6 December 2001


Date: Tue, 04 Dec 2001 15:47:47 -0600
To: cryptography@wasabisystems.com
From: Elaine Barker <elaine.barker@nist.gov>
Subject: AES, etc.

AES: NIST is pleased to announce that the AES was signed on November 26, 
2001. The standard and further information are available at 
http://csrc.nist.gov and http://www.nist.gov/aes. The notice will appear in 
the Federal Register later this week.

Modes of Operation: The initial Recommended Modes of Operation document 
will be available in a few days. The initial modes consist of the ECB, CBC, 
CFB, OFB and CTR encryption modes. Other modes will be added at a later time.

Key Management: The presentations and a list of issues that were addressed 
at the Key Management Workshop are available at 
http://csrc.nist.gov/encryption/kms/workshop2-page.html. The AES Key 
Wrapping algorithm is available at http://www.nist.gov/kms.

Elaine Barker
National Institute of Standards and Technology
100 Bureau Dr., Stop 8930
Gaithersburg, MD 20899-8930
Phone: 301-975-2911
Fax: 301-948-1233
Email: ebarker@nist.gov


[Federal Register: December 6, 2001 (Volume 66, Number 235)]
[Page 63369-63371]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]



National Institute of Standards and Technology

[Docket No. 000929280-1201-01]
RIN 0693-ZA42

Announcing Approval of Federal Information Processing Standard 
(FIPS) 197, Advanced Encryption Standard (AES)

AGENCY: National Institute of Standards and Technology (NIST), 

ACTION: Notice.


SUMMARY: The Secretary of Commerce approves FIPS 197, Advanced 
Encryption Standard (AES), and makes it compulsory and binding on 
Federal agencies for the protection of sensitive, unclassified 
information. A new robust encryption algorithm was needed to replace 
the aging Data Encryption Standard (FIPS 46-3), which had been 
developed in the 1970s. In September 1997, NIST issued a Federal 
Register notice soliciting an unclassified, publicly disclosed 
encryption algorithm that would be available royalty-free worldwide. 
Following the submission of 15 candidate algorithms and three publicly 
held conferences to discuss and analyze the candidates, the field was 
narrowed to five candidates. NIST continued to study all available 
information and analyses about the candidate algorithms, and selected 
one of the algorithms, the Rijndael algorithm, to propose for the AES.

EFFECTIVE DATE: This standard is effective May 26, 2002.

FOR FURTHER INFORMATION CONTACT: Ms. Elaine Barker, (301) 975-2911, 
National Institute of Standards and Technology, 10 Bureau Drive, STOP 
8930, Gaithersburg, MD 20899-8930.
    A copy of FIPS 197 is available electronically from the NIST web 
site at: http://csrc.nist.gov/encryption/aes/index.html/.

