1. What is the Advanced Encryption Standard (AES)?

The Advanced Encryption Standard (AES) will be a new Federal Information Processing Standard (FIPS) Publication that will specify a cryptographic algorithm for use by U.S. Government organizations to protect sensitive (unclassified) information. NIST also anticipates that the AES will be widely used on a voluntary basis by organizations, institutions, and individuals outside of the U.S. Government - and outside of the United States - in some cases.

2. What algorithm has been selected by NIST, and how do you pronounce it?

NIST has selected Rijndael as the proposed AES algorithm. The algorithm's developers have suggested the following pronunciation alternatives: "Reign Dahl," "Rain Doll" and "Rhine Dahl."

3. Who submitted the algorithm, and where are they from?

The two researchers who developed and submitted Rijndael for the AES are both cryptographers from Belgium: Dr. Joan Daemen (Yo'-ahn Dah'-mun) of Proton World International and Dr. Vincent Rijmen (Rye'-mun), a postdoctoral researcher in the Electrical Engineering Department (ESAT) of Katholieke Universiteit Leuven.

4. Is there a document that provides details on NIST's selection for the AES?

NIST's ad hoc AES selection "team" has written Report on the Development of the Advanced Encryption Standard (AES). It is a comprehensive report that discusses various issues related to the AES, presents analysis and comments received during the public comment period, summarizes characteristics of the five finalist AES algorithms, compares and contrasts the finalists, and presents NIST's selection of Rijndael.

Complete AES-related information is available on the AES home page, www.nist.gov/aes. The site includes NIST's Report on the Development of the Advanced Encryption Standard (AES); Rijndael specifications, test values, and code; all public comments, including analysis papers from the various AES conferences; and other "historical" AES information.

5. Why is this announcement of the AES significant?

This announcement marks the culmination of a four-year effort involving the cooperation between the U.S. Government, and private industry and academia from around the world to develop an encryption technique that has the potential to be used by millions of people in the years to come. NIST anticipates that this algorithm will be used widely - both domestically and internationally.

6. Is the AES now an official U.S. Government standard?

No. NIST has simply announced the algorithm that will be formally proposed for incorporation in a new Draft Federal Information Processing Standard (FIPS) for public review and comment. Thereafter, the standard--revised, if appropriate - will be proposed to the Secretary of Commerce for adoption as an official Government standard.

7. When will a draft of the AES standard become available? Will the public be able to comment on the draft standard?

NIST intends to publish a Draft FIPS for the AES approximately one to two months after the AES announcement. At that time, a Federal Register notice will solicit public comments on the Draft FIPS for the AES for a period of 90 days.

When the Federal Register publishes that notice, NIST will post the Draft FIPS for the AES on home page, http://www.nist.gov/aes/, along with information on how and where to submit public comments.

8. When will the AES become an official standard?

The AES will become official after the 90-day public comment period concludes,
NIST makes appropriate changes to the Draft FIPS, and the Secretary of Commerce approves the FIPS. Current estimates place this sometime in the spring of 2001 (i.e., April-June).

9. In summary, what is the projected AES development timeline?

A tentative timeline for the remainder of the AES development effort is as follows:

October 2, 2000 Announcement of NIST's selection for the AES.
November 2000 Draft FIPS for the AES published for public comments.
February 2001 Comment period closes.
April-June 2001 (?) AES FIPS becomes official; conformance testing available.

This timeline is subject to change, depending on the publication date of the Draft FIPS and other factors.

10. Why did NIST select Rijndael to propose for the AES?

When considered together, Rijndael's combination of security, performance, efficiency, ease of implementation and flexibility make it an appropriate selection for the AES.

Specifically, Rijndael appears to be consistently a very good performer in both hardware and software across a wide range of computing environments regardless of its use in feedback or non-feedback modes. Its key setup time is excellent, and its key agility is good. Rijndael's very low memory requirements make it very well suited for restricted-space environments, in which it also demonstrates excellent performance. Rijndael's operations are among the easiest to defend against power and timing attacks.

Additionally, it appears that some defense can be provided against such attacks without significantly impacting Rijndael's performance. Rijndael is designed with some flexibility in terms of block and key sizes, and the algorithm can accommodate alterations in the number of rounds, although these features would require further study and are not being considered at this time. Finally, Rijndael's internal round structure appears to have good potential to benefit from instruction-level parallelism.

