Advanced Encryption Standard process
Encyclopedia
The Advanced Encryption Standard
(AES), the block cipher
ratified as a standard by National Institute of Standards and Technology
of the United States (NIST), was chosen using a process markedly more open and transparent than its predecessor, the aging Data Encryption Standard
(DES). This process won plaudits from the open cryptographic
community, and helped to increase confidence in the security of the winning algorithm from those who were suspicious of backdoors in the predecessor, DES.
A new standard was needed primarily because DES has a relatively small 56-bit key
which was becoming vulnerable to brute force attack
s. In addition the DES was designed primarily for hardware and is relatively slow when implemented in software. While Triple-DES avoids the problem of a small key size
, it is very slow even in software; is unsuitable for limited-resource platforms, and may be affected by potential security issues connected with the (today comparatively small) block size of 64 bits.
community was immediately intense, and NIST received a great many submissions during the three month comment period.
The result of this feedback was a call for new algorithms on September 12, 1997. The algorithms were all to be block ciphers, supporting a block size
of 128 bit
s and key sizes of 128, 192, and 256 bits. Such ciphers were rare at the time of the announcement; the best known was probably Square
.
In the ensuing debate, many advantages and disadvantages of the different candidates were investigated by cryptographers; they were assessed not only on security, but also on performance in a variety of settings (PCs of various architectures, smart card
s, hardware implementations) and on their feasibility in limited environments (smart cards with very limited memory, low gate count implementations, FPGAs).
Some designs fell due to cryptanalysis
that ranged from minor flaws to significant attacks, while others lost favour due to poor performance in various environments or through having little to offer over other candidates. NIST held two conferences to discuss the submissions (AES1, August 1998 and AES2, March 1999), and in August 1999 they announced that they were narrowing the field from fifteen to five: MARS, RC6
, Rijndael, Serpent
, and Twofish
. All five algorithms, commonly referred to as "AES finalists", were designed by cryptographers considered well-known and respected in the community.
The AES2 conference votes were as follows:
A further round of intense analysis and cryptanalysis followed, culminating in the AES3 conference in April 2000, at which a representative of each of the final five teams made a presentation arguing why their design should be chosen as the AES.
on February 28, 2001 for the draft FIPS to solicit comments. On November 26, 2001, NIST announced that AES
was approved as FIPS PUB
197.
NIST won praises from the cryptographic community for the openness and care with which they ran the standards process. Bruce Schneier
, one of the authors of the losing Twofish algorithm, wrote after the competition was over that "I have nothing but good things to say about NIST and the AES process".
Advanced Encryption Standard
Advanced Encryption Standard is a specification for the encryption of electronic data. It has been adopted by the U.S. government and is now used worldwide. It supersedes DES...
(AES), the block cipher
Block cipher
In cryptography, a block cipher is a symmetric key cipher operating on fixed-length groups of bits, called blocks, with an unvarying transformation. A block cipher encryption algorithm might take a 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext...
ratified as a standard by National Institute of Standards and Technology
National Institute of Standards and Technology
The National Institute of Standards and Technology , known between 1901 and 1988 as the National Bureau of Standards , is a measurement standards laboratory, otherwise known as a National Metrological Institute , which is a non-regulatory agency of the United States Department of Commerce...
of the United States (NIST), was chosen using a process markedly more open and transparent than its predecessor, the aging Data Encryption Standard
Data Encryption Standard
The Data Encryption Standard is a block cipher that uses shared secret encryption. It was selected by the National Bureau of Standards as an official Federal Information Processing Standard for the United States in 1976 and which has subsequently enjoyed widespread use internationally. It is...
(DES). This process won plaudits from the open cryptographic
Cryptography
Cryptography is the practice and study of techniques for secure communication in the presence of third parties...
community, and helped to increase confidence in the security of the winning algorithm from those who were suspicious of backdoors in the predecessor, DES.
A new standard was needed primarily because DES has a relatively small 56-bit key
Key (cryptography)
In cryptography, a key is a piece of information that determines the functional output of a cryptographic algorithm or cipher. Without a key, the algorithm would produce no useful result. In encryption, a key specifies the particular transformation of plaintext into ciphertext, or vice versa...
which was becoming vulnerable to brute force attack
Brute force attack
In cryptography, a brute-force attack, or exhaustive key search, is a strategy that can, in theory, be used against any encrypted data. Such an attack might be utilized when it is not possible to take advantage of other weaknesses in an encryption system that would make the task easier...
s. In addition the DES was designed primarily for hardware and is relatively slow when implemented in software. While Triple-DES avoids the problem of a small key size
Key size
In cryptography, key size or key length is the size measured in bits of the key used in a cryptographic algorithm . An algorithm's key length is distinct from its cryptographic security, which is a logarithmic measure of the fastest known computational attack on the algorithm, also measured in bits...
