99-24014. Request for Comments on the Finalist (Round 2) Candidate Algorithms for the Advanced Encryption Standard (AES)  

  • [Federal Register Volume 64, Number 178 (Wednesday, September 15, 1999)]
    [Notices]
    [Pages 50058-50061]
    From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
    [FR Doc No: 99-24014]
    
    
    -----------------------------------------------------------------------
    
    DEPARTMENT OF COMMERCE
    
    National Institute of Standards and Technology
    [Docket No. 970725180-9196-03]
    RIN No. 0693-ZA16
    
    
    Request for Comments on the Finalist (Round 2) Candidate 
    Algorithms for the Advanced Encryption Standard (AES)
    
    AGENCY: National Institute of Standards and Technology (NIST), 
    Commerce.
    
    ACTION: Notice; request for comments.
    
    -----------------------------------------------------------------------
    
    SUMMARY: A process to develop a Federal Information Processing Standard 
    (FIPS) for an Advanced Encryption Standard (AES) specifying an Advanced 
    Encryption Algorithm (AEA) has been initiated by the National Institute 
    of Standards and Technology (NIST). In the Fall of 1998, NIST announced 
    fifteen publicly submitted algorithms as candidates for the AES, and 
    invited public review, comment, and analysis in order to narrow the 
    field of candidates to (approximately) five or fewer finalists. During 
    the Round 1 technical evaluation period, these fifteen candidates were 
    subjected to extensive analysis and testing by the cryptographic 
    community.
    
        At the conclusion of Round 1, NIST took the following information 
    into consideration: (1) The submitted (official) versions of the AES 
    candidate algorithms, (2) Round 1 public comments, (3) papers and 
    discussions at the Second AES Candidate Conference, (4) results of NIST 
    efficiency and statistical analysis, and (5) other relevant data (e.g., 
    presentations at the Sixth Fast Software Encryption Workshop, 
    discussions on NIST's AES Electronic Discussion Forum, etc.). Using 
    this information, NIST has selected the AES finalist candidate 
    algorithms (``finalists''), which will be subjected to further analysis 
    during Round 2 of the AES development effort. A list of the finalists, 
    along with specifications and intellectual property information, is 
    available at the AES home page, http://www.nist.gov/aes.
        This notice announces the beginning of the Round 2 technical 
    evaluation period for the AES finalists. Additionally, the notice 
    solicits comments on the finalists from the general public, academic 
    and research communities, manufacturers, voluntary standards 
    organizations, and Federal, state, and local government organizations. 
    NIST will use these comments to select one or more of the finalists for 
    inclusion in a draft Federal Information Processing Standards 
    Publication (FIPS PUB), on which public comments will be invited via a 
    future Federal Register announcement.
        NIST's goal is that the AES will specify one or more unclassified, 
    publicly disclosed encryption algorithm(s) available royalty-free 
    worldwide that is (are) capable of protecting sensitive government 
    information well into the next century.
    
    DATES: Public comments for Round 2 are due May 15, 2000. Paper 
    proposals for the Third AES Candidate Conference (which are also 
    considered as public comments) are due to NIST by January 15, 2000. The 
    Third AES Candidate Conference (AES3) is scheduled for April 13-14, 
    2000.
    
    ADDRESSES: Comments and paper proposals should be sent electronically 
    to AESround2@nist.gov. Alternatively, they may be sent to: Information 
    Technology Laboratory Attn: AES Finalist Comments (Bldg. 820, Room 
    423), National Institute of Standards and Technology, 100 Bureau Drive, 
    STOP 8930, Gaithersburg, MD 20899-8930, U.S.A.
        AES-related comments received in response to this notice will be 
    made part of the public record. Papers proposed for presentation at 
    AES3 will be posted on the AES home page http://www.nist.gov/aes prior 
    to the beginning of AES3. All additional Round 2 comments will be made 
    available at the AES home page shortly after the Round 2 comments 
    period closes.
    
