Second AES Candidate Conference (AES2)

Last Modified: October 24, 2000

GENERAL

Second AES Candidate Conference (AES2)

Near the end of Round 1 of the AES Development Effort, the Second AES Candidate Conference (AES2) was held on March 22-23, 1999, in Rome, Italy. At AES2, Round 1 technical analysis was presented and discussed, along with views as to which candidates should be selected as finalists for Round 2.

AES2 was followed immediately by the Sixth Fast Software Encryption Workshop (FSE6), at the same location.

The final agenda for AES2 is available.

NIST Presentations

At AES2, NIST made several presentations. Please understand that the results presented at AES2 may vary (especially regarding the Java timings) from the final results obtained by NIST.
- NIST efficiency testing results for Round 1. In addition, NIST is providing the timing harnesses it used to test the ANSI C implementations on the NIST Reference Platform (w/ Borland compiler). Intel Corp. has a helpful document which NIST used when creating the "timingtest.c" files. (Questions about this should be directed to Larry Bassham.)
- A small fraction of the NIST statistical testing results were also presented at AES2.
Slides for several of the presentations are available electronically:
- Instruction-level Parallelism in AES Candidates, Craig Clapp
- Performance Comparison of the AES Submissions, Bruce Schneier
- AES Java^TM Technology Comparisons, Alan Folmsbee
- Implementation of Four AES Candidates on Two Smart Cards, François Koeune
- On the Optimality of SAFER+ Diffusion, James Massey
- Twofish: New Results, Doug Whiting
List of speakers and titles from the Rump Session.
Miles Smid chaired a panel of algorithm submitters, which generated a lot of discussion on various AES issues. This panel included discussion of Intellectual Property (IP) issues.
NIST announced preliminary plans for the Third AES Candidate Conference (AES3). Once again, the AES and FSE conferences will be held back-to-back. More details will be made available in the coming months.
NIST presented future plans for the AES process, including important information for AES submitters about the transition from Round 1 to Round 2.
NIST received feedback from the AES2 attendees, regarding their thoughts on the candidate algorithms.

Papers

Here is the complete set of papers that were submitted to AES2, with a link to the submitters' home page (if provided). Please keep in mind that due to the short time schedule, NIST did not go through several rounds of submissions (i.e., not all papers will be "polished"). Links are provided to submitters' home pages, in case they have updated versions of their submissions.

**AES2 Paper Submissions** (presented in order of submission)
(*) = paper presented during the conference
(R) = paper presented during the "rump" session
Title	Author(s)	Size (KB)	Link
Key Schedule Classification of the AES Candidates	G. Carter, E. Dawson, L. Nielsen	191	.
Pseudorandomness and Maximum Average of Differential Probability of Block Ciphers with SPN-Structures like E2 (*)	M. Sugita, K. Kobara, H. Imai	287	.
Exploratory Candidate Algorithm Performance Characteristics In Commercial Symmetric Multiprocessing (SMP) Environments for the Advanced Encryption Standard (AES)	L. Leibrock	7	.
An Observation on the Key Schedule of Twofish (*)	F. Mirza, S. Murphy	57	.
The DFC Cipher: an attack on careless implementations (R)	I. Harvey	28	.
Future Resiliency: A Possible New AES Evaluation Criterion (R)	D. Johnson	51	.
Weaknesses in LOKI97 (*)	L. Knudsen, V. Rijmen	158	.
On the Optimality of SAFER+ Diffusion (*)	J. Massey	180	.
Report on the AES Candidates (*)	O. Baudron, H. Gilbert, L. Granboulan, H. Handschuh, A. Joux, P. Nguyen, F. Noilhan, D. Pointcheval, T. Pornin, G. Poupard, J. Stern, S. Vaudenay	234	.
DFC Update (*)	O. Baudron, H. Gilbert, L. Granboulan, H. Handschuh, R. Harley, A. Joux, P. Nguyen, F. Noilhan, D. Pointcheval, T. Pornin, G. Poupard, J. Stern, S. Vaudenay	218	.
Key Schedule Weaknesses in SAFER+ (*)	J. Kelsey, B. Schneier, D. Wagner	245
Performance Comparison of the AES Submissions (*)	B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall, N. Ferguson	257
New Results on the Twofish Encryption Algorithm (*)	(Same as previous paper)	275
AES Candidates: A Survey of Implementations	H. Lipmaa	43	.
Optimized Software Implementations of E2 (R)	K. Aoki, H. Ueda	130	.
Cryptanalysis of Magenta (*)	E. Biham, A. Biryukov, N. Ferguson, L. Knudsen, B. Schneier, A. Shamir	71	.
A Note on Comparing the AES Candidates (*)	E. Biham	134	.
Implementation Experience with AES Candidate Algorithms (* invited, but could not attend)	B. Gladman	46	.
Resistance Against Implementation Attacks: A Comparative Study of the AES Proposals (*)	J. Daemen, V. Rijmen	183	.
Power Analysis of the Key Scheduling of the AES Candidates (*)	E. Biham, A. Shamir	111	.
cAESar results: Implementation of Four AES Candidates on Two Smart Cards (*)	G. Hachez, F. Koeune, J.-J. Quisquater	208	.
A Cautionary Note Regarding Evaluation of AES Candidates on Smart-Cards (*)	S. Chari, C. Jutla, J.R. Rao, P. Rohatgi	280	.
On Differential Properties of Data-Dependent Rotations and Their Use in MARS and RC6 (*)	S. Contini, Y.L. Yin	195	.
An Analysis of Serpent-p and Serpent-p-ns (R)	O. Dunkelman	150	.
Cryptanalysis of Frog (*)	D. Wagner, N. Ferguson, B. Schneier	219
Instruction-level Parallelism in AES Candidates (*)	C. Clapp	86	.
Performance Analysis of AES candidates on the 6805 CPU core (*)	G. Keating	26
AES Java^TM Technology Comparisons (*)	A. Folmsbee	308	.

Technical contact: Morris Dworkin
Administrative/process questions: Elaine Barker, Bill Burr