Is there a contingency plan in the event of a catastrophic attack on AES?












15












$begingroup$


NIST selected Rijndael in 2000 to be AES. In a paper from the Serpent authors, they mention that there was the possibility of choosing a second cipher as a backup in the case of any severe breaks:




I believe that there should be only one standard. NIST should decide on one standard in order to ensure that the standard is accepted and adopted as soon as possible. However, NIST can publish the choice of a backup cipher which will replace the standard in case it is broken or in case other circumstances (such as intellectual property problems) will prevent it from being used by the public.




NIST has not done this, according to section 2.4 of a report from NIST. Is there any process in place in the event that a severe cryptanalytic attack against AES is discovered? Imagine it's 2029 and a new paper comes out showing that all 14 rounds can be broken with a complexity of $2^{80}$ and a negligible amount of known plaintext. Would there be any official steps taken by NIST, for example changing the standard to use more rounds? Would one of the other AES candidates be chosen as AES2?



I don't believe that there will be a major break in the cipher without prior cryptanalysis showing it to be gradually weaker and weaker, so I highly doubt the total break, if one is ever discovered, will come as a surprise. However, I am still curious to know if there is an official policy on the matter.










share|improve this question











$endgroup$








  • 2




    $begingroup$
    I think the first approach against an attack was the increasing key size. Though this may not prevent all kind of attacks.
    $endgroup$
    – kelalaka
    Jan 17 at 8:49










  • $begingroup$
    @kelalaka increasing key size does not nessecarily increase the security. For example, the best known attack on AES256 is better than the best known attack on AES128.
    $endgroup$
    – redplum
    Jan 17 at 12:11






  • 1




    $begingroup$
    @redplum That's a related key attack which is not an issue when you're using AES with random keys.
    $endgroup$
    – forest
    Jan 17 at 12:12






  • 2




    $begingroup$
    Note that chances are that a replacement of all AES implementations would take about a decade (based on similar estimates for a migration to PQ crypto), longer if additional time is needed to select a replacement (2-5 years).
    $endgroup$
    – SEJPM
    Jan 17 at 12:38








  • 6




    $begingroup$
    Of course, with the government shutdown, this question could not have come at a worse time.
    $endgroup$
    – Maarten Bodewes
    Jan 17 at 13:58
















15












$begingroup$


NIST selected Rijndael in 2000 to be AES. In a paper from the Serpent authors, they mention that there was the possibility of choosing a second cipher as a backup in the case of any severe breaks:




I believe that there should be only one standard. NIST should decide on one standard in order to ensure that the standard is accepted and adopted as soon as possible. However, NIST can publish the choice of a backup cipher which will replace the standard in case it is broken or in case other circumstances (such as intellectual property problems) will prevent it from being used by the public.




NIST has not done this, according to section 2.4 of a report from NIST. Is there any process in place in the event that a severe cryptanalytic attack against AES is discovered? Imagine it's 2029 and a new paper comes out showing that all 14 rounds can be broken with a complexity of $2^{80}$ and a negligible amount of known plaintext. Would there be any official steps taken by NIST, for example changing the standard to use more rounds? Would one of the other AES candidates be chosen as AES2?



I don't believe that there will be a major break in the cipher without prior cryptanalysis showing it to be gradually weaker and weaker, so I highly doubt the total break, if one is ever discovered, will come as a surprise. However, I am still curious to know if there is an official policy on the matter.










share|improve this question











$endgroup$








  • 2




    $begingroup$
    I think the first approach against an attack was the increasing key size. Though this may not prevent all kind of attacks.
    $endgroup$
    – kelalaka
    Jan 17 at 8:49










  • $begingroup$
    @kelalaka increasing key size does not nessecarily increase the security. For example, the best known attack on AES256 is better than the best known attack on AES128.
    $endgroup$
    – redplum
    Jan 17 at 12:11






  • 1




    $begingroup$
    @redplum That's a related key attack which is not an issue when you're using AES with random keys.
    $endgroup$
    – forest
    Jan 17 at 12:12






  • 2




    $begingroup$
    Note that chances are that a replacement of all AES implementations would take about a decade (based on similar estimates for a migration to PQ crypto), longer if additional time is needed to select a replacement (2-5 years).
    $endgroup$
    – SEJPM
    Jan 17 at 12:38








  • 6




    $begingroup$
    Of course, with the government shutdown, this question could not have come at a worse time.
    $endgroup$
    – Maarten Bodewes
    Jan 17 at 13:58














15












15








15


3



$begingroup$


NIST selected Rijndael in 2000 to be AES. In a paper from the Serpent authors, they mention that there was the possibility of choosing a second cipher as a backup in the case of any severe breaks:




I believe that there should be only one standard. NIST should decide on one standard in order to ensure that the standard is accepted and adopted as soon as possible. However, NIST can publish the choice of a backup cipher which will replace the standard in case it is broken or in case other circumstances (such as intellectual property problems) will prevent it from being used by the public.




