Comparison AES-Rijndael/Serpent

1
ComparisonAES-Rijndael/Serpent

• 2G1704 Internet Security and Privacy
• Weltz Max

2
Outline

• Historical perspective
• Description of AES-Rijndael
• Description of Serpent
• Comparison

3
Historical perspective

• 1998 Advanced Encryption Standard contest
• 1999 Serpent and Rijndael among the last 5
  finalist algorithms
• Along with Mars, RC6 and Twofish
• 2000 Rijndael selected as AES algorithm

4
Description of Rijndael

• Main elements
• Parameters
• Key size 128, 160, 192, 224, 256bits
• Block size 128, 160, 192, 224, 256bits
• Number of rounds 6max(Bs,Ks)
• Operations
• ?
• Two substitutions tables
• Rearrangement of octets
• Key schedule

5
Description of Rijndael

• State array
• Size of Bs
• Organized in 4-octet columns

6
Description of Rijndael

• Rounds
• Octets through the S-Box
• Rows shifted
• Columns mixed

7
Description of Rijndael

• Key expansion
• As many round as required
• Obtain (Nr1)Bs/32 columns

8
What is AES-Rijndael?

• AES recommendations for Rijndael
• Block size
• 128-bits
• Key size
• 128bits -gt AES-128 -gt 10 rounds
• 196bits -gt AES-196 -gt 12 rounds
• 256bits -gt AES-256 -gt 14 rounds

9
Description of Serpent

• Parameters
• Key size 128, 192, 256bits
• 128 and 192bit keys are padded with 100
• Block size 128bits
• Number of rounds 32
• 16 rounds are supposedly enough
• Operations
• ?
• 8 substitution tables (S-boxes)
• Linear transformation
• Key schedule

10
Description of Serpent

• Process
• Initial permutation
• 32 Rounds
• Final permutation
• Permutations
• Statically defined
• Simplifying the optimized implementation

11
Description of Serpent

• Rounds
• Key mixing
• Pass through S-box
• Linear transformation
• Except for the last round
• (? 33rd subkey)

12
Descriptionof Serpent
Source Wikipedia

• Linear transformation
• Left-rotations
• ?ing
• Left-shifts

13
Descriptionof Serpent

• Key expansion
• Padding (100)
• Affine expansion
• S-boxes
• Collapsing

14
Comparison

• Process
• Security
• Hardware performance
• Software performance

15
Comparison Process
Adapted from Lutz02
Rijndael Rijndael Serpent Serpent
Round 10x 12x 14x S-boxes Raw shifting Columns mixed ? Round Key 31x Key mixing S-boxes Linear t.
Final t. Key mixing S-boxes Key mixing Key mixing S-boxes Key mixing
16
Comparison Security
Rijndael Serpent Serpent
Margins (rounds) 6 insecure 10/12/14 suggested AES 15 insecure 17 suggested Authors 16 secure 32 suggested
Best known attacks (2006) 7/8/9 rounds 11 rounds 11 rounds
Comments Known side channel attacks (timing) Better than or equivalent to any other 128bit block cipher Old design Better than or equivalent to any other 128bit block cipher Old design
17
Comparison Hardware

• Rijndael
• 2.26Gbit/s _at_ 88.5MHz
• Assets
• Small number
• Of rounds
• Of subkeys
• Identical rounds
• Drawbacks
• Variable number of rounds
• Key length matters
• Large S-boxes

• Serpent
• 1.96Gbit/s _at_ 122.9MHz
• Assets
• Fixed number of rounds
• Key lengths does not matter
• Small S-boxes
• Drawbacks
• Different S-Box types
• Larger number
• Of rounds
• Of subkeys
• No hardware shared between encryption and
  decryption

18
Comparison Software

• Performance (see figures)
• Serpent
• 2 to 6 times slower
• Non-symmetrical performances
• But stable performances when changing architecture

Rijndael Serpent
Encryption 1276 440/291 1800 1030/900
Decryption 1276 2102
Pentium 133Mhz MMX Pentium Pro C/Pentium Pro ASM
19
Conclusion

• Rijndael chosen by AES why?
• Fastest for small blocks and hashes encryption
• Second fastest for bulk encryption
• But
• Security issues
• In 1999, Schneier et al. claimed there was no
  possible timing attacks against Rijndael
• In 2006, a timing attack is found
• Serpent is more secure if you are ready to spend
  more time

20
Questions Opposition
21
Sources

• Network Security, Private Communication in a
  Public World, C. Kaufman, R. Perlman, M.
  Speciner, 2002
• Wikipedias articles (French and English) on
  Rijndael, Bitwise operators, AES process and
  Serpent
• Cryptographic Hardware and Embedded Systems,
  Pawel Chodowiec, 2002

• Serpent, a Proposal for the AES, R. Anderson, E.
  Biham, L. Knudsen, 1998
• Serpent homepage www.cl.cam.ac.uk/rja14/serpent.h
  tml
• Lutz022Gbit/s Hardware Realizations of RIJNDAEL
  and SERPENT A Comparative Analysis, Lutz,
  Treichler, Gürkaynak, Kaeslin, Basler, Erni,
  Reichmuth, Rommens, Oetiker, Fichtner, 2002

22
Sources (cont.)

• A Note on Comparing AES Candidates (Revised),
  Biham, 1998 (?)
• Performance Comparison of the AES Submissions, B.
  Schneier, J. Kelsey, D. Whiting, D. Wagner, C.
  Hall, N. Ferguson, 1999
• Performance Evaluation fo the AES Finalists on
  the High-End Smart Card, F. Sano, M. Koike, S.
  Kawamura, M. Shiba, 2000

• Performance Comparison of 5 AES Candidates with
  New Performance Evaluation Tool, M. Takenaka, N.
  Torii, K. Itoh, J. Yajima, 2000
• Instruction-level Parallelism in AES Candidates,
  C.S.K. Clapp, 1999
• How Well Are High-End DSPs Suites for the AES
  Algorithms, T. J. Wollinger, M. Wang, J.
  Guajardo, C. Paar, 2000

23
Comments

• Non-exhaustive listing and extracts of sources
  are available here
• http//www.google.com/notebook/public/023303109431
  13180415/BDRkjSwoQiJ-sle4h
• Interesting links for both Serpent and Rijndael
  (and others) can be found here
• http//www.users.zetnet.co.uk/hopwood/crypto/scan/
  cs.html
• Figures where realized specially for this
  presentation, except stated otherwise