AES Resulted in a $250-Billion Economic Benefit

NIST has released a new study concluding that the AES encryption standard has resulted in a $250-billion worldwide economic benefit over the past 20 years. I have no idea how to even begin to assess the quality of the study and its conclusions—it’s all in the 150-page report, though—but I do like the pretty block diagram of AES on the report’s cover.

Posted on September 21, 2018 at 6:37 AM17 Comments


anon September 21, 2018 7:25 AM

Total global GDP over the past 20 years, about 1000 trillion dollars. So, 250 billion dollars, only 0.025%.

POLAR September 21, 2018 10:32 AM

The block diagram isn’t even in a vectorial format. Will they make reports for 7-Zip, the linux kernel and Libreoffice?

Dave September 21, 2018 11:42 AM

This is merely a specific instance of the more general:

$government_department has released has released a new study concluding that $government_department_work has resulted in a \$ $random_big_value economic benefit over the past ($now – $government_department_work_date) years

Hmm September 21, 2018 1:23 PM

Framing everything humans accomplish in economic terms is why we don’t deserve to survive long-term.

We need better gods.

William September 21, 2018 1:35 PM

Sounds like a low number considering over 2 billion devices, not counting internet infrastructure use AES. Particularly as it’s difficult to prove a negative and we can’t say with any certainty how costly it would have been to continue to rely on DES. By my calculations, a lot.

Anyways, my comment is really about a related cost savings I’ve noticed. And I say this without any horse in the race, but cursory comparison of education costs have shown me that the home of AES, KU Lueven, has an annual tuition rate of $9000 and is located in a beautiful town in eastern Flanders with quite an affordable cost of living.

I’ve never been there, but it looks very nice and thought I’d pass on this info as it could be useful to a reader of this blog who may be considering their education options.

Herman September 23, 2018 12:37 AM

“but I do like the pretty block diagram of AES on the report’s cover.” Ouch! – Damning praise.

Those kind of reports can only be pure marketing drivel that assumes the world will stand still without AES, as if there never was anything else.

Mark September 23, 2018 6:25 PM

I wonder what the financial impact of their NSA-sponsored random number generator is? We can’t trust NIST.

Weather September 23, 2018 11:41 PM

I like the picture, sub word and byte, if you v=I(for loop)*sub word byte
It produce collision between over values, add other basic maths,instead of a swap byte, you can use maths to workout the value,I had three add,mul,div,sub that just three had enough collision to match
The mix columns with the xor I’m thinking of mixing 7f80 it needs some filter like abov,

Clive Robinson September 24, 2018 2:32 AM

@ Mark,

I wonder what the financial impact of their NSA-sponsored random number generator is? We can’t trust NIST.

The problem is not can we trust NIST but can we trust the processes and procedures NIST uses.

The way standards are made is much the same in any standards body so if those processes and procedures are the same or sufficiently similar the question arises,

    What Standards body can we trust?

The other problem is that NIST were mandated to use the NSA, it was not NIST’s choice and probably not the choice of the NSA either.

The NSA like many SigInt entities most definitely work by “Security by Obscurity” and for good reason. Their primary task is “to break the security of other nations systems” so that they can gather intelligence from them. If you find a “break” it’s usually hard won, and if you give it away in any form then not only might that break be closed, it will give information to system designers not just what to avoid in future but insight into the SigInt entities “methods and sources”. It also causes distrust amongst SigInt entities of allied nations[1].

However long befor the NSA existed various subgames of the “great game” had been played. One of which is “finessing”[7] whereby you do things to weaken a potential adversaries hand. Frequently this is by pushing a deliberatly weakened or backdoored system under the disguise of improving things. I’ve mentioned before the AES competition and how the NSA finessed it. More promenently known is the Digital Random Number Generator that caused NIST to withdraw a standard.

Unfortunately as I’ve explained in the past ALL standards bodies that have anything even remotely connected to communications get this done to them. Which brings us back to my question above,

    What Standards body can we trust?

To which the answer is “None Currently”.