NIST has not done this, according to section 2.4 of a report from NIST. Is there any process in place in the event that a severe cryptanalytic attack against AES is discovered? Imagine it's 2029 and a new paper comes out showing that all 14 rounds can be broken with a complexity of $2^{80}$ and a negligible amount of known plaintext. Would there be any official steps taken by NIST, for example changing the standard to use more rounds? Would one of the other AES candidates be chosen as AES2?



I don't believe that there will be a major break in the cipher without prior cryptanalysis showing it to be gradually weaker and weaker, so I highly doubt the total break, if one is ever discovered, will come as a surprise. However, I am still curious to know if there is an official policy on the matter.










share|improve this question











$endgroup$




NIST selected Rijndael in 2000 to be AES. In a paper from the Serpent authors, they mention that there was the possibility of choosing a second cipher as a backup in the case of any severe breaks:




I believe that there should be only one standard. NIST should decide on one standard in order to ensure that the standard is accepted and adopted as soon as possible. However, NIST can publish the choice of a backup cipher which will replace the standard in case it is broken or in case other circumstances (such as intellectual property problems) will prevent it from being used by the public.




NIST has not done this, according to section 2.4 of a report from NIST. Is there any process in place in the event that a severe cryptanalytic attack against AES is discovered? Imagine it's 2029 and a new paper comes out showing that all 14 rounds can be broken with a complexity of $2^{80}$ and a negligible amount of known plaintext. Would there be any official steps taken by NIST, for example changing the standard to use more rounds? Would one of the other AES candidates be chosen as AES2?



I don't believe that there will be a major break in the cipher without prior cryptanalysis showing it to be gradually weaker and weaker, so I highly doubt the total break, if one is ever discovered, will come as a surprise. However, I am still curious to know if there is an official policy on the matter.







aes nist rijndael standards






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 21 hours ago







forest

















asked Jan 17 at 8:30









forestforest

3,0341034




3,0341034








  • 2




    $begingroup$
    I think the first approach against an attack was the increasing key size. Though this may not prevent all kind of attacks.
    $endgroup$
    – kelalaka
    Jan 17 at 8:49










  • $begingroup$
    @kelalaka increasing key size does not nessecarily increase the security. For example, the best known attack on AES256 is better than the best known attack on AES128.
    $endgroup$
    – redplum
    Jan 17 at 12:11






  • 1




    $begingroup$
    @redplum That's a related key attack which is not an issue when you're using AES with random keys.
    $endgroup$
    – forest
    Jan 17 at 12:12






  • 2




    $begingroup$
    Note that chances are that a replacement of all AES implementations would take about a decade (based on similar estimates for a migration to PQ crypto), longer if additional time is needed to select a replacement (2-5 years).
    $endgroup$
    – SEJPM
    Jan 17 at 12:38








  • 6




    $begingroup$
    Of course, with the government shutdown, this question could not have come at a worse time.
    $endgroup$
    – Maarten Bodewes
    Jan 17 at 13:58














  • 2




    $begingroup$
    I think the first approach against an attack was the increasing key size. Though this may not prevent all kind of attacks.
    $endgroup$
    – kelalaka
    Jan 17 at 8:49










  • $begingroup$
    @kelalaka increasing key size does not nessecarily increase the security. For example, the best known attack on AES256 is better than the best known attack on AES128.
    $endgroup$
    – redplum
    Jan 17 at 12:11






  • 1




    $begingroup$
    @redplum That's a related key attack which is not an issue when you're using AES with random keys.
    $endgroup$
    – forest
    Jan 17 at 12:12






  • 2




    $begingroup$
    Note that chances are that a replacement of all AES implementations would take about a decade (based on similar estimates for a migration to PQ crypto), longer if additional time is needed to select a replacement (2-5 years).
    $endgroup$
    – SEJPM
    Jan 17 at 12:38








  • 6




    $begingroup$
    Of course, with the government shutdown, this question could not have come at a worse time.
    $endgroup$
    – Maarten Bodewes
    Jan 17 at 13:58








2




2




$begingroup$
I think the first approach against an attack was the increasing key size. Though this may not prevent all kind of attacks.
$endgroup$
– kelalaka
Jan 17 at 8:49




$begingroup$
I think the first approach against an attack was the increasing key size. Though this may not prevent all kind of attacks.
$endgroup$
– kelalaka
Jan 17 at 8:49












$begingroup$
@kelalaka increasing key size does not nessecarily increase the security. For example, the best known attack on AES256 is better than the best known attack on AES128.
$endgroup$
– redplum
Jan 17 at 12:11




$begingroup$
@kelalaka increasing key size does not nessecarily increase the security. For example, the best known attack on AES256 is better than the best known attack on AES128.
$endgroup$
– redplum
Jan 17 at 12:11




1




1




$begingroup$
@redplum That's a related key attack which is not an issue when you're using AES with random keys.
$endgroup$
– forest
Jan 17 at 12:12




$begingroup$
@redplum That's a related key attack which is not an issue when you're using AES with random keys.
$endgroup$
– forest
Jan 17 at 12:12




