Cryptography Reference
of DES were numbered. The pressure from the business world to create and
use secure algorithms is very strong today; we will see this particularly in
Chapter 8. The AES Initiative of the NIST is an excellent example showing
how the situation has changed during the past twenty years.
Remember how DES was born (Section 4.3.1)? Back then, the NBS had major
difficulties in obtaining a usable proposal at all, and they had to involve the NSA
due to a lack of internal competency. And today? Its successor, the NIST, issued
a challenge for a new standard at the beginning of 1997; it was to be named AES
(Advanced Encryption Standard). This time it seemed that all the leading people in
public cryptological research participated in the challenge: they submitted a large
number of proposals, and discussed and cryptanalyzed the algorithms submitted,
until eventually they were spoilt for choice. Though it was primarily a matter
of a new US standard, proposals and analyses were submitted from all over
the world. Eventually, a Belgian algorithm was selected to become the new
security standard in the USA. This alone shows almost symbolically how much
cryptology has changed during the past twenty years.
Everything had actually run so smoothly that there was hardly a reason for
criticism. Even the requirements for the new standard were not formulated by
the NIST alone, but in an open workshop conducted especially for this purpose in
April 1997. Defining the requirements was not an easy task; after all, AES
was to be secure long into the future, so it had to meet extremely strict
criteria from the outset. You can read the result in Figure 5.17.
The required block length of 128 bits relates to the birthday attack discussed in
Section 5.1.1 in connection with the CBC mode: given two equal ciphertext
blocks, one can draw conclusions about the XOR of the corresponding plaintext
blocks, thus obtaining a (minimal) hint about the plaintext. The probability
of such an event should be as small as possible. With 128-bit blocks, such a
pair generally occurs only after more than 100 million terabytes of ciphertext, which
would seem to be sufficient for the next twenty years.
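The birthday argument above, worked through as an added example (not taken from the book): a constructed 16-bit keyed permutation stands in for a real block cipher so that repeated ciphertext blocks appear after a few thousand blocks. All function names, the key string and the sample data are assumptions made for illustration.

```python
import random

def birthday_bound_bytes(block_bits):
    """Ciphertext volume at which a repeated block becomes likely (~2^(n/2) blocks)."""
    return 2 ** (block_bits // 2) * (block_bits // 8)

def toy_permutation(key, block_bits=16):
    """Constructed stand-in for a block cipher: a keyed random permutation."""
    table = list(range(2 ** block_bits))
    random.Random(key).shuffle(table)
    return table

def cbc_encrypt(perm, iv, plaintext_blocks):
    """CBC: C_i = E(P_i XOR C_{i-1}) with C_0 = IV. Returns [IV, C_1, ...]."""
    chain = [iv]
    for p in plaintext_blocks:
        chain.append(perm[p ^ chain[-1]])
    return chain

def find_collisions(chain):
    """Index pairs (i, j), i < j, with C_i == C_j (the IV at index 0 is skipped)."""
    seen, pairs = {}, []
    for j in range(1, len(chain)):
        c = chain[j]
        if c in seen:
            pairs.append((seen[c], j))
        else:
            seen[c] = j
    return pairs

def leaked_xor(chain, i, j):
    """C_i == C_j implies P_i ^ C_{i-1} == P_j ^ C_{j-1}, hence
    P_i ^ P_j == C_{i-1} ^ C_{j-1}, computable from ciphertext alone."""
    return chain[i - 1] ^ chain[j - 1]

def demo(num_blocks=2000, seed=1):
    rng = random.Random(seed)
    plaintext = [rng.randrange(2 ** 16) for _ in range(num_blocks)]  # constructed data
    chain = cbc_encrypt(toy_permutation("constructed-key"), rng.randrange(2 ** 16), plaintext)
    pairs = find_collisions(chain)
    # plaintext list is 0-indexed; ciphertext block C_i sits at chain[i]
    ok = all(leaked_xor(chain, i, j) == plaintext[i - 1] ^ plaintext[j - 1] for i, j in pairs)
    return len(pairs), ok

if __name__ == "__main__":
    for bits in (64, 128):
        print(bits, "bit blocks:", birthday_bound_bytes(bits) / 1e12, "TB")
    print("collisions found, XOR relation holds:", demo())
```

For 64-bit blocks the bound is about 34 GB of ciphertext, which is why the 128-bit requirement excluded ciphers such as IDEA.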
This meant that, for example, IDEA with its 64-bit block length was ruled
out, among others. RC5 was not an eligible candidate either since it works
most effectively with 64-bit blocks on 32-bit processors. Thus, RC6 came into
existence, as described in Section 5.4.4. And the requirement for a key length
up to 256 bits is by no means paranoid considering that quantum computers
might exist (Section 5.9) within the next twenty years.
A worldwide search for candidates began as a consequence. The NIST presented
15 proposals at the first conference in August 1998. At the second AES