Editing Serpent (cipher) (section)

{{Short description|Block cipher}}
{{Use dmy dates|date=October 2019}}{{Infobox block cipher
| name          = Serpent
| image         = [[File:Serpent-linearfunction.svg|200px|center]]
| caption       = Serpent's linear mixing stage
| designers     = [[Ross J. Anderson|Ross Anderson]], [[Eli Biham]], [[Lars Knudsen]]
| publish date  = 1998-08-21
| derived from  = [[Square (cipher)|Square]]
| related to    =
| certification = [[AES finalist]]
| key size      = 128, 192 or 256 bits
| block size    = 128 bits
| structure     = [[Substitution–permutation network]]
| rounds        = 32
| cryptanalysis =
All publicly known attacks are computationally infeasible, and none of them affect the full 32-round Serpent.  A 2011 attack breaks 11 round Serpent (all key sizes) with 2<sup>116</sup> known plaintexts, 2<sup>107.5</sup> time and 2<sup>104</sup> memory (as described in<ref name=acisp-2011 />).

The same paper also describes two attacks which break 12 rounds of Serpent-256. The first requires 2<sup>118</sup> known plaintexts, 2<sup>228.8</sup> time and 2<sup>228</sup> memory. The other attack requires 2<sup>116</sup> known plaintexts and 2<sup>121</sup> memory but also requires 2<sup>237.5</sup> time.
}}

'''Serpent''' is a [[symmetric key]] [[block cipher]] that was a finalist in the [[Advanced Encryption Standard process|Advanced Encryption Standard (AES) contest]], in which it ranked second to [[Rijndael]].<ref name=":1">{{Cite journal |last1=Nechvatal |first1=J. |last2=Barker |first2=E. |last3=Bassham |first3=L. |last4=Burr |first4=W. |last5=Dworkin |first5=M. |last6=Foti |first6=J. |last7=Roback |first7=E. |date=May 2001 |title=Report on the development of the Advanced Encryption Standard (AES) |url=https://doi.org/10.6028/jres.106.023 |journal=Journal of Research of the National Institute of Standards and Technology |volume=106 |issue=3 |pages=511–577 |doi=10.6028/jres.106.023 |issn=1044-677X |pmc=4863838 |pmid=27500035}}</ref> Serpent was designed by [[Ross J. Anderson|Ross Anderson]], [[Eli Biham]], and [[Lars Knudsen]].<ref>{{Cite web |title=Serpent Home Page |url=https://www.cl.cam.ac.uk/~rja14/serpent.html }}</ref>

Like other [[Advanced Encryption Standard|AES]] submissions, Serpent has a [[block size (cryptography)|block size]] of 128 bits and supports a [[key size]] of 128, 192, or 256 bits.<ref name=":0">{{cite web
| url=http://www.cl.cam.ac.uk/~rja14/serpent.html
| title=Serpent: A Candidate Block Cipher for the Advanced Encryption Standard
| author=Ross J. Anderson
| author-link=Ross J. Anderson
| date=2006-10-23
| publisher=[[University of Cambridge Computer Laboratory]]
| access-date=2013-01-14}}</ref> The [[cipher]] is a 32-round [[substitution–permutation network]] operating on a block of four 32-bit [[Word (computer architecture)|words]].  Each round applies one of eight 4-bit to 4-bit [[S-box]]es 32 times in parallel. Serpent was designed so that all operations can be executed in [[parallel computing|parallel]], using 32 [[bit slice]]s. This maximizes parallelism but also allows use of the extensive [[cryptanalysis]] work performed on [[Data Encryption Standard|DES]].

Serpent took a conservative approach to security, opting for a large security margin: the designers deemed 16 rounds to be sufficient against known types of attack but specified 32 rounds as insurance against future discoveries in cryptanalysis.<ref>{{Cite web |title=serpent.pdf |url=https://www.cl.cam.ac.uk/~rja14/Papers/serpent.pdf |access-date=25 April 2022}}</ref> The official NIST report on AES competition classified Serpent as having a high security margin like [[MARS (cryptography)|MARS]] and [[Twofish]] and in contrast to the adequate security margin of RC6 and Rijndael (currently AES).<ref name=":1" /> In final voting, Serpent had the fewest negative votes among the finalists but ranked in second place overall because Rijndael had substantially more positive votes, the deciding factor being that Rijndael allowed for a far more efficient software implementation.{{citation needed|date=June 2016}}

The Serpent cipher algorithm is in the [[public domain]] and has not been [[patented]].<ref>[http://www.cl.cam.ac.uk/~rja14/serpentpr.html Serpent Holds the Key to Internet Security – Finalists in world-wide encryption competition announced] (1999)</ref> The reference code is [[public domain software]], and the optimized code is licensed under the [[GPL]].<ref>[http://www.cl.cam.ac.uk/~rja14/serpent.html SERPENT – A Candidate Block Cipher for the Advanced Encryption Standard ] ''"Serpent is now completely in the public domain, and we impose no restrictions on its use. This was announced on the 21st August at the First AES Candidate Conference. The optimised implementations in the submission package are now under the General Public License (GPL), although some comments in the code still say otherwise. You are welcome to use Serpent for any application. If you do use it, we would appreciate it if you would let us know!"'' (1999)</ref> There are no restrictions or encumbrances regarding its use. As a result, anyone is free to incorporate Serpent in their software (or in hardware implementations) without paying license fees.