Advanced Encryption Standard process

Last updated November 25, 2023

The Advanced Encryption Standard (AES), the symmetric block cipher ratified as a standard by National Institute of Standards and Technology of the United States (NIST), was chosen using a process lasting from 1997 to 2000 that was markedly more open and transparent than its predecessor, the Data Encryption Standard (DES). This process won praise from the open cryptographic community, and helped to increase confidence in the security of the winning algorithm from those who were suspicious of backdoors in the predecessor, DES.

A new standard was needed primarily because DES had a relatively small 56-bit key which was becoming vulnerable to brute-force attacks. In addition, the DES was designed primarily for hardware and was relatively slow when implemented in software.^[1] While Triple-DES avoids the problem of a small key size, it is very slow even in hardware, it is unsuitable for limited-resource platforms, and it may be affected by potential security issues connected with the (today comparatively small) block size of 64 bits.

Start of the process

On January 2, 1997, NIST announced that they wished to choose a successor to DES to be known as AES. Like DES, this was to be "an unclassified, publicly disclosed encryption algorithm capable of protecting sensitive government information well into the next century."^[2] However, rather than simply publishing a successor, NIST asked for input from interested parties on how the successor should be chosen. Interest from the open cryptographic community was immediately intense, and NIST received a great many submissions during the three-month comment period.

The result of this feedback was a call for new algorithms on September 12, 1997.^[3] The algorithms were all to be block ciphers, supporting a block size of 128 bits and key sizes of 128, 192, and 256 bits. Such ciphers were rare at the time of the announcement; the best known was probably Square.

Rounds one, two, and three

In the nine months that followed, fifteen designs were created and submitted from several countries. They were, in alphabetical order: CAST-256, CRYPTON, DEAL, DFC, E2, FROG, HPC, LOKI97, MAGENTA, MARS, RC6, Rijndael, SAFER+, Serpent, and Twofish.

In the ensuing debate, many advantages and disadvantages of the candidates were investigated by cryptographers; they were assessed not only on security, but also on performance in a variety of settings (PCs of various architectures, smart cards, hardware implementations) and on their feasibility in limited environments (smart cards with very limited memory, low gate count implementations, FPGAs).

Some designs fell due to cryptanalysis that ranged from minor flaws to significant attacks, while others lost favour due to poor performance in various environments or through having little to offer over other candidates. NIST held two conferences to discuss the submissions (AES1, August 1998 and AES2, March 1999^[4]^[5]^[6]), and in August 1999 they announced^[7] that they were narrowing the field from fifteen to five: MARS, RC6, Rijndael, Serpent, and Twofish. All five algorithms, commonly referred to as "AES finalists", were designed by cryptographers considered well-known and respected in the community. The AES2 conference votes were as follows:^[8]

Rijndael: 77 positive, 1 negative
RC6: 79 positive, 6 negative
Twofish: 64 positive, 3 negative
MARS: 58 positive, 6 negative
Serpent: 52 positive, 7 negative
E2: 27 positive, 13 negative
CAST-256: 16 positive, 18 negative
SAFER+: 20 positive, 24 negative
DFC: 22 positive, 27 negative
Crypton: 16 positive, 31 negative
DEAL: 1 positive, 71 negative
HPC: 1 positive, 78 negative
MAGENTA: 1 positive, 84 negative
Frog: 1 positive, 86 negative
LOKI97: 1 positive, 86 negative

A further round of intense analysis and cryptanalysis followed, culminating in the AES3 conference in April 2000, at which a representative of each of the final five teams made a presentation arguing why their design should be chosen as the AES. The AES3 conference votes were as follows:^[9]

Rijndael: 86 positive, 10 negative
Serpent: 59 positive, 7 negative
Twofish: 31 positive, 21 negative
RC6: 23 positive, 37 negative
MARS: 13 positive, 84 negative

Selection of the winner

On October 2, 2000, NIST announced^[10] that Rijndael had been selected as the proposed AES and started the process of making it the official standard by publishing an announcement in the Federal Register ^[11] on February 28, 2001 for the draft FIPS to solicit comments. On November 26, 2001, NIST announced that AES was approved as FIPS PUB 197.

NIST won praises from the cryptographic community for the openness and care with which they ran the standards process. Bruce Schneier, one of the authors of the losing Twofish algorithm, wrote after the competition was over that "I have nothing but good things to say about NIST and the AES process."^[12]

Related Research Articles

The Advanced Encryption Standard (AES), also known by its original name Rijndael, is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001.

