# AES competition

Starting in the late 90s, the US National Institute of Standards and Technology (NIST) ran a contest to find a block cipher to replace the Data Encryption Standard, DES. The winning cipher, previously known as Rijndael became the Advanced Encryption Standard, AES. DES had become obsolete because its 56-bit key size was inadequate to resist brute force attacks, given modern technology.

The entire process was completely open; even their requirements document was published and comment or criticism invited before a final version was written, and all of the later work toward the choice of a standard was public as well. The whole process was widely praised by cryptographers as a fine example of taking Kerckhoffs' Principle into account. This was in sharp contrast to some of the criticisms that had been made of the secrecy in the DES standardisation process which was run by NIST's ancestor, the National Bureau of Standards.

The final requirements specified a block cipher with 128-bit block size and support for 128, 192 or 256-bit key sizes. Evaluation criteria included security, performance on a range of platforms from 8-bit CPUs (e.g. in smart cards) up, and ease of implementation in both software and hardware.

Fifteen submissions meeting basic criteria were received, not just from the US but from many other countries as well. All of the entries were iterated block ciphers; in Shannon's terms all were product ciphers. Most used an SP network or Feistel structure, or variations of those. Several had proofs of resistance to various attacks.

In alphabetical order, the fifteen first round candidates were:

- CAST-256, CRYPTON, DEAL, DFC, E2, FROG, Hasty Pudding, LOKI97, MAGENTA, MARS, RC6, Rijndael, SAFER+, Serpent, and Twofish

All are described below.

NIST succeeded in rounding up a fine group of suspects; many of the world's best-known cryptographers participated in various design teams and others contributed to analysis of candidates. We provide a table listing some of the major players involved.

After much analysis and testing, and two conferences, the field was narrowed to five finalists — Twofish, MARS, Serpent, RC6, and Rjindael. After another year of analysis and testing focused on the finalists, and another conference with all of the finalist teams giving presentations, they chose a winner. In October 2002, Rijndael was chosen to become the Advanced Encryption Standard or AES. See external links for the official standard.

The contest was open and international and extensive work was done on testing and comparing the various candidates. To facilitate this, NIST defined some standard interfaces which everybody used. For almost all candidate ciphers, implementations with these interfaces are readily available; see external links. Many, though not all, of these ciphers have open licenses. This means that anyone implementing AES has the option of adding other ciphers at minimum cost, in particular the other three finalists with open licenses — Twofish, MARS, and Serpent. This gives a cheap insurance policy against the (presumably remote) chance of someone finding a good attack on AES.

Because of the birthday attack, a cryptographic hash needs to provide output of bits to resist attacks as well as a cipher with an -bit key. NIST has therefore issued standards for the SHA-2 family of hashes — SHA-256, SHA-384 and SHA-512 to match the strength of AES, plus SHA-224 to match the 112-bit strength of Triple DES. However, those hashes are all derived from SHA and weaknesses have been shown in that, so in 2008 NIST started a contest similar to the AES contest to design an Advanced Hash Standard which can (if it proves necessary) replace SHA-2 as AES replaced DES.

## AES

The Advanced Encryption Standard or **AES** is the algorithm formerly known as **Rijndael** (pronounced approximately "rhine doll"). It was designed by two Belgians, Joan Daemen and Vincent Rijmen.

It is an iterated block cipher, but not a Feistel cipher; the overall structure is an substitution-permutation network. Nonlinearity is obtained by mixing operations from different algebraic groups. There are four operations.

Two give confusion:

- AddRoundKey: bitwise XOR of 128-bit state and 128-bit round key
- SubBytes: run individual bytes through an 8 by 8 S-box

The other two give diffusion, treating the 128-bit block as a four by four matrix of bytes:

- ShiftRows: cyclicly shift each row by a fixed amount
- MixColumns: treat each column as a polynomial over the Galois field
**GF**(*2*); multiply it by one constant polynomial modulo another^{8}

It encrypts 128-bit blocks with a 128, 192 or 256-bit key. The number of rounds varies with key size: 10 for 128-bit keys, 12 for 192-bit keys and 14 for 256-bit keys. The numbers of rounds were chosen based on an analysis showing that they are enough to give resistance to linear cryptanalysis and differential cryptanalysis.

The cipher is freely available for any use. See external links for much more information.

## Other finalists

There were originally fifteen AES candidates, but that was narrowed to five finalists for the second round of analysis. This section covers the four ciphers that made it into the finals but did not win.

### Twofish

Twofish
^{[1]}
was an AES finalist cipher from Bruce Schneier's company Counterpane. Except for the name, and using key-dependent S-boxes, it has little relationship to Schneier's earlier cipher Blowfish; Twofish was a new design.

Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. It is a 16-round Feistel cipher using four key-dependent 8*8 S-boxes.

The cipher is freely available for any use. It has a home page; see external links.

It has a successor named "Threefish", used in the Skein hash algorithm, a candidate in the Advanced Hash Standard contest.

### Serpent

Serpent was an AES finalist cipher from an international team of well-known researchers — Ross Anderson (UK), Eli Biham (Israel), and Lars Knudsen (Norway). Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits.