[1] Prior to World War Two atleast two people published information about their nations cryptanalysis that they should not have done. One was Winston Churchill about the British Admiralty “Room 40” the other was Herbert O Yardley about the American “Black Chamber”. The result was that during WWII both US and British cryptoanalysis efforts were hampered by mutual distrust at senior levels. This only became partly resolved when the British compleatly snowed under by Ultra work handed over all the work they had done on Japanese ciphers so they could be shot of it. It’s unknown just how many lives and materials were lost due to this, but it was in part this loss that drove forward a small handfull of people at Bletchley, that resulted in first a “hsndshake agrement” and later the BRUSA Agreement[2] that became the basis for UKUSA Agreement “special relationship” and the Five-Eyes.

[2] Even then trust was still limited as the various issues with SIGABA (ECM Mk2) demonstrated. The US had examined the British Typex and deduced some information from it as to why it was more secure than the German Enigma. This they then independently developed and put into SIGABA unaware that the British had already worked out the idea prior to producing the Typex but left it out of the design due to manufacturing cost and reliability reasons. The seniors in the US had deemed that it was “so secret” that the British should not be made aware of it. However at a lower level the British had not just seen a SIGABA close up but actually discused with US personnel why they had not included it in Typex… It came out in discussions about a new design of cipher machine that Gordon Welchman was working on that the British were hoping to get the US to manufacture parts for that was to forefill a “joint operations roll”. Basically rather than build a new machine the British wanted to use SIGABA for the joint operations roll as that would mean not having to manufacture one, and whilst they were happy to hand over the Rockex[3] designs to certain allies they did not want it available to others. The reason it came out was that the US did not want the UK to have an intermediate cipher system, thus the Welchman design was overly complex and it was arguments over “reliability”[4] that brought out the fact that the British knew all about the internals of SIGABA and it’s weaknesses. One of the many “Opps moments” that occure when so much secrecy between allies occurs.

[3] The Diplomatic Wirless Service which was formed by the British Foreign and Commonwealth Office had developed the idea of the Rockex and had engaged the Canadian engineer Benjamin “Pat” Bayly to design it. The Rockex was a “One Time Tape” system that would convert the 5bit 32valued teleprinter code into a 26charecter 5letter group cipher that like the One Time Pad was theoretically unbreakable. However theory and practice often do not see “eye to eye”. The reason the British did not want to hand out what was a high level cipher system to all it’s allies was two fold. Firstly they had solved what we would now call the electrical and achostic EmSec issues that were major failing in most nations cipher systems. But from a practical point One Time systems are not practical for most usages, only for a limited subset of point to point links.

[4] These days few people realise that cryptography had in many respects stagnated after WWII. Systems were being put in the field that were known to be not just weak but very weak[5]. The reason was “mechanical reliability”. Like locks there are limits on what you can do with electromechanical cipher systems, and cryptanalysis had long since surpassed such crypto systems that could be made reliable in use.

[5] It has long been suspected that “fielding” such systems had been a deliberate policy as part of the “Security by Obscurity” idea. That is you “finesse” your opponent[7].

[6] Finessing is a term borrowed from “contract bridge” that was and still is a popular card game with a certain type of British intelligentsia. In essence you play a weak card to out a stronger card so that you can keep an even stronger card to win an extra trick you would not otherwise have got.

[7] In crypto circles finessing[6] can mean deliberatly fielding a known vulnarable system such that a less knowledgable opponent uses or copies it. Such systems usually have “weak key” issues. That is whilst some keys are strong others are weak. If you know which is which you only put strong keys in your key schedules, the adversary picks randomly. Thus if the system has 1/5 of the key space as very weak keys, 3/5 weak keys, and 1/5 strong keys 20% of the adversaries traffic will be readable to you immediately. If appropriate records are kept and used then those “ins” provide ways into 60% of the remaining traffic, whilst the adversary does not read any of your traffic within a period that it is of primary use to the adversary.

echo September 24, 2018 2:55 PM


We all know what happened to Gordon Welchman on the instigation of the UK government. As for US leaks the US also released information on the Welrod pistol the UK government was refusing to release. I know people say Hollywood is nonsense (and the UK state wordplaying over “suppressor” versus “silencer” is annoying) but the Welrod is a known known. I am left wondering why so many silenced guns available on the open market in the US make such a racket and why nobody has manufactured a modern day equivalent of the Welrod and why Hollywood movies rarely if ever feature the Welrod. After a search I discovered the B&T VP9 sold for “veterinary” purposes. Oh, well then. Too touchy feely for modern criminals it seems.

