All publicly known attacks are computationally infeasible, and none of them affect the full 32-round Serpent. A 2011 attack breaks 11 round Serpent (all key sizes) with 2116 known plaintexts, 2107.5 time and 2104 memory (as described in[1]). The same paper also describes two attacks which break 12 rounds of Serpent-256. The first requires 2118 known plaintexts, 2228.8 time and 2228 memory. The other attack requires 2116 known plaintexts and 2121 memory but also requires 2237.5 time.
Like other AES submissions, Serpent has a block size of 128 bits and supports a key size of 128, 192, or 256 bits.[4] The cipher is a 32-round substitution–permutation network operating on a block of four 32-bit words. Each round applies one of eight 4-bit to 4-bit S-boxes 32 times in parallel. Serpent was designed so that all operations can be executed in parallel, using 32 bit slices. This maximizes parallelism but also allows use of the extensive cryptanalysis work performed on DES.
Serpent took a conservative approach to security, opting for a large security margin: the designers deemed 16 rounds to be sufficient against known types of attack but specified 32 rounds as insurance against future discoveries in cryptanalysis.[5] The official NIST report on AES competition classified Serpent as having a high security margin like MARS and Twofish and in contrast to the adequate security margin of RC6 and Rijndael (currently AES).[2] In final voting, Serpent had the fewest negative votes among the finalists but ranked in second place overall because Rijndael had substantially more positive votes, the deciding factor being that Rijndael allowed for a far more efficient software implementation.[citation needed]
The Serpent cipher algorithm is in the public domain and has not been patented.[6] The reference code is public domain software, and the optimized code is licensed under the GPL.[7] There are no restrictions or encumbrances regarding its use. As a result, anyone is free to incorporate Serpent in their software (or in hardware implementations) without paying license fees.
Key Schedule
The Serpent key schedule consists of 3 main stages. In the first stage the key is initialized by adding padding if necessary. This is done in order to make short keys map to long keys of 256-bits, one "1" bit is appended to the end of the short key followed by "0" bits until the short key is mapped to a long key length.[4]
In the next phase, the "prekeys" are derived using the previously initialized key. 32-bit key parts XORed, the FRAC which is the fraction of the Golden ratio and the round index is XORed with the key parts, the result of the XOR operation is rotated to left by 11. The FRAC and round index were added to achieve an even distribution of the keys bits during the rounds.[4]
Finally the "subkeys" are derived from the previously generated "prekeys". This results in a total of 33 128-bit "subkeys".[4]
At the end the round key or "subkey" are placed in the "initial permutation IP" to place the key bits in the correct column.[4]
Key Schedule in C++
#define FRAC 0x9e3779b9 // fractional part of the golden ratio#define ROTL(A, n) ((A) << n | (A) >> 32-n)uint32_tkey[8];// key provided by useruint32_tsubkey[33][4];// roundkeysconstuint8_tS[8][16]={};// S-boxes/* key schedule: get prekeys */voidget_pre(uint32_tw[4*33],constuint32_tk[8]){uint32_tx[4*33+8];for(inti=0;i<8;i++)x[i]=k[i];for(inti=8;i<140;i++){x[i]=ROTL(x[i-8]^x[i-5]^x[i-3]^x[i-1]^FRAC^(i-8),11);w[i-8]=x[i];}}/* key schedule: get subkeys */voidget_sk(constuint32_tw[4*33],uint32_t(*sk)[4]){uint8_ti,p,j,s,k;for(i=0;i<33;i++){p=32+3-i;for(j=0;j<4;j++)sk[i][j]=0;for(k=0;k<32;k++){s=S[p%8][((w[4*i+0]>>k)&0x1)<<0|((w[4*i+1]>>k)&0x1)<<1|((w[4*i+2]>>k)&0x1)<<2|((w[4*i+3]>>k)&0x1)<<3];for(j=0;j<4;j++){sk[i][j]|=((s>>j)&0x1)<<k;}}}}voidkey_schedule(){uint32_tw[4*33];get_pre(w,key);get_sk(w,subkey);}
S-Boxes
The Serpent s-boxes are 4-bit permutations, and subject to the following properties:
a 1-bit input difference will never lead to a 1-bit output difference, a differential characteristic has a probability of 1:4 or less.[8]
linear characteristics have a probability between 1:2 and 1:4, linear relationship between input and output bits has a probability between 1:2 and 1:8.[8]
the nonlinear order of the output bits as function of the input bits is 3. However there have been output bits found which in function of the input bits have an order of only 2.[8]
The Serpent s-boxes have been constructed based on the 32 rows of the DES s-boxes. These were transformed by swapping entries, resulting arrays with desired properties were stored as the Serpent s-boxes. This process was repeated until a total of 8 s-boxes were found. The following key was used in this process: "sboxesforserpent".[4]
Permutations and Transformations
Initial permutation (IP)
The initial permutation works on 128 bits at a time moving bits around.
