Published in the January 2, 1997 issue of the Federal Register: DEPARTMENT OF COMMERCE National Institute of Standards and Technology [Docket No. 960924272-6272-01] RIN 0693-ZA13 ANNOUNCING DEVELOPMENT OF A FEDERAL INFORMATION PROCESSING STANDARD FOR ADVANCED ENCRYPTION STANDARD AGENCY: National Institute of Standards and Technology (NIST), Commerce. ACTION: Notice; Request for comments. SUMMARY: A process to develop a Federal Information Processing Standard (FIPS) for Advanced Encryption Standard (AES) incorporating an Advanced Encryption Algorithm (AEA) is being initiated by the National Institute of Standards and Technology (NIST). As the first step in this process, draft minimum acceptability requirements and draft criteria to evaluate candidate algorithms are being published for comment. Also announced for comment are draft submission requirements. An open, public workshop on the draft minimum acceptability requirements, evaluation criteria and submission requirements has also been scheduled. It is intended that the AES will specify an unclassified, publicly disclosed encryption algorithm capable of protecting sensitive government information well into the next century. The purpose of this notice is to solicit views from the public, manufacturers, voluntary standards organizations, and Federal, state, and local government users so that their needs can be considered in the process of developing the AES. DATES: Comments must be received on or before April 2, 1997. The AES Evaluation Criteria/Submission Requirements Workshop will be held on April 15, 1997, from 9:00 a.m. to 4:00 p.m. ADDRESSES: Written comments should be sent to Director, Computer Systems Laboratory, Attn: FIPS for AES Comments, Technology Building, Room A231, National Institute of Standards and Technology, Gaithersburg, MD 20899. Electronic comments may be sent to AES@nist.gov. Comments received in response to this notice will be made part of the public record and will be made available for inspection and copying in the Central Records and Reference Inspection Facility, Room 6020, Herbert C. Hoover Building, 14th Street between Pennsylvania and Constitution Avenues, NW, Washington, DC, 20230. The AES Criteria Workshop will be held at the Green Auditorium, Administration Building, National Institute of Standards and Technology, Gaithersburg, Maryland. Copies of the comments submitted will be available at the Workshop. For planning purposes, advance registration is encouraged. To register, please fax your name, address, telephone, fax and e-mail address to 301-948-1233 (Attn: AES Criteria Workshop) by April 10, 1997. Registration will also be available at the door. The workshop will be open to the public. FOR FURTHER INFORMATION CONTACT: Edward Roback, National Institute of Standards and Technology, Building 820, Room 426, Gaithersburg, MD 20899; telephone 301-975-3696 or via fax at 301-948-1233. Technical inquiries regarding the proposed draft evaluation criteria and draft submission requirements should be addressed to Miles Smid, National Institute of Standards and Technology, Building 820, Room 426, Gaithersburg, MD 20899; telephone 301-975-2938 or via fax at 301-948-1233. SUPPLEMENTARY INFORMATION: This work effort is being initiated pursuant to NIST's responsibilities under the Computer Security Act of 1987, the Information Technology Management Reform Act of 1996, Executive Order 13011, and OMB Circular A-130. NIST recognizes that many institutions, both within and outside the Federal Government, have considerable investments in their current installed base of encryption equipment implementing the Data Encryption Algorithm, specified in the Data Encryption Standard (DES, Federal Information Processing Standard 46-2). DES was first approved in 1977 and was most recently reaffirmed by the Secretary in 1993, until December 1998. In 1993 the following statement was included in the standard: "At the next review (1998), the algorithm specified in this standard will be over twenty years old. NIST will consider alternatives which offer a higher level of security. One of these alternatives may be proposed as a replacement standard at the 1998 review." It is NIST's view that a multi-year transition period will be necessary to move toward any new encryption standard and that DES will continue to be of sufficient strength for many applications. NIST will consult with all interested parties so that a smooth transition can be accomplished. In order to provide a basis for the evaluation of encryption algorithms submitted to be considered as the AEA for incorporation into the FIPS for AES, evaluation criteria will be used to review submitted algorithms. Comments on the draft criteria (and, at the appropriate time, of candidate algorithms) from voluntary consensus standards organizations are particularly encouraged. PROPOSED DRAFT MINIMUM ACCEPTABILITY REQUIREMENTS AND EVALUATION CRITERIA The draft minimum acceptability requirements and evaluation criteria are: A.1 AES shall be publicly defined. A.2 AES shall be a symmetric block cipher. A.3 AES shall be designed so that the key length may be increased as needed. A.4 AES shall be implementable in both hardware and software. A.5 AES shall either be a) freely available or b) available under terms consistent with the American National Standards Institute (ANSI) patent policy. A.6 Algorithms which meet the above requirements will be judged based on the following factors: a) security (i.e., the effort required to cryptanalyze), b) computational efficiency, c) memory requirements, d) hardware and software suitability, e) simplicity, f) flexibility, and g) licensing requirements. Comments are being sought on these draft minimum acceptability criteria and evaluation criteria, suggestions for other criteria, and relative importance of each individual criterion in the evaluation process. Criteria will be finalized by NIST following the criteria workshop. PROPOSED DRAFT SUBMISSION REQUIREMENTS In order to provide for an orderly, fair, and timely evaluation of candidate algorithm proposals, submission requirements will specify the procedures and supporting documentation necessary to submit a candidate algorithm. B.1 A complete written specification of the algorithm including all necessary mathematical equations, tables, and parameters needed to implement the algorithm. B.2 Software implementation and source code, in ANSI C code, which will compile on a personal computer. This code will be used to compare software performance and memory requirements with respect to other algorithms. B.3 Statement of estimated computational efficiency in hardware and software. B.4 Encryption example mapping a specified plaintext value into ciphertext. B.5 Statement of licensing requirements and patents which may be infringed by implementations of this algorithm. B.6 An analysis of the algorithm with respect to known attacks. B.7 Statement of advantages and limitations of the submitted algorithm. (end of draft submission requirements) Since both the evaluation criteria and submission requirements have not yet been set, candidate algorithms should NOT be submitted at this time. Samuel Kramer, Associate Director Date: December 16, 1996