THe CASE For SERPENT Ress Awdasen CLe Bcham lors Knudsen* NIST'S mata cation : algorithm i the west importent factor in th, tweluahen” . In detail : - He wast secure algeritim which is alee acceptably fast Cie, fuer than BDES ) on a widt range + pled forms NOT ~ the fastest algenthm ona paricula- Prceoter agoinat which no-on hao @ prduction atinck yet * We engureered Serpent exe My Lo th, sptcificationProtection Rag pi remrauts * NIST: “Aw algorithm for te tut, - first eantury ° Basic merimum: a uatful Sanvice Lifting , plus a human Uprine aftr that - so at least 100 yews Mau need mrare than (00 yeas = end of Moore's Uw — mare Umg- Lived sensitive clatu, = porsubanc, ot stondanls - auch ay Spacd UinaG, exam ple So what dees it mean for & cipher toCrypts ecurihy No-one should dinesver on trploctehl shortcut ortacle, enn afGr O ctrlery Cond more) progres in mathemalics , physics, ... 4 The lest Solulion we con offer lo: - @ Simple, easy T analyse aplhir - ato well -crnderstoed primihine anal builds on ta hugs amount of wrek dont on DES 7 hes many more rounds than we minded today, & give a ca of eps” Cary mery were the principle behind the 4 Theat dingn of SerpentAssuronce . Algorithm oasurerce - olid we implement at ight? Easint B check with Simple Options, Strchue . Syotm omurance - did we uae i ight ? Tho ta whine most real failien hopper : ~ bad random number gurserhirs ~ Memory runanence * Hasrig ayo that ove ‘only just J enough” io fetal on the ears many of thus commen flaws « Se 256 bit eyo ave umpertent - ond vaust be the defoult - regorlleas of Meore's LawConfidance + Recall what happened wih dES: - was dat a hapdrer ? - wae the beylergth “deliberate” end if so for what purpose ? — wee DES “brksn’ by Aiffercntial caypterotyats ? Mons firsC- rovnd AES concliclatiy wee rejected onda git by the Cowan doris becamee of “cartificationel ‘ asincks . Tha risk of umng WR Sarasat Cor any q te other froltss) w a eartftcaH onal attack at Crypts 2050' - vohat’s tu Ceonow. cost af His 7 RES mul alee withstand cartificaHonal adincks - nek gust prduchon ottrch, ~ for at lat 100 years |Speod © The ‘cormeationa! unacem’ on Serpent to thet ct in the wrost seewe concdichate by far, but ia half a0 fast ar He othirs becuse ue untd Ane, The numb of rounds we nesclid & BUT: ~ Serpent io best cn hasta ~ Sarpant io enesllant tn smatteanlg Se the cAti cal youuhon a was Sepint's secwity bought af an waacceptate ls pace 1 Sefewove Saeed has) larger processors 7 What's the leect bsrchmore ?The Bese Benchmora ° Sows Condidetio are haasily optnsed for teug on Partium. But opps wh 06 hires fa syotina Oren tha wooct commen, or “the wast dimonding es lL - ATH: 3 balides ied ~ prrocols : | black / * Netunt binchwore : ATH, osnge 4 3 eneuptions + deceyphtona tacladng buy sutup + With tae banca, W atl gives : MARS RCE dad Sapent Tewofits (A-6% §=2%65 9-308] S04 2269 227 | PACE «340% «(2686 ogg 0241S 3453 Serpent we second fostest afer Rijndack | * On Pantin , with Osvik's s-beves, Sept to Sel or Oth diptadig en prcserConclusions C1) ° Serpent's Seewihy ues nat laorg lt at an unacceptable wost in cpecd - i's best om hardwore - t's second on smorteady - tbls Second on WASG/PA-RISC in a most tereby catical apps of wa 2st Contury ~ trea et file oa te ae “e. than meela dhe specification 4 * fas Haan 30ES * * We Prpese 32 - round 256 - bit on ta Adwoned Enoyphix strrdard + Uf 128 ond 192 bie ned enpltert supper, tha standord shod sll recommetad 256 + UF 2 abgenthns win, Supint shovlel lee We pamony aLgerithm ond hy weakerCorehumion (2) Serpent should be chosen an th Adluoncd Enenption Strrdevl bscone if is te most Secure of the Lolate s