I heard that Serpent and Twofish are much stronger than AES, but it was chosen because it is faster. If that's true, please tell me why it is stronger. Also: is it true that Twofish and Serpent are better protected from brute force attacks because they take longer to en/decrypt?
3 Answers
SHORT: This is kind of true. However, things are a bit different now. Better protection against brute force is an inaccurate claim.
At the time Rijndael (AES) won the competition, it was faster and sufficiently strong. After the competition, Rijndael (AES) has gotten faster (AES-NI and other hardware improvements). Rijndael (AES) has also gotten a significant amount of analysis, but it has not been broken in a practical way. Therefore, Rijndael (AES) has been shown to be quite a good pick.
The other AES finalists are also believed to be very good, but as they've not been as standardized, they will lack interoperability. Also, we've gotten very good at making Rijndael implementations during the last two decades. Because Serpent and Twofish have gotten less attention, it may be harder to find as good implementations of these algorithms than it is to find a very good AES implementation.
The difference in en/decryption speed between these algorithms does not translate into any meaningful difference in protection against brute force attacks.
For more information, see also the earlier answer by B-Con to a similar question regarding the advantages of Rijndael over Twofish and Serpent at: https://crypto.stackexchange.com/a/5290.
Here are quotes from Cryptography Engineering: Design Principles and Practical Applications (Niels Ferguson, Bruce Schneier, Tadayoshi Kohno):
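To put numbers on the brute-force point in the answer above, here is an added example (not part of the original answer) that converts a per-trial slowdown into equivalent key bits and compares it with a longer key. The attacker rate and the 4x slowdown are constructed assumptions, not measurements of any cipher.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed assumptions for illustration only.
ASSUMED_RATE = 1e18       # key trials per second against the faster cipher
ASSUMED_SLOWDOWN = 4.0    # per-trial cost of the slower cipher, relative to the faster one


def expected_years(key_bits: int, trials_per_second: float) -> float:
    """Expected exhaustive-search time: on average half the keyspace is tried."""
    return (2 ** (key_bits - 1)) / trials_per_second / SECONDS_PER_YEAR


def equivalent_extra_bits(slowdown: float) -> float:
    """A cipher costing `slowdown` times more per trial resists brute force
    as if its key were log2(slowdown) bits longer."""
    return math.log2(slowdown)


def compare(key_bits: int, base_rate: float, slowdown: float) -> dict:
    """Search time for a fast cipher, a slower cipher, and the gain in key bits."""
    return {
        "fast_years": expected_years(key_bits, base_rate),
        "slow_years": expected_years(key_bits, base_rate / slowdown),
        "extra_bits": equivalent_extra_bits(slowdown),
    }


if __name__ == "__main__":
    for bits in (128, 192, 256):
        r = compare(bits, ASSUMED_RATE, ASSUMED_SLOWDOWN)
        print(f"{bits}-bit key: fast {r['fast_years']:.2e} y, "
              f"slow {r['slow_years']:.2e} y, "
              f"slowdown worth {r['extra_bits']:.1f} bits")
```

Under these assumptions a cipher four times slower buys the equivalent of two key bits, while the search for a 128-bit key is already far out of reach at either speed.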
Serpent [...] is built like a tank. Easily the most conservative of all the AES submissions, Serpent is in many ways the opposite of AES. Whereas AES puts emphasis on elegance and efficiency, Serpent is designed for security all the way.
[...]
Twofish [...] can be seen as a compromise between AES and Serpent. It is nearly as fast as AES, but it has a larger security margin.
Which seems to imply that AES is indeed weaker than Twofish and Serpent.
Moreover, the paragraph about AES, in the same book, lists important advances that have been made against AES. It then says that it's still reasonable to use it, but advises to build "some flexibility" in new systems, "in case you need to replace AES with another block cipher in the future".
No, there is no mathematical proof to conclusively prove that Serpent and Twofish are stronger. The newer processors (Intel, AMD, and even processors used in phones) have hardware instructions for AES, which, apart from making AES much faster than the other two, defend against all kinds of side-channel attacks (timing attacks, power consumption analysis, etc.). That means in a practical sense AES is stronger than the other two.