Serpent: A Proposal for the
Advanced Encryption Standard
Ross Anderson
1
Eli Biham
2
Lars Knudsen
3
1
Cambridge University, England; email rja14@cl.cam.ac.uk
2
Technion, Haifa, Israel; email biham@cs.technion.ac.il
3
University of Bergen, Norway; email lars.knudsen@ii.uib.no
Abstract. We propose a new block cipher as a candidate for the Ad-
vanced Encryption Standard. Its design is highly conservative, yet still
allows a very efficient implementation. It uses S-boxes similar to those
of DES in a new structure that simultaneously allows a more rapid
avalanche, a more efficient bitslice implementation, and an easy anal-
ysis that enables us to demonstrate its security against all known types
of attack. With a 128-bit block size and a 256-bit key, it is as fast as DES
on the market leading Intel Pentium/MMX platforms (and at least as
fast on many others); yet we believe it to be more secure than three-key
triple-DES.
1 Introduction
For many applications, the Data Encryption Standard algorithm is nearing the
end of its useful life. Its 56-bit key is too small, as shown by a recent distributed
key search exercise [28]. Although triple-DES can solve the key length problem,
the DES algorithm was also designed primarily for hardware encryption, yet the
great majority of applications that use it today implement it in software, where
it is relatively inefficient.
For these reasons, the US National Institute of Standards and Technology
has issued a call for a successor algorithm, to be called the Advanced Encryption
Standard or AES. The essential requirement is that AES should be both faster
than triple DES and at least as secure: it should have a 128 bit block length and
a 256 bit key length (though keys of 128 and 192 bits must also be supported).
In this paper, we present a candidate for AES. Our design philosophy has
been highly conservative; we did not feel it appropriate to use novel and untested
ideas in a cipher which, if accepted after a short review period, will be used to
protect enormous volumes of financial transactions, health records and govern-
ment information over a period of decades.
We initially decided to use the S-boxes from DES, which have been studied
intensely for many years and whose properties are thus well understood, in a new
structure optimized for efficient implementation on modern processors while si-
multaneously allowing us to apply the extensive analysis already done on DES.
The resulting design gave an algorithm (to which we will refer as Serpent-0) that