• Bruce Schneier
  • ZDNet
  • August 1999

A version of this essay appeared on

AES is the Advanced Encryption Standard, the encryption algorithm that will eventually replace DES. In 1997, the U.S. government (NIST, actually), solicited candidate algorithms for this standard. By June 1998 (the submission deadline), NIST received fifteen submissions. NIST asked for comments on these algorithms, with the intention of pruning the list to five finalists. NIST held an AES conference in Rome in April (this was the second AES conference, the first was the previous August in California), the comment deadline was in June, and last Monday NIST announced the finalists.

They are:

Mars, submitted by a large team at IBM.
RC6, from RSA Data Security (including Ron Rivest) Rijndael, from a team of excellent Belgian cryptographers
Serpent, by three very respected cryptographers, Ross Anderson, Eli Biham, and Lars Knudsen
Twofish, from Counterpane Systems, including myself

NIST didn’t just announce the five finalists. They published a 52-page report explaining their rationale—why they chose the algorithms they did and why they did not chose the algorithms they didn’t—and it is worth reading to peek at their decision process. It’s at…

The next step is to choose among the finalists. NIST is again soliciting comments on the algorithms, and there will be a third AES Candidate Conference in New York in April 2000, held in conjunction with the 7th Fast Software Encryption workshop. Comments are due by 15 May 2000, and then NIST will propose a standard. The AES will then go through the formal government approvals process and become a Federal Information Processing Standard (FIPS), and presumably will become the standard encryption algorithm for all sorts of international applications. Expect all this to happen by the summer of 2001; the government moves slowly.

Cryptographers are busily analyzing the submissions for security. It’s tempting to think of the process as a big demolition derby: everyone submits their algorithms and then attacks all the others…the last one standing wins. Really, it won’t be like that.

At the end of the analysis period, I don’t expect serious weaknesses to be found in any of the finalists. The winner will be chosen based on other factors: performance, flexibility, suitability.

This means that we need your input into this process. I know you’re not cryptographers, and you won’t be able to comment on the mathematics of the various submissions. But you can comment on your encryption requirements, and whether the algorithms will suit your needs.

AES will have to work in a variety of current and future applications, doing all sorts of different encryption tasks: 32-bit microprocessors, 64-bit microprocessors, small 8-bit smart cards, DSPs, FPGAs, custom ASICs, and everything else we can’t even imagine yet.

Choosing a single algorithm for all these applications is not easy, but that’s what we have to do. It might make more sense to have a family of algorithms, each tuned to a particular application, but there will be only one AES. And when AES becomes a standard, customers will want their encryption products to be “buzzword compliant.” They’ll demand it in hardware, in desktop computer software, on smart cards, in electronic-commerce terminals, and other places we never thought it would be used. Anything we pick for AES has to work in all those applications.

So how do you comment? NIST is accepting formal comments either on paper or by email. See for instructions. Be sure to identify who you represent and what cryptography interests you have. Remember, AES is going to be your cryptography standard for the 21st century. We need your help.

NIST Round 2 page:

FSE 2000:

Performance comparison of AES candidates:

Categories: Computer and Information Security, National Security Policy

Sidebar photo of Bruce Schneier by Joe MacInnis.