We designed Serpent to provide users with the highest practical level of assurance that no shortcut attack will be found. To achieve this, we limited ourselves to well understood mechanisms, so that we could rely on the existing experience of block cipher cryptanalysis. We also used twice as many rounds as are sufficient to block all currently known shortcut attacks. We believed this to be prudent practice for a cipher that might have a service life of a century or more.
Despite these exacting design constraints, Serpent is much faster than DES. Its design supports a very efficient bitslice implementation, and the fastest version at the time of the competition ran at over 45 Mbit/sec on a 200MHz Pentium (compared with about 15 Mbit/sec for DES).
You can download both documentation and code. The papers we offer are:
The following implementations can be downloaded:
Serpent is now completely in the public domain, and we impose no restrictions on its use. This was announced on the 21st August at the First AES Candidate Conference. The optimised implementations in the submission package are now under the General Public License (GPL), although some comments in the code still say otherwise. You are welcome to use Serpent for any application. If you do use it, we would appreciate it if you would let us know!
A paper by Courtois and Pieprzyk claimed an attack on Serpent (and on Rijndael), for which they got some publicity. They toned down their claims here. However, see the comments on their alleged attack by Coppersmith and Moh.
The GNU project has issued OIDs for Serpent; they are maintained here.
Eli Biham's Serpent Page has some further test vectors in the NESSIE format.