[Federal Register Volume 63, Number 177 (Monday, September 14, 1998)]
[Notices]
[Pages 49091-49093]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 98-24560]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
[Docket No. 970725180-8168-02]
RIN 0693-ZA16
Request for Comments on Candidate Algorithms for the Advanced
Encryption Standard (AES)
AGENCY: National Institute of Standards and Technology (NIST),
Commerce.
ACTION: Notice; Request for comments.
-----------------------------------------------------------------------
SUMMARY: A process to develop a Federal Information Processing Standard
(FIPS) for Advanced Encryption Standard (AES) specifying an Advanced
Encryption Algorithm (AEA) has been initiated by the National Institute
of Standards and Technology (NIST). Earlier this year, candidate
algorithms were nominated to NIST for consideration for inclusion in
the AES. Those candidate algorithms meeting the minimum acceptability
criteria have been announced by NIST and are available electronically
at the address listed below.
This notice solicits comments on the candidate algorithms from the
public, and academic and research communities, manufacturers, voluntary
standards organizations, and Federal, state, and local government
organizations. These comments will
[[Page 49092]]
assist NIST in narrowing the field of AES candidates to five or fewer
for more detailed examination.
It is intended that the AES will specify an unclassified, publicly
disclosed encryption algorithm available royalty-free worldwide that is
capable of protecting sensitive government information well into the
next century.
DATES: Public comments are due April 15, 1999.
Authors who wish to be considered to be invited to brief their
papers at the Second AES Candidate Conference must submit their papers
by February 1, 1999.
ADDRESSES: Comments on the candidate algorithms should be sent to
Information Technology Laboratory, Attn: AES Candidate Comments,
Building 820, Room 562, National Institute of Standards and Technology,
Gaithersburg, MD 20899.
Comments may also be sent electronically to [email protected]
Specifications of the candidate algorithms are available
electronically at http://csrc.nist.gov/encryption/aes/aes__home.htm
as is information on how to obtain software implementations of the
candidate algorithms (for evaluation and analysis purposes) and
information on the Second AES Candidate Conference.
Comments received in response to this notice will be made part of
the public record and will be made available for inspection and copying
in the Central Records and Reference Inspection Facility, Room 6020,
Herbert C. Hoover Building, 14th Street between Pennsylvania and
Constitution Avenues, NW, Washington, DC, 20230.
Electronic comments received by NIST will be made available
electronically at http://csrc.nist.gov/encryption/aes/aes__home.htm.
FOR FURTHER INFORMATION CONTACT:
For general information, contact: Edward Roback, National Institute of
Standards and Technology, Building 820, Room 426, Gaithersburg, MD
20899; telephone 301-975-3696 or via fax at 301-948-1233.
Technical questions may be made by contacting either Miles Smid at
(301) 975-2938, or Jim Foti at (301) 975-5237.
SUPPLEMENTARY INFORMATION:
I. Availability of AES Candidate Algorithm Specifications/
Implementations
Specifications of the candidate algorithms are available
electronically at http://csrc.nist.gov/encryption/aes/aes__home.htm.
That site also contains information on ordering two CDROMs containing
the AES candidate-related information. The first CDROM contains the
same descriptions of the algorithm candidates available on the web
site. The second CDROM contains the ANSI C and Java(TM)
referenced and optimized implementations which are available for
algorithm testing purposes.
The second CDROM (candidate algorithm implementations) is subject
to U.S. export controls for destinations outside the U.S. and Canada.
Information is available on the web site regarding how interested
parties outside the U.S. and Canada can obtain a copy of the second
CDROM.
Note that, with a few exceptions, the submitters of candidate
algorithms have only made their candidate algorithms publicly available
for AES testing and evaluation purposes. Unless otherwise specified by
the submitter, these algorithms are protected and may not be otherwise
used (e.g., in commercial or non-commercial products).
