Preliminary Cryptanalysis of Reduced-Round Serpent

T. Kohno, J. Kelsey, and B. Schneier

Third AES Candidate Conference, 2000, to appear

ABSTRACT: Serpent is a 32-round AES block cipher finalist. In this paper we present several attacks on reduced-round variants of Serpent that require less work than exhaustive search. We attack six-round 256-bit Serpent using the meet-in-the-middle technique, 512 known plaintexts, 2^246 bytes of memory, and approximately 2^247 trial encryptions. For all key sizes, we attack six-round Serpent using standard differential cryptanalysis, 2^83 chosen plaintexts, 2^40 bytes of memory, and 2^90 trial encryptions. We present boomerang and amplified boomerang attacks on seven- and eight-round Serpent, and show how to break nine-round 256-bit Serpent using the amplified boomerang technique, 2^110 chosen plaintexts, 2^212 bytes of memory, and approximately 2^252 trial encryptions.