2




2




$begingroup$
Note that chances are that a replacement of all AES implementations would take about a decade (based on similar estimates for a migration to PQ crypto), longer if additional time is needed to select a replacement (2-5 years).
$endgroup$
– SEJPM
Jan 17 at 12:38






$begingroup$
Note that chances are that a replacement of all AES implementations would take about a decade (based on similar estimates for a migration to PQ crypto), longer if additional time is needed to select a replacement (2-5 years).
$endgroup$
– SEJPM
Jan 17 at 12:38






6




6




$begingroup$
Of course, with the government shutdown, this question could not have come at a worse time.
$endgroup$
– Maarten Bodewes
Jan 17 at 13:58




$begingroup$
Of course, with the government shutdown, this question could not have come at a worse time.
$endgroup$
– Maarten Bodewes
Jan 17 at 13:58










2 Answers
2






active

oldest

votes


















11












$begingroup$

I'm not aware of any official NIST policy on the matter, so I can only make educated guesses.



I guess new algorithms have sprung up and are already in place. Chacha20 is used in TLS 1.2 and 1.3 although the Poly1305 MAC does still rely on AES. For hash functions: neither SHA-2 nor SHA-3 are depending on AES in any way. The sponge function in Keccak (SHA-3) can also be used as a symmetric cipher (Ketje, Keyak and Kravasse) and - with a bit of tweaking - as MAC (KMac). So rather than to move backwards I think NIST would simply standardize on existing ciphers together with more modern ciphers based on Keccak.



Although I see merit in the answer of AleksanderRas, I personally don't think that one of the original AES candidates would be chosen as new AES (or FES, for fixed encryption standard). The world has moved on; there are likely more secure and certainly faster block ciphers around. For instance, I could see that Bruce Schneier and the Skein team would choose Threefish over Twofish. Possibly Serpent would make a chance if Rijndael is broken, as runner up with a high security margin. It does seem to have much in common with AES though, so maybe a break could also influence the security of Serpent, even if it does have a high number of rounds.



This brings us to an important final point: possibly a broken AES could simply be fixed by upping the number of rounds. In that case: the king is dead, long live the king. The hardware is there after all, and quite often the number of rounds can be configured. This would make the most sense in the short term and would allow NIST some breathing space to think of a replacement.






share|improve this answer











$endgroup$









  • 5




    $begingroup$
    And another one 3-AES :)
    $endgroup$
    – kelalaka
    Jan 17 at 15:48






  • 2




    $begingroup$
    Thanks for the corrections, kelalaka. I think AESede sounds better :)
    $endgroup$
    – Maarten Bodewes
    Jan 17 at 16:18






  • 1




    $begingroup$
    I wanna see the Keccak cipher.
    $endgroup$
    – Joshua
    Jan 17 at 17:22










  • $begingroup$
    Why would they choose Threefish? Wasn't it designed for Skein, not as a general-purpose block cipher?
    $endgroup$
    – forest
    2 days ago










  • $begingroup$
    @forest Possibly. There were hints for performing encryption using the tweakable block cipher as well in Skein. We'd have to ask the author - actually I did ask the author - but at that time they were understandably more concerned with Skein / SHA-3 competition for sure (and, at that time I wasn't ready to ask the question either, as I was still mentioning CBC and stuff). You can however see that the Keccak authors also are continuing to create a full symmetric cryptosystem out of their sponge construction.
    $endgroup$
    – Maarten Bodewes
    2 days ago





















5












$begingroup$

Selection process




  1. January 1997: The Department of commerce, with combination of the National Institute of Standards and Technology (NIST), announced an international search for a successor of DES.


The requirements for AES are:




  • AES must be a symmetrical algorithm, specifically a block cipher

  • AES must use 128-bit block sizes (192-bit and 256-bit could be possible extensions)

  • AES must support key sizes of 128-bit, 192-bit and 256-bit

  • AES must be relatively easy to implement in hardware and software

  • AES must have an above average performance

  • AES must be resistant to all known attacks of cryptanalysis (especially power- and timing-attacks)

  • AES must be usable in Smartcards (low computer memory)

  • AES must be free of use and open source


The possiblity to submit a possible AES ended on June 15. 1998.



In total there were 15 proposals submitted.



5 out of 15 were selected as a possible successor to DES, which will be named AES:




  • MARS cipher

  • RC6

  • Rijndael (AES)

  • Serpent

  • Twofish


All of these algorithms met the requirements. The Rijndael algorithm was chosen because it was especially high-performance in hardware and software (it only needs 500 lines of code in C).



