Advanced Encryption Standard process
from Wikipedia

The Advanced Encryption Standard (AES), the symmetric block cipher ratified as a standard by the United States National Institute of Standards and Technology (NIST), was chosen through a process lasting from 1997 to 2000 that was markedly more open and transparent than the one used for its predecessor, the Data Encryption Standard (DES). This process won praise from the open cryptographic community and helped to increase confidence in the security of the winning algorithm among those who suspected that DES contained backdoors.

A new standard was needed primarily because DES had a relatively small 56-bit key, which was becoming vulnerable to brute-force attacks. In addition, DES was designed primarily for hardware and was relatively slow when implemented in software.[1] While Triple-DES avoids the problem of a small key size, it is very slow even in hardware, it is unsuitable for limited-resource platforms, and it may be affected by potential security issues connected with its (today comparatively small) block size of 64 bits.

Start of the process

On January 2, 1997, NIST announced that they wished to choose a successor to DES to be known as AES. Like DES, this was to be "an unclassified, publicly disclosed encryption algorithm capable of protecting sensitive government information well into the next century."[2] However, rather than simply publishing a successor, NIST asked for input from interested parties on how the successor should be chosen. Interest from the open cryptographic community was immediately intense, and NIST received a great many submissions during the three-month comment period.

The result of this feedback was a call for new algorithms on September 12, 1997.[3] The algorithms were all to be block ciphers, supporting a block size of 128 bits and key sizes of 128, 192, and 256 bits. Such ciphers were rare at the time of the announcement; the best known was probably Square.

Rounds one, two, and three

In the nine months that followed, fifteen designs were created and submitted from several countries. They were, in alphabetical order: CAST-256, CRYPTON, DEAL, DFC, E2, FROG, HPC, LOKI97, MAGENTA, MARS, RC6, Rijndael, SAFER+, Serpent, and Twofish.

In the ensuing debate, many advantages and disadvantages of the candidates were investigated by cryptographers; they were assessed not only on security, but also on performance in a variety of settings (PCs of various architectures, smart cards, hardware implementations) and on their feasibility in limited environments (smart cards with very limited memory, low gate count implementations, FPGAs).

Some designs fell due to cryptanalysis that ranged from minor flaws to significant attacks, while others lost favour due to poor performance in various environments or through having little to offer over other candidates. NIST held two conferences to discuss the submissions (AES1, August 1998 and AES2, March 1999[4][5][6]), and in August 1999 they announced[7] that they were narrowing the field from fifteen to five: MARS, RC6, Rijndael, Serpent, and Twofish. All five algorithms, commonly referred to as "AES finalists", were designed by cryptographers considered well-known and respected in the community. The AES2 conference votes were as follows:[8]

  • Rijndael: 77 positive, 1 negative
  • RC6: 79 positive, 6 negative
  • Twofish: 64 positive, 3 negative
  • MARS: 58 positive, 6 negative
  • Serpent: 52 positive, 7 negative
  • E2: 27 positive, 13 negative
  • CAST-256: 16 positive, 18 negative
  • SAFER+: 20 positive, 24 negative
  • DFC: 22 positive, 27 negative
  • Crypton: 16 positive, 31 negative
  • DEAL: 1 positive, 71 negative
  • HPC: 1 positive, 78 negative
  • MAGENTA: 1 positive, 84 negative
  • Frog: 1 positive, 86 negative
  • LOKI97: 1 positive, 86 negative

A further round of intense analysis and cryptanalysis followed, culminating in the AES3 conference in April 2000, at which a representative of each of the final five teams made a presentation arguing why their design should be chosen as the AES. The AES3 conference votes were as follows:[9]

  • Rijndael: 86 positive, 10 negative
  • Serpent: 59 positive, 7 negative
  • Twofish: 31 positive, 21 negative
  • RC6: 23 positive, 37 negative
  • MARS: 13 positive, 84 negative

Selection of the winner

On October 2, 2000, NIST announced[10] that Rijndael had been selected as the proposed AES and began the process of making it the official standard by publishing the draft FIPS in the Federal Register[11] on February 28, 2001 to solicit comments. On November 26, 2001, NIST announced that AES had been approved as FIPS PUB 197.

NIST won praise from the cryptographic community for the openness and care with which it ran the standards process. Bruce Schneier, one of the authors of the losing Twofish algorithm, wrote after the competition was over that "I have nothing but good things to say about NIST and the AES process."[12]

from Grokipedia
The Advanced Encryption Standard (AES) is a symmetric block cipher approved by the U.S. National Institute of Standards and Technology (NIST) for securing electronic data through encryption and decryption. It operates on fixed 128-bit blocks with key lengths of 128, 192, or 256 bits. Based on the Rijndael algorithm developed by Joan Daemen and Vincent Rijmen, AES was selected in 2000 following a public competition initiated by NIST in 1997 to replace the aging Data Encryption Standard (DES). The process involved a call for algorithm proposals in 1997, initial screening of 15 candidates in 1998, two rounds of detailed analysis in 1999 that reduced the field to five finalists, and a final round of scrutiny in 2000 that confirmed Rijndael's security and performance advantages. It was formally published as Federal Information Processing Standard (FIPS) 197 in November 2001. The selected algorithm demonstrated robust resistance to known cryptanalytic attacks, such as differential and linear cryptanalysis, as evaluated during the competition rounds, making it suitable for government and commercial applications.

Background and Initiation

Need for Replacing DES

The Data Encryption Standard (DES), adopted by the National Institute of Standards and Technology (NIST) in 1977 as Federal Information Processing Standard (FIPS) 46, served as the primary symmetric-key cipher for protecting unclassified but sensitive U.S. government data for nearly two decades. However, DES's 56-bit key length, which allows only 2^56 possible keys, became increasingly vulnerable to brute-force attacks as computational power advanced, with specialized hardware enabling exhaustive key searches that were once deemed impractical. A pivotal demonstration of DES's insecurity came from the Electronic Frontier Foundation (EFF), which initiated its DES cracker project in 1997 and successfully broke a DES-encrypted message in 56 hours on July 15, 1998, using a custom-built machine costing under $250,000 that searched 88 billion keys per second. This event underscored the practical feasibility of cracking DES with off-the-shelf technology, accelerating calls for a successor algorithm. As an interim solution pending the development of AES, NIST approved the use of the Triple Data Encryption Algorithm (3DES) in 1999 through FIPS 46-3, which mitigates DES's weaknesses by encrypting data three times with different keys, providing an effective 168-bit key length.

In response to these growing threats, NIST began serious planning for a DES replacement in 1996, formally recognizing by 1997 the urgent need for a more robust symmetric cipher to safeguard federal information systems against emerging computational capabilities. The agency emphasized that DES no longer provided adequate protection for unclassified but sensitive data in an era of escalating processing speeds and resources. To address these limitations and ensure long-term security, NIST specified that the new standard must support a 128-bit block size and key lengths of 128, 192, or 256 bits, offering exponentially greater resistance to brute-force and other attacks than DES. These requirements were intended to keep the algorithm secure against anticipated advances in hardware and cryptanalytic techniques for at least several decades.
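The two arguments for retiring DES made in this section and in the introduction above (a 56-bit key against a fast key-search machine, and a 64-bit block size) can be made concrete with a little arithmetic. The following Python is an added worked example, not text from the page or from NIST: it takes the figures quoted here (2^56 keys, 88 billion keys per second, 128/192/256-bit AES keys) and computes expected key-search times, then applies the birthday bound to show how much data a 64-bit block cipher can encrypt under one key before ciphertext-block collisions become likely, compared with AES's 128-bit block. The collision-probability formula and the thresholds used in the demo are my choices for illustration.

```python
import math

# Figures taken from the page: DES has a 56-bit key; the EFF DES cracker searched
# 88 billion keys per second; the page credits Triple-DES with an effective 168-bit
# key; AES keys are 128, 192 or 256 bits; DES blocks are 64 bits, AES blocks 128.


def bruteforce_seconds(key_bits, keys_per_second, fraction=1.0):
    """Time to search `fraction` of a key space at a given rate.

    fraction=1.0 is the worst case; 0.5 is the average case, because the
    correct key is equally likely to sit anywhere in the space."""
    return (2 ** key_bits) * fraction / keys_per_second


def blocks_until_collision(block_bits, probability):
    """Number of ciphertext blocks after which two of them collide with the
    given probability (birthday bound, my illustrative approximation).

    Uses P(collision) ~ 1 - exp(-n^2 / (2N)) with N = 2**block_bits, hence
    n = sqrt(2 N ln(1 / (1 - P))). In CBC mode a colliding ciphertext block
    leaks the XOR of two plaintext blocks, which is why a 64-bit block limits
    how much data may safely be encrypted under one key."""
    n_space = 2 ** block_bits
    return math.sqrt(2 * n_space * math.log(1 / (1 - probability)))


def safe_bytes_before_collision(block_bits, probability):
    """Ciphertext volume (bytes) at which the collision probability is reached."""
    return blocks_until_collision(block_bits, probability) * (block_bits // 8)


def seconds_to_human(seconds):
    """Render a duration as hours, days or years, whichever fits best."""
    year = 365.25 * 24 * 3600
    if seconds < 48 * 3600:
        return f"{seconds / 3600:.1f} hours"
    if seconds < 2 * year:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / year:.3g} years"


if __name__ == "__main__":
    eff_rate = 88e9  # keys per second, as quoted on the page for the EFF machine
    for name, bits in [("DES", 56), ("Triple-DES (168-bit)", 168),
                       ("AES-128", 128), ("AES-256", 256)]:
        avg = bruteforce_seconds(bits, eff_rate, fraction=0.5)
        print(f"{name:22s} average search at EFF rate: {seconds_to_human(avg)}")
    for bits in (64, 128):
        gb = safe_bytes_before_collision(bits, 0.5) / 1e9
        print(f"{bits}-bit blocks: 50% collision chance after about {gb:.3g} GB")
```

Running the block shows that the average DES search takes a few days at the quoted rate while even AES-128 takes more than 10^19 years, and that a 64-bit block reaches a 50% collision chance after roughly 40 GB of ciphertext under one key, versus hundreds of exabytes for a 128-bit block.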

Announcement of the AES Program

In response to the growing vulnerabilities of the Data Encryption Standard (DES), particularly its 56-bit key length, the National Institute of Standards and Technology (NIST) initiated the development of a successor encryption standard. On January 2, 1997, NIST published a notice in the Federal Register announcing its intent to establish the Advanced Encryption Standard (AES) program as a replacement for DES and soliciting public input to guide the process. This announcement marked the formal launch of the AES development effort under NIST's Computer Security Division, with the primary goal of creating a voluntary Federal Information Processing Standard (FIPS) to protect sensitive unclassified government information well into the next century. Building on the feedback received, NIST issued a formal call for algorithm nominations on September 12, 1997, also published in the Federal Register, emphasizing an open and transparent public evaluation process that encouraged international participation. The program outlined initial broad criteria for candidate algorithms, requiring them to be symmetric block ciphers that were in the public domain or freely licensable without royalty fees, and designed for efficient implementation in both software and hardware environments.

Call for Proposals and Submissions

Published Criteria for Algorithms

In September 1997, following the January 1997 announcement and an April workshop to refine draft requirements based on public comments, NIST published a detailed solicitation in the Federal Register calling for nominations of candidate algorithms for the Advanced Encryption Standard (AES). This solicitation specified that algorithms must be symmetric block ciphers with a fixed 128-bit block size and support for key lengths of 128, 192, and 256 bits, with optional support for additional key sizes to allow flexibility in security levels. The mandatory criteria required algorithms to provide high resistance against all known cryptanalytic attacks, including differential, linear, and related-key attacks, and obliged submitters to provide a detailed analysis of the algorithm's work factor and any potential weaknesses. Performance was a key criterion, demanding efficient implementation across diverse platforms, such as high-end software environments (e.g., on Intel processors) and limited-resource hardware like 8-bit microprocessors and smart cards, for both encryption and decryption operations, with emphasis on throughput, memory usage, and power consumption where applicable. Additionally, designs had to be simple and elegant to facilitate independent cryptanalytic review, avoiding unnecessary complexity while supporting variable key lengths without mode-specific dependencies.

Procedural rules for submissions were stringent in order to promote transparency and openness: each nomination package had to include a complete technical specification, reference and optimized implementations in ANSI C and Java, comprehensive test vectors for validation, performance estimates across specified platforms, and a formal statement affirming that the algorithm was unencumbered by patents or other restrictions and available worldwide under terms consistent with U.S. government use. NIST encouraged submitters to design algorithms amenable to analysis by the cryptographic community, committing to a multi-round public evaluation process involving open conferences, independent expert reviews, and iterative rounds of testing over approximately three to four years, culminating in the selection of a single standard by 2000.

Receipt and Initial Screening of Proposals

The call for proposals for the Advanced Encryption Standard (AES) culminated in a submission deadline of June 15, 1998, by which NIST had received 21 algorithm packages from contributors in 12 countries. These submissions represented a diverse international effort, with proposals originating from academic, industry, and independent researchers responding to NIST's public solicitation for royalty-free, unclassified symmetric block ciphers meeting specified security and performance criteria. Following receipt, NIST's internal AES review team conducted an initial screening to assess each submission for completeness, compliance with the published criteria (including support for 128-bit blocks and key sizes of 128, 192, and 256 bits), and basic validity, such as verifiable reference implementations and legal agreements ensuring royalty-free status. Six proposals were rejected, primarily because of incompleteness (missing documentation, non-compiling code, or failure to provide all required components) or because of issues such as potential patent restrictions that violated the royalty-free requirement. The remaining 15 algorithms were accepted as official candidates and advanced to the first round of public evaluation. On August 20, 1998, NIST announced the 15 accepted candidates during the First AES Candidate Conference (AES1), inviting broader cryptographic community input to inform subsequent analyses. The selected algorithms, listed in alphabetical order, were:
  • CAST-256
  • CRYPTON
  • DEAL
  • DFC
  • E2
  • FROG
  • HPC (Hasty Pudding Cipher)
  • LOKI97
  • MAGENTA
  • MARS
  • RC6
  • Rijndael
  • SAFER+
  • Serpent
  • Twofish
This initial vetting by NIST's team, combined with the open submission process, ensured a rigorous starting pool selected for its potential in security, efficiency, and flexibility.

First Round Evaluation

The 15 Candidate Algorithms

In August 1998, NIST announced the selection of 15 candidate algorithms for the first round of evaluation in the Advanced Encryption Standard (AES) development process. These candidates shared common traits as symmetric-key block ciphers, all supporting a 128-bit block size and key sizes of 128, 192, and 256 bits, with designs originating from diverse academic, industry, and international teams across 12 countries. Each submission package included detailed specifications, reference implementations in multiple programming languages, test vectors, and commitments to ongoing analysis by the submitters. The candidates encompassed a variety of architectural approaches, including Feistel networks, substitution-permutation networks (SPNs), and hybrid structures. Below are concise overviews of their designs:
  • CAST-256, submitted by Carlisle Adams and Stafford Tavares of Entrust Technologies (Canada), employs an extended Feistel network with 48 rounds, incorporating fixed and variable rotations, table lookups, and modular additions/subtractions for diffusion.
  • CRYPTON, proposed by Chae Hoon Lim of Korea Advanced Institute of Science and Technology (South Korea), uses an SPN structure with 12 rounds, featuring data-dependent rotations, Boolean functions, and S-box lookups to promote parallelism.
  • DEAL, developed by Lars Knudsen of Katholieke Universiteit Leuven (Belgium), adopts a balanced Feistel network processing 128-bit blocks in 64-bit sub-blocks over 18 rounds (6 rounds per key size variant), relying on DES-like operations including XOR and modular addition.
  • DFC, from Jacques Patarin and the CNRS team (France), features a Feistel-like structure with 8 rounds, utilizing 64-bit multiplications for key mixing and linear feedback shift registers for enhanced diffusion.
  • E2, submitted by NTT (Japan), implements a 12-round SPN with data whitening, employing cyclic shifts, XOR operations, and key-dependent transformations to support efficient parallel processing.
  • FROG, by the TecApro team (Denmark), employs a non-standard 8-round structure with key-dependent permutations and substitution tables, emphasizing simplicity in its round function design.
  • HPC (Hasty Pudding Cipher), designed by Richard Schroeppel of the University of Illinois (USA), uses a variable-round (typically 72 for 256-bit keys) pipeline structure with quadratic residues for key scheduling and multiplications for core mixing.
  • LOKI97, proposed by Lawrie Brown, Josef Pieprzyk, and Jennifer Seberry of the University of Wollongong (Australia), follows a 16-round Feistel network with fixed S-boxes, rotations, and linear feedback functions for key expansion.
  • MAGENTA, from Michael Jacobson Jr., Lutz Brandt, and Klaus Huber of MDR AG (Germany), utilizes an unbalanced 18-round Feistel structure with modular arithmetic and key-dependent rotations to achieve diffusion.
  • MARS, developed by the IBM team led by Don Coppersmith (USA), combines a 32-round hybrid of Feistel and SPN layers, incorporating S-boxes, multiplications, and data-dependent rotations alongside key whitening.
  • RC6, submitted by Ron Rivest, Matt Robshaw, Ray Schneider, and Theo Schuster of RSA Laboratories (USA), employs a 20-round Feistel-like network with four parallel registers, featuring data-dependent rotations and 32-bit multiplications.
  • Rijndael, by Joan Daemen and Vincent Rijmen (Belgium), adopts an SPN with variable rounds (10 for 128-bit keys, 12 for 192-bit, 14 for 256-bit), using byte-oriented substitutions, row shifts, column mixing, and key addition for wide-trail diffusion.
  • SAFER+, proposed by James Massey and the Cylink team (Switzerland/USA), implements an 8-round SPN with linear and nonlinear layers, relying on 8-bit additions, XORs, and key-dependent expansions for simplicity.
  • Serpent, designed by Ross Anderson (UK), Eli Biham (Israel), and Lars Knudsen (Denmark/Norway), features a 32-round SPN with 8-bit S-boxes in a bit-slicing approach, horizontal and vertical mixing via linear transformations and key XORs.
  • Twofish, from Bruce Schneier and the Counterpane team (USA), uses a 16-round Feistel network with pre- and post-whitening, incorporating key-dependent S-boxes, MDS matrices, and pseudo-Hadamard transforms for flexibility.

Analysis Methods and AES1 Conference

The first round of the AES evaluation process spanned from August 20, 1998, to April 15, 1999, with a primary emphasis on assessing the basic security and efficiency of the candidate algorithms across diverse platforms. Security analysis centered on resistance to known attacks, particularly differential and linear cryptanalysis, while performance evaluations measured speed, memory usage, and efficiency. NIST encouraged public analysis by the global cryptographic community, providing test vectors to validate algorithm correctness and properties. These vectors enabled independent verification and helped identify implementation flaws early. For performance, NIST and submitters conducted benchmarks on representative hardware and software platforms, including 32-bit processors like the Intel Pentium II, 64-bit systems, and resource-constrained environments like 8-bit microcontrollers and smart cards. Metrics focused on throughput in cycles per byte for encryption and key setup, with results highlighting variations in efficiency; for instance, some algorithms needed over 1000 cycles per block on embedded devices, underscoring scalability challenges. Unlike later rounds, no formal elimination occurred; instead, the process provided feedback to algorithm designers for potential refinements based on preliminary findings.

The inaugural AES Candidate Conference (AES1), held August 20-22, 1998, marked the official start of Round 1 evaluations and drew over 200 attendees from the international cryptographic community. Sponsored by NIST, the event featured presentations from algorithm submitters detailing their designs, underlying principles, and initial security arguments. Discussions emphasized early strengths and potential weaknesses, fostering open dialogue on evaluation criteria and encouraging collaborative analysis. At the conference, NIST formally announced acceptance of the 15 candidate algorithms that had passed initial screening. Key outcomes from Round 1 and AES1 included the identification of minor security issues in several candidates, such as weak keys in CRYPTON and related-key attacks on SAFER+, which prompted submitter responses but did not disqualify any proposals. For one candidate, early analyses revealed structural weaknesses in its diffusion mechanism, particularly during decryption, rendering it vulnerable to certain differential attacks despite its innovative design. Overall, the round produced valuable preliminary data on security margins and performance trade-offs, with no major breaks discovered, allowing all 15 candidates to advance to the second round for deeper scrutiny. This open process strengthened community trust in the selection and highlighted the algorithms' general robustness against basic threats.

Advancement to Finalists

Second Round Analysis and AES2 Conference

Following the foundational analyses conducted during the first round, which ended with the public comment period on April 15, 1999, the National Institute of Standards and Technology (NIST) advanced all 15 candidate algorithms for further analysis, as initial reviews revealed no distinguishing weaknesses warranting elimination of any. Unlike typical competitions, no algorithms were eliminated after round 1; all remained under consideration for finalist selection. This additional scrutiny, building on round 1, featured intensified cryptanalysis and comprehensive performance assessments, emphasizing deeper evaluation of security properties, implementation costs, resistance to side-channel attacks, and feedback from international cryptographic experts, with performance metrics gathered across more than 10 hardware and software platforms. Cryptanalytic efforts advanced beyond differential and linear methods, incorporating newer techniques to probe for structural vulnerabilities in reduced-round versions of the candidates. This phase accumulated a body of attack results, including successful reduced-round breaks on algorithms like LOKI97, where weaknesses in the round function allowed partial key recovery with feasible computational resources. These findings, combined with hardware simulations and software benchmarks, provided critical data on trade-offs between security margins and practical deployment, informing the narrowing of the candidate pool and the selection of finalists on August 9, 1999.

The Second AES Candidate Conference (AES2), held March 22-23, 1999, near the end of round 1, served as a pivotal forum for discussing first-round analyses and insights that informed NIST's subsequent finalist selection. Attended by nearly 200 researchers, the event focused on submitter presentations responding to emerging cryptanalytic concerns, discussions of partial performance data, and strategies for ongoing scrutiny to guide refinement. Proceedings from AES2, including 28 technical papers, highlighted international collaboration and helped prioritize areas like side-channel resilience, setting the stage for the additional analyses that followed. Overall, the conference fostered transparent dialogue, ensuring that diverse perspectives shaped the outcomes leading to the finalists.

Selection of the Five Finalists

On August 9, 1999, the National Institute of Standards and Technology (NIST) announced the selection of five finalist algorithms for the Advanced Encryption Standard (AES) process: MARS, developed by a team at IBM; RC6, submitted by RSA Laboratories; Rijndael, proposed by Joan Daemen and Vincent Rijmen; Serpent, created by Ross Anderson, Eli Biham, and Lars Knudsen; and Twofish, designed by a team including Bruce Schneier. This decision followed the analyses from round 1, including cryptographic scrutiny and performance evaluations presented at the AES2 conference in March 1999, along with additional post-round 1 review. The selection prioritized algorithms with the strongest overall profiles across NIST's established criteria. Security was the primary factor, emphasizing resistance to known and potential cryptanalytic attacks, such as differential and linear cryptanalysis, with an expectation that successful attacks would require computational effort exceeding 2^100 operations to ensure a substantial margin beyond brute-force feasibility. Secondary considerations included efficiency (measured by speed, memory usage, and performance across diverse software and hardware platforms) and design simplicity, which aids verification, implementation, and long-term analysis. No quantitative weighting was applied because of the qualitative nature of security assessments, but security dominated the evaluation. The chosen finalists demonstrated no fatal flaws, robust margins, balanced performance, and a sufficient volume of independent analysis, making them suitable for further scrutiny in round 2. In contrast, the other ten candidates were eliminated because of identified weaknesses, insufficient analytical depth, or inadequate trade-offs; for instance, CRYPTON was discarded following discoveries of linear cryptanalytic attacks that compromised its margins. With the finalists identified, NIST initiated the round 2 evaluation, a dedicated public review period from August 1999 to May 15, 2000, culminating in the AES3 conference and the ultimate selection of the standard.

Final Evaluation and Selection

Third Round Scrutiny and AES3 Conference

The third round of the AES evaluation process, focusing on the five finalist algorithms (MARS, RC6, Rijndael, Serpent, and Twofish), began in August 1999 and extended through May 2000, emphasizing exhaustive cryptanalysis and performance benchmarking across diverse platforms. During this period, numerous cryptanalysts from the global cryptographic community contributed analyses, with NIST soliciting formal public comments on security, implementation, and intellectual property issues until May 15, 2000. The evaluation prioritized full-round security assessments, including differential and impossible differential attacks, as well as real-world viability through tests on software environments like 32-bit and 64-bit CPUs, PA-RISC and IA-64 processors, and ANSI C and Java implementations. Hardware benchmarks were conducted on Xilinx FPGAs (Virtex and XC4000 families) using VHDL, and on CMOS ASIC libraries such as Mitsubishi's 0.35-micron process, measuring metrics like throughput, critical path delay, and area efficiency in iterative, unrolled, and pipelined architectures.

Cryptanalytic efforts revealed vulnerabilities in reduced-round versions of the finalists but no complete breaks of the full algorithms. For instance, an impossible differential attack was demonstrated on one finalist, targeting up to 15 rounds with a complexity of approximately 2^170 operations. Rijndael faced collision attacks on 7 rounds requiring 2^32 chosen plaintexts for 192- and 256-bit keys, alongside attacks on 8 rounds (out of 10-14 total rounds depending on key size). Another finalist endured related-key attacks on 6 rounds, while Serpent showed resilience, with no effective attacks beyond 9 rounds (out of 32 total rounds), maintaining a substantially higher margin than the other finalists; NIST classified Serpent's margin as "high", in contrast to Rijndael's "adequate" margin, where attacks reached a larger proportion of the rounds. MARS was susceptible to amplified attacks on 11-round cores using 2^65 chosen plaintexts. These analyses, often presented at cryptanalysis retreats in fall 1999, including one in San Jose, underscored the algorithms' robustness against known attacks while highlighting margins for potential future threats. Post-selection, AES (Rijndael) has undergone further theoretical scrutiny, exemplified by the 2011 biclique attack on full AES-128, which marginally reduces brute-force complexity from 2^128 to 2^126.1 operations but remains impractical.

The AES3 Conference, held April 13-14, 2000, served as the culminating public forum for these evaluations, attracting over 230 attendees from at least 26 countries, including algorithm submitters, NIST staff, and researchers from organizations like the NSA and Mitsubishi Electric. Sessions featured presentations on cryptanalytic results, such as impossible differentials and reduced-round attacks on Rijndael and other finalists, alongside hardware and software performance data from platforms including smart cards and DSPs. Submitters provided statements on their algorithms' designs, and panel discussions addressed key agility, flexibility for varying block and key sizes, and implementation challenges. While no formal voting occurred, attendee feedback emphasized preferences for algorithms balancing security and efficiency, with debates focusing on long-term viability rather than immediate breaks. Overall, the third round confirmed that none of the finalists suffered a full-round break, affirming their security for the long-term protection intended by NIST (approximately 20-30 years from selection). These insights, drawn from global contributions and the conference, informed NIST's final deliberations without identifying any disqualifying weaknesses, though trade-offs emerged in discussions: Serpent offered the highest security margin but at the cost of slower performance, while Rijndael demonstrated superior speed and adaptability across hardware and software environments.

Criteria for Winner and Choice of Rijndael

The final criteria for selecting the winner of the Advanced Encryption Standard (AES) competition prioritized security above all else, requiring that the algorithm demonstrate resistance to all known cryptanalytic attacks with a substantial margin while exhibiting no practical vulnerabilities that could be exploited in real-world applications. Secondary considerations included computational efficiency and cost across diverse platforms (software on general-purpose processors, hardware implementations in ASICs and FPGAs, and resource-constrained environments), along with flexibility in supporting multiple key lengths (128, 192, and 256 bits) and ease of implementation to minimize errors and side-channel vulnerabilities. These criteria were applied holistically to the five finalists (MARS, RC6, Rijndael, Serpent, and Twofish) based on the third-round evaluations, emphasizing an optimal balance rather than dominance in any single area. On October 2, 2000, the National Institute of Standards and Technology (NIST) announced the selection of Rijndael, developed by Belgian cryptographers Joan Daemen and Vincent Rijmen, as the proposed AES algorithm. This choice was made after extensive public scrutiny of the finalists, including analyses presented at the AES3 conference, confirming Rijndael's superior overall suitability without any ties or significant controversies among the candidates. As part of the adaptation for standardization, NIST introduced minor modifications to Rijndael, such as renaming certain component functions for improved readability in the specification and restricting the block size to 128 bits while retaining the variable key lengths.

Rijndael was chosen for its exceptional balance of security and performance: it provided robust protection against differential and linear cryptanalysis (with only 6 to 9 of its 10 to 14 rounds vulnerable in theoretical attacks, leaving a wide but adequate margin, as classified by NIST), while achieving top-tier software speeds (e.g., over 400 Mbit/s throughput on benchmark processors) and versatile hardware implementations (e.g., 443 Mbit/s in a basic hardware implementation with moderate area usage of 46 mm²). In comparison, Serpent offered a higher theoretical security margin because of its conservative design with 32 rounds (versus AES-256's 14 rounds) and smaller S-boxes, making it more resistant to certain classes of attacks; NIST classified Serpent as having a "high" security margin, with attacks affecting 6-9 of its 32 rounds, proportionally fewer than on Rijndael. Both ciphers remain unbroken in practice: no known practical attacks exist on full-round versions of either for the standard key sizes (128/192/256 bits), though AES has faced more scrutiny and more theoretical attacks (e.g., the biclique attack on AES-128, which marginally reduces brute-force effort but remains impractical). Cryptographers describe Serpent as having greater resistance to future unknown attacks. However, this came at the cost of slower software performance and higher implementation complexity, while other finalists provided good versatility in modes of operation but lagged in overall efficiency across platforms. Rijndael also excelled in key agility and in resistance to timing and other side-channel attacks with minimal performance overhead, making it well suited for broad adoption in both feedback and non-feedback modes. Ultimately, no single criterion outweighed the others; Rijndael's combination of these attributes ensured its selection as the most suitable cipher for widespread, long-term use in securing sensitive data.

Post-Selection Standardization

Formal Approval as FIPS 197

Following the selection of the Rijndael algorithm in October 2000, the National Institute of Standards and Technology (NIST) developed a draft specification for its standardization as the Advanced Encryption Standard (AES). On February 28, 2001, NIST published this draft in the Federal Register and solicited public comments to refine the document. The agency incorporated feedback from the comment period, which addressed aspects such as clarity, modes of operation references, and implementation considerations, before finalizing the specification. On November 26, 2001, NIST published Federal Information Processing Standards Publication (FIPS PUB) 197, officially specifying AES as a symmetric block cipher renamed from Rijndael, with a fixed 128-bit block size and variable key lengths of 128, 192, or 256 bits corresponding to 10, 12, or 14 rounds, respectively. The standard includes detailed descriptions of the cipher's structure, such as block diagrams illustrating the round transformations (including SubBytes, ShiftRows, MixColumns, and AddRoundKey operations) and definitions of key components like the substitution tables in hexadecimal format. However, FIPS 197 provides only the algorithmic specification without mandating specific implementation methods, hardware, or software approaches, allowing flexibility for vendors and users. The standard became effective on May 26, 2002, making it compulsory for protecting sensitive unclassified federal information in non-national security systems. Regarding intellectual property, the developers of Rijndael, Joan Daemen and Vincent Rijmen, explicitly stated their commitment to royalty-free use, agreeing not to impose any restrictions and ensuring the algorithm's availability on a worldwide, non-exclusive basis. This waiver aligned with NIST's goal of promoting broad, unencumbered adoption of the standard.
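The round structure that FIPS 197 specifies, shown as an added worked example written for this page (it is not NIST's reference code nor the Rijndael designers' implementation): a plain Python transcription of the cipher that derives the SubBytes table from its GF(2^8) definition instead of pasting it, runs the key schedule for the 10/12/14-round cases that correspond to 128/192/256-bit keys, and checks itself against the example vectors in FIPS 197 Appendix C. It is deliberately table-free and not constant-time, so it illustrates the specification rather than serving as a library; every function name below is this example's own.

```python
"""AES block encryption following the FIPS 197 round structure.
Added educational example (not NIST's or the Rijndael authors' code).
Table-free and NOT constant-time: for studying the specification only."""


def xtime(b: int) -> int:
    """Multiply by x (0x02) in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    b <<= 1
    return (b ^ 0x11B) & 0xFF if b & 0x100 else b


def gf_mul(a: int, b: int) -> int:
    """Multiply two field elements by shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = xtime(a)
        b >>= 1
    return r


def gf_inv(x: int) -> int:
    """Multiplicative inverse computed as x^254 (0 maps to 0, as FIPS 197 prescribes)."""
    if x == 0:
        return 0
    r, base, e = 1, x, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def _affine(b: int) -> int:
    """FIPS 197 affine map: XOR of b with its four left rotations, then add 0x63."""
    r = b
    for i in range(1, 5):
        r ^= ((b << i) | (b >> (8 - i))) & 0xFF
    return r ^ 0x63


SBOX = [_affine(gf_inv(x)) for x in range(256)]  # SubBytes table, derived not typed in


def key_expansion(key: bytes) -> list:
    """Expand a 16/24/32-byte key into 4*(Nr+1) four-byte words (FIPS 197 section 5.2)."""
    nk = len(key) // 4
    nr = nk + 6                                   # 10, 12 or 14 rounds
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 0x01
    for i in range(nk, 4 * (nr + 1)):
        temp = list(w[i - 1])
        if i % nk == 0:
            temp = temp[1:] + temp[:1]            # RotWord
            temp = [SBOX[b] for b in temp]        # SubWord
            temp[0] ^= rcon                       # Rcon[i/Nk]
            rcon = xtime(rcon)
        elif nk > 6 and i % nk == 4:
            temp = [SBOX[b] for b in temp]        # extra SubWord only for AES-256
        w.append([a ^ b for a, b in zip(w[i - nk], temp)])
    return w


# State layout: flat list of 16 ints, s[4*c + r] is row r of column c (FIPS 197 input order).
def sub_bytes(s: list) -> list:
    return [SBOX[b] for b in s]


def shift_rows(s: list) -> list:
    """Row r is rotated left by r positions."""
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]


def mix_columns(s: list) -> list:
    """Each column is multiplied by the fixed polynomial {03}x^3 + {01}x^2 + {01}x + {02}."""
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
                a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
                a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
                gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]
    return out


def add_round_key(s: list, w: list, rnd: int) -> list:
    """XOR the state with round key rnd (words w[4*rnd .. 4*rnd+3], one per column)."""
    rk = [b for word in w[4 * rnd:4 * rnd + 4] for b in word]
    return [a ^ b for a, b in zip(s, rk)]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Encrypt one 128-bit block: Nr-1 full rounds, then a final round without MixColumns."""
    if len(key) not in (16, 24, 32):
        raise ValueError("AES keys are 128, 192 or 256 bits")
    if len(block) != 16:
        raise ValueError("FIPS 197 fixes the block size at 128 bits")
    w = key_expansion(key)
    nr = len(w) // 4 - 1
    s = add_round_key(list(block), w, 0)
    for rnd in range(1, nr):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), w, rnd)
    s = add_round_key(shift_rows(sub_bytes(s)), w, nr)
    return bytes(s)


if __name__ == "__main__":
    # FIPS 197 Appendix C.1 example: key 00..0f, plaintext 00112233..ff
    ct = encrypt_block(bytes(range(16)), bytes.fromhex("00112233445566778899aabbccddeeff"))
    print(ct.hex())  # 69c4e0d86a7b0430d8cdb78070b4c55a
```

Running the file prints the C.1 ciphertext; the same plaintext under the 24- and 32-byte keys of Appendices C.2 and C.3 exercises the 12- and 14-round schedules, including the additional SubWord step that only the 256-bit schedule uses. The byte-indexed S-box lookups and data-dependent branches in `gf_mul` are exactly the kind of implementation detail that the timing and power attacks discussed above target, which is why production code uses bitsliced or hardware (AES-NI style) implementations rather than this shape.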

Implementation and Legacy of the Process

Following its selection in 2000 and formal standardization as FIPS 197 in 2001, the Advanced Encryption Standard (AES) saw rapid integration into major cryptographic protocols and systems. AES was incorporated into the Internet Protocol Security (IPsec) framework through RFC 3602, which specified its use in Cipher Block Chaining (CBC) mode for securing network communications. Similarly, AES cipher suites were defined for the Transport Layer Security (TLS) protocol in RFC 3268 around the same time, enabling its deployment for protecting web traffic and other internet applications. This swift adoption reflected the algorithm's design efficiency and the cryptographic community's confidence in its security, leading to widespread implementation in software libraries, hardware accelerators, and standards bodies worldwide. In 2003, the National Security Agency (NSA) approved AES for protecting top-secret information as part of its Cryptographic Modernization Program, marking a significant endorsement for classified use and further accelerating its proliferation in government and defense sectors. A retrospective economic analysis by the National Institute of Standards and Technology (NIST) estimates that the AES program's development and adoption generated over $250 billion in net social benefits to the U.S. economy from 1996 to 2017, primarily through enhanced data protection, reduced cybersecurity risks, and gains across industries. These impacts were amplified by international participation in the selection process, which included submissions from cryptographers in 12 countries and fostered collaborative analysis from global experts, aspects that received limited attention during the original competition but are now highlighted in evaluative studies for their role in building broad trust.
The AES selection process established a model of open, transparent competition that influenced subsequent NIST standardization efforts, such as the SHA-3 hash function competition launched in 2007, which explicitly mirrored AES's public call for submissions, multi-round evaluations, and community workshops. This approach not only avoided perceptions of bias—through rigorous, peer-reviewed scrutiny of 15 candidate algorithms—but also cultivated a vibrant international cryptanalysis community, encouraging ongoing research and knowledge sharing. As of 2025, AES has withstood over two decades of intensive cryptanalytic efforts with no major breaks discovered, maintaining its status as a cornerstone of symmetric encryption despite theoretical vulnerabilities. Ongoing research addresses potential quantum threats, particularly Grover's algorithm, which could reduce AES-128's effective security to approximately 64 bits by enabling a quadratic speedup in key searches; however, practical implementations remain infeasible with current and near-term quantum hardware, prompting recommendations for AES-256 in high-security contexts. The process's legacy endures in its demonstration of collaborative, bias-free standardization, serving as a blueprint for modern cryptographic competitions while underscoring the value of global input and economic foresight in retrospective analyses.
