Serpent, AES Submission by Anderson, Biham, Knudsen

Cryptome DVDs. Donate $25 for two DVDs of the Cryptome collection of 47,000 files from June 1996 to January 2009 (~6.9 GB). Click Paypal or mail check/MO made out to John Young, 251 West 89th Street, New York, NY 10024. The collection includes all files of cryptome.org, cryptome.info, jya.com, cartome.org, eyeball-series.org and iraq-kill-maim.org, and 23,100 (updated) pages of counter-intelligence dossiers declassified by the US Army Information and Security Command, dating from 1945 to 1985.The DVDs will be sent anywhere worldwide without extra cost.

To: cypherpunks@cyberpass.net
Subject: AES Candidate: Serpent
Date: Mon, 15 Jun 1998 18:42:26 +0000
From: Markus Kuhn <Markus.Kuhn@cl.cam.ac.uk>

Ross Anderson, Eli Biham, and Lars Knudsen have designed the Serpent
algorithm as a contribution to the AES contest. The paper is available
on

  http://www.cl.cam.ac.uk/ftp/users/rja14/serpent.pdf

An Ada95 reference implementation can be downloaded from

  http://www.cl.cam.ac.uk/~mgk25/download/serpent-ada.tar.gz

and the full AES submission package with all the NIST required material
is available from

  http://www.cl.cam.ac.uk/ftp/users/rja14/serpent.tar.gz

Serpent is a very conservative design heavily based on the experience
with attacking DES in order to make an analysis and review easier.
Serpent has been especially designed to be implementable in the
bit-slice mode that was used in some of the recent DES key-searches.

In case you have seen the old Serpent paper submitted to the 1998 Fast
Software Encryption workshop (Bruce Schneier quoted that one in his
Twofish paper): The final version submitted to NIST has been slightly
modified. The final Serpent version is not using the DES s-boxes any more,
but newly generated ones for which the algorithm that generated them
has been published (to kill NSA DES backdoor theories and give better
safety margins against linear cryptanalysis). The final version also
replaced the interleaved s-box application in the key schedule by a
sequential one to reduce the gate count in hardware implementations.

Serpent uses 32-rounds for a very paranoid level of security, although
the authors consider a (twice as fast) 16 round version to be resistant
against all known attack techniques.

Happy cryptanalysing ...

Markus

-- 

Markus G. Kuhn, Security Group, Computer Lab, Cambridge University, UK
email: mkuhn at acm.org,  home page: <http://www.cl.cam.ac.uk/~mgk25/>