Even though I could not find any notion of "next-steps" if the current AES would be broken (also as of now NIST is partly down because of the government shutdown), I, personally, would suggest the following: Try the attack that breaks the Rijndael algorithm on the other 4 algorithms and evaluate if it also breaks any of these. If one is resistant to this attack, then that one should be chosen as the new AES.






share|improve this answer











$endgroup$









  • 2




    $begingroup$
    If one is resistant to this attack, then that one would be chosen as the new AES. - I think you really need a citation for this claim. "I think" is not a good format for answers regarding the official policies of NIST. It might seem like a reasonable thing for them to do, but that doesn't mean it's what they plan on doing.
    $endgroup$
    – Ella Rose
    Jan 17 at 15:57






  • 1




    $begingroup$
    True, I changed my answer to make it more clear that this is my personal opinion on the matter
    $endgroup$
    – AleksanderRas
    Jan 18 at 8:17










  • $begingroup$
    I already know what I would personally do. I also feel I know what certain major vendors would do, but that doesn't answer what the US government would do for the standards. After all, if a major vendor switches to 18-round Rijndael or to Serpent, they could no longer claim to be using a government standard. The companies that absolutely need to use a government standard would probably revert to 3DES.
    $endgroup$
    – forest
    2 days ago













Your Answer





StackExchange.ifUsing("editor", function () {
return StackExchange.using("mathjaxEditing", function () {
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
});
});
}, "mathjax-editing");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "281"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66553%2fis-there-a-contingency-plan-in-the-event-of-a-catastrophic-attack-on-aes%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























2 Answers
2






active

oldest

votes








2 Answers
2






active

oldest

votes









active

oldest

votes






active

oldest

votes









11












$begingroup$

I'm not aware of any official NIST policy on the matter, so I can only make educated guesses.



I guess new algorithms have sprung up and are already in place. Chacha20 is used in TLS 1.2 and 1.3 although the Poly1305 MAC does still rely on AES. For hash functions: neither SHA-2 nor SHA-3 are depending on AES in any way. The sponge function in Keccak (SHA-3) can also be used as a symmetric cipher (Ketje, Keyak and Kravasse) and - with a bit of tweaking - as MAC (KMac). So rather than to move backwards I think NIST would simply standardize on existing ciphers together with more modern ciphers based on Keccak.



Although I see merit in the answer of AleksanderRas, I personally don't think that one of the original AES candidates would be chosen as new AES (or FES, for fixed encryption standard). The world has moved on; there are likely more secure and certainly faster block ciphers around. For instance, I could see that Bruce Schneier and the Skein team would choose Threefish over Twofish. Possibly Serpent would make a chance if Rijndael is broken, as runner up with a high security margin. It does seem to have much in common with AES though, so maybe a break could also influence the security of Serpent, even if it does have a high number of rounds.



This brings us to an important final point: possibly a broken AES could simply be fixed by upping the number of rounds. In that case: the king is dead, long live the king. The hardware is there after all, and quite often the number of rounds can be configured. This would make the most sense in the short term and would allow NIST some breathing space to think of a replacement.






share|improve this answer











$endgroup$









  • 5




    $begingroup$
    And another one 3-AES :)
    $endgroup$
    – kelalaka
    Jan 17 at 15:48






  • 2




    $begingroup$
    Thanks for the corrections, kelalaka. I think AESede sounds better :)
    $endgroup$
    – Maarten Bodewes
    Jan 17 at 16:18






  • 1




    $begingroup$
    I wanna see the Keccak cipher.
    $endgroup$
    – Joshua
    Jan 17 at 17:22










  • $begingroup$
    Why would they choose Threefish? Wasn't it designed for Skein, not as a general-purpose block cipher?
    $endgroup$
    – forest
    2 days ago










  • $begingroup$
    @forest Possibly. There were hints for performing encryption using the tweakable block cipher as well in Skein. We'd have to ask the author - actually I did ask the author - but at that time they were understandably more concerned with Skein / SHA-3 competition for sure (and, at that time I wasn't ready to ask the question either, as I was still mentioning CBC and stuff). You can however see that the Keccak authors also are continuing to create a full symmetric cryptosystem out of their sponge construction.
    $endgroup$
    – Maarten Bodewes
    2 days ago


















11












$begingroup$

I'm not aware of any official NIST policy on the matter, so I can only make educated guesses.



I guess new algorithms have sprung up and are already in place. Chacha20 is used in TLS 1.2 and 1.3 although the Poly1305 MAC does still rely on AES. For hash functions: neither SHA-2 nor SHA-3 are depending on AES in any way. The sponge function in Keccak (SHA-3) can also be used as a symmetric cipher (Ketje, Keyak and Kravasse) and - with a bit of tweaking - as MAC (KMac). So rather than to move backwards I think NIST would simply standardize on existing ciphers together with more modern ciphers based on Keccak.



Although I see merit in the answer of AleksanderRas, I personally don't think that one of the original AES candidates would be chosen as new AES (or FES, for fixed encryption standard). The world has moved on; there are likely more secure and certainly faster block ciphers around. For instance, I could see that Bruce Schneier and the Skein team would choose Threefish over Twofish. Possibly Serpent would make a chance if Rijndael is broken, as runner up with a high security margin. It does seem to have much in common with AES though, so maybe a break could also influence the security of Serpent, even if it does have a high number of rounds.