    FOR FURTHER INFORMATION CONTACT: The AES home page http://www.nist.gov/aes 
    has all current NIST information pertaining to the AES development 
    effort. Recent results and ongoing discussions regarding the finalists 
    and AES-related issues take place at the AES Electronic Discussion 
    Forum, http://aes.nist.gov/aes/default.htm. General questions may be 
    directed to Edward Roback at (301) 975-3696, or eroback@nist.gov.
    
    Technical questions may be made by contacting Jim Foti at (301) 975-5237, 
    jfoti@nist.gov, or Elaine Barker at (301) 975-2911, 
    ebarker@nist.gov.
        Algorithm-specific questions should be directed to the algorithm's 
    submitter. Contact information for the submitters is located on the AES 
    home page.
    
    SUPPLEMENTARY INFORMATION:
    
    1. AES Finalist Candidate Algorithms
    
        NIST has selected the AES finalists for Round 2. The list of 
    finalists, along with their specifications and intellectual property 
    statements, is available electronically at the AES home page. At that 
    same location, NIST is also making available a document that presents 
    the rationale for NIST's selection of the finalists.
        The Round 1 candidate algorithms that were not selected for Round 2 
    are no longer part of the AES development effort, and, therefore, will 
    not be selected for inclusion in the AES FIPS. Those algorithms 
    (including the specifications and reference and optimized code) may or 
    may not be in the public domain (this includes using the code for 
    testing and research purposes), so algorithm implementers, users, and 
    others should be aware of the intellectual property status of each 
    individual algorithm. When the algorithms were initially submitted 
    before the start of Round 1, each submitter signed an intellectual 
    property statement, part of which states that
    
        * * * If my algorithm * * * is not selected for inclusion in the 
    FIPS (including those not selected for second round of public 
    evaluation), I understand that all rights, including use rights of 
    the reference and mathematically optimized implementations, revert 
    back to the submitter (and other owner[s] as appropriate).
    
        Please note that the selection of an algorithm as a finalist does 
    not constitute endorsement by NIST of the algorithm or its security. 
    Similarly, the non-selection of an algorithm is not necessarily to be 
    taken as a statement about the algorithm's quality, security, 
    efficiency, or other characteristics. Algorithms selected as finalists 
    were determined to be more suitable for the proposed FIPS. For specific 
    details on an algorithm and its particular security characteristics, 
    one should consult the various Round 1 public comments that were 
    submitted to NIST (available on the AES home page).
        Although no formal process has been established to address minor 
    modifications of the finalists that may become necessary, NIST reserves 
    the right to work with the submitters of the finalists regarding any 
    such modifications. NIST intends to do this in the most open and public 
    manner possible. This is consistent with the made in the original call 
    for candidate algorithms, to which all submitters agreed that
    
        * * * the U.S. Government may, during the course of the lifetime 
    of the AES or during the FIPS public review process, modify the 
    algorithm's specifications (e.g., to protect against a newly 
    discovered vulnerability).
    
    2. Availability of AES CD-3
    
        All persons with AES CD-1 and CD-2 should be aware of potential 
    intellectual property issues with implementing and using algorithms on 
    those CDs, especially for those algorithms that were not selected for 
    Round 2. Please see the note in Section 1, above.
        In addition to making specifications available on the AES home 
    page, during Round 2 NIST will make a CD-ROM available (to be 
    designated ``AES CD-3'') which contains the algorithm specifications, 
    supporting documentation, and submitted code for the AES finalists. It 
    is anticipated that this code will be different from the code provided 
    before the start of Round 1 (e.g., updated to be more efficient, 
    additional code for various platforms, etc.). The submitters of the AES 
    finalists are being given one month from the start of Round 2 to 
    provide NIST with any updated code.
        AES CD-3 should be available approximately 2-3 months after the 
    beginning of Round 2. When it is ready for distribution, NIST will 
    re-activate the AES CD Request Form at 
    http://csrc.nist.gov/encryption/aes/round1/cdreq.htm. To those people 
    in the U.S. and Canada who 
    received AES CD-2, NIST will automatically send a copy of AES CD-3. So, 
    for those people, there will be no need to provide NIST with an 
    additional CD-ROM request.
    
