permutation to simplify an optimized implementation. The round function in
Rijndael consists of three parts: a nonlinear layer, a linear mixing layer, and a key-mixing XOR layer. The round function in Serpent consists of key-mixing XOR, thirty-two parallel applications of the same 4×4 S-box, and a linear transformation, except in the last round, wherein another key-mixing XOR replaces the linear transformation. The nonlinear layer in Rijndael uses an 8×8 S-box whereas Serpent uses eight different 4×4 S-boxes. The 32 rounds mean that Serpent has a higher security margin than Rijndael; however, Rijndael with 10 rounds is faster and easier to implement for small blocks. Hence, Rijndael was selected as the winner in the AES competition.
2019:"Serpent is now completely in the public domain, and we impose no restrictions on its use. This was announced on the 21st August at the First AES Candidate Conference. The optimised implementations in the submission package are now under the General Public License (GPL), although some comments in the code still say otherwise. You are welcome to use Serpent for any application. If you do use it, we would appreciate it if you would let us know!"
227:
Serpent took a conservative approach to security, opting for a large security margin: the designers deemed 16 rounds to be sufficient against known types of attack but specified 32 rounds as insurance against future discoveries in cryptanalysis. The official NIST report on AES competition classified
264:
The
Serpent key schedule consists of 3 main stages. In the first stage the key is initialized by adding padding if necessary. This is done in order to make short keys map to long keys of 256-bits, one "1" bit is appended to the end of the short key followed by "0" bits until the short key is mapped
236:
and in contrast to the adequate security margin of RC6 and
Rijndael (currently AES). In final voting, Serpent had the fewest negative votes among the finalists but ranked in second place overall because Rijndael had substantially more positive votes, the deciding factor being that Rijndael allowed
1701:
is a substitution-linear transformation network with ten, twelve, or fourteen rounds, depending on the key size, and with key sizes of 128 bits, 192 bits, or 256 bits, independently specified. Serpent is a substitution–permutation network which has thirty-two rounds, plus an initial and a final
140:
All publicly known attacks are computationally infeasible, and none of them affect the full 32-round
Serpent. A 2011 attack breaks 11 round Serpent (all key sizes) with 2 known plaintexts, 2 time and 2 memory (as described in). The same paper also describes two attacks which break 12 rounds of
1128:
s-boxes. These were transformed by swapping entries, resulting arrays with desired properties were stored as the
Serpent s-boxes. This process was repeated until a total of 8 s-boxes were found. The following key was used in this process:
1777:
The same paper also describes two attacks which break 12 rounds of
Serpent-256. The first requires 2 known plaintexts, 2 time and 2 memory. The other attack requires 2 known plaintexts and 2 memory but also requires 2 time.
256:. There are no restrictions or encumbrances regarding its use. As a result, anyone is free to incorporate Serpent in their software (or in hardware implementations) without paying license fees.
1120:
the nonlinear order of the output bits as function of the input bits is 3. However there have been output bits found which in function of the input bits have an order of only 2.
1774:
A 2011 attack by
Hongjun Wu, Huaxiong Wang and Phuong Ha Nguyen, also using linear cryptanalysis, breaks 11 rounds of Serpent-128 with 2 known plaintexts, 2 time and 2 memory.
1714:, but a somewhat tweaked version, Serpent-1, was submitted to the AES competition. The AES submission paper discusses the changes, which include key-scheduling differences.
3632:
3462:
141:
Serpent-256. The first requires 2 known plaintexts, 2 time and 2 memory. The other attack requires 2 known plaintexts and 2 memory but also requires 2 time.
1768:
attack that breaks 10 of 32 rounds of
Serpent-128 with 2 known plaintexts and 2 time, and 11 rounds of Serpent-192/256 with 2 known plaintexts and 2 time.
1771:
A 2009 paper noticed that the nonlinear order of the
Serpent S-boxes was not 3, as was claimed by the designers. Specifically, four elements had order 2.
