Results 1 - 5 of 5
Twofish: A 128-Bit Block Cipher
- in First Advanced Encryption Standard (AES) Conference, 1998
Cited by 50 (8 self)
Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits. The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit S-boxes, a fixed 4-by-4 maximum distance separable matrix over GF(2^8), a pseudo-Hadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8-bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2^22.5 chosen plaintexts and 2^51 effort.
Unbalanced Feistel Networks and Block-Cipher Design
- Fast Software Encryption, 3rd International Workshop Proceedings, 1996
Cited by 44 (5 self)
We examine a generalization of the concept of Feistel networks, which we call Unbalanced Feistel Networks (UFNs). Like conventional Feistel networks, UFNs consist of a series of rounds in which one part of the block operates on the rest of the block. However, in a UFN the two parts need not be of equal size. Removing this limitation on Feistel networks has interesting implications for designing ciphers secure against linear and differential attacks. We describe UFNs and a terminology for discussing their properties, present and analyze some UFN constructions, and make some initial observations about their security. It is notable that almost all the proposed ciphers that are based on Feistel networks follow the same design construction: half the bits operate on the other half. There is no inherent reason that this should be so; as we will demonstrate, it is possible to design Feistel networks across a much wider, richer design space. In this paper, we examine the nature of the...
Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER and Triple-DES
- In Advances in Cryptology - CRYPTO '96, 1996
Cited by 4 (0 self)
Abstract. We present new attacks on key schedules of block ciphers. These attacks are based on the principles of related-key differential cryptanalysis: attacks that allow both keys and plaintexts to be chosen with specific differences. We show how these attacks can be exploited in actual protocols and cryptanalyze the key schedules of a variety of algorithms, including three-key triple-DES.
Key-dependent S-boxes, Differential Cryptanalysis, and Twofish (Extended Abstract), 2002
Cited by 4 (0 self)
Key-dependent S-boxes have recently gained prominence as a component in block cipher design. In this paper we make some observations on how the cryptanalyst might work with key-dependent S-boxes, we begin to develop a framework for the differential cryptanalysis of key-dependent S-boxes, and we introduce some basic techniques that were used in an analysis of reduced-round Twofish.
Feistel Networks and Blowfish, 2000
i must be done modulo to make sure that the correct number of bits is not exceeded. The best part about the above method is that you can use non-invertible functions for f_i. When you are done with n rounds, your ciphertext is the concatenation of R_n and L_n. They are concatenated with R_n becoming the most significant bits and L_n the least, so the method used for encryption is the same as for decryption. As an example, I'm going to encrypt the number 173, using a 3 round network. The functions will be defined as follows. f_0(x) = 1110, f_1(x) = x 1010, f_2(x) = x + 0011. All that's left to do is to translate 173 into binary, then break it into L_0 and R_0

