Zong-Cing Lin 2007/10/31. Algorithm Description; Why Rijndael was chosen; Reference.

Advanced Encryption Standard
Presentation transcript:

Zong-Cing Lin 2007/10/31

• Algorithm Description
• Why Rijndael was chosen
• Reference

• Rijndael was designed by Joan Daemen and Vincent Rijmen.
• A call for proposals for a new Advanced Encryption Standard was issued in 1997 by the National Institute of Standards and Technology.
• Published as FIPS PUB 197 in November,

Key size | 128 bits | 192 bits | 256 bits
Plaintext block size | 128 bits
Number of rounds |
Round key size | 128 bits
Expanded key size | 176 bytes | 208 bytes (with additional 2 round keys) | 240 bytes (with additional 2 round keys)

• The S-box is applied byte by byte.

• S-box construction:
  ◦ Initialization: 1st row: {00}, {01}, {02}, ..., {0F}; 2nd row: {10}, {11}, {12}, ..., {1F}; etc.
  ◦ Replace each byte with its multiplicative inverse in GF( ); the value {00} is mapped to itself.
  ◦ Apply the following (invertible) transformation:

• XOR operation
• Round key length: 128 bits
• Round key construction
  ◦ The 1st round key is taken from the original key (for a 128-bit key length)
  ◦ Other round keys:
    ▪ The first word is produced from the previous round key's last word: w[i] = w[i-4] ^ sbox(byteRotation(w[i-1])) ^ Rcon[i/4]
    ▪ Other words: w[i] = w[i-4] ^ w[i-1]
    ▪ Rcon[j] = (RC[j], 0, 0, 0), with RC[1] = 1, RC[j] = 2·RC[j-1]

• Written by Vincent Rijmen, Antoon Bosselaers, and Paulo Barreto
• Used by OpenSSL 0.9.8e

    t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[ 4];
    t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[ 5];
    t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[ 6];
    t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[ 7];

A loop-unrolling flag is provided: to reduce computation time, the code exists in several duplicated versions (original, 2 times, 3 times).

    Te0[x] = S[x].[02, 01, 01, 03];
    Te1[x] = S[x].[03, 02, 01, 01];
    Te2[x] = S[x].[01, 03, 02, 01];
    Te3[x] = S[x].[01, 01, 03, 02];
    Te4[x] = S[x].[01, 01, 01, 01];
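An added example, not code from the slides or from OpenSSL: the S-box construction, the AES-128 round key construction and the Te0 table definition described above, written out in C. It uses the affine transformation and the full key-expansion recurrence from FIPS 197 (every new word is also XORed with w[i-4]); the function names are illustrative and the key is the example key from FIPS 197 Appendix A.1.

```c
#include <stdint.h>
#include <stdio.h>

#define WORD(a, b, c, d) ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))
static uint8_t S[256];                        /* S-box, filled by build_sbox() */
/* Multiply by {02} in GF(2^8), reducing by x^8 + x^4 + x^3 + x + 1. */
static uint8_t xtime(uint8_t a) { return (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1b : 0)); }
static uint8_t gmul(uint8_t a, uint8_t b) {   /* shift-and-add product in GF(2^8) */
    uint8_t r = 0;
    for (; b; b >>= 1, a = xtime(a)) if (b & 1) r ^= a;
    return r;
}
/* S-box: multiplicative inverse ({00} stays {00}), then the FIPS 197 affine map. */
static void build_sbox(void) {
    for (int x = 0; x < 256; x++) {
        uint8_t inv = 0, s = 0x63;
        for (int y = 1; y < 256; y++)         /* brute-force search for x^-1 */
            if (gmul((uint8_t)x, (uint8_t)y) == 1) inv = (uint8_t)y;
        for (int k = 0; k < 5; k++)           /* inv ^ rotl(inv, 1..4) ^ {63} */
            s ^= (uint8_t)((inv << k) | (inv >> (8 - k)));
        S[x] = s;
    }
}
/* AES-128 key schedule: w[4r..4r+3] is round key r; 44 words = 176 bytes. */
static void expand_key128(const uint8_t key[16], uint32_t w[44]) {
    uint8_t rc = 1;                           /* RC[1] = 1, RC[j] = 2*RC[j-1] */
    for (int i = 0; i < 4; i++)
        w[i] = WORD(key[4*i], key[4*i+1], key[4*i+2], key[4*i+3]);
    for (int i = 4; i < 44; i++) {
        uint32_t t = w[i-1];
        if (i % 4 == 0) {                     /* first word of each round key */
            t = WORD(S[(t >> 16) & 0xff], S[(t >> 8) & 0xff], S[t & 0xff], S[t >> 24]);
            t ^= (uint32_t)rc << 24;          /* Rcon = (RC, 0, 0, 0) */
            rc = xtime(rc);
        }
        w[i] = w[i-4] ^ t;
    }
}
/* Te0[x] = S[x].[02, 01, 01, 03], packed as one 32-bit table entry. */
static uint32_t te0(uint8_t x) { return WORD(xtime(S[x]), S[x], S[x], xtime(S[x]) ^ S[x]); }

int main(void) {
    static const uint8_t key[16] = {0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,
                                    0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c}; /* FIPS 197 A.1 */
    uint32_t w[44];
    build_sbox();
    expand_key128(key, w);
    printf("S[53]=%02x w[43]=%08x Te0[00]=%08x\n", S[0x53], (unsigned)w[43], (unsigned)te0(0));
    return 0;
}
```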

• Other AES candidates:
  ◦ Round one: CAST-256, CRYPTON, DEAL, DFC, E2, FROG, HPC, LOKI97, MAGENTA, MARS, RC6, SAFER+, Serpent, and Twofish.
  ◦ Final round: MARS, RC6, Serpent, and Twofish.
• It was considered in:
  ◦ General security
  ◦ Software implementation
  ◦ Restricted-space environment
  ◦ Hardware implementation
  ◦ Attack on implementation
  ◦ Encryption vs. decryption
  ◦ Key agility
  ◦ Potential for instruction-level parallelism

• No known security attacks, based on the security analysis to date.
• Adequate security margin
  ◦ MARS, Serpent, and Twofish have high security margins
• Some comments criticized Rijndael for its mathematical structure (about Galois Field).

• Rijndael’s key setup performance is the fastest.
• With a longer key size, Rijndael needs more round keys.
• Decryption key setup takes more time than encryption key setup.

Key setup under Intel Pentium III 600MHz:

Algorithm | Clocks | Norm
MARS | |
RC6 | |
Rijndael | 1289 (1724) | 1.00 (0.75)
 | 2000 (2553) | 0.64 (0.50)
 | 2591 (3255) | 0.50 (0.40)
Serpent | |
Twofish | |

• RC6 and Rijndael generally demonstrate above-average speed for 128-bit keys.
• Rijndael’s performance for encryption and decryption decreases with higher key sizes
  ◦ While MARS, RC6, and Serpent exhibit consistent performance for all key sizes.

[Tables: Encryption under Intel Pentium III 600MHz; Decryption under Intel Pentium III 600MHz (columns: Algorithm, Clocks, Norm; rows: MARS, RC6, Rijndael, Serpent, Twofish)]

• Rijndael has very low RAM and ROM requirements and is very well suited to restricted-space environments.
  ◦ MARS is not well suited for restricted-space environments due to its ROM requirement.

[Table: A smart card study on Toshiba’s T6N55 chip equipped with a Z80 microprocessor, 2000 (columns: Algorithm, RAM, ROM, ENC, KEY, TIME; rows: MARS, RC6, Rijndael, Serpent, Twofish)]

• Serpent and Rijndael have the best hardware throughput of the finalists.
  ◦ Serpent offers the highest throughput in non-feedback modes.
  ◦ Rijndael offers the highest throughput in feedback modes.

• Rijndael and Serpent use operations that are among the easiest to defend against power and timing attacks
  ◦ RC6 and MARS are the most difficult to defend against timing and power attacks (due to their use of multiplications, variable rotations, and additions).
• Rijndael, Serpent, and Twofish are impacted significantly less than MARS and RC6 when masking techniques are used.

• The encryption and decryption functions are nearly identical for Twofish, while the functions are similar for MARS and RC6
  ◦ Rijndael’s and Serpent’s encryption and decryption are different.
• All of the finalists show very little speed variation between encryption and decryption functions for a given key size.
• Rijndael’s key setup performance is slower for decryption than for encryption.

• Key agility refers to the ability to change keys quickly and with minimum resources.
• Rijndael supports on-the-fly subkey computation for encryption, but requires a one-time execution of the entire key schedule prior to the first decryption with a particular key.

• Rijndael and Serpent are substitution-linear transformation networks.
  ◦ They have more potential to benefit from ILP.
• MARS, RC6, and Twofish use a Feistel structure.
  ◦ They have less potential to benefit from ILP.

• Rijndael’s combination of security, performance, efficiency, implementability, and flexibility makes it an appropriate selection for the AES for use in the technology of today and in the future.
  ◦ General security: normal
  ◦ Software implementation: normal
  ◦ Restricted-space environment: very good
  ◦ Hardware implementation: very good
  ◦ Attack on implementation: very good
  ◦ Encryption vs. decryption: bad
  ◦ Key agility: normal
  ◦ Potential for instruction-level parallelism: very good

• William Stallings, “Cryptography and Network Security: principles and practices”, 3rd edition,
• James Nechvatal, Elaine Barker, Lawrence Bassham, William Burr, Morris Dworkin, James Foti, and Edward Roback, “Report on the Development of the Advanced Encryption Standard”, Journal of Research of the National Institute of Standards and Technology, 2001.