SUPPLEMENTARY INFORMATION: A notice was published in the Federal 
Register (Volume 66, Number 40, pp. 12762-3) on February 28, 2001, 
announcing the proposed FIPS for Advanced Encryption Standard for 
public review and comment. The Federal Register notice solicited 
comments from the public, academic and research communities, 
manufacturers, voluntary standards organizations, and Federal, state, 
and local government organizations. In addition to being published in the 
Federal Register, the notice was posted on the NIST Web pages; 
information was provided about the submission of electronic comments. 
Comments and responses were received from 21 private sector 
organizations, individuals, and groups of individuals, and from one 
federal government organization. None of the comments opposed the 
adoption of the AES as a Federal Information Processing Standard. 
Comments supported the selection of the algorithm and commended the 
clear, well-written presentation of the standard. Some comments offered 
editorial suggestions, pointed out perceived inconsistencies in the 
text, and requested clarifications. All of the editorial 
recommendations were carefully reviewed, and changes were made to the 
standard where appropriate.
    Following is an analysis of the technical and related comments 
    Comment: The FIPS for AES should include support for additional 
block and key sizes. This would take advantage of the AES algorithm's 
built-in flexibility, making it better suited for use in a hashing mode 
and with communications applications that require minimal overhead 
    Response: NIST recognizes that one of the AES algorithm's strengths 
is its inherent support for additional block and key sizes. However, 
other block and key sizes have not been subjected to the same public 
analyses as those sizes that are provided for in the recommended FIPS. 
As a result, NIST believes that it would not be appropriate to include 
the additional sizes at this time. The block and key sizes are 
specified as parameters in the recommended FIPS, and could be modified 
to include other block and key sizes in the future if needed. The 
recommended standard explains that the use of parameters in the 
specification is intended to encourage AES implementers to build their 
applications and systems with future flexibility and adaptability in 
mind. NIST will monitor future developments, and will consider adding 
more parameters to the specification if needed in the future.
    Comment: For added security, and to meet the needs for extremely 
long-term security, NIST should increase the number of rounds that are 
specified by the AES algorithm (i.e., the amount of processing used for 
encryption and decryption). Since new techniques to break the algorithm 
may evolve, the margin of security offered by the algorithm should be 
    Response: Prior to its evaluation of the five finalist candidate 
algorithms, NIST's AES selection team discussed the issue of whether 
the number of rounds should be changed for one or more of the 
algorithms; the selection team decided to consider only the algorithms 
as initially submitted. Changing the number of prescribed rounds would 
change the way that the algorithm was defined (e.g., its key schedule), 
and the process of proposing, reviewing, and evaluating an algorithm 
would have to start over from the beginning. If the number of rounds 
were changed, many of the security and performance analyses that had 
already been performed on the candidate algorithms would no longer be 
    Furthermore, throughout the development and review of the 
recommended FIPS, there was little agreement on which key sizes should 
have more rounds, and less agreement on how many rounds to add. Some 
who commented on the Draft FIPS proposed adding just two rounds, while 
another comment suggested adding 114 rounds.
    NIST is not aware of advances in cryptographic techniques that 
would threaten the security provided by the recommended FIPS, but will 
continue to follow developments, to reevaluate the standard, and to 
consider changes or additions that might be needed. As with its other 
cryptographic standards, NIST will review the recommended FIPS every 
five years to consider whether the standard should be reaffirmed, 
amended, or withdrawn.
    Comment: Since the AES algorithm allows three different key sizes, 
NIST should provide guidance to users regarding how and for what 
purpose(s) the different keys should be used.
    Response: NIST is currently developing a guideline that will 
address numerous key management issues, including considerations for 
selecting from among multiple key sizes. Details on the content and 
development of that guideline are available on NIST's web pages http://
    Comment: Statements in the FIPS are unclear and ambiguous regarding 
validation requirements for AES implementations. Additionally, many of 
these statements refer to FIPS 140-2, which has not been approved and 
which has a transition period when both FIPS 140-1 and FIPS 140-2 are 
in effect.
    Response: FIPS 140-2 was approved in May 2001, and became effective 
on November 25, 2001. However, references to FIPS 140-2 have been 
removed in order to limit any misunderstandings.
    Following approval of this recommended FIPS, vendors may request 
that their AES implementation be tested and validated either for 
conformance to the AES specification or in conjunction with a 
cryptographic module validation test (i.e., validation testing for FIPS 
140-2). The process is the same for all testing of implementations of 
FIPS-approved algorithms under the Cryptographic Module Validation 
    Comment: Comments indicated concern about the padding to be used 
when the length of the data to be encrypted was not an even multiple of 
the block size. Other comments proposed more optimal specifications of 
the algorithm.
    Response: NIST considers padding and optimization to be outside the 
scope of this standard. Padding will be addressed in a standard or 
recommendation to be developed on the modes of operation for the AES, 
and in the applications and protocols that use the AES.
    It is expected that many optimizations of the AES will be developed 
over time. NIST plans to post information that it receives on 
optimization issues on its web pages with the permission of the 
    Comment: One comment recommended the selection of a different 
algorithm, one that had not been submitted during the AES development 
    Response: NIST conducted an open process to solicit and evaluate 
algorithms for consideration for the AES. All candidate algorithms have 
been thoroughly reviewed and analyzed by the international 
cryptographic community.

    Authority: Under section 5131 of the Information Technology 
Management Reform Act of 1996 and the Computer Security Act of 1987, 
the Secretary of Commerce is authorized to approve standards and 
guidelines for the cost effective security and privacy of sensitive 
information processed by federal computer systems.

    Executive Order 12866: This notice has been determined not to be 
significant for the purposes of E. O. 12866.

    Dated: November 28, 2001.
Karen H. Brown,
Acting Director, National Institute of Standards and Technology.
[FR Doc. 01-30232 Filed 12-5-01; 8:45 am]