This brings us to an important final point: possibly a broken AES could simply be fixed by upping the number of rounds. In that case: the king is dead, long live the king. The hardware is there after all, and quite often the number of rounds can be configured. This would make the most sense in the short term and would allow NIST some breathing space to think of a replacement.






share|improve this answer











$endgroup$









  • 5




    $begingroup$
    And another one 3-AES :)
    $endgroup$
    – kelalaka
    Jan 17 at 15:48






  • 2




    $begingroup$
    Thanks for the corrections, kelalaka. I think AESede sounds better :)
    $endgroup$
    – Maarten Bodewes
    Jan 17 at 16:18






  • 1




    $begingroup$
    I wanna see the Keccak cipher.
    $endgroup$
    – Joshua
    Jan 17 at 17:22










  • $begingroup$
    Why would they choose Threefish? Wasn't it designed for Skein, not as a general-purpose block cipher?
    $endgroup$
    – forest
    2 days ago










  • $begingroup$
    @forest Possibly. There were hints for performing encryption using the tweakable block cipher as well in Skein. We'd have to ask the author - actually I did ask the author - but at that time they were understandably more concerned with Skein / SHA-3 competition for sure (and, at that time I wasn't ready to ask the question either, as I was still mentioning CBC and stuff). You can however see that the Keccak authors also are continuing to create a full symmetric cryptosystem out of their sponge construction.
    $endgroup$
    – Maarten Bodewes
    2 days ago
















11












11








11





$begingroup$

I'm not aware of any official NIST policy on the matter, so I can only make educated guesses.



I guess new algorithms have sprung up and are already in place. Chacha20 is used in TLS 1.2 and 1.3 although the Poly1305 MAC does still rely on AES. For hash functions: neither SHA-2 nor SHA-3 are depending on AES in any way. The sponge function in Keccak (SHA-3) can also be used as a symmetric cipher (Ketje, Keyak and Kravasse) and - with a bit of tweaking - as MAC (KMac). So rather than to move backwards I think NIST would simply standardize on existing ciphers together with more modern ciphers based on Keccak.



Although I see merit in the answer of AleksanderRas, I personally don't think that one of the original AES candidates would be chosen as new AES (or FES, for fixed encryption standard). The world has moved on; there are likely more secure and certainly faster block ciphers around. For instance, I could see that Bruce Schneier and the Skein team would choose Threefish over Twofish. Possibly Serpent would make a chance if Rijndael is broken, as runner up with a high security margin. It does seem to have much in common with AES though, so maybe a break could also influence the security of Serpent, even if it does have a high number of rounds.



This brings us to an important final point: possibly a broken AES could simply be fixed by upping the number of rounds. In that case: the king is dead, long live the king. The hardware is there after all, and quite often the number of rounds can be configured. This would make the most sense in the short term and would allow NIST some breathing space to think of a replacement.






share|improve this answer











$endgroup$



I'm not aware of any official NIST policy on the matter, so I can only make educated guesses.



I guess new algorithms have sprung up and are already in place. Chacha20 is used in TLS 1.2 and 1.3 although the Poly1305 MAC does still rely on AES. For hash functions: neither SHA-2 nor SHA-3 are depending on AES in any way. The sponge function in Keccak (SHA-3) can also be used as a symmetric cipher (Ketje, Keyak and Kravasse) and - with a bit of tweaking - as MAC (KMac). So rather than to move backwards I think NIST would simply standardize on existing ciphers together with more modern ciphers based on Keccak.



Although I see merit in the answer of AleksanderRas, I personally don't think that one of the original AES candidates would be chosen as new AES (or FES, for fixed encryption standard). The world has moved on; there are likely more secure and certainly faster block ciphers around. For instance, I could see that Bruce Schneier and the Skein team would choose Threefish over Twofish. Possibly Serpent would make a chance if Rijndael is broken, as runner up with a high security margin. It does seem to have much in common with AES though, so maybe a break could also influence the security of Serpent, even if it does have a high number of rounds.



This brings us to an important final point: possibly a broken AES could simply be fixed by upping the number of rounds. In that case: the king is dead, long live the king. The hardware is there after all, and quite often the number of rounds can be configured. This would make the most sense in the short term and would allow NIST some breathing space to think of a replacement.







share|improve this answer














share|improve this answer



share|improve this answer








edited Jan 17 at 15:54

























answered Jan 17 at 14:03









Maarten BodewesMaarten Bodewes

53.6k677193




53.6k677193








  • 5




    $begingroup$
    And another one 3-AES :)
    $endgroup$
    – kelalaka
    Jan 17 at 15:48






  • 2




    $begingroup$
    Thanks for the corrections, kelalaka. I think AESede sounds better :)
    $endgroup$
    – Maarten Bodewes
    Jan 17 at 16:18






  • 1




    $begingroup$
    I wanna see the Keccak cipher.
    $endgroup$
    – Joshua
    Jan 17 at 17:22










  • $begingroup$
    Why would they choose Threefish? Wasn't it designed for Skein, not as a general-purpose block cipher?
    $endgroup$
    – forest
    2 days ago










