[ [Page 49091] ]
ACTION: Notice; Request for comments.
SUMMARY: A process to develop a Federal Information Processing Standard (FIPS) for Advanced Encryption Standard (AES) specifying an Advanced Encryption Algorithm (AEA) has been initiated by the National Institute of Standards and Technology (NIST). Earlier this year, candidate algorithms were nominated to NIST for consideration for inclusion in the AES. Those candidate algorithms meeting the minimum acceptability criteria have been announced by NIST and are available electronically at the address listed below.
This notice solicits comments on the candidate algorithms from the public, and academic and research communities, manufacturers, voluntary standards organizations, and Federal, state, and local government organizations. These comments will assist NIST in narrowing the field of AES candidates to five or fewer for more detailed examintation.
It is intended that the AES will specify an unclassified, publicly disclosed encryption algorithm available royalty-free worldwide that is capable of protecting sensitive government information well into the next century.
DATES: Public comments are due April 15, 1999.
Authors who wish to be considered to be invited to brief their papers at the Second AES Candidate Conference must submit their papers by February 1, 1999.
ADDRESS: Comments on the candidate algorithms should be sent to:
Comments may also be sent electronically to AESFirstRound@nist.gov.
Specifications of the candidate algorithms are available electronically, as is information on how to obtain software implementations of the candidate algorithms (for evaluation and analysis purposes) and information on the Second AES Candidate Conference.
Comments received in response to this notice will be made part of the public record and will be made available for inspection and copying in the Central Records and Reference Inspection Facility, Room 6020, Herbert C. Hoover Building, 14th Street between Pennsylvania and Constitution Avenues, NW, Washington, DC, 20230. Electronic comments received by NIST will be made available electronically [at the AES Home Page].
FOR FURTHER INFORMATION CONTACT: For general information, contact: Edward Roback, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899-8930; telephone 301-975-3696 or via fax at 301-948-1233.
Technical questions and questions related to a specific submission package may be made by contacting either Miles Smid at (301) 975-2938, or Jim Foti at (301) 975-5237.
Specifications of the candidate algorithms are available electronically at the AES home page. That site also contains information on ordering two CDROMs containing the AES candidate-related information. The first CDROM contains the same descriptions of the algorighm candidates available on the web site. The second CDROM contains the ANSI C and JavaTM referenced and optimized implementations which are available for algorithm testing purposes.
The second CDROM (candidate algorithm implementations) is subject to U.S. export controls for destinations outside the U.S. and Canada. Information is available on the web site regarding how interested parties outside the U.S. and Canada can obtain a copy of the second CDROM.
Note that, with a few exceptions, the submitters of candidate algorithms have only made their candidate algorithms publicly available for AES testing and evaluation purposes. Unless otherwise specified by the submitter, these algorithms are protected and may not be otherwise used (e.g., in commercial or non-commercial products).
Written comments on the candidate algorithms are solicited by NIST in this ``Round 1'' technical evaluation in order to help NIST reduce the field of AES candidates to five or fewer for the ``Round 2'' technical analysis. It is envisioned that this narrowing will primarily be based on security, efficiency, and intellectual property considerations. Comments are specifically sought on: (1) specific security, efficiency, intellectual property, and other aspects of individual AES candidate algorithms; and, (2) cross-cutting analyses of all candidates. As discussed below, NIST particularly would appreciate receiving recommendations (with supporting justification) for the specific five (or fewer) algorithms which should be considered for Round 2 analysis. To facilitate review of the comments, it would be useful if those submitting comments would clearly indicate the particular algorithm(s) to which their comments apply.
NIST will accept both: 1) general comments; and, 2) formal analysis/papers which will be considered for presentation at the ``Second AES Candidate Conference.''
Since comments submitted will be made available to the public, they must not contain proprietary information.
Comments and analysis are sought on any aspect of the candidate algorithms, including, but not limited to:
In the call for AES candidate algorithms (Federal Register, September 12, 1997 [Volume 62, Number 177], pages 48051-48058), NIST published evaluation criteria for use in reviewing candidate algorithms. For reference purposes, these are reproduced below. Comments are sought on the candidate algorithms and all aspects of the evaluation criteria.
Algorithms will be judged on the following factors:
Claimed attacks will be evaluated for practicality.
Computational efficiency essentially refers to the speed of the algorithm. NIST's analysis of computational efficiency will be made using each submission's mathematically optimized implementations on the platform specified under Round 1 Technical Evaluation below. Public comments on each algorithm's efficiency (particularly for various platforms and applications) will also be taken into consideration by NIST.
Memory requirements will include such factors as gate counts for hardware implementations, and code size and RAM requirements for software implementations.
Some examples of ``flexibility'' may include (but are not limited to) the following:
Comments are also sought specifically regarding any patents (particularly any not otherwise identified by the submitter of each candidate) that may be infringed by the practice of each nominated candidate algorithm.
Analysis comparing the entire field of candidates in a consistent manner for particular characteristics would be useful. Example of this type of analysis might include: (1) Comparisons of implementations of all algorithms written in the same programming language for memory use, timings for encryption/decryption/key setup/key change, and so forth; (2) comparisons of all algorithms against a particular cryptologic attack; or (3) comparison of all algorithms for infringement against a particular patent.
When all factors are considered, which candidate algorithms should be selected for the next round of evaluation and why? (Since NIST intends to select five or few algorithms for Round 2, it would be useful to identify five or fewer in this regard.) Also, conversely, identification and justification of which algorithms should NOT be selected for the next round of evaluation. Such comments (with supporting justifications) will be of great use to NIST and help assure timely progress of the AES selection process.
An open public conference is being planned for the spring of 1999 to discuss analyses of the candidate algorithms. Those individuals who have submitted particularly insightful and useful comments may be invited by NIST to present their papers at the conference. Panels may also be organized around individual algorithms or cross-cutting analysis topics. Also, submitters of candidate algorithms will be invited to attend and engage in discussions responding to comments regarding their candidates. Because of the anticipated volume of comments, not all authors of comments can be invited to participate on the official program. At the conference, NIST intends to provide a briefing of the results of its efficiency testing of the candidate algorithm implementations, along with any other testing it may have completed.
In order to allow for timely conference preparation, authors who wish to be considered on the official program of the Second AES Candidate Conference must have their papers submitted to NIST by February 1, 1999. (They are to be sent to the same address as the general comments but should also be annotated as ``conference paper candidate.'' They will automatically be entered into the public record of AES candidate comments.)
As details and registration procedures are finalized, they will be posted to [the AES home page].
For information regarding NIST's plans to test the candidate algorithms, the overall AES selection process, and the call for candidate algorithms, see NIST's notice in the Federal Register, September 12, 1997 (Volume 62, Number 177), pages 48051-48058, Announcing Request for Candidate Algorithm Nominations for the Advanced Encryption Standard (AES).
Dated: September 4, 1998.
Robert E. Hebner,
Acting Deputy Director.
[FR Doc. 98-24560 Filed 9-11-98; 8:45 am]
BILLING CODE 3510-CN-M
Last Modified: January 26, 2001
Technical contact: Morris Dworkin
Administrative/process questions: Elaine Barker, Bill Burr