Comparison between AES-Rijndael and Serpent
23
Comparison AES-Rijndael/ Serpent 2G1704: Internet Security and Privacy Weltz Max
description
Comparison of Rijndael (AES) and Serpent algorithm for encryption. Software, hardware and security issues are covered on those slides.
Transcript of Comparison between AES-Rijndael and Serpent
ComparisonAES-Rijndael/
Serpent
ComparisonAES-Rijndael/
Serpent
2G1704: Internet Security and Privacy
Weltz Max
2G1704: Internet Security and Privacy
Weltz Max
OutlineOutline
• Historical perspective• Description of AES-Rijndael• Description of Serpent• Comparison
• Historical perspective• Description of AES-Rijndael• Description of Serpent• Comparison
Historical perspectiveHistorical perspective
• 1998 Advanced Encryption Standard contest
• 1999 Serpent and Rijndael among the last 5 finalist algorithms– Along with Mars, RC6 and Twofish
• 2000 Rijndael selected as AES algorithm
• 1998 Advanced Encryption Standard contest
• 1999 Serpent and Rijndael among the last 5 finalist algorithms– Along with Mars, RC6 and Twofish
• 2000 Rijndael selected as AES algorithm
• Main elements– Parameters
• Key size: 128, 160, 192, 224, 256bits• Block size: 128, 160, 192, 224,
256bits• Number of rounds: 6+max(Bs,Ks)
– Operations • Two substitutions tables• Rearrangement of octets• Key schedule
• Main elements– Parameters
• Key size: 128, 160, 192, 224, 256bits• Block size: 128, 160, 192, 224,
256bits• Number of rounds: 6+max(Bs,Ks)
– Operations • Two substitutions tables• Rearrangement of octets• Key schedule
Description of RijndaelDescription of Rijndael
------------------------------3232
Description of RijndaelDescription of Rijndael• State array
– Size of Bs– Organized in 4-octet columns
• State array– Size of Bs– Organized in 4-octet columns
Description of RijndaelDescription of Rijndael
• Rounds1. Octets through
the S-Box2. Rows shifted3. Columns mixed
• Rounds1. Octets through
the S-Box2. Rows shifted3. Columns mixed
Description of
Rijndael
Description of
Rijndael
• Key expansion– As many round as required
– Obtain (Nr+1)Bs/32 columns
• Key expansion– As many round as required
– Obtain (Nr+1)Bs/32 columns
What is AES-Rijndael?What is AES-Rijndael?
• AES’ recommendations for Rijndael– Block size:
•128-bits
– Key size:•128bits -> AES-128 -> 10 rounds•196bits -> AES-196 -> 12 rounds•256bits -> AES-256 -> 14 rounds
• AES’ recommendations for Rijndael– Block size:
•128-bits
– Key size:•128bits -> AES-128 -> 10 rounds•196bits -> AES-196 -> 12 rounds•256bits -> AES-256 -> 14 rounds
Description of SerpentDescription of Serpent
• Parameters– Key size: 128, 192, 256bits
• 128 and 192bit keys are padded with 100…
– Block size: 128bits– Number of rounds: 32
• 16 rounds are supposedly enough
• Operations – 8 substitution tables (S-boxes)– Linear transformation– Key schedule
• Parameters– Key size: 128, 192, 256bits
• 128 and 192bit keys are padded with 100…
– Block size: 128bits– Number of rounds: 32
• 16 rounds are supposedly enough
• Operations – 8 substitution tables (S-boxes)– Linear transformation– Key schedule
Description of SerpentDescription of Serpent
• Process– Initial permutation
– 32 Rounds– Final permutation
• Permutations– Statically defined
– Simplifying the optimized implementation
• Process– Initial permutation
– 32 Rounds– Final permutation
• Permutations– Statically defined
– Simplifying the optimized implementation
Description of SerpentDescription of Serpent
• Rounds1. Key mixing2. Pass through S-
box3. Linear
transformation• Except for the
last round– ( 33rd subkey)
• Rounds1. Key mixing2. Pass through S-
box3. Linear
transformation• Except for the
last round– ( 33rd subkey)
Descriptionof SerpentDescriptionof Serpent• Linear transformation– Left-rotations ’ing– Left-shifts
• Linear transformation– Left-rotations ’ing– Left-shifts
Source: Wikipedia
Descriptionof SerpentDescriptionof Serpent• Key expansion
– Padding (100…)– Affine expansion
– S-boxes– Collapsing
• Key expansion– Padding (100…)– Affine expansion
– S-boxes– Collapsing
ComparisonComparison
• Process• Security• Hardware performance• Software performance
• Process• Security• Hardware performance• Software performance
Comparison: ProcessComparison: Process
Rijndael Serpent
Round10x12x14x
•S-boxes•Raw shifting•Columns mixed Round Key
31x
•Key mixing•S-boxes•Linear t.
Final t.
