The idea of avoiding something less popular, is that if someone gets your encrypted data, they could look through the algorithm and find a hole and break it without you knowing. However, choosing Serpent is not a choice of security through obscurity. Serpent is as open as AES, and in this day and age we have fairly reliable ways of deciding what makes a strong encryption cipher. Serpent came in 2nd in the AES contest, only beaten by Rijndael (which directly became AES). It is a 32-round substitution-permutation network where 16 rounds were deemed sufficient. Which, by the way, helped against the XSL attack (which can weaken AES), when applied to Serpent it is more expensive than a brute force attack (not true for AES).
There is probably more to gain by announcing you broke Serpent than by using it for personal gain, where I would argue the opposite is true of AES. That said, this conversation was initially about personal laptops and personal computers, and I only ever suggest it for personal use. Of course if you have government secrets or corporate data that needs to be secured, you should use something under heavy scrutiny. There is a lesser chance of a determined group of mathematicians getting at your data since many in the academic world are actively trying to break it. To say either AES or Serpent will never be broken is simply ignorant, but when it happens there will likely be programs to decrypt such data. Lets say which ever cipher you chose is broken tomorrow. I'm guessing the AES tools will be easier to get, and use than the Serpent ones. So if some random thief steals your laptop, they are more likely to decrypt it if you use AES. This scenario is more likely if they make an image of the hard drive to save for later. Again, all this changes if your data is very valuable for some reason, but I don't consider it a bad choice for personal use. On Thu, Mar 6, 2008 at 8:30 AM, Peter Meier <[EMAIL PROTECTED]> wrote: > Hi > > > I just wanted to jump in and say that I'm personally a fan of Serpent. > I > > like to use something that's a little less popular, but still open. It > is > > similar in strength (IMHO), but there will be more people trying to > break > > AES than Serpent. For example, I've read the XSL attack that can weaken > AES > > is too complex when used on Serpent -- it would be more expensive than a > > brute force attack. > > in my opinion quite a bad assumption. the more a crypto algorithm is > open, the more people it test, the more it can be assumed that it is > safe against current known attacks. > > greets pete > -- > [email protected] mailing list > >