Serpent is an SP network with 32 rounds. It uses eight 4 by 4 S-boxes, but unlike other ciphers it does not use them all in each round. Instead each round uses eight copies of the same S-box, so that 32-bit computer instructions can do eight 4-bit operations in parallel. Each of the eight S-boxes is used in four different rounds,

The cipher is freely available for any use. It has a home page; see external links.

### RC6

RC6 was an AES finalist cipher from a team led by Ron Rivest. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits.

Like RC5, RC6 made extensive use of data-dependent rotations. RSA Security have a page describing both ciphers; see external links.

RC6 is the only one of the five finalists which does not have a completely open license; it is still proprietary to RSA Security.

### MARS

MARS was an AES finalist cipher from IBM. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits.

It uses a variant of the Feistel structure which they call a "type 3 Feistel network"; the 128-bit block is treated as four 32-bit sub-blocks; each round uses one sub-block as input and modifies all of the other three sub-blocks. Like RC6, it uses data-dependent rotations. One 9*32 S-box is used; for some operations it is treated as two 8*32 S-boxes.

The cipher is now freely available. It has a home page; see external links.

## Unconventional AES candidates

This section covers two AES candidate ciphers that introduced new design ideas. Neither was chosen for consideration in the final round.

### Hasty Pudding

The Hasty Pudding Cipher or **HPC**, from Rich Schroeppel was, in some ways, the most interesting of the AES candidates. It did not make it into the finals.

Hasty Pudding is a **variable size block cipher**; blocks can be any size the application requires. It therefore might be ideal for things like encrypting disk blocks; see large block ciphers. Also, quoting the home page "Arbitrary sets, such as dates, or the printable subset of ascii, or the 20-bit primes, can be encrypted to themselves." Key size is also variable; any integer number of bits. For AES use, the block size would be fixed at 128 bits and key size at 128, 192 or 256 bits.

Hasty Pudding is also a tweakable block cipher, though it was designed before that term came into use. What is now called the "tweak" is called "spice" in Hasty Pudding.

The cipher is freely available for any use. It has a home page; see external links.

### FROG

FROG
^{[2]}
was an AES candidate cipher; it did not make it into the finals.

Like Hasty Pudding, FROG is a variable size block cipher and a rather unorthodox design. It supports block sizes from 8 to 128 bytes and key sizes from 5 to 125 bytes. For AES use, the block size would be fixed at 128 bits and key size at 128, 192 or 256 bits.

FROG introduced a novel design principle. Most block ciphers use round keys as data, thereby making each round different, but each round uses exactly the same sequence of operations. FROG uses data derived from the primary key as a program for an interpreter, so that each round can use a different sequence of operations. Eight rounds are used. Encryption and decryption are fast, but the key schedule is rather slow because it has to build a program for the interpreter.

While it was generally agreed that FROG was an interesting bit of work, it was found to have some weaknesses
^{[3]}.

## Theory-based candidates

All the candidate designs took account of research in cryptanalysis and cryptography, and many had proofs of resistance to various attacks,

However, two had exceptionally direct links to theory. Both were designed based on research work, by the people who did the research, and both had proofs of resistance to both differential cryptanalysis and linear cryptanalysis.

### CAST-256

CAST-256
^{[4]}
was an AES candidate cipher from a Canadian team; it did not make it into the finals. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits.

It is a Feistel-like cipher extended to four 32-bit sub-blocks instead of the two sub-blocks used in CAST-128 for 64-bit blocks. In the terms used by the MARS team, it is a "type one Feistel network"; each round takes one 32-bit sub-block as input and alters one 32-bit sub-block; 48 rounds are used. The F function and S-boxes are from CAST-128.

It is freely available for any use. There is an RFC describing it; see external links.

### DFC

DFC or **De-correlated Fast Cipher**
^{[5]}
^{[6]}
was an AES candidate cipher from a French team; it did not make it into the finals. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. It is a six-round Feistel cipher using a single 6 by 32 S-box.

This cipher was based on Serge Vaudenay's theoretical work on decorrelation theory. That theory gives methods of constructing ciphers which are provably immune to differential cryptanalysis, linear cryptanalysis, and any other attacks that meet some fairly broad assumptions.

However, some attacks on DFC were found by going outside those assumptions, timing attacks on some implementations
^{[7]}
and a more general attack using a variant of differential analysis
^{[8]}.

## Other AES candidates

This section covers the other ciphers that were proposed as AES candidates but not chosen for consideration in the final round.

### CRYPTON

**CRYPTON**
^{[9]}
^{[10]}
was an AES candidate cipher from a Korean team; it did not make it into the finals. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits.

CRYPTON uses an SP network with 12 rounds, does byte-level substitutions, and for some operations treats the 128-bit text as a four-by-four array of bytes. Overall, the design is rather similar to AES though some of the operations are different.

### DEAL

**DEAL**, the **Data Encryption Algorithm with Larger blocks**
was an AES candidate cipher; it did not make it into the finals. No-one really expected it to; it was entered mainly to provide a baseline for comparison to other ciphers. DEAL has approximately the overheads of Triple DES, making it too slow to be a competitive candidate for AES.

