Talk:Serpent (cipher)

Cryptanalysis
Does anyone know of any current cryptanalysis for Serpent?

I came across this white paper Preliminary Cryptanalysis of Reduced-Round Serpent stating something about "...recover the key for Serpent up to nine rounds." and "...how to break six rounds of Serpent..." Zer0Nin3r (talk) 10:43, 9 June 2008 (UTC)

This should go in the article, but I believe the best current known attack against Serpent is for an 11-round reduced variant, see: (The full version has 32 rounds...) &mdash; Matt Crypto 11:34, 9 June 2008 (UTC)

Actually, there are now two separate sets of claimed attacks against 12 round Serpent (distinguished by the linear approximations they use) - and even at the time of your post there was a better attack on 11-round Serpent than the FSE 2003 paper.

The best attack so far is described in "Improving the Algorithm 2 in Multidimensional Linear Cryptanalysis" (Huaxiong Wang et al, ACISP 2011) using linear approximations which build on the ones in:

(see also their description of the linear approximations used at http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.95.522&rep=rep1&type=pdf)

Collard et al's paper contained an attack on 11-round Serpent (albeit with worse complexity than that claimed for the FSE 2003 attack). Their subsequent work ("Improving the Time Complexity of Matsui’s Linear Cryptanalysis" (ICISC 2007)) improved the complexity of this attack to achieve the best attack on 11-round Serpent at the time. Wang et al built on this to achieve an attack on 12-round Serpent and improved attacks on 11-round. (This was explicitly stated to outperform the attack on 12-round Serpent published in 2008 by Dunkelman, Indesteege and Keller).

So we have two classes of attacks - those based on Collard et al's linear approximations, and those based on Dunkelman, Keller et al's. Now, this is where things are going to get controversial. Bihan, Dunkelman and Keller presented a linear attack on 11-round Serpent in "Linear Cryptanalysis of Reduced Round Serpent" (FSE 2001), before improving on that in the FSE 2003 paper you cite above, and in 2008 Dunkelman, Indesteege and Keller published the first attack on 12-round Serpent in "A Differential-Linear Attack on 12-Round Serpent" (Indocrypt 2008). However, I believe that all three of these papers contain errors in their descriptions of the approximations contained therein.

In the FSE 2001 paper, after S6 is applied, bit 30 becomes active. After the diffusion layer, bits 101, 103 and 80 are supposed to become active. But none of these diffusion layer output bits are supposed to be affected by input bit 30. Moreover, the number of bits that would have to have been active in the previous round for them to be the xor of said bits is too high for this just to be a typo.

In the FSE 2003 paper and the Indocrypt 2008 paper, that's bit 28 instead of bit 30, but everything else I've said above still applies.

I doubt that anyone reading this has time to check this for themselves - the Serpent diffusion layer is a bit confusing - but if anyone does I'd love to hear from them. Anyway, with the improved attacks based on Collard et al's linear approximations claiming the best complexity so far, it's a bit of a moot point. 144.32.170.32 (talk) 22:04, 2 September 2011 (UTC)

*********************************

THE NEW YORK TIMES The article from the Times in "External References" can only be read by "logging in". Should this be deleted? What is the policy for restricted references? — Preceding unsigned comment added by 68.56.74.5 (talk) 03:39, 5 April 2012 (UTC)

Security of Serpent
The statement that Serpent is *more secure* than Rijndael is a bit too strong, especially without a formal definition of security. The NIST evaluation papers, as well as Ross Anderson himself in his book speak of Serpent having "a higher security margin", which roughly means that it is less likely to be broken. —Preceding unsigned comment added by 79.17.131.38 (talk) 17:54, 23 November 2008 (UTC)

Roughly speaking, the strength of the cipher in resisting differential and linear attacks is estimated by the propagating ratio (prop-ration) and input-output correlation receptively. The values of both factors is calculated for only one round and multiplied in the number of rounds. As the Serpent has 32 rounds against 14 rounds(max) in the case of the AES, it ca be concluded that the Serpent cipher demonstrates better resistance to differential and linear attacks.

Speed of execution
In the article it is stated that Rijndael is faster than Serpent because of the number of rounds used in Rijndael. Here http://www.cl.cam.ac.uk/~rja14/Papers/serpentcase.pdf, Page 3 is is stated that Serpent is much faster when implmented in Hardware. If nobody has contradictory information, I'll change that part of the comparison. -- uhu01

is this a SPN?
according to the Substitution–permutation network article, the P in SPN means a simple reshuffling of bits. in serpent, the linear mixing is more complex. in this sense, rijndael is also a SPN. Krisztián Pintér (talk) 11:20, 3 December 2015 (UTC)