The Case for Serpent

Ross Anderson, Eli Biham and Lars Knudsen

24th March 2000

Summary

Serpent should be chosen because it is the most secure of the AES finalists. Not only does it have an ample safety margin, but its simple structure lets us be confident that none of the currently known attacks will work against it. It is also simple to check that an implementation is correct. Although Serpent is not as fast as the other finalists on the 200 MHz Pentium machine used for round 1 benchmarking, this disadvantage largely disappears when we consider the likely platforms and applications of the 21st century. In hardware, for example, Serpent has easily the best performance, while on IA64 it is second.

1 Security

The most important requirement is stated succinctly in the AES announcement [7]: 'The security provided by an algorithm is the most important factor in the evaluation.'

From the day in September 1997 when we started designing Serpent, we asked ourselves what protection requirements we were trying to meet. We concluded that the AES needed to last for a useful service lifetime plus a human lifetime after that. That means at least a century. So we like the AES motto of a 'crypto algorithm for the twenty-first century'. Also, if Moore's Law runs out sometime this century, then the AES might never be replaced. So the selectors should consider how their choice will look in the twenty-second century and beyond.

1.1 Advances in mathematics

An algorithm may break if someone comes up with a powerful new theory. We do not believe that the history of cryptanalysis is over. Although we have no real idea what the next hundred (or five hundred) years of mathematics will bring, there are three things we can do to future-proof a design.

First, a block cipher should be simple and easy to analyse. The DES algorithm had such a complex description that until the late 1980s no-one appears to have tried seriously to attack it. When they did, differential [5] and then linear [9] attacks were found, both of which can now be explained to bright students in a single 50-minute lecture.

Second, a block cipher should have more rounds than are needed to block today's attacks. Improvements in cryptanalysis usually extend the number of rounds an attack can reach, so the number of rounds required for security tends to rise over time.
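The differential and linear attacks mentioned above both begin with a per-S-box table: the difference distribution table (DDT), whose entries give the probability that an input XOR difference becomes a given output difference, and the linear approximation table (LAT), whose entries give the bias of each linear relation between input and output bits. The following Python, added here as an illustration and not part of the original paper, computes both tables for a 4-bit S-box. The S-box constant is Serpent's S0 as transcribed from the Serpent specification; check it against the published table before relying on it, and note that any 4-bit bijection can be substituted.

```python
"""Difference distribution table (DDT) and linear approximation table (LAT)
for a 4-bit S-box.  A DDT entry n means the input difference a maps to the
output difference b with probability n/16; a LAT entry is the number of
inputs agreeing with the linear relation (a.x = b.S(x)) minus 8, so the
bias of that relation is entry/16.
"""
from itertools import product

# Serpent S-box S0, transcribed from the Serpent specification (assumption:
# verify against the published table).  Any 4-bit bijection can be used.
S0 = [3, 8, 15, 1, 10, 6, 5, 11, 14, 13, 4, 2, 7, 0, 9, 12]

N = 16  # number of inputs of a 4-bit S-box


def parity(v: int) -> int:
    """XOR of all bits of v (0 or 1)."""
    return bin(v).count("1") & 1


def is_bijection(sbox) -> bool:
    """True if the table is a permutation of 0..N-1."""
    return sorted(sbox) == list(range(N))


def ddt(sbox):
    """ddt[a][b] = number of x with sbox[x] ^ sbox[x ^ a] == b."""
    table = [[0] * N for _ in range(N)]
    for a, x in product(range(N), repeat=2):
        table[a][sbox[x] ^ sbox[x ^ a]] += 1
    return table


def lat(sbox):
    """lat[a][b] = #{x : parity(a & x) == parity(b & sbox[x])} - N/2."""
    table = [[0] * N for _ in range(N)]
    for a, b in product(range(N), repeat=2):
        agree = sum(parity(a & x) == parity(b & sbox[x]) for x in range(N))
        table[a][b] = agree - N // 2
    return table


def max_differential_probability(sbox) -> float:
    """Largest DDT entry over non-zero input differences, as a probability.
    The a == 0 row is excluded: it trivially maps to b == 0 with probability 1."""
    t = ddt(sbox)
    return max(t[a][b] for a in range(1, N) for b in range(N)) / N


def max_linear_bias(sbox) -> float:
    """Largest |bias| over all mask pairs except the trivial (0, 0)."""
    t = lat(sbox)
    return max(abs(t[a][b]) for a in range(N) for b in range(N)
               if (a, b) != (0, 0)) / N


def characteristic_probability(per_round_probs) -> float:
    """Probability of a multi-round characteristic built by chaining one
    S-box transition per round, under the usual independence heuristic."""
    p = 1.0
    for q in per_round_probs:
        p *= q
    return p


if __name__ == "__main__":
    assert is_bijection(S0)
    p = max_differential_probability(S0)
    e = max_linear_bias(S0)
    print("max differential probability of S0:", p)
    print("max linear bias of S0:", e)
    # Chaining the best single-round transition through r rounds shrinks
    # the characteristic's probability geometrically in r, which is why a
    # larger round count buys a safety margin against these attacks.
    for r in (4, 8, 16, 32):
        print(r, "rounds (best-case chain):", characteristic_probability([p] * r))
```

The last loop shows the point made in the text about rounds: even an attacker who can chain the best single-round transition through every round sees the characteristic's probability fall geometrically with the round count, so doubling the rounds roughly squares the data an attacker needs.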