foriin0..127swap(bit(i),bit((32*i)%127))
Final permutation (FP)
The final permutation works on 128 bits at a time moving bits around.
foriin0..127swap(bit(i),bit((4*i)%127))
Linear transformation (LT)
Consists of XOR, S-Box, bit shift left and bit rotate left operations. These operations are performed on 4 32-bit words.
Rijndael is a substitution-linear transformation network with ten, twelve, or fourteen rounds, depending on the key size, and with key sizes of 128 bits, 192 bits, or 256 bits, independently specified. Serpent is a substitution–permutation network which has thirty-two rounds, plus an initial and a final permutation to simplify an optimized implementation. The round function in Rijndael consists of three parts: a nonlinear layer, a linear mixing layer, and a key-mixing XOR layer. The round function in Serpent consists of key-mixing XOR, thirty-two parallel applications of the same 4×4 S-box, and a linear transformation, except in the last round, wherein another key-mixing XOR replaces the linear transformation. The nonlinear layer in Rijndael uses an 8×8 S-box whereas Serpent uses eight different 4×4 S-boxes. The 32 rounds mean that Serpent has a higher security margin than Rijndael; however, Rijndael with 10 rounds is faster and easier to implement for small blocks.[9] Hence, Rijndael was selected as the winner in the AES competition.
Serpent-0 vs. Serpent-1
The original Serpent, Serpent-0, was presented at the 5th workshop on Fast Software Encryption, but a somewhat tweaked version, Serpent-1, was submitted to the AES competition. The AES submission paper discusses the changes, which include key-scheduling differences.
Security
The XSL attack, if effective, would weaken Serpent (though not as much as it would weaken Rijndael, which became AES). However, many cryptanalysts believe that once implementation considerations are taken into account the XSL attack would be more expensive than a brute force attack.[citation needed]
A 2001 attack by Eli Biham, Orr Dunkelman and Nathan Keller presents a linear cryptanalysis attack that breaks 10 of 32 rounds of Serpent-128 with 2118 known plaintexts and 289 time, and 11 rounds of Serpent-192/256 with 2118 known plaintexts and 2187 time.[11]
A 2009 paper has noticed that the nonlinear order of Serpent S-boxes were not 3 as was claimed by the designers. Specifically, four elements had order 2.[8]
A 2011 attack by Hongjun Wu, Huaxiong Wang and Phuong Ha Nguyen, also using linear cryptanalysis, breaks 11 rounds of Serpent-128 with 2116 known plaintexts, 2107.5 time and 2104 memory.[1]
The same paper also describes two attacks which break 12 rounds of Serpent-256. The first requires 2118 known plaintexts, 2228.8 time and 2228 memory. The other attack requires 2116 known plaintexts and 2121 memory but also requires 2237.5 time.
↑ SERPENT – A Candidate Block Cipher for the Advanced Encryption Standard "Serpent is now completely in the public domain, and we impose no restrictions on its use. This was announced on the 21st August at the First AES Candidate Conference. The optimised implementations in the submission package are now under the General Public License (GPL), although some comments in the code still say otherwise. You are welcome to use Serpent for any application. If you do use it, we would appreciate it if you would let us know!" (1999)
The Advanced Encryption Standard (AES), also known by its original name Rijndael, is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001.
Blowfish is a symmetric-key block cipher, designed in 1993 by Bruce Schneier and included in many cipher suites and encryption products. Blowfish provides a good encryption rate in software, and no effective cryptanalysis of it has been found to date. However, the Advanced Encryption Standard (AES) now receives more attention, and Schneier recommends Twofish for modern applications.
In cryptography, a block cipher is a deterministic algorithm that operates on fixed-length groups of bits, called blocks. Block ciphers are the elementary building blocks of many cryptographic protocols. They are ubiquitous in the storage and exchange of data, where such data is secured and authenticated via encryption.
The Data Encryption Standard is a symmetric-key algorithm for the encryption of digital data. Although its short key length of 56 bits makes it too insecure for modern applications, it has been highly influential in the advancement of cryptography.
