[Federal Register: September 15, 1999 (Volume 64, Number 178)]
[Notices]
[Page 50058-50061]
From the Federal Register online via GPO Access [wais.access.gpo.gov]
[DOCID:fr15se99-50]


DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
[Docket No. 970725180-9196-03]
RIN No. 0693-ZA16

Request for Comments on the Finalist (Round 2) Candidate Algorithms for the Advanced Encryption Standard (AES)

AGENCY: National Institute of Standards and Technology (NIST), Commerce.

ACTION:  Notice; Request for comments.


SUMMARY:  A process to develop a Federal Information Processing Standard (FIPS) for an Advanced Encryption Standard (AES) specifying an Advanced Encryption Algorithm (AEA) has been initiated by the National Institute of Standards and Technology (NIST). In the Fall of 1998, NIST announced fifteen publicly submitted algorithms as candidates for the AES, and invited public review, comment, and analysis in order to narrow the field of candidates to (approximately) five or fewer finalists. During the Round 1 technical evaluation period, these fifteen candidates were subjected to extensive analysis and testing by the cryptographic community.

At the conclusion of Round 1, NIST took the following information into consideration: (1) The submitted (official) versions of the AES candidate algorithms, (2) Round 1 public comments, (3) papers and discussions at the Second AES Candidate Conference, (4) results of NIST efficiency and statistical analysis, and (5) other relevant data (e.g., presentations at the Sixth Fast Software Encryption Workshop, discussions on NIST's AES Electronic Discussion Forum, etc.). Using this information, NIST has selected the AES finalist candidate algorithms ("finalists"), which will be subjected to further analysis during Round 2 of the AES development effort. A list of the finalists, along with specifications and intellectual property information, is available at the AES home page.

This notice announces the beginning of the Round 2 technical evaluation period for the AES finalists. Additionally, the notice solicits comments on the finalists from the general public, academic and research communities, manufacturers, voluntary standards organizations, and Federal, state, and local government organizations. NIST will use these comments to select one or more of the finalists for inclusion in a draft Federal Information Processing Standards Publication (FIPS PUB), on which public comments will be invited via a future Federal Register announcement.

NIST's goal is that the AES will specify one or more unclassified, publicly disclosed encryption algorithm(s) available royalty-free worldwide that is (are) capable of protecting sensitive government information well into the next century.

DATES: Public comments for Round 2 are due May 15, 2000. Paper proposals for the Third AES Candidate Conference (which are also considered as public comments) are due to NIST by January 15, 2000. The Third AES Candidate Conference (AES3) is scheduled for April 13-14, 2000.

ADDRESS: Comments and paper proposals should be sent electronically to AESround2@nist.gov. Alternatively, they may be sent to:

AES-related comments received in response to this notice will be made part of the public record. Papers proposed for presentation at AES3 will be posted on the AES home page prior to the beginning of AES3. All additional Round 2 comments will be made available at the AES home page shortly after the Round 2 comment period closes.

FOR FURTHER INFORMATION CONTACT:  The AES home page has all current NIST information pertaining to the AES development effort. Recent results and ongoing discussions regarding the finalists and AES-related issues take place at the AES Electronic Discussion Forum.

General questions may be directed to Edward Roback at (301) 975-3696.

Technical questions and questions may be made by contacting Jim Foti at (301) 975-5237, or Elaine Barker at (301) 975-2911.

Algorithm-specific questions should be directed to the algorithm's submitter. Contact information for the submitters is located on the AES home page.

SUPPLEMENTARY INFORMATION:

1. AES Finalist Candidate Algorithms

NIST has selected the AES finalists for Round 2. The list of finalists, along with their specifications and intellectual property statements, is available electronically at the AES home page. At that same location, NIST is also making available a document that presents the rationale for NIST's selection of the finalists.

The Round 1 candidate algorithms that were not selected for Round 2 are no longer part of the AES development effort, and therefore will not be selected for inclusion in the AES FIPS. Those algorithms (including the specifications and reference and optimized code) may or may not be in the public domain (this includes using the code for testing and research purposes), so algorithm implementers, users, and others should be aware of the intellectual property status of each individual algorithm. When the algorithms were initially submitted before the start of Round 1, each submitter signed an intellectual property statement, part of which states that "* * * If my algorithm * * * is not selected for inclusion in the FIPS (including those not selected for second round of public evaluation), I understand that all rights, including use rights of the reference and mathematically optimized implementations, revert back to the submitter (and other owner[s] as appropriate)."