Blowfish is a symmetric-key block cipher, designed in 1993 by Bruce Schneier and included in many cipher suites and encryption products. Blowfish provides a good encryption rate in software, and no effective cryptanalysis of it has been found to date. However, the Advanced Encryption Standard (AES) now receives more attention, and Schneier recommends Twofish for modern applications.

The Data Encryption Standard is a symmetric-key algorithm for the encryption of digital data. Although its short key length of 56 bits makes it too insecure for modern applications, it has been highly influential in the advancement of cryptography.

Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both the encryption of plaintext and the decryption of ciphertext. The keys may be identical, or there may be a simple transformation to go between the two keys. The keys, in practice, represent a shared secret between two or more parties that can be used to maintain a private information link. The requirement that both parties have access to the secret key is one of the main drawbacks of symmetric-key encryption, in comparison to public-key encryption. However, symmetric-key encryption algorithms are usually better for bulk encryption. With exception of the one-time pad they have a smaller key size, which means less storage space and faster transmission. Due to this, asymmetric-key encryption is often used to exchange the secret key for symmetric-key encryption.

In cryptography, a block cipher mode of operation is an algorithm that uses a block cipher to provide information security such as confidentiality or authenticity. A block cipher by itself is only suitable for the secure cryptographic transformation of one fixed-length group of bits called a block. A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block.

In cryptography, an S-box (substitution-box) is a basic component of symmetric key algorithms which performs substitution. In block ciphers, they are typically used to obscure the relationship between the key and the ciphertext, thus ensuring Shannon's property of confusion. Mathematically, an S-box is a nonlinear vectorial Boolean function.

<span class="mw-page-title-main">Serpent (cipher)</span>

Serpent is a symmetric key block cipher that was a finalist in the Advanced Encryption Standard (AES) contest, in which it ranked second to Rijndael. Serpent was designed by Ross Anderson, Eli Biham, and Lars Knudsen.

In cryptography, Skipjack is a block cipher—an algorithm for encryption—developed by the U.S. National Security Agency (NSA). Initially classified, it was originally intended for use in the controversial Clipper chip. Subsequently, the algorithm was declassified.

MARS is a block cipher that was IBM's submission to the Advanced Encryption Standard process. MARS was selected as an AES finalist in August 1999, after the AES2 conference in March 1999, where it was voted as the fifth and last finalist algorithm.

In cryptography, MAGENTA is a symmetric key block cipher developed by Michael Jacobson Jr. and Klaus Huber for Deutsche Telekom. The name MAGENTA is an acronym for Multifunctional Algorithm for General-purpose Encryption and Network Telecommunication Applications. The cipher was submitted to the Advanced Encryption Standard process, but did not advance beyond the first round; cryptographic weaknesses were discovered and it was found to be one of the slower ciphers submitted.

In cryptography, the eXtended Sparse Linearization (XSL) attack is a method of cryptanalysis for block ciphers. The attack was first published in 2002 by researchers Nicolas Courtois and Josef Pieprzyk. It has caused some controversy as it was claimed to have the potential to break the Advanced Encryption Standard (AES) cipher, also known as Rijndael, faster than an exhaustive search. Since AES is already widely used in commerce and government for the transmission of secret information, finding a technique that can shorten the amount of time it takes to retrieve the secret message without having the key could have wide implications.

<span class="mw-page-title-main">DEAL</span> Block cipher

In cryptography, DEAL is a symmetric block cipher derived from the Data Encryption Standard (DES). Its design was presented Lars Knudsen at the SAC conference in 1997, and submitted as a proposal to the AES contest in 1998 by Richard Outerbridge.

In cryptography, key whitening is a technique intended to increase the security of an iterated block cipher. It consists of steps that combine the data with portions of the key.

In cryptography, impossible differential cryptanalysis is a form of differential cryptanalysis for block ciphers. While ordinary differential cryptanalysis tracks differences that propagate through the cipher with greater than expected probability, impossible differential cryptanalysis exploits differences that are impossible at some intermediate state of the cipher algorithm.

In cryptography, format-preserving encryption (FPE), refers to encrypting in such a way that the output is in the same format as the input. The meaning of "format" varies. Typically only finite sets of characters are used; numeric, alphabetic or alphanumeric. For example:

The following outline is provided as an overview of and topical guide to cryptography:

There are various implementations of the Advanced Encryption Standard, also known as Rijndael.

