Editing Serpent (cipher)

{{Short description|Block cipher}}
{{Use dmy dates|date=October 2019}}{{Infobox block cipher
| name          = Serpent
| image         = [[File:Serpent-linearfunction.svg|200px|center]]
| caption       = Serpent's linear mixing stage
| designers     = [[Ross J. Anderson|Ross Anderson]], [[Eli Biham]], [[Lars Knudsen]]
| publish date  = 1998-08-21
| derived from  = [[Square (cipher)|Square]]
| related to    =
| certification = [[AES finalist]]
| key size      = 128, 192 or 256 bits
| block size    = 128 bits
| structure     = [[Substitution–permutation network]]
| rounds        = 32
| cryptanalysis =
All publicly known attacks are computationally infeasible, and none of them affect the full 32-round Serpent.  A 2011 attack breaks 11 round Serpent (all key sizes) with 2<sup>116</sup> known plaintexts, 2<sup>107.5</sup> time and 2<sup>104</sup> memory (as described in<ref name=acisp-2011 />).

The same paper also describes two attacks which break 12 rounds of Serpent-256. The first requires 2<sup>118</sup> known plaintexts, 2<sup>228.8</sup> time and 2<sup>228</sup> memory. The other attack requires 2<sup>116</sup> known plaintexts and 2<sup>121</sup> memory but also requires 2<sup>237.5</sup> time.
}}

'''Serpent''' is a [[symmetric key]] [[block cipher]] that was a finalist in the [[Advanced Encryption Standard process|Advanced Encryption Standard (AES) contest]], in which it ranked second to [[Rijndael]].<ref name=":1">{{Cite journal |last1=Nechvatal |first1=J. |last2=Barker |first2=E. |last3=Bassham |first3=L. |last4=Burr |first4=W. |last5=Dworkin |first5=M. |last6=Foti |first6=J. |last7=Roback |first7=E. |date=May 2001 |title=Report on the development of the Advanced Encryption Standard (AES) |url=https://doi.org/10.6028/jres.106.023 |journal=Journal of Research of the National Institute of Standards and Technology |volume=106 |issue=3 |pages=511–577 |doi=10.6028/jres.106.023 |issn=1044-677X |pmc=4863838 |pmid=27500035}}</ref> Serpent was designed by [[Ross J. Anderson|Ross Anderson]], [[Eli Biham]], and [[Lars Knudsen]].<ref>{{Cite web |title=Serpent Home Page |url=https://www.cl.cam.ac.uk/~rja14/serpent.html }}</ref>

Like other [[Advanced Encryption Standard|AES]] submissions, Serpent has a [[block size (cryptography)|block size]] of 128 bits and supports a [[key size]] of 128, 192, or 256 bits.<ref name=":0">{{cite web
| url=http://www.cl.cam.ac.uk/~rja14/serpent.html
| title=Serpent: A Candidate Block Cipher for the Advanced Encryption Standard
| author=Ross J. Anderson
| author-link=Ross J. Anderson
| date=2006-10-23
| publisher=[[University of Cambridge Computer Laboratory]]
| access-date=2013-01-14}}</ref> The [[cipher]] is a 32-round [[substitution–permutation network]] operating on a block of four 32-bit [[Word (computer architecture)|words]].  Each round applies one of eight 4-bit to 4-bit [[S-box]]es 32 times in parallel. Serpent was designed so that all operations can be executed in [[parallel computing|parallel]], using 32 [[bit slice]]s. This maximizes parallelism but also allows use of the extensive [[cryptanalysis]] work performed on [[Data Encryption Standard|DES]].

Serpent took a conservative approach to security, opting for a large security margin: the designers deemed 16 rounds to be sufficient against known types of attack but specified 32 rounds as insurance against future discoveries in cryptanalysis.<ref>{{Cite web |title=serpent.pdf |url=https://www.cl.cam.ac.uk/~rja14/Papers/serpent.pdf |access-date=25 April 2022}}</ref> The official NIST report on AES competition classified Serpent as having a high security margin like [[MARS (cryptography)|MARS]] and [[Twofish]] and in contrast to the adequate security margin of RC6 and Rijndael (currently AES).<ref name=":1" /> In final voting, Serpent had the fewest negative votes among the finalists but ranked in second place overall because Rijndael had substantially more positive votes, the deciding factor being that Rijndael allowed for a far more efficient software implementation.{{citation needed|date=June 2016}}