        Since AES CD-3 will contain algorithm code, it will be subject to 
    export control, and NIST will handle export requests appropriately. For 
    those people outside of the U.S. and Canada who received AES CD-2 (for 
    whom an export license was granted), AES CD-3 will automatically be 
    distributed only after a new export license is granted and their copy 
    of AES CD-2 is returned to NIST, as required by the conditions of the 
    original export license. Information on where to send AES CD-2 is 
    posted on the AES CD Request Form mentioned above.
    
    3. Comments Solicited on the AES Finalists
    
        Written comments on the finalists are solicited by NIST in this 
    Round 2 technical evaluation in order to help NIST select one or more 
    algorithms for specification in a draft AES FIPS. To facilitate the 
    review of the comments, NIST asks the submitters of comments to clearly 
    indicate the algorithm(s) to which their comments apply. Also, as 
    guidance to comment submitters, the original Evaluation Criteria 
    published on September 12, 1997, are reproduced in Section 4 below.
        NIST will accept both general comments and formal analyses/papers 
    that will be considered for presentation at the Third AES Candidate 
    Conference (see Section 5 below).
        Since submitted comments will be made available to the public, the 
    comments must not contain proprietary information.
        Comments and analysis are sought on any aspect of the candidate 
    algorithms, including--but not limited to--the following topics.
    
    3.1  Cryptanalysis
    
        Since security will be the most important characteristic of the 
    selected algorithm(s), NIST strongly encourages and welcomes 
    cryptanalysis of the finalists.
    
    3.2  Intellectual Property of the AES Finalists
    
        NIST seeks detailed comments regarding any intellectual property--
    particularly any patent not already identified by the finalists' 
    submitters--that may be infringed by the practice of any of the 
    finalists' algorithms. This also includes comments from all parties--
    including submitters--regarding specific claims that the practice of a 
    finalist algorithm infringes on their patent(s). Claims regarding 
    infringement of copyrighted software are also particularly solicited. 
    NIST views this input as a critical factor in the eventual widespread 
    adoption and implementation of the algorithm(s) specified in the FIPS.
        NIST reminds all interested parties that the adoption of AES is 
    being conducted as an open standards-setting activity. Specifically, 
    NIST has requested that all interested parties identify to NIST any 
    patents or inventions that may be required for the use of AES. NIST 
    hereby gives public notice that it may seek redress under the antitrust 
    laws of the United States against any party in the future who might 
    seek to exercise patent rights against any user of AES that have not 
    been disclosed to NIST in response to this request for information.
    
    3.3  Cross-Cutting Analyses of All of the AES Finalists
    
        Public analysis comparing the entire field of finalists in a 
    consistent manner for particular characteristics will be very useful. 
    Examples of this type of analysis might include comparisons of the 
    finalists regarding: (1) Performance on various smart cards, when the 
    implementations are constructed to defend against timing and power 
    analysis attacks, (2) performance and/or memory use measurements, when 
    written in the same programming language, (3) relative performance on 
    64-bit processors, (4) performance of assembly language implementations 
    on various platforms, and (5) performance of hardware implementations 
    or simulations.
        Additionally, surveys, analyses, and comments are invited regarding 
    prospective future platforms and applications that will implement the 
    AES FIPS algorithm(s).
        During Round 2, NIST may take into consideration the issue of 
    having ``variable rounds'' in the AES finalists. Therefore, NIST 
    invites comments on how NIST should address the ``variable rounds'' 
    issue during and after Round 2.
    
