SERPENT

A Candidate Block Cipher for the Advanced Encryption Standard

We designed Serpent to provide users with the highest practical level of assurance that no shortcut attack will be found. To achieve this, we limited ourselves to well understood mechanisms, so that we could rely on the existing experience of block cipher cryptanalysis. We also used twice as many rounds as are sufficient to block all currently known shortcut attacks. We believed this to be prudent practice for a cipher that might have a service life of a century or more.

Despite these exacting design constraints, Serpent is much faster than DES. Its design supports a very efficient bitslice implementation, and the fastest version at the time of the competition ran at over 45 Mbit/sec on a 200MHz Pentium (compared with about 15 Mbit/sec for DES).

You can download both documentation and code. The papers we offer are:

• The Case for Serpent is our submitter paper for the Third AES Candidate Conference. It sets out why we believe Serpent should be chosen as the winner. You can also get our presentation slides from the conference, in colour (1.6Mb) or black and white (227K);
• The algorithm specification;
• A short paper on Serpent which was presented at the First AES Candidate Conference;
• A paper on the implementation of Serpent, and other AES candidate algorithms, on low-cost smartcards which we presented at Cardis 98. (The final procedings version is here);
• An earlier version of the algorithm specification, which appeared at the 5th workshop on Fast Software Encryption;
• First round comments by each of my coauthors: Some thoughts on the AES process by Lars, and Comment on Selecting the Ciphers for the AES Second Round by Eli;
• The slides from Eli Biham's talk at Asiacrypt 98 on the relative merits of the AES submissions;
• The university's press release following Serpent's selection as a finalist, as well as the press release put out by the US government. There was also a lot of press coverage in Norway.

The following implementations can be downloaded:

• The full submission package, which contains the algorithm specification, a reference implementation in C, an optimised implementation in C and an optimised implementation in Java;
• The fastest optimised code so far uses novel register optimisation techniques developed by Dag Arne Osvik. An assembler version by Brian Gladman runs at 45 Mbit/sec on the 200 MHz Pentium 2 used as a benchmark machine, while an Ada implementation which uses these, coded by Gisle Sælensminde, claims the speed record for Ada at over 32 Mbit/sec;
• An implementation in 8051 assembler by Vincent Journot;
• Other implementations including Ada by Markus Kuhn and, appropriately enough, a version in Python by Frank Stajano.

Serpent is now completely in the public domain, and we impose no restrictions on its use. This was announced on the 21st August at the First AES Candidate Conference. The optimised implementations in the submission package are now under the General Public License (GPL), although some comments in the code still say otherwise. You are welcome to use Serpent for any application. If you do use it, we would appreciate it if you would let us know!

A paper by Courtois and Pieprzyk claimed an attack on Serpent (and on Rijndael), for which they got some publicity. They toned down their claims here. However, see the comments on their alleged attack by Coppersmith and Moh.

The GNU project has issued OIDs for Serpent; they are maintained here.

Eli Biham's Serpent Page has some further test vectors in the NESSIE format.