Reflections on AES and DES.... DES was developed by a team that wanted to call it "Dataseal" at IBM. Some IBM flacks renamed it Demon (for "demonstration cipher"), a name the original developers didn't like. So they agitated against the new name, and eventually someone decided to rename it Lucifer, which the original developers liked even less. One gets the impression that the flacks were just toying with the techies here, twisting the knife as it were. But then it was adopted (in a slightly different form) as the Data Encryption Standard of the US government, and everybody gave up on the "demonic" naming conventions and just started calling it DES. Now, Dataseal/Demon/Lucifer was pretty good. It may not have been the *most* secure algorithm of its time, but neither was it a transparent and useless "cipher" with obvious flaws other than the 56-bit keyspace. However, the important part of building up trust (or lack thereof) in the cipher came after it was chosen as the DES. That choice focused every cryptanalyst in the world on it, for a while, and sparked a fair amount of hard research in mathematics. Eventually someone found an attack better than brute force on it -- but the attack requires a very very large number of plaintext/ciphertext pairs to carry out, and seems unlikely in practice. The important thing though, is that people did the math, did the research, did the hard thinking -- and did it for a long time. When someone uses DES or 3DES today, she knows EXACTLY how much protection her data is getting, and knows that hundreds, possibly thousands, of brilliant people have focused many man-years on proving that that amount of protection *is* exactly how much she's getting. It may be that some other ciphers that were around at that time are more secure -- hell, no doubt about it really. But none of those ciphers have attracted the attention of as many really bright people making *sure* it's secure that being the DES has gotten for this cipher. Now, the newly minted AES is standing in place to receive the same attention from the worldwide community -- indeed, has already started to. Even if it's not technically as secure as Twofish and Serpent, the coming years of attention are going to reduce the likelihood of an attack that we just didn't know about on AES -- but not as much on Twofish and Serpent. So whatever its respective strength, our *knowledge* of its strength will become stronger and stronger as more and more time goes by with attention focused on it. Anyway, from the POV of confidence in a cipher, it's not really as important which cipher they picked. It's important that they picked one -- and now cryptanalytic attention is focused on it. Every day no flaw is found raises our confidence that there is none, making the security of this cipher more trustworthy. Regardless of its strength relative to the other candidates (which in reality we may never know except by the continued failure to find obvious breaks in anything) the trustworthiness of the cipher, deriving from the amount of effort and testing that have gone into it, will quickly eclipse the trustworthiness of all other candidates. It would have been the same whichever cipher they picked. Bear