, it is very slow even in software; is unsuitable for limited-resource platforms, and may be affected by potential security issues connected with the (today comparatively small) block size of 64 bits.
Start of the process
On January 2, 1997, NIST announced that they wished to choose a successor to DES to be known as AES. Like DES, this was to be "an unclassified, publicly disclosed encryption algorithm capable of protecting sensitive government information well into the next century." However, rather than simply publishing a successor, NIST asked for input from interested parties on how the successor should be chosen. Interest from the open cryptographicCryptography
Cryptography is the practice and study of techniques for secure communication in the presence of third parties...
community was immediately intense, and NIST received a great many submissions during the three month comment period.
The result of this feedback was a call for new algorithms on September 12, 1997. The algorithms were all to be block ciphers, supporting a block size
Block size (cryptography)
In modern cryptography, symmetric key ciphers are generally divided into stream ciphers and block ciphers. Block ciphers operate on a fixed length string of bits. The length of this bit string is the block size...
of 128 bit
Bit
A bit is the basic unit of information in computing and telecommunications; it is the amount of information stored by a digital device or other physical system that exists in one of two possible distinct states...
s and key sizes of 128, 192, and 256 bits. Such ciphers were rare at the time of the announcement; the best known was probably Square
Square (cipher)
In cryptography, Square is a block cipher invented by Joan Daemen and Vincent Rijmen. The design, published in 1997, is a forerunner to the Rijndael algorithm, which has been adopted as the Advanced Encryption Standard...
.
Rounds one and two
In the nine months that followed, fifteen different designs were created and submitted from several different countries. They were, in alphabetical order:- CAST-256CAST-256In cryptography, CAST-256 is a block cipher published in June 1998. It was submitted as a candidate for the Advanced Encryption Standard ; however, it was not among the five AES finalists. It is an extension of an earlier cipher, CAST-128; both were designed according to the "CAST" design...
, CRYPTONCRYPTONIn cryptography, CRYPTON is a block cipher submitted as a candidate for the Advanced Encryption Standard . It is very efficient in hardware implementations and was designed by Chae Hoon Lim of Future Systems Inc....
, DEALDEALIn cryptography, DEAL is a block cipher derived from the Data Encryption Standard . The design was proposed in a report by Lars Knudsen in 1998, and was submitted to the AES contest by Richard Outerbridge .DEAL is a Feistel network which uses DES as the...
, DFCDFC (cipher)In cryptography, DFC is a block cipher which wascreated in 1998 by a group of researchers from École Normale Supérieure, CNRS, and France Télécom and submitted to the AES competition.Like other AES candidates, DFC operates on blocks of 128 bits, using a key of 128, 192, or 256 bits...
, E2E2 (cipher)In cryptography, E2 is a block cipher which was created in 1998 by NTT and submitted to the AES competition.Like other AES candidates, E2 operates on blocks of 128 bits, using a key of 128, 192, or 256 bits. It uses a 12-round Feistel network...
, FROGFROGIn cryptography, FROG is a block cipher authored byGeorgoudis, Leroux and Chaves. The algorithm can work with any block size between 8 and 128 bytes, and supports key sizes between 5 and 125 bytes...
, HPCHasty Pudding CipherThe Hasty Pudding Cipher is a variable-block-size block cipher designed by Richard Schroeppel, which was an unsuccessful candidate in the competition for selecting the U.S. Advanced Encryption Standard...
, LOKI97LOKI97In cryptography, LOKI97 is a block cipher which was a candidate in the Advanced Encryption Standard competition. It is a member of the LOKI family of ciphers, earlier instances being LOKI89 and LOKI91...
, MAGENTAMAGENTAIn cryptography, MAGENTA is a symmetric key block cipher developed by Michael Jacobson Jr. and Klaus Huber for Deutsche Telekom. The name MAGENTA is an acronym for Multifunctional Algorithm for General-purpose Encryption and Network Telecommunication Applications...
, MARS, RC6RC6In cryptography, RC6 is a symmetric key block cipher derived from RC5. It was designed by Ron Rivest, Matt Robshaw, Ray Sidney, and Yiqun Lisa Yin to meet the requirements of the Advanced Encryption Standard competition. The algorithm was one of the five finalists, and was also submitted to the...
, Rijndael, SAFER+SAFERIn cryptography, SAFER is the name of a family of block ciphers designed primarily by James Massey on behalf of Cylink Corporation. The early SAFER K and SAFER SK designs share the same encryption function, but differ in the number of rounds and the key schedule...
, SerpentSerpent (cipher)Serpent is a symmetric key block cipher which was a finalist in the Advanced Encryption Standard contest, where it came second to Rijndael. Serpent was designed by Ross Anderson, Eli Biham, and Lars Knudsen....
