Note: This document is the combination of two separate documents from the Web: A short summary and then the FAQ page from the National Institute of Standards and Technology (NIST) was pulled from the Web and has been included here in full detail. The AES Algorithm is the successor to the venerable DES algorithm, and is not the Federal Standard (FIPS-197) for encypting unclassified, but sensitive information.

Table of Contents for the Advanced Encryption Standard (AES Algorithm FAQ


  1. Background Information on the AES Algorithm

  2. How the Winning AES Algorithm was Selected

  3. Security for the AES Algorithm

  4. Will AES Replace DES and 3DES?

  5. How did NIST Test the AES Algorithm

  6. Return to the Main Menu



Return to the Beginning of This Document


The Advanced Encryption Standard (AES) is an encryption algorithm for securing sensitive but unclassified material by U.S. Government agencies and, as a likely consequence, may eventually become the de facto encryption standard for commercial transactions in the private sector. (Encryption for the US military and other classified communications is handled by separate, secret algorithms.)

In January of 1997, a process was initiated by the National Institute of Standards and Technology (NIST), a unit of the U.S. Commerce Department, to find a more robust replacement for the Data Encryption Standard (DES) and to a lesser degree Triple DES.

The specification called for a symmetric algorithm (same key for encryption and decryption) using block encryption (see block cipher) of 128 bits in size, supporting key sizes of 128, 192 and 256 bits, as a minimum. The algorithm was required to be royalty-free for use worldwide and offer security of a sufficient level to protect data for the next 20 to 30 years.

It was to be easy to implement in hardware and software, as well as in restricted environments (for example, in a smart card) and offer good defenses against various attack techniques.

The entire selection process was fully open to public scrutiny and comment, it being decided that full visibility would ensure the best possible analysis of the designs. In 1998, the NIST selected 15 candidates for the AES, which were then subject to preliminary analysis by the world cryptographic community, including the National Security Agency. On the basis of this, in August 1999, NIST selected five algorithms for more extensive analysis. These were:

  1. MARS, submitted by a large team from IBM Research

  2. RC6, submitted by RSA Security

  3. Rijndael, submitted by two Belgian cryptographers, Joan Daemen and Vincent Rijmen

  4. Serpent, submitted by Ross Andersen, Eli Biham and Lars Knudsen

  5. Twofish, submitted by a large team of researchers including Counterpane's respected cryptographer, Bruce Schneier

Implementations of all of the above were tested extensively in ANSI C and Java languages for speed and reliability in such measures as encryption and decryption speeds, key and algorithm set-up time and resistance to various attacks, both in hardware- and software-centric systems. Once again, detailed analysis was provided by the global cryptographic community (including some teams trying to break their own submissions).

On October 2, 2000, NIST announced that Rijndael had been selected as the proposed standard. On December 6, 2001, the Secretary of Commerce officially approved Federal Information Processing Standard (FIPS) 197, which specifies that all sensitive, unclassified documents will use Rijndael as the Advanced Encryption Standard.

What follows is the full Frequently Asked Questions for the AES algorithm, which can be found at the www.aes.org web site.


ADVANCED ENCRYPTION STANDARD (AES)
Questions and Answers

Part 1: Background Information for the AES Algorithm


  1. What is the Advanced Encryption Standard (AES)?
  2. The Advanced Encryption Standard (AES) is a Federal Information Processing Standard (FIPS), specifically, FIPS Publication 197, that specifies a cryptographic algorithm for use by U.S. Government organizations to protect sensitive, unclassified information. NIST anticipates that the AES will be widely used on a voluntary basis by organizations, institutions, and individuals outside of the U.S. Government - and outside of the United States - in some cases.


  3. What algorithm did NIST select for the AES, and how do you pronounce it?
  4. NIST selected Rijndael as the AES algorithm. The algorithm's developers have suggested the following pronunciation alternatives: "Reign Dahl", "Rain Doll", and "Rhine Dahl".


  5. Who submitted the algorithm, and where are they from?
  6. The two researchers who developed and submitted Rijndael for the AES are both cryptographers from Belgium: Dr. Joan Daemen (Yo'-ahn Dah'-mun) of Proton World International and Dr. Vincent Rijmen (Rye'-mun), a postdoctoral researcher in the Electrical Engineering Department (ESAT) of Katholieke Universiteit Leuven. Both gentlemen have been very active in the cryptographic community.


  7. Is there a document that provides details on NIST's selection for the AES?
  8. NIST's ad hoc AES selection "team" wrote a Report on the Development of the Advanced Encryption Standard (AES). It is a comprehensive report that discusses various issues related to the AES, presents analysis and comments received during the public comment period, summarizes characteristics of the five finalist AES algorithms, compares and contrasts the finalists, and presents NIST's selection of Rijndael.