1812:
1115:
linear characteristics have a probability between 1:2 and 1:4, linear relationship between input and output bits has a probability between 1:2 and 1:8.
3315:
3250:
2331:
1959:
1110:
a 1-bit input difference will never lead to a 1-bit output difference, a differential characteristic has a probability of 1:4 or less.
290:
At the end the round key or "subkey" are placed in the "initial permutation IP" to place the key bits in the correct column.
287:
Finally the "subkeys" are derived from the previously generated "prekeys". This results in a total of 33 128-bit "subkeys".
3230:
3204:
3072:
2968:
197:
158:
115:
2078:
Bruce Schneier; John Kelsey; Doug Whiting; David Wagner; Chris Hall; Niels Ferguson; Tadayoshi Kohno; Mike Stay (2000).
1302:
Consists of XOR, S-Box, bit shift left and bit rotate left operations. These operations are performed on 4 32-bit words.
3045:
3308:
1738:
believe that once implementation considerations are taken into account the XSL attack would be more expensive than a
3214:
2324:
3093:
3511:
3271:
268:
In the next phase, the "prekeys" are derived using the previously initialized key. 32-bit key parts XORed, the
2004:
Serpent Holds the Key to Internet Security – Finalists in world-wide encryption competition announced
1869:
Nechvatal, J.; Barker, E.; Bassham, L.; Burr, W.; Dworkin, M.; Foti, J.; Roback, E. (May 2001).
3680:
3348:
3276:
3152:
3147:
3099:
2176:
284:
and round index were added to achieve an even distribution of the keys bits during the rounds.
208:
32 times in parallel. Serpent was designed so that all operations can be executed in
1822:. Lecture Notes in Computer Science. Vol. 6812. ACISP 2011. pp. 61–74.
2171:& Nathan Keller (2001). "Linear Cryptanalysis of Reduced Round Serpent".
1726:, if effective, would weaken Serpent (though not as much as it would weaken
2223:"Cryptography – 256 bit ciphers: Reference (AES submission) implementation"
1912:
277:
273:
174:
154:
80:
52:
2037:
3566:
2732:
2727:
2611:
1886:
1875:
Journal of Research of the National Institute of Standards and Technology
1810:
1103:
23:
2130:
2016:
SERPENT – A Candidate Block Cipher for the Advanced Encryption Standard
1956:"Serpent: A Candidate Block Cipher for the Advanced Encryption Standard"
3526:
3496:
3491:
3452:
3164:
2882:
2822:
2706:
2701:
2646:
2516:
2379:
2039:
1870:
1723:
1146:
The initial permutation works on 128 bits at a time moving bits around.
1710:
The original Serpent, Serpent-0, was presented at the 5th workshop on
1124:
The Serpent s-boxes have been constructed based on the 32 rows of the
3516:
2897:
2892:
2782:
2696:
2591:
2571:
2166:
1871:"Report on the development of the Advanced Encryption Standard (AES)"
1757:
1224:
The final permutation works on 128 bits at a time moving bits around.
213:
170:
48:
1813:"Improving the Algorithm 2 in Multidimensional Linear Cryptanalysis"
3561:
3521:
3235:
3199:
2993:
2656:
2531:
2511:
2423:
1727:
1698:
276:
and the round index is XORed with the key parts, the result of the
245:
189:
162:
92:
216:. This maximizes parallelism but also allows use of the extensive
2131:
Tadayoshi Kohno; John Kelsey & Bruce Schneier (2000).
1868:
2912:
2827:
2448:
2443:
1811:
Huaxiong Wang, Hongjun Wu & Phuong Ha Nguyen (2011).
253:
2038:
Bhupendra Singh; Lexy Alexander; Sanjay Burman (2009).
