Serpent
Designed by Ross Anderson, Eli Biham, and Lars Knudsen; published in 1998. It uses a 256-bit
key, 128-bit block, and operates in XTS mode (see the section Modes of Operation). Serpent was
one of the AES finalists. It was not selected as the proposed AES algorithm even though it
appeared to have a higher security margin than the winning Rijndael [4]. More concretely, Serpent
appeared to have a high security margin, while Rijndael appeared to have only an adequate
security margin [4]. Rijndael has also received some criticism suggesting that its mathematical
structure might lead to attacks in the future [4].
In [5], the Twofish team presents a table of safety factors for the AES finalists. Safety factor is
defined as: number of rounds of the full cipher divided by the largest number of rounds that has
been broken. Hence, a broken cipher has the lowest safety factor 1. Serpent had the highest safety
factor of the AES finalists: 3.56 (for all supported key sizes). Rijndael-256 had a safety factor of
1.56.
In spite of these facts, Rijndael was considered an appropriate selection for the AES for its
combination of security, performance, efficiency, implementability, and flexibility [4]. At the last AES
Candidate Conference, Rijndael got 86 votes, Serpent got 59 votes, Twofish got 31 votes, RC6 got
23 votes, and MARS got 13 votes [18, 19].*
Twofish
Designed by Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels
Ferguson; published in 1998. It uses a 256-bit key and 128-bit block and operates in XTS mode
(see the section Modes of Operation). Twofish was one of the AES finalists. This cipher uses
key-dependent S-boxes. Twofish may be viewed as a collection of 2^128 different cryptosystems,
where 128 bits derived from a 256-bit key control the selection of the cryptosystem [4]. In [13], the
Twofish team asserts that key-dependent S-boxes constitute a form of security margin against
unknown attacks [4].
AES-Twofish
Two ciphers in a cascade [15, 16] operating in XTS mode (see the section Modes of Operation).
Each 128-bit block is first encrypted with Twofish (256-bit key) in XTS mode and then with AES
(256-bit key) in XTS mode. Each of the cascaded ciphers uses its own key. All encryption keys are
mutually independent (note that header keys are independent too, even though they are derived
from a single password – see Header Key Derivation, Salt, and Iteration Count). See above for
information on the individual cascaded ciphers.
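
The cascade described above, as an added sketch that is not the documented software's own code: two XTS layers with separate keys are applied in sequence and removed in reverse order. Twofish and AES are both replaced by one stand-in 128-bit Feistel cipher built from HMAC-SHA-256 (an assumption that keeps the block self-contained); the key values, the data-unit number and all function names are constructed for illustration, and the data length is assumed to be a multiple of 16 bytes.

```python
import hashlib, hmac
BLOCK = 16  # 128-bit block, the block size of both Twofish and AES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Round function of the stand-in Feistel cipher (NOT Twofish or AES).
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def toy_encrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def toy_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def xts(block_fn, k1, k2, unit_no, data):
    # One XTS layer: tweak = E_k2(unit_no); XOR it in before and after block_fn(k1, .).
    t = int.from_bytes(toy_encrypt(k2, unit_no.to_bytes(BLOCK, "little")), "little")
    out = b""
    for i in range(0, len(data), BLOCK):
        tw = t.to_bytes(BLOCK, "little")
        out += _xor(block_fn(k1, _xor(data[i:i + BLOCK], tw)), tw)
        t <<= 1  # multiply the tweak by alpha in GF(2^128) for the next block
        if t >> 128:  # reduce modulo x^128 + x^7 + x^2 + x + 1
            t = (t & ((1 << 128) - 1)) ^ 0x87
    return out

def cascade_encrypt(layers, unit_no, data):
    # layers[0] plays Twofish's role (applied first), layers[1] plays AES's role.
    for k1, k2 in layers:
        data = xts(toy_encrypt, k1, k2, unit_no, data)
    return data

def cascade_decrypt(layers, unit_no, data):
    # Undo the layers in reverse order: the outer (AES-role) layer comes off first.
    for k1, k2 in reversed(layers):
        data = xts(toy_decrypt, k1, k2, unit_no, data)
    return data

# Constructed sample: four distinct 256-bit keys (two per layer), standing in for independent ones.
KEYS = [(bytes([n]) * 32, bytes([n + 1]) * 32) for n in (1, 3)]
PLAIN = b"A" * 32  # two identical 16-byte blocks
CIPHER = cascade_encrypt(KEYS, 5, PLAIN)
```

Because XTS without ciphertext stealing processes each 128-bit block independently, running each layer over the whole buffer gives the same result as cascading block by block.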