[Federal Register Volume 63, Number 177 (Monday, September 14, 1998)]
[Notices]
[Pages 49091-49093]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 98-24560]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology
[Docket No. 970725180-8168-02]
RIN 0693-ZA16


Request for Comments on Candidate Algorithms for the Advanced 
Encryption Standard (AES)

AGENCY: National Institute of Standards and Technology (NIST), 
Commerce.

ACTION: Notice; Request for comments.

-----------------------------------------------------------------------

SUMMARY: A process to develop a Federal Information Processing Standard 
(FIPS) for Advanced Encryption Standard (AES) specifying an Advanced 
Encryption Algorithm (AEA) has been initiated by the National Institute 
of Standards and Technology (NIST). Earlier this year, candidate 
algorithms were nominated to NIST for consideration for inclusion in 
the AES. Those candidate algorithms meeting the minimum acceptability 
criteria have been announced by NIST and are available electronically 
at the address listed below.
    This notice solicits comments on the candidate algorithms from the 
public, and academic and research communities, manufacturers, voluntary 
standards organizations, and Federal, state, and local government 
organizations. These comments will

[[Page 49092]]

assist NIST in narrowing the field of AES candidates to five or fewer 
for more detailed examination.
    It is intended that the AES will specify an unclassified, publicly 
disclosed encryption algorithm available royalty-free worldwide that is 
capable of protecting sensitive government information well into the 
next century.

DATES: Public comments are due April 15, 1999.
    Authors who wish to be considered to be invited to brief their 
papers at the Second AES Candidate Conference must submit their papers 
by February 1, 1999.

ADDRESSES: Comments on the candidate algorithms should be sent to 
Information Technology Laboratory, Attn: AES Candidate Comments, 
Building 820, Room 562, National Institute of Standards and Technology, 
Gaithersburg, MD 20899.
    Comments may also be sent electronically to [email protected]
    Specifications of the candidate algorithms are available 
electronically at <http://csrc.nist.gov/encryption/aes/aes__home.htm> 
as is information on how to obtain software implementations of the 
candidate algorithms (for evaluation and analysis purposes) and 
information on the Second AES Candidate Conference.
    Comments received in response to this notice will be made part of 
the public record and will be made available for inspection and copying 
in the Central Records and Reference Inspection Facility, Room 6020, 
Herbert C. Hoover Building, 14th Street between Pennsylvania and 
Constitution Avenues, NW, Washington, DC, 20230.
    Electronic comments received by NIST will be made available 
electronically at <http://csrc.nist.gov/encryption/aes/aes__home.htm>.

FOR FURTHER INFORMATION CONTACT:
For general information, contact: Edward Roback, National Institute of 
Standards and Technology, Building 820, Room 426, Gaithersburg, MD 
20899; telephone 301-975-3696 or via fax at 301-948-1233.
    Technical questions may be made by contacting either Miles Smid at 
(301) 975-2938, or Jim Foti at (301) 975-5237.

SUPPLEMENTARY INFORMATION: 

I. Availability of AES Candidate Algorithm Specifications/
Implementations

    Specifications of the candidate algorithms are available 
electronically at <http://csrc.nist.gov/encryption/aes/aes__home.htm>. 
That site also contains information on ordering two CDROMs containing 
the AES candidate-related information. The first CDROM contains the 
same descriptions of the algorithm candidates available on the web 
site. The second CDROM contains the ANSI C and Java(TM) 
referenced and optimized implementations which are available for 
algorithm testing purposes.
    The second CDROM (candidate algorithm implementations) is subject 
to U.S. export controls for destinations outside the U.S. and Canada. 
Information is available on the web site regarding how interested 
parties outside the U.S. and Canada can obtain a copy of the second 
CDROM.
    Note that, with a few exceptions, the submitters of candidate 
algorithms have only made their candidate algorithms publicly available 
for AES testing and evaluation purposes. Unless otherwise specified by 
the submitter, these algorithms are protected and may not be otherwise 
used (e.g., in commercial or non-commercial products).

