Twofish
Encyclopedia
In cryptography
, Twofish is a symmetric key
block cipher
with a block size
of 128 bit
s and key size
s up to 256 bits. It was one of the five finalists of the Advanced Encryption Standard contest
, but was not selected for standardisation. Twofish is related to the earlier block cipher Blowfish
.
Twofish's distinctive features are the use of pre-computed key-dependent S-box
es, and a relatively complex key schedule
. One half of an n-bit key is used as the actual encryption key and the other half of the n-bit key is used to modify the encryption algorithm (key-dependent S-boxes). Twofish borrows some elements from other designs; for example, the pseudo-Hadamard transform
(PHT) from the SAFER
family of ciphers. Twofish uses the same Feistel structure as DES
.
On most software platforms Twofish is slightly slower than Rijndael (the chosen algorithm for Advanced Encryption Standard
) for 128-bit key
s, but somewhat faster for 256-bit keys.
Twofish was designed by Bruce Schneier
, John Kelsey
, Doug Whiting, David Wagner, Chris Hall
, and Niels Ferguson
; the "extended Twofish team" who met to perform further cryptanalysis of Twofish and other AES contest entrants included Stefan Lucks
, Tadayoshi Kohno, and Mike Stay.
The Twofish cipher has not been patent
ed and the reference implementation
has been placed in the public domain
. As a result, the Twofish algorithm is free for anyone to use without any restrictions whatsoever. It is one of a few ciphers included in the OpenPGP standard (RFC 4880). However, Twofish has seen less widespread usage than Blowfish
, which has been available longer.
published an impossible differential attack that breaks 6 rounds out of 16 of the 256-bit key version using 2256 steps.
, the best published cryptanalysis on the Twofish block cipher is a truncated differential cryptanalysis
of the full 16-round version. The paper claims that the probability of truncated differentials is 2-57.3 per block and that it will take roughly 251 chosen plaintexts (32 petabyte
s worth of data) to find a good pair of truncated differentials.
Bruce Schneier
responds in a 2005 blog entry that this paper does not present a full cryptanalytic attack, but only some hypothesized differential characteristics: "But even from a theoretical perspective, Twofish isn't even remotely broken. There have been no extensions to these results since they were published in 2000."
Cryptography
Cryptography is the practice and study of techniques for secure communication in the presence of third parties...
, Twofish is a symmetric key
Symmetric-key algorithm
Symmetric-key algorithms are a class of algorithms for cryptography that use trivially related, often identical, cryptographic keys for both encryption of plaintext and decryption of ciphertext. The encryption key is trivially related to the decryption key, in that they may be identical or there is...
block cipher
Block cipher
In cryptography, a block cipher is a symmetric key cipher operating on fixed-length groups of bits, called blocks, with an unvarying transformation. A block cipher encryption algorithm might take a 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext...
with a block size
Block size (cryptography)
In modern cryptography, symmetric key ciphers are generally divided into stream ciphers and block ciphers. Block ciphers operate on a fixed length string of bits. The length of this bit string is the block size...
of 128 bit
Bit
A bit is the basic unit of information in computing and telecommunications; it is the amount of information stored by a digital device or other physical system that exists in one of two possible distinct states...
s and key size
Key size
In cryptography, key size or key length is the size measured in bits of the key used in a cryptographic algorithm . An algorithm's key length is distinct from its cryptographic security, which is a logarithmic measure of the fastest known computational attack on the algorithm, also measured in bits...
s up to 256 bits. It was one of the five finalists of the Advanced Encryption Standard contest
Advanced Encryption Standard process
The Advanced Encryption Standard , the block cipher ratified as a standard by National Institute of Standards and Technology of the United States , was chosen using a process markedly more open and transparent than its predecessor, the aging Data Encryption Standard...
, but was not selected for standardisation. Twofish is related to the earlier block cipher Blowfish
Blowfish (cipher)
Blowfish is a keyed, symmetric block cipher, designed in 1993 by Bruce Schneier and included in a large number of cipher suites and encryption products. Blowfish provides a good encryption rate in software and no effective cryptanalysis of it has been found to date...
.
Twofish's distinctive features are the use of pre-computed key-dependent S-box
Substitution box
In cryptography, an S-Box is a basic component of symmetric key algorithms which performs substitution. In block ciphers, they are typically used to obscure the relationship between the key and the ciphertext — Shannon's property of confusion...
es, and a relatively complex key schedule
Key schedule
[[Image:DES-key-schedule.png|thumbnail|220px|The key schedule of DES [[Image:DES-key-schedule.png|thumbnail|220px|The key schedule of DES [[Image:DES-key-schedule.png|thumbnail|220px|The key schedule of DES ("[[Image:DES-key-schedule.png|thumbnail|220px|The key schedule of DES ("...
. One half of an n-bit key is used as the actual encryption key and the other half of the n-bit key is used to modify the encryption algorithm (key-dependent S-boxes). Twofish borrows some elements from other designs; for example, the pseudo-Hadamard transform
Pseudo-Hadamard transform
The pseudo-Hadamard transform is a reversible transformation of a bit string that provides cryptographic diffusion. See Hadamard transform.The bit string must be of even length, so it can be split into two bit strings a and b of equal lengths, each of n bits...