, and TwofishTwofishIn cryptography, Twofish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits. It was one of the five finalists of the Advanced Encryption Standard contest, but was not selected for standardisation...
.
In the ensuing debate, many advantages and disadvantages of the different candidates were investigated by cryptographers; they were assessed not only on security, but also on performance in a variety of settings (PCs of various architectures, smart card
Smart card
A smart card, chip card, or integrated circuit card , is any pocket-sized card with embedded integrated circuits. A smart card or microprocessor cards contain volatile memory and microprocessor components. The card is made of plastic, generally polyvinyl chloride, but sometimes acrylonitrile...
s, hardware implementations) and on their feasibility in limited environments (smart cards with very limited memory, low gate count implementations, FPGAs).
Some designs fell due to cryptanalysis
Cryptanalysis
Cryptanalysis is the study of methods for obtaining the meaning of encrypted information, without access to the secret information that is normally required to do so. Typically, this involves knowing how the system works and finding a secret key...
that ranged from minor flaws to significant attacks, while others lost favour due to poor performance in various environments or through having little to offer over other candidates. NIST held two conferences to discuss the submissions (AES1, August 1998 and AES2, March 1999), and in August 1999 they announced that they were narrowing the field from fifteen to five: MARS, RC6
RC6
In cryptography, RC6 is a symmetric key block cipher derived from RC5. It was designed by Ron Rivest, Matt Robshaw, Ray Sidney, and Yiqun Lisa Yin to meet the requirements of the Advanced Encryption Standard competition. The algorithm was one of the five finalists, and was also submitted to the...
, Rijndael, Serpent
Serpent (cipher)
Serpent is a symmetric key block cipher which was a finalist in the Advanced Encryption Standard contest, where it came second to Rijndael. Serpent was designed by Ross Anderson, Eli Biham, and Lars Knudsen....
, and Twofish
Twofish
In cryptography, Twofish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits. It was one of the five finalists of the Advanced Encryption Standard contest, but was not selected for standardisation...
. All five algorithms, commonly referred to as "AES finalists", were designed by cryptographers considered well-known and respected in the community.
The AES2 conference votes were as follows:
- Rijndael: 86 positive, 10 negative
- SerpentSerpent (cipher)Serpent is a symmetric key block cipher which was a finalist in the Advanced Encryption Standard contest, where it came second to Rijndael. Serpent was designed by Ross Anderson, Eli Biham, and Lars Knudsen....
: 59 positive, 7 negative - TwofishTwofishIn cryptography, Twofish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits. It was one of the five finalists of the Advanced Encryption Standard contest, but was not selected for standardisation...
: 31 positive, 21 negative - RC6RC6In cryptography, RC6 is a symmetric key block cipher derived from RC5. It was designed by Ron Rivest, Matt Robshaw, Ray Sidney, and Yiqun Lisa Yin to meet the requirements of the Advanced Encryption Standard competition. The algorithm was one of the five finalists, and was also submitted to the...
: 23 positive, 37 negative - MARS: 13 positive, 84 negative
A further round of intense analysis and cryptanalysis followed, culminating in the AES3 conference in April 2000, at which a representative of each of the final five teams made a presentation arguing why their design should be chosen as the AES.
Selection of the winner
On October 2, 2000, NIST announced that Rijndael had been selected as the proposed AES and started the process of making it the official standard by publishing an announcement in the Federal RegisterFederal Register
The Federal Register , abbreviated FR, or sometimes Fed. Reg.) is the official journal of the federal government of the United States that contains most routine publications and public notices of government agencies...
on February 28, 2001 for the draft FIPS to solicit comments. On November 26, 2001, NIST announced that AES
Advanced Encryption Standard
Advanced Encryption Standard is a specification for the encryption of electronic data. It has been adopted by the U.S. government and is now used worldwide. It supersedes DES...
was approved as FIPS PUB
Federal Information Processing Standard
A Federal Information Processing Standard is a publicly announced standardization developed by the United States federal government for use in computer systems by all non-military government agencies and by government contractors, when properly invoked and tailored on a contract...
197.
NIST won praises from the cryptographic community for the openness and care with which they ran the standards process. Bruce Schneier
Bruce Schneier
Bruce Schneier is an American cryptographer, computer security specialist, and writer. He is the author of several books on general security topics, computer security and cryptography, and is the founder and chief technology officer of BT Managed Security Solutions, formerly Counterpane Internet...
, one of the authors of the losing Twofish algorithm, wrote after the competition was over that "I have nothing but good things to say about NIST and the AES process".
External links
- A historical overview of the process can be found on NIST's website.
- On the sci.crypt newsgroup, there are extensive discussions about the AES process.