Report on the Development of the Advanced Encryption Standard - AES

Journal of Research of the National Institute of Standards and Technology, May-June, 2001 by James Nechvatal, Elaine Barker, Lawrence Bassham, William Burr, Morris Dworkin, James Foti, Edward Roback

Security: Sects. 3.2 and 3.6.

Cost: Sects. 3.3, 3.4, 3.5, 3.7, 3.8, 3.10, and 4.

Algorithm Characteristics: Sects. 3.3, 3.4, 3.5, 3.6, 3.8, 3.9, and 3.10.

1.4 Results from Round 2

The Round 2 public review extended from the official announcement of the five AES finalists on August 20, 1999 until the official close of the comment period on May 15, 2000. During Round 2, many members of the global cryptographic community supported the AES development effort by analyzing and testing the five AES finalists.

NIST facilitated and focused the analysis of the finalists by providing an electronic discussion forum and home page. The public and NIST used the electronic forum [1] to discuss the finalists and relevant AES issues, inform the public of new analysis results, etc. The AES home page [2] served as a tool to disseminate information such as algorithm specifications and source code, AES3 papers, and other Round 2 public comments.

Thirty-seven papers were submitted to NIST for consideration for AES3. Twenty-four of those papers were presented at AES3 as part of the formal program, and one of the remaining papers was presented during an informal session at AES3. All of the submitted papers were posted on the AES home page [2] several weeks prior to AES3 in order to promote informed discussions at the conference.

AES3 gave members of the international cryptographic community an opportunity to present and discuss Round 2 analysis and other important topics relevant to the AES development effort. A summary of AES3 presentations and discussions will be available in Ref.[29]. In addition to the AES3 papers, NIST received 136 sets of public comments on the finalists during Round 2 in the form of submitted papers, email comments and letters. All of these comments were made publicly available on the AES home page [2] on April 19, 2000.

NIST performed an analysis of mathematically optimized ANSI C and Java[TM] implementations[2] of the candidate algorithms that were provided by the submitters prior to the beginning of Round 1. NIST's testing of ANSI C implementations focused on the speed of the candidates on various desktop systems, using different combinations of processors, operating systems, and compilers. The submitters' Java[TM] code was tested for speed and memory usage on a desktop system. NIST's TM testing results for the ANSI C and Java[TM] code are presented in Refs. [7] and [28], respectively. Additionally, extensive statistical testing was performed by NIST on the candidates, and results are presented in Ref.[88].

1.5 The Selection Process

A team of NIST security personnel convened a series of meetings in order to establish the strategy for AES algorithm selection (see Sec. 2). The team then proceeded to evaluate the papers and comments received during the AES development process, compare the results of the numerous studies made of the finalists and finally make the selection of the proposed AES algorithm. There is a consensus by the team that the selected algorithm will provide good security for the foreseeable future, is reasonably efficient and suitable for various platforms and environments, and provides sufficient flexibility to accommodate future requirements.