NIST started thinking about the need to replace the Data Encryption Standard, or DES, in the early 1990s.
We publicly indicated that a replacement might be developed as early as the 1993 reaffirmation of DES.
Serious planning at NIST began in 1996, culminating in a public call for comments on draft AES requirements in January, 1997.
We held a public workshop just a few months later, which was significant because it helped to solidify the key sizes for AES at 128, 192 and 256 bits.
DES has a key size of 56 bits.
Also, almost all of the workshop participants agreed that the AES should be available on a royalty-free basis.
We published a call for candidate algorithms three years ago this month, and the response from the global cryptography community has been truly gratifying.
Leading cryptographers from around the world attended our conferences in California, Rome and New York. They contributed invaluably to the selection process.
We have received a great deal of help from individuals, academics, industry and government.
It has not been a short process.
But this was necessary in order to build trust in the encryption algorithm, because there is no simple way to determine if an algorithm is secure.
Of the original 15 candidate algorithms, five were primarily of American origin and the rest were from overseas.
We received submissions from places as diverse as Costa Rica, France, Japan, Korea and Norway.
NIST received comments from people in more than 40 countries during the AES public analysis period.
Each of the submitters provided a detailed description of their algorithm, and implementations in both the ANSI C and Java computer programming languages.
NIST made these available to reviewers worldwide, consistent with prevailing export regulations.
Each submitter also agreed in writing to make their algorithm available on a royalty free basis if it were selected for inclusion in the AES.
Many decided to make their inventions free regardless.
We ended up with five excellent candidates, any one of which could have provided the security we require for AES.
More than 800 pages of public analysis of these candidates is posted on our Web site at www.nist.gov/aes.
Our Information Technology Laboratory formed a cross-disciplinary team to review the comments.
The team has drafted a lengthy technical paper describing the selection process and the reasons for our selection. This paper will go up on our Web site later today.
The performance of the candidates varied considerably, depending on whether it was implemented in hardware, software or on platforms with limited processing and memory capabilities, such as smart cards.
We have remained carefully objective.
This process has been an amazing, truly global competition, reflecting the worldwide nature of information security needs.
And it is a reflection of our long tradition of work in the computer security arena.
In the next month or so, we will formally publish a draft of the AES standard in the Federal Register for public review and comment.
We expect analysis of the encryption algorithm to continue, a process which should help to build even more public confidence in the standard.
Now, with great appreciation, I would like to thank Joan Daemen and Vincent Rijmen of Belgium for their submission of the winning algorithm.
Even though they have only recently learned of their selection, if this "old" telephone technology works, I would like to offer them the chance to say a few words.