Is there a contingency plan in the event of a catastrophic attack on AES?

NIST selected Rijndael in 2000 to be AES. In a paper from the Serpent authors, they mention that there was the possibility of choosing a second cipher as a backup in the case of any severe breaks:




I believe that there should be only one standard. NIST should decide on one standard in order to ensure that the standard is accepted and adopted as soon as possible. However, NIST can publish the choice of a backup cipher which will replace the standard in case it is broken or in case other circumstances (such as intellectual property problems) will prevent it from being used by the public.




NIST has not done this, according to section 2.4 of a report from NIST. Is there any process in place in the event that a severe cryptanalytic attack against AES is discovered? Imagine it's 2029 and a new paper comes out showing that all 14 rounds can be broken with a complexity of $2^{80}$ and a negligible amount of known plaintext. Would there be any official steps taken by NIST, for example changing the standard to use more rounds? Would one of the other AES candidates be chosen as AES2?



I don't believe that there will be a major break in the cipher without prior cryptanalysis showing it to be gradually weaker and weaker, so I highly doubt the total break, if one is ever discovered, will come as a surprise. However, I am still curious to know if there is an official policy on the matter.

Tags: aes nist rijndael standards

asked Jan 17 at 8:30, edited Jan 21 at 5:18
forest

  • I think the first approach against an attack was increasing the key size. Though this may not prevent all kinds of attacks. – kelalaka, Jan 17 at 8:49

  • @kelalaka increasing key size does not necessarily increase the security. For example, the best known attack on AES256 is better than the best known attack on AES128. – redplum, Jan 17 at 12:11

  • @redplum That's a related key attack which is not an issue when you're using AES with random keys. – forest, Jan 17 at 12:12

  • Note that chances are that a replacement of all AES implementations would take about a decade (based on similar estimates for a migration to PQ crypto), longer if additional time is needed to select a replacement (2-5 years). – SEJPM, Jan 17 at 12:38

  • Of course, with the government shutdown, this question could not have come at a worse time. – Maarten Bodewes, Jan 17 at 13:58

2 Answers

I'm not aware of any official NIST policy on the matter, so I can only make educated guesses.



I guess new algorithms have sprung up and are already in place. ChaCha20 is used in TLS 1.2 and 1.3, although the Poly1305 MAC does still rely on AES. For hash functions: neither SHA-2 nor SHA-3 depends on AES in any way. The sponge function in Keccak (SHA-3) can also be used as a symmetric cipher (Ketje, Keyak and Kravatte) and, with a bit of tweaking, as a MAC (KMAC). So rather than move backwards, I think NIST would simply standardize on existing ciphers together with more modern ciphers based on Keccak.



Although I see merit in the answer of AleksanderRas, I personally don't think that one of the original AES candidates would be chosen as the new AES (or FES, for fixed encryption standard). The world has moved on; there are likely more secure and certainly faster block ciphers around. For instance, I could see that Bruce Schneier and the Skein team would choose Threefish over Twofish. Possibly Serpent would stand a chance if Rijndael is broken, as the runner-up with a high security margin. It does seem to have much in common with AES though, so a break might also influence the security of Serpent, even if it does have a high number of rounds.



This brings us to an important final point: possibly a broken AES could simply be fixed by upping the number of rounds. In that case: the king is dead, long live the king. The hardware is there after all, and quite often the number of rounds can be configured. This would make the most sense in the short term and would allow NIST some breathing space to think of a replacement.

answered Jan 17 at 14:03, edited Jan 17 at 15:54
Maarten Bodewes

  • And another one 3-AES :) – kelalaka, Jan 17 at 15:48

  • Thanks for the corrections, kelalaka. I think AESede sounds better :) – Maarten Bodewes, Jan 17 at 16:18

  • I wanna see the Keccak cipher. – Joshua, Jan 17 at 17:22

  • Why would they choose Threefish? Wasn't it designed for Skein, not as a general-purpose block cipher? – forest, Jan 19 at 3:12

  • @forest Possibly. There were hints at performing encryption using the tweakable block cipher as well in Skein. We'd have to ask the author (actually I did ask the author) but at that time they were understandably more concerned with the Skein / SHA-3 competition for sure (and, at that time, I wasn't ready to ask the question either, as I was still mentioning CBC and stuff). You can however see that the Keccak authors are also continuing to create a full symmetric cryptosystem out of their sponge construction. – Maarten Bodewes, Jan 19 at 11:23

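The "just add rounds" option raised in the answer above (and in the question) is easy to state and worth seeing concretely. The following is an added example, not code from the thread, from NIST or from any of the people quoted here: a minimal AES-128 in Python whose number of rounds is a parameter. With 10 rounds it reproduces the FIPS-197 known-answer vectors (Appendix B and C.1); with any other round count it produces a different ciphertext for the same key and block, which is the practical consequence of changing the round count: the result is a new, non-interoperable cipher until it is re-specified and every implementation is updated. Continuing the key schedule past round 10 by carrying on the Rcon doubling in GF(2^8) is this example's own assumption, not something FIPS-197 defines, and the function names (`gf_mul`, `expand_key`, `encrypt_block`, `round_variants`) are mine.

```python
# Added example: AES-128 with a configurable round count (rounds=10 is the
# standard cipher). Continuing the key schedule past round 10 is an assumption.
from typing import Dict, List


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (the AES polynomial)."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r & 0xFF


def _build_sbox() -> List[int]:
    """Derive the S-box from its definition: field inverse, then affine map."""
    sbox = [0] * 256
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if gf_mul(x, y) == 1)
        s = inv
        for i in range(1, 5):  # s = inv ^ rotl(inv,1) ^ rotl(inv,2) ^ rotl(inv,3) ^ rotl(inv,4)
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()


def expand_key(key: bytes, rounds: int) -> List[List[int]]:
    """AES-128 key schedule: rounds+1 round keys of 16 bytes each (column-major).

    Beyond round 10 the round constant is simply doubled again in GF(2^8);
    that continuation is this example's assumption, not part of FIPS-197.
    """
    if len(key) != 16:
        raise ValueError("only the 128-bit key schedule is implemented here")
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 4 * (rounds + 1)):
        t = w[i - 1][:]
        if i % 4 == 0:
            t = t[1:] + t[:1]             # RotWord
            t = [SBOX[b] for b in t]      # SubWord
            t[0] ^= rcon
            rcon = gf_mul(rcon, 2)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(rounds + 1)]


def _mix_columns(s: List[int]) -> List[int]:
    """MixColumns over a column-major 16-byte state (index = row + 4*column)."""
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        out += [
            gf_mul(a[0], 2) ^ gf_mul(a[1], 3) ^ a[2] ^ a[3],
            a[0] ^ gf_mul(a[1], 2) ^ gf_mul(a[2], 3) ^ a[3],
            a[0] ^ a[1] ^ gf_mul(a[2], 2) ^ gf_mul(a[3], 3),
            gf_mul(a[0], 3) ^ a[1] ^ a[2] ^ gf_mul(a[3], 2),
        ]
    return out


def encrypt_block(block: bytes, key: bytes, rounds: int = 10) -> bytes:
    """Encrypt one 16-byte block; rounds=10 is AES-128 exactly as specified."""
    if len(block) != 16:
        raise ValueError("AES works on 16-byte blocks")
    rk = expand_key(key, rounds)
    s = [b ^ k for b, k in zip(block, rk[0])]               # initial AddRoundKey
    for r in range(1, rounds + 1):
        s = [SBOX[b] for b in s]                             # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]   # ShiftRows
        if r != rounds:                                      # final round skips MixColumns
            s = _mix_columns(s)
        s = [b ^ k for b, k in zip(s, rk[r])]                # AddRoundKey
    return bytes(s)


# Known-answer tests from FIPS-197, Appendix B and Appendix C.1: (key, plaintext, ciphertext).
FIPS197_VECTORS = [
    ("2b7e151628aed2a6abf7158809cf4f3c", "3243f6a8885a308d313198a2e0370734",
     "3925841d02dc09fbdc118597196a0b32"),
    ("000102030405060708090a0b0c0d0e0f", "00112233445566778899aabbccddeeff",
     "69c4e0d86a7b0430d8cdb78070b4c55a"),
]


def fips197_vectors_ok() -> bool:
    """True iff the 10-round cipher reproduces both FIPS-197 known answers."""
    return all(encrypt_block(bytes.fromhex(pt), bytes.fromhex(k)).hex() == ct
               for k, pt, ct in FIPS197_VECTORS)


def round_variants(block: bytes, key: bytes, round_counts=(10, 12, 14)) -> Dict[int, str]:
    """Same key and block under several round counts; each hex ciphertext differs."""
    return {n: encrypt_block(block, key, n).hex() for n in round_counts}


if __name__ == "__main__":
    print("FIPS-197 known answers:", "ok" if fips197_vectors_ok() else "FAIL")
    k, pt, _ = FIPS197_VECTORS[1]
    for n, ct in round_variants(bytes.fromhex(pt), bytes.fromhex(k)).items():
        print(f"{n:2d} rounds -> {ct}")
```

Run as a script it first confirms the 10-round output against the two FIPS-197 vectors, then prints the 10-, 12- and 14-round ciphertexts of the same block under the same key; only the first is AES, the other two are what a "more rounds" variant would have to be standardized and redeployed as. The table-driven S-box is written for readability, not constant time, which is one reason deployed AES lives in hardware instructions or bit-sliced code rather than in lookups like these.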

Selection process



  1. January 1997: The Department of Commerce, together with the National Institute of Standards and Technology (NIST), announced an international search for a successor to DES.

The requirements for AES are:



  • AES must be a symmetrical algorithm, specifically a block cipher

  • AES must use 128-bit block sizes (192-bit and 256-bit could be possible extensions)

  • AES must support key sizes of 128-bit, 192-bit and 256-bit

  • AES must be relatively easy to implement in hardware and software

  • AES must have an above average performance

  • AES must be resistant to all known attacks of cryptanalysis (especially power and timing attacks)

  • AES must be usable in Smartcards (low computer memory)

  • AES must be free to use and open source

The possibility to submit a candidate ended on June 15, 1998.

In total there were 15 proposals submitted.

Five out of the 15 were selected as possible successors to DES, one of which would be named AES:



  • MARS cipher

  • RC6

  • Rijndael (AES)

  • Serpent

  • Twofish

All of these algorithms met the requirements. The Rijndael algorithm was chosen because it was especially high-performance in hardware and software (it only needs 500 lines of code in C).



Even though I could not find any notion of "next steps" if the current AES were broken (also, as of now NIST is partly down because of the government shutdown), I, personally, would suggest the following: try the attack that breaks the Rijndael algorithm on the other 4 algorithms and evaluate whether it also breaks any of these. If one is resistant to this attack, then that one should be chosen as the new AES.

  • 2




    $begingroup$
    If one is resistant to this attack, then that one would be chosen as the new AES. - I think you really need a citation for this claim. "I think" is not a good format for answers regarding the official policies of NIST. It might seem like a reasonable thing for them to do, but that doesn't mean it's what they plan on doing.
    $endgroup$
    – Ella Rose
    Jan 17 at 15:57






  • 1




    $begingroup$
    True, I changed my answer to make it more clear that this is my personal opinion on the matter
    $endgroup$
    – AleksanderRas
    Jan 18 at 8:17










  • $begingroup$
    I already know what I would personally do. I also feel I know what certain major vendors would do, but that doesn't answer what the US government would do for the standards. After all, if a major vendor switches to 18-round Rijndael or to Serpent, they could no longer claim to be using a government standard. The companies that absolutely need to use a government standard would probably revert to 3DES.
    $endgroup$
    – forest
    Jan 19 at 3:15











Your Answer





StackExchange.ifUsing("editor", function ()
return StackExchange.using("mathjaxEditing", function ()
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
);
);
, "mathjax-editing");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66553%2fis-there-a-contingency-plan-in-the-event-of-a-catastrophic-attack-on-aes%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























2 Answers
2






active

oldest

votes








2 Answers
2






active

oldest

votes









active

oldest

votes






active

oldest

votes









12












$begingroup$

I'm not aware of any official NIST policy on the matter, so I can only make educated guesses.



I guess new algorithms have sprung up and are already in place. Chacha20 is used in TLS 1.2 and 1.3 although the Poly1305 MAC does still rely on AES. For hash functions: neither SHA-2 nor SHA-3 are depending on AES in any way. The sponge function in Keccak (SHA-3) can also be used as a symmetric cipher (Ketje, Keyak and Kravasse) and - with a bit of tweaking - as MAC (KMac). So rather than to move backwards I think NIST would simply standardize on existing ciphers together with more modern ciphers based on Keccak.



Although I see merit in the answer of AleksanderRas, I personally don't think that one of the original AES candidates would be chosen as new AES (or FES, for fixed encryption standard). The world has moved on; there are likely more secure and certainly faster block ciphers around. For instance, I could see that Bruce Schneier and the Skein team would choose Threefish over Twofish. Possibly Serpent would make a chance if Rijndael is broken, as runner up with a high security margin. It does seem to have much in common with AES though, so maybe a break could also influence the security of Serpent, even if it does have a high number of rounds.



This brings us to an important final point: possibly a broken AES could simply be fixed by upping the number of rounds. In that case: the king is dead, long live the king. The hardware is there after all, and quite often the number of rounds can be configured. This would make the most sense in the short term and would allow NIST some breathing space to think of a replacement.






share|improve this answer











$endgroup$








  • 6




    $begingroup$
    And another one 3-AES :)
    $endgroup$
    – kelalaka
    Jan 17 at 15:48






  • 2




    $begingroup$
    Thanks for the corrections, kelalaka. I think AESede sounds better :)
    $endgroup$
    – Maarten Bodewes
    Jan 17 at 16:18






  • 1




    $begingroup$
    I wanna see the Keccak cipher.
    $endgroup$
    – Joshua
    Jan 17 at 17:22










  • $begingroup$
    Why would they choose Threefish? Wasn't it designed for Skein, not as a general-purpose block cipher?
    $endgroup$
    – forest
    Jan 19 at 3:12










  • $begingroup$
    @forest Possibly. There were hints for performing encryption using the tweakable block cipher as well in Skein. We'd have to ask the author - actually I did ask the author - but at that time they were understandably more concerned with Skein / SHA-3 competition for sure (and, at that time I wasn't ready to ask the question either, as I was still mentioning CBC and stuff). You can however see that the Keccak authors also are continuing to create a full symmetric cryptosystem out of their sponge construction.
    $endgroup$
    – Maarten Bodewes
    Jan 19 at 11:23
















12












$begingroup$

I'm not aware of any official NIST policy on the matter, so I can only make educated guesses.



I guess new algorithms have sprung up and are already in place. Chacha20 is used in TLS 1.2 and 1.3 although the Poly1305 MAC does still rely on AES. For hash functions: neither SHA-2 nor SHA-3 are depending on AES in any way. The sponge function in Keccak (SHA-3) can also be used as a symmetric cipher (Ketje, Keyak and Kravasse) and - with a bit of tweaking - as MAC (KMac). So rather than to move backwards I think NIST would simply standardize on existing ciphers together with more modern ciphers based on Keccak.



Although I see merit in the answer of AleksanderRas, I personally don't think that one of the original AES candidates would be chosen as new AES (or FES, for fixed encryption standard). The world has moved on; there are likely more secure and certainly faster block ciphers around. For instance, I could see that Bruce Schneier and the Skein team would choose Threefish over Twofish. Possibly Serpent would make a chance if Rijndael is broken, as runner up with a high security margin. It does seem to have much in common with AES though, so maybe a break could also influence the security of Serpent, even if it does have a high number of rounds.



This brings us to an important final point: possibly a broken AES could simply be fixed by upping the number of rounds. In that case: the king is dead, long live the king. The hardware is there after all, and quite often the number of rounds can be configured. This would make the most sense in the short term and would allow NIST some breathing space to think of a replacement.






share|improve this answer











$endgroup$








  • 6




    $begingroup$
    And another one 3-AES :)
    $endgroup$
    – kelalaka
    Jan 17 at 15:48






  • 2




    $begingroup$
    Thanks for the corrections, kelalaka. I think AESede sounds better :)
    $endgroup$
    – Maarten Bodewes
    Jan 17 at 16:18






  • 1




    $begingroup$
    I wanna see the Keccak cipher.
    $endgroup$
    – Joshua
    Jan 17 at 17:22










  • $begingroup$
    Why would they choose Threefish? Wasn't it designed for Skein, not as a general-purpose block cipher?
    $endgroup$
    – forest
    Jan 19 at 3:12










  • $begingroup$
    @forest Possibly. There were hints for performing encryption using the tweakable block cipher as well in Skein. We'd have to ask the author - actually I did ask the author - but at that time they were understandably more concerned with Skein / SHA-3 competition for sure (and, at that time I wasn't ready to ask the question either, as I was still mentioning CBC and stuff). You can however see that the Keccak authors also are continuing to create a full symmetric cryptosystem out of their sponge construction.
    $endgroup$
    – Maarten Bodewes
    Jan 19 at 11:23














12












12








12





$begingroup$

I'm not aware of any official NIST policy on the matter, so I can only make educated guesses.



I guess new algorithms have sprung up and are already in place. Chacha20 is used in TLS 1.2 and 1.3 although the Poly1305 MAC does still rely on AES. For hash functions: neither SHA-2 nor SHA-3 are depending on AES in any way. The sponge function in Keccak (SHA-3) can also be used as a symmetric cipher (Ketje, Keyak and Kravasse) and - with a bit of tweaking - as MAC (KMac). So rather than to move backwards I think NIST would simply standardize on existing ciphers together with more modern ciphers based on Keccak.



Although I see merit in the answer of AleksanderRas, I personally don't think that one of the original AES candidates would be chosen as new AES (or FES, for fixed encryption standard). The world has moved on; there are likely more secure and certainly faster block ciphers around. For instance, I could see that Bruce Schneier and the Skein team would choose Threefish over Twofish. Possibly Serpent would make a chance if Rijndael is broken, as runner up with a high security margin. It does seem to have much in common with AES though, so maybe a break could also influence the security of Serpent, even if it does have a high number of rounds.



This brings us to an important final point: possibly a broken AES could simply be fixed by upping the number of rounds. In that case: the king is dead, long live the king. The hardware is there after all, and quite often the number of rounds can be configured. This would make the most sense in the short term and would allow NIST some breathing space to think of a replacement.






share|improve this answer











$endgroup$



I'm not aware of any official NIST policy on the matter, so I can only make educated guesses.



I guess new algorithms have sprung up and are already in place. Chacha20 is used in TLS 1.2 and 1.3 although the Poly1305 MAC does still rely on AES. For hash functions: neither SHA-2 nor SHA-3 are depending on AES in any way. The sponge function in Keccak (SHA-3) can also be used as a symmetric cipher (Ketje, Keyak and Kravasse) and - with a bit of tweaking - as MAC (KMac). So rather than to move backwards I think NIST would simply standardize on existing ciphers together with more modern ciphers based on Keccak.



Although I see merit in the answer of AleksanderRas, I personally don't think that one of the original AES candidates would be chosen as new AES (or FES, for fixed encryption standard). The world has moved on; there are likely more secure and certainly faster block ciphers around. For instance, I could see that Bruce Schneier and the Skein team would choose Threefish over Twofish. Possibly Serpent would make a chance if Rijndael is broken, as runner up with a high security margin. It does seem to have much in common with AES though, so maybe a break could also influence the security of Serpent, even if it does have a high number of rounds.



This brings us to an important final point: possibly a broken AES could simply be fixed by upping the number of rounds. In that case: the king is dead, long live the king. The hardware is there after all, and quite often the number of rounds can be configured. This would make the most sense in the short term and would allow NIST some breathing space to think of a replacement.







share|improve this answer














share|improve this answer



share|improve this answer








edited Jan 17 at 15:54

























answered Jan 17 at 14:03









Maarten BodewesMaarten Bodewes

54.2k678193




54.2k678193







  • 6




    $begingroup$
    And another one 3-AES :)
    $endgroup$
    – kelalaka
    Jan 17 at 15:48






  • 2




    $begingroup$
    Thanks for the corrections, kelalaka. I think AESede sounds better :)
    $endgroup$
    – Maarten Bodewes
    Jan 17 at 16:18






  • 1




    $begingroup$
    I wanna see the Keccak cipher.
    $endgroup$
    – Joshua
    Jan 17 at 17:22










  • $begingroup$
    Why would they choose Threefish? Wasn't it designed for Skein, not as a general-purpose block cipher?
    $endgroup$
    – forest
    Jan 19 at 3:12










  • $begingroup$
    @forest Possibly. There were hints for performing encryption using the tweakable block cipher as well in Skein. We'd have to ask the author - actually I did ask the author - but at that time they were understandably more concerned with Skein / SHA-3 competition for sure (and, at that time I wasn't ready to ask the question either, as I was still mentioning CBC and stuff). You can however see that the Keccak authors also are continuing to create a full symmetric cryptosystem out of their sponge construction.
    $endgroup$
    – Maarten Bodewes
    Jan 19 at 11:23













5












$begingroup$

Selection process

  1. January 1997: The Department of Commerce, in combination with the National Institute of Standards and Technology (NIST), announced an international search for a successor to DES.

The requirements for AES are:

  • AES must be a symmetric algorithm, specifically a block cipher

  • AES must use 128-bit block sizes (192-bit and 256-bit could be possible extensions)

  • AES must support key sizes of 128-bit, 192-bit and 256-bit

  • AES must be relatively easy to implement in hardware and software

  • AES must have an above-average performance

  • AES must be resistant to all known attacks of cryptanalysis (especially power and timing attacks)

  • AES must be usable in smartcards (low computer memory)

  • AES must be free to use and open source

The possibility to submit a possible AES ended on June 15, 1998.

In total there were 15 proposals submitted.

5 out of 15 were selected as a possible successor to DES, which would be named AES:

  • MARS cipher

  • RC6

  • Rijndael (AES)

  • Serpent

  • Twofish

All of these algorithms met the requirements. The Rijndael algorithm was chosen because it was especially high-performance in hardware and software (it only needs 500 lines of code in C).

Even though I could not find any notion of "next steps" if the current AES were broken (also, as of now NIST is partly down because of the government shutdown), I personally would suggest the following: try the attack that breaks the Rijndael algorithm on the other 4 algorithms and evaluate whether it also breaks any of these. If one is resistant to this attack, then that one should be chosen as the new AES.






$endgroup$








  • 2




    $begingroup$
    If one is resistant to this attack, then that one would be chosen as the new AES. - I think you really need a citation for this claim. "I think" is not a good format for answers regarding the official policies of NIST. It might seem like a reasonable thing for them to do, but that doesn't mean it's what they plan on doing.
    $endgroup$
    – Ella Rose
    Jan 17 at 15:57






  • 1




    $begingroup$
    True, I changed my answer to make it more clear that this is my personal opinion on the matter
    $endgroup$
    – AleksanderRas
    Jan 18 at 8:17










  • $begingroup$
    I already know what I would personally do. I also feel I know what certain major vendors would do, but that doesn't answer what the US government would do for the standards. After all, if a major vendor switches to 18-round Rijndael or to Serpent, they could no longer claim to be using a government standard. The companies that absolutely need to use a government standard would probably revert to 3DES.
    $endgroup$
    – forest
    Jan 19 at 3:15
















edited Jan 18 at 8:16
answered Jan 17 at 13:02









AleksanderRas
2,182






