# AES
The Advanced Encryption Standard is a symmetric block cipher based on the Rijndael cipher. It was standardised by NIST in 2001 in FIPS 197.
| | Rule or recommendation | Comments |
|---|---|---|
| ANSSI: recommended or obsolete? | Recommended | Follows rule 2, OK for long-term use (beyond 2026). |
| | Recommended, block size of 128 bits. | Follows rule 2, OK for long-term use (beyond 2026). |
| | Recommended, minimum key length of 128 bits. | |
## Overview
There are three variants standardised by FIPS 197: AES-128, AES-192, AES-256. The differences between variants are the key size (128, 192, and 256 bits respectively) and the number of rounds.
All three variants have a block size of 128 bits, meaning that a single call to the cipher can only encrypt or decrypt 128 bits of data. To handle larger messages, they are used with a mode of operation, which chains calls to the block cipher to process arbitrary amounts of data[1].
## Modes of operation
There are two types of modes of operation: confidentiality-only and authenticated modes. The latter ensures both the confidentiality of the message as well as its integrity, so using these modes should be preferred when possible. Note that confidentiality-only modes are used by authenticated modes, and that the following recommendations apply when using these modes to construct authenticated ones.
### Confidentiality-only modes
These modes of operation require an IV, which must be either:

- a value generated with a cryptographically secure pseudo-random number generator;
- a value that is used only once (a nonce).
The different modes of operation are:
| Mode | Status | Comments |
|---|---|---|
| CTR | Recommended | Stream mode: never reuse the same (key, IV) pair, as this lets an attacker recover the XOR of the two plaintexts. |
| OFB | Recommended | Stream mode: never reuse the same (key, IV) pair, as this lets an attacker recover the XOR of the two plaintexts. |
| CBC | Recommended | |
| CBC-CS | Recommended | |
| CFB | Recommended | Requires padding, as it only processes messages whose length is a multiple of the block size. Since it requires padding, implementations must ensure that the decryption process does not allow padding oracle attacks. |
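The two IV requirements above, and the (key, IV) reuse failure noted for the stream modes, can be checked in code. The following is an added example written for this page (not part of the original text, and not ANSSI or NIST code) using only the Go standard library: AES-CTR with a fresh IV from the CSPRNG for every message, and a check that two messages encrypted under a repeated (key, IV) pair expose the XOR of their plaintexts. The key, messages and the reused all-zero IV are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ctrEncrypt encrypts plaintext with AES-CTR under key. The 128-bit IV is
// drawn from the CSPRNG for every message and prepended: IV || ciphertext.
func ctrEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	iv := make([]byte, block.BlockSize())
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	out := make([]byte, len(iv)+len(plaintext))
	copy(out, iv)
	cipher.NewCTR(block, iv).XORKeyStream(out[len(iv):], plaintext)
	return out, nil
}

// ctrDecrypt splits off the IV and applies the same keystream.
func ctrDecrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(data) < bs {
		return nil, errors.New("message shorter than the IV")
	}
	plaintext := make([]byte, len(data)-bs)
	cipher.NewCTR(block, data[:bs]).XORKeyStream(plaintext, data[bs:])
	return plaintext, nil
}

// ctrWithGivenIV encrypts under a caller-chosen IV. It exists only so that
// the effect of reusing a (key, IV) pair can be observed below.
func ctrWithGivenIV(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(out, plaintext)
	return out
}

// xorBytes returns a XOR b over the length of the shorter input.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// keystreamReuseLeaksXOR checks the property the table warns about: with the
// same (key, IV) the keystream repeats, so c1 XOR c2 equals p1 XOR p2 and the
// relationship between the plaintexts is exposed without the key.
func keystreamReuseLeaksXOR(key, iv, p1, p2 []byte) bool {
	c1 := ctrWithGivenIV(key, iv, p1)
	c2 := ctrWithGivenIV(key, iv, p2)
	return bytes.Equal(xorBytes(c1, c2), xorBytes(p1, p2))
}

func main() {
	key := []byte("0123456789abcdef") // constructed 16-byte demo key
	msg := []byte("hello, CTR mode")
	ct, err := ctrEncrypt(key, msg)
	if err != nil {
		panic(err)
	}
	pt, _ := ctrDecrypt(key, ct)
	fmt.Printf("roundtrip ok: %v\n", bytes.Equal(pt, msg))
	fixedIV := make([]byte, 16) // constructed all-zero IV, reused on purpose
	fmt.Printf("reused IV leaks plaintext XOR: %v\n",
		keystreamReuseLeaksXOR(key, fixedIV, []byte("meet at noon"), []byte("lunch at one")))
}
```

`ctrEncrypt` is the pattern to use: the IV is generated per message and travels with the ciphertext, so the receiver needs no IV state. The same reuse property holds for OFB, which is why the table carries the same comment for both modes.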
### Authenticated modes
The modes GCM, CCM, and EAX are recommended when used with a recommended primitive such as AES.
| Mode | Status | Comments |
|---|---|---|
| CCM | Recommended | |
| GCM | Recommended | |
| EAX | Recommended | |
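To make concrete what "authenticated" buys over the confidentiality-only modes, here is an added AES-GCM example written for this page (not the original text's code, nor ANSSI's or NIST's) using the Go standard library. It seals a message with a fresh 96-bit nonce, binds a header as additional authenticated data, and shows that a single flipped bit in the ciphertext, or a changed header, is rejected before any plaintext is returned. The key and header are constructed demo values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts plaintext and authenticates both it and additionalData.
// A fresh 96-bit nonce from the CSPRNG is used per message and prepended:
// nonce || ciphertext || 16-byte tag. Under one key a nonce must never repeat.
func gcmSeal(key, plaintext, additionalData []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends to its first argument, so the output starts with the nonce.
	return aead.Seal(nonce, nonce, plaintext, additionalData), nil
}

// gcmOpen verifies the tag and decrypts. Any change to nonce, ciphertext, tag
// or additionalData makes Open fail, and no plaintext is released in that case.
func gcmOpen(key, sealed, additionalData []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, errors.New("message too short to carry nonce and tag")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], additionalData)
}

// tamperIsDetected flips one bit just after the nonce and reports whether
// gcmOpen rejects the result, which is the integrity guarantee of the mode.
func tamperIsDetected(key, sealed, additionalData []byte) bool {
	if len(sealed) <= 12 {
		return false
	}
	modified := append([]byte(nil), sealed...)
	modified[12] ^= 0x01 // first byte after the 12-byte nonce
	_, err := gcmOpen(key, modified, additionalData)
	return err != nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte demo key (AES-256)
	aad := []byte("record-type: 1")                   // constructed header bound to the ciphertext
	sealed, err := gcmSeal(key, []byte("authenticated encryption example"), aad)
	if err != nil {
		panic(err)
	}
	pt, err := gcmOpen(key, sealed, aad)
	fmt.Printf("opened: %q (err=%v)\n", pt, err)
	fmt.Printf("tamper detected: %v\n", tamperIsDetected(key, sealed, aad))
	_, err = gcmOpen(key, sealed, []byte("record-type: 2"))
	fmt.Printf("changed header rejected: %v\n", err != nil)
}
```

The nonce is drawn at random here because the page requires either a CSPRNG value or a nonce; at 96 bits, a counter managed per key is the safer choice for very high message volumes, since a repeated GCM nonce breaks both confidentiality and the authentication key.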
## Constructions
Constructions refer to ways of combining a (block) cipher with a Message Authentication Code (MAC) to ensure both the confidentiality and the authenticity of the message.
| Construction | Status | Comments |
|---|---|---|
| Encrypt-then-MAC | Recommended | |
| MAC-then-Encrypt | Deprecated | |
| Encrypt-and-MAC | Deprecated | |
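The recommended construction, Encrypt-then-MAC, is shown below as an added example written for this page (not the original text's code, nor ANSSI's) using the Go standard library: AES-CBC with PKCS#7 padding and a random IV, followed by HMAC-SHA256 over IV and ciphertext under a separate MAC key. The decryptor verifies the tag in constant time before touching the ciphertext, which is also why this ordering neutralises the padding oracle concern raised in the confidentiality-only modes table: an attacker-modified message never reaches the unpadding step. Keys and messages are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// pkcs7Pad appends 1..blockSize bytes, each equal to the count added, so the
// result is a whole number of blocks (a full block of padding for exact sizes).
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(append([]byte(nil), data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips the padding and rejects malformed values.
func pkcs7Unpad(data []byte, blockSize int) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, errors.New("invalid padded length")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > blockSize {
		return nil, errors.New("invalid padding")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("invalid padding")
		}
	}
	return data[:len(data)-n], nil
}

// etmEncrypt applies Encrypt-then-MAC: AES-CBC under encKey with a random IV,
// then HMAC-SHA256 under a separate macKey over IV || ciphertext.
// Output layout: IV || ciphertext || 32-byte tag.
func etmEncrypt(encKey, macKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	padded := pkcs7Pad(plaintext, bs)
	out := make([]byte, bs+len(padded))
	if _, err := rand.Read(out[:bs]); err != nil { // fresh IV per message
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:bs]).CryptBlocks(out[bs:], padded)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(out)
	return mac.Sum(out), nil // Sum appends the tag to out
}

// etmDecrypt checks the tag in constant time before anything else; only an
// authentic message reaches CBC decryption and unpadding, so padding errors
// can never be observed by whoever supplied the ciphertext.
func etmDecrypt(encKey, macKey, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	bs, tagLen := block.BlockSize(), sha256.Size
	if len(data) < 2*bs+tagLen || (len(data)-tagLen)%bs != 0 {
		return nil, errors.New("malformed message")
	}
	body, tag := data[:len(data)-tagLen], data[len(data)-tagLen:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("authentication failed")
	}
	padded := make([]byte, len(body)-bs)
	cipher.NewCBCDecrypter(block, body[:bs]).CryptBlocks(padded, body[bs:])
	return pkcs7Unpad(padded, bs)
}

func main() {
	encKey := []byte("0123456789abcdef")                 // constructed 16-byte demo key
	macKey := []byte("fedcba9876543210fedcba9876543210") // constructed, distinct MAC key
	out, err := etmEncrypt(encKey, macKey, []byte("encrypt-then-MAC example"))
	if err != nil {
		panic(err)
	}
	pt, err := etmDecrypt(encKey, macKey, out)
	fmt.Printf("decrypted: %q (err=%v)\n", pt, err)
	out[20] ^= 0x80 // flip a bit inside the ciphertext body
	_, err = etmDecrypt(encKey, macKey, out)
	fmt.Println("tampered message:", err)
}
```

Two design points matter for this construction: the MAC covers the IV as well as the ciphertext (otherwise the first plaintext block can be altered undetected), and the encryption and MAC keys are distinct. `hmac.Equal` is used rather than `bytes.Equal` so tag comparison does not leak timing information.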
## ANSSI rules and recommendations
### Symmetric keys
RègleCléSym
For symmetric keys used up to 2025, the minimum length is 112 bits.
For symmetric keys used from 2026 onwards, the minimum length is 128 bits.
RecommandationCléSym
The minimum recommended length for symmetric keys is 128 bits.
### Block ciphers
RègleBlocSym
For use up to 2025, the minimum block size is 64 bits.
For use from 2026 onwards, the minimum block size is 128 bits.
The maximum number of blocks encrypted with a single key is \(2^{n/2 - 5}\), where \(n\) is the block size in bits.
RecommendationBlocSym
The recommended block size for block ciphers is 128 bits.
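The \(2^{n/2 - 5}\) ceiling in RègleBlocSym is only useful if something enforces it, so here is an added example written for this page (not ANSSI's code) of a per-key usage budget in Go: it computes the limit for a given block size and refuses further encryption once the key has processed that many blocks, so key rotation happens before the bound is crossed. For AES (\(n = 128\)) the limit is \(2^{59}\) blocks; for a 64-bit block cipher it is \(2^{27}\) blocks, or 1 GiB of data. The block-size range accepted and the byte-to-block rounding are this example's own choices.

```go
package main

import (
	"errors"
	"fmt"
)

// MaxBlocksPerKey returns 2^(n/2 - 5), the RègleBlocSym ceiling on the number
// of blocks that may be encrypted under a single key with an n-bit block
// cipher. Only whole-byte block sizes between 16 and 128 bits are accepted
// (an assumption of this example, sufficient for every cipher on this page).
func MaxBlocksPerKey(blockBits int) (uint64, error) {
	if blockBits < 16 || blockBits > 128 || blockBits%8 != 0 {
		return 0, errors.New("unsupported block size")
	}
	return uint64(1) << uint(blockBits/2-5), nil
}

// KeyBudget counts blocks processed under one key and refuses work that would
// cross the ceiling, forcing a key change before the bound is reached.
type KeyBudget struct {
	blockBytes uint64
	limit      uint64
	used       uint64
}

// NewKeyBudget creates a budget for an n-bit block cipher (128 for AES).
func NewKeyBudget(blockBits int) (*KeyBudget, error) {
	limit, err := MaxBlocksPerKey(blockBits)
	if err != nil {
		return nil, err
	}
	return &KeyBudget{blockBytes: uint64(blockBits / 8), limit: limit}, nil
}

// Reserve charges the blocks a message of nbytes will consume (rounded up, as a
// partial block still costs one block-cipher call). Call it before encrypting:
// on refusal the budget is unchanged and the caller must rotate the key.
func (b *KeyBudget) Reserve(nbytes uint64) error {
	blocks := (nbytes + b.blockBytes - 1) / b.blockBytes
	if blocks > b.limit-b.used {
		return fmt.Errorf("key exhausted: %d of %d blocks used, %d more requested",
			b.used, b.limit, blocks)
	}
	b.used += blocks
	return nil
}

// Remaining reports how many blocks may still be processed under this key.
func (b *KeyBudget) Remaining() uint64 { return b.limit - b.used }

func main() {
	for _, n := range []int{64, 128} {
		limit, _ := MaxBlocksPerKey(n)
		fmt.Printf("%3d-bit blocks: at most %d blocks (%d bytes) per key\n",
			n, limit, limit*uint64(n/8))
	}
	b, _ := NewKeyBudget(128)
	fmt.Println("reserve 1 MiB:", b.Reserve(1<<20), "remaining blocks:", b.Remaining())
}
```

In practice the counter has to be persisted alongside the key (or the key derived per session so that the count restarts from zero), otherwise a restart silently resets the budget; CTR-style modes that encrypt partial blocks still consume a whole block-cipher call, which is why `Reserve` rounds up.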
RègleAlgoBloc
For an algorithm used up to the end of 2025, no attack requiring less than \(2^{100}\) operations must be known.
For an algorithm used in 2026 and beyond, no attack requiring less than \(2^{125}\) operations must be known.
RecommendationAlgoBloc
It is recommended to use block cipher algorithms that are well-tested and scrutinized by academia.
### Modes of operation
RègleModeChiff
There must be no attack of complexity less than \(2^{n/2}\) calls of the primitive, where \(n\) is the bit size of the block.
RecommandationModeChiff
The use of a non-deterministic encryption mode of operation is recommended.
An encryption mode of operation should preferably be used together with an integrity mechanism; this mechanism may be independent of the encryption mode.
Preferably use modes of operation that have a security proof.
### Stream ciphers
RègleChiffFlot
For a stream cipher algorithm used up to the end of 2025, there must not be a known attack requiring less than \(2^{100}\) operations.
For a stream cipher algorithm used in 2026 and beyond, there must not be a known attack requiring less than \(2^{125}\) operations.
RecommendationChiffFlot
It is recommended to use block cipher primitives instead of stream cipher ones. If the properties of a stream cipher are required, a recommended mode of operation of a block cipher that emulates a stream cipher can be used instead.
If a stream cipher is used, it is recommended that the algorithm used has been scrutinized by academia.