Comparison AESRijndael/Serpent

2G1704: Internet Security and Privacy Weltz Max

Outline
• Historical perspective • Description of AES-Rijndael • Description of Serpent • Comparison

Historical perspective
• 1998 Advanced Encryption Standard contest • 1999 Serpent and Rijndael among the last 5 finalist algorithms

• 2000 Rijndael selected as AES algorithm

– Along with Mars, RC6 and Twofish

Description of Rijndael
• Main elements
– Parameters
• Key size: 128, 160, 192, 224, 256bits • Block size: 128, 160, 192, 224, --------256bits 32 • Number of rounds: -----6+max(Bs,Ks) ∀ • • • ⊕ Two substitutions tables Rearrangement of octets Key schedule

– Operations

Description of Rijndael
• State array
– Size of Bs – Organized in 4octet columns

Description of Rijndael
• Rounds
– Octets through the S-Box – Rows shifted – Columns mixed

Descriptio n of Rijndael

• Key expansion

– As many round as required – Obtain (Nr+1)Bs/32

What is AES-Rijndael?
• AES’ recommendations for Rijndael
– Block size: – Key size:
• 128-bits

• 128bits -> AES-128 -> 10 rounds • 196bits -> AES-196 -> 12 rounds • 256bits -> AES-256 -> 14 rounds

Description of Serpent
• Parameters
– Key size: 128, 192, 256bits – Block size: 128bits – Number of rounds: 32
• 128 and 192bit keys are padded with 100…

• Operations

• 16 rounds are supposedly enough

⊕ – 8 substitution tables (S-boxes) – Linear transformation – Key schedule

Description of Serpent
• Process
– Initial permutation – 32 Rounds – Final permutation

• Permutations

– Statically defined – Simplifying the optimized

Description of Serpent
• Rounds
– Key mixing – Pass through Sbox – Linear transformation
• Except for the last round
– (⊕ 33rd subkey)

Source: Wikipedia

Description of Serpent
• Linear transformation
– Left-rotations ⊕’ing – Left-shifts

Description of Serpent
• Key expansion
– Padding (100…) – Affine expansion – S-boxes – Collapsing

Comparison
• Process • Security • Hardware performance • Software performance

Adapted from [Lutz02]

Comparison: Process
•S-boxes 10x •Raw shifting Round 12x •Columns 14x mixed ∀⊕ Round Key Final t.

Rijndael

•Key mixing 31 •S-boxes x •Linear t. •Key mixing •S-boxes •Key mixing

Serpent

Comparison: Security
Rijndael
Margins (rounds)
•6 insecure •10/12/14 suggested AES •15 insecure •17 suggeste d

Serpent

Best known attacks 7/8/9 rounds (2006) Comments

Authors •16: secure •32 suggeste d

11 rounds

•Better than or equivalent to any Known side channel other 128bit block attacks (timing) cipher •Old design

Comparison: Hardware
• Rijndael
• Serpent – 2.26Gbit/s @ 88.5MHz – Assets
• Small number
– Of rounds – Of subkeys

– 1.96Gbit/s @ 122.9MHz – Assets
• Fixed number of rounds • Key lengths does not matter • Small S-boxes

• Identical rounds

– Drawbacks
• Different S-Box types • Larger number
– Of rounds – Of subkeys

– Drawbacks
• Variable number of rounds • Key length matters • Large S-boxes

• No hardware shared between encryption and decryption

Comparison: Software
• Performance
– Serpent
(see figures)

• 2 to 6 times slower • Non-symmetrical performances • But stable performances when changing architecture

Rijndael
Encryption Decryption 1276 | 440/291 1276

Serpent
1800 | 1030/900 2102

Pentium 133Mhz MMX | Pentium Pro C/Pentium Pro ASM

Conclusion
• Rijndael chosen by AES: why?
– Fastest for small blocks and hashes encryption – Second fastest for bulk encryption – Security issues

• But

– Serpent is more secure if you are ready to spend more time

• In 1999, Schneier et al. claimed there was no possible timing attacks against Rijndael… • In 2006, a timing attack is found

• Questions • Opposition

Sources
• Network Security, Private Communication in a Public World, C. Kaufman, R. Perlman, M. Speciner, 2002 • Wikipedia’s articles (French and English) on Rijndael, Bitwise operators, AES process and Serpent • Cryptographic Hardware and Embedded Systems, • Serpent, a Proposal for the AES, R. Anderson, E. Biham, L. Knudsen, 1998 • Serpent homepage www.cl
.cam.ac.uk/~rja14/serpent.html

• [Lutz02]2Gbit/s Hardware Realizations of RIJNDAEL and SERPENT: A Comparative Analysis, Lutz, Treichler, Gürkaynak, Kaeslin, Basler, Erni, Reichmuth, Rommens, Oetiker, Fichtner, 2002

Sources (cont.)
• A Note on Comparing AES Candidates (Revised), Biham, 1998 (?) • Performance Comparison of the AES Submissions, B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall, N. Ferguson, 1999 • Performance Evaluation fo the AES Finalists on the High-End Smart Card, F. Sano, M. Koike, S. Kawamura, M. Shiba, 2000 • Performance Comparison of 5 AES Candidates with New Performance Evaluation Tool, M. Takenaka, N. Torii, K. Itoh, J. Yajima, 2000

• Instruction-level Parallelism in AES Candidates, C.S.K. Clapp, 1999 • How Well Are High-End DSPs Suites for the AES Algorithms, T. J. Wollinger, M. Wang, J. Guajardo, C. Paar, 2000

Comments
• Non-exhaustive listing and extracts of sources are available here: • Interesting links for both Serpent and Rijndael (and others) can be found here: • Figures where realized specially for this presentation, except stated otherwise
– http://www.google .com/notebook/public/02330310943113180415/BDRkjSwoQiJ-sle4h

– http://www.users.zetnet.co.uk/hopwood/crypto/scan/cs.html

Master your semester with Scribd & The New York Times

Special offer for students: Only $4.99/month.

Master your semester with Scribd & The New York Times

Cancel anytime.