Second AES Candidate Conference (AES2)

GENERAL AES Home Page Rijndael Information Modes of Operation Discussion Forum Recent News ROUND 2 (8/1999-5/2000) Finalist Algorithms Round 2 Analysis Round 2 Comments 3rd AES Conference ROUND 1 (8/1998-4/1999) R1 Algorithms R1 Announcement R1 Comments 2nd AES Conference 1st AES Conference Pre-ROUND 1 (1/1997-7/1998) Call for Candidates AES Beginnings

Second AES Candidate Conference (AES2) Near the end of Round 1 of the AES Development Effort, the Second AES Candidate Conference (AES2) was held on March 22-23, 1999, in Rome, Italy. At AES2, Round 1 technical analysis was presented and discussed, along with views as to which candidates should be selected as finalists for Round 2. AES2 was followed immediately by the Sixth Fast Software Encryption Workshop (FSE6), at the same location. The final agenda for AES2 is available. NIST Presentations At AES2, NIST made several presentations. Please understand that the results presented at AES2 may vary (especially regarding the Java timings) from the final results obtained by NIST. NIST efficiency testing results for Round 1. In addition, NIST is providing the timing harnesses it used to test the ANSI C implementations on the NIST Reference Platform (w/ Borland compiler). Intel Corp. has a helpful document which NIST used when creating the "timingtest.c" files. (Questions about this should be directed to Larry Bassham.) A small fraction of the NIST statistical testing results were also presented at AES2. Slides for several of the presentations are available electronically: Instruction-level Parallelism in AES Candidates, Craig Clapp Performance Comparison of the AES Submissions, Bruce Schneier AES JavaTM Technology Comparisons, Alan Folmsbee Implementation of Four AES Candidates on Two Smart Cards, François Koeune On the Optimality of SAFER+ Diffusion, James Massey Twofish: New Results, Doug Whiting List of speakers and titles from the Rump Session. Miles Smid chaired a panel of algorithm submitters, which generated a lot of discussion on various AES issues. This panel included discussion of Intellectual Property (IP) issues. NIST announced preliminary plans for the Third AES Candidate Conference (AES3). Once again, the AES and FSE conferences will be held back-to-back. More details will be made available in the coming months. NIST presented future plans for the AES process, including important information for AES submitters about the transition from Round 1 to Round 2. NIST received feedback from the AES2 attendees, regarding their thoughts on the candidate algorithms. Papers Here is the complete set of papers that were submitted to AES2, with a link to the submitters' home page (if provided). Please keep in mind that due to the short time schedule, NIST did not go through several rounds of submissions (i.e., not all papers will be "polished"). Links are provided to submitters' home pages, in case they have updated versions of their submissions. AES2 Paper Submissions (presented in order of submission) (*) = paper presented during the conference (R) = paper presented during the "rump" session Title Author(s) Size  (KB) Link Key Schedule Classification of the AES Candidates G. Carter, E. Dawson, L. Nielsen  191 . Pseudorandomness and Maximum Average of Differential Probability of Block Ciphers with SPN-Structures like E2 (*) M. Sugita, K. Kobara, H. Imai 287 . Exploratory Candidate Algorithm Performance Characteristics In Commercial Symmetric Multiprocessing (SMP) Environments for the Advanced Encryption Standard (AES) L. Leibrock 7 . An Observation on the Key Schedule of Twofish (*) F. Mirza, S. Murphy 57 . The DFC Cipher:  an attack on careless implementations (R) I. Harvey 28 . Future Resiliency:  A Possible New AES Evaluation Criterion (R) D. Johnson 51 . Weaknesses in LOKI97 (*) L. Knudsen, V. Rijmen 158 . On the Optimality of SAFER+ Diffusion (*) J. Massey 180 . Report on the AES Candidates (*) O. Baudron, H. Gilbert, L. Granboulan, H. Handschuh, A. Joux, P. Nguyen, F. Noilhan, D. Pointcheval, T. Pornin, G. Poupard, J. Stern, S. Vaudenay 234 . DFC Update (*) O. Baudron, H. Gilbert, L. Granboulan, H. Handschuh, R. Harley, A. Joux, P. Nguyen, F. Noilhan, D. Pointcheval, T. Pornin, G. Poupard, J. Stern, S. Vaudenay 218 . Key Schedule Weaknesses in SAFER+ (*) J. Kelsey, B. Schneier, D. Wagner 245 Performance Comparison of the AES Submissions (*) B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall, N. Ferguson 257 New Results on the Twofish Encryption Algorithm (*) (Same as previous paper) 275 AES Candidates:  A Survey of Implementations H. Lipmaa 43 . Optimized Software Implementations of E2 (R) K. Aoki, H. Ueda 130 . Cryptanalysis of Magenta (*) E. Biham, A. Biryukov, N. Ferguson, L. Knudsen, B. Schneier, A. Shamir 71 . A Note on Comparing the AES Candidates (*) E. Biham 134 . Implementation Experience with AES Candidate Algorithms (* invited, but could not attend) B. Gladman 46 . Resistance Against Implementation Attacks: A Comparative Study of the AES Proposals (*) J. Daemen, V. Rijmen 183 . Power Analysis of the Key Scheduling of the AES Candidates (*) E. Biham, A. Shamir 111 . cAESar results: Implementation of Four AES Candidates on Two Smart Cards (*) G. Hachez, F. Koeune, J.-J. Quisquater 208 . A Cautionary Note Regarding Evaluation of AES Candidates on Smart-Cards (*) S. Chari, C. Jutla, J.R. Rao, P. Rohatgi 280 . On Differential Properties of Data-Dependent Rotations and Their Use in MARS and RC6 (*) S. Contini, Y.L. Yin 195 . An Analysis of Serpent-p and Serpent-p-ns (R) O. Dunkelman 150 . Cryptanalysis of Frog (*) D. Wagner, N. Ferguson, B. Schneier 219 Instruction-level Parallelism in AES Candidates (*) C. Clapp 86 . Performance Analysis of AES candidates on the 6805 CPU core (*) G. Keating 26 AES JavaTM Technology Comparisons (*) A. Folmsbee 308 .

Technical contact: Morris Dworkin
Administrative/process questions: Elaine Barker, Bill Burr