AES is a block cipher that will replace DES, but it is anticipated that Triple DES will remain an approved algorithm for U.S. Government use. Triple DES and DES are specified in FIPS 46-3.
The AES initiative was announced in January 1997 by NIST, and candidate encryption algorithm submissions were solicited.
On August 29, 1998, a group of 15 AES candidates were announced by NIST.
In 1999, NIST announced five finalist candidates.
These candidates were MARS, RC6, Rijndael, Serpent, and Twofish. NIST closed Round 2 of public analyses of these algorithms on May 15, 2000.
On October 2, 2000, NIST announced the selection of the Rijndael Block Cipher, developed by the Belgian cryptographers Dr. Joan Daemen and Dr. Vincent Rijmen, as the proposed AES algorithm. Rijndael was formalized as the Advanced Encryption Standard (AES) on November 26, 2001, as Federal Information Processing Standard Publication 197 (FIPS PUB 197). FIPS PUB 197 states that "This standard may be used by Federal departments and agencies when an agency determines that sensitive (unclassified) information (as defined in P.L. 100-235) requires cryptographic protection. Other FIPS-approved cryptographic algorithms may be used in addition to, or in lieu of, this standard."
Depending upon which of the three key sizes is used, the standard is referred to as AES-128, AES-192, or AES-256. It is expected that AES will be adopted by other private and public organizations inside and outside the United States.
The Rijndael Block Cipher
The Rijndael algorithm was designed to have the following properties:
Resistance against all known attacks
Design simplicity
Code compactness and speed on a wide variety of platforms
The Rijndael cipher can be categorized as an iterated block cipher with a variable block length and key length that can be independently chosen as 128, 192, or 256 bits. In decimal terms, there are approximately 3.4 × 10^38 possible 128-bit keys, 6.2 × 10^57 possible 192-bit keys, and 1.1 × 10^77 possible 256-bit keys.
AES specifies three key sizes (128, 192, and 256 bits) with a fixed block size of 128 bits.
As a measure of the relative strength of the Rijndael encryption algorithm, if a computer could crack the DES encryption by trying 2^56 keys in one second, the same computer would require 149 trillion (149 × 10^12) years to crack Rijndael.
For comparison, the universe is estimated to be fewer than 20 billion (20 × 10^9) years old.
Rijndael defines an intermediate cipher result as a State upon which the transformations that are defined in the cipher operate. Instead of a Feistel network that takes a portion of the modified plaintext and transposes it to another position, the Rijndael Cipher employs a round transformation that is composed of three layers of distinct and invertible transformations.
These transformations are also defined as uniform, which means that every bit of the State is treated the same. Each of the layers has the following respective functions:
The non-linear layer: the parallel application of S-boxes that have optimum worst-case non-linearity properties.
The linear mixing layer: a layer that guarantees high diffusion over multiple rounds.
The key addition layer: an Exclusive Or of the Round Key with the intermediate State.
Round keys are derived from the Cipher Key through a key schedule, which consists of a key expansion and Round Key selection, defined as follows in the Rijndael Block Cipher AES Proposal (AES Proposal: Rijndael, Joan Daemen and Vincent Rijmen, version 2, 9/8/99), submitted to NIST:
"The total number of Round Key bits is equal to block length multiplied by the number of rounds plus 1 (e.g., for a block length of 128 bits and 10 rounds, 1408 Round Key bits are needed). The Cipher Key is expanded into an Expanded Key. Round Keys are taken from the Expanded Key . . . ."
The number of rounds used in the Rijndael cipher is a function of the key size as follows:
256-bit key: 14 rounds
192-bit key: 12 rounds
128-bit key: 10 rounds
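The key schedule just quoted, as an added example that is not the Rijndael proposal's or FIPS-197's own code: a Python implementation of the FIPS-197 key expansion that builds the S-box from its GF(2^8) definition rather than copying the lookup table, derives the Nr + 1 Round Keys for any of the three key sizes, and counts the Round Key bits (1408 for a 128-bit key and 10 rounds). All function names are my own.

```python
# AES (Rijndael) key schedule, FIPS-197 Section 5.2 (added example): expand a
# 128/192/256-bit Cipher Key into Nr + 1 Round Keys; S-box computed, not tabulated.

def _xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    return (a << 1) ^ 0x11B if a & 0x80 else a << 1

def _gf_mul(a, b):
    """Multiply two field elements by shift-and-add."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a, b = _xtime(a), b >> 1
    return p

def _sbox_entry(a):
    """S-box: multiplicative inverse (0 maps to 0), then the affine map."""
    inv = a
    for _ in range(253):  # a^254 == a^-1 in GF(2^8); 0 stays 0
        inv = _gf_mul(inv, a)
    s = 0x63              # affine constant
    for k in range(5):    # inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
        s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
    return s

SBOX = [_sbox_entry(i) for i in range(256)]

def expand_key(key):
    """Return the Nr + 1 Round Keys (16 bytes each) for a 16/24/32-byte key."""
    if len(key) not in (16, 24, 32):
        raise ValueError("AES key must be 128, 192 or 256 bits")
    nk, nr = len(key) // 4, len(key) // 4 + 6   # key words (4/6/8), rounds (10/12/14)
    w = [key[i:i + 4] for i in range(0, len(key), 4)]
    rcon = 0x01                                 # round constant x^(i/nk - 1)
    for i in range(nk, 4 * (nr + 1)):
        t = w[i - 1]
        if i % nk == 0:
            t = bytes(SBOX[b] for b in t[1:] + t[:1])  # RotWord then SubWord
            t = bytes([t[0] ^ rcon]) + t[1:]           # xor Rcon into byte 0
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:
            t = bytes(SBOX[b] for b in t)              # extra SubWord for AES-256
        w.append(bytes(x ^ y for x, y in zip(w[i - nk], t)))
    return [b"".join(w[4 * r:4 * r + 4]) for r in range(nr + 1)]

def round_key_bits(key):
    """Total Round Key bits = block length * (rounds + 1): 1408 for AES-128."""
    return sum(len(rk) * 8 for rk in expand_key(key))
```

Running expand_key on the 128-bit key from FIPS-197 Appendix A.1 reproduces the standard's listed expansion (w[4..7] = a0fafe17 88542cb1 23a33939 2a6c7605), which is how a practitioner should check any key-schedule implementation before trusting it.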
The Rijndael Block Cipher is suited for the following types of implementations:
High-speed chips with no area restrictions
A compact co-processor on a smart card