Cryptographic competitions
Introduction
Secret-key cryptography
Disasters
Features
Focused competitions:
AES
eSTREAM
SHA-3
PHC
CAESAR
Broader evaluations:
CRYPTREC
NESSIE
CAESAR details:
Submissions
Call for submissions
Call draft 5
Call draft 4
Call draft 3
Call draft 2
Call draft 1
Committee
Frequently asked questions

AES: the Advanced Encryption Standard

The goal of the Advanced Encryption Standard (AES) competition was to specify "an unclassified, publicly disclosed encryption algorithm capable of protecting sensitive government information well into the next century". The AES competition was organized by the United States National Institute of Standards and Technology (NIST).

Requirements

Each AES submission was required to be a block cipher supporting a block length of 128 bits and key lengths of 128, 192, and 256 bits. The call for proposals specified the following evaluation criteria:

  • Security ("the most important factor in the evaluation"):
    • "Actual security of the algorithm compared to other submitted algorithms";
    • "The extent to which the algorithm output is indistinguishable from a random permutation on the input block";
    • "Soundness of the mathematical basis for the algorithm's security";
    • "Other security factors raised by the public during the evaluation process, including any attacks which demonstrate that the actual security of the algorithm is less than the strength claimed by the submitter".
  • Cost:
    • "Licensing requirements" ("AES shall be available on a worldwide, non-exclusive, royalty-free basis");
    • "Computational efficiency";
    • "Memory requirements".
  • "Algorithm and implementation characteristics":
    • "Flexibility" (e.g., additional key sizes, additional block sizes, wide variety of platforms, stream cipher, MAC generator, PRNG, hash);
    • "Hardware and software suitability";
    • "Simplicity".

Timeline

  • M-17, 1997.01.02: NIST announces AES competition.
  • M-14, 1997.04.15: AES Evaluation Criteria/Submission Requirements Workshop. Gaithersburg.
  • M-9, 1997.09.12: NIST issues call for algorithms.
  • M0, 1998.06.15: Deadline for submissions.
  • M2, 1998.08.20: First AES Candidate Conference. NIST announces 15 AES candidates.
  • M9, 1999.03.22–23: Second AES Candidate Conference.
  • M14, 1999.08.09: NIST announces its selection of 5 AES finalists.
  • M22, 2000.04.13–14: Third AES Candidate Conference.
  • M23, 2000.05.15: End of comment period.
  • M28, 2000.10.02: NIST announces its selection of AES.

Candidates

winner

finalist

round 1

candidate

designers

yes

yes

yes

Rijndael

Vincent Rijmen, Joan Daemen

yes

yes

MARS

Carolynn Burwick, Don Coppersmith, Edward D'Avignon, Rosario Gennaro, Shai Halevi, Charanjit Jutla, Stephen M. Matyas, Luke O'Connor, Mohammad Peyravian, David Safford, Nevenko Zunic

yes

yes

RC6

Ron Rivest, Matt Robshaw, Ray Sidney, Yiqun Lisa Yin

yes

yes

Serpent

Ross Anderson, Eli Biham, Lars Knudsen

yes

yes

Twofish

Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson

yes

CAST-256

Carlisle Adams, Stafford Tavares, Howard Heys, Michael Wiener

yes

CRYPTON

Chae Hoon Lim

yes

DEAL

Lars Knudsen

yes

DFC

Henri Gilbert, Marc Girault, Philippe Hoogvorst, Fabrice Noilhan, Thomas Pornin, Guillaume Poupard, Jacques Stern, Serge Vaudenay

yes

E2

Masayuki Kanda, Shiho Moriai, Kazumaro Aoki, Hiroki Ueda, Miyako Ohkubo, Youichi Takashima, Kazuo Ohta, Tsutomu Matsumoto

yes

FROG

Dianelos Georgoudis, Damian Leroux, Billy Simón Chaves

yes

HPC

Richard Schroeppel

yes

LOKI97

Lawrence Brown, Josef Pieprzyk, Jennifer Seberry

yes

MAGENTA

Michael Jacobson Jr., Klaus Huber

yes

SAFER+

James Massey, Gurgen Khachatrian, Melsik Kuregian

Version: This is version 2014.01.27 of the aes.html web page.