Report on the Development of the Advanced Encryption Standard (AES)

Report on the Development of the Advanced Encryption Standard (AES)

Volume 106, Number 3, May–June 2001 Journal of Research of the National Institute of Standards and Technology [J. Res. Natl. Inst. Stand. Technol. 106, 511–577 (2001)] Report on the Development of the Advanced Encryption Standard (AES) Volume 106 Number 3 May–June 2001 James Nechvatal, Elaine Barker, In 1997, the National Institute of Standards NIST has decided to propose Rijndael as Lawrence Bassham, William and Technology (NIST) initiated a pro- the Advanced Encryption Standard Burr, Morris Dworkin, James cess to select a symmetric-key encryption (AES). The research results and rationale algorithm to be used to protect sensitive for this selection are documented in this Foti, and Edward Roback (unclassified) Federal information in report. furtherance of NIST’s statutory responsi- National Institute of Standards and bilities. In 1998, NIST announced the Technology, acceptance of 15 candidate algorithms Key words: Advanced Encryption Gaithersburg, MD 20899-8930 and requested the assistance of the Standard (AES); cryptography; cryptanaly- cryptographic research community in sis; cryptographic algorithms; encryption; analyzing the candidates. This analysis Rijndael. [email protected] included an initial examination of the [email protected] security and efficiency characteristics for [email protected] each algorithm. NIST reviewed the results of this preliminary research and Accepted: March 2, 2001 [email protected] selected MARS, RC, Rijndael, Serpent [email protected] and Twofish as finalists. Having reviewed [email protected] further public analysis of the finalists, Available online: http://www.nist.gov/jres Contents 1. Overview of the Development Process for the Advanced Encryption Standard and Summary of Round 2 Evaluations ........................ 515 1.1 Background................................................. 515 1.2 Overview of the Finalists...................................... 515 1.3 Evaluation Criteria ........................................... 516 1.4 Results from Round 2 ........................................ 517 1.5 The Selection Process......................................... 518 1.6 Organization of this Report .................................... 518 2. Selection Issues and Methodology ................................... 518 2.1 Approach to Selection ........................................ 518 2.2 Quantitative vs Qualitative Review .............................. 518 2.3 Number of AES Algorithms ................................... 518 2.4 Backup Algorithm ........................................... 519 2.5 Modifying the Algorithms ..................................... 520 511 Volume 106, Number 3, May–June 2001 Journal of Research of the National Institute of Standards and Technology 3. Technical Details of the Round 2 Analysis ............................ 520 3.1 Notes on Section............................................. 520 3.2 General Security ............................................. 520 3.2.1 Attacks on Reduced-Round Variants....................... 522 3.2.1.1 MARS ....................................... 522 3.2.1.2 RC6 ......................................... 523 3.2.1.3 Rijndael ...................................... 523 3.2.1.4 Serpent ....................................... 523 3.2.1.5 Twofish ...................................... 523 3.2.2 Security Margin ....................................... 524 3.2.3 Design Paradigms and Ancestry .......................... 525 3.2.4 Simplicity ............................................ 526 3.2.5 Statistical Testing ...................................... 526 3.2.6 Other Security Observations ............................. 526 3.2.7 Summary of Security Characteristics of the Finalists.......... 528 3.3 Software Implementations ..................................... 529 3.3.1 Machine Word Size .................................... 529 3.3.2 Other Architectural Issues ............................... 529 3.3.3 Software Implementation Languages....................... 529 3.3.4 Variation of Speed with Key Size ......................... 530 3.3.5 Summary of Speed on General Software Platforms ........... 530 3.3.6 Variation of Speed with Mode............................ 531 3.4 Restricted-Space Environments ................................. 532 3.4.1 A Case Study ......................................... 532 3.4.1.1 Notes on the Finalists ........................... 532 3.4.1.2 Comparison of the Finalists ...................... 533 3.4.2 A Second Case Study................................... 534 3.4.2.1 Notes on the Finalists ........................... 534 3.4.2.2 Comparison of the Finalists ...................... 535 3.5 Hardware Implementations..................................... 