AES vs. Serpent vs. Twofish (was Re: KeePass or any other password wallet to store and transport keys)

Ben McGinnes ben at adversary.org
Thu Jul 26 11:56:09 CEST 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 26/07/12 6:40 PM, Robert J. Hansen wrote:
> On 7/26/2012 4:05 AM, Ben McGinnes wrote:
>> On a semi-related tangent, does this mean that utilising the
>> three symmetric ciphers available in TrueCrypt (AES, Serpent and
>> Twofish) is a bad idea or do they play well together?
> 
> My understanding is they at least tolerate each other, but I'm 
> unaware of any serious analysis that suggests you enjoy increased 
> cryptographic strength by stacking them.  It wouldn't surprise me
> if you did, but at the same time ... as I mentioned earlier, I
> really don't see the point.

Okay.

>> Also, if you had to pick one of those three, which would you
>> choose (for general purposes rather than a specific threat model
>> and ignoring the possible speed differences between AES and
>> Serpent)?
> 
> This presumes I'm competent to have an opinion.  I really don't 
> think I am.  Evaluating cryptographic algorithms is almost as hard 
> as designing them.  It's the sort of thing that's best done by a 
> handful of experts all looking at the algorithms through slightly 
> different prisms of experience and skill.

Fair enough.  Unfortunately I don't have any cryptographers or
cryptanalysts on speed dial.  This group is probably one amongst my
better sources of information.  Although maybe I should be asking
Werner since he's clearly implemented all three algorithms (and
several others).

> For instance, I don't like Serpent very much on account of how 
> complex it is.  My rule of thumb is, "if I don't believe an 
> undergraduate in computer science can understand this algorithm,
> how can I expect people to implement this algorithm correctly?"
> So, had I been on the AES selection committee, I'd have given
> Serpent a thumbs-down.  Other people with different perspectives
> would've given it thumbs-ups and thumbs-down, and our ultimate
> recommendation would take into account all the input of the
> different experts on the selection committee.

Interesting.  Most of the things I've read on Serpent, which
admittedly isn't much, are about how it was not accepted for AES
because of the speed aspects rather than other aspects and that it may
be more secure.

> But whenever you ask one person for his or her opinion on a
> cipher, all you're getting is one perspective, and you really need
> more perspectives than that.

Exactly.  I figured this would be a good place to start and I'd
definitely like to read what other list members think on this topic.

> Still, you asked a question, and now that I've spent three 
> paragraphs explaining why you shouldn't trust my answer I'll give 
> you my answer: Twofish.

Heh.  Caveats are important, especially on a topic like this which so
often looks like black magic.

> Most symmetric ciphers nowadays are built around Feistel networks. 
> We have a lot of experience with Feistel networks: many algorithms 
> built around them have held up quite well over the years.  (3DES, 
> for instance, which pretty much every cryppie holds in a mixture
> of distaste, disgust, fear, terror, awe and reverence, is built
> around a Feistel network.  30+ years, no really meaningful results
> against it.)  Feistel networks make me happy: who doesn't like a
> track record of success?

This is a very good point and you're also right about the 3DES thing.

> Rijndael is not a Feistel cipher.  That doesn't mean it's bad, far 
> from it.

Cool.

> But if Feistel networks give me the warm fuzzies, then that means
> I need to strike non-Feistel networks from my list.

Okay, this bit I don't follow.  I get favouring Feistel networks
because of their proven track record, but I don't see why it would
necessitate ruling out Substitution-Permutation networks and other
types of ciphers.

> I don't like Serpent's complexity: I think that leads to
> difficulty in implementing it.  By comparison, I've implemented
> Twofish a couple of times and have seen undergraduates implement it
> correctly.

Okay, that makes sense.

> So, yeah, for my money I prefer Twofish.  But I don't think you 
> should trust my opinion worth a damn.  :)

Fair enough.  I think I'd like to get more opinions now.


Regards,
Ben

-----BEGIN PGP SIGNATURE-----

iEYEAREKAAYFAlARFDkACgkQNxrFv6BK4xM4XACgjL8ESxQj/rH68W1H9Y8cYuUj
ozYAnRWLAceszUxCnyyyVNnuEPb12+KC
=P9Zt
-----END PGP SIGNATURE-----


