Advanced Encryption Standard process

On January 2, 1997, NIST announced that they wished to choose a successor to DES to be known as AES. Like DES, this was to be "an unclassified, publicly disclosed encryption algorithm capable of protecting sensitive government information well into the next century."{{Cite web |url=https://csrc.nist.gov/news/1997/announcing-development-of-fips-for-advanced-encryp |title=Announcing Development of a Federal Information Processing Standard for Advanced Encryption Standard |date=1992-01-02 |website=csrc.nist.gov |access-date=2018-10-09}} However, rather than simply publishing a successor, NIST asked for input from interested parties on how the successor should be chosen. Interest from the open cryptographic community was immediately intense, and NIST received a great many submissions during the three-month comment period.

The result of this feedback was a call for new algorithms on September 12, 1997.{{cite web |title=Requesting Candidate Algorithm Nominations for AES |url=https://csrc.nist.gov/news/1997/requesting-candidate-algorithm-nominations-for-aes |website=csrc.nist.gov |access-date=2018-10-09 |date=1997-09-12}} The algorithms were all to be block ciphers, supporting a block size of 128 bits and key sizes of 128, 192, and 256 bits. Such ciphers were rare at the time of the announcement; the best known was probably Square.

In the nine months that followed, fifteen designs were created and submitted from several countries. They were, in alphabetical order: CAST-256, CRYPTON, DEAL, DFC, E2, FROG, HPC, LOKI97, MAGENTA, MARS, RC6, Rijndael, SAFER+, Serpent, and Twofish.

In the ensuing debate, many advantages and disadvantages of the candidates were investigated by cryptographers; they were assessed not only on security, but also on performance in a variety of settings (PCs of various architectures, smart cards, hardware implementations) and on their feasibility in limited environments (smart cards with very limited memory, low gate count implementations, FPGAs).

Some designs fell due to cryptanalysis that ranged from minor flaws to significant attacks, while others lost favour due to poor performance in various environments or through having little to offer over other candidates. NIST held two conferences to discuss the submissions (AES1, August 1998 and AES2, March 1999{{cite web |last1=Georgoudis |first1=Dianelos |title=Live from the Second AES Conference, day 1 |url=http://cryptome.org/jya/aes2-day1.htm |website=Cryptome |access-date=7 April 2019}}{{cite web |last1=Georgoudis |first1=Dianelos |title=Live from the Second AES Conference, day 2 |url=http://cryptome.org/jya/aes2-day2.htm |website=Cryptome |access-date=7 April 2019}}{{cite web |last1=Georgoudis |first1=Dianelos |title=Discussion about Second AES Conference|url=https://groups.google.com/forum/#!msg/sci.crypt/vkN8A7ens_8/gLDHOM6Vy9IJ |website=Google Groups|access-date=30 November 2019}}), and in August 1999 they announced{{cite web |title=AES Development - Cryptographic Standards and Guidelines |url=https://csrc.nist.gov/projects/cryptographic-standards-and-guidelines/archived-crypto-projects/aes-development |website=csrc.nist.gov |date=December 29, 2016 |access-date=2018-10-09}} that they were narrowing the field from fifteen to five: MARS, RC6, Rijndael, Serpent, and Twofish. All five algorithms, commonly referred to as "AES finalists", were designed by cryptographers considered well-known and respected in the community.

The AES2 conference votes were as follows:{{Cite web |date=2021 |title=Development of the Advanced Encryption Standard |url=https://nvlpubs.nist.gov/nistpubs/jres/126/jres.126.024.pdf |archive-url=https://web.archive.org/web/20210820003022/https://nvlpubs.nist.gov/nistpubs/jres/126/jres.126.024.pdf |archive-date=2021-08-20 |url-status=live |access-date=24 Nov 2023}}

• Rijndael: 77 positive, 1 negative
• RC6: 79 positive, 6 negative
• Twofish: 64 positive, 3 negative
• MARS: 58 positive, 6 negative
• Serpent: 52 positive, 7 negative
• E2: 27 positive, 13 negative
• CAST-256: 16 positive, 18 negative
• SAFER+: 20 positive, 24 negative
• DFC: 22 positive, 27 negative
• Crypton: 16 positive, 31 negative
• DEAL: 1 positive, 71 negative
• HPC: 1 positive, 78 negative
• MAGENTA: 1 positive, 84 negative
• Frog: 1 positive, 86 negative
• LOKI97: 1 positive, 86 negative

A further round of intense analysis and cryptanalysis followed, culminating in the AES3 conference in April 2000, at which a representative of each of the final five teams made a presentation arguing why their design should be chosen as the AES. The AES3 conference votes were as follows:{{Cite web |date=April 28, 2000 |title=AES3 Conference Feedback Form - Summary |url=https://csrc.nist.rip/encryption/aes/round2/conf3/AES3FeedbackForm-summary.pdf |archive-url=https://web.archive.org/web/20231124173420/https://csrc.nist.rip/encryption/aes/round2/conf3/AES3FeedbackForm-summary.pdf |archive-date=2023-11-24 |url-status=live |access-date=24 Nov 2023}}

• Rijndael: 86 positive, 10 negative
• Serpent: 59 positive, 7 negative
• Twofish: 31 positive, 21 negative
• RC6: 23 positive, 37 negative
• MARS: 13 positive, 84 negative

On October 2, 2000, NIST announced{{cite web |last1=Swenson |first1=Gayle |title=Commerce Department Announces Winner of Global Information Security Competition |url=https://www.nist.gov/news-events/news/2000/10/commerce-department-announces-winner-global-information-security |website=NIST |access-date=2018-10-09 |date=2000-10-02}} that Rijndael had been selected as the proposed AES and started the process of making it the official standard by publishing an announcement in the Federal Register{{cite journal |author1=NIST |title=Announcing Draft Federal Information Processing Standard (FIPS) for the Advanced Encryption Standard (AES) and Request for Comments |journal=Federal Register |date=2001-02-28 |volume=66 |page=12762 |url=https://www.gpo.gov/fdsys/pkg/FR-2001-02-28/pdf/01-4886.pdf |archive-url=https://web.archive.org/web/20121022083448/http://www.gpo.gov/fdsys/pkg/FR-2001-02-28/pdf/01-4886.pdf |archive-date=2012-10-22 |url-status=live |access-date=2018-10-09}} on February 28, 2001 for the draft FIPS to solicit comments. On November 26, 2001, NIST announced that AES was approved as FIPS PUB 197.

NIST won praises from the cryptographic community for the openness and care with which they ran the standards process. Bruce Schneier, one of the authors of the losing Twofish algorithm, wrote after the competition was over that "I have nothing but good things to say about NIST and the AES process."{{cite web |title=Crypto-Gram: October 15, 2000 - Schneier on Security |url=http://www.schneier.com/crypto-gram-0010.html#8 |website=www.schneier.com |access-date=2018-10-09 |date=2000-10-15}}

• CAESAR Competition – Competition to design authenticated encryption schemes

• NIST hash function competition
• Post-Quantum Cryptography Standardization

{{reflist}}

• [http://csrc.nist.gov/archive/aes/ A historical overview of the process] can be found on NIST's website.
• On the sci.crypt newsgroup, there are extensive discussions about the AES process.

{{Cryptography navbox|block}}

Category:Cryptography contests

Category:History of cryptography

Category:Advanced Encryption Standard

Category:National Institute of Standards and Technology