535 3.5.1 Architectural Options ................................... 535 3.5.1.1 The Basic Architecture .......................... 535 3.5.1.2 Internal Pipelinine .............................. 536 3.5.1.3 Loop Unrolling ................................ 536 3.5.1.4 External Pipelining ............................. 536 3.5.1.5 Hybrid Pipelining .............................. 536 3.5.2 Design Methodologies and Goals ......................... 536 3.5.3 Field Programmable Gate Arrays ......................... 536 3.5.3.1 Operations and Their Implementation .............. 537 3.5.3.2 A Case Study.................................. 537 3.5.3.2.1 Notes on the Four Finalists Implemented. 538 3.5.3.2.2 Comparison of the Four Implemented Finalists ............................. 539 3.5.3.3 A Second Case Study ........................... 540 3.5.3.3.1 Notes on the Finalists .................. 540 3.5.3.3.2 Comparison of the Finalists ............. 541 3.5.3.4 A Third Case Study............................. 542 3.5.3.4.1 Notes on the Finalists .................. 542 3.5.3.4.2 Comparison of the Finalists ............. 543 3.5.3.5 A Fourth Case Study............................ 543 3.5.3.5.1 Notes on the Finalists .................. 544 3.5.3.5.2 Comparison of the Finalists ............. 544 3.5.3.6 Overall Summary of FPGA Implementations ........ 544 512 Volume 106, Number 3, May–June 2001 Journal of Research of the National Institute of Standards and Technology 3.5.4 Application Specific Integrated Circuits .................... 545 3.5.4.1 A Case Study.................................. 545 3.5.4.1.1 Notes on the Finalists .................. 545 3.5.4.1.2 Comparison of the Finalists ............. 546 3.5.4.2 A Second Case Study ........................... 546 3.5.4.2.1 Notes on the Finalists .................. 547 3.5.4.2.2 Comparison of the Finalists ............. 547 3.5.5 Comparison of All Hardware Results ...................... 547 3.6 Attacks on Implementations.................................... 548 3.6.1 Timing and Power Attacks............................... 549 3.6.2 The Role of Operations ................................. 549 3.6.3 Implicit Key Schedule Weaknesses........................ 550 3.6.3.1 A Power Analysis Variant ....................... 550 3.6.3.2 A Second Power Analysis Variant ................. 550 3.6.4 Defenses Against Implementation-Dependent Attacks ......... 550 3.6.4.1 A Case Study in Defense ........................ 551 3.6.4.1.1 Notes on the Finalists .................. 551 3.6.4.1.2 Comparison of the Finalists ............. 552 3.7 Encryption vs Decryption...................................... 552 3.8 Key Agility ............ 553 3.9 Other Versatility and Flexibility ................................ 554 3.9.1 Parameter Flexibility ................................... 554 3.9.2 Implementation Flexibility ............................... 554 3.10 Potential for Instruction-Level Parallelism ........................ 555 4. Intellectual Property Issues ......................................... 556 5. Finalist Profiles .................................................. 557 5.1 MARS ..................................................... 557 5.1.1 General Security ....................................... 557 5.1.2 Software Implementations ............................... 557 5.1.3 Restricted-Space Environments ........................... 557 5.1.4 Hardware Implementations............................... 557 5.1.5 Attacks on Implementations.............................. 557 5.1.6 Encryption vs Decryption................................ 557 5.1.7 Key Agility ........................................... 557 5.1.8 Other Versatility and Flexibility .......................... 557 5.1.9 Potential for Instruction-Level Parallelism .................. 557 5.2 RC6....................................................... 558 5.2.1 General Security ....................................... 558 5.2.2 Software Implementations ............................... 558 5.2.3 Restricted-Space Environments ........................... 558 5.2.4 Hardware Implementations............................... 558 5.2.5 Attacks on Implementations.............................. 558 5.2.6 Encryption vs Decryption................................ 558 5.2.7 Key Agility ........................................... 558 5.2.8 Other Versatility and Flexibility .......................... 558 5.2.9 Potential for Instruction-Level Parallelism .................. 558 5.3 Rijndael.................................................... 558 5.3.1 General Security ....................................... 558 5.3.2 Software Implementations ............................... 558 5.3.3 Restricted-Space Environments ........................... 559 5.3.4 Hardware Implementations..............................

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    66 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us