The Serpent cipher algorithm is in the [[public domain]] and has not been [[patented]].<ref>[http://www.cl.cam.ac.uk/~rja14/serpentpr.html Serpent Holds the Key to Internet Security – Finalists in world-wide encryption competition announced] (1999)</ref> The reference code is [[public domain software]], and the optimized code is licensed under the [[GPL]].<ref>[http://www.cl.cam.ac.uk/~rja14/serpent.html SERPENT – A Candidate Block Cipher for the Advanced Encryption Standard ] ''"Serpent is now completely in the public domain, and we impose no restrictions on its use. This was announced on the 21st August at the First AES Candidate Conference. The optimised implementations in the submission package are now under the General Public License (GPL), although some comments in the code still say otherwise. You are welcome to use Serpent for any application. If you do use it, we would appreciate it if you would let us know!"'' (1999)</ref> There are no restrictions or encumbrances regarding its use. As a result, anyone is free to incorporate Serpent in their software (or in hardware implementations) without paying license fees.

== Key schedule ==
The Serpent key schedule consists of 3 main stages. In the first stage the key is initialized by adding padding if necessary. This is done in order to make short keys map to long keys of 256-bits, one "1" bit is appended to the end of the short key followed by "0" bits until the short key is mapped to a long key length.<ref name=":0" />

In the next phase, the "prekeys" are derived using the previously initialized key. 32-bit key parts XORed, the ''FRAC'' which is the fraction of the [[Golden ratio]] and the round index is XORed with the key parts, the result of the [[Exclusive or|XOR]] operation is rotated to left by 11. The ''FRAC'' and round index were added to achieve an even distribution of the keys bits during the rounds.<ref name=":0" />

Finally the "subkeys" are derived from the previously generated "prekeys". This results in a total of 33 128-bit "subkeys".<ref name=":0" />

At the end the round key or "subkey" are placed in the "initial permutation IP" to place the key bits in the correct column.<ref name=":0" />

=== Key schedule in C++ ===
<syntaxhighlight lang="cpp">
#define FRAC 0x9e3779b9     //  fractional part of the golden ratio
#define ROTL(A, n) ((A) << n | (A) >> 32-n)

uint32_t key[8];        // key provided by user
uint32_t subkey[33][4]; // roundkeys
const uint8_t S[8][16] = {}; // S-boxes

/* key schedule: get prekeys */
void get_pre(uint32_t w[4*33], const uint32_t k[8]) {
    uint32_t x[4*33+8];
    for (int i = 0; i < 8; i++)
        x[i] = k[i];
    for (int i = 8; i < 140; i++) {
        x[i] = ROTL(x[i-8] ^ x[i-5] ^ x[i-3] ^ x[i-1] ^ FRAC ^ (i-8), 11);
        w[i-8] = x[i];
    }
}

/* key schedule: get subkeys */
void get_sk(const uint32_t w[4*33], uint32_t (*sk)[4]) {

	uint8_t i, p, j, s, k;
	
	for (i = 0; i < 33; i++) {
		p = 32 + 3 - i;
        for (j = 0; j < 4; j++)
            sk[i][j] = 0;
		for (k = 0; k < 32; k++) {
			s = S[p % 8][((w[4 * i + 0] >> k) & 0x1) << 0 |
						 ((w[4 * i + 1] >> k) & 0x1) << 1 |
						 ((w[4 * i + 2] >> k) & 0x1) << 2 |
						 ((w[4 * i + 3] >> k) & 0x1) << 3 ];
			for (j = 0; j < 4; j++) {
				sk[i][j] |= ((s >> j) & 0x1) << k;
			}
		}
	}
}

void key_schedule() {
    uint32_t w[4*33];
    get_pre(w, key);
    get_sk(w, subkey);
}
</syntaxhighlight>

== S-boxes ==
The Serpent s-boxes are 4-bit [[permutation]]s, and subject to the following properties:

* a 1-bit input difference will never lead to a 1-bit output difference, a differential characteristic has a probability of 1:4 or less.<ref name="algeb-2009" />
* linear characteristics have a probability between 1:2 and 1:4, linear relationship between input and output bits has a probability between 1:2 and 1:8.<ref name="algeb-2009" />
* the nonlinear order of the output bits as function of the input bits is 3. However there have been output bits found which in function of the input bits have an order of only 2.<ref name="algeb-2009" />

The Serpent s-boxes have been constructed based on the 32 rows of the [[Data Encryption Standard|DES]] s-boxes. These were transformed by swapping entries, resulting arrays with desired properties were stored as the Serpent s-boxes. This process was repeated until a total of 8 s-boxes were found. The following key was used in this process: <code>"sboxesforserpent"</code>.<ref name=":0" />

== Permutations and transformations ==

=== Initial permutation (IP) ===
The initial permutation works on 128 bits at a time moving bits around.<syntaxhighlight lang="cpp">
for i in 0 .. 127
    swap( bit(i), bit((32 * i) % 127) )
</syntaxhighlight>

