Serpent: A New Block Cipher Proposal

  • Eli Biham
  • Ross Anderson
  • Lars Knudsen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1372)


We propose a new block cipher as a candidate for the Advan- ced Encryption Standard. Its design is highly conservative, yet still allows a very efficient implementation. It uses the well-understood DES S-boxes in a new structure that simultaneously allows a more rapid avalanche, a more efficient bitslice implementation, and an easy analysis that enables us to demonstrate its security against all known types of attack. With a 128-bit block size and a 256-bit key, it is almost as fast as DES on a wide range of platforms, yet conjectured to be at least as secure as three-key triple-DES.


Block Cipher Advance Encryption Standard Linear Cryptanalysis Dictionary Attack Collision Attack 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    DG Abraham, GM Dolan, GP Double, JV Stevens, “Transaction Security System”, in IBM Systems Journal v 30 no 2 (1991) pp 206–229CrossRefGoogle Scholar
  2. 2.
    RJ Anderson, MG Kuhn, “Tamper Resistance — a Cautionary Note”, in The Second USENIX Workshop on Electronic Commerce Proceedings (Nov 1996) pp 1–11Google Scholar
  3. 3.
    RJ Anderson, MG Kuhn, “Low Cost Attacks on Tamper Resistant Devices”, to appear in proceedings of Security Protocols 97Google Scholar
  4. 4.
    E Biham, ‘Higher Order Differential Cryptanalysis’, unpublished paper, 1994Google Scholar
  5. 5.
    E Biham, How to Forge DES-Encrypted Messages in 228 Steps, Technical Report CS884, Technion, August 1996Google Scholar
  6. 6.
    E Biham, A Biryukov, “An Improvement of Davies’ Attack on DES”, in Journal of Cryptology v 10 no 3 (Summer 97) pp 195–205Google Scholar
  7. 7.
    E Biham, A Shamir, ‘Differential Cryptanalysis of the Data Encryption Standard’ (Springer 1993)Google Scholar
  8. 8.
    E Biham, “New Types of Cryptanalytic Attacks Using Related Keys”, in Journal of Cryptology v 7 (1994) no 4 pp 229–246zbMATHCrossRefGoogle Scholar
  9. 9.
    E Biham, “A Fast New DES Implementation in Software”, in Fast Software Encryption — 4th International Workshop, FSE’ 97, Springer LNCS v 1267 pp 260–271CrossRefGoogle Scholar
  10. 10.
    E Biham, A Shamir, “Differential Fault Analysis of Secret Key Cryptosystems”, in Advances in Cryptology — Crypto 97, Springer LNCS v 1294 pp 513–525CrossRefGoogle Scholar
  11. 11.
    D Boneh, RA DeMillo, RJ Lipton, “On the Importance of Checking Cryptographic Protocols for Faults”, in Advances in Cryptology — Eurocrypt 97, Springer LNCS v 1233 pp 37–51Google Scholar
  12. 12.
    DW Davies, ‘Investigation of a Potential Weakness in the DES Algorithm’, private communication (1987)Google Scholar
  13. 13.
    D Davies, Murphy, “Pairs and Triplets of DES S Boxes”, in Journal of Cryptology v 8 no 1 (1995) pp 1–25zbMATHCrossRefGoogle Scholar
  14. 14.
    C Harpes, JL Massey, “Partitioning Cryptanalysis”, in Fast Software Encryption — 4th International Workshop, FSE’ 97, Springer LNCS v 1267 pp 13–27CrossRefGoogle Scholar
  15. 15.
    J Kelsey, B Schneier, D Wagner, “Key-Schedule Cryptanalysis of IDEA, GDES, GOST, SAFER and Triple-DES”, in Advances in Cryptology — Crypto 96, Springer LNCS v 1109 pp 237–251Google Scholar
  16. 16.
    LR Knudsen, “Cyptanalysis of LOKI91”, in Advances in Cryptology — Auscrypt’92 Springer LNCSGoogle Scholar
  17. 17.
    LR Knudsen, “Truncated and Higher-Order Differentials”, in Fast Software Encryption — 2nd International Workshop, FSE’ 94, Springer LNCS v 1008 pp 196–211Google Scholar
  18. 18.
    L.R. Knudsen, Block Ciphers — Analysis, Design and Applications, Ph.D. Thesis, Aarhus University, Denmark, 1994.Google Scholar
  19. 19.
    X.J. Lai, ‘Higher Order Derivative and Differential Cryptanalysis’, in Communication and Cryptography, Two Sides of one tapestry, R. Blahut (editor), Kluwer Academic Publishers, 1994 communication, September 30, 1993.Google Scholar
  20. 20.
    M Matsui, “Linear Cryptanalysis Method for DES Cipher”, in Advances in Cryptology — Eurocrypt 93, Springer LNCS v 765 pp 386–397Google Scholar
  21. 21.
    RSA Data Security Inc.,
  22. 22.
    S Vaudenay, “An Experiment on DES Statistical Cryptanalysis”, in 3rd ACM Conference on Computer and Communications Security, March 14–16, 96, New Delhi, India; proceedings published by ACM pp 139–147Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 1998

Authors and Affiliations

  • Eli Biham
    • 1
  • Ross Anderson
    • 2
  • Lars Knudsen
    • 3
  1. 1.TechnionHaifaIsrael
  2. 2.Cambridge UniversityEngland
  3. 3.University of BergenNorway

Personalised recommendations