Zong-Cing Lin
2007/10/31
Algorithm Description
Why Rijndael was chosen
Reference
Rijndael was designed by Joan Daemen and Vincent Rijmen.
A call for proposals for a new Advanced Encryption Standard was issued in 1997 by the National Institute of Standards and Technology.
Published as FIPS PUB 197 in November, 2001.
Key size | 128 bits | 192 bits | 256 bits
Plaintext block size | 128 bits | 128 bits | 128 bits
Number of rounds | 10 | 12 | 14
Round key size | 128 bits | 128 bits | 128 bits
Expanded key size | 176 bytes | 208 bytes (with additional 2 round keys) | 240 bytes (with additional 2 round keys)
Use S-box byte by byte
S-box construction:
◦ Initialization: 1st row: {00}, {01}, {02}, · · ·, {0F};
2nd row: {10}, {11}, {12}, · · ·, {1F}; etc.
◦ Replace each byte with its multiplicative inverse in
GF( ); the value {00} is mapped to itself.
◦ Apply the following (invertible) transformation:
XOR operation
Round key length: 128 bits
Round key construction
◦ 1st round key is the original key (for 128-bit key length)
◦ Other round keys:
First word is produced from the previous round key's last word: w[i]=w[i-4]^sbox(byteRotation(w[i-1]))^Rcon[i/4]
Other words: w[i]=w[i-4]^w[i-1]
Rcon[j]=(RC[j],0,0,0), with RC[1]=1, RC[j]=2·RC[j-1]
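The S-box construction and the round key construction described above, combined into one added example (not part of the original slides and not OpenSSL's code). It follows FIPS PUB 197 for AES-128; the reduction polynomial 0x11b and the affine constant 0x63 are taken from that standard rather than from this page, and all function names are illustrative.

```c
#include <stdint.h>

static uint8_t sbox[256];

/* Multiply by {02} in GF(2^8), reduction polynomial 0x11b (FIPS 197). */
static uint8_t xtime(uint8_t a) { return (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1b : 0)); }
static uint8_t rotl8(uint8_t x, int n) { return (uint8_t)((x << n) | (x >> (8 - n))); }

/* GF(2^8) product by shift-and-add. */
static uint8_t gmul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    for (; b; b >>= 1, a = xtime(a))
        if (b & 1) p ^= a;
    return p;
}

/* S-box: multiplicative inverse ({00} maps to itself), then the affine map. */
static void build_sbox(void) {
    for (int x = 0; x < 256; x++) {
        uint8_t inv = 0;
        for (int y = 1; x && y < 256; y++)
            if (gmul((uint8_t)x, (uint8_t)y) == 1) { inv = (uint8_t)y; break; }
        sbox[x] = inv ^ rotl8(inv, 1) ^ rotl8(inv, 2) ^ rotl8(inv, 3) ^ rotl8(inv, 4) ^ 0x63;
    }
}

/* sbox(byteRotation(w)) on one big-endian 32-bit word. */
static uint32_t sub_rot(uint32_t w) {
    w = (w << 8) | (w >> 24);
    return (uint32_t)sbox[w >> 24] << 24 | (uint32_t)sbox[(w >> 16) & 0xff] << 16
         | (uint32_t)sbox[(w >> 8) & 0xff] << 8 | sbox[w & 0xff];
}

/* AES-128 key expansion: 16-byte key -> 44 words (11 round keys, 176 bytes). */
void expand_key128(const uint8_t key[16], uint32_t w[44]) {
    uint8_t rc = 1;                              /* RC[1] = 1 */
    build_sbox();
    for (int i = 0; i < 4; i++)                  /* 1st round key is the key itself */
        w[i] = (uint32_t)key[4*i] << 24 | (uint32_t)key[4*i+1] << 16
             | (uint32_t)key[4*i+2] << 8 | key[4*i+3];
    for (int i = 4; i < 44; i++) {
        uint32_t t = w[i-1];
        /* First word of each round key: S-box, rotation and Rcon; then RC doubles. */
        if (i % 4 == 0) { t = sub_rot(t) ^ ((uint32_t)rc << 24); rc = xtime(rc); }
        w[i] = w[i-4] ^ t;
    }
}
```

With the FIPS 197 Appendix A.1 key 2b7e1516 28aed2a6 abf71588 09cf4f3c, expand_key128 yields w[4] = a0fafe17 and w[43] = b6630ca6.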
Written by Vincent Rijmen, Antoon Bosselaers,
and Paulo Barreto
Used by OpenSSL 0.9.8e
Provides a loop-unrolling flag.
To reduce computation time, the tables store several precomputed versions of each S-box output: the original value, 2 times it, and 3 times it.
Te0[x] = S [x].[02, 01, 01, 03];
Te1[x] = S [x].[03, 02, 01, 01];
Te2[x] = S [x].[01, 03, 02, 01];
Te3[x] = S [x].[01, 01, 03, 02];
Te4[x] = S [x].[01, 01, 01, 01];
t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[ 4];
t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[ 5];
t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[ 6];
t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[ 7];
Other AES candidates:
They were considered in:
◦ Round one: CAST-256, CRYPTON, DEAL, DFC, E2, FROG, HPC, LOKI97, MAGENTA, MARS, RC6, SAFER+, Serpent, and Twofish.
◦ Final round: MARS, RC6, Serpent, and Twofish.
◦ General security
◦ Software implementation
◦ Restricted-space environment
◦ Hardware implementation
◦ Attack on implementation
◦ Encryption VS decryption
◦ Key agility
◦ Potential for instruction level parallelism
No known security attacks based on the
security analysis to-date.
Adequate security margin
◦ MARS, Serpent, and Twofish have high security
margins
Some comments criticized Rijndael for its
math structure. (about Galois Field)
Rijndael’s key setup performance is the fastest.
With longer key sizes, Rijndael needs more round keys.
Decryption’s key setup time is more than encryption’s.
Key setup under Intel Pentium III 600MHz
Algorithm | Clocks | Norm
MARS | 4934 | 0.26
MARS | 4997 | 0.26
MARS | 5171 | 0.25
RC6 | 2278 | 0.57
RC6 | 2403 | 0.54
RC6 | 2514 | 0.51
Rijndael | 1289 (1724) | 1.00 (0.75)
Rijndael | 2000 (2553) | 0.64 (0.50)
Rijndael | 2591 (3255) | 0.50 (0.40)
Serpent | 6944 | 0.19
Serpent | 8853 | 0.15
Serpent | 10668 | 0.12
Twofish | 9263 | 0.14
Twofish | 12722 | 0.10
Twofish | 17954 | 0.07
RC6 and Rijndael generally demonstrate above average speed for 128 bit keys.
Encryption under Intel Pentium III 600MHz
Algorithm | Clocks | Norm
MARS | 656 | 0.48
RC6 | 318 | 1.00
Rijndael | 805 | 0.40
Rijndael | 981 | 0.32
Rijndael | 1155 | 0.28
Serpent | 1261 | 0.25
Twofish | 780 | 0.41
Rijndael’s performance for encryption and decryption decreases with higher key sizes
◦ While MARS, RC6, and Serpent exhibit consistent performance for all key sizes.
Decryption under Intel Pentium III 600MHz
Algorithm | Clocks | Norm
MARS | 569 | 0.53
RC6 | 307 | 1.00
Rijndael | 784 | 0.39
Rijndael | 955 | 0.32
Rijndael | 1121 | 0.23
Serpent | 1104 | 0.28
Twofish | 613 | 0.50
Rijndael has very low RAM and ROM requirements and is very well suited to restricted-space environments.
◦ MARS is not well suited for restricted-space environments due to its ROM requirement.
A smart card study on Toshiba’s T6N55 chip equipped with Z80 micro-processor, 2000.
Algorithm | RAM | ROM | ENC | KEY | TIME
MARS | 572 | 5468 | 45 | 21 | 67
RC6 | 156 | 1060 | 34 | 138 | 173
Rijndael | 66 | 980 | 25 | 10 | 35
Serpent | 164 | 3937 | 71 | 147 | 219
Twofish | 90 | 2808 | 31 | 28 | 60
Serpent and Rijndael have the best hardware throughput of the finalists.
◦ Serpent offers the highest throughput in non-feedback modes.
◦ Rijndael offers the highest throughput in feedback modes.
Rijndael and Serpent use operations that are
among the easiest to defend against power
and timing attacks
◦ RC6 and MARS are the most difficult to defend
against timing and power attacks. (due to their use
of multiplications, variable rotations, and additions)
Rijndael, Serpent, and Twofish are impacted
significantly less than MARS and RC6
when masking techniques are used.
The encryption and decryption functions are
nearly identical for Twofish, while the
functions are similar for MARS and RC6
◦ Rijndael’s and Serpent’s encryption and decryption
are different.
All of the finalists show very little speed
variation between encryption and decryption
functions for a given key size.
Rijndael’s key setup performance is slower
for decryption than for encryption.
Key agility refers to the ability to change keys quickly
and with minimum resources.
Rijndael supports on-the-fly subkey
computation for encryption, but requires a
one-time execution of the entire key
schedule prior to the first decryption with a
particular key.
Rijndael and Serpent are substitution-linear
transformation networks.
◦ They have more potential to benefit from ILP.
MARS, RC6, and Twofish use Feistel structures.
◦ They have less potential to benefit from ILP.
Rijndael’s combination of security, performance,
efficiency, implementability, and flexibility makes
it an appropriate selection for the AES for use in
the technology of today and in the future.
◦ General security: normal
◦ Software implementation: normal
◦ Attack on implementation: very good
◦ Encryption VS decryption: bad
◦ Key agility: normal
◦ Restricted-space environment: very good
◦ Hardware implementation: very good
◦ Potential for instruction level parallelism: very good
William Stallings, “Cryptography and Network Security: Principles and Practices”, 3rd edition, 2003.
James Nechvatal, Elaine Barker, Lawrence Bassham, William Burr, Morris Dworkin, James Foti, and Edward Roback, “Report on the Development of the Advanced Encryption Standard”, Journal of Research of the National Institute of Standards and Technology, 2001.