II. Comments Solicited on AES Candidate Algorithms

    Written comments on the candidate algorithms are solicited by NIST 
in this ``Round 1'' technical evaluation in order to help NIST reduce 
the field of AES candidates to five or fewer for the ``Round 2'' 
technical analysis. It is envisioned that this narrowing will primarily 
be based on security, efficiency, and intellectual property 
considerations. Comments are specifically sought on: (1) specific 
security, efficiency, intellectual property, and other aspects of 
individual AES candidate algorithms; and, (2) cross-cutting analyses of 
all candidates. As discussed below, NIST particularly would appreciate 
receiving recommendations (with supporting justification) for the 
specific five (or fewer) algorithms which should be considered for 
Round 2 analysis. To facilitate review of the comments, it would be 
useful if those submitting comments would clearly indicate the 
particular algorithm(s) to which their comments apply.
    NIST will accept both: 1) general comments; and, 2) formal 
analysis/papers which will be considered for presentation at the 
``Second AES Candidate Conference.''
    Since comments submitted will be made available to the public, they 
must not contain proprietary information.
    Comments and analysis are sought on any aspect of the candidate 
algorithms, including, but not limited to:

1. Comments on Candidate Algorithms Based Upon AES Evaluation Criteria

    In the call for AES candidate algorithms (Federal Register, 
September 12, 1997 [Volume 62, Number 177], pages 48051-48058), NIST 
published evaluation criteria for use in reviewing candidate 
algorithms. For reference purposes, these are reproduced below. 
Comments are sought on the candidate algorithms and all aspects of the 
evaluation criteria.

    Evaluation Criteria (as published September 12, 1997).
    Security (i.e., the effort required to cryptanalyze):
    The security provided by an algorithm is the most important 
factor in the evaluation.
    Algorithms will be judged on the following factors:
    i. Actual security of the algorithm compared to other submitted 
algorithms (at the same key and block size).
    ii. The extent to which the algorithm output is 
indistinguishable from a random permutation on the input block.
    iii. Soundness of the mathematical basis for the algorithm's 
security.
    iv. Other security factors raised by the public during the 
evaluation process, including any attacks which demonstrate that the 
actual security of the algorithm is less than the strength claimed 
by the submitter.
    Claimed attacks will be evaluated for practicality.

Cost

    i. Licensing requirements: NIST intends that when the AES is 
issued, the algorithm(s) specified in the AES shall be available on 
a worldwide, non-exclusive, royalty-free basis.
    ii. Computational efficiency: The evaluation of computational 
efficiency will be applicable to both hardware and software 
implementations. Round 1 analysis by NIST will focus primarily on 
software implementations and specifically on one key-block size 
combination (128-128); more attention will be paid to hardware 
implementations and other supported key-block size combinations 
(particularly those required in the Minimum Acceptability 
Requirement section) during Round 2 analysis.
    Computational efficiency essentially refers to the speed of the 
algorithm. NIST's analysis of computational efficiency will be made 
using each submission's mathematically optimized implementations on 
the platform specified under Round 1 Technical Evaluation below. 
Public comments on each algorithm's efficiency (particularly for 
various platforms and applications) will also be taken into 
consideration by NIST.
    iii. Memory requirements: The memory required to implement a 
candidate algorithm--for both hardware and software implementations 
of the algorithm--will also be considered during the evaluation 
process. Round 1 analysis by NIST will focus primarily on software 
implementations; more attention will be paid to hardware 
implementations during Round 2.
    Memory requirements will include such factors as gate counts for 
hardware

[[Page 49093]]

implementations, and code size and RAM requirements for software 
implementations.
    Testing will be performed by NIST using the mathematically 
optimized implementations provided in the submission package. Memory 
requirement estimates (for different platforms and environments) 
that are included in the submission package will also be taken into 
consideration by NIST. Input from public evaluations of each 
algorithm's memory requirements (particularly for various platforms 
and applications) will also be taken into consideration by NIST.

