14 September 1998 Source: http://www.access.gpo.gov/su_docs/aces/fr-cont.html ------------------------------------------------------------------------- [Federal Register: September 14, 1998 (Volume 63, Number 177)] [Notices] [Page 49091-49093] From the Federal Register Online via GPO Access [wais.access.gpo.gov] [DOCID:fr14se98-37] ----------------------------------------------------------------------- DEPARTMENT OF COMMERCE National Institute of Standards and Technology [Docket No. 970725180-8168-02] RIN 0693-ZA16 Request for Comments on Candidate Algorithms for the Advanced Encryption Standard (AES) AGENCY: National Institute of Standards and Technology (NIST), Commerce. ACTION: Notice; Request for comments. ----------------------------------------------------------------------- SUMMARY: A process to develop a Federal Information Processing Standard (FIPS) for Advanced Encryption Standard (AES) specifying an Advanced Encryption Algorithm (AEA) has been initiated by the National Institute of Standards and Technology (NIST). Earlier this year, candidate algorithms were nominated to NIST for consideration for inclusion in the AES. Those candidate algorithms meeting the minimum acceptability criteria have been announced by NIST and are available electronically at the address listed below. This notice solicits comments on the candidate algorithms from the public, and academic and research communities, manufacturers, voluntary standards organizations, and Federal, state, and local government organizations. These comments will [[Page 49092]] assist NIST in narrowing the field of AES candidates to five or fewer for more detailed examination. It is intended that the AES will specify an unclassified, publicly disclosed encryption algorithm available royalty-free worldwide that is capable of protecting sensitive government information well into the next century. DATES: Public comments are due April 15, 1999. Authors who wish to be considered to be invited to brief their papers at the Second AES Candidate Conference must submit their papers by February 1, 1999. ADDRESSES: Comments on the candidate algorithms should be sent to Information Technology Laboratory, Attn: AES Candidate Comments, Building 820, Room 562, National Institute of Standards and Technology, Gaithersburg, MD 20899. Comments may also be sent electronically to AESFIRSTROUND@NIST.GOV Specifications of the candidate algorithms are available electronically at as if information on how to obtain software implementations of the candidate algorithms (for evaluation and analysis purposes) and information on the Second AES Candidate Conference. Comments received in response to this notice will be made part of the public record and will be made available for inspection and copying in the Central Records and Reference Inspection Facility, Room 6020, Herbert C. Hoover Building, 14th Street between Pennsylvania and Constitution Avenues, NW, Washington, DC, 20230. Electronic comments received by NIST will be made available electronically at FOR FURTHER INFORMATION CONTACT: For general information, contact: Edward Roback, National Institute of Standards and Technology, Building 820, Room 426, Gaithersburg, MD 20899; telephone 301-975-3696 or va fax at 301-948-1233. Technical questions may be made by contacting either Miles Smid at (301) 975-2938, or Jim Foti at (301) 975-5237. SUPPLEMENTARY INFORMATION: I. Availability of AES Candidate Algorithm Specifications/ Implementations Specifications of the candidate algorithms are available electronically at . That site also contains information on ordering two CDROMs containing the AES candidate-related information. The first CDROM contains the same descriptions of the algorighm candidates available on the web site. The second CDROM contains the ANSI C and JavaTM referenced and optimized implementations which are available for algorithm testing purposes. The second CDROM (candidate algorithm implementations) is subject to U.S. export controls for destinations outside the U.S. and Canada. Information is available on the web site regarding how interested parties outside the U.S. and Canada can obtain a copy of the second CDROM. Note that, with a few exceptions, the submitters of candidate algorithms have only made their candidate algorithms publicly available for AES testing and evaluation purposes. Unless otherwise specified by the submitter, these algorithms are protected and may not be otherwise used (e.g., in commercial or non-commercial products). II. Comments Solicited on AES Candiate Algorithms Written comments on the candidate algorithms are solicited by NIST in this ``Round 1'' technical evaluation in order to help NIST reduce the field of AES candidates to five or fewer for the ``Round 2'' technical analysis. It is envisioned that this narrowing will primarily be based on security, efficiency, and intellectual property considerations. Comments are specifically sought on: (1) specific security, efficiency, intellectual property, and other aspects of individual AES candidate algorithms; and, (2) cross-cutting analyses of all candidates. As discussed below, NIST particularly would appreciate receiving recommendations (with supporting justification) for the specific five (or fewer) algorithms which should be considered for Round 2 analysis. To facilitate review of the comments, it would be useful if those submitting comments would clearly indicate the particular algorithm(s) to which their comments apply. NIST will accept both: 1) general comments; and, 2) formal analysis/papers which will be considered for presentation at the ``Second AES Candidate Conference.'' Since comments submitted will be made available to the public, they must not contain proprietary information. Comments and analysis are sought on any aspect of the candidate algorithms, including, but not limited to: 1. Comments on Candidate Algorithms Based Upon AES Evaluation Criteria In the call for AES candidate algorithms (Federal Register, September 12, 1997 [Volume 62, Number 177], pages 48051-48058), NIST published evaluation criteria for use in reviewing candidate algorithms. For reference purposes, these are reproduced below. Comments are sought on the candidate algorithms and all aspects of the evaluation criteria. Evaluation Criteria (as published September 12, 1997). Security (i.e., the effort required to cryptanalyze): The security provided by an algorithm is the most important factor in the evaluation. Algorithms will be judged on the following factors: i. Actual security of the algorithm compared to other submitted algorithms (at the same key and block size). ii. The extent to which the algorithm output is indistinguishable from a random permutation on the input block. iii. Soundness of the mathematical basis for the algorithm's security. iv. Other security factors raised by the public during the evaluation process, including any attacks which demonstrate that the actual security