(On November 2, 1998, the following information was distributed to all submitters, and posted under the "Miscellaneous Issues" Forum at http://aes.nist.gov.) Subject: Revisions to AES Candidates? At the First AES Conference - and more recently, too - questions have been raised about submitters who are supposedly changing their algorithm specifications. This note is an attempt to clarify that situation, and make both submitters and evaluators aware of NIST position on that topic. *** The algorithms as they appear on NIST's CD-ROMs and AES home page are the OFFICIAL ROUND 1 versions. If weaknesses are discovered in an algorithm, and they can be addressed with a minor modification, then certainly a submitter may INFORMALLY propose such a modification on our AES electronic forum (http://aes.nist.gov). Note that this proposal will NOT be considered as part of the OFFICIAL ROUND 1 version of the algorithm. NIST will take into account such proposals - and all other information about each algorithm - as it narrows down the field of candidates for Round 2. NIST stated that "substantial redesigns" would be unacceptable, and several examples of such redesigns include the major restructuring of key schedules and/or round functions. To determine whether or not a proposed modification is acceptable for Round 2, NIST will have to examine each proposal on a case-by-case basis, and weigh public comments regarding the acceptability of such a proposal. *** The Sept. 12, 1997 call for candidate AES algorithms clearly addresses this issue in Section 6, "Plans for Candidate Evaluation Process" (Note that asterisks have been added for emphasis.): "During the Round 1 public review, NIST intends to technically evaluate the candidate algorithms as outlined in the Round 1 Technical Evaluation section below. Note that NIST does not intend to conduct its own cryptanalysis, but, rather it will review the public evaluations of the candidate algorithms' cryptographic strengths and weaknesses, and NIST will use these in determining if an algorithm meets the objectives of the AES. ***Because of limited resources, and also to avoid moving evaluation targets (i.e., modifying the submitted algorithms undergoing public review), NIST will ***not*** accept modifications to the submitted algorithms during Round 1.*** . . . [Discussion of Second AES Candidate Conference and narrowing of the field to approximately five candidates.] . . . Before the start of Round 2 evaluation, submitters have the option of providing updated mathematically optimized implementations for use during the second phase of evaluation (for those algorithms remaining in the Round 2 evaluation). ***During the course of Round 1 evaluations it is conceivable that some small deficiencies may be identified in even some of the most promising candidates. Therefore, for the Round 2 evaluations, small modifications to the submitted algorithms will be permitted for either security or efficiency purposes. Submitters may submit minor changes (no substantial redesigns) along with a supporting explanation/justification (see below) which must be received by NIST prior to the beginning of Round 2. (Submitters will be notified by NIST of the exact deadline.)*** " [For the complete text, please see .]