11. What about the other four algorithms that were not selected?

In terms of security, NIST states in its report that "all five algorithms appear to have adequate security for the AES." NIST is not saying that there is anything "wrong" with any of the other four algorithms. However, when all of the analysis and comments were taken into consideration, the NIST team felt that Rijndael was the best selection for the AES.
.

12. How has the public been involved in the development of the AES?

From the beginning of the AES development effort, NIST has relied on the public's participation, including:

a) assisting NIST in the design of submission requirements and evaluation criteria (including minimum key and block size requirements and intellectual property requirements);
b) developing and submitting candidate algorithms;
c) analyzing the candidates and sharing those results with the public and NIST; and
d) actively participating in several international conferences.

NIST also anticipates that the public will have very useful input on the Draft FIPS for the AES, and in the on-going analysis of Rijndael. It is expected that such analysis will be presented and published through various conferences such as CRYPTO, EUROCRYPT, ASIACRYPT, and the Fast Software Encryption Workshop (FSE).

13. Will the AES replace Triple DES and DES?

The AES is being developed to replace DES, but NIST anticipates that Triple DES will remain an approved algorithm (for U.S. Government use) for the foreseeable future. Single DES is being phased out of use, and is currently permitted in legacy systems, only.

Triple DES and DES are specified in a FIPS 46-3, while the AES will be specified in a completely separate FIPS. The status of the algorithms in each FIPS is handled separately by NIST.

14. Is NIST concerned that the algorithm is of foreign origin?

No. The complete algorithm specification and design rationale have been available for review by NIST, NSA, and the general public for more than two years. From the beginning of the AES development effort, NIST has indicated that the involvement of the international crypto community has been necessary for the development of a high-quality standard.

15. Approximately how big are the AES key sizes?

The AES will specify three key sizes: 128, 192 and 256 bits. In decimal terms, this means that there are approximately:

3.4 x 10³⁸ possible 128-bit keys;
6.2 x 10⁵⁷ possible 192-bit keys; and
1.1 x 10⁷⁷ possible 256-bit keys.

In comparison, DES keys are 56 bits long, which means there are approximately
7.2 x 10¹⁶ possible DES keys. Thus, there are on the order of 10²¹ times more AES 128-bit keys than DES 56-bit keys.

16. What is the chance that someone could use the "DES Cracker"-like hardware to crack an AES key?

In the late 1990s, specialized "DES Cracker" machines were built that could recover a DES key after a few hours. In other words, by trying possible key values, the hardware could determine which key was used to encrypt a message.

Assuming that one could build a machine that could recover a DES key in a second (i.e., try 2⁵⁵ keys per second), then it would take that machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be less than 20 billion years old.

17. Will NIST continue to monitor the algorithm's security, and how will it handle security issues that may arise in the future?

Yes. As is the case with its other cryptographic algorithm standards, NIST will continue to follow developments in the cryptanalysis of Rijndael. Once the AES becomes an official standard, that standard will be formally reevaluated every five years. Maintenance activities for the standard will be developed at the appropriate time, in full consideration of the situation's particular circumstances. Should an issue arise that requires more immediate attention, NIST will act expeditiously and consider all available alternatives at that time.

18. How long will the AES last?

No one can be sure how long the AES - or any other cryptographic algorithm - will remain secure. However, NIST's Data Encryption Standard (DES) was a U.S. Government standard for approximately twenty years before it became practical to mount a key exhaustion attack with specialized hardware. The AES supports significantly larger key sizes than what DES supports. Barring any attacks against AES that are faster than key exhaustion, then even with future advances in technology, AES has the potential to remain secure well beyond twenty years.

19. Who will be required to implement and use the AES?

When the AES is published as a FIPS, the algorithm will officially be identified as an approved encryption algorithm that can be used by U.S. Government organizations to protect sensitive (unclassified) information. As is currently the case, those Government organizations will be able to use other FIPS-approved algorithms in addition to, or in lieu of, the AES.

Commercial and other non-U.S. Government organizations are invited - but not required - to adopt and implement the AES and NIST's other cryptographic standards.

20. When will products implementing the AES be available?

It is anticipated that commercial products implementing Rijndael will be available shortly after the announcement. However, as indicated above, the AES itself will not become an official standard until sometime in 2001. When the AES becomes official, then NIST will have conformance testing available for products that implement Rijndael.