SecurityFocus 2000-10-02
A Belgian algorithm wins the gold in America's cryptolympics.
The algorithm, known as Rijndael (pronounced RHINE-dahl), was revealed this morning as the new Advanced Encryption Standard (AES), successor to the thirty-year-old Data Encryption Standard (DES). The process for selecting the new algorithm began in January of 1997 and was coordinated by the National Institute of Standards and Technology (NIST). The new standard will be used by U.S. Government agencies and is likely to be implemented widely by software developers in their products.
Rijndael is the creation of two Belgian cryptographers, Vincent Rijmen and Joan Daemen. NIST offered no material prize to the winners, and Rijndael has been open sourced and free to the public since its creation. But the two are pleased to see their work become the national standard. "I want people to see my work much like an artist does," says Daemen, a smart card developer at Proton World International. "Plus my company will get a lot of attention from this."
The choice of an algorithm that originated overseas surprised many observers. "Officially, the U.S. Government wouldn't even acknowledge the existence of good cryptography outside the U.S. as recently as a year ago," said David Banisar, a senior fellow at the Electronic Privacy Information Center. "This is light years from the shadowy days of the Digital Signature Standard and Clipper. Only time will tell if it's any more secure than these debacles."
NIST Director Ray Kammer conceded that the government's selection of a European algorithm represented "quite a thaw in U.S. policy," and said the federal government came to realize the "practical reality of the situation: that there are good algorithms and mathematicians all over the world." Kammer sought to reassure those who might be skeptical of the government's intentions by pointing out that the selection process was carried out in the public domain.
"The entire algorithm is disclosed, and the authors of the algorithm come from the private sector," said Kammer.
NIST officials praised Rijndael's speed in both hardware and software implementations and its efficiency in memory usage. NIST's Kammer praised Rijndael's flexibility and security, stating that the algorithm is likely to continue to be considered secure for quite some time. "If Moore's law continues and quantum computing doesn't change everything, this algorithm could have a thirty year run."
During the selection process candidates published papers at major conferences explaining disadvantages or security weaknesses in their competitors' algorithms. Security, performance, and simplicity were all major considerations. Also of concern were patent and other intellectual property issues -- in order to qualify as a candidate, an algorithm had to be completely "royalty-free," at least until the winner was announced.
"It was incredibly fun. This was the most fun a block-cipher cryptographer could have," said Bruce Schneier, creator of the Twofish algorithm, which was an AES finalist. "All five [of the finalists] are conceptually secure, so then NIST just took the best performer."
Despite some disappointment that his algorithm was not the one chosen, Schneier said he's happy enough with Rijndael's security that he'd use it in his own products, and he's relieved that the government has updated its standards to something more useable than DES. "The important thing about standards is to have them," he remarked.