Speaking of which the SOE Welman submarine project to be “driven by anybody, no submarine or diving experience being essential” seems to have been later independently invented by South American drug cartels to great effect.

Clive Robinson September 25, 2018 11:09 AM

@ echo,

I am left wondering why so many silenced guns available on the open market in the US make such a racket and why nobody has manufactured a modern day equivalent of the Welrod

The reason so many make a racket is “wrong ammunition” or “wrong breach configuration”.

So yes if you want to make a silenced weapon you still could. But due to breach issues you would have to design a new gun. But the ammunition issue also effects it’s utility. You are looking for a sub-sonic moving round without much diameter. Most amunition is not designed this way because it has quite a limited range and low impact energy dispersal.

The only ammunition I’ve ever used with those sorts of criteria are “anti-vermin” rounds designed to have just enough punch to kill a fox or similar “rabies vector” at close range (ie caught in a cage).

As for the Wellrod, you can buy originals as one or two collectors have them and demonstrate them. But they need a lot of maintenance for obvious reasons. I used to know someone back in the days when I “wore the green” that had a business designing and manufacturing “moderators” and thus had the opportunity to see him refurbish a Wellrod.

echo September 25, 2018 1:04 PM


It would be a lovely project to design and build a modern Welrod which addressed the issue. Unfortunately it’s not something I would ever use or encourage using. I just couldn’t.

“Moderator” was the other alternative word I was trying to remember.

Lucky you. I like seeing this kind of thing and listening to all the blather. It’s quiet restful. I’m sure this makes me odd in a lot of ways.

Clive Robinson September 25, 2018 3:35 PM

@ echo,

I like seeing this kind of thing and listening to all the blather. It’s quiet restful. I’m sure this makes me odd in a lot of ways.

To each there own imagine how dull this life would be if all women were clones of say Paris Hilton, or any one of a number of imaginary stereotypical types…

But having been accused of being an “Engineers Engineer” in the past and kind of regard myself as a sort of “failed scientist” because I could not put up with the academic politics having tried several times. I happen to like people that are curious about the world around them.

All though the evidence is scant I happen to believe that after a certain age it’s the mind that keeps the body alive and not the other way around. Thus the more active your mind the less likely you are to atrophy at an early age. As I jokingly say, I plan to live as long as life is interesting, which hopefully should make me immortal 😉

Clive Robinson September 26, 2018 1:36 AM

@ Alyer Babtu, echo,

Whatever happened to handheld rail guns, e.g., this kind of thing

Whilst rail guns may not make a loud bang magneto constriction and similar effects on the energy storage units etc will make quite a noise if such a projectile weapon is to become not just of any use but reliable.

As for what is shown on the endgadget site, it’s either a fake or somebody on the make for funding off of an idea that will not realy work (remember Starwars SDI from the “Ronnie the raygun Reagan” era, never delivered). Even Naval gun size rail guns are still not at engineering prototype level today. In essence they use a sliding armature system to make best use of the Lorentz force. That device is more like a linear motor which has a whole different bunch of issues not least of which is “What do you make the barrel from”.

To see why it’s unlikely to “do the business” work out the required energy release to get an ordinary service issue hand gun bullet up to the required kinetic behaviour[1]. Then convert that energy directly into it’s electrical equivalent then work out the time period that energy has to be released in[2]. Then go looking not just for the energy storage components but the high current wiring and avalanche switching devices oh and also work out the inductance of the coils etc. Then work out the impedence and then look up the ESR on those types of capacitor…

I’ve actually built a HERF weapon for fun which is way way easier, but you run into the pulse generator issue but only at a fraction of what would be required to fire a few tens of grams of metal even if you could get 95% energy conversion.

[1] Around 500j @ 400m/S for service issue hand guns, you can trade mass for velocity on the bullet but that means larger energy.

[2] Assume in the case shown 2.5cm max length per coil thus 0.025/400 = 62.5uS[3]

[3] But the coils have rise times just as capacitors do and 5lr is a good aproximation to a steady state value so 12.5uS is what you are looking at as bottom line rise time. But that coil is with an “iron core” for the bullet for only a short but most important period. But solid iron / steel makes realy bad inductors at the best of times with working frequencies well down in the bottom end of the audio frequencies at best (wind a single layer solenoid transformer on a nail to see just how bad ;-)…

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.