Communications Security for the Twenty-first Century: The Advanced Encryption Standard, Volume 47, Number 4

450 NOTICES OF THE AMS VOLUME 47, NUMBER 4 C ryptography was once the domain of generals and small children, but the advent of the Information Age changed that. In the early 1970s the National Security Agency (NSA) and the National Bureau of Standards (NBS) realized that noncombatant adults needed to protect their sensitive, but unclassified, information. Though NSA is the usual government agency for building cryptosystems, the agency was unwilling to design a cryptosystem for public consumption. Instead, NBS issued a public solicitation for a cryptographic algorithm. IBM responded. The company submitted a cryptosystem with a 56-bit key. (An assumption, first codified by Kerckhoffs in the nineteenth century, holds that security of a cryptosystem should rest entirely in the secrecy of the key and not in the secrecy of the algorithm. A conventional cryptosystem is considered secure when its work factor—the amount of time needed to decrypt—is about 2key length.) The new algorithm became the Data Encryption Standard (DES). In the first article of the two-part series, I described DES and the design principles behind “block-structured algorithms”. The box in the present article briefly defines some technical terms that were introduced in my DES article; more detail about these definitions may be found in that article. In the present article I describe the mathematics and politics behind DES’s successor: the Advanced Encryption Standard. A Twenty-Year Battle over Cryptography Many in industry and academia were skeptical of DES. Concern centered on whether NSA had placed a “trapdoor” in the algorithm (a shortcut to decryption). There were also objections to DES’s key length; critics believed that the relatively short key length had been chosen so that NSA could read DES-encrypted traffic. During the next two decades there were frequent battles over cryptography. Using export controls and threats of other legal action, the U.S. government attempted to stop the spread of strong cryptography.1 Seeking to build secure computer systems, industry found export controls on cryptography to be a major obstacle—though, to be sure, not the only one. In the late 1970s several MIT faculty were told they would be violating laws on arms exports if they presented their research in public-key cryptography at a conference in Ithaca, New York. Foreign nationals would be present, and discussion of the cryptographic research in such a venue was viewed as export of military arms. Several inventors of cryptographic devices found themselves silenced when secrecy orders, which forbid inventors from publicly discussing their work, were placed on their patent applications. NSA director Bobby Inman warned that if scientists did