Please note that the selection of an algorithm as a finalist does not constitute endorsement by NIST of the algorithm or its security. Similarly, the non-selection of an algorithm is not necessarily to be taken as a statement about the algorithm's quality, security, efficiency, or other characteristics. Algorithms selected as finalists were determined to be more suitable for the proposed FIPS. For specific details on an algorithm and its particular security characteristics, one should consult the various Round 1 public comments that were submitted to NIST.

Although no formal process has been established to address minor modifications of the finalists that may become necessary, NIST reserves the right to work with the submitters of the finalists regarding any such modifications. NIST intends to do this in the most open and public manner possible. This is consistent with the statement made in the original call for candidate algorithms, to which all submitters agreed that " * * * the U.S. Government may, during the course of the lifetime of the AES or during the FIPS public review process, modify the algorithm's specifications (e.g., to protect against a newly discovered vulnerability)."

2. Availability of AES CD-3

All persons with AES CD-1 and CD-2 should be aware of potential intellectual property issues with implementing and using algorithms on those CDs, especially for those algorithms that were not selected for Round 2. Please see the note in Section 1, above.

In addition to making specifications available on the AES home page, during Round 2 NIST will make a CD-ROM available (to be designated "AES CD-3") which contains the algorithm specifications, supporting documentation, and submitted code for the AES finalists. It is anticipated that this code will be different from the code provided before the start of Round 1 (e.g., updated to be more efficient, additional code for various platforms, etc.). The submitters of the AES finalists are being given one month from the start of Round 2 to provide NIST with any updated code.

AES CD-3 should be available approximately 2-3 months after the beginning of Round 2. When it is ready for distribution, NIST will re-activate the AES CD Request Form. To those people in the U.S. and Canada who received AES CD-2, NIST will automatically send a copy of AES CD-3. So, for those people, there will be no need to provide NIST with an additional CD-ROM request.

Since AES CD-3 will contain algorithm code, it will be subject to export control, and NIST will handle export requests appropriately. For those people outside of the U.S. and Canada who received AES CD-2 (for whom an export license was granted), AES CD-3 will automatically be distributed only after their copy of AES CD-2 is returned to NIST, as required by the conditions of the original export license. Information on where to send AES CD-2 is posted on the AES CD Request Form mentioned above.

3. Comments Solicited on the AES Finalists

Written comments on the finalists are solicited by NIST in this Round 2 technical evaluation in order to help NIST select one or more algorithms for specification in a draft AES FIPS. To facilitate review of the comments, NIST asks the submitters of comments to clearly indicate the algorithm(s) to which their comments apply. Also, as guidance to comment submitters, the original Evaluation Criteria published on September 12, 1997 are reproduced in Section 4 below.

NIST will accept both general comments and formal analyses/papers that will be considered for presentation at the Third AES Candidate Conference (see Section 5 below).

Since submitted comments will be made available to the public, the comments must not contain proprietary information.

Comments and analysis are sought on any aspect of the candidate algorithms, including - but not limited to - the following topics.

3.1 Cryptanalysis

Since security will be the most important characteristic of the selected algorithm(s), NIST strongly encourages and welcomes cryptanalysis of the finalists.

3.2 Intellectual Property of the AES Finalists

NIST seeks detailed comments regarding any intellectual property - particularly any patent not already identified by the finalists' submitters - that may be infringed by the practice of any of the finalist algorithms. This also includes comments from all parties - including submitters - regarding specific claims that the practice of a finalist algorithm infringes on their patent(s). Claims regarding infringement of copyrighted software are also particularly solicited. NIST views this input as a critical factor in the eventual widespread adoption and implementation of the algorithm(s) specified in the FIPS.

NIST reminds all interested parties that the adoption of AES is being conducted as an open standards-setting activity. Specifically, NIST has requested that all interested parties identify to NIST any patents or inventions that may be required for the use of AES. NIST hereby gives public notice that it may seek redress under the antitrust laws of the United States against any party in the future who might seek to exercise patent rights against any user of AES that have not been disclosed to NIST in response to this request for information.

