Cryptography Reference
In-Depth Information
Vincent Rijmen, of Belgium, was named as the future advanced encryption
standard (cf. [NIST]).
1
Rijndael is a successor of the block cipher “Square,”
published earlier by the same authors (cf. [Squa]), which, however, had proved to
be not as powerful. Rijndael was especially strengthened to attack the weaknesses
of Square. The AES report of NIST gives the following basis for its decision.
1.
Security
All candidates fulfill the requirements of the AES with respect to security
against all known attacks. In comparison to the other candidates, the
implementations of Serpent and Rijndael can at the least cost be protected
against attacks that are based on measurements of the time behavior of
the hardware (so-called timing attacks) or changes in electrical current use
(so-called power or differential power analysis attacks).
2
The degradation in
performance associated with such protective measures is least for Rijndael,
Serpent, and Twofish, with a greater advantage to Rijndael.
2.
Speed
Rijndael is among the candidates that permit the most rapid implemen-
tation, and it is distinguished by equally good performance across all
platforms considered, such as 32-bit processors, 8-bit microcontrollers,
smart cards, and implementations in hardware (see below). Of all the
candidates Rijndael allows the most rapid calculation of round keys.
3.
Memory requirement
Rijndael makes use of very limited resources of RAM and ROM memory and
is thus an excellent candidate for use in restricted-resource environments.
In particular, the algorithm offers the possibility to calculate round
keys separately “on the fly” for each round. These properties have great
significance for applications on microcontrollers such as used in smart
cards. Due to the structure of the algorithm, the requirements on ROM
storage are least when only one direction, that is, either encryption or
decryption, is realized, and they increase when both functions are needed.
Nonetheless, with respect to resource requirements Rijndael is not beaten
by any of the other four contestants.
4.
Implementation in hardware
1
The name “Rijndael” is a portmanteau word derived from the names of the authors. Sources
tell me that the correct pronunciation is somewhere between “rain doll” and “Rhine dahl.” Per-
haps NIST should include in the standard a pronunciation key in the international phonetic
alphabet.
2
Power analysis attacks (simple PA/differential PA) are based on correlations between indi-
vidual bits or groups of bits of a secret cryptographic key and the average consumption of
electricity for the execution of individual instructions or code sequences depending on the
key (see, for example, [KoJJ], [CJRR], [GoPa]).