  • $begingroup$
    @forest Possibly. There were hints for performing encryption using the tweakable block cipher as well in Skein. We'd have to ask the author - actually I did ask the author - but at that time they were understandably more concerned with Skein / SHA-3 competition for sure (and, at that time I wasn't ready to ask the question either, as I was still mentioning CBC and stuff). You can however see that the Keccak authors also are continuing to create a full symmetric cryptosystem out of their sponge construction.
    $endgroup$
    – Maarten Bodewes
    2 days ago
















  • 5




    $begingroup$
    And another one 3-AES :)
    $endgroup$
    – kelalaka
    Jan 17 at 15:48






  • 2




    $begingroup$
    Thanks for the corrections, kelalaka. I think AESede sounds better :)
    $endgroup$
    – Maarten Bodewes
    Jan 17 at 16:18






  • 1




    $begingroup$
    I wanna see the Keccak cipher.
    $endgroup$
    – Joshua
    Jan 17 at 17:22










  • $begingroup$
    Why would they choose Threefish? Wasn't it designed for Skein, not as a general-purpose block cipher?
    $endgroup$
    – forest
    2 days ago










  • $begingroup$
    @forest Possibly. There were hints for performing encryption using the tweakable block cipher as well in Skein. We'd have to ask the author - actually I did ask the author - but at that time they were understandably more concerned with Skein / SHA-3 competition for sure (and, at that time I wasn't ready to ask the question either, as I was still mentioning CBC and stuff). You can however see that the Keccak authors also are continuing to create a full symmetric cryptosystem out of their sponge construction.
    $endgroup$
    – Maarten Bodewes
    2 days ago










5




5




$begingroup$
And another one 3-AES :)
$endgroup$
– kelalaka
Jan 17 at 15:48




$begingroup$
And another one 3-AES :)
$endgroup$
– kelalaka
Jan 17 at 15:48




2




2




$begingroup$
Thanks for the corrections, kelalaka. I think AESede sounds better :)
$endgroup$
– Maarten Bodewes
Jan 17 at 16:18




$begingroup$
Thanks for the corrections, kelalaka. I think AESede sounds better :)
$endgroup$
– Maarten Bodewes
Jan 17 at 16:18




1




1




$begingroup$
I wanna see the Keccak cipher.
$endgroup$
– Joshua
Jan 17 at 17:22




$begingroup$
I wanna see the Keccak cipher.
$endgroup$
– Joshua
Jan 17 at 17:22












$begingroup$
Why would they choose Threefish? Wasn't it designed for Skein, not as a general-purpose block cipher?
$endgroup$
– forest
2 days ago




$begingroup$
Why would they choose Threefish? Wasn't it designed for Skein, not as a general-purpose block cipher?
$endgroup$
– forest
2 days ago












$begingroup$
@forest Possibly. There were hints for performing encryption using the tweakable block cipher as well in Skein. We'd have to ask the author - actually I did ask the author - but at that time they were understandably more concerned with Skein / SHA-3 competition for sure (and, at that time I wasn't ready to ask the question either, as I was still mentioning CBC and stuff). You can however see that the Keccak authors also are continuing to create a full symmetric cryptosystem out of their sponge construction.
$endgroup$
– Maarten Bodewes
2 days ago






$begingroup$
@forest Possibly. There were hints for performing encryption using the tweakable block cipher as well in Skein. We'd have to ask the author - actually I did ask the author - but at that time they were understandably more concerned with Skein / SHA-3 competition for sure (and, at that time I wasn't ready to ask the question either, as I was still mentioning CBC and stuff). You can however see that the Keccak authors also are continuing to create a full symmetric cryptosystem out of their sponge construction.
$endgroup$
– Maarten Bodewes
2 days ago













5












$begingroup$

Selection process




  1. January 1997: The Department of commerce, with combination of the National Institute of Standards and Technology (NIST), announced an international search for a successor of DES.


The requirements for AES are:




  • AES must be a symmetrical algorithm, specifically a block cipher

  • AES must use 128-bit block sizes (192-bit and 256-bit could be possible extensions)

  • AES must support key sizes of 128-bit, 192-bit and 256-bit

  • AES must be relatively easy to implement in hardware and software

  • AES must have an above average performance

  • AES must be resistant to all known attacks of cryptanalysis (especially power- and timing-attacks)

  • AES must be usable in Smartcards (low computer memory)

  • AES must be free of use and open source


The possiblity to submit a possible AES ended on June 15. 1998.



In total there were 15 proposals submitted.



5 out of 15 were selected as a possible successor to DES, which will be named AES:




  • MARS cipher

  • RC6

  • Rijndael (AES)

  • Serpent

  • Twofish


All of these algorithms met the requirements. The Rijndael algorithm was chosen because it was especially high-performance in hardware and software (it only needs 500 lines of code in C).



