Comparison AES-Rijndael/Serpent
23
Comparison AES-Rijndael/ Serpent 2G1704: Internet Security and Privacy Weltz Max
description
Comparison AES-Rijndael/Serpent. 2G1704: Internet Security and Privacy Weltz Max. Outline. Historical perspective Description of AES-Rijndael Description of Serpent Comparison. Historical perspective. 1998 Advanced Encryption Standard contest - PowerPoint PPT Presentation
Transcript of Comparison AES-Rijndael/Serpent
ComparisonAES-Rijndael/
Serpent
ComparisonAES-Rijndael/
Serpent
2G1704: Internet Security and Privacy
Weltz Max
2G1704: Internet Security and Privacy
Weltz Max
OutlineOutline
• Historical perspective• Description of AES-Rijndael• Description of Serpent• Comparison
• Historical perspective• Description of AES-Rijndael• Description of Serpent• Comparison
Historical perspectiveHistorical perspective
• 1998 Advanced Encryption Standard contest
• 1999 Serpent and Rijndael among the last 5 finalist algorithms– Along with Mars, RC6 and Twofish
• 2000 Rijndael selected as AES algorithm
• 1998 Advanced Encryption Standard contest
• 1999 Serpent and Rijndael among the last 5 finalist algorithms– Along with Mars, RC6 and Twofish
• 2000 Rijndael selected as AES algorithm
• Main elements– Parameters
• Key size: 128, 160, 192, 224, 256bits• Block size: 128, 160, 192, 224,
256bits• Number of rounds: 6+max(Bs,Ks)
– Operations • Two substitutions tables• Rearrangement of octets• Key schedule
• Main elements– Parameters
• Key size: 128, 160, 192, 224, 256bits• Block size: 128, 160, 192, 224,
256bits• Number of rounds: 6+max(Bs,Ks)
– Operations • Two substitutions tables• Rearrangement of octets• Key schedule
Description of RijndaelDescription of Rijndael
------------------------------3232
Description of RijndaelDescription of Rijndael• State array
– Size of Bs– Organized in 4-octet columns
• State array– Size of Bs– Organized in 4-octet columns
Description of RijndaelDescription of Rijndael
• Rounds1. Octets through
the S-Box2. Rows shifted3. Columns mixed
• Rounds1. Octets through
the S-Box2. Rows shifted3. Columns mixed
Description of
Rijndael
Description of
Rijndael
• Key expansion– As many round as required
– Obtain (Nr+1)Bs/32 columns
• Key expansion– As many round as required
– Obtain (Nr+1)Bs/32 columns
What is AES-Rijndael?What is AES-Rijndael?
• AES’ recommendations for Rijndael– Block size:
•128-bits
– Key size:•128bits -> AES-128 -> 10 rounds•196bits -> AES-196 -> 12 rounds•256bits -> AES-256 -> 14 rounds
• AES’ recommendations for Rijndael– Block size:
•128-bits
– Key size:•128bits -> AES-128 -> 10 rounds•196bits -> AES-196 -> 12 rounds•256bits -> AES-256 -> 14 rounds
Description of SerpentDescription of Serpent
• Parameters– Key size: 128, 192, 256bits
• 128 and 192bit keys are padded with 100…
– Block size: 128bits– Number of rounds: 32
• 16 rounds are supposedly enough
• Operations – 8 substitution tables (S-boxes)– Linear transformation– Key schedule
• Parameters– Key size: 128, 192, 256bits
• 128 and 192bit keys are padded with 100…
– Block size: 128bits– Number of rounds: 32
• 16 rounds are supposedly enough
• Operations – 8 substitution tables (S-boxes)– Linear transformation– Key schedule
Description of SerpentDescription of Serpent
• Process– Initial permutation
– 32 Rounds– Final permutation
• Permutations– Statically defined
– Simplifying the optimized implementation
• Process– Initial permutation
– 32 Rounds– Final permutation
• Permutations– Statically defined
– Simplifying the optimized implementation
Description of SerpentDescription of Serpent
• Rounds1. Key mixing2. Pass through S-
box3. Linear
transformation• Except for the
last round– ( 33rd subkey)
• Rounds1. Key mixing2. Pass through S-
box3. Linear
transformation• Except for the
last round– ( 33rd subkey)
Descriptionof SerpentDescriptionof Serpent• Linear transformation– Left-rotations ’ing– Left-shifts
• Linear transformation– Left-rotations ’ing– Left-shifts
Source: Wikipedia
Descriptionof SerpentDescriptionof Serpent• Key expansion
– Padding (100…)– Affine expansion
– S-boxes– Collapsing
• Key expansion– Padding (100…)– Affine expansion
– S-boxes– Collapsing
ComparisonComparison
• Process• Security• Hardware performance• Software performance
• Process• Security• Hardware performance• Software performance
Comparison: ProcessComparison: Process
Rijndael Serpent
Round10x12x14x
•S-boxes•Raw shifting•Columns mixed Round Key
31x
•Key mixing•S-boxes•Linear t.
Final t.
