AES Finalist — 32 Rounds of Conservative Security
Designed by Eli Biham (Technion, Israel) · Ross Anderson (Cambridge) · Lars Knudsen (DTU)
Note: Both ciphers execute every round of their full specification: Serpent-256-CTR runs all 32 rounds per block, and AES-256-GCM runs all 14. AES-256-GCM benefits from hardware acceleration (AES-NI) via the Web Crypto API, while Serpent-256-CTR runs in WebAssembly without hardware acceleration. This comparison therefore reflects real-world browser throughput, not algorithmic speed.
"This performance gap is the price of Serpent's 2.7× security margin. The AES committee chose speed. Serpent chose to survive."
Eli Biham studied under Adi Shamir (the "S" in RSA) at the Weizmann Institute. Together they developed differential cryptanalysis — the technique that broke DES and reshaped how every modern block cipher is designed. Biham brought this deep understanding of attack mechanisms to Serpent's design, building a cipher specifically resistant to the techniques he himself had pioneered.
In the AES competition (1997–2000), Serpent placed second to Rijndael. Rijndael received 86 votes to Serpent's 59. NIST's selection criteria weighted performance alongside security. Rijndael was faster with fewer rounds (10/12/14 vs 32), while Serpent prioritized a conservative security margin — using twice as many rounds as needed to block all known shortcut attacks at the time.