the algorithm must accept keys of 128, 192, and 256 bits), resist all known attacks, be efficient in hardware and software, be patent-free, and run well both on 8-bit architectures (like some smartcards) and on 32-bit commodity processors. Submissions were received from RSA, IBM, and other groups. After years of scrutiny by the cryptographic community, an algorithm called Rijndael (pronounced “rhine-doll”) was signed into law as the new AES. (See www.nist.gov/aes for more information.)

Rijndael was invented by two young Belgian cryptographers, Joan Daemen and Vincent Rijmen. To some, Rijndael seemed a risky choice. Why? All other submissions to NIST used the traditional “Feistel Network” structure (or variations of it), which was well-known and trusted. DES had also used this structure. But Rijndael was an evolutionary descendant of “Square” (see DDJ 10/99??), which is based on a very different idea: the algorithm treats the input as a matrix and transforms this matrix by shifting rows, mixing columns, and renaming bytes via a table, all in some prescribed order. This novel design gave Rijndael several advantages over many of its competitors: it is simple, efficient, and quite elegant. (And, some would add, unpronounceable.)
Similar resources
FPGA Can be Implemented Using Advanced Encryption Standard Algorithm
This paper mainly focused on implementation of AES encryption and decryption standard AES-128. All the transformations of both Encryption and Decryption are simulated using an iterative design approach in order to minimize the hardware consumption. This method can make it a very low-complex architecture, especially in saving the hardware resource in implementing the AES InverseSub Bytes module and...
Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS)
Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS) Status of this Memo This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol...
Specification and Analysis
The block cipher CRYPTON had been proposed as one of candidate algorithms for the Advanced Encryption Standard (AES). Though there is no serious weakness found, we decided to strengthen CRYPTON with as small changes as possible. As a result of such refinement effort, we now release CRYPTON Version 1.0, which only differs from the previous version in S-box construction and key scheduling. This pape...
I-38: New and Old Technologies in the Modern IVF Clinic
Background PGD has been around in various forms for over a quarter of a century now. During this time it has evolved from simple FISH and direct PCR mutation analysis to whole chromosome profiling using microarrays or next generation sequencing and improved monogene testing using STR linkage or now, recombination mapping. Modern PGD can now deliver highly accurate and reproducible results capab...
Towards a better understanding of representing problems as SAT problems
Of fundamental importance for SAT solving is the translation to CNF. One of the basic tasks is to find metrics for determining what are “good” translations, i.e., what makes the resulting SAT problem easy to solve. We introduce a new measure hd(F), the “hardness”, for formulas F in conjunctive normal form (i.e., clause-sets). hd(F) for unsatisfiable clause-sets has been studied in [10,12]. Ho...
Towards a better understanding of SAT translations
Of fundamental importance for SAT solving is the translation to CNF. One of the basic tasks is to find metrics for determining what are “good” translations, i.e., what makes the resulting SAT problem easy to solve. We introduce a new measure hd(F), the “hardness”, for formulas F in conjunctive normal form (i.e., clause-sets). hd(F) for unsatisfiable clause-sets has been studied in [12,14]. Ho...
Publication date: 2002