Public Comments on AES Candidate Algorithms - Round 1

Last Modified: January 11, 2001

GENERAL

button AES Home Page

button Rijndael Information

button Modes of Operation

button Discussion Forum

button Recent News

ROUND 2
(8/1999-5/2000)

button Finalist Algorithms

button Round 2 Analysis

button Round 2 Comments

button 3^rd AES Conference

ROUND 1
(8/1998-4/1999)

button R1 Algorithms

button R1 Announcement

button R1 Comments

button 2^nd AES Conference

button 1^st AES Conference

Pre-ROUND 1
(1/1997-7/1998)

button Call for Candidates

button AES Beginnings

Overview
On August 20, 1998, at the First AES Candidate Conference, NIST announced the fifteen AES candidates for Round 1 evaluation, and called for public comments on those candidates. NIST also called for comments in the Federal Register of Sept. 14, 1998. These public comments could be submitted electronically to NIST.
Other, non-official discussions, have also been taking place at NIST's AES Forum. Discussions at that site should be AES-specific.
The Round 1 comment period closed on April 15, 1999, and NIST would like to thank the many people and organizations who contributed their resources to analyzing and providing comments on the candidates.

Comments Received

NIST received more than 56 sets of comments (plus papers submitted to the AES2 conference), all of which are available here. The comments are divided into several categories:

E-mail comments (PDF; 200 KB) - All public comments that were contained in the body of an e-mail message. (Comments were last updated on April 21, 1999. Note that all comments added to this file are located at the end of the file.)

General Papers and Letters - Electronically submitted papers and letters have been converted to PDF format. For convenience, all of these comments are provided in three zip files (File1, File2, and File3).

TITLE AUTHOR(s) Size (KB)

Weak Keys of CRYPTON Johan Borst,
Katholieke Universiteit Leuven 146

[LETTER] Akyman Financial Services Pty. Ltd. 33

The Need for Multiple AES Winners Brian Gladman 15

[LETTER] John Graff,
Deloitte & Touche Security Services 38

Decorrelated Fast Cipher: an AES Candidate well suited for low cost smart cards applications Guillaume Poupard and Serge Vaudenay,
CNRS 194

[LETTER] Charles S. Williams,
Cylink Corporation 18

AES Public Comment from the Rijndael Team Joan Daemen (Proton World), and Vincent Rijmen (KULeuven) 75

A Note Regarding the Hash Function Use of MARS and RC6
Caution: this document may load extremely slowly when viewing in a browser. We recommend that you download it and then view it. Markku-Juhani O. Saarinen,
SSH Communications Security Ltd. 427

Some Comments on the First Round AES Evaluation of RC6 Scott Contini, Ronald L. Rivest, M.J.B. Robshaw, Yiqun Lisa Yin 223

Serpent and Smartcards Ross Anderson, Eli Biham, Lars Knudsen 152

Some Observations on the 1st Round of the AES Selection Process Bart Preneel,
Katholieke Universiteit Leuven 89

Comparison of the Randomness Provided by Some AES Candidates Serge Vaudenay (Ecole Normale Superieure - CNRS), Shiho Moriai (NTT Laboratories) 121

Yet Another Performance Analysis of the AES Candidates Gary Graunke,
Intel Corp. 9

Performance Analysis of AES candidates on the 6805 CPU core Geoffrey Keating,
Australian National University 36

Comments on NIST's Efficiency Testing for Round1 AES Candidates Kazumaro Aoki,
NTT Laboratories 44

Optimized Software Implementations of E2 Kazumaro Aoki and Hiroki Ueda,
NTT Laboratories 145

Software Implementation Results of E2 Kazumaro Aoki and Hiroki Ueda,
NTT Laboratories 59

Search for Impossible Differential on E2 Kazumaro Aoki and Masayuki Kanda,
NTT Laboratories 74

Java Performance of AES Candidates NTT Laboratories (contact: Kazumaro Aoki) 341

AES: Analysis of the RefCode and OptCCode submissions Louis Granboulan,
CNRS 177

Some thoughts on the AES process Lars R. Knudsen,
University of Bergen 125

Comments on Hardware Implementation of E2 NTT Corporation (contact: Masayuki Kanda) 48

A Bit Naming Convention for Cryptographic ALgorithms Markus G. Kuhn,
University of Cambridge 74

Comparative Analysis of the Advanced Encryption Standard Candidate Algorithms Peter M.B. Mokros,
Macalester College 67