    Complete AES-related information is available on the AES home page. The site includes NIST's Report on the Development of the Advanced Encryption Standard (AES); Rijndael specifications, test values, and code; all public comments, including analysis papers from the various AES conferences; and other "historical" AES information.


  9. Why is this approval of the AES FIPS significant?
  10. This announcement marks the culmination of a four-year effort involving the cooperation between the U.S. Government, and private industry and academia from around the world to develop an encryption technique that has the potential to be used by millions of people in the years to come. NIST anticipates that this algorithm will be used widely - both domestically and internationally.


  11. Is the AES now an official U.S. Government standard?
  12. Yes. The Secretary of Commerce approved the adoption of the AES as an official Government standard, effective May 26, 2002.


    Return to the Beginning of This Document


    Part 2: NIST's Selection of the AES Algorithm


  13. Why did NIST select Rijndael to propose for the AES?
  14. When considered together, Rijndael's combination of security, performance, efficiency, ease of implementation and flexibility make it an appropriate selection for the AES.

    Specifically, Rijndael appears to be consistently a very good performer in both hardware and software across a wide range of computing environments regardless of its use in feedback or non-feedback modes. Its key setup time is excellent, and its key agility is good. Rijndael's very low memory requirements make it very well suited for restricted-space environments, in which it also demonstrates excellent performance. Rijndael's operations are among the easiest to defend against power and timing attacks.

    Additionally, it appears that some defense can be provided against such attacks without significantly impacting Rijndael's performance. Rijndael is designed with some flexibility in terms of block and key sizes, and the algorithm can accommodate alterations in the number of rounds, although these features would require further study and are not being considered at this time. Finally, Rijndael's internal round structure appears to have good potential to benefit from instruction-level parallelism.


  15. What about the other four algorithms that were not selected?
  16. In terms of security, NIST states in its report that "all five algorithms appear to have adequate security for the AES." NIST is not saying that there is anything "wrong" with any of the other four algorithms. However, when all of the analysis and comments were taken into consideration, the NIST team felt that Rijndael was the best selection for the AES.


  17. Why did NIST select only one algorithm to propose for the AES?
  18. NIST considered the possibility of selecting multiple algorithms for the AES, since that was a topic of discussion during the public evaluation periods. Many arguments were made both for and against the inclusion of multiple algorithms in the standard, and NIST's AES selection team considered those comments prior to evaluating the algorithms.

    Briefly, NIST's AES selection team decided to select only one algorithm for several reasons. First, other FIPS-approved algorithms (e.g., Triple DES) offer a degree of systemic resiliency, should a problem arise with the AES. Second, multiple AES key sizes provide for increased levels of security. Third, a single algorithm AES will promote interoperability and decrease the complexity of implementations that will be built to comply with the AES specifications, hopefully promoting lower implementation costs than a multiple algorithm AES. Fourth, a single AES algorithm addresses vendors' concerns regarding potential intellectual property costs.

    NIST's report offers more details.


  19. Is NIST designating a backup algorithm?
  20. No. Based on public comments and discussion, NIST's AES selection team decided not to designate a "backup" algorithm from among the other four finalists. Some vendors expressed concerns that a backup algorithm would become a de facto requirement in products (for immediate availability in the future), leading to higher implementation costs and a potential decrease in the interoperability of AES products. Also, given the uncertainty of the potential applicability of future breakthroughs in cryptanalysis, it would be unclear whether a designated backup would actually provide any resiliency for the main algorithm selection. Finally, NIST's AES selection team anticipated that other algorithms (whether specified in Government standards or not) will continue to be available in commercial products.

    NIST's report offers more details.


  21. How has the public been involved in the development of the AES?
  22. From the beginning of the AES development effort, NIST has relied on the public's participation, including:


    1. assisting NIST in the design of submission requirements and evaluation criteria (including minimum key and block size requirements and intellectual property requirements);
    2. developing and submitting candidate algorithms;
    3. analyzing the candidates and sharing those results with the public and NIST;
    4. actively participating in several international conferences; and
    5. commenting on the the Draft FIPS for the AES.

NIST expects that the cryptographic community will continue to analyze the AES through various conferences such as CRYPTO, EUROCRYPT, ASIACRYPT, and the Fast Software Encryption Workshop (FSE).


    Return to the Beginning of This Document


    Part 3: Security and Maintenance of the AES


  1. Did NIST consider adding more rounds to Rijndael?
  2. Prior to its evaluation of the five finalists, NIST's AES selection team discussed the issue of whether it should change the number of rounds for one or more of the algorithms, since that issue had been raised by the public during the recent comment period. Some of those public comments offered specific reasons for changing the number of rounds, although many did not, and there seemed to be no agreement regarding which algorithm(s) should be altered (and if so, exactly how that should be done).

