Announcement of Proposal to Update FIPS 197, The Advanced Encryption Standard

As a part of the periodic review of NIST’s cryptographic standards and guidelines, NIST's Crypto Publication Review Board ("Review Board") announced the review of Federal Information Processing Standards Publication (FIPS) 197, The Advanced Encryption Standard (AES) in May 2021.

NIST proposes to update FIPS 197. An update of a publication is appropriate when it only requires changes to correct errors or clarify its interpretation, and no changes are made to technical content. The proposed changes to FIPS 197 are summarized in the sections below.

A public comment period for the draft FIPS 197 update is open through February 13, 2023.  Public comments on the decision to update the FIPS, or on the draft update itself, may be submitted to cryptopubreviewboard [at] nist.gov (cryptopubreviewboard[at]nist[dot]gov), with “Comments on Draft FIPS 197 Update” in the subject line. Comments received in response to this request will be posted on the Crypto Publication Review Project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed. See the project site for additional information about the review process.

Summary of the Draft Update of FIPS 197

The version history is summarized in Appendix D of the draft update of FIPS 197. The draft update includes extensive editorial improvements to the version that was published in November 2001, including the following:

• The frontmatter is modernized, e.g., a foreword and abstract are added.
• Terms and symbols are defined more comprehensively and consistently.
• Formatting/typesetting is improved in a variety of ways.
• Unnecessary formalism is removed.
• Diagrams are included for the three key schedules.
• Some references were updated, and additional references were provided.

Initial Public Comments

In May 2021, the Review Board requested initial public comments for the review of FIPS 197 (released 2001). In June 2021, the public comments were posted. The public comment to include a reference to NIST Special Publication (SP) 800-133 Rev. 2, Recommendation for Cryptographic Key Generation was accepted in the updated draft.

The other two public comments include a variety of observations and suggestions for the appropriate properties for a block cipher and its modes of operation. In particular, both comments request that NIST standardize an alternative block cipher with a larger block size. Neither comment recommends any changes to FIPS 197 itself.

NISTIR 8319

Published in July 2021, NIST Internal Report (NISTIR) 8319, Review of the Advanced Encryption Standard documented the main considerations in the review of FIPS 197.

Rationale for Updating FIPS 197

There are two elements to the decision to update a publication: 1) editorial revision is appropriate, and 2) technical revision is not necessary. In the case of FIPS 197, several potential clarifications are recommended in Section 3.5 of NISTIR 8319, and NIST identified a variety of other editorial improvements.

The technical content is the specification of a family of three block ciphers: AES-128, AES-192, and AES-256, where the numerical suffix indicates the bit length of the key. Since AES is adopted widely, the main question for the review is whether the specified block cipher family is sufficiently secure. The following is a summary of the security assessment:

• Classical security [Sections 3.1 and 3.2 of NISTIR 8319]: The key sizes remain adequate against classical exhaustive search. For the classical analytic attacks on instances of the AES algorithm that are listed in Table 2 of NISTIR 8319, either 1) the attack only applies to an unapproved, weakened variant, in which the number of rounds is reduced by at least three; or 2) the computational complexity of the attack is prohibitive. In the second category, the largest theoretical reduction in computational complexity over generic, exhaustive search occurs under the restrictive assumption of related-keys, and only for AES-192 and AES-256.
• Key Size and Post-Quantum Security [Section 3.3 of NISTIR 8319]: If large-scale quantum computers are developed, Grover’s algorithm would facilitate a brute force search for the key with computational work that is roughly the square root of the classical computational work. NIST expects to issue appropriate guidance on parameter choices and post-quantum security as part of the Post-Quantum Cryptography project.
• Implementation security [Section 3.4 of NISTIR 8319]: Implementation attacks based on "side channels" such as power consumption and execution timing are a general concern for keyed cryptographic algorithms, including the AES family. Cache-timing attacks are a significant additional concern for the AES algorithm because they can potentially be mounted remotely; mitigating this risk was a key motivation for the inclusion of an AES instruction in modern processors. NIST will consider developing separate guidance on how to protect implementations of the AES family against implementation attacks in general.