Redirected from AES
AES was developed by two Belgian cryptographers, Joan Daemen[?] and Vincent Rijmen[?]. It was based on their previous design, Square. It is not a Feistel network design algorithm, like many of the other AES finalists. It is also known by the name of the original submission "Rijndael", something best pronounced by non Dutch speakers more or less as "Rhine dahl" (a long "i" and a silent "e"). Daemen and Rijmen have announced that, for those who object, that they have several other names, even more impossible for non Dutch speakers, ready. You have been warned.
Strictly speaking AES is not precisely Rijndael, as Rijndael supports larger block sizes (due to a request in NIST's initial call for AES candidates that was later withdrawn), whereas AES has a fixed block size of 128 bits.
AES is fast in both software and hardware, is relatively easy to implement, and requires little memory. As the new block cipher 'standard' it is currently being deployed on a large scale.
NSA reviewed all the AES finalists, including Rijndael, and stated that all of them were secure enough for US government non-classified data.
The most common way to attack block ciphers is to try various attacks on versions of the cipher with a reduced number of rounds. AES has 10 rounds for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys. The best known attacks are on 7 rounds for 128-bit keys, 8 rounds for 192-bit keys, and 9 rounds for 256-bit keys. See [ (http://www.macfergus.com/pub/icrijndael)] for details of these particular attacks.
Some cryptographers worry about the security of AES. They feel that the margin between the number of rounds specified in the cipher and the best known attacks is too small for comfort. The risk is that some way to improve these attacks will be found and the cypher will be broken. A "break" in cryptography is anything that is faster than an exhaustive search, so an attack that requires 2120 operations is considered a break even though it is quite infeasible. For practical applications any attack which is only just better than this is irrelevant, and these concerns can be ignored. However, if it can be improved...
Another concern is the mathematical structure of AES. Unlike most other block ciphers, AES has a very neat mathematical description [ (http://www.macfergus.com/pub/rdalgeq)], [ (http://www.isg.rhul.ac.uk/~sean/)]. This has not yet led to any attacks, but some researchers are worried that future attacks may find a way to exploit this structure.
Along with the cipher itself, a document concerning "modes of operation" is also expected to be made an official standard. For a general article on that topic (not specific to AES) see Block cipher modes of operation.
September 2002: A worrying theoretical attack on AES has been announced in a paper by Nicolas Courtois[?] and Josef Pieprzyk[?] entitled "Cryptanalysis of Block Ciphers with Overdefined Systems of Equations". This appears to show a potential weakness in the AES algorithm. It seems that the attack, if the maths are correct, is not currently practical as it would have a prohibitively high 'work factor'. There have been claims of considerable work factor improvement, however, so the attack technique might -- NB: "might" -- actually become practical sometime in the future. On the other hand, several cryptography experts have criticised the underlying mathematics of the proposed attack, suggesting that the authors have gotten their sums wrong. Whether this line of attack can be made to work against AES remains an open question. For the moment, as far as is publicly known, the XLS attack against AES is speculative. As is currently understood, it may or may not be possible to actually carry out the attack in practice.