CINXE.COM

<html> <head><script type="text/javascript" src="/_static/js/bundle-playback.js?v=HxkREWBo" charset="utf-8"></script> <script type="text/javascript" src="/_static/js/wombat.js?v=txqj7nKC" charset="utf-8"></script> <script>window.RufflePlayer=window.RufflePlayer||{};window.RufflePlayer.config={"autoplay":"on","unmuteOverlay":"hidden"};</script> <script type="text/javascript" src="/_static/js/ruffle/ruffle.js"></script> <script type="text/javascript"> __wm.init("https://web.archive.org/web"); __wm.wombat("http://www.cl.cam.ac.uk/~rja14/serpent.html","20130113104543","https://web.archive.org/","web","/_static/", "1358073943"); </script> <link rel="stylesheet" type="text/css" href="/_static/css/banner-styles.css?v=S1zqJCYt" /> <link rel="stylesheet" type="text/css" href="/_static/css/iconochive.css?v=3PDvdIFv" />  <title>Serpent home page</title> </head><body bgcolor="#FFFFFF"> <center> <br> <h1> SERPENT</h1> <img src="https://web.archive.org/web/20130113104543im_/http://www.cl.cam.ac.uk/~rja14/Papers/serpent2.gif"> <h2> A Candidate Block Cipher for the Advanced Encryption Standard </h2> </center> Serpent is a 128-bit block cipher designed by <a href="https://web.archive.org/web/20130113104543/http://www.cl.cam.ac.uk/~rja14/">Ross Anderson</a>, <a href="https://web.archive.org/web/20130113104543/http://www.cs.technion.ac.il/~biham">Eli Biham</a> and <a href="https://web.archive.org/web/20130113104543/http://www.ii.uib.no/~larsr/">Lars Knudsen</a> as a candidate for the <a href="https://web.archive.org/web/20130113104543/http://www.nist.gov/aes">Advanced Encryption Standard</a>. It was a finalist in the AES competition. The winner, <a href="https://web.archive.org/web/20130113104543/http://csrc.nist.gov/CryptoToolkit/aes/rijndael/">Rijndael</a>, got 86 votes at the last AES conference while Serpent got 59 votes, Twofish 31 votes, RC6 23 votes and MARS 13 votes. So NIST's choice of Rijndael as the AES was not surprising, and we had to content ourselves with silver in the `encryption olympics'. Serpent and Rijndael are somewhat similar; the main difference is that Rijndael is faster (having fewer rounds) but Serpent is more secure. <p> We designed Serpent to provide users with the highest practical level of assurance that no shortcut attack will be found. To achieve this, we limited ourselves to well understood mechanisms, so that we could rely on the existing experience of block cipher cryptanalysis. We also used twice as many rounds as are sufficient to block all currently known shortcut attacks. We believed this to be prudent practice for a cipher that might have a service life of a century or more. <p> Despite these exacting design constraints, Serpent is much faster than DES. Its design supports a very efficient bitslice implementation, and the fastest version at the time of the competition ran at over 45 Mbit/sec on a 200MHz Pentium (compared with about 15 Mbit/sec for DES). <p> You can download both documentation and code. The papers we offer are: <ul> <li><a href="https://web.archive.org/web/20130113104543/http://www.cl.cam.ac.uk/~rja14/Papers/serpentcase.pdf">The Case for Serpent</a> is our submitter paper for the <a href="https://web.archive.org/web/20130113104543/http://csrc.nist.gov/encryption/aes/round2/conf3/aes3conf.htm">Third AES Candidate Conference</a>. It sets out why we believe Serpent should be chosen as the winner. You can also get our presentation slides from the conference, in <a href="https://web.archive.org/web/20130113104543/http://www.cl.cam.ac.uk/~rja14/Papers/serpentslides.pdf">colour</a> (1.6Mb) or <a href="https://web.archive.org/web/20130113104543/http://www.cl.cam.ac.uk/~rja14/Papers/serpentslides-bw.pdf">black and white</a> (227K);</li> <li>The algorithm <a href="https://web.archive.org/web/20130113104543/http://www.cl.cam.ac.uk/~rja14/Papers/serpent.pdf">specification</a>; </li> <li> A <a href="https://web.archive.org/web/20130113104543/http://www.cl.cam.ac.uk/~rja14/Papers/ventura.pdf">short paper</a> on Serpent which was presented at the <a href="https://web.archive.org/web/20130113104543/http://csrc.nist.gov/encryption/aes/round1/conf1/aes1conf.htm">First AES Candidate Conference</a>;</li> <li> A <a href="https://web.archive.org/web/20130113104543/http://www.cl.cam.ac.uk/~rja14/Papers/serpent_card.pdf">paper</a> on the implementation of Serpent, and other AES candidate algorithms, on low-cost smartcards which we presented at Cardis 98. (The final procedings version is <a href="https://web.archive.org/web/20130113104543/http://www.cl.cam.ac.uk/~rja14/Papers/serpent_card_final.pdf">here</a>); </li> <li> An <a href="https://web.archive.org/web/20130113104543/http://www.cl.cam.ac.uk/~rja14/Papers/serpent0.pdf">earlier version</a> of the algorithm specification, which appeared at the <a href="https://web.archive.org/web/20130113104543/http://web.archive.org/web/19991011095039/http://www.dmi.ens.fr/users/vaudenay/fse5/">5th