#define ROTL(A, n) (((A) << (n)) | ((A) >> (32 - (n))))
3463:
Cryptographically secure pseudorandom number generator
2339:
2301:
2220:
2133:"Preliminary Cryptanalysis of Reduced-Round Serpent"
2079:"The Twofish Team's Final Comments on AES Selection"
2298:– SERPENT Reference implementation and derived code
1136:
2253:"In Pellicano Case, Lessons in Wiretapping Skills"
2221:Anderson, Ross; Biham, Eli; Knudsen, Lars (1998).
237:for a far more efficient software implementation.
204:. Each round applies one of eight 4-bit to 4-bit
3672:
1950:
2232:"Serpent – A New Block Cipher Proposal for AES"
252:, and the optimized code is licensed under the
2270:. University of Cambridge Computer Laboratory.
228:Serpent as having a high security margin like
3309:
2325:
1297:
2033:
2031:
2029:
2027:
1806:
1804:
1745:In 2000, a paper by Kohno et al. presents a
2160:
2040:"On Algebraic Relations of Serpent S-boxes"
1960:University of Cambridge Computer Laboratory
1141:
1106:, and subject to the following properties:
3316:
3302:
2332:
2318:
2288:
2250:
1705:
159:Advanced Encryption Standard (AES) contest
2180:
2024:
1902:
1801:
1749:against 6 of 32 rounds of Serpent and an
1219:
280:operation is rotated to left by 11. The
2265:
1693:
303:// fractional part of the golden ratio
240:The Serpent cipher algorithm is in the
3673:
293:
3297:
2313:
1946:
1944:
1942:
1940:
1938:
1936:
1864:
1862:
200:operating on a block of four 32-bit
2266:Stajano, Frank (10 February 2006).
1790:– hash function by the same authors
1753:against 9 of 32 rounds in Serpent.
13:
2268:"Serpent reference implementation"
2251:Halbfinger, David M (5 May 2008).
2214:
22:
14:
3697:
2275:
2229:
1933:
1859:
3651:
3650:
3323:
1820:Information Security and Privacy
1137:Permutations and Transformations
198:substitution–permutation network
116:Substitution–permutation network
2124:
573:/* key schedule: get subkeys */
351:/* key schedule: get prekeys */
259:
161:, in which it ranked second to
3512:Information-theoretic security
2070:
2009:
1997:
1973:
1919:
1102:The Serpent s-boxes are 4-bit
192:of 128, 192, or 256 bits. The
1:
1764:and Nathan Keller presents a
272:which is the fraction of the
30:Serpent's linear mixing stage
1794:
300:#define FRAC 0x9e3779b9
7:
3628:Message authentication code
3583:Cryptographic hash function
3396:Cryptographic hash function
1828:10.1007/978-3-642-22497-3_5
1781:
1717:
188:of 128 bits and supports a
184:submissions, Serpent has a
157:that was a finalist in the
10:
3702:
3507:Harvest now, decrypt later
1751:amplified boomerang attack
1298:Linear transformation (LT)
1097:
165:. Serpent was designed by
3646:
3623:Post-quantum cryptography
3575:
3331:
3293:
3259:
3223:
3215:Time/memory/data tradeoff
3012:
2931:
2477:
2404:
2352:
2309:
2305:
1747:meet-in-the-middle attack
139:
131:
121:
111:
101:
91:
86:
76:
66:
58:
40:
35:
21:
3613:Quantum key distribution
3603:Authenticated encryption
3458:Random number generation
3003:Whitening transformation
1712:Fast Software Encryption
1304:
1226:
1148:
1142:Initial permutation (IP)
297:
248:. The reference code is
3608:Public-key cryptography
3598:Symmetric-key algorithm
3401:Key derivation function
3361:Cryptographic primitive
3354:Authentication protocol
3344:Outline of cryptography
3339:History of cryptography
2974:Confusion and diffusion
1706:Serpent-0 vs. Serpent-1
318:// key provided by user
3349:Cryptographic protocol
2198:Cite journal requires
2148:Cite journal requires
2112:Cite journal requires
2058:Cite journal requires
1220:Final permutation (FP)
265:to a long key length.
