AES vs. Serpent vs. Twofish (was Re: KeePass or any other password wallet to store and transport keys)

Robert J. Hansen rjh at sixdemonbag.org
Thu Jul 26 15:04:13 CEST 2012


On 7/26/2012 5:56 AM, Ben McGinnes wrote:
> Interesting.  Most of the things I've read on Serpent, which 
> admittedly isn't much, is about how it was not accepted for AES 
> because of the speed aspects rather than other aspects and that it
> may be more secure.

Yeah, well -- this tends to get written by people who have a thing for
Serpent.  :)  The Serpent submission claimed that they tried to account
for as-yet undiscovered cryptanalysis by having a sort of "safety net"
against future discoveries.  The problem is that if you believe Serpent
on this, then you also probably need to believe Twofish and MARS when
they make similar claims.

My understanding is the AES voting went down like this: those who
preferred speed over larger security margins tended to go for Rijndael,
those who preferred larger security margins over speed tended to go for
Serpent, and pretty much everyone agreed that Twofish was an excellent
second choice.  Under some kinds of voting (approval, instant runoff,
etc.), Twofish would have won the AES competition as being the option
highly preferable to the most people.  Under the rules that were in
play, the first-place finish went to Rijndael.

>> But if Feistel networks give me the warm fuzzies, then that means I
>> need to strike non-Feistel networks from my list.
> 
> Okay, this bit I don't follow.  I get favouring Feistel networks 
> because of their proven track record, but I don't see why it would 
> necessitate ruling out Substitution-Permutation networks and other 
> types of ciphers.

It doesn't.  We're not talking about which algorithms are good: we're
talking about which algorithms I like.  :)

I like Feistel networks, and for that reason I tend to go for the
Feistel cipher of the three.  The fact Twofish is also simpler
implementation-wise is icing on the cake.

(Note that these lines are all somewhat arbitrary.  A Feistel network
that uses S-boxes is going to be very similar to a
substitution-permutation network, and vice-versa.  But still, Twofish is
pretty clearly Feistel, and AES and Serpent are pretty clearly not.)



More information about the Gnupg-users mailing list