We present a new scheme called universal block chaining with sum (or chain & sum primitive (C&S) for short), and show its application to the problem of combined encryption and authentication of data. The primitive is a weak CBC-type encryption along with a summing step, and can be used as a front end to stream ciphers to encrypt pages or blocks of data (e.g., in an encrypted file system or in a video stream). Under standard assumptions, the resulting encryption scheme provably acts as a random permutation on the blocks, and has message integrity features of standard CBC encryption. The primitive also yields a very fast message authentication code (MAC), which is a multivariate polynomial evaluation hash. The multivariate feature and the summing aspect are novel parts of the design. Our tests show that the chain & sum primitive adds approximately 20 percent overhead to the fastest stream ciphers. 1

The 16-byte block cipher Twofish was proposed as a candidate for the Advanced Encryption Standard (AES). This paper notes the following two properties of the Twofish key schedule. Firstly, there is a non-uniform distribution of 16-byte whitening subkeys. Secondly, in a reduced (fixed Feistel round function) Twofish with an 8-byte key, there is a non-uniform distribution of any 8-byte round subkey. An example of two distinct 8-byte keys giving the same round subkey is given. 1 Brief Description of Twofish Twofish is a block cipher on 16-byte blocks under the action of a 16, 24 or 32-byte key [1]. For simplicity, we consider the version with a 16-byte key. Twofish has a Feistel-type design. Suppose we have a 16-byte plaintext P =(PL,P R ) and a 16-byte key K =(KL,K R ) considered as row vectors. Let F = GF (2 8 ) be the finite field defined by the primitive polynomial x 8 + x 6 + x 3 + x 2 +1. Twofish uses an invertible round function g S0 ,S1 : F 4 F 4 # F 4 F 4...