II. Comments Solicited on AES Candidate Algorithms
Written comments on the candidate algorithms are solicited by NIST
in this ``Round 1'' technical evaluation in order to help NIST reduce
the field of AES candidates to five or fewer for the ``Round 2''
technical analysis. It is envisioned that this narrowing will primarily
be based on security, efficiency, and intellectual property
considerations. Comments are specifically sought on: (1) specific
security, efficiency, intellectual property, and other aspects of
individual AES candidate algorithms; and, (2) cross-cutting analyses of
all candidates. As discussed below, NIST particularly would appreciate
receiving recommendations (with supporting justification) for the
specific five (or fewer) algorithms which should be considered for
Round 2 analysis. To facilitate review of the comments, it would be
useful if those submitting comments would clearly indicate the
particular algorithm(s) to which their comments apply.
NIST will accept both: 1) general comments; and, 2) formal
analysis/papers which will be considered for presentation at the
``Second AES Candidate Conference.''
Since comments submitted will be made available to the public, they
must not contain proprietary information.
Comments and analysis are sought on any aspect of the candidate
algorithms, including, but not limited to:
1. Comments on Candidate Algorithms Based Upon AES Evaluation Criteria
In the call for AES candidate algorithms (Federal Register,
September 12, 1997 [Volume 62, Number 177], pages 48051-48058), NIST
published evaluation criteria for use in reviewing candidate
algorithms. For reference purposes, these are reproduced below.
Comments are sought on the candidate algorithms and all aspects of the
evaluation criteria.
Evaluation Criteria (as published September 12, 1997).
Security (i.e., the effort required to cryptanalyze):
The security provided by an algorithm is the most important
factor in the evaluation.
Algorithms will be judged on the following factors:
i. Actual security of the algorithm compared to other submitted
algorithms (at the same key and block size).
ii. The extent to which the algorithm output is
indistinguishable from a random permutation on the input block.
iii. Soundness of the mathematical basis for the algorithm's
security.
iv. Other security factors raised by the public during the
evaluation process, including any attacks which demonstrate that the
actual security of the algorithm is less than the strength claimed
by the submitter.
Claimed attacks will be evaluated for practicality.
Cost
i. Licensing requirements: NIST intends that when the AES is
issued, the algorithm(s) specified in the AES shall be available on
a worldwide, non-exclusive, royalty-free basis.
ii. Computational efficiency: The evaluation of computational
efficiency will be applicable to both hardware and software
implementations. Round 1 analysis by NIST will focus primarily on
software implementations and specifically on one key-block size
combination (128-128); more attention will be paid to hardware
implementations and other supported key-block size combinations
(particularly those required in the Minimum Acceptability
Requirement section) during Round 2 analysis.
Computational efficiency essentially refers to the speed of the
algorithm. NIST's analysis of computational efficiency will be made
using each submission's mathematically optimized implementations on
the platform specified under Round 1 Technical Evaluation below.
Public comments on each algorithm's efficiency (particularly for
various platforms and applications) will also be taken into
consideration by NIST.
iii. Memory requirements: The memory required to implement a
candidate algorithm--for both hardware and software implementations
of the algorithm--will also be considered during the evaluation
process. Round 1 analysis by NIST will focus primarily on software
implementations; more attention will be paid to hardware
implementations during Round 2.
Memory requirements will include such factors as gate counts for
hardware
[[Page 49093]]
implementations, and code size and RAM requirements for software
implementations.
Testing will be performed by NIST using the mathematically
optimized implementations provided in the submission package. Memory
requirement estimates (for different platforms and environments)
that are included in the submission package will also be taken into
consideration by NIST. Input from public evaluations of each
algorithm's memory requirements (particularly for various platforms
and applications) will also be taken into consideration by NIST.
Algorithm and Implementation Characteristics
i. Flexibility: Candidate algorithms with greater flexibility
will meet the needs of more users than less flexible ones, and
therefore, inter alia, are preferable. However, some extremes of
functionality are of little practical application (e.g., extremely
short key lengths)--for those cases, preference will not be given.