250:public domain software
27:
3502:End-to-end encryption
3448:Cryptojacking malware
3267:Initialization vector
26:
3618:Quantum cryptography
3542:Trusted timestamping
3046:3-subset MITM attack
2662:Intel Cascade Cipher
2642:Hasty Pudding cipher
1887:10.6028/jres.106.023
1766:linear cryptanalysis
1694:Rijndael vs. Serpent
97:128, 192 or 256 bits
3381:Cryptographic nonce
3085:Differential-linear
1954:(23 October 2006).
1927:"Serpent Home Page"
294:Key Schedule in C++
18:
3487:Subliminal channel
3471:Pseudorandom noise
3418:Key (cryptography)
3158:Differential-fault
2376:internal mechanics
2258:The New York Times
1740:brute force attack
1131:"sboxesforserpent"
220:work performed on
28:
16:
3668:
3667:
3664:
3663:
3547:Key-based routing
3537:Trapdoor function
3408:Digital signature
3289:
3288:
3285:
3284:
3272:Mode of operation
2949:Lai–Massey scheme
2091:on 2 January 2010
1837:978-3-642-22496-6
1756:A 2001 attack by
1734:). However, many
244:and has not been
145:
144:
3693:
3654:
3653:
3482:Insecure channel
3318:
3311:
3304:
3295:
3294:
3143:Power-monitoring
2984:Avalanche effect
2692:Khufu and Khafre
2345:security summary
2334:
2327:
2320:
2311:
2310:
2307:
2306:
2303:
2302:
2292:
2287:
2286:
2284:Official website
2271:
2262:
2247:
2245:
2243:
2234:. Archived from
2084:. Archived from
1952:Ross J. Anderson
1847:on 14 April 2017
1846:
1840:. Archived from
2296:256 bit ciphers
2282:
2281:
2278:
2241:
2239:
2238:on 17 June 2014
2217:
2215:Further reading
1730:, which became
59:First published
2276:External links
2274:
2273:
2272:
2263:
2248:
2227:
2216:
2213:
2210:
2209:
2200:|journal=
2182:10.1.1.78.6148
2159:
2150:|journal=
2123:
2114:|journal=
2069:
2060:|journal=
2023:
2008:
1996:
1972:
1932:
1918:
1881:(3): 511–577.
196:is a 32-round
2169:Orr Dunkelman
1981:"serpent.pdf"
1762:Orr Dunkelman
1759:
1754:
1752:
1748:
1743:
1741:
1737:
1736:cryptanalysts
1733:
1729:
1725:
1715:
1713:
1703:
1700:
1303:
1225:
1147:
1134:
1127:
1119:
1118:
1114:
1113:
1109:
1108:
1107:
1105:
291:
288:
285:
283:
279:
275:
271:
266:
257:
255:
251:
247:
243:
242:public domain
238:
235:
231:
225:
223:
219:
218:cryptanalysis
215:
211:
207:
203:
199:
195:
191:
187:
183:
178:
176:
172:
168:
167:Ross Anderson
164:
160:
156:
153:
152:symmetric key
149:
138:
135:
134:cryptanalysis
130:
126:
124:
120:
117:
114:
110:
106:
104:
100:
96:
94:
90:
87:Cipher detail
85:
82:
79:
77:Certification
75:
72:
69:
65:
61:
57:
54:
50:
46:
45:Ross Anderson
43:
39:
34:
25:
20:
3686:Free ciphers
3588:Block cipher
3433:Key schedule
3423:Key exchange
3413:Kleptography
3376:Cryptosystem
3325:Cryptography
3175:Partitioning
3133:Side-channel
3111:
3078:Higher-order
3063:Differential
2944:Key schedule
2385:
2256:
2240:. Retrieved
2236:the original
2230:Biham, Eli.