•Key mixing•S-boxes•Key mixing
Adapted from [Lutz02]
Comparison: SecurityComparison: SecurityRijndael Serpent
Margins (rounds)
•6 insecure•10/12/14 suggested
AES•15 insecure•17 suggested
Authors•16: secure•32 suggested
Best known attacks (2006)
7/8/9 rounds 11 rounds
Comments Known side channel attacks (timing)
•Better than or equivalent to any other 128bit block cipher•Old design
Comparison: HardwareComparison: Hardware
• Rijndael– 2.26Gbit/s @ 88.5MHz– Assets
• Small number– Of rounds– Of subkeys
• Identical rounds
– Drawbacks• Variable number of
rounds• Key length matters• Large S-boxes
• Rijndael– 2.26Gbit/s @ 88.5MHz– Assets
• Small number– Of rounds– Of subkeys
• Identical rounds
– Drawbacks• Variable number of
rounds• Key length matters• Large S-boxes
• Serpent– 1.96Gbit/s @ 122.9MHz– Assets
• Fixed number of rounds• Key lengths does not matter• Small S-boxes
– Drawbacks• Different S-Box types• Larger number
– Of rounds– Of subkeys
• No hardware shared between encryption and decryption
• Serpent– 1.96Gbit/s @ 122.9MHz– Assets
• Fixed number of rounds• Key lengths does not matter• Small S-boxes
– Drawbacks• Different S-Box types• Larger number
– Of rounds– Of subkeys
• No hardware shared between encryption and decryption
Comparison: SoftwareComparison: Software
Rijndael Serpent
Encryption1276 | 440/291
1800 | 1030/900
Decryption 1276 2102
• Performance (see figures)
– Serpent• 2 to 6 times slower• Non-symmetrical performances• But stable performances when changing architecture
• Performance (see figures)
– Serpent• 2 to 6 times slower• Non-symmetrical performances• But stable performances when changing architecture
Pentium 133Mhz MMX | Pentium Pro C/Pentium Pro ASM
ConclusionConclusion
• Rijndael chosen by AES: why?– Fastest for small blocks and hashes encryption
– Second fastest for bulk encryption
• But– Security issues
• In 1999, Schneier et al. claimed there was no possible timing attacks against Rijndael…
• In 2006, a timing attack is found
– Serpent is more secure if you are ready to spend more time
• Rijndael chosen by AES: why?– Fastest for small blocks and hashes encryption
– Second fastest for bulk encryption
• But– Security issues
• In 1999, Schneier et al. claimed there was no possible timing attacks against Rijndael…
• In 2006, a timing attack is found
– Serpent is more secure if you are ready to spend more time
• Questions• Opposition• Questions
• Opposition
SourcesSources
• Network Security, Private Communication in a Public World, C. Kaufman, R. Perlman, M. Speciner, 2002
• Wikipedia’s articles (French and English) on Rijndael, Bitwise operators, AES process and Serpent
• Cryptographic Hardware and Embedded Systems, Pawel Chodowiec, 2002
• Network Security, Private Communication in a Public World, C. Kaufman, R. Perlman, M. Speciner, 2002
• Wikipedia’s articles (French and English) on Rijndael, Bitwise operators, AES process and Serpent
• Cryptographic Hardware and Embedded Systems, Pawel Chodowiec, 2002
• Serpent, a Proposal for the AES, R. Anderson, E. Biham, L. Knudsen, 1998
• Serpent homepage www.cl.cam.ac.uk/~rja14/serpent.html
• [Lutz02]2Gbit/s Hardware Realizations of RIJNDAEL and SERPENT: A Comparative Analysis, Lutz, Treichler, Gürkaynak, Kaeslin, Basler, Erni, Reichmuth, Rommens, Oetiker, Fichtner, 2002
• Serpent, a Proposal for the AES, R. Anderson, E. Biham, L. Knudsen, 1998
• Serpent homepage www.cl.cam.ac.uk/~rja14/serpent.html
• [Lutz02]2Gbit/s Hardware Realizations of RIJNDAEL and SERPENT: A Comparative Analysis, Lutz, Treichler, Gürkaynak, Kaeslin, Basler, Erni, Reichmuth, Rommens, Oetiker, Fichtner, 2002
Sources (cont.)Sources (cont.)
• A Note on Comparing AES Candidates (Revised), Biham, 1998 (?)
• Performance Comparison of the AES Submissions, B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall, N. Ferguson, 1999
• Performance Evaluation fo the AES Finalists on the High-End Smart Card, F. Sano, M. Koike, S. Kawamura, M. Shiba, 2000
• A Note on Comparing AES Candidates (Revised), Biham, 1998 (?)
• Performance Comparison of the AES Submissions, B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall, N. Ferguson, 1999
• Performance Evaluation fo the AES Finalists on the High-End Smart Card, F. Sano, M. Koike, S. Kawamura, M. Shiba, 2000
• Performance Comparison of 5 AES Candidates with New Performance Evaluation Tool, M. Takenaka, N. Torii, K. Itoh, J. Yajima, 2000
• Instruction-level Parallelism in AES Candidates, C.S.K. Clapp, 1999
• How Well Are High-End DSPs Suites for the AES Algorithms, T. J. Wollinger, M. Wang, J. Guajardo, C. Paar, 2000
• Performance Comparison of 5 AES Candidates with New Performance Evaluation Tool, M. Takenaka, N. Torii, K. Itoh, J. Yajima, 2000
• Instruction-level Parallelism in AES Candidates, C.S.K. Clapp, 1999
• How Well Are High-End DSPs Suites for the AES Algorithms, T. J. Wollinger, M. Wang, J. Guajardo, C. Paar, 2000
CommentsComments• Non-exhaustive listing and extracts of sources are available here: – http://www.google.com/notebook/public/02330310943113180415/BDRkjSwoQiJ-sle4h
• Interesting links for both Serpent and Rijndael (and others) can be found here:– http://www.users.zetnet.co.uk/hopwood/crypto/scan/cs.html
• Figures where realized specially for this presentation, except stated otherwise
• Non-exhaustive listing and extracts of sources are available here: – http://www.google.com/notebook/public/02330310943113180415/BDRkjSwoQiJ-sle4h
• Interesting links for both Serpent and Rijndael (and others) can be found here:– http://www.users.zetnet.co.uk/hopwood/crypto/scan/cs.html
• Figures where realized specially for this presentation, except stated otherwise
