NIST has got its web site working again.  The rationale document at
http://csrc.nist.gov/encryption/aes/round2/r2report.pdf has some
troubling aspects.

Pure cipher strength actually played very little role in the selection.
All the ciphers were judged adequately strong.  Rijndael's main advantages
were in practical implementation issues, plus resistance to various
hardware failures.

Section 3.2 analyzes cipher strength.  The results are summarized
in section 3.2.2.  NIST explicitly rejects simple measures of cipher
strength which compare number of rounds attacked/broken against total
numbers of rounds.  This single number is not always meaningful, but
it does give an idea of overall strength.  NIST judged MARS, Serpent
and Twofish to have "high" security margin, and RC6 and Rijndael to
have "adequate" security margin.

Rijndael has attacks on 6 or 7 out of the 10 rounds for 128-bit keys;
7 out of 12 rounds for 192-bit keys; and 7, 8 or 9 out of 14 rounds for
256-bit keys (Rijndael uses more rounds for larger keys).  The attacks
against larger numbers of rounds require prohibitive levels of work.

Apparently, NIST judged all ciphers adequately strong on this basis.
The decision as to which to pick was made on other grounds.  Rijndael is
fast, easy to implement in hardware, and lightweight.  These traits seem
to be what led to its choice.

For those whose primary interest in AES is high security, the emphasis
might have been placed elsewhere.  Rather than choosing a cipher with
merely an "adequate" level of security, they would prefer that the
choice had been made from among those ciphers judged highest in security:
MARS, Twofish and Serpent.  Choosing from among these ciphers by similar
criteria of efficiency would probably have led to Twofish.

Rijndael appears to be a compromise between security and efficiency.
This leaves us in an unhappy and uncomfortable position.  It may well be
that Twofish and perhaps Serpent continue to be widely used alternatives
to AES.