workshop on Fast Software Encryption</a>;</li> <li> First round comments by each of my coauthors: <a href="https://web.archive.org/web/20130113104543/http://www.cl.cam.ac.uk/~rja14/Papers/aes-lars.pdf">Some thoughts on the AES process</a> by Lars, and <a href="https://web.archive.org/web/20130113104543/http://www.cl.cam.ac.uk/~rja14/Papers/aes-comment-to-nist.pdf">Comment on Selecting the Ciphers for the AES Second Round</a> by Eli;</li> <li> The <a href="https://web.archive.org/web/20130113104543/http://www.cl.cam.ac.uk/~rja14/Papers/asiacrypt98-slides-c.pdf">slides</a> from Eli Biham's talk at Asiacrypt 98 on the relative merits of the AES submissions;</li> <li> The university's <a href="https://web.archive.org/web/20130113104543/http://www.cl.cam.ac.uk/~rja14/serpentpr.html">press release</a> following Serpent's selection as a finalist, as well as the <a href="https://web.archive.org/web/20130113104543/http://csrc.nist.gov/encryption/aes/round2/AESpressrelease-990809.pdf">press release</a> put out by the US government. There was also a lot of press coverage in <a href="https://web.archive.org/web/20130113104543/http://web.archive.org/web/20021225064208/http://www.ii.uib.no/~larsr/press/serpent2.html">Norway</a>.</li> </ul> <p> The following implementations can be downloaded: <ul> <li> <a href="https://web.archive.org/web/20130113104543/http://www.cl.cam.ac.uk/~rja14/Papers/serpent.tar.gz">The full submission package</a>, which contains the algorithm specification, a reference implementation in C, an optimised implementation in C and an optimised implementation in Java;</li> <li>The fastest optimised code so far uses novel register optimisation techniques developed by <a href="https://web.archive.org/web/20130113104543/http://www.ii.uib.no/~osvik/">Dag Arne Osvik</a>. An <a href="https://web.archive.org/web/20130113104543/http://fp.gladman.plus.com/cryptography_technology/serpent/">assembler version</a> by Brian Gladman runs at 45 Mbit/sec on the 200 MHz Pentium 2 used as a benchmark machine, while an <a href="https://web.archive.org/web/20130113104543/http://web.archive.org/web/*/http://www.ii.uib.no/~gisle/serpent.html">Ada implementation</a> which uses these, coded by Gisle Sælensminde, claims the speed record for Ada at over 32 Mbit/sec;</li> <li>An <a href="https://web.archive.org/web/20130113104543/http://www.cl.cam.ac.uk/~mgk25/download/serpent-8051.tar.gz">implementation in 8051 assembler</a> by Vincent Journot;</li> <li> Other implementations including <a href="https://web.archive.org/web/20130113104543/http://www.cl.cam.ac.uk/~mgk25/download/serpent-ada.tar.gz">Ada</a> by <a href="https://web.archive.org/web/20130113104543/http://www.cl.cam.ac.uk/~mgk25">Markus Kuhn</a> and, appropriately enough, a version in <a href="https://web.archive.org/web/20130113104543/http://www.cl.cam.ac.uk/~fms27/serpent">Python</a> by <a href="https://web.archive.org/web/20130113104543/http://www.cl.cam.ac.uk/~fms27">Frank Stajano</a>.</li> </ul> <p> Serpent is now completely in the public domain, and we impose no restrictions on its use. This was announced on the 21st August at the <a href="https://web.archive.org/web/20130113104543/http://csrc.nist.gov/encryption/aes/round1/conf1/aes1conf.htm">First AES Candidate Conference</a>. The optimised implementations in the submission package are now under the General Public License (GPL), although some comments in the code still say otherwise. You are welcome to use Serpent for any application. If you do use it, we would appreciate it if you would let us know! <p> A <a href="https://web.archive.org/web/20130113104543/http://eprint.iacr.org/2002/044/">paper by Courtois and Pieprzyk</a> claimed an attack on Serpent (and on Rijndael), for which they got some <a href="https://web.archive.org/web/20130113104543/http://slashdot.org/articles/02/09/16/0653224.shtml?tid=93">publicity</a>. They toned down their claims <a href="https://web.archive.org/web/20130113104543/http://www.cryptosystem.net/aes/">here</a>. However, see the comments on their alleged attack by <a href="https://web.archive.org/web/20130113104543/http://aes.nist.gov/aes/FMPro?-token=S021&-DB=discufm.fp3&-lay=detail&-Format=Detail.htm&-op=eq&ThreadID=100000627&ActiveMessages=x&-Skip=1&-Max=1&-sortfield=ThreadID&-sortorder=descending&-sortfield=MessageID&-sortorder=ascending&-Find"">Coppersmith</a> and <a href="https://web.archive.org/web/20130113104543/http://www.usdsi.com/aes.html">Moh</a>. <p> The GNU project has issued OIDs for Serpent; they are maintained <a href="https://web.archive.org/web/20130113104543/http://www.gnupg.org/oids.html">here</a>. <p> Eli Biham's <a href="https://web.archive.org/web/20130113104543/http://www.cs.technion.ac.il/~biham/Reports/Serpent/">Serpent Page</a> has some further test vectors in the NESSIE format.<hr> </body> </html>