You are on page 1of 23

Comparison AES-Rijndael/Serpent

2G1704: Internet Security and Privacy Weltz Max

Outline
Historical perspective Description of AES-Rijndael Description of Serpent Comparison

Historical perspective
1998 Advanced Encryption Standard contest 1999 Serpent and Rijndael among the last 5 finalist algorithms
Along with Mars, RC6 and Twofish

2000 Rijndael selected as AES algorithm

Description of Rijndael
Main elements
Parameters
Key size: 128, 160, 192, 224, 256bits Block size: 128, 160, 192, 224, 256bits Number of rounds: 6+max(Bs,Ks) -------------- Operations 32 Two substitutions tables Rearrangement of octets Key schedule

Description of Rijndael
State array
Size of Bs Organized in 4octet columns

Description of Rijndael
Rounds
1. Octets through the S-Box 2. Rows shifted 3. Columns mixed

Description of Rijndael

Key expansion
As many round as required Obtain (Nr+1)Bs/32 columns

What is AES-Rijndael?
AES recommendations for Rijndael
Block size:
128-bits

Key size:
128bits -> AES-128 -> 10 rounds 196bits -> AES-196 -> 12 rounds 256bits -> AES-256 -> 14 rounds

Description of Serpent
Parameters
Key size: 128, 192, 256bits
128 and 192bit keys are padded with 100

Block size: 128bits Number of rounds: 32


16 rounds are supposedly enough

Operations
8 substitution tables (S-boxes) Linear transformation Key schedule

Description of Serpent
Process
Initial permutation 32 Rounds Final permutation

Permutations
Statically defined Simplifying the optimized implementation

Description of Serpent
Rounds
1. Key mixing 2. Pass through S-box 3. Linear transformation
Except for the last round
( 33rd subkey)

Source: Wikipedia

Description of Serpent
Linear transformation
Left-rotations ing Left-shifts

Description of Serpent
Key expansion
Padding (100) Affine expansion S-boxes Collapsing

Comparison
Process Security Hardware performance Software performance

Adapted from [Lutz02]

Comparison: Process
Rijndael Serpent
S-boxes 10x Key mixing Raw shifting Round 12x 31x S-boxes Columns mixed 14x Linear t. Round Key Key mixing Final t. S-boxes Key mixing

Comparison: Security
Rijndael
Margins (rounds) Best known attacks (2006) Comments
6 insecure 10/12/14 suggested

Serpent
AES 15 insecure 17 suggested Authors 16: secure 32 suggested

7/8/9 rounds
Known side channel attacks (timing)

11 rounds
Better than or equivalent to any other 128bit block cipher Old design

Comparison: Hardware
Rijndael
2.26Gbit/s @ 88.5MHz Assets
Small number
Of rounds Of subkeys

Serpent
1.96Gbit/s @ 122.9MHz Assets
Fixed number of rounds Key lengths does not matter Small S-boxes

Identical rounds

Drawbacks
Different S-Box types Larger number
Of rounds Of subkeys

Drawbacks
Variable number of rounds Key length matters Large S-boxes

No hardware shared between encryption and decryption

Comparison: Software
Performance (see figures)
Serpent
2 to 6 times slower Non-symmetrical performances But stable performances when changing architecture

Rijndael
Decryption 1276

Serpent
2102

Encryption 1276 | 440/291 1800 | 1030/900


Pentium 133Mhz MMX | Pentium Pro C/Pentium Pro ASM

Conclusion
Rijndael chosen by AES: why?
Fastest for small blocks and hashes encryption Second fastest for bulk encryption

But
Security issues
In 1999, Schneier et al. claimed there was no possible timing attacks against Rijndael In 2006, a timing attack is found

Serpent is more secure if you are ready to spend more time

Questions Opposition

Sources
Network Security, Private Communication in a Public World, C. Kaufman, R. Perlman, M. Speciner, 2002 Wikipedias articles (French and English) on Rijndael, Bitwise operators, AES process and Serpent Cryptographic Hardware and Embedded Systems, Pawel Chodowiec, 2002 Serpent, a Proposal for the AES, R. Anderson, E. Biham, L. Knudsen, 1998 Serpent homepage
www.cl.cam.ac.uk/~rja14/serpent.html

[Lutz02]2Gbit/s Hardware Realizations of RIJNDAEL and SERPENT: A Comparative Analysis, Lutz, Treichler, Grkaynak, Kaeslin, Basler, Erni, Reichmuth, Rommens, Oetiker, Fichtner, 2002

Sources (cont.)
A Note on Comparing AES Candidates (Revised), Biham, 1998 (?) Performance Comparison of the AES Submissions, B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall, N. Ferguson, 1999 Performance Evaluation fo the AES Finalists on the HighEnd Smart Card, F. Sano, M. Koike, S. Kawamura, M. Shiba, 2000 Performance Comparison of 5 AES Candidates with New Performance Evaluation Tool, M. Takenaka, N. Torii, K. Itoh, J. Yajima, 2000

Instruction-level Parallelism in AES Candidates, C.S.K. Clapp, 1999 How Well Are High-End DSPs Suites for the AES Algorithms, T. J. Wollinger, M. Wang, J. Guajardo, C. Paar, 2000

Comments
Non-exhaustive listing and extracts of sources are available here:
http://www.google.com/notebook/public/02330310943113180415/B DRkjSwoQiJ-sle4h

Interesting links for both Serpent and Rijndael (and others) can be found here:
http://www.users.zetnet.co.uk/hopwood/crypto/scan/cs.html

Figures where realized specially for this presentation, except stated otherwise

You might also like