Mailing List Archive: GnuPG: users

AES vs. Serpent vs. Twofish (was Re: KeePass or any other password wallet to store and transport keys)

 

 



ben at adversary

Jul 26, 2012, 2:56 AM

Post #1 of 3
AES vs. Serpent vs. Twofish (was Re: KeePass or any other password wallet to store and transport keys)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 26/07/12 6:40 PM, Robert J. Hansen wrote:
> On 7/26/2012 4:05 AM, Ben McGinnes wrote:
>> On a semi-related tangent, does this mean that utilising the
>> three symmetric ciphers available in TrueCrypt (AES, Serpent and
>> Twofish) is a bad idea or do they play well together?
>
> My understanding is they at least tolerate each other, but I'm
> unaware of any serious analysis that suggests you enjoy increased
> cryptographic strength by stacking them. It wouldn't surprise me
> if you did, but at the same time ... as I mentioned earlier, I
> really don't see the point.

Okay.

>> Also, if you had to pick one of those three, which would you
>> choose (for general purposes rather than a specific threat model
>> and ignoring the possible speed differences between AES and
>> Serpent)?
>
> This presumes I'm competent to have an opinion. I really don't
> think I am. Evaluating cryptographic algorithms is almost as hard
> as designing them. It's the sort of thing that's best done by a
> handful of experts all looking at the algorithms through slightly
> different prisms of experience and skill.

Fair enough. Unfortunately I don't have any cryptographers or
cryptanalysts on speed dial. This group is probably one amongst my
better sources of information. Although maybe I should be asking
Werner since he's clearly implemented all three algorithms (and
several others).

> For instance, I don't like Serpent very much on account of how
> complex it is. My rule of thumb is, "if I don't believe an
> undergraduate in computer science can understand this algorithm,
> how can I expect people to implement this algorithm correctly?"
> So, had I been on the AES selection committee, I'd have given
> Serpent a thumbs-down. Other people with different perspectives
> would've given it thumbs-ups and thumbs-down, and our ultimate
> recommendation would take into account all the input of the
> different experts on the selection committee.

Interesting. Most of the things I've read on Serpent, which
admittedly isn't much, is about how it was not accepted for AES
because of the speed aspects rather than other aspects and that it may
be more secure.

> But whenever you ask one person for his or her opinion on a
> cipher, all you're getting is one perspective, and you really need
> more perspectives than that.

Exactly. I figured this would be a good place to start and I'd
definitely like to read what other list members think on this topic.

> Still, you asked a question, and now that I've spent three
> paragraphs explaining why you shouldn't trust my answer I'll give
> you my answer: Twofish.

Heh. Caveats are important, especially on a topic like this which so
often looks like black magic.

> Most symmetric ciphers nowadays are built around Feistel networks.
> We have a lot of experience with Feistel networks: many algorithms
> built around them have held up quite well over the years. (3DES,
> for instance, which pretty much every cryppie holds in a mixture
> of distaste, disgust, fear, terror, awe and reverence, is built
> around a Feistel network. 30+ years, no really meaningful results
> against it.) Feistel networks make me happy: who doesn't like a
> track record of success?

This is a very good point and you're also right about the 3DES thing.

> Rijndael is not a Feistel cipher. That doesn't mean it's bad, far
> from it.

Cool.

> But if Feistel networks give me the warm fuzzies, then that means
> I need to strike non-Feistel networks from my list.

Okay, this bit I don't follow. I get favouring Feistel networks
because of their proven track record, but I don't see why it would
necessitate ruling out Substitution-Permutation networks and other
types of ciphers.

> I don't like Serpent's complexity: I think that leads to
> difficulty in implementing it. By comparison, I've implemented
> Twofish a couple of times and have seen undergraduates implement it
> correctly.

Okay, that makes sense.

> So, yeah, for my money I prefer Twofish. But I don't think you
> should trust my opinion worth a damn. :)

Fair enough. I think I'd like to get more opinions now.