Some examples of ``flexibility'' may include (but are not
limited to) the following:
a. The algorithm can accommodate additional key- and block-sizes
(e.g., 64-bit block sizes, key sizes other than those specified in
the Minimum Acceptability Requirements section, [e.g., keys between
128 and 256 that are multiples of 32 bits, etc.])
b. The algorithm can be implemented securely and efficiently in
a wide variety of platforms and applications (e.g., 8-bit
processors, ATM networks, voice & satellite communications, HDTV,
B-ISDN, etc.).
c. The algorithm can be implemented as a stream cipher, Message
Authentication Code (MAC) generator, pseudo-random number generator,
hashing algorithm, etc.
ii. Hardware and software suitability: A candidate algorithm
shall not be restrictive in the sense that it can only be
implemented in hardware. If one can also implement the algorithm
efficiently in firmware, then this will be an advantage in the area
of flexibility.
iii. Simplicity: A candidate algorithm shall be judged according
to relative simplicity of design.
2. Intellectual Property
Comments are also sought specifically regarding any patents
(particularly any not otherwise identified by the submitter of each
candidate) that may be infringed by the practice of each nominated
candidate algorithm.
3. Cross-Cutting Analyses
Analysis comparing the entire field of candidates in a consistent
manner for particular characteristics would be useful. Examples of this
type of analysis might include: (1) Comparisons of implementations of
all algorithms written in the same programming language for memory use,
timings for encryption/decryption/key setup/key change, and so forth;
(2) comparisons of all algorithms against a particular cryptologic
attack; or (3) comparison of all algorithms for infringement against a
particular patent.
4. Overall Recommendations
When all factors are considered, which candidate algorithms should
be selected for the next round of evaluation and why? (Since NIST
intends to select five or fewer algorithms for Round 2, it would be
useful to identify five or fewer in this regard.) Also, conversely,
identification and justification of which algorithms should NOT be
selected for the next round of evaluation. Such comments (with
supporting justifications) will be of great use to NIST and help assure
timely progress of the AES selection process.
III. Initial Planning for the Second AES Candidate Conference
An open public conference is being planned for the spring of 1999
to discuss analyses of the candidate algorithms. Those individuals who
have submitted particularly insightful and useful comments may be
invited by NIST to present their papers at the conference. Panels may
also be organized around individual algorithms or cross-cutting
analysis topics. Also, submitters of candidate algorithms will be
invited to attend and engage in discussions responding to comments
regarding their candidates. Because of the anticipated volume of
comments, not all authors of comments can be invited to participate on
the official program. At the conference, NIST intends to provide a
briefing of the results of its efficiency testing of the candidate
algorithm implementations, along with any other testing it may have
completed.
In order to allow for timely conference preparation, authors who
wish to be considered on the official program of the Second AES
Candidate Conference must have their papers submitted to NIST by
February 1, 1999. (They are to be sent to the same address as the
general comments but should also be annotated as ``conference paper
candidate.'' They will automatically be entered into the public record
of AES candidate comments.)
As details and registration procedures are finalized, they will be
posted to http://csrc.nist.gov/encryption/aes/aes__home.htm.
IV. General AES Development Information
For information regarding NIST's plans to test the candidate
algorithms, the overall AES selection process, and the call for
candidate algorithms, see NIST's notice in the Federal Register,
September 12, 1997 (Volume 62, Number 177), pages 48051-48058,
``Announcing Request for Candidate Algorithm Nominations for the
Advanced Encryption Standard (AES).''
Appreciation
NIST extends its appreciation to all submitters and those parties
providing public comments during the AES development process.
Dated: September 4, 1998.
Robert E. Hebner,
Acting Deputy Director.
[FR Doc. 98-24560 Filed 9-11-98; 8:45 am]
BILLING CODE 3510-CN-M