Is there a contingency plan in the event of a catestrophic attack on AES?
$begingroup$
NIST selected Rijndael in 2000 to be AES. In a paper from the Serpent authors, they mention that there was the possibility of choosing a second cipher as a backup in the case of any severe breaks:
I believe that there should be only one standard. NIST should decide on one standard in order to ensure that the standard is accepted and adopted as soon as possible. However, NIST can publish the choice of a backup cipher which will replace the standard in case it is broken or in case other circumstances (such as intellectual property problems) will prevent it from being used by the public.
Clearly, NIST has not done this and has only standardized Rijndael. Is there any process in place in the event that a severe cryptanalytic attack against AES is discovered? Imagine it's 2029 and a new paper comes out showing that all 14 rounds can be broken with a complexity of $2^{80}$ and a negligible amount of known plaintext. Would there be any official steps taken by NIST, for example changing the standard to use more rounds? Would one of the other AES candidates be chosen as AES2?
I don't believe that there will be a major break in the cipher without prior cryptanalysis showing it to be gradually weaker and weaker, so I highly doubt the total break, if one is ever discovered, will come as a surprise. However, I am still curious to know if there is an official policy on the matter.
aes nist rijndael standards
asked 6 hours ago
forestforest
2,8351032
$endgroup$
|
show 2 more comments
$begingroup$
NIST selected Rijndael in 2000 to be AES. In a paper from the Serpent authors, they mention that there was the possibility of choosing a second cipher as a backup in the case of any severe breaks:
I believe that there should be only one standard. NIST should decide on one standard in order to ensure that the standard is accepted and adopted as soon as possible. However, NIST can publish the choice of a backup cipher which will replace the standard in case it is broken or in case other circumstances (such as intellectual property problems) will prevent it from being used by the public.
Clearly, NIST has not done this and has only standardized Rijndael. Is there any process in place in the event that a severe cryptanalytic attack against AES is discovered? Imagine it's 2029 and a new paper comes out showing that all 14 rounds can be broken with a complexity of $2^{80}$ and a negligible amount of known plaintext. Would there be any official steps taken by NIST, for example changing the standard to use more rounds? Would one of the other AES candidates be chosen as AES2?
I don't believe that there will be a major break in the cipher without prior cryptanalysis showing it to be gradually weaker and weaker, so I highly doubt the total break, if one is ever discovered, will come as a surprise. However, I am still curious to know if there is an official policy on the matter.
aes nist rijndael standards
asked 6 hours ago
forestforest
2,8351032
$endgroup$
2
$begingroup$
I think the first approach against an attack was the increasing key size. Though this may not prevent all kind of attacks.
$endgroup$
– kelalaka
6 hours ago
$begingroup$
@kelalaka increasing key size does not nessecarily increase the security. For example, the best known attack on AES256 is better than the best known attack on AES128.
$endgroup$
– redplum
2 hours ago
$begingroup$
@redplum That's a related key attack which is not an issue when you're using AES with random keys.
$endgroup$
– forest
2 hours ago
1
$begingroup$
Note that chances are that a replacement of all AES implementations would take about a decade (based on similar estimates for a migration to PQ crypto), longer if additional time is needed to select a replacement (2-5 years).
$endgroup$
– SEJPM♦
2 hours ago
2
$begingroup$
Of course, with the government shutdown, this question could not have come at a worse time.
$endgroup$
– Maarten Bodewes♦
1 hour ago
|
show 2 more comments
$begingroup$
NIST selected Rijndael in 2000 to be AES. In a paper from the Serpent authors, they mention that there was the possibility of choosing a second cipher as a backup in the case of any severe breaks:
I believe that there should be only one standard. NIST should decide on one standard in order to ensure that the standard is accepted and adopted as soon as possible. However, NIST can publish the choice of a backup cipher which will replace the standard in case it is broken or in case other circumstances (such as intellectual property problems) will prevent it from being used by the public.
Clearly, NIST has not done this and has only standardized Rijndael. Is there any process in place in the event that a severe cryptanalytic attack against AES is discovered? Imagine it's 2029 and a new paper comes out showing that all 14 rounds can be broken with a complexity of $2^{80}$ and a negligible amount of known plaintext. Would there be any official steps taken by NIST, for example changing the standard to use more rounds? Would one of the other AES candidates be chosen as AES2?
