Cryptography Reference
The requirements for AES specified by NIST were formulated in public discussion,
including a workshop on April 15, 1997. Here are a few selected criteria:
AES shall be a symmetric block algorithm.
The algorithm shall use a block length of at least 128 bits and be capable of using keys 128, 192, and 256 bits long.
It shall be suitable for a wide variety of uses, e.g., it shall be equally implementable in hardware and software.
AES shall resist all methods known in cryptanalysis.
It shall especially resist power analyses and timing attacks.
It shall have excellent performance both in hardware and software.
It shall have computational efficiency especially for use in smartcards (small code length, minimum memory requirement).
The algorithm shall be free from patents and freely available to everybody.
Figure 5.17: NIST requirements for AES.
conference held in March 1999, these algorithms were studied and cryptanalyzed
thoroughly. If there was even the slightest doubt about its security,
a candidate would not be short-listed. The Magenta method submitted by
Deutsche Telekom was one of the candidates that did not make it to the
shortlist.
The most capable cryptanalysts in the world dealt with the five candidates that
survived the thorough and numerous analyses, and ended up in stalemate: all
the algorithms were found to be excellent and hard to compare. Each one of
them could have become the new standard, and no flaws were found in any of
them. Each had different benefits, but which properties should be considered
to be the decisive ones?
In two of his contributions to the third AES conference, Don B. Johnson of
Certicom asked: 'Does there have to be a best method?' After all, modern
software implements a standardized crypto-interface anyhow, and normally offers
several methods to choose from. None of the five AES candidates was so large
a program that all of them together would blow up the size of crypto software
(the situation is different in hardware).