ITL Bulletin, August 1999

THE ADVANCED ENCRYPTION STANDARD: A STATUS REPORT

U.S. DEPARTMENT OF COMMERCE, Technology Administration, National Institute of Standards and Technology

ITL Bulletins are published by the Information Technology Laboratory (ITL) of the National Institute of Standards and Technology (NIST). Each bulletin presents an in-depth discussion of a single topic of significant interest to the information systems community.

NIST's Information Technology Laboratory is working with industry and the cryptographic community to develop an Advanced Encryption Standard (AES). The goal is to develop a Federal Information Processing Standard (FIPS) that specifies an encryption algorithm(s) capable of protecting sensitive (unclassified) government information well into the next century. The algorithm(s) is expected to be used by the U.S. Government and, on a voluntary basis, by the private sector. This ITL Bulletin gives a status report on the development of the AES, summarizes the evaluation process, and briefly describes the five finalist algorithms selected in Round 1 of the AES development process.

Background

On January 2, 1997, NIST announced the initiation of an effort to develop the AES and made a formal call for algorithms on September 12, 1997. The call stipulated that the AES must specify an unclassified, publicly disclosed encryption algorithm(s), available royalty-free, worldwide. In addition, the algorithm(s) would implement symmetric key cryptography as a block cipher and (at a minimum) support a block size of 128 bits and key sizes of 128, 192, and 256 bits.

On August 20, 1998, NIST announced its acceptance of fifteen AES candidate algorithms at the First AES Candidate Conference (AES1). These algorithms had been submitted by members of the cryptographic community from around the world. At that conference and in a published Federal Register notice, NIST solicited public comments on the candidates. A Second AES Candidate Conference (AES2) was held in March 1999 to discuss the results of the analysis conducted by the global cryptographic community on the candidate algorithms. The public comment period on the initial review of the algorithms closed on April 15, 1999.

Evaluation Criteria

In the call for candidate algorithms, NIST specified the evaluation criteria that would be used to compare the candidate algorithms. These criteria were developed from public comments on the proposed criteria and from the discussions at a public AES workshop held on April 15, 1997, at NIST. The evaluation criteria are divided into three major categories: Security, Cost, and Algorithm and Implementation Characteristics.

Security is the most important factor in the evaluation. Security encompasses features such as resistance of the algorithm to cryptanalysis, soundness of its mathematical basis, randomness of the algorithm output, and relative security as compared to other candidates.

Cost is a second important area of evaluation that encompasses licensing requirements, computational efficiency (speed) on various platforms, and memory requirements. Since one of NIST's goals is that the final AES algorithm(s) be available worldwide on a royalty-free basis, intellectual property claims and potential conflicts must be considered in the selection process. The speed of the algorithms on a variety of platforms must also be considered. During Round 1, the focus was primarily on the speed associated with 128-bit keys. Additionally, memory requirements and constraints for software implementations of the candidates are important considerations.

The third area of evaluation is algorithm and implementation characteristics such as flexibility, hardware and software suitability, and algorithm simplicity. Flexibility includes the ability of an algorithm:

■ to handle key and block sizes beyond the minimum that must be supported,
■ to be implemented securely and efficiently in many different types of environments, and
■ to be implemented as a stream cipher, hashing algorithm, and to provide additional cryptographic services.

It must be feasible to implement an algorithm in both hardware and software, and efficient firmware implementations are advantageous. The relative simplicity of an algorithm's design is also an evaluation factor.

Results from Round 1

The Round 1 public review extended from the official announcement of the fifteen AES candidates on August 20, 1998, at AES1 until the official close of the comment period on April 15, 1999. During Round 1, many members of the global cryptographic community supported the AES development effort by analyzing and testing the fifteen AES candidates.

NIST facilitated and focused the discussion of the candidate algorithms by providing an electronic discussion forum that was used to comment on the candidates, discuss relevant AES issues, inform the public of new analysis results, etc. This discussion forum is located at http://aes.nist.gov. The AES home page, http://www.nist.gov/aes, has served as a tool to disseminate information such as papers for AES2 and other Round 1 public comments.

Twenty-eight papers were submitted to NIST for consideration for AES2. Twenty-one of those papers were presented at AES2 as part of the formal program, and several of the remaining seven were also presented during an informal session at that conference. All of the submitted papers were posted on the AES home page several weeks prior to AES2 in order to promote informed discussions at the conference.

AES2 gave members of the global cryptographic community a chance to present and discuss the analysis that had been performed on the AES candidates during Round 1, as well as other important topics relevant to the AES development effort. In addition to the AES2 papers, NIST received fifty-six sets of public comments on the candidate algorithms during Round 1. All of these comments were made publicly available on the AES home page on April 19, 1999.

NIST performed an analysis of mathematically optimized ANSI C and Java™ implementations* of the candidate algorithms that were provided by the submitters prior to the beginning of Round 1. Additionally, NIST performed extensive statistical testing on all of the candidates. The testing of ANSI C implementations focused on the speed of all fifteen candidates on various desktop systems, using different combinations of processors, operating systems, and compilers. The submitters' Java™ code was tested for speed and memory usage on a desktop system, and other features of the code were measured as well. Statistical testing was performed on all fifteen candidates to determine if the algorithms generate output that is statistically indistinguishable from truly random data. Testing results are available on the AES home page.

* Certain commercial equipment, instruments or materials are identified in this paper to foster understanding. Such identification does not imply recommendation or endorsement by the National Institute of Standards and Technology, nor does it imply that the materials or the equipment identified are necessarily the best available for the purpose.

Selection Process Prior to Round 2

At the conclusion of the Round 1 public review, NIST established an AES technical review team to recommend algorithms for Round 2 evaluations. The team was composed of NIST employees who had been engaged in reviewing the algorithms, reviewing the public comments on the candidates, selecting papers for AES2, conducting NIST's efficiency and randomness testing, attending and presenting information at the AES conferences, and managing the AES development process. The team met several times over the course of two months to develop their consensus position.

During the evaluation process, the NIST team considered all comments, papers, verbal comments at conferences, NIST studies, reports, and proposed modifications. The team discussed each candidate relative to the announced evaluation criteria and other pertinent criteria suggested during the public analysis.
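Two of the criteria described above are concrete enough to exercise in code: the flexibility requirement that a candidate block cipher also serve as a stream cipher and as a hashing algorithm, and the randomness requirement that NIST's statistical testing checked. The Python below is an added example written for this bulletin's readers; it is not NIST's test code and not any candidate's reference implementation. A deliberately insecure four-round Feistel network with SHA-256 as its round function stands in for a 128-bit block cipher so that the example runs offline; it accepts only the 128-, 192- and 256-bit key sizes the call required. On top of it the example builds counter-mode keystream generation (the stream-cipher use) and a Merkle-Damgård hash with the Davies-Meyer compression function (the hashing use), then runs two tests of the kind used for randomness checking, the frequency (monobit) and runs tests later specified in NIST SP 800-22, over the keystream. The key, nonce and sample inputs are constructed for the example, and the real test suite contains many more tests than the two shown.

```python
import hashlib
import math

BLOCK_BYTES = 16           # the AES call required a 128-bit block size ...
KEY_SIZES = (16, 24, 32)   # ... and 128-, 192- and 256-bit keys
ROUNDS = 4


def _round_keys(key):
    """One 32-byte round key per round; reject key sizes the AES call did not ask for."""
    if len(key) not in KEY_SIZES:
        raise ValueError("key must be 128, 192 or 256 bits")
    return [hashlib.sha256(key + bytes([r])).digest() for r in range(ROUNDS)]


def _f(round_key, half):
    """Feistel round function: first 8 bytes of SHA-256(round_key || half)."""
    return hashlib.sha256(round_key + half).digest()[:8]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key, block):
    """Stand-in 128-bit block cipher: a 4-round Feistel network (assumed for the
    example). It is NOT secure and NOT an AES candidate; it only has the interface."""
    if len(block) != BLOCK_BYTES:
        raise ValueError("block must be 128 bits")
    left, right = block[:8], block[8:]
    for rk in _round_keys(key):
        left, right = right, _xor(left, _f(rk, right))
    return left + right


def decrypt_block(key, block):
    """Inverse of encrypt_block: the same round keys, applied in reverse order."""
    if len(block) != BLOCK_BYTES:
        raise ValueError("block must be 128 bits")
    left, right = block[:8], block[8:]
    for rk in reversed(_round_keys(key)):
        left, right = _xor(right, _f(rk, left)), left
    return left + right


def ctr_keystream(key, nonce, nbytes):
    """Block cipher as stream cipher: keystream = E_K(nonce || 0), E_K(nonce || 1), ..."""
    if len(nonce) != 8:
        raise ValueError("nonce must be 64 bits")
    out = bytearray()
    for counter in range((nbytes + BLOCK_BYTES - 1) // BLOCK_BYTES):
        out += encrypt_block(key, nonce + counter.to_bytes(8, "big"))
    return bytes(out[:nbytes])


def ctr_crypt(key, nonce, data):
    """Encryption and decryption are the same operation: XOR with the keystream."""
    return _xor(data, ctr_keystream(key, nonce, len(data)))


def davies_meyer_hash(data):
    """Block cipher as hash: Merkle-Damgard chaining with the Davies-Meyer
    compression function H_i = E_{M_i}(H_{i-1}) XOR H_{i-1}, where each
    128-bit message block is used as the cipher key."""
    padded = data + b"\x80"
    padded += b"\x00" * ((-len(padded) - 8) % BLOCK_BYTES)
    padded += (8 * len(data)).to_bytes(8, "big")   # length strengthening
    h = bytes(BLOCK_BYTES)                           # fixed all-zero IV
    for i in range(0, len(padded), BLOCK_BYTES):
        h = _xor(encrypt_block(padded[i:i + BLOCK_BYTES], h), h)
    return h


def _bits(data):
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def monobit_p(data):
    """Frequency (monobit) test: p-value for ones and zeros being balanced."""
    bits = _bits(data)
    s = sum(2 * b - 1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(len(bits)) / math.sqrt(2))


def runs_p(data):
    """Runs test: p-value for the number of runs of identical bits being as expected."""
    bits = _bits(data)
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0                                   # frequency prerequisite failed
    runs = 1 + sum(1 for i in range(n - 1) if bits[i] != bits[i + 1])
    expected = 2 * n * pi * (1 - pi)
    return math.erfc(abs(runs - expected) / (2 * math.sqrt(2 * n) * pi * (1 - pi)))


def looks_random(data, alpha=0.01):
    """Accept a sample only if every test clears the conventional 0.01 significance level."""
    return monobit_p(data) >= alpha and runs_p(data) >= alpha


if __name__ == "__main__":
    key, nonce = bytes(range(32)), bytes(8)          # constructed 256-bit key and zero nonce
    sample = ctr_keystream(key, nonce, 1000)         # 8000 bits of stand-in keystream
    print("keystream:", monobit_p(sample), runs_p(sample), looks_random(sample))
    print("0x0F bytes:", monobit_p(b"\x0f" * 1000), runs_p(b"\x0f" * 1000))
    print("hash:", davies_meyer_hash(b"AES status report").hex())
```

The repeated 0x0F byte is the instructive input: it is perfectly balanced, so the frequency test gives a p-value of exactly 1.0, yet its runs are all of length four and the runs test rejects it outright. Passing one statistical test says nothing about the next, which is why NIST ran a battery rather than a single test. The Davies-Meyer construction also shows why the flexibility criterion matters: a candidate whose key schedule is slow relative to a block encryption pays that cost on every 128-bit message block when used as a hash.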
The review of each algorithm included a methodical evaluation of the following factors:

■ security (including any known attacks or weaknesses),
■ efficiency (both speed and memory usage),
■ flexibility (implementation on low- and high-end smart cards; support of additional key and block sizes, including whether the reference code actually supported the additional key sizes; suitability for use as a pseudo-random number generator, hashing algorithm, etc.; and whether or not encryption and decryption were the same procedure),
■ algorithm simplicity, and
■ other issues that were discussed in the received public comments.

Although it was considered, the team readily agreed that it was not possible to conduct a quantitatively based selection of the finalists. For example, comments were not received regarding the security analysis of some candidates, whereas other algorithms were reported as "broken." Since security is considered the most important evaluation criterion, the AES review team made a first cut of the candidates based on security, then proceeded with the other selection criteria. This evaluation process resulted in the team's selection of five candidates with superior characteristics as finalists for Round 2 evaluation.

It is important to note that the selection of an algorithm as a finalist does not constitute endorsement by NIST of the algorithm or its security. Similarly, the non-selection of an algorithm is not necessarily to be taken as a statement about the algorithm's quality, security, efficiency, or other characteristics.

Round 2 AES Finalists

Using the analyses and comments received, NIST selected five finalist algorithms: MARS, RC6™, Rijndael, Serpent, and Twofish. No significant security vulnerabilities were found for these candidates during the Round 1 analysis, and each of these algorithms constitutes potentially superior technology. Below is a summary of each of the finalist candidates in alphabetical order. Profiles and overall assessments for all fifteen Round 1 candidates can be found in the NIST Round 1 Report (from which this summary is extracted), which is available on the AES home page.

MARS incorporates its "cryptographic core" into an innovative, heterogeneous overall structure. It also features a variety of operations, including the technique of rotating digits by a varying number of places that is determined by both the data and the secret key. Consequently, while MARS performs well in general, it performs particularly well on computer platforms that support its rotation and multiplication operations efficiently. NIST accepted a modification to MARS for Round 2 (proposed by the submitter) that should improve its ability and flexibility to function in some memory-constrained environments, such as low-end smart cards. MARS was submitted to the AES development effort by the International Business Machines Corporation.

RC6 is an algorithm that is simple enough to memorize and should be easy to implement compactly in both software and hardware. Its simplicity also should facilitate its further security analysis in Round 2, which is assisted by the analysis of its predecessor, RC5. RC6 does not use substitution tables; instead, the principal engine for its security is the technique of rotating digits by a varying number of places that is determined by the data. In general, RC6 is fast, and it is particularly fast on platforms that support its rotation and multiplication operations efficiently; its key setup is also fast. RC6 was submitted to the AES development effort by RSA Laboratories.

Rijndael performs excellently across all considered platforms. Its key setup is fast and its memory requirements are low, so it also should perform well in hardware and in memory-constrained environments. The straightforward design and the conservative choice of operations should facilitate its further analysis, and the operations should be relatively easy to defend against certain attacks on physical implementations. Even though parallel processing was not considered during the Round 1 selection process by the AES review team, Rijndael has the potential of benefiting from advances in computer processors that allow many instructions to be executed in parallel. Rijndael was submitted to the AES development effort by Joan Daemen and Vincent Rijmen.

Serpent is ultra-conservative in its security margin; the designers chose to use twice as many iterations as they believed secure against currently known attacks. Consequently, Serpent's performance is relatively slow compared to the other four finalists. In some settings, however, this should be mitigated by the efficiency of optimized implementations using what the submitters call the "bitslice" mode, for which the algorithm was specially designed. Serpent should fit well in hardware (with potential tradeoffs of speed versus space) and in memory-constrained environments. The straightforward design and the conservative choice of operations should facilitate further analysis of this candidate, and the operations should be easy to defend against certain attacks on physical implementations. Serpent was submitted to the AES development effort by Ross Anderson, Eli Biham, and Lars Knudsen.

Twofish exhibits fast and versatile performance across most platforms; it also should perform well both in hardware and in memory-constrained environments. It features variable substitution "tables" that depend on the secret key. The submitters believe that such tables generally offer greater security than tables with fixed values. The possibility of pre-computing these tables to varying degrees helps Twofish offer a wide variety of performance tradeoffs. Depending on the setting, Twofish can be optimized for speed, key setup, memory, code size in software, or space in hardware. Twofish was submitted to the AES development effort by Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson.

Next Steps

With the announcement of the finalists, NIST formally opens the "Round 2" public evaluation process and solicits comments on the remaining algorithms through May 15, 2000. Comments can be submitted via the AES home page. NIST actively seeks comments and analysis on any aspect of the candidate algorithms, including but not limited to the following topics:

■ cryptanalysis,
■ intellectual property,
■ crosscutting analyses of all of the AES finalists,
■ selection and use of multiple AES algorithms,
■ overall recommendations, and
■ implementation issues.

NIST is providing an opportunity for the sponsors of the AES finalists to revise the ANSI C and Java™ implementations of their algorithms. NIST intends to make these implementations available (via CD-ROM) within two months of the beginning of Round 2.

Near the end of Round 2, NIST will sponsor the Third AES Candidate Conference (AES3), an open, public forum for discussion of the analyses of the AES finalists. Submitters of the AES finalists will be invited to attend and engage in discussions regarding comments on their algorithms. AES3 will be held April 13-14, 2000, in New York, New York. Registration and logistical information will be posted on the AES home page. Proposed papers for this conference are due to NIST by January 15, 2000.

Following the close of the Round 2 public analysis period on May 15, 2000, NIST intends to study all available information and propose the AES, which will incorporate one or more AES algorithms selected from the finalists. The AES will be announced as a proposed Federal Information Processing Standard (FIPS) that will be published for public review and comment. Following the comment period, the standard will be revised, as appropriate, by NIST in response to those comments. A review, approval, and promulgation process will then follow. If all steps of the AES development process proceed as planned, it is anticipated that the standard will be completed by the summer of 2001.