Algorithm and Implementation Characteristics

    i. Flexibility: Candidate algorithms with greater flexibility 
will meet the needs of more users than less flexible ones, and 
therefore, inter alia, are preferable. However, some extremes of 
functionality are of little practical application (e.g., extremely 
short key lengths)--for those cases, preference will not be given.
    Some examples of ``flexibility'' may include (but are not 
limited to) the following:
    a. The algorithm can accommodate additional key- and block-sizes 
(e.g., 64-bit block sizes, key sizes other than those specified in 
the Minimum Acceptability Requirements section, [e.g., keys between 
128 and 256 that are multiples of 32 bits, etc.])
    b. The algorithm can be implemented securely and efficiently in 
a wide variety of platforms and applications (e.g., 8-bit 
processors, ATM networks, voice & satellite communications, HDTV, 
B-ISDN, etc.).
    c. The algorithm can be implemented as a stream cipher, Message 
Authentication Code (MAC) generator, pseudo-random number generator, 
hashing algorithm, etc.
    ii. Hardware and software suitability: A candidate algorithm 
shall not be restrictive in the sense that it can only be 
implemented in hardware. If one can also implement the algorithm 
efficiently in firmware, then this will be an advantage in the area 
of flexibility.
    iii. Simplicity: A candidate algorithm shall be judged according 
to relative simplicity of design.

2. Intellectual Property

    Comments are also sought specifically regarding any patents 
(particularly any not otherwise identified by the submitter of each 
candidate) that may be infringed by the practice of each nominated 
candidate algorithm.

3. Cross-Cutting Analyses

    Analysis comparing the entire field of candidates in a consistent 
manner for particular characteristics would be useful. Examples of this 
type of analysis might include: (1) Comparisons of implementations of 
all algorithms written in the same programming language for memory use, 
timings for encryption/decryption/key setup/key change, and so forth; 
(2) comparisons of all algorithms against a particular cryptologic 
attack; or (3) comparison of all algorithms for infringement against a 
particular patent.

4. Overall Recommendations

    When all factors are considered, which candidate algorithms should 
be selected for the next round of evaluation and why? (Since NIST 
intends to select five or fewer algorithms for Round 2, it would be 
useful to identify five or fewer in this regard.) Also, conversely, 
identification and justification of which algorithms should NOT be 
selected for the next round of evaluation. Such comments (with 
supporting justifications) will be of great use to NIST and help assure 
timely progress of the AES selection process.

III. Initial Planning for the Second AES Candidate Conference

    An open public conference is being planned for the spring of 1999 
to discuss analyses of the candidate algorithms. Those individuals who 
have submitted particularly insightful and useful comments may be 
invited by NIST to present their papers at the conference. Panels may 
also be organized around individual algorithms or cross-cutting 
analysis topics. Also, submitters of candidate algorithms will be 
invited to attend and engage in discussions responding to comments 
regarding their candidates. Because of the anticipated volume of 
comments, not all authors of comments can be invited to participate on 
the official program. At the conference, NIST intends to provide a 
briefing of the results of its efficiency testing of the candidate 
algorithm implementations, along with any other testing it may have 
completed.
    In order to allow for timely conference preparation, authors who 
wish to be considered on the official program of the Second AES 
Candidate Conference must have their papers submitted to NIST by 
February 1, 1999. (They are to be sent to the same address as the 
general comments but should also be annotated as ``conference paper 
candidate.'' They will automatically be entered into the public record 
of AES candidate comments.)
    As details and registration procedures are finalized, they will be 
posted to <http://csrc.nist.gov/encryption/aes/aes__home.htm>.

IV. General AES Development Information

    For information regarding NIST's plans to test the candidate 
algorithms, the overall AES selection process, and the call for 
candidate algorithms, see NIST's notice in the Federal Register, 
September 12, 1997 (Volume 62, Number 177), pages 48051-48058, 
``Announcing Request for Candidate Algorithm Nominations for the 
Advanced Encryption Standard (AES).''

Appreciation

    NIST extends its appreciation to all submitters and those parties 
providing public comments during the AES development process.

    Dated: September 4, 1998.
Robert E. Hebner,
Acting Deputy Director.
[FR Doc. 98-24560 Filed 9-11-98; 8:45 am]
BILLING CODE 3510-CN-M