Differential-Linear Cryptanalysis of Serpent
Serpent is a 128-bit SP-Network block cipher consisting of 32 rounds with variable key length (up to 256 bits long). It was selected as one of the 5 AES finalists. The best known attack so far is a linear attack on an 11-round reduced variant.
In this paper we apply the enhanced differential-linear cryptanalysis to Serpent. The resulting attack is the best known attack on 11-round Serpent. It requires 2^{125.3} chosen plaintexts and has time complexity of 2^{139.2}. We also present the first known attack on 10-round 128-bit key Serpent. These attacks demonstrate the strength of the enhanced differential-linear cryptanalysis technique.
Keywords: Time Complexity, Block Cipher, Advanced Encryption Standard, Linear Cryptanalysis, Linear Attack