2191:cite journal
2162:
2141:cite journal
2126:
2105:cite journal
2093:. Retrieved
2086:the original
2072:
2051:cite journal
2018:
2011:
1999:
1987:. Retrieved
1975:
1963:. Retrieved
1921:
1878:
1874:
1851:25 September
1849:. Retrieved
1842:the original
1819:
1776:
1773:
1770:
1755:
1744:
1721:
1709:
1697:
1301:
1223:
1145:
1123:
1104:permutations
1101:
1038:key_schedule
330:// roundkeys
289:
286:
281:
274:Golden ratio
269:
267:
263:
260:Key Schedule
239:
226:
179:
175:Lars Knudsen
155:block cipher
147:
146:
132:Best public
81:AES finalist
67:Derived from
53:Lars Knudsen
3576:Mathematics
3567:Mix network
3260:Utilization
3246:NSA Suite B
3231:AES process
3180:Rubber-hose
3118:Related-key
3026:Brute-force
2405:Less common
2167:Eli Biham,
212:, using 32
180:Like other
103:Block sizes
3675:Categories
3527:Ciphertext
3497:Decryption
3492:Encryption
3453:Ransomware
3210:Chi-square
3128:Rotational
3068:Impossible
2989:Block size
2883:Spectr-H64
2707:Ladder-DES
2702:Kuznyechik
2647:Hierocrypt
2517:BassOmatic
2480:algorithms
2407:algorithms
2380:Triple DES
2355:algorithms
2242:15 January
2095:19 January
1965:14 January
1724:XSL attack
348:// S-boxes
214:bit slices
186:block size
62:1998-08-21
3517:Plaintext
3185:Black-bag
3105:Boomerang
3094:Known-key
3073:Truncated
2898:Threefish
2893:SXAL/MBAL
2783:MultiSwap
2738:MacGuffin
2697:KN-Cipher
2637:Grand Cru
2592:CS-Cipher
2572:COCONUT98
2177:CiteSeerX
1895:1044-677X
1795:Footnotes
1758:Eli Biham
171:Eli Biham
112:Structure
93:Key sizes
49:Eli Biham
41:Designers
3656:Category
3562:Kademlia
3522:Codetext
3465:(CSPRNG)
3236:CRYPTREC
3200:Weak key
3153:Acoustic
2994:Key size
2838:Red Pike
2657:IDEA NXT
2537:Chiasmus
2532:CAST-256
2512:BaseKing
2497:Akelarre
2492:Adiantum
2459:Skipjack
2424:CAST-128
2419:Camellia
2367:Blowfish
1989:25 April
1913:27500035
1782:See also
1728:Rijndael
1718:Security
1699:Rijndael
1574:<<
1469:<<
1047:uint32_t
1014:<<
996:>>
933:<<
915:>>
900:<<
882:>>
867:<<
849:>>
834:<<
816:>>
597:uint32_t
588:uint32_t
387:uint32_t
375:uint32_t
363:uint32_t
321:uint32_t
309:uint32_t
246:patented
210:parallel
190:key size
163:Rijndael
107:128 bits
3332:General
3277:Padding
3195:Rebound
2903:Treyfer
2853:SAVILLE
2813:PRESENT
2803:NOEKEON
2748:MAGENTA
2743:Madryga
2723:Lucifer
2587:CRYPTON
2396:Twofish
2386:Serpent
1904:4863838
1098:S-Boxes
1056:get_pre
615:uint8_t
357:get_pre
336:uint8_t
234:Twofish
206:S-boxes
148:Serpent
36:General
17:Serpent
3443:Keygen
3241:NESSIE
3190:Davies
3138:Timing
3053:Linear
3013:Attack
2932:Design
2923:Zodiac
2888:Square
2863:SHACAL
2858:SC2000
2818:Prince
2798:Nimbus
2793:NewDES
2778:MULTI2
2768:MISTY1
2711:LOKI (
2687:KHAZAD
2682:KeeLoq
2677:KASUMI
2672:Kalyna
2557:CLEFIA
2542:CIKS-1
2502:Anubis
2353:Common
2179:
2175:2001.
