AES); Cryptography; Cryptanaly- the Candidates

AES); Cryptography; Cryptanaly- the Candidates

Volume 104, Number 5, September–October 1999 Journal of Research of the National Institute of Standards and Technology [J. Res. Natl. Inst. Stand. Technol. 104, 435 (1999)] Status Report on the First Round of the Development of the Advanced Encryption Standard Volume 104 Number 5 September–October 1999 James Nechvatal, Elaine Barker, In 1997, the National Institute of Standards (MARS, RC6, Rijndael, Serpent and Donna Dodson, Morris Dworkin, and Technology (NIST) initiated a pro- Twofish) as finalists. The research results James Foti, and Edward Roback cess to select a symmetric-key encryption and rationale for the selection of the fi- algorithm to be used to protect sensitive nalists are documented in this report. National Institute of Standards and (unclassified) Federal information in The five finalists will be the subject of furtherance of NIST’s statutory responsi- further study before the selection of one or Technology, bilities. In 1998, NIST announced the more of these algorithms for inclusion in Gaithersburg, MD 20899-0001 acceptance of 15 candidate algorithms the Advanced Encryption Standard. and requested the assistance of the crypto- Key words: Advanced Encryption graphic research community in analyzing Standard (AES); cryptography; cryptanaly- the candidates. This analysis included an sis; cryptographic algorithms; initial examination of the security and encryption. efficiency characteristics for each al- gorithm. NIST has reviewed the results Accepted: August 11, 1999 of this research and selected five algorithms Available online: http://www.nist.gov/jres Contents 2.4.1.2 Other Architectural Issues ...........442 1. Overview of the Development Process for the Advanced 2.4.1.3 Software .........................442 Encryption Standard and Summary of Round 1 2.4.2 Measured Speed on General Platforms.........442 Evaluations ....................................... 436 2.4.3 Fair Speed ...............................443 1.1 Evaluation Criteria ..............................436 2.4.4 Memory Usage ...........................443 1.2 Results From Round 1 ...........................437 2.4.5 Encryption vs Decryption ...................443 1.3 Selection Process Prior to Round 2 .................437 2.4.6 Key Computation Options ...................443 1.4 Round 2 Finalists ...............................438 2.4.7 Other Versatility and Flexibility ..............444 1.5 Next Steps .....................................438 2.4.8 Key Agility ..............................444 2. Technical Details of the Round 1 Analysis ...............439 2.4.9 Variation of Speed with Key Length...........444 2.1 Abbreviations ..................................439 2.4.10 Potential for Parallelism/Optimal Theoretical 2.2 Organization of Sec. 2 ...........................439 Performance ..............................444 2.3 General Security................................439 2.5 Smart Card Implementations ......................445 2.3.1 Major Attacks ............................439 2.5.1 Low-End Suitability........................445 2.3.2 Lesser Attacks ............................439 2.5.2 Vulnerability of Operations to Timing and 2.3.3 Minimal Rounds and Security Margin .........440 Power Attacks ............................445 2.3.4 Provable Security Claims ...................440 2.5.3 Implicit Key Schedule Weaknesses............446 2.3.5 Design Paradigms, Ancestry, and Prior Art .....440 2.5.3.1 A Power Analysis Variant............446 2.3.6 Simplicity, Cleanness, and Confidence.........441 2.5.3.2 Another Power Analysis Variant.......447 2.4 Efficiency .....................................441 2.5.4 Some Possible Defenses ....................447 2.4.1 Platforms ................................441 2.5.5 Performance ..............................447 2.4.1.1 Machine Word Size ................441 2.5.6 Related Environments ......................448 435 Volume 104, Number 5, September–October 1999 Journal of Research of the National Institute of Standards and Technology 2.6 Profiles of the Candidates ........................448 published notice [18], NIST solicited public comments 2.6.1 CAST-256 ...............................448 on the candidates. A Second AES Candidate Confer- 2.6.2 CRYPTON ...............................448 2.6.3 DEAL...................................449 ence (AES2) was held in March 1999 to discuss the 2.6.4 DFC ....................................449 results of the analysis conducted by the global crypto- 2.6.5 E2 ......................................449 graphic community on the candidate algorithms. The 2.6.6 FROG ...................................449 public comment period on the initial review of the 2.6.7 HPC ....................................449 algorithms closed on April 15, 1999. 