(PHT) from the SAFER
SAFER
In cryptography, SAFER is the name of a family of block ciphers designed primarily by James Massey on behalf of Cylink Corporation. The early SAFER K and SAFER SK designs share the same encryption function, but differ in the number of rounds and the key schedule...
family of ciphers. Twofish uses the same Feistel structure as DES
Data Encryption Standard
The Data Encryption Standard is a block cipher that uses shared secret encryption. It was selected by the National Bureau of Standards as an official Federal Information Processing Standard for the United States in 1976 and which has subsequently enjoyed widespread use internationally. It is...
.
On most software platforms Twofish is slightly slower than Rijndael (the chosen algorithm for Advanced Encryption Standard
Advanced Encryption Standard
Advanced Encryption Standard is a specification for the encryption of electronic data. It has been adopted by the U.S. government and is now used worldwide. It supersedes DES...
) for 128-bit key
Key (cryptography)
In cryptography, a key is a piece of information that determines the functional output of a cryptographic algorithm or cipher. Without a key, the algorithm would produce no useful result. In encryption, a key specifies the particular transformation of plaintext into ciphertext, or vice versa...
s, but somewhat faster for 256-bit keys.
Twofish was designed by Bruce Schneier
Bruce Schneier
Bruce Schneier is an American cryptographer, computer security specialist, and writer. He is the author of several books on general security topics, computer security and cryptography, and is the founder and chief technology officer of BT Managed Security Solutions, formerly Counterpane Internet...
, John Kelsey
John Kelsey (cryptanalyst)
John Kelsey is a cryptographer currently working at NIST. His research interests include cryptanalysis and design of symmetric cryptography primitives , analysis and design of cryptographic protocols, cryptographic random number generation, electronic voting, side-channel attacks on cryptography...
, Doug Whiting, David Wagner, Chris Hall
Chris Hall (cryptographer)
Christopher Hall is an American cryptographer and mathematician. He is one of the creators of the cryptosystem Twofish. He obtained a Ph.D. in Mathematics from Princeton University in 2003, under Nick Katz.-References:...
, and Niels Ferguson
Niels Ferguson
Niels T. Ferguson is a Dutch cryptographer and consultant who currently works for Microsoft. He has worked with others, including Bruce Schneier, designing cryptographic algorithms, testing algorithms and protocols, and writing papers and books...
; the "extended Twofish team" who met to perform further cryptanalysis of Twofish and other AES contest entrants included Stefan Lucks
Stefan Lucks
Stefan Lucks is a researcher in the fields of communications security and cryptography. Lucks is known for his attack on Triple DES, and for extending Lars Knudsen's Square attack to Twofish, a cipher outside the Square family, thus generalising the attack into integral cryptanalysis...
, Tadayoshi Kohno, and Mike Stay.
The Twofish cipher has not been patent
Patent
A patent is a form of intellectual property. It consists of a set of exclusive rights granted by a sovereign state to an inventor or their assignee for a limited period of time in exchange for the public disclosure of an invention....
ed and the reference implementation
Reference implementation
In the software development process, a reference implementation is the standard from which all other implementations, with their attendant customizations, are measured, and to which all improvements are added...
has been placed in the public domain
Public domain
Works are in the public domain if the intellectual property rights have expired, if the intellectual property rights are forfeited, or if they are not covered by intellectual property rights at all...
. As a result, the Twofish algorithm is free for anyone to use without any restrictions whatsoever. It is one of a few ciphers included in the OpenPGP standard (RFC 4880). However, Twofish has seen less widespread usage than Blowfish
Blowfish (cipher)
Blowfish is a keyed, symmetric block cipher, designed in 1993 by Bruce Schneier and included in a large number of cipher suites and encryption products. Blowfish provides a good encryption rate in software and no effective cryptanalysis of it has been found to date...
, which has been available longer.
Cryptanalysis
In 1999, Niels FergusonNiels Ferguson
Niels T. Ferguson is a Dutch cryptographer and consultant who currently works for Microsoft. He has worked with others, including Bruce Schneier, designing cryptographic algorithms, testing algorithms and protocols, and writing papers and books...
published an impossible differential attack that breaks 6 rounds out of 16 of the 256-bit key version using 2256 steps.
, the best published cryptanalysis on the Twofish block cipher is a truncated differential cryptanalysis
Truncated differential cryptanalysis
In cryptography, truncated differential cryptanalysis is a generalization of differential cryptanalysis, an attack against block ciphers. Lars Knudsen developed the technique in 1994. Whereas ordinary differential cryptanalysis analyzes the full difference between two texts, the truncated variant...
of the full 16-round version. The paper claims that the probability of truncated differentials is 2-57.3 per block and that it will take roughly 251 chosen plaintexts (32 petabyte
Petabyte
A petabyte is a unit of information equal to one quadrillion bytes, or 1000 terabytes. The unit symbol for the petabyte is PB...
s worth of data) to find a good pair of truncated differentials.
Bruce Schneier
Bruce Schneier
Bruce Schneier is an American cryptographer, computer security specialist, and writer. He is the author of several books on general security topics, computer security and cryptography, and is the founder and chief technology officer of BT Managed Security Solutions, formerly Counterpane Internet...
responds in a 2005 blog entry that this paper does not present a full cryptanalytic attack, but only some hypothesized differential characteristics: "But even from a theoretical perspective, Twofish isn't even remotely broken. There have been no extensions to these results since they were published in 2000."
External links
- Reference implementation and derived code
- Twofish web page with full specifications, free source code, and other Twofish resources.
- David Wagner's sci.crypt post recommending AES over Twofish — Wagner was one of the designers of Twofish.
- SCAN's entry for Twofish
- http://www.schneier.com/twofish-products.html List of products using TwoFish