Regards,
Ben

-----BEGIN PGP SIGNATURE-----

iEYEAREKAAYFAlARFDkACgkQNxrFv6BK4xM4XACgjL8ESxQj/rH68W1H9Y8cYuUj
ozYAnRWLAceszUxCnyyyVNnuEPb12+KC
=P9Zt
-----END PGP SIGNATURE-----

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users


rjh at sixdemonbag

Jul 26, 2012, 6:04 AM

Post #2 of 3
Re: AES vs. Serpent vs. Twofish (was Re: KeePass or any other password wallet to store and transport keys)

On 7/26/2012 5:56 AM, Ben McGinnes wrote:
> Interesting. Most of the things I've read on Serpent, which
> admittedly isn't much, is about how it was not accepted for AES
> because of the speed aspects rather than other aspects and that it
> may be more secure.

Yeah, well -- this tends to get written by people who have a thing for
Serpent. :) The Serpent submission claimed that they tried to account
for as-yet undiscovered cryptanalysis by having a sort of "safety net"
against future discoveries. The problem is that if you believe Serpent
on this, then you also probably need to believe Twofish and MARS when
they make similar claims.

My understanding is the AES voting went down like this: those who
preferred speed over larger security margins tended to go for Rijndael,
those who preferred larger security margins over speed tended to go for
Serpent, and pretty much everyone agreed that Twofish was an excellent
second choice. Under some kinds of voting (approval, instant runoff,
etc.), Twofish would have won the AES competition as being the option
highly preferable to the most people. Under the rules that were in
play, the first-place finish went to Rijndael.

>> But if Feistel networks give me the warm fuzzies, then that means I
>> need to strike non-Feistel networks from my list.
>
> Okay, this bit I don't follow. I get favouring Feistel networks
> because of their proven track record, but I don't see why it would
> necessitate ruling out Substitution-Permutation networks and other
> types of ciphers.

It doesn't. We're not talking about which algorithms are good: we're
talking about which algorithms I like. :)

I like Feistel networks, and for that reason I tend to go for the
Feistel cipher of the three. The fact Twofish is also simpler
implementation-wise is icing on the cake.

(Note that these lines are all somewhat arbitrary. A Feistel network
that uses S-boxes is going to be very similar to a
substitution-permutation network, and vice-versa. But still, Twofish is
pretty clearly Feistel, and AES and Serpent are pretty clearly not.)



faramir.cl at gmail

Jul 27, 2012, 6:27 PM

Post #3 of 3
Re: AES vs. Serpent vs. Twofish (was Re: KeePass or any other password wallet to store and transport keys)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 26-07-2012 5:56, Ben McGinnes wrote:
> On 26/07/12 6:40 PM, Robert J. Hansen wrote:
...
>> For instance, I don't like Serpent very much on account of how
>> complex it is. My rule of thumb is, "if I don't believe an
>> undergraduate in computer science can understand this algorithm,
>> how can I expect people to implement this algorithm correctly?"

Let's hope the people developing TrueCrypt have a computer science
graduate among them ;)

...
> Interesting. Most of the things I've read on Serpent, which
> admittedly isn't much, is about how it was not accepted for AES
> because of the speed aspects rather than other aspects and that it
> may be more secure.

I *think* I remember B. Schneier said Serpent is the most secure
of the AES contest. Current AES is recommended because it is the
standard, so, "no one gets fired for using AES" (like IBM), and for
his money, he would use TwoFish (if we consider Schneier was
uncomfortable with some things about AES that now are known to be not
as strong as they were supposed to be, maybe TwoFish lacks those
vulnerabilities... but might have other undiscovered issues. Good
thing is, *if* they remain undiscovered, they won't be exploited).

Anyway, one reason to cascade the 3 algorithms might be: Serpent,
because it is the most secure. TwoFish, because it might lack the
vulnerabilities AES has, and because we might be afraid Serpent was
not implemented right. And AES, because it is the standard, and no one
gets fired for choosing AES. Now, if we consider Serpent was rejected
because of its lack of speed, the 3 algos together must be like an
arthritic snail...

Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-----END PGP SIGNATURE-----

