Outline
Historical perspective
Description of AES-Rijndael
Description of Serpent
Comparison
Historical perspective
1998: Advanced Encryption Standard contest
1999: Serpent and Rijndael among the last 5 finalist algorithms
Along with MARS, RC6 and Twofish
Description of Rijndael
Main elements
Parameters
Key size: 128, 160, 192, 224, 256 bits
Block size: 128, 160, 192, 224, 256 bits
Number of rounds: 6 + max(Bs, Ks)/32
Operations
Two substitution tables
Rearrangement of octets
Key schedule
Description of Rijndael
State array
Size of Bs
Organized in 4-octet columns
Description of Rijndael
Rounds
1. Octets through the S-Box
2. Rows shifted
3. Columns mixed
Description of Rijndael
Key expansion
As many rounds as required
Obtain (Nr+1)·Bs/32 columns
What is AES-Rijndael?
AES recommendations for Rijndael
Block size: 128 bits
Key size:
128 bits -> AES-128 -> 10 rounds
192 bits -> AES-192 -> 12 rounds
256 bits -> AES-256 -> 14 rounds
Description of Serpent
Parameters
Key size: 128, 192, 256 bits
128- and 192-bit keys are padded with 100
Operations
8 substitution tables (S-boxes)
Linear transformation
Key schedule
Description of Serpent
Process
Initial permutation
32 rounds
Final permutation
Permutations
Statically defined
Simplifying the optimized implementation
Description of Serpent
Rounds
1. Key mixing
2. Pass through S-box
3. Linear transformation
Except for the last round (33rd subkey)
Source: Wikipedia
Description of Serpent
Linear transformation
Left-rotations
XORing
Left-shifts
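The linear transformation named on this slide, written out on four 32-bit words using only left-rotations, XORs and left-shifts, together with its inverse as used for decryption. This is an added example, not part of the original presentation; the rotation and shift amounts are taken from the Serpent specification, and the function names and sample block are constructed for illustration.

```python
# Added example: Serpent linear transformation (bitsliced form) and its inverse.
# Constants come from the Serpent specification, not from the slides.
MASK = 0xFFFFFFFF

def rotl(x, n):
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK

def rotr(x, n):
    """Rotate a 32-bit word right by n bits."""
    return rotl(x, 32 - n)

def linear_transform(x0, x1, x2, x3):
    """Mix the four words of the state after the S-box layer."""
    x0 = rotl(x0, 13)
    x2 = rotl(x2, 3)
    x1 ^= x0 ^ x2
    x3 ^= x2 ^ ((x0 << 3) & MASK)   # plain shift: bits fall off the top
    x1 = rotl(x1, 1)
    x3 = rotl(x3, 7)
    x0 ^= x1 ^ x3
    x2 ^= x3 ^ ((x1 << 7) & MASK)
    x0 = rotl(x0, 5)
    x2 = rotl(x2, 22)
    return x0, x1, x2, x3

def inverse_linear_transform(x0, x1, x2, x3):
    """Undo linear_transform by reversing each step in the opposite order."""
    x2 = rotr(x2, 22)
    x0 = rotr(x0, 5)
    x2 ^= x3 ^ ((x1 << 7) & MASK)
    x0 ^= x1 ^ x3
    x3 = rotr(x3, 7)
    x1 = rotr(x1, 1)
    x3 ^= x2 ^ ((x0 << 3) & MASK)
    x1 ^= x0 ^ x2
    x2 = rotr(x2, 3)
    x0 = rotr(x0, 13)
    return x0, x1, x2, x3

def changed_bits(word, bit):
    """Count output bits set when exactly one input bit is set (diffusion)."""
    state = [0, 0, 0, 0]
    state[word] = 1 << bit
    return sum(bin(w).count("1") for w in linear_transform(*state))

if __name__ == "__main__":
    block = (0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210)  # constructed sample
    mixed = linear_transform(*block)
    print([hex(w) for w in mixed], inverse_linear_transform(*mixed) == block)
    print("bits set from one input bit:", changed_bits(0, 0))
```

Because every step is a rotation, shift or XOR, the transformation is linear over GF(2) and runs without data-dependent table lookups or branches.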
Description of Serpent
Key expansion
Padding (100)
Affine expansion
S-boxes
Collapsing
Comparison
Process
Security
Hardware performance
Software performance
Comparison: Process
[Figure: round structure of Rijndael and Serpent side by side. Labels: S-boxes, Row shifting, Columns mixed, Round key, Key mixing, Linear t., Final t.; repetition counts 10x/12x/14x and 31x]
Comparison: Security
Rijndael
Margins (rounds): 6 insecure, 10/12/14 suggested
Best known attacks (2006): 7/8/9 rounds
Comments: Known side channel attacks (timing)
Serpent
Margins (rounds): AES: 15 insecure, 17 suggested; Authors: 16 secure, 32 suggested
Best known attacks (2006): 11 rounds
Comments: Better than or equivalent to any other 128-bit block cipher; old design
Comparison: Hardware
Rijndael
2.26 Gbit/s @ 88.5 MHz
Assets
Small number of rounds and of subkeys
Identical rounds
Drawbacks
Variable number of rounds
Key length matters
Large S-boxes
Serpent
1.96 Gbit/s @ 122.9 MHz
Assets
Fixed number of rounds
Key length does not matter
Small S-boxes
Drawbacks
Different S-box types
Larger number of rounds and of subkeys
Comparison: Software
Performance (see figures)
Serpent
2 to 6 times slower
Non-symmetrical performance
But stable performance when changing architecture
Decryption: Rijndael 1276, Serpent 2102
Conclusion
Rijndael chosen by AES: why?
Fastest for small blocks and hashes encryption
Second fastest for bulk encryption
But
Security issues
In 1999, Schneier et al. claimed there were no possible timing attacks against Rijndael
In 2006, a timing attack was found
Questions
Opposition
Sources
Network Security, Private Communication in a Public World, C. Kaufman, R. Perlman, M. Speciner, 2002
Wikipedia articles (French and English) on Rijndael, Bitwise operators, AES process and Serpent
Cryptographic Hardware and Embedded Systems, Pawel Chodowiec, 2002
Serpent, a Proposal for the AES, R. Anderson, E. Biham, L. Knudsen, 1998
Serpent homepage: www.cl.cam.ac.uk/~rja14/serpent.html
[Lutz02] 2Gbit/s Hardware Realizations of RIJNDAEL and SERPENT: A Comparative Analysis, Lutz, Treichler, Gürkaynak, Kaeslin, Basler, Erni, Reichmuth, Rommens, Oetiker, Fichtner, 2002
Sources (cont.)
A Note on Comparing AES Candidates (Revised), Biham, 1998 (?)
Performance Comparison of the AES Submissions, B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall, N. Ferguson, 1999
Performance Evaluation of the AES Finalists on the High-End Smart Card, F. Sano, M. Koike, S. Kawamura, M. Shiba, 2000
Performance Comparison of 5 AES Candidates with New Performance Evaluation Tool, M. Takenaka, N. Torii, K. Itoh, J. Yajima, 2000
Instruction-level Parallelism in AES Candidates, C.S.K. Clapp, 1999
How Well Are High-End DSPs Suited for the AES Algorithms, T. J. Wollinger, M. Wang, J. Guajardo, C. Paar, 2000
Comments
Non-exhaustive listing and extracts of sources are available here:
http://www.google.com/notebook/public/02330310943113180415/BDRkjSwoQiJ-sle4h
Interesting links for both Serpent and Rijndael (and others) can be found here:
http://www.users.zetnet.co.uk/hopwood/crypto/scan/cs.html
Figures were made specifically for this presentation, unless stated otherwise