I don't believe that there will be a major break in the cipher without prior cryptanalysis showing it to be gradually weaker and weaker, so I highly doubt the total break, if one is ever discovered, will come as a surprise. However, I am still curious to know if there is an official policy on the matter.
aes nist rijndael standards
asked 6 hours ago
forestforest
2,8351032
$endgroup$
NIST selected Rijndael in 2000 to be AES. In a paper from the Serpent authors, they mention that there was the possibility of choosing a second cipher as a backup in the case of any severe breaks:
I believe that there should be only one standard. NIST should decide on one standard in order to ensure that the standard is accepted and adopted as soon as possible. However, NIST can publish the choice of a backup cipher which will replace the standard in case it is broken or in case other circumstances (such as intellectual property problems) will prevent it from being used by the public.
Clearly, NIST has not done this and has only standardized Rijndael. Is there any process in place in the event that a severe cryptanalytic attack against AES is discovered? Imagine it's 2029 and a new paper comes out showing that all 14 rounds can be broken with a complexity of $2^{80}$ and a negligible amount of known plaintext. Would there be any official steps taken by NIST, for example changing the standard to use more rounds? Would one of the other AES candidates be chosen as AES2?
I don't believe that there will be a major break in the cipher without prior cryptanalysis showing it to be gradually weaker and weaker, so I highly doubt the total break, if one is ever discovered, will come as a surprise. However, I am still curious to know if there is an official policy on the matter.
aes nist rijndael standards
aes nist rijndael standards
asked 6 hours ago
forestforest
2,8351032
asked 6 hours ago
forestforest
2,8351032
asked 6 hours ago
forestforest
2,8351032
asked 6 hours ago
forestforest
2,8351032
asked 6 hours ago
forestforest
2,8351032
2,8351032
2
$begingroup$
I think the first approach against an attack was the increasing key size. Though this may not prevent all kind of attacks.
$endgroup$
– kelalaka
6 hours ago
$begingroup$
@kelalaka increasing key size does not nessecarily increase the security. For example, the best known attack on AES256 is better than the best known attack on AES128.
$endgroup$
– redplum
2 hours ago
$begingroup$
@redplum That's a related key attack which is not an issue when you're using AES with random keys.
$endgroup$
– forest
2 hours ago
1
$begingroup$
Note that chances are that a replacement of all AES implementations would take about a decade (based on similar estimates for a migration to PQ crypto), longer if additional time is needed to select a replacement (2-5 years).
$endgroup$
– SEJPM♦
2 hours ago
2
$begingroup$
Of course, with the government shutdown, this question could not have come at a worse time.
$endgroup$
– Maarten Bodewes♦
1 hour ago
|
show 2 more comments
2
$begingroup$
I think the first approach against an attack was the increasing key size. Though this may not prevent all kind of attacks.
$endgroup$
– kelalaka
6 hours ago
$begingroup$
@kelalaka increasing key size does not nessecarily increase the security. For example, the best known attack on AES256 is better than the best known attack on AES128.
$endgroup$
– redplum
2 hours ago
$begingroup$
@redplum That's a related key attack which is not an issue when you're using AES with random keys.
$endgroup$
– forest
2 hours ago
1
$begingroup$
Note that chances are that a replacement of all AES implementations would take about a decade (based on similar estimates for a migration to PQ crypto), longer if additional time is needed to select a replacement (2-5 years).
$endgroup$
– SEJPM♦
2 hours ago
2
$begingroup$
Of course, with the government shutdown, this question could not have come at a worse time.
$endgroup$
– Maarten Bodewes♦
1 hour ago
2
2
$begingroup$
I think the first approach against an attack was the increasing key size. Though this may not prevent all kind of attacks.
$endgroup$
– kelalaka
6 hours ago
$begingroup$
I think the first approach against an attack was the increasing key size. Though this may not prevent all kind of attacks.
