needed in modern communication systems, such as data compression or signal processing schemes.
4.7 Discussion and Further Reading
AES Algorithm and Security A detailed description of the design principles of AES can be found in [52]. This book by the Rijndael inventors describes the design of the block cipher. Recent research on AES can be found online in the AES Lounge [68]. This website is a dissemination effort within ECRYPT, the Network of Excellence in Cryptology, and is a rich resource on activities around AES. It gives many links to further information and papers regarding implementation and theoretical aspects of AES.
There is currently no analytical attack against AES known whose complexity is lower than that of a brute-force attack. An elegant algebraic description of AES was found [122], which in turn triggered speculation that it could lead to attacks. Subsequent research showed that such an attack is, in fact, not feasible, and by now the common assumption is that this approach will not threaten AES. A good summary of algebraic attacks can be found in [43]. In addition, many other attacks have been proposed, including the Square attack, impossible-differential attacks and related-key attacks. Again, a good source for further references is the AES Lounge.
The standard reference for the mathematics of finite fields is [110]. A very accessible but brief introduction is also given in [19]. The International Workshop on the Arithmetic of Finite Fields (WAIFI), a relatively new workshop series, is concerned with both the applications and the theory of Galois fields [171].
Implementation As mentioned in Sect. 4.6, most software implementations on modern CPUs use special lookup tables (T-boxes, also called T-tables). An early detailed description of the construction of T-boxes can be found in [51, Sect. 5]. A description of high-speed software implementations on modern 32-bit and 64-bit CPUs is given in [116, 115]. The bit-slicing technique, which was developed in the context of DES, is also applicable to AES and can lead to very fast code, as shown in [117].
A strong indication of the importance of AES was the introduction of special AES instructions by Intel, announced in 2008. These instructions allow the CPU to compute a full AES round particularly quickly.
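The T-box technique described above, as an added example (this is not code from the book or from the referenced papers): a complete AES-128 block encryption in C that builds the S-box and the four T-tables from their definitions at startup and then performs each of the nine inner rounds as 16 table lookups and 16 XORs, with ShiftRows absorbed into the indexing. All function and variable names are this example's own. The only known-answer data embedded is the FIPS-197 Appendix C.1 test vector, which the self-test checks.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint8_t  sbox[256];
static uint32_t Te0[256], Te1[256], Te2[256], Te3[256];
static int tables_ready = 0;

/* Multiplication in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1. */
static uint8_t gmul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    while (b) {
        if (b & 1) p ^= a;
        a = (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1b : 0));
        b >>= 1;
    }
    return p;
}

#define ROR8(w) (((w) >> 8) | ((w) << 24))

/* Build the S-box from its definition (inverse in GF(2^8), then the affine map)
   and derive the T-tables: Te0[x] = S[x] * (02,01,01,03); Te1..Te3 are byte
   rotations of Te0. One entry holds a whole column's worth of SubBytes +
   MixColumns, so a round reduces to 16 table lookups and 16 XORs. */
static void build_tables(void) {
    for (int x = 0; x < 256; x++) {
        uint8_t inv = x ? 1 : 0, b = (uint8_t)x;      /* inv = x^254 = x^-1 (0 -> 0) */
        for (int e = 254; e; e >>= 1) { if (e & 1) inv = gmul(inv, b); b = gmul(b, b); }
        uint8_t s = inv ^ 0x63;
        for (int i = 1; i <= 4; i++) s ^= (uint8_t)((inv << i) | (inv >> (8 - i)));
        sbox[x] = s;
        uint32_t s2 = gmul(s, 2), s3 = gmul(s, 3);
        Te0[x] = (s2 << 24) | ((uint32_t)s << 16) | ((uint32_t)s << 8) | s3;
        Te1[x] = ROR8(Te0[x]); Te2[x] = ROR8(Te1[x]); Te3[x] = ROR8(Te2[x]);
    }
    tables_ready = 1;
}

static uint32_t load_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void store_be32(uint8_t *p, uint32_t w) {
    p[0] = (uint8_t)(w >> 24); p[1] = (uint8_t)(w >> 16); p[2] = (uint8_t)(w >> 8); p[3] = (uint8_t)w;
}
static uint32_t sub_word(uint32_t w) {
    return ((uint32_t)sbox[w >> 24] << 24) | ((uint32_t)sbox[(w >> 16) & 0xff] << 16)
         | ((uint32_t)sbox[(w >> 8) & 0xff] << 8) | sbox[w & 0xff];
}

/* AES-128 key schedule: 44 words = 11 round keys (FIPS-197, Sect. 5.2). */
static void expand_key128(const uint8_t key[16], uint32_t rk[44]) {
    uint8_t rcon = 0x01;
    for (int i = 0; i < 4; i++) rk[i] = load_be32(key + 4 * i);
    for (int i = 4; i < 44; i++) {
        uint32_t t = rk[i - 1];
        if (i % 4 == 0) {                              /* SubWord(RotWord(t)) ^ Rcon */
            t = sub_word((t << 8) | (t >> 24)) ^ ((uint32_t)rcon << 24);
            rcon = gmul(rcon, 2);
        }
        rk[i] = rk[i - 4] ^ t;
    }
}

/* State = four big-endian column words. Output column j takes its row-r byte
   from input column (j + r) mod 4: that indexing is ShiftRows for free. */
void aes128_encrypt_block(const uint8_t key[16], const uint8_t in[16], uint8_t out[16]) {
    uint32_t rk[44], s[4], t[4];
    if (!tables_ready) build_tables();
    expand_key128(key, rk);
    for (int j = 0; j < 4; j++) s[j] = load_be32(in + 4 * j) ^ rk[j];
    for (int r = 1; r < 10; r++) {                     /* rounds 1..9 via T-tables */
        for (int j = 0; j < 4; j++)
            t[j] = Te0[s[j] >> 24] ^ Te1[(s[(j + 1) & 3] >> 16) & 0xff]
                 ^ Te2[(s[(j + 2) & 3] >> 8) & 0xff] ^ Te3[s[(j + 3) & 3] & 0xff] ^ rk[4 * r + j];
        memcpy(s, t, sizeof s);
    }
    for (int j = 0; j < 4; j++) {                      /* round 10: no MixColumns */
        t[j] = ((uint32_t)sbox[s[j] >> 24] << 24) | ((uint32_t)sbox[(s[(j + 1) & 3] >> 16) & 0xff] << 16)
             | ((uint32_t)sbox[(s[(j + 2) & 3] >> 8) & 0xff] << 8) | sbox[s[(j + 3) & 3] & 0xff];
        store_be32(out + 4 * j, t[j] ^ rk[40 + j]);
    }
}

/* Known-answer test: FIPS-197, Appendix C.1 (AES-128). Returns 1 on success. */
int aes128_selftest(void) {
    static const uint8_t key[16] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
    static const uint8_t pt[16]  = {0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff};
    static const uint8_t ct[16]  = {0x69,0xc4,0xe0,0xd8,0x6a,0x7b,0x04,0x30,0xd8,0xcd,0xb7,0x80,0x70,0xb4,0xc5,0x5a};
    uint8_t out[16];
    aes128_encrypt_block(key, pt, out);
    return memcmp(out, ct, 16) == 0;
}

int main(void) {
    printf("T-table AES-128 self-test: %s\n", aes128_selftest() ? "PASS" : "FAIL");
    return 0;
}
```

Builds with any C99 compiler; the four tables cost 4 KB and are what the references above trade memory for speed with. Two practitioner caveats: the tables are indexed by secret-dependent bytes, so on a CPU with a data cache the lookups leak timing information (the well-known cache-timing weakness of T-table AES), which is one reason constant-time bit-sliced code [117] and the AES instructions mentioned above are preferred wherever an attacker can measure timing; and the example covers encryption only, since decryption needs a second set of tables built from the inverse S-box and InvMixColumns.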
There is a wealth of literature dealing with hardware implementations of AES. A good introduction to the area of AES hardware architectures is given in [104, Chap. 10]. As an example of the variety of AES implementations, reference [86] describes both a very small FPGA implementation with 2.2 Mbit/s and a very fast pipelined FPGA implementation with 25 Gbit/s. It is also possible to use the DSP blocks (i.e., fast arithmetic units) available on modern FPGAs for AES, which can yield throughputs beyond 50 Gbit/s [63]. The basic idea in all high-speed architectures is to process several plaintext blocks in parallel by means of pipelining. On the other end of the performance spectrum are lightweight architectures which are optimized