Security of E2 against Truncated Differential Cryptanalysis (in progress) NTT Laboratories (contact: Shiho Moriai) 114

Comment on Selecting the Ciphers for the AES Second Round Eli Biham,
Technion 87

A Note on Comparing the AES Candidates Eli Biham,
Technion 114

A Note on Comparing the AES Candidates (slides) Eli Biham,
Technion 105

AES2 Papers
Twenty-eight (28) papers were submitted for the Second AES Candidate Conference (March 22-23, 1999), and those submissions are considered as Round 1 public comments, too. Here is the complete set of papers that were submitted, with a link to the submitters' home page (if provided). Please keep in mind that due to the short time schedule, NIST did not go through several rounds of submissions (i.e., not all papers will be "polished"). Links are provided to submitters' home pages, in case they have updated versions of their submissions.

AES2 Paper Submissions (presented in order of submission)
(*) = paper presented during the conference
(R) = paper presented during the "rump" session
TITLE AUTHOR(s) Size (KB) Link

Key Schedule Classification of the AES Candidates G. Carter, E. Dawson, L. Nielsen 191 .

Pseudorandomness and Maximum Average of Differential Probability of Block Ciphers with SPN-Structures like E2 (*) M. Sugita, K. Kobara, H. Imai 287 .

Exploratory Candidate Algorithm Performance Characteristics In Commercial Symmetric Multiprocessing (SMP) Environments for the Advanced Encryption Standard (AES) L. Leibrock 7 .

An Observation on the Key Schedule of Twofish (*) F. Mirza, S. Murphy 57 .

The DFC Cipher: an attack on careless implementations (R) I. Harvey 28 .

Future Resiliency: A Possible New AES Evaluation Criterion (R) D. Johnson 51 .

Weaknesses in LOKI97 (*) L. Knudsen, V. Rijmen 158 .

On the Optimality of SAFER+ Diffusion (*) J. Massey 180 .

Report on the AES Candidates (*) O. Baudron, H. Gilbert, L. Granboulan, H. Handschuh, A. Joux, P. Nguyen, F. Noilhan, D. Pointcheval, T. Pornin, G. Poupard, J. Stern, S. Vaudenay 234 .

DFC Update (*) O. Baudron, H. Gilbert, L. Granboulan, H. Handschuh, R. Harley, A. Joux, P. Nguyen, F. Noilhan, D. Pointcheval, T. Pornin, G. Poupard, J. Stern, S. Vaudenay 218 .

Key Schedule Weaknesses in SAFER+ (*) J. Kelsey, B. Schneier, D. Wagner 245

Performance Comparison of the AES Submissions (*) B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall, N. Ferguson 257

New Results on the Twofish Encryption Algorithm (*) (Same as previous paper) 275

AES Candidates: A Survey of Implementations H. Lipmaa 43 .

Optimized Software Implementations of E2 (R) K. Aoki, H. Ueda 130 .

Cryptanalysis of Magenta (*) E. Biham, A. Biryukov, N. Ferguson, L. Knudsen, B. Schneier, A. Shamir 71 .

A Note on Comparing the AES Candidates (*) E. Biham 134 .

Implementation Experience with AES Candidate Algorithms (* invited, but could not attend) B. Gladman 46 .

Resistance Against Implementation Attacks: A Comparative Study of the AES Proposals (*) J. Daemen, V. Rijmen 183 .

Power Analysis of the Key Scheduling of the AES Candidates (*) E. Biham, A. Shamir 111 .

cAESar results: Implementation of Four AES Candidates on Two Smart Cards (*) G. Hachez, F. Koeune, J.-J. Quisquater 208 .

A Cautionary Note Regarding Evaluation of AES Candidates on Smart-Cards (*) S. Chari, C. Jutla, J.R. Rao, P. Rohatgi 280 .

On Differential Properties of Data-Dependent Rotations and Their Use in MARS and RC6 (*) S. Contini, Y.L. Yin 195 .

An Analysis of Serpent-p and Serpent-p-ns (R) O. Dunkelman 150 .

Cryptanalysis of Frog (*) D. Wagner, N. Ferguson, B. Schneier 219

Instruction-level Parallelism in AES Candidates (*) C. Clapp 86 .

Performance Analysis of AES candidates on the 6805 CPU core (*) G. Keating 26

AES Java^TM Technology Comparisons (*) A. Folmsbee 308 .

Technical contact: Morris Dworkin
Administrative/process questions: Elaine Barker, Bill Burr