$endgroup$
– kelalaka
6 hours ago
$begingroup$
@kelalaka increasing key size does not nessecarily increase the security. For example, the best known attack on AES256 is better than the best known attack on AES128.
$endgroup$
– redplum
2 hours ago
$begingroup$
@kelalaka increasing key size does not nessecarily increase the security. For example, the best known attack on AES256 is better than the best known attack on AES128.
$endgroup$
– redplum
2 hours ago
$begingroup$
@redplum That's a related key attack which is not an issue when you're using AES with random keys.
$endgroup$
– forest
2 hours ago
$begingroup$
@redplum That's a related key attack which is not an issue when you're using AES with random keys.
$endgroup$
– forest
2 hours ago
1
1
$begingroup$
Note that chances are that a replacement of all AES implementations would take about a decade (based on similar estimates for a migration to PQ crypto), longer if additional time is needed to select a replacement (2-5 years).
$endgroup$
– SEJPM♦
2 hours ago
$begingroup$
Note that chances are that a replacement of all AES implementations would take about a decade (based on similar estimates for a migration to PQ crypto), longer if additional time is needed to select a replacement (2-5 years).
$endgroup$
– SEJPM♦
2 hours ago
2
2
$begingroup$
Of course, with the government shutdown, this question could not have come at a worse time.
$endgroup$
– Maarten Bodewes♦
1 hour ago
$begingroup$
Of course, with the government shutdown, this question could not have come at a worse time.
$endgroup$
– Maarten Bodewes♦
1 hour ago
|
show 2 more comments
2 Answers
2
active
oldest
votes
$begingroup$
Selection process
- January 1997: The Department of commerce, with combination of the National Institute of Standards and Technology (NIST), announced an international search for a successor of DES.
The requirements for AES are:
- AES must be a symmetrical algorithm, specifically a block cipher
- AES must use 128-bit block sizes (192-bit and 256-bit could be possible extensions)
- AES must support key sizes of 128-bit, 192-bit and 256-bit
- AES must be relatively easy to implement in hardware and software
- AES must have an above average performance
- AES must be resistant to all known attacks of cryptanalysis (especially power- and timing-attacks)
- AES must be usable in Smartcards (low computer memory)
- AES must be free of use and open source
The possiblity to submit a possible AES ended on June 15. 1998.
In total there were 15 proposals submitted.
5 out of 15 were selected as a possible successor to DES, which will be named AES:
- MARS cipher
- RC6
- Rijndael (AES)
- Serpent
- Twofish
All of these algorithms met the requirements. The Rijndael algorithm was chosen because it was especially high-performance in hardware and software (it only needs 500 lines of code in C).
Even though I could not find any notion of "next-steps" if the current AES would be broken (also as of now NIST is partly down because of the government shutdown), I think that they would see if the attack on the Rijndael algorithm also breaks any of the other 4 algorithms. If one is resistant to this attack, then that one would be chosen as the new AES.
answered 2 hours ago
AleksanderRasAleksanderRas
1,9791629
$endgroup$
add a comment |
$begingroup$
I'm not aware of any official NIST policy on the matter, so I can only make educated guesses.
I guess new algorithms have sprung up and are already in place. Chacha20 is used in TLS 1.2 and 1.3 although the Poly1305 MAC does still rely on AES. For hash functions: neither SHA-2 nor SHA-3 are depending on AES in any way. The sponge function in Keccak (SHA-3) can also be used as a symmetric cipher (Ketje, Keyak and Kravasse) and - with a bit of tweaking - as MAC (KMac). So rather than to move backwards I think NIST would simply standardize on existing ciphers together with more modern ciphers based on Keccak.
Although I see merit in the answer of AleksanderRas, I personally don't think that one of the original AES candidates would be chosen as new AES (or FES, for fixed encryption standard). The world has moved on; there are likely more secure and certainly faster block ciphers around. For instance, I could see that Bruce Schneier and the Skein team would chose Threefish over Twofish. Possibly Serpent would make a chance if Rijndael is broken, as runner up with a high security margin. It does seem to have much in common with AES though, so maybe a break could also influence the security of Serpent, even if it does have a high number of rounds.
