Serpent Holds the Key to Internet Security

The US National Institute for Standards and Technology has today announced the finalists in a competition for an encryption algorithm for the 21st century. One of the five finalists is Serpent, designed in an international collaborative effort by Ross Anderson at the Cambridge University Computer Laboratory, Eli Biham of the Computer Science Department at the Technion, Haifa, and Lars Knudsen of the Institutt for Informatikk at the University of Bergen, Norway.

At present, billions of pounds=D5 worth of electronic transactions are protected using the Data Encryption Standard (DES), which was developed in the 1970s. DES is no longer secure enough for important applications as the keys are too short and it is possible to break the cipher using just a few thousand personal computers for a few weeks. As computers become faster, attacks are becoming easier and more systems will be at risk of fraud. DES is currently used in a huge range of systems, including operating emergency traffic bollards, protecting electronic transactions between banks and authenticating cash machine transactions.

The US government began a competition several years ago to find a replacement for DES, to be called the Advanced Encryption Standard or AES. The first round had fifteen candidate algorithms, proposed by a range of computer companies and academic researchers. After a period in which the world's best code-breakers have been attacking the candidates, finding flaws in many of them, five remaining candidates now enter the second round. One of them is Serpent. Serpent has been designed to provide users with the highest possible level of assurance that no attack will be found and is aimed to protect information for a hundred years. As more and more business is done on the net, data encryption mechanisms will become more and more critical.

Serpent designer Ross Anderson said: `Encryption may well be one of the key enabling technologies for the information age. We are delighted that our algorithm, Serpent, has been chosen as a finalist in the competition to find the next generation encryption standard. We believe it is the most secure of all the candidates.'

Notes for Editors

• The final winner of the AES competition will be announced in the year 2000. For more information, see the AES home page.
• Serpent has been placed in the public domain, and the authors place no restrictions on its use. The name `Serpent' is a biblical reference (Amos 5.19). Ross Anderson and Eli Biham previously designed two ciphers called `Bear' and `Lion', whose significance was their contribution to cryptographic theory. The Serpent home page is here.
• Dr Ross Anderson leads the computer security research team at the Cambridge University Computer Laboratory. Dr Eli Biham is an associate professor at the Technion, Haifa, Israel while Dr Lars Knudsen is an associate professor at the University of Bergen, Norway.
• EU proposals to apply export licensing controls to intangible transfers of technology would, if implemented, mean that in future such international collaborations would require export licences, which would make them substantially more difficult. More on this subject here.
• The US government press release, which describes the AES competition as `the Olympics of Information Scrambling' can be found here.

For further information, please contact Ross Anderson.

(ends)