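2022/10/9 Modern Cryptography: Theory and Practice 05 7/29

AES Evaluation Criteria
⚫ General security
  ⚫ Relies on public security analysis by the cryptographic community
⚫ Software implementations
  ⚫ Software execution speed, performance across platforms, and variation of speed with key size
⚫ Restricted-space environments
  ⚫ Applications such as smart cards
⚫ Hardware implementations
  ⚫ Hardware implementation to increase execution speed or reduce code size
⚫ Attacks on implementations
  ⚫ Resistance to cryptanalytic attacks
⚫ Encryption vs. decryption
⚫ Key agility
  ⚫ Ability to change the key length quickly
⚫ Other versatility and flexibility
⚫ Potential for instruction-level parallelism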
Table 5.2 Final NIST Evaluation of Rijndael (October 2, 2000) (page 1 of 2)

General Security
Rijndael has no known security attacks. Rijndael uses S-boxes as nonlinear components. Rijndael appears to have an adequate security margin, but has received some criticism suggesting that its mathematical structure may lead to attacks. On the other hand, the simple structure may have facilitated its security analysis during the timeframe of the AES development process.

Software Implementations
Rijndael performs encryption and decryption very well across a variety of platforms, including 8-bit and 64-bit platforms, and DSPs. However, there is a decrease in performance with the higher key sizes because of the increased number of rounds that are performed. Rijndael's high inherent parallelism facilitates the efficient use of processor resources, resulting in very good software performance even when implemented in a mode not capable of interleaving. Rijndael's key setup time is fast.

Restricted-Space Environments
In general, Rijndael is very well suited for restricted-space environments where either encryption or decryption is implemented (but not both). It has very low RAM and ROM requirements. A drawback is that ROM requirements will increase if both encryption and decryption are implemented simultaneously, although it appears to remain suitable for these environments. The key schedule for decryption is separate from encryption.

Hardware Implementations
Rijndael has the highest throughput of any of the finalists for feedback modes and second highest for non-feedback modes. For the 192 and 256-bit key sizes, throughput falls in standard and unrolled implementations because of the additional number of rounds. For fully pipelined implementations, the area requirement increases, but the throughput is unaffected.
Table 5.2 Final NIST Evaluation of Rijndael (October 2, 2000) (page 2 of 2)

Attacks on Implementations
The operations used by Rijndael are among the easiest to defend against power and timing attacks. The use of masking techniques to provide Rijndael with some defense against these attacks does not cause significant performance degradation relative to the other finalists, and its RAM requirement remains reasonable. Rijndael appears to gain a major speed advantage over its competitors when such protections are considered.

Encryption vs. Decryption
The encryption and decryption functions in Rijndael differ. One FPGA study reports that the implementation of both encryption and decryption takes about 60% more space than the implementation of encryption alone. Rijndael's speed does not vary significantly between encryption and decryption, although the key setup performance is slower for decryption than for encryption.

Key Agility
Rijndael supports on-the-fly subkey computation for encryption. Rijndael requires a one-time execution of the key schedule to generate all subkeys prior to the first decryption with a specific key. This places a slight resource burden on the key agility of Rijndael.

Other Versatility and Flexibility
Rijndael fully supports block sizes and key sizes of 128 bits, 192 bits and 256 bits, in any combination. In principle, the Rijndael structure can accommodate any block sizes and key sizes that are multiples of 32, as well as changes in the number of rounds that are specified.

Potential for Instruction-Level Parallelism
Rijndael has an excellent potential for parallelism for a single block encryption.
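
The Key Agility row above can be made concrete with the AES key schedule itself. The following Python sketch is an added example, not part of the original slides; the function names are illustrative, and the schedule follows FIPS-197 for 128-bit blocks. It produces subkeys in encryption order while holding only Nk words of state, and shows that the first decryption subkey only becomes available after the whole schedule has run.

```python
def _xtime(a):
    """Multiply by x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

def _gmul(a, b):
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = _xtime(a), b >> 1
    return r

def _build_sbox():
    """S-box: inverse in GF(2^8) (0 maps to 0), then the FIPS-197 affine map."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gmul(x, y) == 1), 0)
        rot = lambda r: ((inv << r) | (inv >> (8 - r))) & 0xFF
        sbox.append(inv ^ rot(1) ^ rot(2) ^ rot(3) ^ rot(4) ^ 0x63)
    return sbox

SBOX = _build_sbox()

def schedule_words(key):
    """Yield the 4*(Nr+1) schedule words, keeping only the last Nk in memory."""
    nk = len(key) // 4                       # Nk = 4, 6 or 8
    if len(key) not in (16, 24, 32):
        raise ValueError("AES keys are 16, 24 or 32 bytes")
    window = [key[4 * i:4 * i + 4] for i in range(nk)]
    yield from window
    rcon = 1
    for i in range(nk, 4 * (nk + 7)):        # Nr = Nk + 6 rounds
        t = window[-1]
        if i % nk == 0:                      # RotWord, SubWord, add round constant
            t = bytes(SBOX[b] for b in t[1:] + t[:1])
            t = bytes([t[0] ^ rcon]) + t[1:]
            rcon = _xtime(rcon)
        elif nk == 8 and i % nk == 4:        # extra SubWord for 256-bit keys
            t = bytes(SBOX[b] for b in t)
        window.append(bytes(a ^ b for a, b in zip(window.pop(0), t)))
        yield window[-1]

def first_round_key(key, decrypt=False):
    """Return (round key needed first, schedule words produced to reach it)."""
    words = schedule_words(key)
    if not decrypt:                          # encryption starts with the raw key
        return b"".join(next(words) for _ in range(4)), 4
    all_words = list(words)                  # decryption starts with the LAST key
    return b"".join(all_words[-4:]), len(all_words)
```

For a 128-bit key, encryption can start after 4 words while decryption has to wait for all 44; the total grows to 52 and 60 words for 192-bit and 256-bit keys, in line with the extra rounds noted under Software Implementations.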
NIST Requirements for AES
⚫ Symmetric-key block cipher
⚫ 128-bit blocks, with key lengths of 128, 192 or 256 bits
⚫ Must be more secure and faster than Triple-DES
⚫ Must remain secure for at least 20-30 years
⚫ Must provide a complete specification and design details
⚫ Must be implementable in C or Java
⚫ NIST published all submitted algorithms and the unclassified analysis material, and after evaluation finally selected Rijndael
The AES Cipher
⚫ AES has a block length of 128 bits; the key length can be any one of 128, 192 or 256 bits
⚫ Does not use a Feistel structure; it is an iterative cipher instead
  ⚫ The data is divided into 4 groups of 4 bytes each
  ⚫ Each round operates on the entire block
⚫ Rijndael has the following characteristics
  ⚫ Resistance to all known attacks
  ⚫ Fast execution and compact code on a wide range of CPU platforms
  ⚫ Design simplicity