Serpent home page
SERPENT
A Candidate Block Cipher for the
Advanced Encryption Standard
Serpent is a 128-bit block cipher designed by
Ross Anderson
Eli Biham
and
Lars Knudsen
as a candidate for the
Advanced Encryption Standard
. It was a
finalist in the AES competition. The winner,
Rijndael
, got 86
votes at the last AES conference while Serpent got 59 votes, Twofish 31 votes,
RC6 23 votes and MARS 13 votes. So NIST's choice of Rijndael as the AES was not
surprising, and we had to content ourselves with silver in the `encryption
olympics'. Serpent and Rijndael are somewhat similar; the main difference is
that Rijndael is faster (having fewer rounds) but Serpent is more secure.
We designed Serpent to provide users with the highest practical level of
assurance that no shortcut attack will be found. To achieve this, we limited
ourselves to well understood mechanisms, so that we could rely on the existing
experience of block cipher cryptanalysis. We also used twice as many rounds as
are sufficient to block all currently known shortcut attacks. We believed this
to be prudent practice for a cipher that might have a service life of a century
or more.
Despite these exacting design constraints, Serpent is much faster than DES.
Its design supports a very efficient bitslice implementation, and the fastest
version at the time of the competition ran at over 45 Mbit/sec on a 200MHz
Pentium (compared with about 15 Mbit/sec for DES).
You can download both documentation and code. The papers we offer are:
The Case
for Serpent
is our submitter paper for the
Third AES
Candidate Conference
. It sets out why we believe Serpent should be chosen
as the winner. You can also get our presentation slides from the conference,
in
colour
(1.6Mb) or
black and
white
(227K);
The algorithm
specification
short
paper
on Serpent which was presented at the
First AES
Candidate Conference
paper
on the
implementation of Serpent, and other AES candidate algorithms, on low-cost
smartcards which we presented at Cardis 98. (The final procedings version is
here
);
An
earlier
version
of the algorithm specification, which appeared at the
5th workshop on Fast Software Encryption
First round comments by each of my coauthors:
Some thoughts on the
AES process
by Lars, and
Comment on
Selecting the Ciphers for the AES Second Round
by Eli;
The
slides
from Eli Biham's talk at Asiacrypt 98 on the relative merits of the AES
submissions;
The university's
press release
following Serpent's selection as a finalist, as well as the
press release
put out by the US government. There was also a lot of press coverage in
Norway
The following implementations can be downloaded:
The full
submission package
, which contains the algorithm specification, a reference
implementation in C, an optimised implementation in C and an optimised
implementation in Java;
The fastest optimised code so far uses novel register optimisation
techniques developed by
Dag Arne
Osvik
. An
assembler
version
by Brian Gladman runs at 45 Mbit/sec on the 200 MHz Pentium 2 used
as a benchmark machine, while an
Ada
implementation
which uses these, coded by Gisle Sælensminde, claims
the speed record for Ada at over 32 Mbit/sec;
An
implementation in 8051 assembler
by Vincent Journot;
Other implementations including
Ada
by
Markus Kuhn
and, appropriately
enough, a version in
Python
by
Frank Stajano
Serpent is now completely in the public domain, and we impose no restrictions
on its use. This was announced on the 21st August at the
First AES
Candidate Conference
. The optimised implementations in the submission
package are now under the General Public License (GPL), although some comments
in the code still say otherwise. You are welcome to use Serpent for any
application. If you do use it, we would appreciate it if you would let us know!
paper by Courtois and Pieprzyk
claimed an attack on Serpent (and on Rijndael), for which they got some
publicity
. They toned down their claims
here
. However, see the comments on
their alleged attack by
Coppersmith
and
Moh
The GNU project has issued OIDs for Serpent; they are maintained
here
Eli Biham's
Serpent Page
has some further test vectors in the NESSIE format.