    3.4  Overall Recommendations Regarding the Selection of the 
    Algorithm(s) for the Proposed FIPS
    
        When all factors are considered, which candidate algorithm(s) 
    should be selected for inclusion in the FIPS? Also, conversely, NIST 
    seeks the identification and justification of which algorithms should 
    not be selected by NIST. Such comments (with supporting justifications) 
    will be of great use to NIST and help assure timely progress of the AES 
    selection process.
    
    3.5  Related Recommendations Regarding Implementation of the AES FIPS
    
        In addition to selecting the algorithm(s) to be included in the 
    proposed FIPS, issues regarding the implementation requirements of the 
    standard will also need to be addressed. Therefore, NIST is seeking 
    comments (with rationale) on what requirements should be included in 
    the FIPS. For example, if NIST selects multiple algorithms for 
    inclusion in the proposed FIPS, should the standard require that 
    products conforming to the FIPS implement (1) one algorithm, (2) two 
    (or more) algorithms, (3) all algorithms, or (4) a varying number of 
    algorithms, depending on the type of implementation (e.g., require all 
    algorithms in software implementations, only one in hardware 
    implementations, etc.)?
        Also, upon final publication as a FIPS, NIST intends to provide 
    validation testing for implementations of the AES algorithm(s), as it 
    does with other FIPS-approved cryptographic algorithms. Comments 
    pertaining to such validation testing are also welcome.
    
    4. Evaluation Criteria
    
        In the call for AES candidate algorithms (Federal Register, 
    September 12, 1997, [Volume 62, Number 177], pages 48051-48058), NIST 
    published evaluation criteria for use in reviewing candidate 
    algorithms. For reference purposes, these criteria are reproduced 
    below:
    
    [Beginning of Excerpt]
    
        Security (i.e., the effort required to cryptanalyze).
        The security provided by an algorithm is the most important 
    factor in the evaluation.
        Algorithms will be judged on the following factors:
        i. Actual security of the algorithm compared to other submitted 
    algorithms (at the same key and block size).
        ii. The extent to which the algorithm output is 
    indistinguishable from a random permutation on the input block.
        iii. Soundness of the mathematical basis for the algorithm's 
    security.
        iv. Other security factors raised by the public during the 
    evaluation process, including any attacks that demonstrate that the 
    actual security of the algorithm is less than the strength claimed 
    by the submitter.
        Claimed attacks will be evaluated for practicality.
    
    Cost
    
        i. Licensing requirements: NIST intends that when the AES is 
    issued, the algorithm(s) specified in the AES shall be available on 
    a worldwide, non-exclusive, royalty-free basis.
        ii. Computational efficiency: The evaluation of computational 
    efficiency will be applicable to both hardware and software 
    implementations. Round 1 analysis by NIST will focus primarily on 
    software implementations and specifically on one key-block size 
    combination (128-128); more attention will be paid to hardware 
    implementations and other supported key-block size combinations 
    (particularly those required in the ``Minimum Acceptability 
    Requirements'' section) during Round 2 analysis.
        Computational efficiency essentially refers to the speed of the 
    algorithm. NIST's analysis of computational efficiency will be made 
    using each submission's mathematically optimized implementations on 
    the platform specified under ``Round 1 Technical Evaluation'' below. 
    Public comments on each algorithm's efficiency (particularly for 
    various platforms and applications) will also be taken into 
    consideration by NIST.
        iii. Memory requirements: The memory required to implement a 
    candidate algorithm--for both hardware and software implementations 
    of the algorithm--will also be considered during the evaluation 
    process. Round 1 analysis by NIST will focus primarily on software 
    implementations; more attention will be paid to hardware 
    implementations during Round 2.
        Memory requirements will include such factors as gate counts for 
    hardware implementations, and code size and RAM requirements for 
    software implementations.
        Testing will be performed by NIST using the mathematically 
    optimized implementations provided in the submission package. Memory 
    requirement estimates (for different platforms and environments) 
    that are included in the submission package will also be taken into 
    consideration by NIST. Input from public evaluations of each 
    algorithm's memory requirements (particularly for various platforms 
    and applicants) will also be taken into consideration by NIST.
    