3.3 Cross-cutting Analyses of All of the AES Finalists

Public analysis comparing the entire field of finalists in a consistent manner for particular characteristics will be very useful. Examples of this type of analysis might include comparisons of the finalists regarding: 1) performance on various smart cards, when the implementations are constructed to defend against timing and power analysis attacks, 2) performance and/or memory use measurements, when written in the same programming language, 3) relative performance on 64-bit processors, 4) performance of assembly language implementations on various platforms, and 5) performance of hardware implementations or simulations.

Additionally, surveys, analyses, and comments are invited regarding prospective future platforms and applications that will implement the AES FIPS algorithm(s).

During Round 2, NIST may take into consideration the issue of having "variable rounds" in the AES finalists. Therefore, NIST invites comments on how NIST should address the "variable rounds" issue during and after Round 2.

3.4 Overall Recommendations Regarding the Selection of the Algorithm(s) for the Proposed FIPS.

When all factors are considered, which candidate algorithm(s) should be selected for inclusion in the FIPS? Also, conversely, NIST seeks the identification and justification of which algorithms should not be selected by NIST. Such comments (with supporting justifications) will be of great use to NIST and help assure timely progress of the AES selection process.

3.5 Related Recommendations Regarding Implementation of the AES FIPS.

In addition to selecting the algorithm(s) to be included in the proposed FIPS, issues regarding the implementation requirements of the standard will also need to be addressed. Therefore, NIST is seeking comments (with rationale) on what requirements should be included in the FIPS. For example, if NIST selects multiple algorithms for inclusion in the proposed FIPS, should the standard require that products conforming to the FIPS implement 1) one algorithm, 2) two (or more) algorithms, 3) all algorithms, or 4) a varying number of algorithms, depending on the type of implementation (e.g., require all algorithms in software implementations, only one in hardware implementations, etc.)?

Also, upon final publication as a FIPS, NIST intends to provide validation testing for implementations of the AES algorithm(s), as it does with other FIPS-approved cryptographic algorithms. Comments pertaining to such validation testing are also welcome.

4. Evaluation Criteria

In the call for AES candidate algorithms (Federal Register, September 12, 1997 [Volume 62, Number 177], pages 48051-48058), NIST published evaluation criteria for use in reviewing candidate algorithms. For reference purposes, these criteria are reproduced below:

[Beginning of Excerpt]

[End of excerpt]

5. Initial Planning for the Third AES Candidate Conference (AES3)

Near the end of Round 2, NIST will sponsor the Third AES Candidate Conference (AES3) - another open, public forum that will be used to discuss analyses of the AES finalists. Additionally, submitters of the AES finalists will be invited to attend and engage in discussions regarding comments on their algorithms.

AES3 will be held April 13-14, 2000, at the Hilton New York and Towers, in New York City. The AES home page contains registration and logistical information, in addition to information on other nearby hotels. As for AES2 (March 22-23, 1999), AES3 will be held during the same week and at the same location as the Fast Software Encryption (FSE) Workshop.

Paper submissions for AES3 should be sent to AESround2@nist.gov as an official comment, with a note indicating that the paper is being submitted for AES3. The deadline for AES3 submissions is January 15, 2000. All papers must be submitted in one of the following formats: Adobe PDF, Postscript, Rich Text Format (RTF), or Microsoft Word97. (For Adobe PDF and Postscript submissions, please embed all necessary fonts within the document.) All papers received for AES3 - regardless of their acceptance for presentation at AES3 - will be made available on the AES home page prior to the conference.

Appreciation

NIST extends its appreciation to all AES candidate algorithm submitters - both those submitters whose algorithms did and did not qualify for Round 2 - and those people providing public comments during the AES development process.

Dated: September 9, 1999.

/s/

Karen Brown
Deputy Director, NIST

[FR Doc. 99-24014 Filed 9-14-99; 8:45 am]
BILLING CODE 3510-CN-M


Last Modified: January 26, 2001


Technical contact: Morris Dworkin
Administrative/process questions: Elaine Barker, Bill Burr