Comparison

AES-
Rijndael/Serpent
2G1704: Internet Security and
Privacy
Weltz Max
Outline
• Historical perspective
• Description of AES-Rijndael
• Description of Serpent
• Comparison
Historical perspective
• 1998 Advanced Encryption
Standard contest
• 1999 Serpent and Rijndael
among the last 5 finalist
algorithms
– Along with Mars, RC6 and Twofish
• 2000 Rijndael selected as AES
algorithm
Description of
Rijndael
• Main elements
– Parameters
• Key size: 128, 160, 192, 224,
256bits
• Block size: 128, 160, 192, 224,
256bits ---------
32
• Number of rounds: ------
6+max(Bs,Ks)
– Operations
∀ ⊕
• Two substitutions tables
• Rearrangement of octets
• Key schedule
Description of
Rijndael
• State array
– Size of Bs
– Organized in 4-
octet columns
Description of
Rijndael
• Rounds
– Octets through
the S-Box
– Rows shifted
– Columns mixed
Descriptio
n of
Rijndael

• Key expansion
– As many round
as required
– Obtain
(Nr+1)Bs/32
What is AES-Rijndael?
• AES’ recommendations for
Rijndael
– Block size:
• 128-bits
– Key size:
• 128bits -> AES-128 -> 10 rounds
• 196bits -> AES-196 -> 12 rounds
• 256bits -> AES-256 -> 14 rounds
Description of Serpent
• Parameters
– Key size: 128, 192, 256bits
• 128 and 192bit keys are padded with 100…
– Block size: 128bits
– Number of rounds: 32
• 16 rounds are supposedly enough
• Operations
⊕
– 8 substitution tables (S-boxes)
– Linear transformation
– Key schedule
 Description of Serpent
• Process
– Initial
permutation
– 32 Rounds
– Final
permutation
• Permutations
– Statically
defined
– Simplifying the
optimized
Description of Serpent
• Rounds
– Key mixing
– Pass through S-
box
– Linear
transformation
• Except for the
last round
– (⊕ 33rd subkey)
Source: Wikipedia

Description
of Serpent
• Linear
transformation
– Left-rotations
⊕’ing
– Left-shifts
Description
of Serpent
• Key expansion
– Padding (100…)
– Affine
expansion
– S-boxes
– Collapsing
Comparison
• Process
• Security
• Hardware performance
• Software performance
Adapted from [Lutz02]

Comparison: Process
Rijndael Serpent
•S-boxes •Key
10x •Raw shifting mixing
31
Round 12x •Columns •S-boxes
x
14x mixed •Linear
∀⊕ Round Key t.
•Key mixing
Final
•S-boxes
t.
•Key mixing
Comparison: Security
Rijndael Serpent
AES Authors
•6 insecure •15 •16:
Margins insecure secure
•10/12/14
(rounds) suggested •17 •32
suggeste suggeste
d d
Best known
attacks 7/8/9 rounds 11 rounds
(2006)
•Better than or
equivalent to any
Known side channel other 128bit block
Comments attacks (timing) cipher
•Old design
 Comparison: Hardware
• Rijndael • Serpent
– 2.26Gbit/s @ 88.5MHz – 1.96Gbit/s @ 122.9MHz
– Assets
– Assets • Fixed number of rounds
• Small number • Key lengths does not matter
– Of rounds • Small S-boxes
– Of subkeys – Drawbacks
• Identical rounds • Different S-Box types
– Drawbacks • Larger number
• Variable number of – Of rounds
rounds – Of subkeys
• No hardware shared
• Key length matters
between encryption and
• Large S-boxes decryption
 Comparison: Software
• Performance (see figures)

– Serpent
• 2 to 6 times slower
• Non-symmetrical performances
• But stable performances when changing
architecture

Rijndael Serpent
1276 | 1800 |
Encryption
440/291 1030/900
Decryption 1276 2102
Pentium 133Mhz MMX | Pentium Pro C/Pentium Pro ASM
Conclusion
• Rijndael chosen by AES: why?
– Fastest for small blocks and hashes
encryption
– Second fastest for bulk encryption
• But
– Security issues
• In 1999, Schneier et al. claimed there was
no possible timing attacks against
Rijndael…
• In 2006, a timing attack is found
– Serpent is more secure if you are
ready to spend more time
 • Questions
• Opposition
 Sources
• Network Security, • Serpent, a Proposal
Private for the AES, R.
Communication in a Anderson, E. Biham,
Public World, C. L. Knudsen, 1998
Kaufman, R. Perlman, • Serpent homepage www.cl
M. Speciner, 2002 .cam.ac.uk/~rja14/serpent.html

• Wikipedia’s articles • [Lutz02]2Gbit/s Hardware

(French and English) Realizations of RIJNDAEL
on Rijndael, Bitwise and SERPENT: A
operators, AES Comparative Analysis,
process and Serpent Lutz, Treichler, Gürkaynak,
• Cryptographic Kaeslin, Basler, Erni,
Reichmuth, Rommens,
Hardware and
Oetiker, Fichtner, 2002
Embedded Systems,
 Sources (cont.)
• A Note on Comparing AES • Performance Comparison of 5
Candidates (Revised), AES Candidates with New
Biham, 1998 (?) Performance Evaluation Tool, M.
• Performance Comparison Takenaka, N. Torii, K. Itoh, J.
of the AES Submissions, Yajima, 2000
B. Schneier, J. Kelsey, • Instruction-level Parallelism
D. Whiting, D. Wagner, in AES Candidates, C.S.K.
C. Hall, N. Ferguson,
1999 Clapp, 1999
• Performance Evaluation • How Well Are High-End
fo the AES Finalists on DSPs Suites for the AES
the High-End Smart Card, Algorithms, T. J. Wollinger,
F. Sano, M. Koike, S. M. Wang, J. Guajardo, C.
Kawamura, M. Shiba, 2000
Paar, 2000
Comments
• Non-exhaustive listing and extracts of
sources are available here:
– http://www.google
.com/notebook/public/02330310943113180415/BDRkjSwoQiJ-sle4h

• Interesting links for both Serpent and

Rijndael (and others) can be found
here:
– http://www.users.zetnet.co.uk/hopwood/crypto/scan/cs.html

• Figures where realized specially for

this presentation, except stated
otherwise