2

I was at a conference earlier this week sponsored by a library about data archiving. The conference was not about cryptography. One of the speakers said that the Advanced Encryption Standard (AES) was going to be 20 years old next year (Rijndael was first published in 1998) and that it was getting near the end of its life.

I'm familiar with cryptography, and I've been troubled by this statement ever since, because I didn't think that AES was in any danger. The algorithm has sufficient key lengths, even to resist quantum computer attacks, and there are no algorithmic flaws that have been discovered. Recall that DES was showing its age in the mid-1990s, but that was because its key length was unreasonably short, not for any other reason.

Are there current reasons to consider upgrading or replacing AES?

vy32
  • 439
  • 3
  • 13

1 Answer

0

The two main weaknesses where AES shows its age are the 128-bit block size and the fact that AES-192 and AES-256 have far less security margin than the pure key size would suggest (some reasons for that here).

Besides that, the concept of a block cipher with modes begins to be regarded as risky (authentication, padding, nonces), and more higher-level primitives should be used in APIs (newer approaches like NaCl secretbox).

So from a crypto community standpoint it shows its age but is still time-proven and not broken, especially since alternatives enjoy less general acceptance (especially if compliance voodoo is required).

I would argue long-term archives cannot escape the voodoo argument for now, so they do rely on AES (at least in western geographies).

I think a successor will provide more than 128-bit block size (or state), start with large key sizes and support efficient authenticated methods and maybe some support for parallelisation. It will hopefully define an approved family of modes/parameters in favor of free composition of primitives.

eckes
  • 666
  • 5
  • 11
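
An added example, not part of the answer above: the block-size concern is the birthday bound, which caps how much data one key can protect before repeated cipher blocks become likely. The sketch checks the bound empirically on a toy block size and then applies it to archive-scale volumes. The function names, the 2^-32 risk threshold and the 256-bit row are assumptions made for illustration.

```python
import math
import random

def log2_blocks_at_risk(block_bits: int, log2_p: float) -> float:
    """log2 of the block count q where the birthday approximation
    p ~= q^2 / 2^(n+1) reaches collision probability 2^log2_p."""
    return (block_bits + 1 + log2_p) / 2

def bytes_limit(block_bits: int, log2_p: float) -> float:
    """Bytes that can be encrypted under one key before that risk is reached."""
    return 2.0 ** log2_blocks_at_risk(block_bits, log2_p) * (block_bits // 8)

def mean_first_collision(block_bits: int, trials: int, seed: int = 1) -> float:
    """Empirical check: draw uniformly random n-bit values (a stand-in for
    cipher output blocks) until one repeats; return the average draw count."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        seen = set()
        while True:
            v = rng.getrandbits(block_bits)
            if v in seen:
                break
            seen.add(v)
        total += len(seen) + 1  # draws made, including the repeated one
    return total / trials

def report(log2_p: float = -32):
    """Per-key data limits at the chosen risk threshold (assumed 2^-32)."""
    sizes = (("64-bit block (DES/3DES)", 64),
             ("128-bit block (AES)", 128),
             ("256-bit block (illustrative)", 256))
    return [(name, log2_blocks_at_risk(n, log2_p), bytes_limit(n, log2_p))
            for name, n in sizes]

if __name__ == "__main__":
    n = 16  # toy block size so the simulation finishes quickly
    print("simulated mean draws to first repeat:", mean_first_collision(n, 200))
    print("sqrt(pi/2 * 2^n) prediction:         ", math.sqrt(math.pi / 2 * 2 ** n))
    for name, lg, size in report():
        print(f"{name}: 2^{lg} blocks, {size:.3e} bytes per key")
```

At the assumed 2^-32 threshold a 128-bit block allows roughly 6.4 PB under a single key, so a large archive needs per-object or per-volume keys rather than one long-lived key.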