This brings us to an important final point: possibly a broken AES could simply be fixed by upping the number of rounds. In that case: the king is dead, long live the king. The hardware is there after all, and quite often the number of rounds can be configured. This would make most sense in the short term and would allow NIST some breathing space to think of a replacement.
answered 1 hour ago
Maarten Bodewes♦Maarten Bodewes
53.5k677192
$endgroup$
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
return StackExchange.using("mathjaxEditing", function () {
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
});
});
}, "mathjax-editing");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "281"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
var $window = $(window),
onScroll = function(e) {
var $elem = $('.new-login-left'),
docViewTop = $window.scrollTop(),
docViewBottom = docViewTop + $window.height(),
elemTop = $elem.offset().top,
elemBottom = elemTop + $elem.height();
if ((docViewTop elemBottom)) {
StackExchange.using('gps', function() { StackExchange.gps.track('embedded_signup_form.view', { location: 'question_page' }); });
$window.unbind('scroll', onScroll);
}
};
$window.on('scroll', onScroll);
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66553%2fis-there-a-contingency-plan-in-the-event-of-a-catestrophic-attack-on-aes%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
Selection process
- January 1997: The Department of commerce, with combination of the National Institute of Standards and Technology (NIST), announced an international search for a successor of DES.
The requirements for AES are:
- AES must be a symmetrical algorithm, specifically a block cipher
- AES must use 128-bit block sizes (192-bit and 256-bit could be possible extensions)
- AES must support key sizes of 128-bit, 192-bit and 256-bit
- AES must be relatively easy to implement in hardware and software
- AES must have an above average performance
- AES must be resistant to all known attacks of cryptanalysis (especially power- and timing-attacks)
- AES must be usable in Smartcards (low computer memory)
- AES must be free of use and open source
The possiblity to submit a possible AES ended on June 15. 1998.
In total there were 15 proposals submitted.
5 out of 15 were selected as a possible successor to DES, which will be named AES:
- MARS cipher
- RC6
- Rijndael (AES)
- Serpent
- Twofish
All of these algorithms met the requirements. The Rijndael algorithm was chosen because it was especially high-performance in hardware and software (it only needs 500 lines of code in C).
Even though I could not find any notion of "next-steps" if the current AES would be broken (also as of now NIST is partly down because of the government shutdown), I think that they would see if the attack on the Rijndael algorithm also breaks any of the other 4 algorithms. If one is resistant to this attack, then that one would be chosen as the new AES.
answered 2 hours ago
AleksanderRasAleksanderRas
1,9791629
$endgroup$
add a comment |
$begingroup$
Selection process
- January 1997: The Department of commerce, with combination of the National Institute of Standards and Technology (NIST), announced an international search for a successor of DES.
The requirements for AES are:
- AES must be a symmetrical algorithm, specifically a block cipher
- AES must use 128-bit block sizes (192-bit and 256-bit could be possible extensions)
- AES must support key sizes of 128-bit, 192-bit and 256-bit
- AES must be relatively easy to implement in hardware and software
- AES must have an above average performance
- AES must be resistant to all known attacks of cryptanalysis (especially power- and timing-attacks)
- AES must be usable in Smartcards (low computer memory)
- AES must be free of use and open source
The possiblity to submit a possible AES ended on June 15. 1998.
In total there were 15 proposals submitted.
5 out of 15 were selected as a possible successor to DES, which will be named AES:
- MARS cipher
- RC6
- Rijndael (AES)
- Serpent
- Twofish
All of these algorithms met the requirements. The Rijndael algorithm was chosen because it was especially high-performance in hardware and software (it only needs 500 lines of code in C).
Even though I could not find any notion of "next-steps" if the current AES would be broken (also as of now NIST is partly down because of the government shutdown), I think that they would see if the attack on the Rijndael algorithm also breaks any of the other 4 algorithms. If one is resistant to this attack, then that one would be chosen as the new AES.
answered 2 hours ago
AleksanderRasAleksanderRas
1,9791629
$endgroup$
add a comment |
$begingroup$
Selection process
- January 1997: The Department of commerce, with combination of the National Institute of Standards and Technology (NIST), announced an international search for a successor of DES.
