Report on the Development of the Advanced Encryption Standard - AES

Journal of Research of the National Institute of Standards and Technology, May-June, 2001 by James Nechvatal, Elaine Barker, Lawrence Bassham, William Burr, Morris Dworkin, James Foti, Edward Roback

1.6 Organization of this Report

This report is organized as follows. Section 2 provides details on NIST's approach to making its selection, and discusses some of the more critical issues that were considered prior to evaluating the algorithms. Section 3 presents the various factors and analysis results that were taken into consideration during the algorithms' evaluation by NIST; this section presents a number of specific case studies. Section 4 summarizes the intellectual property issue. In Section 5, candidate algorithm profiles summarize the salient information that NIST accrued for each finalist, based on the results summarized in Section 3. Section 6 takes the information from the algorithm profiles and draws comparisons and contrasts, in terms of the advantages and disadvantages identified for each algorithm. Finally, Sec. 7 presents NIST's conclusion for its selection of Rijndael. Section 8 indicates some of the next steps that will occur in the AES development effort.

2. Selection Issues and Methodology

2.1 Approach to Selection

As the public comment period neared its closing date of May 15, 2000, NIST reconstituted its AES selection team (hereafter called the "team") that was used for the Round 1 selection of the finalists. This team was comprised of cross-disciplinary NIST security staff. The team reviewed the public comments, drafted this selection report and selected the algorithms to propose as the AES.

A few fundamental decisions confronted the team at the beginning of the selection process. Specifically, the team considered whether to:

* Take a quantitative or qualitative approach to selection;

The following sections briefly address these issues.

* Select one or multiple algorithms;

* Select a backup algorithm(s); and

* Consider public proposals to modify the algorithms.

2.2 Quantitative vs Qualitative Review

At one of its first meetings to plan for the post Round 2 activities, the team reviewed the possibility of conducting a quantitative approach as proposed in Ref. [87]. Using this process, each algorithm and combination of algorithms would receive a score based on the evaluation criteria [32]. If such a quantitative approach were feasible, it could provide an explicit assignment of values and allow a comparison of the algorithms. The quantitative approach would also provide explicit weighting of each AES selection factor. However, the consensus of the team was that the degree of subjectivity of many of the criteria would result in numeric figures that would be debatable. Moreover, the issue of quantitative review had been raised by the public at various times during the AES development effort (most recently at AES3), and there seemed to be little agreement regarding how different factors should be weighted and scored. Team members also expressed concern that determining a quantitative scoring system without si gnificant public discussion would give the impression that the system was unfair. For those reasons, the team concluded that a quantitative approach to selection was not workable, and decided to proceed as they did after Round 1. Namely, the team decided to review the algorithms' security, performance, implementation, and other characteristics, and to make a decision based upon an overall assessment of each algorithm--keeping in mind that security considerations were of foremost concern.