of the algorithm is less than the strength claimed by the submitter. Claimed attacks will be evaluated for practicality. Cost i. Licensing requirements: NIST intends that when the AES is issued, the algorithm(s) specified in the AES shall be available on a worldwide, non-exclusive, royalty-free basis. ii. Computational efficiency: The evaluation of computational efficiency will be applicable to both hardware and software implementations. Round 1 analysis by NIST will focus primarily on software implementations and specifically on one key-block size combination (128-128); more attention will be paid to hardware implementations and other supported key-block size combinations (particularly those required in the Minimum Acceptability Requirement section) during Round 2 analysis. Computational efficiency essentially refers to the speed of the algorithm. NIST's analysis of computational efficiency will be made using each submission's mathematically optimized implementations on the platform specified under Round 1 Technical Evaluation below. Public comments on each algorithm's efficiency (particularly for various platforms and applications) will also be taken into consideration by NIST. iii. Memory requirements: The memory required to implement a candidate algorithm--for both hardware and software implementations of the algorithm--will also be considered during the evaluation process. Round 1 analysis by NIST will focus primarily on software implementations; more attention will be paid to hardware implementations during Round 2. Memory requirements will include such factors as gate counts for hardware [[Page 49093]] implementations, and code size and RAM requirements for software implementations. Testing will be performed by NIST using the mathematically optimized implementations provided in the submission package. Memory requirement estimates (for different platforms and environments) that are included in the submission package will also be taken into consideration by NIST. Input from public evaluations of each algorithm's memory requirements (particularly for various platforms and applications) will also be taken into consideration by NIST. Algorithm and Implementation Characteristics i. Flexibility: Candidate algorithms with greater flexibility will meet the needs of more users than less flexible ones, and therefore, inter alia, are preferable. However, some extremes of functionality are of little practical application (e.g., extremely short key lengths)--for the cases, preference will not be given. Some examples of ``flexibility'' may include (but are not limited to) the following: a. The algorithm can accommodate additional key- and block-sizes (e.g., 64-bit block sizes, key sizes other than those specified in the Minimum Acceptability Requirements section, [e.g., keys between 128 and 256 that are multiples of 32 bits, etc.]) b. The algorithm can be implemented securely and efficiently in a wide variety of platforms and applications (e.g., 8-bit processors, ATM networks, voice & satellite communications, HDTV, B- ISDN, etc.). c. The algorithm can be implemented as a stream cipher, Message Authentication Code (MAC) generator, pseudo-random number generator, hashing algorithm, etc. ii. Hardware and software suitability: A candidate algorithm shall not be restrictive in the sense that it can only be implemented in hardware. If one can also implement the algorithm efficiently in firmware, then this will be an advantage in the area of flexibility. iii. Simplicity: A candidate algorithm shall be judged according to relative simplicity of design. 2. Intellectual Property Comments are also sought specifically regarding any patents (particularly any not otherwise identified by the submitter of each candidate) that may be infringed by the practice of each nominated candidate algorithm. 3. Cross-Cutting Analyses Analysis comparing the entire field of candidates in a consistent manner for particular characteristics would be useful. Example of this type of analysis might include: (1) Comparisons of implementations of all algorithms written in the same programming language for memory use, timings for encryption/decryption/key setup/key change, and so forth; (2) comparisons of all algorithms against a particular cryptologic attack; or (3) comparison of all algorithms for infringement against a particular patent. 4. Overall Recommendations When all factors are considered, which candidate algorithms should be selected for the next round of evaluation and why? (Since NIST intends to select five or few algorithms for Round 2, it would be useful to identify five or fewer in this regard.) Also, conversely, identification and justification of which algorithms should NOT be selected for the next round of evaluation. Such comments (with supporting justifications) will be of great use to NIST and help assure timely progress of the AES selection process. III. Initial Planning for the Second AES Candidate Conference An open public conference is being planned for the spring of 1999 to discuss analyses of the candidate algorithms. Those individuals who have submitted particularly insightful and useful comments may be invited by NIST to present their papers at the conference. Panels may also be organized around individual algorithms or cross-cutting analysis topics. Also, submitters of candidate algorithms will be invited to attend and engage in discussions responding to comments regarding their candidates. Because of the anticipated volume of comments, not all authors of comments can be invited to participate on the official program. At the conference, NIST intends to provide a briefing of the results of its efficiency testing of the candidate algorithm implementations, along with any other testing it may have completed. In order to allow for timely conference preparation, authors who wish to be considered on the official program of the Second AES Candidate Conference must have their papers submitted to NIST by February 1, 1999. (They are to be sent to the same address as the general comments but should also be annotated as ``conference paper candidate.'' They will automatically be entered into the public record of AES candidate comments.) As details and registration procedures are finalized, they will be posted to . IV. General AES Development Information For information regarding NIST's plans to test the candidate algorithms, the overall AES selection process, and the call for candidate algorithms, see NIST's notice in the Federal Register, September 12, 1997 (Volume 62, Number 177), pages 48051-48058, ``Announcing Request for Candidate Algorithm Nominations for the Advanced Encryption Standard (AES).'' Appreciation NIST extends its appreciation to all submitters and those parties providing public comments during the AES development process. Dated: September 4, 1998. Robert E. Hebner, Acting Deputy Director. [FR Doc. 98-24560 Filed 9-11-98; 8:45 am] BILLING CODE 3510-CN-M