Report on the Development of the Advanced Encryption Standard - AES

Journal of Research of the National Institute of Standards and Technology, May-June, 2001 by James Nechvatal, Elaine Barker, Lawrence Bassham, William Burr, Morris Dworkin, James Foti, Edward Roback

The following issues and concerns were expressed during the team's discussions:

* For some algorithms, it is not clear how the algorithm would be fully defined (e.g., the key schedule) with a different number of rounds, or how such a change would impact the security analysis.

* Changing the number of rounds would impact the large amount of performance analysis from Rounds 1 and 2. All performance data for the modified algorithm would need to be either estimated or performed again. In some cases, especially in hardware and in memory-restricted environments, estimating algorithm performance for the new number of rounds would not be a straightforward process.

* There was a lack of agreement in the public comments regarding the number of rounds to be added, and which algorithms should be altered.

* The submitters had confidence in the algorithms as submitted, and there were no post-Round 1 "tweaked" proposals for an increased number of rounds.

After much discussion, and given the factors listed above, the team decided that it would be most appropriate to make its recommendation for the AES based on the algorithms as submitted (i.e., without changing the number of rounds).

3. Technical Details of the Round 2 Analysis

3.1 Notes on Sec. 3

The analyses presented in this paper were performed using the original specifications submitted for the finalists prior to the beginning of Round 2. Most of the analysis of MARS considered the Round 2 version [15], in which modifications had been made to the original submitted specifications [100]. Some of the studies--including the NIST software performance analyses [7] [28]--used algorithm source code that was provided by the submitters themselves.

While NIST does not vouch for any particular data items that were submitted, all data was taken into account. In some cases, the data from one study may not be consistent with that of other studies. This may be due, for example, to different assumptions made for the various studies. NIST took these differences into account and attempted to determine the general trend of the information provided. For the various case studies presented in Sec. 3, this report summarizes some of these analyses and results, but the reader should consult the appropriate references for more complete details.

3.2 General Security

Security was the foremost concern in evaluating the finalists. As stated in the original call for candidates [32], NIST relied on the public security analysis conducted by the cryptographic community. No attacks have been reported against any of the finalists, and no other properties have been reported that would disqualify any of them.

The only attacks that have been reported to date are against simplified variants of the algorithms: the number of rounds is reduced or simplified in other ways. A summary of these attacks against reduced-round variants, and the resources of processing, memory, and information that they require, is discussed in Sec. 3.2.1 and presented in Table 1.


 


Content provided in partnership with Thompson Gale