Differential cryptanalysis is a general form of cryptanalysis applicable primarily to block ciphers, but also to stream ciphers and cryptographic hash functions. In the broadest sense, it is the study of how differences in information input can affect the resultant difference at the output. In the case of a block cipher, it refers to a set of techniques for tracing differences through the network of transformation, discovering where the cipher exhibits non-random behavior, and exploiting such properties to recover the secret key.
In cryptography, the International Data Encryption Algorithm (IDEA), originally called Improved Proposed Encryption Standard (IPES), is a symmetric-key block cipher designed by James Massey of ETH Zurich and Xuejia Lai and was first described in 1991. The algorithm was intended as a replacement for the Data Encryption Standard (DES). IDEA is a minor revision of an earlier cipher, the Proposed Encryption Standard (PES).
In cryptography, linear cryptanalysis is a general form of cryptanalysis based on finding affine approximations to the action of a cipher. Attacks have been developed for block ciphers and stream ciphers. Linear cryptanalysis is one of the two most widely used attacks on block ciphers; the other being differential cryptanalysis.
In cryptography, an S-box (substitution-box) is a basic component of symmetric key algorithms which performs substitution. In block ciphers, they are typically used to obscure the relationship between the key and the ciphertext, thus ensuring Shannon's property of confusion. Mathematically, an S-box is a nonlinear vectorial Boolean function.
In cryptography, Lucifer was the name given to several of the earliest civilian block ciphers, developed by Horst Feistel and his colleagues at IBM. Lucifer was a direct precursor to the Data Encryption Standard. One version, alternatively named DTD-1, saw commercial use in the 1970s for electronic banking.
In cryptography, the Tiny Encryption Algorithm (TEA) is a block cipher notable for its simplicity of description and implementation, typically a few lines of code. It was designed by David Wheeler and Roger Needham of the Cambridge Computer Laboratory; it was first presented at the Fast Software Encryption workshop in Leuven in 1994, and first published in the proceedings of that workshop.
In cryptography, confusion and diffusion are two properties of the operation of a secure cipher identified by Claude Shannon in his 1945 classified report A Mathematical Theory of Cryptography. These properties, when present, work together to thwart the application of statistics and other methods of cryptanalysis.
In cryptography, DES-X is a variant on the DES symmetric-key block cipher intended to increase the complexity of a brute-force attack. The technique used to increase the complexity is called key whitening.
In cryptography, Khufu and Khafre are two block ciphers designed by Ralph Merkle in 1989 while working at Xerox's Palo Alto Research Center. Along with Snefru, a cryptographic hash function, the ciphers were named after the Egyptian Pharaohs Khufu, Khafre and Sneferu.
In cryptography, Madryga is a block cipher published in 1984 by W. E. Madryga. It was designed to be easy and efficient for implementation in software. Serious weaknesses have since been found in the algorithm, but it was one of the first encryption algorithms to make use of data-dependent rotations, later used in other ciphers, such as RC5 and RC6.
In cryptography, NewDES is a symmetric key block cipher. It was created in 1984–1985 by Robert Scott as a potential DES replacement.
In cryptography, ICE is a symmetric-key block cipher published by Matthew Kwan in 1997. The algorithm is similar in structure to DES, but with the addition of a key-dependent bit permutation in the round function. The key-dependent bit permutation is implemented efficiently in software. The ICE algorithm is not subject to patents, and the source code has been placed into the public domain.
Py is a stream cipher submitted to eSTREAM by Eli Biham and Jennifer Seberry. It is one of the fastest eSTREAM candidates at around 2.6 cycles per byte on some platforms. It has a structure a little like RC4, but adds an array of 260 32-bit words which are indexed using a permutation of bytes, and produces 64 bits in each round.
In cryptography, Q is a block cipher invented by Leslie McBride. It was submitted to the NESSIE project, but was not selected.
In cryptography, Hierocrypt-L1 and Hierocrypt-3 are block ciphers created by Toshiba in 2000. They were submitted to the NESSIE project, but were not selected. Both algorithms were among the cryptographic techniques recommended for Japanese government use by CRYPTREC in 2003, however, both have been dropped to "candidate" by CRYPTREC revision in 2013.
In cryptography, Twofish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits. It was one of the five finalists of the Advanced Encryption Standard contest, but it was not selected for standardization. Twofish is related to the earlier block cipher Blowfish.
This page is based on this Wikipedia article Text is available under the CC BY-SA 4.0 license; additional terms may apply. Images, videos and audio are available under their respective licenses.
