Score:2

How much information is required to specify a new variant of AES beyond the key length and the number of rounds?

cn flag

Three different versions of the Advanced Encryption Standard (AES) have been standardized, which use keys of bit length 128, 192, and 256 respectively. They also use different numbers of rounds: 10, 12, and 14 rounds respectively. But my understanding is that the three versions of AES are otherwise extremely similar.

  1. How much additional information would need to be specified in order to create a new version of AES with a different key length? Do the key length and the number of rounds pretty much nail down the whole algorithm in sufficient detail that you can just say "Okay, my new version of AES has key length 64 bits and you use 8 rounds", and it's obvious how to fill in the rest of the details? Or do you need to do a lot more work? (I know that Rijndael also allows key sizes 160 and 224 bits, but I'm wondering about going beyond those bounds.)
  2. Would such a new version of AES require extensive new cryptanalysis, or would it just be a simple matter of plugging the new bit length and number of rounds into already-known formulas in order to estimate the hardness of decryption?

I know that there are more version-specific details beyond just the bit length and the number of rounds, such as the key schedule, but I'm not familiar with what those details are.

kelalaka avatar
in flag
NIST was initially asked for 128, 160, 192, 224, and 256-bit key and block size, later they changed what we have in AES since there is no need! They are very similar since they have the size of the same block. **The answer to your question is opinion-based**. Rijndael is not immediately designed, the first designed SHARK, then Square then BKSQ. It is years of reading understanding and experience. You can see from the book _The Design of Rijndael The Advanced Encryption Standard (AES) Second Edition_
Fractalice avatar
in flag
I agree with @kelalaka, although certainly the effort nowadays would be much less due to the large amount of accumulated knowledge. Not to mention that we are talking about a *variant* of the AES.
cn flag
@kelalaka I think that my question was perhaps too broadly phrased; I've edited it to (hopefully) clarify what I'm getting at. I'm just wondering whether or not it's straightforward to generalize the general AES template to other key sizes and numbers of rounds; I'm not asking for an actual estimate for the "amount of work".
kelalaka avatar
in flag
Read _The Design of Rijndael The Advanced Encryption Standard (AES) Second Edition_. There you can find clues...
cn flag
@kelalaka Judging by the fact that you aren't saying "Yes, it's trivial to adapt AES to other key sizes and numbers of rounds", I'm assuming that the answer to my question is "Quite a lot of information."
kelalaka avatar
in flag
Just to increase the key size the round goes 10, 12, 14 doesn't mean that 512 will have 19 rounds. They have analyzed it and the time showed that one should have 15 instead of 14.
cn flag
@kelalaka I thought that in principle, the key size and the number of rounds can be set independently? Perhaps I'm still not making my question clear: I'm just talking about *defining* a new variation of AES, not analyzing its security. The numbers that I gave in my question were just a completely random example (other than not being any of the existing Rijndael bit sizes).
SAI Peregrinus avatar
si flag
The other thing to consider is that AES is a NIST standard, in FIPS 197. So there's a TON of work to convince NIST to produce a new version of FIPS 197. They'd only do that if there were a very good reason, such as a break in current AES. And since a break in AES is unlikely to be alleviated by simply extending AES, they'd be more likely to replace it entirely. So to answer the title's question, the work needed to extend AES likely starts by breaking AES, which is enormously difficult, and that break has to be mitigatable by increasing the key size/round count (even harder).
SAI Peregrinus avatar
si flag
Rijndael, on the other hand, is pretty easy to extend to larger round counts and key sizes. Adding rounds is trivial, changing the key schedule without introducing insecurity or making it too slow is harder. The 128-bit block size makes larger key sizes than the current 256 bits rather useless though, not to mention that basic thermodynamics ensures 256 bit keys will be secure even against quantum computers the size of entire planets for millions of years.
cn flag
@SAIPeregrinus Thank you, these are very helpful comments. I was just wondering about the purely technical difficulty of developing a new standard, rather than "human" factors like the difficulty of persuading NIST to do something. I guess I probably should have phrased my question in terms of Rijndael rather than AES. Why does the 128-bit block size make key sizes larger than 256 bits "rather useless"? Could this be easily changed by simply increasing the block size, or would that be a difficult undertaking (at the purely algorithmic, not the practical, level)?
Maarten Bodewes avatar
in flag
To be honest I think that what you are asking for is too generic. It depends on the change that you make how much of the cryptanalysis needs to be changed, if at all. Adding key sizes doesn't make much sense as AES-128 is secure against any attacks with normal computers. To protect against multi-target and quantum computers you can use AES-256. Any other attacks depend on other, unknown attack vectors. With the advantage of hindsight, I think that AES-192 was already a mistake.
kelalaka avatar
in flag
[After 20 years of AES, what are the retrospective changes that should have been made?](https://crypto.stackexchange.com/q/87604/18298)
cn flag
@kelalaka That question is interesting, but respectfully, it has very little to do with my question here. I have edited my question to discuss the possibility of using a smaller rather than a larger key size, in order to (hopefully) clarify that my question has nothing to do with improving the security or utility of AES.
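
The key schedule mentioned in the question and in the comment on extending Rijndael, as an added example (not part of the original thread, and not code from any poster or from the Rijndael authors): the FIPS 197 key expansion written with the key length in words (`nk`) and the round count (`nr`) as free parameters. The function names are this example's own, and applying the same rules to a 64-bit key is an assumption of the sketch, not a specified or analysed cipher.

```python
def xtime(a):
    """Multiply by x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def gmul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def build_sbox():
    """S-box = field inverse followed by the fixed affine map (FIPS 197)."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
        s = inv ^ 0x63
        for k in range(1, 5):
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        sbox.append(s)
    return sbox

SBOX = build_sbox()

def rijndael_rounds(nk, nb=4):
    """Round count the Rijndael design assigns: max(Nk, Nb) + 6."""
    return max(nk, nb) + 6

def expand_key(key, nr, nb=4):
    """Return the nb*(nr+1) round-key words (hex) for a key of any 4*nk bytes."""
    if not key or len(key) % 4:
        raise ValueError("key must be a non-empty multiple of 4 bytes")
    nk = len(key) // 4
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1                      # Rcon[j] = x^(j-1), generated on the fly
    for i in range(nk, nb * (nr + 1)):
        t = w[i - 1]
        if i % nk == 0:           # once per nk words: RotWord, SubWord, Rcon
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = xtime(rcon)
        elif nk > 6 and i % nk == 4:
            # Extra SubWord: a design choice made for Nk > 6. Reusing the rule
            # unchanged for sizes outside Rijndael's range is an assumption.
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return [bytes(word).hex() for word in w]
```

`expand_key(bytes(8), nr=8)` runs and returns 36 words for the 64-bit, 8-round case from the question, whereas `rijndael_rounds(2)` gives 10; that the expansion runs says nothing about how such a variant holds up under cryptanalysis.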