2.6.8 LOKI97 .................................450 2.6.9 MAGENTA ..............................450 Using the analyses and comments received, NIST 2.6.10 MARS ..................................450 selected 5 finalist algorithms from the 15. The selected 2.6.11 RC6 ....................................450 algorithms are MARS, RC6, Rijndael, Serpent and 2.6.12 Rijndael .................................451 Twofish. These algorithms will receive further analysis 2.6.13 SAFER+.................................451 during a second, more in-depth review period prior to 2.6.14 Serpent ..................................451 2.6.15 Twofish .................................451 the selection of the final AES algorithm(s). 2.7 Assessments of the Candidates ....................452 The remainder of Sec. 1 summarizes the evaluation 2.7.1 Candidates with Major Security Attacks .......452 process and briefly describes the selected algorithms. 2.7.2 Candidates without Major Security Attacks.....452 Section 2 of this report contains the technical details of 2.7.3 Candidates Selected for Round 2 .............453 the analyses conducted during Round 1. 2.8 Modified Versions...............................454 2.8.1 CRYPTON ...............................454 2.8.2 HPC ....................................454 1.1 Evaluation Criteria 2.8.3 MARS ..................................454 2.8.4 SAFER+.................................455 In the call for candidate algorithms [17], NIST speci- 2.9 Conclusion ....................................455 fied the evaluation criteria that would be used to com- 3. Appendix A. Tables .................................455 4. References.........................................458 pare the candidate algorithms. These criteria were developed from public comments to [16] and from the discussions at a public AES workshop held on April 15, 1. Overview of the Development Process 1997 at NIST. for the Advanced Encryption Standard The evaluation criteria are divided into three major and Summary of Round 1 Evaluations categories: 1) Security, 2) Cost, and 3) Algorithm and Implementation Characteristics. Security is the most The National Institute of Standards and Technology important factor in the evaluation, and it encompasses (NIST) has been working with industry and the crypto- features such as: resistance of the algorithm to crypt- graphic community to develop an Advanced Encryption analysis, soundness of its mathematical basis, random- Standard (AES). The overall goal is to develop a ness of the algorithm output, and relative security as Federal Information Processing Standard (FIPS) that compared to other candidates. specifies an encryption algorithm(s) capable of protect- Cost is a second important area of evaluation that ing sensitive (unclassified) government information encompasses licensing requirements, computational well into the next century. The algorithm(s) is expected efficiency (speed) on various platforms, and memory to be used by the U.S. Government and, on a voluntary requirements. Since one of NIST’s goals is that the final basis, by the private sector. AES algorithm(s) be available worldwide on a royalty- On January 2, 1997, NIST announced the initiation of free basis, intellectual property claims and potential an effort to develop the AES [16] and made a formal conflicts must be considered in the selection process. call for algorithms on September 12, 1997 [17]. The call The speed of the algorithms on a wide variety of plat- stipulated that the AES would specify an unclassified, forms must also be considered. During Round 1, the publicly disclosed encryption algorithm(s), available focus was primarily on the speed associated with royalty-free, worldwide. In addition, the algorithm(s) 128 bit keys. Additionally, memory requirements must implement symmetric key cryptography as a and constraints for software implementations of the block cipher and (at a minimum) support a block size candidates are important considerations. of 128 bits and key sizes of 128 bits, 192 bits, and The third area of evaluation is algorithm and imple- 256 bits. mentation characteristics such as flexibility, hardware On August 20, 1998, NIST announced its acceptance and software suitability, and algorithm simplicity. of 15 AES candidate algorithms at the First AES Candi- Flexibility includes the ability of an algorithm: 1) to date Conference (AES1). These algorithms had been handle key and block sizes beyond the minimum that submitted by members of the cryptographic community must be supported, 2) to be implemented securely and from around the world. At that conference and in a efficiently in many different types of environments, and 436 Volume 104, Number 5, September–October 1999 Journal of Research of the National Institute of Standards and Technology

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    25 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us