Table 5.2 Final NIST Evaluation of Riindael (October 2,2000)(page 1 of 2) General Security Rijndael has no known security attacks.Rijndael uses S-boxes as nonlinear components. Rijndael appears to have an adequate security margin,but has received some criticism suggesting that its mathematical structure may lead to attacks.On the other hand,the simple structure may have facilitated its security analysis during the timeframe of the AES development process. Software Implementations Rijndael performs encryption and decryption very well across a variety of platforms, including 8-bit and 64-bit platforms,and DSPs.However,there is a decrease in performance with the higher key sizes because of the increased number of rounds that are performed. Rijndael's high inherent parallelism facilitates the efficient use of processor resources, resulting in very good software performance even when implemented in a mode not capable of interleaving.Rijndael's key setup time is fast. Restricted-Space Environments In general,Rijndael is very well suited for restricted-space environments where either encryption or decryption is implemented(but not both).It has very low RAM and ROM requirements.A drawback is that ROM requirements will increase if both encryption and decryption are implemented simultaneously,although it appears to remain suitable for these environments.The key schedule for decryption is separate from encryption. Hardware Implementations Rijndael has the highest throughput of any of the finalists for feedback modes and second highest for non-feedback modes.For the 192 and 256-bit key sizes,throughput falls in standard and unrolled implementations because of the additional number of rounds.For fully pipelined implementations,the area requirement increases,but the throughput is unaffected. 8/292022/10/9 现代密码学理论与实践05 8/29