=== Final permutation (FP) ===
The final permutation works on 128 bits at a time moving bits around.<syntaxhighlight lang="cpp">
for i in 0 .. 127
    swap( bit(i), bit((4 * i) % 127) )
</syntaxhighlight>

=== Linear transformation (LT) ===
Consists of XOR, bit shift left and bit rotate left operations. These operations are performed on 4 32-bit words.
<syntaxhighlight lang="cpp">
// The input is the result of key mixing and substitution.
for (short i = 0; i < 4; i++) {
    X[i] = S[i][B[i] ^ K[i]];
}

// Linear transformation.
X[0] = ROTL(X[0], 13);
X[2] = ROTL(X[2], 3 );
X[1] = X[1] ^ X[0] ^ X[2];
X[3] = X[3] ^ X[2] ^ (X[0] << 3);
X[1] = ROTL(X[1], 1 );
X[3] = ROTL(X[3], 7 );
X[0] = X[0] ^ X[1] ^ X[3];
X[2] = X[2] ^ X[3] ^ (X[1] << 7);
X[0] = ROTL(X[0], 5 );
X[2] = ROTL(X[2], 22);

// The output becomes the new state.
for (short i = 0; i < 4; i++) {
    B[i + 1] = X[i];
}
</syntaxhighlight>

== Rijndael vs. Serpent ==
[[Rijndael]] is a substitution-linear transformation network with ten, twelve, or fourteen rounds, depending on the key size, and with key sizes of 128 bits, 192 bits, or 256 bits, independently specified. Serpent is a substitution–permutation network which has thirty-two rounds, plus an initial and a final permutation to simplify an optimized implementation. The round function in Rijndael consists of three parts: a nonlinear layer, a linear mixing layer, and a key-mixing XOR layer. The round function in Serpent consists of key-mixing XOR, thirty-two parallel applications of the same 4×4 S-box, and a linear transformation, except in the last round, wherein another key-mixing XOR replaces the linear transformation. The nonlinear layer in Rijndael uses an 8×8 S-box whereas Serpent uses eight different 4×4 S-boxes. The 32 rounds mean that Serpent has a higher security margin than Rijndael; however, Rijndael with 10 rounds is faster and easier to implement for small blocks.<ref>{{cite web |title=The Twofish Team's Final Comments on AES Selection |author1=Bruce Schneier |author2=John Kelsey |author3=Doug Whiting |author4=David Wagner |author5=Chris Hall. Niels Fergusonk |author6=Tadayoshi Kohno |author7=Mike Stay |year=2000 |url=https://www.schneier.com/paper-twofish-final.pdf |access-date=19 January 2015 |archive-date=2 January 2010 |archive-url=https://web.archive.org/web/20100102041117/http://schneier.com/paper-twofish-final.pdf |url-status=dead }}</ref> Hence, Rijndael was selected as the winner in the AES competition.

==Serpent-0 vs. Serpent-1==
The original Serpent, Serpent-0, was presented at the 5th workshop on [[Fast Software Encryption]], but a somewhat tweaked version, Serpent-1, was submitted to the AES competition.  The AES submission paper discusses the changes, which include key-scheduling differences.

==Security==
The [[XSL attack]], if effective, would weaken Serpent (though not as much as it would weaken [[Rijndael]], which became [[Advanced Encryption Standard|AES]]). However, many [[cryptanalysts]] believe that once implementation considerations are taken into account the XSL attack would be more expensive than a [[brute force attack]].{{Citation needed|date=July 2010}}

In 2000, a paper by Kohno et al. presents a [[meet-in-the-middle attack]] against 6 of 32 rounds of Serpent and an [[amplified boomerang attack]] against 9 of 32 rounds in Serpent.<ref>{{cite conference
 | last1 = Kohno | first1 = Tadayoshi
 | last2 = Kelsey | first2 = John
 | last3 = Schneier | first3 = Bruce
 | contribution = Preliminary Cryptanalysis of Reduced-Round Serpent
 | contribution-url = https://www.schneier.com/paper-serpent-aes.html
 | pages = 195–211
 | publisher = National Institute of Standards and Technology
 | title = The Third Advanced Encryption Standard Candidate Conference, April 13–14, 2000, New York, New York, USA
 | year = 2000}}</ref>