Even though I could not find any notion of "next-steps" if the current AES would be broken (also as of now NIST is partly down because of the government shutdown), I, personally, would suggest the following: Try the attack that breaks the Rijndael algorithm on the other 4 algorithms and evaluate if it also breaks any of these. If one is resistant to this attack, then that one should be chosen as the new AES.






share|improve this answer











$endgroup$









  • 2




    $begingroup$
    If one is resistant to this attack, then that one would be chosen as the new AES. - I think you really need a citation for this claim. "I think" is not a good format for answers regarding the official policies of NIST. It might seem like a reasonable thing for them to do, but that doesn't mean it's what they plan on doing.
    $endgroup$
    – Ella Rose
    Jan 17 at 15:57






  • 1




    $begingroup$
    True, I changed my answer to make it more clear that this is my personal opinion on the matter
    $endgroup$
    – AleksanderRas
    Jan 18 at 8:17










  • $begingroup$
    I already know what I would personally do. I also feel I know what certain major vendors would do, but that doesn't answer what the US government would do for the standards. After all, if a major vendor switches to 18-round Rijndael or to Serpent, they could no longer claim to be using a government standard. The companies that absolutely need to use a government standard would probably revert to 3DES.
    $endgroup$
    – forest
    2 days ago


















5












$begingroup$

Selection process




  1. January 1997: The Department of commerce, with combination of the National Institute of Standards and Technology (NIST), announced an international search for a successor of DES.


The requirements for AES are:




  • AES must be a symmetrical algorithm, specifically a block cipher

  • AES must use 128-bit block sizes (192-bit and 256-bit could be possible extensions)

  • AES must support key sizes of 128-bit, 192-bit and 256-bit

  • AES must be relatively easy to implement in hardware and software

  • AES must have an above average performance

  • AES must be resistant to all known attacks of cryptanalysis (especially power- and timing-attacks)

  • AES must be usable in Smartcards (low computer memory)

  • AES must be free of use and open source


The possiblity to submit a possible AES ended on June 15. 1998.



In total there were 15 proposals submitted.



5 out of 15 were selected as a possible successor to DES, which will be named AES:




  • MARS cipher

  • RC6

  • Rijndael (AES)

  • Serpent

  • Twofish


All of these algorithms met the requirements. The Rijndael algorithm was chosen because it was especially high-performance in hardware and software (it only needs 500 lines of code in C).



Even though I could not find any notion of "next-steps" if the current AES would be broken (also as of now NIST is partly down because of the government shutdown), I, personally, would suggest the following: Try the attack that breaks the Rijndael algorithm on the other 4 algorithms and evaluate if it also breaks any of these. If one is resistant to this attack, then that one should be chosen as the new AES.






share|improve this answer











$endgroup$









  • 2




    $begingroup$
    If one is resistant to this attack, then that one would be chosen as the new AES. - I think you really need a citation for this claim. "I think" is not a good format for answers regarding the official policies of NIST. It might seem like a reasonable thing for them to do, but that doesn't mean it's what they plan on doing.
    $endgroup$
    – Ella Rose
    Jan 17 at 15:57






  • 1




    $begingroup$
    True, I changed my answer to make it more clear that this is my personal opinion on the matter
    $endgroup$
    – AleksanderRas
    Jan 18 at 8:17










  • $begingroup$
    I already know what I would personally do. I also feel I know what certain major vendors would do, but that doesn't answer what the US government would do for the standards. After all, if a major vendor switches to 18-round Rijndael or to Serpent, they could no longer claim to be using a government standard. The companies that absolutely need to use a government standard would probably revert to 3DES.
    $endgroup$
    – forest
    2 days ago
















5












5








5





$begingroup$

Selection process




  1. January 1997: The Department of commerce, with combination of the National Institute of Standards and Technology (NIST), announced an international search for a successor of DES.


The requirements for AES are:




  • AES must be a symmetrical algorithm, specifically a block cipher

  • AES must use 128-bit block sizes (192-bit and 256-bit could be possible extensions)

  • AES must support key sizes of 128-bit, 192-bit and 256-bit

  • AES must be relatively easy to implement in hardware and software

  • AES must have an above average performance

  • AES must be resistant to all known attacks of cryptanalysis (especially power- and timing-attacks)

  • AES must be usable in Smartcards (low computer memory)

  • AES must be free of use and open source


The possiblity to submit a possible AES ended on June 15. 1998.



In total there were 15 proposals submitted.



5 out of 15 were selected as a possible successor to DES, which will be named AES:




  • MARS cipher

  • RC6

  • Rijndael (AES)

  • Serpent

  • Twofish


All of these algorithms met the requirements. The Rijndael algorithm was chosen because it was especially high-performance in hardware and software (it only needs 500 lines of code in C).



Even though I could not find any notion of "next-steps" if the current AES would be broken (also as of now NIST is partly down because of the government shutdown), I, personally, would suggest the following: Try the attack that breaks the Rijndael algorithm on the other 4 algorithms and evaluate if it also breaks any of these. If one is resistant to this attack, then that one should be chosen as the new AES.






share|improve this answer











$endgroup$



Selection process




  1. January 1997: The Department of commerce, with combination of the National Institute of Standards and Technology (NIST), announced an international search for a successor of DES.


