A Candidate Block Cipher for the Advanced Encryption Standard

Serpent is a 128-bit block cipher designed by Ross Anderson, Eli Biham and Lars Knudsen as a candidate for the Advanced Encryption Standard. It was a finalist in the AES competition. The winner, Rijndael, got 86 votes at the last AES conference while Serpent got 59 votes, Twofish 31 votes, RC6 23 votes and MARS 13 votes. So NIST's choice of Rijndael as the AES was not surprising, and we had to content ourselves with silver in the 'encryption olympics'. Serpent and Rijndael are somewhat similar; the main difference is that Rijndael is faster (having fewer rounds) but Serpent is more secure.

We designed Serpent to provide users with the highest practical level of assurance that no shortcut attack will be found. To achieve this, we limited ourselves to well understood mechanisms, so that we could rely on the existing experience of block cipher cryptanalysis. We also used twice as many rounds as are sufficient to block all currently known shortcut attacks. We believed this to be prudent practice for a cipher that might have a service life of a century or more.

Despite these exacting design constraints, Serpent is much faster than DES. Its design supports a very efficient bitslice implementation, and the fastest version at the time of the competition ran at over 45 Mbit/sec on a 200MHz Pentium (compared with about 15 Mbit/sec for DES).

You can download both documentation and code. The papers we offer are:

The following implementations can be downloaded:

Serpent is now completely in the public domain, and we impose no restrictions on its use. This was announced on the 21st August at the First AES Candidate Conference. The optimised implementations in the submission package are now under the General Public License (GPL), although some comments in the code still say otherwise. You are welcome to use Serpent for any application. If you do use it, we would appreciate it if you would let us know!

A paper by Courtois and Pieprzyk claimed an attack on Serpent (and on Rijndael), for which they got some publicity. They toned down their claims here. However, see the comments on their alleged attack by Coppersmith and Moh.

The GNU project has issued OIDs for Serpent; they are maintained here.

Eli Biham's Serpent Page has some further test vectors in the NESSIE format.