A 2001 attack by [[Eli Biham]], [[Orr Dunkelman]] and Nathan Keller presents a [[linear cryptanalysis]] attack that breaks 10 of 32 rounds of Serpent-128 with 2<sup>118</sup> known plaintexts and 2<sup>89</sup> time, and 11 rounds of Serpent-192/256 with 2<sup>118</sup> known plaintexts and 2<sup>187</sup> time.<ref name=linear-2001>{{cite conference
 | last1 = Biham | first1 = Eli | author1-link = Eli Biham
 | last2 = Dunkelman | first2 = Orr | author2-link = Orr Dunkelman
 | last3 = Keller | first3 = Nathan
 | editor-last = Matsui | editor-first = Mitsuru
 | contribution = Linear Cryptanalysis of Reduced Round Serpent
 | doi = 10.1007/3-540-45473-X_2
 | pages = 16–27
 | publisher = Springer
 | series = Lecture Notes in Computer Science
 | title = Fast Software Encryption, 8th International Workshop, FSE 2001 Yokohama, Japan, April 2-4, 2001, Revised Papers
 | volume = 2355
 | year = 2001| isbn = 978-3-540-43869-4 }}</ref>

A 2009 paper has noticed that the nonlinear order of Serpent S-boxes were not 3 as was claimed by the designers. Specifically, four elements had order 2.<ref name=algeb-2009>{{cite web
| title=On Algebraic Relations of Serpent S-boxes
|author1=Bhupendra Singh |author2=Lexy Alexander |author3=Sanjay Burman | year= 2009
| url= https://eprint.iacr.org/2009/038.pdf}}</ref>

A 2011 attack by Hongjun Wu, Huaxiong Wang and Phuong Ha Nguyen, also using linear cryptanalysis, breaks 11 rounds of Serpent-128 with 2<sup>116</sup> known plaintexts, 2<sup>107.5</sup> time and 2<sup>104</sup> memory.<ref name=acisp-2011>{{cite book  |chapter=Improving the Algorithm 2 in Multidimensional Linear Cryptanalysis  |author1=Huaxiong Wang, Hongjun Wu  |title=Information Security and Privacy  |volume=6812  |pages=61–74  |author2=Phuong Ha Nguyen  |name-list-style=amp  |year=2011  |publisher=ACISP 2011  |chapter-url=http://www3.ntu.edu.sg/home/wuhj/research/publications/2011_ACISP_MLC.pdf  |doi=10.1007/978-3-642-22497-3_5  |series=Lecture Notes in Computer Science  |isbn=978-3-642-22496-6  |access-date=25 September 2014  |archive-date=14 April 2017  |archive-url=https://web.archive.org/web/20170414133320/http://www3.ntu.edu.sg/home/wuhj/research/publications/2011_ACISP_MLC.pdf  |url-status=dead  }}</ref>

The same paper also describes two attacks which break 12 rounds of Serpent-256. The first requires 2<sup>118</sup> known plaintexts, 2<sup>228.8</sup> time and 2<sup>228</sup> memory. The other attack requires 2<sup>116</sup> known plaintexts and 2<sup>121</sup> memory but also requires 2<sup>237.5</sup> time.

==See also==
* [[Tiger (cryptography)|Tiger]] – hash function by the same authors

==Footnotes==
{{Reflist}}

==Further reading==
* {{cite web
| url=http://embeddedsw.net/Cipher_Reference_Home.html#SERPENT
| title=Cryptography – 256 bit ciphers: Reference (AES submission) implementation
| first1=Ross 
| last1=Anderson
| first2=Eli
| last2=Biham
| first3=Lars 
| last3=Knudsen
| year=1998}}
* {{cite web
| url=https://www.cs.technion.ac.il/~biham/Reports/Serpent/
| title=Serpent – A New Block Cipher Proposal for AES
| first=Eli
| last=Biham
| access-date=15 January 2013
| archive-date=17 June 2014
| archive-url=https://web.archive.org/web/20140617083036/http://www.cs.technion.ac.il/~biham/Reports/Serpent/
| url-status=dead
}}
* {{cite web
| url=https://www.nytimes.com/2008/05/05/business/media/05trial.html
| title= In Pellicano Case, Lessons in Wiretapping Skills
| first=David M 
| last=Halbfinger
| date=2008-05-05
| work=[[The New York Times]]}}
* {{cite web
| url=https://www.cl.cam.ac.uk/~fms27/serpent/
| title=Serpent reference implementation
| first=Frank 
| last=Stajano
| date=2006-02-10
| publisher=University of Cambridge Computer Laboratory}}

==External links==
* {{Official website}}
* [http://embeddedsw.net/Cipher_Reference_Home.html 256 bit ciphers] – SERPENT Reference implementation and derived code

{{Cryptography navbox|block}}

[[Category:Block ciphers]]
[[Category:Free ciphers]]