The requirements for AES are:




  • AES must be a symmetrical algorithm, specifically a block cipher

  • AES must use 128-bit block sizes (192-bit and 256-bit could be possible extensions)

  • AES must support key sizes of 128-bit, 192-bit and 256-bit

  • AES must be relatively easy to implement in hardware and software

  • AES must have an above average performance

  • AES must be resistant to all known attacks of cryptanalysis (especially power- and timing-attacks)

  • AES must be usable in Smartcards (low computer memory)

  • AES must be free of use and open source


The possiblity to submit a possible AES ended on June 15. 1998.



In total there were 15 proposals submitted.



5 out of 15 were selected as a possible successor to DES, which will be named AES:




  • MARS cipher

  • RC6

  • Rijndael (AES)

  • Serpent

  • Twofish


All of these algorithms met the requirements. The Rijndael algorithm was chosen because it was especially high-performance in hardware and software (it only needs 500 lines of code in C).



Even though I could not find any notion of "next-steps" if the current AES would be broken (also as of now NIST is partly down because of the government shutdown), I, personally, would suggest the following: Try the attack that breaks the Rijndael algorithm on the other 4 algorithms and evaluate if it also breaks any of these. If one is resistant to this attack, then that one should be chosen as the new AES.







share|improve this answer














share|improve this answer



share|improve this answer








edited Jan 18 at 8:16

























answered Jan 17 at 13:02









AleksanderRasAleksanderRas

2,1191630




2,1191630








  • 2




    $begingroup$
    If one is resistant to this attack, then that one would be chosen as the new AES. - I think you really need a citation for this claim. "I think" is not a good format for answers regarding the official policies of NIST. It might seem like a reasonable thing for them to do, but that doesn't mean it's what they plan on doing.
    $endgroup$
    – Ella Rose
    Jan 17 at 15:57






  • 1




    $begingroup$
    True, I changed my answer to make it more clear that this is my personal opinion on the matter
    $endgroup$
    – AleksanderRas
    Jan 18 at 8:17










  • $begingroup$
    I already know what I would personally do. I also feel I know what certain major vendors would do, but that doesn't answer what the US government would do for the standards. After all, if a major vendor switches to 18-round Rijndael or to Serpent, they could no longer claim to be using a government standard. The companies that absolutely need to use a government standard would probably revert to 3DES.
    $endgroup$
    – forest
    2 days ago
















  • 2




    $begingroup$
    If one is resistant to this attack, then that one would be chosen as the new AES. - I think you really need a citation for this claim. "I think" is not a good format for answers regarding the official policies of NIST. It might seem like a reasonable thing for them to do, but that doesn't mean it's what they plan on doing.
    $endgroup$
    – Ella Rose
    Jan 17 at 15:57






  • 1




    $begingroup$
    True, I changed my answer to make it more clear that this is my personal opinion on the matter
    $endgroup$
    – AleksanderRas
    Jan 18 at 8:17










  • $begingroup$
    I already know what I would personally do. I also feel I know what certain major vendors would do, but that doesn't answer what the US government would do for the standards. After all, if a major vendor switches to 18-round Rijndael or to Serpent, they could no longer claim to be using a government standard. The companies that absolutely need to use a government standard would probably revert to 3DES.
    $endgroup$
    – forest
    2 days ago










2




2




$begingroup$
If one is resistant to this attack, then that one would be chosen as the new AES. - I think you really need a citation for this claim. "I think" is not a good format for answers regarding the official policies of NIST. It might seem like a reasonable thing for them to do, but that doesn't mean it's what they plan on doing.
$endgroup$
– Ella Rose
Jan 17 at 15:57




$begingroup$
If one is resistant to this attack, then that one would be chosen as the new AES. - I think you really need a citation for this claim. "I think" is not a good format for answers regarding the official policies of NIST. It might seem like a reasonable thing for them to do, but that doesn't mean it's what they plan on doing.
$endgroup$
– Ella Rose
Jan 17 at 15:57




1




1




$begingroup$
True, I changed my answer to make it more clear that this is my personal opinion on the matter
$endgroup$
– AleksanderRas
Jan 18 at 8:17




$begingroup$
True, I changed my answer to make it more clear that this is my personal opinion on the matter
$endgroup$
– AleksanderRas
Jan 18 at 8:17












$begingroup$
I already know what I would personally do. I also feel I know what certain major vendors would do, but that doesn't answer what the US government would do for the standards. After all, if a major vendor switches to 18-round Rijndael or to Serpent, they could no longer claim to be using a government standard. The companies that absolutely need to use a government standard would probably revert to 3DES.
$endgroup$
– forest
2 days ago






$begingroup$
I already know what I would personally do. I also feel I know what certain major vendors would do, but that doesn't answer what the US government would do for the standards. After all, if a major vendor switches to 18-round Rijndael or to Serpent, they could no longer claim to be using a government standard. The companies that absolutely need to use a government standard would probably revert to 3DES.
$endgroup$
– forest
2 days ago




















draft saved

draft discarded




















































Thanks for contributing an answer to Cryptography Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


Use MathJax to format equations. MathJax reference.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66553%2fis-there-a-contingency-plan-in-the-event-of-a-catastrophic-attack-on-aes%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

1300-talet

1300-talet

Display a custom attribute below product name in the front-end Magento 1.9.3.8