<span class="mw-page-title-main">Twofish</span> Block cipher

In cryptography, Twofish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits. It was one of the five finalists of the Advanced Encryption Standard contest, but it was not selected for standardization. Twofish is related to the earlier block cipher Blowfish.

This article summarizes publicly known attacks against block ciphers and stream ciphers. Note that there are perhaps attacks that are not publicly known, and not all entries may be up to date.

The tables below compare cryptography libraries that deal with cryptography algorithms and have API function calls to each of the supported features.

References

↑ "cryptology:: The Data Encryption Standard and the Advanced Encryption Standard". Britannica.com. Archived from the original on May 14, 2014. Retrieved October 9, 2018.
↑ "Announcing Development of a Federal Information Processing Standard for Advanced Encryption Standard". csrc.nist.gov. January 2, 1992. Retrieved October 9, 2018.
↑ "Requesting Candidate Algorithm Nominations for AES". csrc.nist.gov. September 12, 1997. Retrieved October 9, 2018.
↑ Georgoudis, Dianelos. "Live from the Second AES Conference, day 1". Cryptome. Retrieved April 7, 2019.
↑ Georgoudis, Dianelos. "Live from the Second AES Conference, day 2". Cryptome. Retrieved April 7, 2019.
↑ Georgoudis, Dianelos. "Discussion about Second AES Conference". Google Groups. Retrieved November 30, 2019.
↑ "AES Development - Cryptographic Standards and Guidelines". csrc.nist.gov. December 29, 2016. Retrieved October 9, 2018.
↑ "Development of the Advanced Encryption Standard" (PDF). 2021. Retrieved November 24, 2023.{{cite web}}: CS1 maint: url-status (link)
↑ "AES3 Conference Feedback Form - Summary" (PDF). April 28, 2000. Retrieved November 24, 2023.{{cite web}}: CS1 maint: url-status (link)
↑ Swenson, Gayle (October 2, 2000). "Commerce Department Announces Winner of Global Information Security Competition". NIST. Retrieved October 9, 2018.
↑ NIST (February 28, 2001). "Announcing Draft Federal Information Processing Standard (FIPS) for the Advanced Encryption Standard (AES) and Request for Comments" (PDF). Federal Register. 66: 12762. Retrieved October 9, 2018.
↑ "Crypto-Gram: October 15, 2000 - Schneier on Security". www.schneier.com. October 15, 2000. Retrieved October 9, 2018.

External links

A historical overview of the process can be found on NIST's website.
On the sci.crypt newsgroup, there are extensive discussions about the AES process.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "cryptology:: The Data Encryption Standard and the Advanced Encryption Standard". Britannica.com. Archived from the original on May 14, 2014. Retrieved October 9, 2018.

[2] "Announcing Development of a Federal Information Processing Standard for Advanced Encryption Standard". csrc.nist.gov. January 2, 1992. Retrieved October 9, 2018.

[3] "Requesting Candidate Algorithm Nominations for AES". csrc.nist.gov. September 12, 1997. Retrieved October 9, 2018.

[4] Georgoudis, Dianelos. "Live from the Second AES Conference, day 1". Cryptome. Retrieved April 7, 2019.

[5] Georgoudis, Dianelos. "Live from the Second AES Conference, day 2". Cryptome. Retrieved April 7, 2019.

[6] Georgoudis, Dianelos. "Discussion about Second AES Conference". Google Groups. Retrieved November 30, 2019.

[7] "AES Development - Cryptographic Standards and Guidelines". csrc.nist.gov. December 29, 2016. Retrieved October 9, 2018.

[8] "Development of the Advanced Encryption Standard" (PDF). 2021. Retrieved November 24, 2023.{{cite web}}: CS1 maint: url-status (link)

[9] "AES3 Conference Feedback Form - Summary" (PDF). April 28, 2000. Retrieved November 24, 2023.{{cite web}}: CS1 maint: url-status (link)

[10] Swenson, Gayle (October 2, 2000). "Commerce Department Announces Winner of Global Information Security Competition". NIST. Retrieved October 9, 2018.

[11] NIST (February 28, 2001). "Announcing Draft Federal Information Processing Standard (FIPS) for the Advanced Encryption Standard (AES) and Request for Comments" (PDF). Federal Register. 66: 12762. Retrieved October 9, 2018.

[12] "Crypto-Gram: October 15, 2000 - Schneier on Security". www.schneier.com. October 15, 2000. Retrieved October 9, 2018.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]