AES Round 2 Information

Last Modified: October 24, 2000

GENERAL
AES Home Page
Rijndael Information
Modes of Operation
Discussion Forum
Recent News
ROUND 2
(8/1999-5/2000)
Finalist Algorithms
Round 2 Analysis
Round 2 Comments
3rd AES Conference
ROUND 1
(8/1998-4/1999)
R1 Algorithms
R1 Announcement
R1 Comments
2nd AES Conference
1st AES Conference
Pre-ROUND 1
(1/1997-7/1998)
Call for Candidates
AES Beginnings

AES Round 2 Finalists

Algorithm Name Submitter Name(s)
MARS IBM (represented by Nevenko Zunic)
RC6TM RSA Laboratories (represented by Burt Kaliski)
Rijndael Joan Daemen, Vincent Rijmen
Serpent Ross Anderson, Eli Biham, Lars Knudsen
Twofish Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson


Round 2 Analysis

More information is available regarding Round 2 analysis of the finalists.


Round 2 Public Comments

On September 15, 1999, a Federal Register announcement called for public comments on the AES finalists. That announcement also presented some suggested topics for public comments.

NIST has also developed a white paper [PDF] to promote discussion of important Round 2 issues.

Beginning December 8, 1999, NIST made available all public comments received-to-date, in order to generate more analysis and discussion during Round 2.


AES3 Conference

The Third AES Candidate Conference (AES3) was held in New York City, 13-14 April 2000, near the end of Round 2.


NIST's Round 1 Report

NIST developed a document, Status Report on the First Round of the Development of the Advanced Encryption Standard [PDF] which summarized Round 1 analysis and presents NIST's selection of the finalists for Round 2. (Addenda [PDF] for the Round 1 Report are also available. Last updated October 1, 1999.)

Here is an abstract for the status report:

Abstract: In 1997, the National Institute of Standards and Technology (NIST) initiated a process to select a symmetric-key encryption algorithm to be used to protect sensitive (unclassified) Federal information in furtherance of NIST's statutory responsibilities. In 1998, NIST announced the acceptance of fifteen candidate algorithms and requested the assistance of the cryptographic research community in analyzing the candidates. This analysis included an initial examination of the security and efficiency characteristics for each algorithm. NIST has reviewed the results of this research and selected five algorithms (5) as finalists. The research results and rationale for the selection of the finalists are documented in this report. The five finalists will be the subject of further study before the selection of one or more of these algorithms for inclusion in the Advanced Encryption Standard.

Results of NIST's Round 1 Testing

Although NIST relied primarily on public analysis and comments to make its selection of the Round 2 finalists, it did perform some testing of its own during Round 1, using the code that was originally provided by the submitters.


Proposed Modifications ("Tweaks")

Submitters of only four (4) of the fifteen (15) Round 1 algorithms proposed modifications to their algorithms. For a brief summary of those proposals, and NIST's assessment of those proposals, please read Section 2.8 of NIST's Round 1 Report.

Modifications were proposed by the submitters of the following four algorithms (available as ZIP files):


Additional Round 2 Information


Questions?
Press Contacts

Computer Security Division
National Institute of Standards and Technology