230 likes | 293 Views
Comparison AES-Rijndael/Serpent. 2G1704: Internet Security and Privacy Weltz Max. Outline. Historical perspective Description of AES-Rijndael Description of Serpent Comparison. Historical perspective. 1998 Advanced Encryption Standard contest
E N D
ComparisonAES-Rijndael/Serpent 2G1704: Internet Security and Privacy Weltz Max
Outline • Historical perspective • Description of AES-Rijndael • Description of Serpent • Comparison
Historical perspective • 1998 Advanced Encryption Standard contest • 1999 Serpent and Rijndael among the last 5 finalist algorithms • Along with Mars, RC6 and Twofish • 2000 Rijndael selected as AES algorithm
--------------- 32 Description of Rijndael • Main elements • Parameters • Key size: 128, 160, 192, 224, 256bits • Block size: 128, 160, 192, 224, 256bits • Number of rounds: 6+max(Bs,Ks) • Operations • • Two substitutions tables • Rearrangement of octets • Key schedule
Description of Rijndael • State array • Size of Bs • Organized in 4-octet columns
Description of Rijndael • Rounds • Octets through the S-Box • Rows shifted • Columns mixed
Description of Rijndael • Key expansion • As many round as required • Obtain (Nr+1)Bs/32 columns
What is AES-Rijndael? • AES’ recommendations for Rijndael • Block size: • 128-bits • Key size: • 128bits -> AES-128 -> 10 rounds • 196bits -> AES-196 -> 12 rounds • 256bits -> AES-256 -> 14 rounds
Description of Serpent • Parameters • Key size: 128, 192, 256bits • 128 and 192bit keys are padded with 100… • Block size: 128bits • Number of rounds: 32 • 16 rounds are supposedly enough • Operations • • 8 substitution tables (S-boxes) • Linear transformation • Key schedule
Description of Serpent • Process • Initial permutation • 32 Rounds • Final permutation • Permutations • Statically defined • Simplifying the optimized implementation
Description of Serpent • Rounds • Key mixing • Pass through S-box • Linear transformation • Except for the last round • ( 33rd subkey)
Source: Wikipedia Descriptionof Serpent • Linear transformation • Left-rotations • ’ing • Left-shifts
Descriptionof Serpent • Key expansion • Padding (100…) • Affine expansion • S-boxes • Collapsing
Comparison • Process • Security • Hardware performance • Software performance
Adapted from [Lutz02] Comparison: Process
Rijndael 2.26Gbit/s @ 88.5MHz Assets Small number Of rounds Of subkeys Identical rounds Drawbacks Variable number of rounds Key length matters Large S-boxes Serpent 1.96Gbit/s @ 122.9MHz Assets Fixed number of rounds Key lengths does not matter Small S-boxes Drawbacks Different S-Box types Larger number Of rounds Of subkeys No hardware shared between encryption and decryption Comparison: Hardware
Comparison: Software • Performance(see figures) • Serpent • 2 to 6 times slower • Non-symmetrical performances • But stable performances when changing architecture Pentium 133Mhz MMX | Pentium Pro C/Pentium Pro ASM
Conclusion • Rijndael chosen by AES: why? • Fastest for small blocks and hashes encryption • Second fastest for bulk encryption • But • Security issues • In 1999, Schneier et al. claimed there was no possible timing attacks against Rijndael… • In 2006, a timing attack is found • Serpent is more secure if you are ready to spend more time
Network Security, Private Communication in a Public World, C. Kaufman, R. Perlman, M. Speciner, 2002 Wikipedia’s articles (French and English) on Rijndael, Bitwise operators, AES process and Serpent Cryptographic Hardware and Embedded Systems, Pawel Chodowiec, 2002 Serpent, a Proposal for the AES, R. Anderson, E. Biham, L. Knudsen, 1998 Serpent homepage www.cl.cam.ac.uk/~rja14/serpent.html [Lutz02]2Gbit/s Hardware Realizations of RIJNDAEL and SERPENT: A Comparative Analysis, Lutz, Treichler, Gürkaynak, Kaeslin, Basler, Erni, Reichmuth, Rommens, Oetiker, Fichtner, 2002 Sources
A Note on Comparing AES Candidates (Revised), Biham, 1998 (?) Performance Comparison of the AES Submissions, B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall, N. Ferguson, 1999 Performance Evaluation fo the AES Finalists on the High-End Smart Card, F. Sano, M. Koike, S. Kawamura, M. Shiba, 2000 Performance Comparison of 5 AES Candidates with New Performance Evaluation Tool, M. Takenaka, N. Torii, K. Itoh, J. Yajima, 2000 Instruction-level Parallelism in AES Candidates, C.S.K. Clapp, 1999 How Well Are High-End DSPs Suites for the AES Algorithms, T. J. Wollinger, M. Wang, J. Guajardo, C. Paar, 2000 Sources (cont.)
Comments • Non-exhaustive listing and extracts of sources are available here: • http://www.google.com/notebook/public/02330310943113180415/BDRkjSwoQiJ-sle4h • Interesting links for both Serpent and Rijndael (and others) can be found here: • http://www.users.zetnet.co.uk/hopwood/crypto/scan/cs.html • Figures where realized specially for this presentation, except stated otherwise