DEAL was originally proposed
^{[11]}
by Lars Knudsen, but the AES submission was from Richard Outerbridge. Knudsen was a member of the Serpent team for AES.

DEAL is a Feistel cipher using DES as the F function. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. Six rounds were used with a 128-bit or 192-bit key and 8 rounds with a 256-bit key.

There were some cryptanalytic results
^{[12]}
^{[13]}
against the cipher.

### E2

**E2** was an AES candidate cipher from Nippon Telephone and Telegraph; it did not make it into the finals. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. It is a 12-round Feistel network using a single 8 by 8 S-box.

There has been no published cryptanalysis of the full E2, but there is an attack on a reduced-round version
^{[14]}.

Camellia shares some design features with E2 and has largely replaced it.

### LOKI97

**LOKI97** was an AES candidate cipher from an Australian group; it did not make it into the finals. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. LOKI97 is one of several LOKI ciphers designed by the same group. It is a 16-round Feistel cipher with an F function that is basically two rounds of an SP network. This contrasts with DES where the F function is a single SP round.

The cipher is freely available for any use. It has a home page; see external links.

### MAGENTA

**MAGENTA** or **Multifunctional Algorithm for General-purpose Encryption and Network Telecommunication Applications** was Deutsche Telekom's entry in the AES competition. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. It is a Feistel cipher with six or eight rounds.

MAGENTA
^{[15]}
is often cited as an example of Kerckhoffs' Principle, a demonstration of why unpublished and therefore unanalysed ciphers cannot be trusted. Of the 15 AES candidates, 14 were made public before the first AES conference. The MAGENTA team were the one exception; they made nothing public until their conference presentation. That presentation was given one morning, to an audience that included many of the world's top cryptographers. Some saw flaws, and there was intense discussion over lunch. By that evening, a draft paper on breaking the cipher was circulating and the final version
^{[16]}
was presented at the second AES conference. The attackers included members of both the Twofish and Serpent teams, plus others.

### SAFER+

**SAFER+** was an AES candidate cipher; it did not make it into the finals. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. It is an SP network using two S-boxes. 8 rounds are used with a 128-bit key, 12 for a 192-bit key, and 15 for a 256-bit key.

Safer+ is one of a family of SAFER or **Secure and Fast Encryption Routine** ciphers designed by James Massey and co-workers for Cylink Corporation. All of these ciphers are unpatented and freely available for any use. There have been published attacks on some of them, but later versions have modifications to block those attacks.

## References

- ↑ Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson (1998),
*Twofish: A 128-Bit Block Cipher* - ↑ Dianelos Georgoudis, Damian Leroux and Billy Simón Chaves (June 15, 1998),
*The FROG Encryption Algorithm* - ↑ D. Wagner, N. Ferguson, and B. Schneier (1999),
*Cryptanalysis of FROG* - ↑ C. Adams & J. Gilchrist (June 1999),
*The CAST-256 Encryption Algorithm*, IETF, RFC2612 - ↑ H. Gilbert, M. Girault, P. Hoogvorst, F. Noilhan, T. Pornin, G. Poupard, J. Stern, S. Vaudenay (May 1998),
*Decorrelated Fast Cipher: an AES candidate* - ↑ Louis Granboulan, Phong Q. Nguyen, Fabrice Noilhan, Serge Vaudenay (2000),
*DFCv2*, Springer-Verlag, at 57-71 - ↑ Ian Harvey (March 1999),
*The DFC Cipher: An Attack on Careless Implementations*, DOI:10.1.1.42.3196 - ↑ Lars Knudsen & Vincent Rijmen,
*On the Decorrelated Fast Cipher (DFC) and Its Theory*, Springer-Verlag, at pp.81–94 - ↑ Chae Hoon Lim, Hyo Sun Hwang,
*CRYPTON: A New 128-bit Block Cipher - Specification and Analysis (Version 1.0)* - ↑ Eunjong Hong, Jai-Hoon Chung, Chae Hoon Lim,
*Hardware Design and Performance Estimation of The 128-bit Block Cipher CRYPTON* - ↑ Lars Knudsen,
*DEAL - A 128-bit Block Cipher* - ↑ John Kelsey & Bruce Schneier (August 1999),
*Key-Schedule Cryptanalysis of DEAL*, Springer-Verlag, at 118-134 - ↑ Stefan Lucks (1999),
*On Security of the 128-Bit Block Cipher DEAL*[ booktitle = Fast Software Encryption (FSE '99)*, at 60-70* - ↑ Mitsuru Matsui, Toshio Tokita (March 1999),
*Cryptanalysis of a Reduced Version of the Block Cipher E2*, Springer-Verlag, at 71-80 - ↑ M J Jacobson Jr & K Huber,
*The MAGENTA Block Cipher Algorithm* - ↑ Eli Biham, Alex Biryukov, Niels Ferguson, Lars Knudsen, Bruce Schneier and Adi Shamir (April 1999),
*Cryptanalysis of Magenta*