    NIST's selection team recognized that changing the number of rounds would decrease the utility of the large amount of analysis that has taken place during the last two years. For some algorithms, it is not clear how the algorithm would be fully defined (e.g., the key schedule) with a different number of rounds, or how such a change would impact the security analysis. Another consideration was that none of the algorithms' submitters proposed to change the number of rounds in their algorithms, when they were given an opportunity to propose minor modifications in the summer of 1999. For these reasons, NIST's AES selection team decided it would be most appropriate to base its evaluation and selection on the five algorithms as they were originally submitted (i.e., without changing the number of rounds).

    NIST's report offers more details.


    Return to the Beginning of This Document


    Part 4: Will the AES Replace DES and 3DES?


  3. Will the AES replace Triple DES and DES? >

    The AES has been developed to replace DES, but NIST anticipates that Triple DES will remain an approved algorithm (for U.S. Government use) for the foreseeable future. Single DES is being phased out of use, and is currently permitted in legacy systems, only.

    Triple DES and DES are specified in FIPS 46-3, while the AES is specified in FIPS 197. The status of the algorithms in each FIPS is handled separately by NIST.


  4. Is NIST concerned that the algorithm is of foreign origin?
  5. No. The complete algorithm specification and design rationale was available for review by NIST, NSA, and the general public for more than two years before the selection. From the beginning of the AES development effort, NIST has indicated that the involvement of the international crypto community has been necessary for the development of a high-quality standard.


  6. Approximately how big are the AES key sizes?
  7. The AES specifies three key sizes: 128, 192 and 256 bits. In decimal terms, this means that there are approximately:

    3.4 x 1038 possible 128-bit keys;

    6.2 x 1057 possible 192-bit keys; and

    1.1 x 1077 possible 256-bit keys.

    In comparison, DES keys are 56 bits long, which means there are approximately 7.2 x 1016 possible DES keys. Thus, there are on the order of 1021 times more AES 128-bit keys than DES 56-bit keys.


  8. What is the chance that someone could use the "DES Cracker"-like hardware to crack an AES key?
  9. In the late 1990s, specialized "DES Cracker" machines were built that could recover a DES key after a few hours. In other words, by trying possible key values, the hardware could determine which key was used to encrypt a message.

    Assuming that one could build a machine that could recover a DES key in a second (i.e., try 255 keys per second), then it would take that machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be less than 20 billion years old.


  10. Will NIST continue to monitor the algorithm's security, and how will it handle security issues that may arise in the future?
  11. Yes. As is the case with its other cryptographic algorithm standards, NIST will continue to follow developments in the cryptanalysis of Rijndael. The AES will be formally reevaluated every five years. Maintenance activities for the standard will be developed at the appropriate time, in full consideration of the situation's particular circumstances. Should an issue arise that requires more immediate attention, NIST will act expeditiously and consider all available alternatives at that time.


  12. How long will the AES last?
  13. No one can be sure how long the AES - or any other cryptographic algorithm - will remain secure. However, NIST's Data Encryption Standard (DES) was a U.S. Government standard for approximately twenty years before it was known to be "cracked" by massive parallel network computer attacks and special-purpose "DES-cracking" hardware. The AES supports significantly larger key sizes than what DES supports. Barring any attacks against AES that are faster than key exhaustion, then even with future advances in technology, AES has the potential to remain secure well beyond twenty years.


    Return to the Beginning of This Document


    Part 5: Implementation, Testing, and Use of the AES


  14. Who will be required to implement and use the AES?
  15. The AES algorithm is an approved encryption algorithm that can be used by U.S. Government organizations to protect sensitive (unclassified) information. As is currently the case, those Government organizations will be able to use other FIPS-approved algorithms in addition to, or in lieu of, the AES.

    Commercial and other non-U.S. Government organizations are invited - but not required - to adopt and implement the AES and NIST's other cryptographic standards.


  16. Will NIST test for the conformance of products with the AES?
  17. Confromance testing of the AES will be conducted under the Cryptographic Module Validation Program (CMVP), run jointly by NIST and the Communications Security Establishment (CSE) of the Government of Canada. Commercial, accredited laboratories test cryptographic implementations for conformance to NIST's standards, and if the implementations conform, then NIST and CSE issue jointly-signed validation certificates for those implementations.


  18. Are test values and reference code available for the AES?
  19. Yes, test values and code provided by the Rijndael submitters are available, in order to assist implementers.


  20. Will implementations of the AES be exportable?
  21. Yes, AES implementations will be exportable, and AES implementations in proprietary systems will just need a one-time review prior to export. For full details, please contact the Department of Commerce's Bureau of Export Administration (BXA), which maintains the export regulations related to cryptographic technology. More information on current export regulations is available from BXA's Information Technology Controls Division; TEL: (202) 482-0707, or FAX: (202) 501-0784.


This FAQ was Last Modified by NIST on: January 28, 2002


Return to the Beginning of This Document