2021:(1999)
2006:(1999)
1911:
1901:
1893:
1834:
1086:subkey
1074:get_sk
579:get_sk
324:subkey
194:cipher
173:, and
123:Rounds
71:Square
3473:(PRN)
3123:Slide
2979:Round
2964:P-box
2959:S-box
2918:XXTEA
2878:Speck
2873:Simon
2868:SHARK
2848:SAFER
2833:REDOC
2758:Mercy
2717:89/91
2667:Iraqi
2632:G-DES
2622:FEA-M
2602:DES-X
2567:Cobra
2522:BATON
2507:Ascon
2487:3-Way
2478:Other
2089:(PDF)
2082:(PDF)
2043:(PDF)
1984:(PDF)
1845:(PDF)
1816:(PDF)
1788:Tiger
1637:short
1313:short
1005:&
924:&
891:&
858:&
825:&
585:const
372:const
333:const
202:words
150:is a
3251:CNSA
3110:Mod
3036:MITM
2808:NUSH
2763:MESH
2753:MARS
2627:FROG
2617:FEAL
2597:DEAL
2577:Crab
2562:CMEA
2469:XTEA
2454:SEED
2434:IDEA
2429:GOST
2414:ARIA
2244:2013
2204:help
2154:help
2118:help
2097:2015
2064:help
1991:2022
1967:2013
1909:PMID
1891:ISSN
1853:2014
1832:ISBN
1722:The
1655:<
1613:ROTL
1589:ROTL
1508:ROTL
1484:ROTL
1403:ROTL
1379:ROTL
1331:<
1247:swap
1169:swap
1035:void
963:<
786:<
735:<
669:<
576:void
531:FRAC
501:ROTL
474:<
420:<
354:void
282:FRAC
270:FRAC
232:and
230:MARS
3205:Tau
3165:XSL
2969:SPN
2913:xmx
2908:UES
2843:S-1
2828:RC2
2773:MMB
2652:ICE
2607:DFC
2464:TEA
2449:RC6
2444:RC5
2439:LEA
2391:SM4
2372:DES
2362:AES
2173:FSE
1899:PMC
1883:doi
1879:106
1824:doi
1732:AES
1631:for
1307:for
1286:127
1265:bit
1253:bit
1244:127
1229:for
1208:127
1187:bit
1175:bit
1166:127
1151:for
1126:DES
1068:key
1008:0x1
942:for
927:0x1
894:0x1
861:0x1
828:0x1
765:for
714:for
648:for
477:140
456:int
450:for
402:int
396:for
345:{};
312:key
278:XOR
254:GPL
222:DES
182:AES
3677::
2733:M8
2728:M6
2715:,
2713:97
2612:E2
2378:,
2255:.
2195::
2193:}}
2189:{{
2145::
2143:}}
2139:{{
2109::
2107:}}
2103:{{
2055::
2053:}}
2049:{{
2026:^
1958:.
1935:^
1907:.
1897:.
1889:.
1877:.
1873:.
1861:^
1830:.
1818:.
1803:^
1760:,
1742:.
1667:++
1628:);
1625:22
1604:);
1580:);
1523:);
1499:);
1475:);
1418:);
1394:);
1391:13
1367:];
1343:++
1268:((
1262:),
1241:..
1235:in
1193:32
1190:((
1184:),
1163:..
1157:in
1133:.
1089:);
1071:);
1041:()
990:((
987:|=
984:sk
975:++
939:];
909:((
876:((
843:((
798:++
789:32
753:sk
747:++
696:32
681:++
672:33
609:))
606:sk
552:);
549:11
546:),
543:-8
486:++
432:++
224:.
177:.
