AES Round 2 Information

Last Modified: October 24, 2000


GENERAL
button AES Home Page
button Rijndael Information
button Modes of Operation
button Discussion Forum
button Recent News
ROUND 2
(8/1999-5/2000)
button Finalist Algorithms
button Round 2 Analysis
button Round 2 Comments
button 3rd AES Conference
ROUND 1
(8/1998-4/1999)
button R1 Algorithms
button R1 Announcement
button R1 Comments
button 2nd AES Conference
button 1st AES Conference
Pre-ROUND 1
(1/1997-7/1998)
button Call for Candidates
button AES Beginnings

AES Round 2 Finalists

Algorithm Name Submitter Name(s)
MARS IBM (represented by Nevenko Zunic)
RC6TM RSA Laboratories (represented by Burt Kaliski)
Rijndael Joan Daemen, Vincent Rijmen
Serpent Ross Anderson, Eli Biham, Lars Knudsen
Twofish Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson


Round 2 Analysis

More information is available regarding Round 2 analysis of the finalists.


Round 2 Public Comments

On September 15, 1999, a Federal Register announcement called for public comments on the AES finalists. That announcement also presented some suggested topics for public comments.

NIST has also developed a white paper [PDF] to promote discussion of important Round 2 issues.

Beginning December 8, 1999, NIST made available all public comments received-to-date, in order to generate more analysis and discussion during Round 2.


AES3 Conference

The Third AES Candidate Conference (AES3) was held in New York City, 13-14 April 2000, near the end of Round 2.


NIST's Round 1 Report

NIST developed a document, Status Report on the First Round of the Development of the Advanced Encryption Standard [PDF] which summarized Round 1 analysis and presents NIST's selection of the finalists for Round 2. (Addenda [PDF] for the Round 1 Report are also available. Last updated October 1, 1999.)

Here is an abstract for the status report:

Abstract: In 1997, the National Institute of Standards and Technology (NIST) initiated a process to select a symmetric-key encryption algorithm to be used to protect sensitive (unclassified) Federal information in furtherance of NIST's statutory responsibilities. In 1998, NIST announced the acceptance of fifteen candidate algorithms and requested the assistance of the cryptographic research community in analyzing the candidates. This analysis included an initial examination of the security and efficiency characteristics for each algorithm. NIST has reviewed the results of this research and selected five algorithms (5) as finalists. The research results and rationale for the selection of the finalists are documented in this report. The five finalists will be the subject of further study before the selection of one or more of these algorithms for inclusion in the Advanced Encryption Standard.

Results of NIST's Round 1 Testing

Although NIST relied primarily on public analysis and comments to make its selection of the Round 2 finalists, it did perform some testing of its own during Round 1, using the code that was originally provided by the submitters.


Proposed Modifications ("Tweaks")

Submitters of only four (4) of the fifteen (15) Round 1 algorithms proposed modifications to their algorithms. For a brief summary of those proposals, and NIST's assessment of those proposals, please read Section 2.8 of NIST's Round 1 Report.

Modifications were proposed by the submitters of the following four algorithms (available as ZIP files):


Additional Round 2 Information


Questions?
Press Contacts

Computer Security Division
National Institute of Standards and Technology