    Algorithm and Implementation Characteristics
    
        i. Flexibility: Candidate algorithms with greater flexibility 
    will meet the needs of more users than less flexible ones, and, 
    therefore, inter alia, are preferable. However, some extremes of 
    functionality are of little practical application (e.g., extremely 
    short key lengths)--for those cases, preference will not be given.
        Some examples of ``flexibility'' may include (but are not 
    limited to) the following:
        a. The algorithm can accommodate additional key- and block-sizes 
    (e.g., 64-bit block sizes, key sizes other than those specified in 
    the Minimum Acceptability Requirements section, [e.g., keys between 
    128 and 256 that are multiples of 32 bits, etc.]).
        b. The algorithm can be implemented securely and efficiently in 
    a wide variety of platforms and applications (e.g., 8-bit 
    processors, ATM networks, voice & satellite communications, HDTV, 
    B-ISDN, etc.).
        c. The algorithm can be implemented as a stream cipher, Message 
    Authentication Code (MAC) generator, pseudo-random number generator, 
    hashing algorithm, etc.
        ii. Hardware and software suitability: A candidate algorithm 
    shall not be restrictive in the sense that it can only be 
    implemented in hardware. If one can also implement the algorithm 
    efficiently in firmware, then this will be an advantage in the area 
    of flexibility.
        iii. Simplicity: A candidate algorithm shall be judged according 
    to relative simplicity of design.
    
    [End of excerpt]
    
    5. Initial Planning for the Third AES Candidate Conference (AES3)
    
        Near the end of Round 2, NIST will sponsor the Third AES Candidate 
    Conference (AES3)--another open, public forum that will be used to 
    discuss analyses of the AES finalists. Additionally, submitters of the 
    AES finalists will be invited to attend and engage in discussions 
    regarding comments on their algorithms.
        AES3 will be held April 13-14, 2000, at the Hilton New York and 
    Towers, in New York City. The AES home page contains registration and 
    logistical information, in addition to information on other nearby 
    hotels. As for AES2 (March 22-23, 1999), AES3 will be held during the 
    same week and at the same location as the Fast Software Encryption 
    (FSE) Workshop (a link to FSE information will be available on the AES 
    home page).
        Paper submissions for AES3 should be sent to AESround2@nist.gov as 
    an official comment, with a note indicating that the paper is being 
    submitted for AES3. The deadline for AES3 submissions is January 15, 
    2000. All papers must be submitted in one of the following formats: 
    Adobe PDF, Postscript, Rich Text Format (RTF), or Microsoft Word97. 
    (For Adobe PDF and Postscript submissions, please embed all necessary 
    fonts within the document.) All papers received for AES3--regardless of 
    their acceptance for presentation at AES3--will be made available on 
    the AES home page prior to the conference.
    
    Appreciation
    
        NIST extends its appreciation to all AES candidate algorithm 
    submitters--both those submitters whose algorithms did and did not 
    qualify for Round 2--and those people providing public comments during 
    the AES development process.
    
        Dated: September 9, 1999.
    Karen Brown,
    Deputy Director, NIST.
    [FR Doc. 99-24014 Filed 9-14-99; 8:45 am]
    BILLING CODE 3510-CN-M
    
    
    

Document Information

Published: 09/15/1999
Department: National Institute of Standards and Technology
Entry Type: Notice
Action: Notice; request for comments.
Document Number: 99-24014
Dates: Public comments for Round 2 are due May 15, 2000. Paper proposals for the Third AES Candidate Conference (which are also considered as public comments) are due to NIST by January 15, 2000. The Third AES Candidate Conference (AES3) is scheduled for April 13-14, 2000.
Pages: 50058-50061 (4 pages)
Docket Numbers: Docket No. 970725180-9196-03