The requirements for AES are:
- AES must be a symmetrical algorithm, specifically a block cipher
- AES must use 128-bit block sizes (192-bit and 256-bit could be possible extensions)
- AES must support key sizes of 128-bit, 192-bit and 256-bit
- AES must be relatively easy to implement in hardware and software
- AES must have an above average performance
- AES must be resistant to all known attacks of cryptanalysis (especially power- and timing-attacks)
- AES must be usable in Smartcards (low computer memory)
- AES must be free of use and open source
The possiblity to submit a possible AES ended on June 15. 1998.
In total there were 15 proposals submitted.
5 out of 15 were selected as a possible successor to DES, which will be named AES:
- MARS cipher
- RC6
- Rijndael (AES)
- Serpent
- Twofish
All of these algorithms met the requirements. The Rijndael algorithm was chosen because it was especially high-performance in hardware and software (it only needs 500 lines of code in C).
Even though I could not find any notion of "next-steps" if the current AES would be broken (also as of now NIST is partly down because of the government shutdown), I think that they would see if the attack on the Rijndael algorithm also breaks any of the other 4 algorithms. If one is resistant to this attack, then that one would be chosen as the new AES.
answered 2 hours ago
AleksanderRasAleksanderRas
1,9791629
$endgroup$
Selection process
- January 1997: The Department of commerce, with combination of the National Institute of Standards and Technology (NIST), announced an international search for a successor of DES.
The requirements for AES are:
- AES must be a symmetrical algorithm, specifically a block cipher
- AES must use 128-bit block sizes (192-bit and 256-bit could be possible extensions)
- AES must support key sizes of 128-bit, 192-bit and 256-bit
- AES must be relatively easy to implement in hardware and software
- AES must have an above average performance
- AES must be resistant to all known attacks of cryptanalysis (especially power- and timing-attacks)
- AES must be usable in Smartcards (low computer memory)
- AES must be free of use and open source
The possiblity to submit a possible AES ended on June 15. 1998.
In total there were 15 proposals submitted.
5 out of 15 were selected as a possible successor to DES, which will be named AES:
- MARS cipher
- RC6
- Rijndael (AES)
- Serpent
- Twofish
All of these algorithms met the requirements. The Rijndael algorithm was chosen because it was especially high-performance in hardware and software (it only needs 500 lines of code in C).
Even though I could not find any notion of "next-steps" if the current AES would be broken (also as of now NIST is partly down because of the government shutdown), I think that they would see if the attack on the Rijndael algorithm also breaks any of the other 4 algorithms. If one is resistant to this attack, then that one would be chosen as the new AES.
answered 2 hours ago
AleksanderRasAleksanderRas
1,9791629
edited 1 hour ago
answered 2 hours ago
AleksanderRasAleksanderRas
1,9791629
answered 2 hours ago
AleksanderRasAleksanderRas
1,9791629
answered 2 hours ago
AleksanderRasAleksanderRas
1,9791629
1,9791629
add a comment |
add a comment |
$begingroup$
I'm not aware of any official NIST policy on the matter, so I can only make educated guesses.
I guess new algorithms have sprung up and are already in place. Chacha20 is used in TLS 1.2 and 1.3 although the Poly1305 MAC does still rely on AES. For hash functions: neither SHA-2 nor SHA-3 are depending on AES in any way. The sponge function in Keccak (SHA-3) can also be used as a symmetric cipher (Ketje, Keyak and Kravasse) and - with a bit of tweaking - as MAC (KMac). So rather than to move backwards I think NIST would simply standardize on existing ciphers together with more modern ciphers based on Keccak.
Although I see merit in the answer of AleksanderRas, I personally don't think that one of the original AES candidates would be chosen as new AES (or FES, for fixed encryption standard). The world has moved on; there are likely more secure and certainly faster block ciphers around. For instance, I could see that Bruce Schneier and the Skein team would chose Threefish over Twofish. Possibly Serpent would make a chance if Rijndael is broken, as runner up with a high security margin. It does seem to have much in common with AES though, so maybe a break could also influence the security of Serpent, even if it does have a high number of rounds.
