Comparison AES-Rijndael/Serpent
2G1704: Internet Security and Privacy
Weltz Max

Outline
• Historical perspective
• Description of AES-Rijndael
• Description of Serpent
• Comparison

Historical perspective
• 1998 Advanced Encryption Standard contest
• 1999 Serpent and Rijndael among the last 5 finalist algorithms
  – Along with Mars, RC6 and Twofish
• 2000 Rijndael selected as AES algorithm

Description of Rijndael
• Main elements
  – Parameters
    • Key size: 128, 160, 192, 224, 256 bits
    • Block size: 128, 160, 192, 224, 256 bits
    • Number of rounds: 6 + max(Bs, Ks)/32
  – Operations
    • Two substitution tables
    • Rearrangement of octets
    • Key schedule

Description of Rijndael
• State array
  – Size of Bs
  – Organized in 4-octet columns

Description of Rijndael
• Rounds
  1. Octets through the S-box
  2. Rows shifted
  3. Columns mixed

Description of Rijndael
• Key expansion
  – As many rounds as required
  – Obtain (Nr+1)Bs/32 columns

What is AES-Rijndael?
• AES' recommendations for Rijndael
  – Block size:
    • 128 bits
  – Key size:
    • 128 bits -> AES-128 -> 10 rounds
    • 192 bits -> AES-192 -> 12 rounds
    • 256 bits -> AES-256 -> 14 rounds

Description of Serpent
• Parameters
  – Key size: 128, 192, 256 bits
    • 128 and 192-bit keys are padded with 100…
  – Block size: 128 bits
  – Number of rounds: 32
    • 16 rounds are supposedly enough
• Operations
  – 8 substitution tables (S-boxes)
  – Linear transformation
  – Key schedule

Description of Serpent
• Process
  – Initial permutation
  – 32 rounds
  – Final permutation
• Permutations
  – Statically defined
  – Simplifying the optimized implementation

Description of Serpent
• Rounds
  1. Key mixing
  2. Pass through S-box
  3. Linear transformation
    • Except for the last round
      – (33rd subkey)
Source: Wikipedia

Description of Serpent
• Linear transformation
  – Left-rotations
  – XOR'ing
  – Left-shifts

Description of Serpent
• Key expansion
  – Padding (100…)
  – Affine expansion
  – S-boxes
  – Collapsing

Comparison
• Process
• Security
• Hardware performance
• Software performance
Adapted from [Lutz02]

Comparison: Process
• Rijndael
  – Round (10x / 12x / 14x)
    • S-boxes
    • Row shifting
    • Columns mixed
    • Round key
• Serpent
  – Round (31x)
    • Key mixing
    • S-boxes
    • Linear t.
  – Final t.
    • Key mixing
    • S-boxes
    • Key mixing

Comparison: Security
• Rijndael
  – Margins (rounds)
    • 6 insecure
    • 10/12/14 suggested
  – Best known attacks (2006): 7/8/9 rounds
  – Comments: Known side channel attacks (timing)
• Serpent
  – Margins (rounds)
    • AES: 15 insecure, 17 suggested
    • Authors: 16: secure, 32 suggested
  – Best known attacks (2006): 11 rounds
  – Comments
    • Better than or equivalent to any other 128-bit block cipher
    • Old design

Comparison: Hardware
• Rijndael
  – 2.26 Gbit/s @ 88.5 MHz
  – Assets
    • Small number
      – Of rounds
      – Of subkeys
    • Identical rounds
  – Drawbacks
    • Variable number of rounds
    • Key length matters
    • Large S-boxes
• Serpent
  – 1.96 Gbit/s @ 122.9 MHz
  – Assets
    • Fixed number of rounds
    • Key length does not matter
    • Small S-boxes
  – Drawbacks
    • Different S-box types
    • Larger number
      – Of rounds
      – Of subkeys
    • No hardware shared between encryption and decryption

Comparison: Software
• Performance (see figures)
  – Serpent
    • 2 to 6 times slower
    • Non-symmetrical performance
    • But stable performance when changing architecture

               Rijndael          Serpent
  Encryption   1276 | 440/291    1800 | 1030/900
  Decryption   1276              2102
  Columns: Pentium 133MHz MMX | Pentium Pro C/Pentium Pro ASM

Conclusion
• Rijndael chosen by AES: why?
  – Fastest for small blocks and hashes encryption
  – Second fastest for bulk encryption
• But
  – Security issues
    • In 1999, Schneier et al. claimed there were no possible timing attacks against Rijndael…
    • In 2006, a timing attack is found
  – Serpent is more secure if you are ready to spend more time
• Questions
• Opposition

Sources
• Network Security, Private Communication in a Public World, C. Kaufman, R. Perlman, M. Speciner, 2002
• Wikipedia's articles (French and English) on Rijndael, Bitwise operators, AES process and Serpent
• Cryptographic Hardware and Embedded Systems, Pawel Chodowiec, 2002
• Serpent, a Proposal for the AES, R. Anderson, E. Biham, L. Knudsen, 1998
• Serpent homepage www.cl.cam.ac.uk/~rja14/serpent.html
• [Lutz02] 2Gbit/s Hardware Realizations of RIJNDAEL and SERPENT: A Comparative Analysis, Lutz, Treichler, Gürkaynak, Kaeslin, Basler, Erni, Reichmuth, Rommens, Oetiker, Fichtner, 2002

Sources (cont.)
• A Note on Comparing AES Candidates (Revised), Biham, 1998 (?)
• Performance Comparison of the AES Submissions, B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall, N. Ferguson, 1999
• Performance Evaluation of the AES Finalists on the High-End Smart Card, F. Sano, M. Koike, S. Kawamura, M. Shiba, 2000
• Performance Comparison of 5 AES Candidates with New Performance Evaluation Tool, M. Takenaka, N. Torii, K. Itoh, J. Yajima, 2000
• Instruction-level Parallelism in AES Candidates, C.S.K. Clapp, 1999
• How Well Are High-End DSPs Suited for the AES Algorithms, T. J. Wollinger, M. Wang, J. Guajardo, C. Paar, 2000

Comments
• Non-exhaustive listing and extracts of sources are available here:
  – http://www.google.com/notebook/public/02330310943113180415/BDRkjSwoQiJ-sle4h
• Interesting links for both Serpent and Rijndael (and others) can be found here:
  – http://www.users.zetnet.co.uk/hopwood/crypto/scan/cs.html
• Figures were made specially for this presentation, except where stated otherwise
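
The Rijndael slides (round-count formula, the three-step round, key expansion into (Nr+1)Bs/32 columns) can be checked end to end with a compact implementation. This is an added example, not code from the presentation: it fixes the block size at 128 bits as AES does, computes the S-box instead of tabulating it, and all function names are assumptions.

```python
def xtime(a):  # multiply by x in GF(2^8), reducing by x^8 + x^4 + x^3 + x + 1
    return (a << 1) ^ (0x11B if a & 0x80 else 0)

def gmul(a, b):  # GF(2^8) product by shift-and-add
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def build_sbox():  # S-box: multiplicative inverse followed by the affine map
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
        s = inv ^ 0x63
        for k in range(1, 5):
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        box.append(s)
    return box
SBOX = build_sbox()

def n_rounds(key_bits, block_bits=128):  # slide formula: 6 + max(Bs, Ks)/32
    return 6 + max(block_bits, key_bits) // 32

def expand_key(key):  # produces (Nr+1)*Bs/32 four-octet columns
    nk, nr, rcon = len(key) // 4, n_rounds(len(key) * 8), 1
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    while len(w) < 4 * (nr + 1):
        t = w[-1]
        if len(w) % nk == 0:  # rotate, substitute, add round constant
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = xtime(rcon)
        elif nk > 6 and len(w) % nk == 4:  # extra substitution for 256-bit keys
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[-nk], t)])
    return w

def encrypt_block(block, key):
    w, nr = expand_key(key), n_rounds(len(key) * 8)
    add_key = lambda s, n: [[s[c][r] ^ w[4 * n + c][r] for r in range(4)] for c in range(4)]
    s = add_key([list(block[4 * c:4 * c + 4]) for c in range(4)], 0)
    for rnd in range(1, nr + 1):
        s = [[SBOX[b] for b in col] for col in s]                      # 1. octets through the S-box
        s = [[s[(c + r) % 4][r] for r in range(4)] for c in range(4)]  # 2. rows shifted
        if rnd != nr:                                                  # 3. columns mixed (skipped in last round)
            s = [[gmul(2, c[r]) ^ gmul(3, c[(r + 1) % 4]) ^ c[(r + 2) % 4] ^ c[(r + 3) % 4]
                  for r in range(4)] for c in s]
        s = add_key(s, rnd)                                            # round key mixed in
    return bytes(b for col in s for b in col)
```

Indexing `SBOX` with key-dependent bytes is the kind of data-dependent table lookup that cache-timing attacks on Rijndael exploit, so this serves as a structural reference only and is not constant-time.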
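
The Serpent linear transformation listed in the slides (left-rotations, XORs, left-shifts) and its inverse, written out on four 32-bit words. This is an added example, not code from the presentation; the function names and sample words are assumptions, and the inverse is included to show why the hardware slide lists "no hardware shared between encryption and decryption" as a drawback.

```python
MASK = 0xFFFFFFFF

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def rotr(x, n):
    return rotl(x, 32 - n)

def serpent_lt(x0, x1, x2, x3):
    """Forward linear transformation used in rounds 0..30 of encryption."""
    x0, x2 = rotl(x0, 13), rotl(x2, 3)
    x1 ^= x0 ^ x2
    x3 ^= x2 ^ ((x0 << 3) & MASK)
    x1, x3 = rotl(x1, 1), rotl(x3, 7)
    x0 ^= x1 ^ x3
    x2 ^= x3 ^ ((x1 << 7) & MASK)
    x0, x2 = rotl(x0, 5), rotl(x2, 22)
    return x0, x1, x2, x3

def serpent_lt_inv(x0, x1, x2, x3):
    """Inverse transformation: the same steps undone in reverse order."""
    x0, x2 = rotr(x0, 5), rotr(x2, 22)
    x2 ^= x3 ^ ((x1 << 7) & MASK)
    x0 ^= x1 ^ x3
    x1, x3 = rotr(x1, 1), rotr(x3, 7)
    x3 ^= x2 ^ ((x0 << 3) & MASK)
    x1 ^= x0 ^ x2
    x0, x2 = rotr(x0, 13), rotr(x2, 3)
    return x0, x1, x2, x3

def changed_bits(word, bit):
    """Output bits flipped by one input bit; the map is linear, so this
    count does not depend on the rest of the input."""
    unit = [0, 0, 0, 0]
    unit[word] = 1 << bit
    return sum(bin(x).count("1") for x in serpent_lt(*unit))

# Constructed sample block (not a published test vector).
SAMPLE = (0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210)
```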