Using these criteria, the initial field of 21 candidate algorithms was reduced first to 15 candidates and then to 5 candidates. By the time a final evaluation had been done, the evaluation criteria, as described in [NECH00], had evolved. The following criteria were used in the final evaluation:
- General security: To assess general security, NIST relied on the public security analysis conducted by the cryptographic community. During the course of the three-year evaluation process, a number of cryptographers published their analyses of the strengths and weaknesses of the various candidates. There was particular emphasis on analyzing the candidates with respect to known attacks, such as differential and linear cryptanalysis. However, compared to the analysis of DES, the amount of time and the number of cryptographers devoted to analyzing Rijndael are quite limited. Now that a single AES cipher has been chosen, we can expect to see a more extensive security analysis by the cryptographic community.
- Software implementations: The principal concerns in this category are execution speed, performance across a variety of platforms, and variation of speed with key size.
- Restricted-space environments: In some applications, such as smart cards, relatively small amounts of random-access memory (RAM) and/or read-only memory (ROM) are available for such purposes as code storage (generally in ROM); representation of data objects such as S-boxes (which could be stored in ROM or RAM, depending on whether pre-computation or Boolean representation is used); and subkey storage (in RAM).
- Hardware implementations: Like software, hardware implementations can be optimized for speed or for size. However, in the case of hardware, size translates much more directly into cost than is usually the case for software implementations. Doubling the size of an encryption program may make little difference on a general-purpose computer with a large memory, but doubling the area used in a hardware device typically more than doubles the cost of the device.
- Attacks on implementations: The criterion of general security, discussed in the first bullet, is concerned with cryptanalytic attacks that exploit mathematical properties of the algorithms. There is another class of attacks that use physical measurements conducted during algorithm execution to gather information about quantities such as keys. Such attacks exploit a combination of intrinsic algorithm characteristics and implementation-dependent features. Examples of such attacks are timing attacks and power analysis. Timing attacks are described in Chapter 3. The basic idea behind power analysis [KOCH98, BIHA00] is the observation that the power consumed by a smart card at any particular time during the cryptographic operation is related to the instruction being executed and to the data being processed. For example, multiplication consumes more power than addition, and writing 1s consumes more power than writing 0s.
- Encryption versus decryption: This criterion deals with several issues related to considerations of both encryption and decryption. If the encryption and decryption algorithms differ, then extra space is needed for the decryption. Also, whether the two algorithms are the same or not, there may be timing differences between encryption and decryption.
- Key agility: Key agility refers to the ability to change keys quickly and with a minimum of resources. This includes both subkey computation and the ability to switch between different ongoing security associations when subkeys may already be available.
- Other versatility and flexibility: [NECH00] indicates two areas that fall into this category. Parameter flexibility includes ease of support for other key and block sizes and ease of increasing the number of rounds in order to cope with newly discovered attacks. Implementation flexibility refers to the possibility of optimizing cipher elements for particular environments.
- Potential for instruction-level parallelism: This criterion refers to the ability to exploit ILP features in current and future processors.
Table 5.2 shows the assessment that NIST provided for Rijndael based on these criteria.
General Security: Rijndael has no known security attacks. Rijndael uses S-boxes as nonlinear components. Rijndael appears to have an adequate security margin, but has received some criticism suggesting that its mathematical structure may lead to attacks. On the other hand, the simple structure may have facilitated its security analysis during the timeframe of the AES development process.

Software Implementations: Rijndael performs encryption and decryption very well across a variety of platforms, including 8-bit and 64-bit platforms, and DSPs. However, there is a decrease in performance with the higher key sizes because of the increased number of rounds that are performed. Rijndael's high inherent parallelism facilitates the efficient use of processor resources, resulting in very good software performance even when implemented in a mode not capable of interleaving. Rijndael's key setup time is fast.

Restricted-Space Environments: In general, Rijndael is very well suited for restricted-space environments where either encryption or decryption is implemented (but not both). It has very low RAM and ROM requirements. A drawback is that ROM requirements will increase if both encryption and decryption are implemented simultaneously, although it appears to remain suitable for these environments. The key schedule for decryption is separate from encryption.

Hardware Implementations: Rijndael has the highest throughput of any of the finalists for feedback modes and second highest for non-feedback modes. For the 192 and 256-bit key sizes, throughput falls in standard and unrolled implementations because of the additional number of rounds. For fully pipelined implementations, the area requirement increases, but the throughput is unaffected.

Attacks on Implementations: The operations used by Rijndael are among the easiest to defend against power and timing attacks. The use of masking techniques to provide Rijndael with some defense against these attacks does not cause significant performance degradation relative to the other finalists, and its RAM requirement remains reasonable. Rijndael appears to gain a major speed advantage over its competitors when such protections are considered.

Encryption versus Decryption: The encryption and decryption functions in Rijndael differ. One FPGA study reports that the implementation of both encryption and decryption takes about 60% more space than the implementation of encryption alone. Rijndael's speed does not vary significantly between encryption and decryption, although the key setup performance is slower for decryption than for encryption.

Key Agility: Rijndael supports on-the-fly subkey computation for encryption. Rijndael requires a one-time execution of the key schedule to generate all subkeys prior to the first decryption with a specific key. This places a slight resource burden on the key agility of Rijndael.

Other Versatility and Flexibility: Rijndael fully supports block sizes and key sizes of 128 bits, 192 bits and 256 bits, in any combination. In principle, the Rijndael structure can accommodate any block sizes and key sizes that are multiples of 32, as well as changes in the number of rounds that are specified.

Potential for Instruction-Level Parallelism: Rijndael has an excellent potential for parallelism for a single block encryption.
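The key-agility and decryption-key-schedule points above (on-the-fly subkeys for encryption, a full one-time key schedule before decryption) can be seen directly in the AES-128 key expansion. The following is an added illustration, not code from the textbook or from NIST; it implements the FIPS 197 KeyExpansion for a 128-bit key, deriving the S-box from its GF(2^8) definition so that it is self-contained, and the function names are my own.

```python
def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return p

def build_sbox():
    """Derive the AES S-box: GF(2^8) inverse followed by the affine transform."""
    sbox = [0] * 256
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if gf_mul(x, y) == 1)
        s, r = inv, inv
        for _ in range(4):  # s = inv ^ rotl1(inv) ^ ... ^ rotl4(inv) ^ 0x63
            r = ((r << 1) | (r >> 7)) & 0xFF
            s ^= r
        sbox[x] = s ^ 0x63
    return sbox

SBOX = build_sbox()

def next_round_key(prev, rcon):
    """Round key r+1 from round key r alone (FIPS 197 KeyExpansion step):
    this locality is what lets an encryptor derive subkeys on the fly."""
    w = [list(prev[i:i + 4]) for i in range(0, 16, 4)]
    t = [SBOX[b] for b in w[3][1:] + w[3][:1]]  # RotWord, then SubWord
    t[0] ^= rcon                                  # Rcon for this round
    out = b""
    for col in w:                                 # w[i] = w[i-4] ^ temp
        t = [a ^ b for a, b in zip(col, t)]
        out += bytes(t)
    return out

def encryption_round_keys(key):
    """Yield the 11 AES-128 round keys one at a time, holding 16 bytes of state."""
    rk, rcon = bytes(key), 1
    yield rk
    for _ in range(10):
        rk = next_round_key(rk, rcon)
        rcon = gf_mul(rcon, 2)
        yield rk

def decryption_round_keys(key):
    """Decryption consumes round keys in reverse, so the first one it needs
    (round 10) depends on all the others: the whole schedule is run once and
    stored before the first decryption, the burden the text describes."""
    return list(encryption_round_keys(key))[::-1]
```

Running it on the FIPS 197 Appendix A.1 key shows the encryptor needing only the previous 16-byte round key at each step, while the decryptor's first round key is the last one the schedule produces.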