This brings us to an important final point: possibly a broken AES could simply be fixed by upping the number of rounds. In that case: the king is dead, long live the king. The hardware is there after all, and quite often the number of rounds can be configured. This would make most sense in the short term and would allow NIST some breathing space to think of a replacement.
answered 1 hour ago
Maarten Bodewes♦Maarten Bodewes
53.5k677192
$endgroup$
add a comment |
$begingroup$
I'm not aware of any official NIST policy on the matter, so I can only make educated guesses.
I guess new algorithms have sprung up and are already in place. Chacha20 is used in TLS 1.2 and 1.3 although the Poly1305 MAC does still rely on AES. For hash functions: neither SHA-2 nor SHA-3 are depending on AES in any way. The sponge function in Keccak (SHA-3) can also be used as a symmetric cipher (Ketje, Keyak and Kravasse) and - with a bit of tweaking - as MAC (KMac). So rather than to move backwards I think NIST would simply standardize on existing ciphers together with more modern ciphers based on Keccak.
Although I see merit in the answer of AleksanderRas, I personally don't think that one of the original AES candidates would be chosen as new AES (or FES, for fixed encryption standard). The world has moved on; there are likely more secure and certainly faster block ciphers around. For instance, I could see that Bruce Schneier and the Skein team would chose Threefish over Twofish. Possibly Serpent would make a chance if Rijndael is broken, as runner up with a high security margin. It does seem to have much in common with AES though, so maybe a break could also influence the security of Serpent, even if it does have a high number of rounds.
This brings us to an important final point: possibly a broken AES could simply be fixed by upping the number of rounds. In that case: the king is dead, long live the king. The hardware is there after all, and quite often the number of rounds can be configured. This would make most sense in the short term and would allow NIST some breathing space to think of a replacement.
answered 1 hour ago
Maarten Bodewes♦Maarten Bodewes
53.5k677192
$endgroup$
add a comment |
$begingroup$
I'm not aware of any official NIST policy on the matter, so I can only make educated guesses.
I guess new algorithms have sprung up and are already in place. Chacha20 is used in TLS 1.2 and 1.3 although the Poly1305 MAC does still rely on AES. For hash functions: neither SHA-2 nor SHA-3 are depending on AES in any way. The sponge function in Keccak (SHA-3) can also be used as a symmetric cipher (Ketje, Keyak and Kravasse) and - with a bit of tweaking - as MAC (KMac). So rather than to move backwards I think NIST would simply standardize on existing ciphers together with more modern ciphers based on Keccak.
Although I see merit in the answer of AleksanderRas, I personally don't think that one of the original AES candidates would be chosen as new AES (or FES, for fixed encryption standard). The world has moved on; there are likely more secure and certainly faster block ciphers around. For instance, I could see that Bruce Schneier and the Skein team would chose Threefish over Twofish. Possibly Serpent would make a chance if Rijndael is broken, as runner up with a high security margin. It does seem to have much in common with AES though, so maybe a break could also influence the security of Serpent, even if it does have a high number of rounds.
This brings us to an important final point: possibly a broken AES could simply be fixed by upping the number of rounds. In that case: the king is dead, long live the king. The hardware is there after all, and quite often the number of rounds can be configured. This would make most sense in the short term and would allow NIST some breathing space to think of a replacement.
answered 1 hour ago
Maarten Bodewes♦Maarten Bodewes
53.5k677192
$endgroup$
I'm not aware of any official NIST policy on the matter, so I can only make educated guesses.
I guess new algorithms have sprung up and are already in place. Chacha20 is used in TLS 1.2 and 1.3 although the Poly1305 MAC does still rely on AES. For hash functions: neither SHA-2 nor SHA-3 are depending on AES in any way. The sponge function in Keccak (SHA-3) can also be used as a symmetric cipher (Ketje, Keyak and Kravasse) and - with a bit of tweaking - as MAC (KMac). So rather than to move backwards I think NIST would simply standardize on existing ciphers together with more modern ciphers based on Keccak.