•Key mixing•S-boxes•Key mixing
Adapted from [Lutz02]
Comparison: SecurityComparison: SecurityRijndael Serpent
Margins (rounds)
•6 insecure•10/12/14 suggested
AES•15 insecure•17 suggested
Authors•16: secure•32 suggested
Best known attacks (2006)
7/8/9 rounds 11 rounds
Comments Known side channel attacks (timing)
•Better than or equivalent to any other 128bit block cipher•Old design
Comparison: HardwareComparison: Hardware
• Rijndael– 2.26Gbit/s @ 88.5MHz– Assets
• Small number– Of rounds– Of subkeys
• Identical rounds
– Drawbacks• Variable number of
rounds• Key length matters• Large S-boxes
• Rijndael– 2.26Gbit/s @ 88.5MHz– Assets
• Small number– Of rounds– Of subkeys
• Identical rounds
– Drawbacks• Variable number of
rounds• Key length matters• Large S-boxes
• Serpent– 1.96Gbit/s @ 122.9MHz– Assets
• Fixed number of rounds• Key lengths does not matter• Small S-boxes
– Drawbacks• Different S-Box types• Larger number
– Of rounds– Of subkeys
• No hardware shared between encryption and decryption
• Serpent– 1.96Gbit/s @ 122.9MHz– Assets
• Fixed number of rounds• Key lengths does not matter• Small S-boxes
– Drawbacks• Different S-Box types• Larger number
– Of rounds– Of subkeys
• No hardware shared between encryption and decryption
Comparison: SoftwareComparison: Software
Rijndael Serpent
Encryption1276 | 440/291
1800 | 1030/900
Decryption 1276 2102
• Performance (see figures)
– Serpent• 2 to 6 times slower• Non-symmetrical performances• But stable performances when changing architecture
• Performance (see figures)
– Serpent• 2 to 6 times slower• Non-symmetrical performances• But stable performances when changing architecture
Pentium 133Mhz MMX | Pentium Pro C/Pentium Pro ASM
ConclusionConclusion
• Rijndael chosen by AES: why?– Fastest for small blocks and hashes encryption
– Second fastest for bulk encryption
• But– Security issues
• In 1999, Schneier et al. claimed there was no possible timing attacks against Rijndael…
• In 2006, a timing attack is found
– Serpent is more secure if you are ready to spend more time
• Rijndael chosen by AES: why?– Fastest for small blocks and hashes encryption
– Second fastest for bulk encryption
• But– Security issues
• In 1999, Schneier et al. claimed there was no possible timing attacks against Rijndael…
• In 2006, a timing attack is found
– Serpent is more secure if you are ready to spend more time
• Questions• Opposition• Questions
• Opposition
SourcesSources
• Network Security, Private Communication in a Public World, C. Kaufman, R. Perlman, M. Speciner, 2002
• Wikipedia’s articles (French and English) on Rijndael, Bitwise operators, AES process and Serpent
• Cryptographic Hardware and Embedded Systems, Pawel Chodowiec, 2002
• Network Security, Private Communication in a Public World, C. Kaufman, R. Perlman, M. Speciner, 2002
• Wikipedia’s articles (French and English) on Rijndael, Bitwise operators, AES process and Serpent
• Cryptographic Hardware and Embedded Systems, Pawel Chodowiec, 2002
• Serpent, a Proposal for the AES, R. Anderson, E. Biham, L. Knudsen, 1998
• Serpent homepage www.cl.cam.ac.uk/~rja14/serpent.html
• [Lutz02]2Gbit/s Hardware Realizations of RIJNDAEL and SERPENT: A Comparative Analysis, Lutz, Treichler, Gürkaynak, Kaeslin, Basler, Erni, Reichmuth, Rommens, Oetiker, Fichtner, 2002
• Serpent, a Proposal for the AES, R. Anderson, E. Biham, L. Knudsen, 1998
• Serpent homepage www.cl.cam.ac.uk/~rja14/serpent.html
• [Lutz02]2Gbit/s Hardware Realizations of RIJNDAEL and SERPENT: A Comparative Analysis, Lutz, Treichler, Gürkaynak, Kaeslin, Basler, Erni, Reichmuth, Rommens, Oetiker, Fichtner, 2002
Sources (cont.)Sources (cont.)
• A Note on Comparing AES Candidates (Revised), Biham, 1998 (?)
• Performance Comparison of the AES Submissions, B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall, N. Ferguson, 1999
• Performance Evaluation fo the AES Finalists on the High-End Smart Card, F. Sano, M. Koike, S. Kawamura, M. Shiba, 2000
• A Note on Comparing AES Candidates (Revised), Biham, 1998 (?)
• Performance Comparison of the AES Submissions, B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall, N. Ferguson, 1999
• Performance Evaluation fo the AES Finalists on the High-End Smart Card, F. Sano, M. Koike, S. Kawamura, M. Shiba, 2000
• Performance Comparison of 5 AES Candidates with New Performance Evaluation Tool, M. Takenaka, N. Torii, K. Itoh, J. Yajima, 2000
• Instruction-level Parallelism in AES Candidates, C.S.K. Clapp, 1999
• How Well Are High-End DSPs Suites for the AES Algorithms, T. J. Wollinger, M. Wang, J. Guajardo, C. Paar, 2000
• Performance Comparison of 5 AES Candidates with New Performance Evaluation Tool, M. Takenaka, N. Torii, K. Itoh, J. Yajima, 2000
• Instruction-level Parallelism in AES Candidates, C.S.K. Clapp, 1999
• How Well Are High-End DSPs Suites for the AES Algorithms, T. J. Wollinger, M. Wang, J. Guajardo, C. Paar, 2000
CommentsComments• Non-exhaustive listing and extracts of sources are available here: – http://www.google.com/notebook/public/02330310943113180415/BDRkjSwoQiJ-sle4h
• Interesting links for both Serpent and Rijndael (and others) can be found here:– http://www.users.zetnet.co.uk/hopwood/crypto/scan/cs.html
• Figures where realized specially for this presentation, except stated otherwise
• Non-exhaustive listing and extracts of sources are available here: – http://www.google.com/notebook/public/02330310943113180415/BDRkjSwoQiJ-sle4h
• Interesting links for both Serpent and Rijndael (and others) can be found here:– http://www.users.zetnet.co.uk/hopwood/crypto/scan/cs.html
• Figures where realized specially for this presentation, except stated otherwise
