3.3.2 What were some candidates for the AES?
(Revised January 2003)
There was considerable interest in the AES initiative and 15 candidates were accepted for consideration in the first round. Among these were close variants of some of the more popular and trusted algorithms currently available, such as RC5 (see Question 3.6.4), CAST, and SAFER-SK (see Question 3.6.7). Other good candidates from well-respected cryptographers were also submitted. One of the reasons for close variants being proposed rather than the original ciphers is that one of the criteria for the AES submission is the ability to support 128-bit blocks of plaintext. Most ciphers were developed with an eye to providing a drop-in replacement for DES and, as a result, were often limited to having a 64-bit block size.
Among the fifteen candidates, five candidates qualified for a second round. Here is a short presentation of the five candidates.
Submitted by IBM (United States). As opposed to its competitors, IBM has constructed an AES candidate that is novel in its design. MARS accepts key sizes up to 448 bits and consists of 16 rounds - the cryptographic core - wrapped with two 8-round mixing layers. The purpose of the mixing rounds is to obtain diffusion, while the cryptographic core is designed to resist against all well-known attacks. Basic components in the rounds are common operations such as integer and bitwise addition and rotation. Its performance is good or excellent on most platforms with some reservations concerning smart card implementations. MARS differs from the other AES finalists in that it is not based on a well-reputed algorithm that has been around for several years. Due to this fact and the alleged complexity of the algorithm, the security of MARS has been claimed to be difficult to estimate.
Submitted by RSA Laboratories (United States). RC6 is a parameterized, fast and simple algorithm based on the well-trusted RC5 cipher. The AES submission consists of 20 rounds, which has been claimed to be a bit low; however, no security gaps have been discovered thus far. The algorithm might be less suitable on certain platforms due to its use of 32-bit variable rotations and integer multiplications, but when such operations are supported, RC6 is faster than any other candidate. RC6 is described in more detail in the answer to Question 3.6.4.
Submitted by Joan Daemen and Vincent Rijmen (Belgium). Rijndael is based on the algorithm Square and received excellent reviews from NIST in the Round 1 status report - the algorithm is fast, simple, secure, versatile, and well-suited for smart card implementations. For the moment, Rijndael appears to have no major disadvantages in comparison with the other candidates. Rijndael is unconventional in that its blocks are matrices of elements in GF(28) (see Appendix A), that is, arrays of bytes. In the 128-bit version, Rijndael consists of ten rounds, and in each round the individual bytes are transformed, the rows are rotated, and the columns are multiplied to a constant matrix. Each round is concluded with an XORing of the resulting array to a round key. (Rijndael was ultimately selected as the AES algorithm.)
Submitted by Ross Anderson (United Kingdom), Eli Biham (Israel), and Lars Knudsen (Norway). The keywords for Serpent are conservatism and security rather than novelty and speed; the algorithm contains eight S-boxes based on the S-boxes in DES, and the 32 rounds are arguably twice as many as needed to meet the AES security requirements. This makes Serpent easy to trust, but the price the algorithm has to pay is a weaker performance compared to the other AES finalists. However, due to small memory requirements, Serpent is well-suited for smart card implementations. This property helped Serpent knocking out CAST-256 (see Question 3.6.7), which is similar in performance and security.
Submitted by Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson (United States). Twofish is based on Schneier's algorithm Blowfish (see Question 3.6.7). Twofish is a fast and versatile Feistel network that does not require much memory. Yet, the structure of the cipher is very complex and hence difficult to analyze. This makes Twofish similar to MARS, but Twofish has the advantage of being based on an already well-studied and well-trusted algorithm.