your mail

Bram Cohen bram at
Mon Apr 15 13:08:28 EDT 2002

Pawe³ Krawczyk wrote:

> In this paper we study the security of such ciphers under an
> additional hypothesis: the S-box can be described by an overdefined
> system of algebraic equations (true with probability 1). We show that
> this hypothesis is true for both Serpent (due to a small size of
> S-boxes) and Rijndael (due to unexpected algebraic properties).

They claim an attack on 256-bit Rijndael and 192 and 256 bit Serpent. This
is a bit ironic, since Serpent's big claim previously was that it
exchanged some performance loss for better security, which turns out not
to be the case.

-Bram Cohen

"Markets can remain irrational longer than you can remain solvent"
                                        -- John Maynard Keynes

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list