Although I see merit in the answer of AleksanderRas, I personally don't think that one of the original AES candidates would be chosen as new AES (or FES, for fixed encryption standard). The world has moved on; there are likely more secure and certainly faster block ciphers around. For instance, I could see that Bruce Schneier and the Skein team would chose Threefish over Twofish. Possibly Serpent would make a chance if Rijndael is broken, as runner up with a high security margin. It does seem to have much in common with AES though, so maybe a break could also influence the security of Serpent, even if it does have a high number of rounds.
This brings us to an important final point: possibly a broken AES could simply be fixed by upping the number of rounds. In that case: the king is dead, long live the king. The hardware is there after all, and quite often the number of rounds can be configured. This would make most sense in the short term and would allow NIST some breathing space to think of a replacement.
answered 1 hour ago
Maarten Bodewes♦Maarten Bodewes
53.5k677192
answered 1 hour ago
Maarten Bodewes♦Maarten Bodewes
53.5k677192
answered 1 hour ago
Maarten Bodewes♦Maarten Bodewes
53.5k677192
answered 1 hour ago
Maarten Bodewes♦Maarten Bodewes
53.5k677192
53.5k677192
add a comment |
add a comment |
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
var $window = $(window),
onScroll = function(e) {
var $elem = $('.new-login-left'),
docViewTop = $window.scrollTop(),
docViewBottom = docViewTop + $window.height(),
elemTop = $elem.offset().top,
elemBottom = elemTop + $elem.height();
if ((docViewTop elemBottom)) {
StackExchange.using('gps', function() { StackExchange.gps.track('embedded_signup_form.view', { location: 'question_page' }); });
$window.unbind('scroll', onScroll);
}
};
$window.on('scroll', onScroll);
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66553%2fis-there-a-contingency-plan-in-the-event-of-a-catestrophic-attack-on-aes%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
var $window = $(window),
onScroll = function(e) {
var $elem = $('.new-login-left'),
docViewTop = $window.scrollTop(),
docViewBottom = docViewTop + $window.height(),
elemTop = $elem.offset().top,
elemBottom = elemTop + $elem.height();
if ((docViewTop elemBottom)) {
StackExchange.using('gps', function() { StackExchange.gps.track('embedded_signup_form.view', { location: 'question_page' }); });
$window.unbind('scroll', onScroll);
}
};
$window.on('scroll', onScroll);
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
var $window = $(window),
onScroll = function(e) {
var $elem = $('.new-login-left'),
docViewTop = $window.scrollTop(),
docViewBottom = docViewTop + $window.height(),
elemTop = $elem.offset().top,
elemBottom = elemTop + $elem.height();
if ((docViewTop elemBottom)) {
StackExchange.using('gps', function() { StackExchange.gps.track('embedded_signup_form.view', { location: 'question_page' }); });
$window.unbind('scroll', onScroll);
}
};
$window.on('scroll', onScroll);
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
var $window = $(window),
onScroll = function(e) {
var $elem = $('.new-login-left'),
docViewTop = $window.scrollTop(),
docViewBottom = docViewTop + $window.height(),
elemTop = $elem.offset().top,
elemBottom = elemTop + $elem.height();
if ((docViewTop elemBottom)) {
StackExchange.using('gps', function() { StackExchange.gps.track('embedded_signup_form.view', { location: 'question_page' }); });
$window.unbind('scroll', onScroll);
}
};
$window.on('scroll', onScroll);
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
2
$begingroup$
I think the first approach against an attack was the increasing key size. Though this may not prevent all kind of attacks.
$endgroup$
– kelalaka
6 hours ago
$begingroup$
@kelalaka increasing key size does not nessecarily increase the security. For example, the best known attack on AES256 is better than the best known attack on AES128.
$endgroup$
– redplum
2 hours ago
$begingroup$
@redplum That's a related key attack which is not an issue when you're using AES with random keys.
$endgroup$
– forest
2 hours ago
1
$begingroup$
Note that chances are that a replacement of all AES implementations would take about a decade (based on similar estimates for a migration to PQ crypto), longer if additional time is needed to select a replacement (2-5 years).
$endgroup$
– SEJPM♦
2 hours ago
2
$begingroup$
Of course, with the government shutdown, this question could not have come at a worse time.
$endgroup$
– Maarten Bodewes♦
1 hour ago