Serpent reference implementation

Serpent is a new block cipher designed by Eli Biham, Ross Anderson and Lars Knudsen as a candidate for the Advanced Encryption Standard, the planned replacement for DES.

While the cipher was being developed, I wrote a reference implementation of it; first in Python, to get it right, then in C, for the benefit of the majority of programmers not familiar with Python. Later, NIST specified an API for the AES candidates, so I rewrote the C reference version to comply with that. Meanwhile, the algorithm itself was improved by, among other things, the adoption of new S-boxes: the old version (Python, C), now obsolete, was renamed Serpent-0, to keep the official name of Serpent for the final version that was shipped to NIST. The final submission, which I helped put together, contains my new C reference version but not my new Python version. (The listing of the final C version is not browsable online because it's a multi-file affair with a makefile and all that: get the whole submission if you're interested, where you will also find optimised C and Java versions coded by Eli Biham, as well as documentation and lots of test vectors.)

All versions were written for the human reader more than for the machine and as such were optimised for clarity rather than for speed. The story, including an explanation of why it was a jolly good idea to write Serpent in Python to begin with (besides the fact that snakes of all denominations go well together) was presented at the 7th international Python conference. The colour poster was designed for A1 paper, but the A4 version available here, despite being 8 times smaller, will still print reasonably well on a 600 dpi black and white laser. You can also view the abstract (or PDF) that appeared in the proceedings of the conference.

As an aid to other implementers of Serpent, the code has extensive facilities for selectively displaying the intermediate results of all the calculations. With notations corresponding to those used in the paper, you can select which observer tags to turn on in order to print out the corresponding results at each round. This can be very useful while debugging a new implementation.

The Python reference version implements both the traditional algorithm and its bitslice variant. It can thus be used to inspect the intermediate results for either. The C reference version only implements the traditional algorithm.

Back to Frank Stajano's home page

CSS Valid HTML 4.0! validated (recheck) Python powered