169:,
127:32
51:,
47:,
3317:e
3310:t
3303:v
3112:n
3096:)
3092:(
3059:)
3055:(
3032:)
3028:(
3019:)
3015:(
3005:)
3001:(
2823:Q
2719:)
2382:)
2374:(
2347:)
2343:(
2333:e
2326:t
2319:v
2261:.
2246:.
2225:.
2206:)
2202:(
2185:.
2156:)
2152:(
2135:.
2120:)
2116:(
2099:.
2066:)
2062:(
2045:.
1993:.
1969:.
1929:.
1915:.
1885::
1855:.
1826::
1688:}
1685:;
1682:X
1679:=
1676:B
1673:{
1670:)
1664:i
1661:;
1658:4
1652:i
1649:;
1646:0
1643:=
1640:i
1634:(
1622:,
1619:X
1616:(
1610:=
1607:X
1601:5
1598:,
1595:X
1592:(
1586:=
1583:X
1577:7
1571:X
1568:(
1565:^
1562:X
1559:^
1556:X
1553:=
1550:X
1547:;
1544:X
1541:^
1538:X
1535:^
1532:X
1529:=
1526:X
1520:7
1517:,
1514:X
1511:(
1505:=
1502:X
1496:1
1493:,
1490:X
1487:(
1481:=
1478:X
1472:3
1466:X
1463:(
1460:^
1457:X
1454:^
1451:X
1448:=
1445:X
1442:;
1439:X
1436:^
1433:X
1430:^
1427:X
1424:=
1421:X
1415:3
1412:,
1409:X
1406:(
1400:=
1397:X
1388:,
1385:X
1382:(
1376:=
1373:X
1370:}
1364:K
1361:^
1358:S
1355:=
1352:X
1349:{
1346:)
1340:i
1337:;
1334:4
1328:i
1325:;
1322:0
1319:=
1316:i
1310:(
1292:)
1289:)
1283:%
1280:)
1277:i
1274:*
1271:4
1259:i
1256:(
1250:(
1238:0
1232:i
1214:)
1211:)
1205:%
1202:)
1199:i
1196:*
1181:i
1178:(
1172:(
1160:0
1154:i
1092:}
1083:,
1080:w
1077:(
1065:,
1062:w
1059:(
1053:;
1050:w
1044:{
1032:}
1029:}
1026:}
1023:}
1020:;
1017:k
1011:)
1002:)
999:j
993:s
981:{
978:)
972:j
969:;
966:4
960:j
957:;
954:0
951:=
948:j
945:(
936:3
930:)
921:)
918:k
912:w
906:|
903:2
897:)
888:)
885:k
879:w
873:|
870:1
864:)
855:)
852:k
846:w
840:|
837:0
831:)
822:)
819:k
813:S
810:=
807:s
804:{
801:)
795:k
792:;
783:k
780:;
777:0
774:=
771:k
768:(
762:;
759:0
756:=
750:)
744:j
741:;
738:4
732:j
729:;
726:0
723:=
720:j
717:(
711:;
708:i
705:-
702:3
699:+
693:=
690:p
687:{
684:)
678:i
675:;
666:i
663:;
660:0
657:=
654:i
651:(
645:;
642:k
639:,
636:s
633:,
630:j
627:,
624:p
621:,
618:i
612:{
603:*
600:(
594:,
591:w
582:(
570:}
567:}
564:;
561:x
558:=
555:w
540:i
537:(
534:^
528:^
525:x
522:^
519:x
516:^
513:x
510:^
507:x
504:(
498:=
495:x
492:{
489:)
483:i
480:;
471:i
468:;
465:8
462:=
459:i
453:(
447:;
444:k
441:=
438:x
435:)
429:i
426:;
423:8
417:i
414:;
411:0
408:=
405:i
399:(
393:;
390:x
384:{
381:)
378:k
369:,
366:w
360:(
342:=
339:S
327:;
315:;
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.