## Twofish: A 128-Bit Block Cipher (1998)

Venue: First Advanced Encryption Standard (AES) Conference

Citations: 56 (8 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Schneier98twofish:a,
  author    = {Bruce Schneier and John Kelsey and Doug Whiting and David Wagner and Chris Hall and Niels Ferguson},
  title     = {Twofish: A 128-Bit Block Cipher},
  booktitle = {in First Advanced Encryption Standard (AES) Conference},
  year      = {1998}
}
```

### Abstract

Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits. The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit S-boxes, a fixed 4-by-4 maximum distance separable matrix over GF(2^8), a pseudo-Hadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8-bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2^22.5 chosen plaintexts and 2^51 effort.

### Citations

3067 | A method for obtaining digital signatures and public-key cryptosystems - Rivest, Shamir, et al. - 1978 |
Citation Context: ...stem,” is equivalent to a public-key cryptosystem [BFL96]. Again, as cryptographers we would achieve far greater recognition by publishing a public-key cryptosystem that is not dependent on factoring [RSA78] or the discrete logarithm problem [DH76, ElG85, NIST94]. And the resulting algorithm’s dual capabilities as both a symmetric and public-key algorithm would make it far more flexible than the AES comp...

2845 | New Directions in Cryptography - Diffie, Hellman - 1976 |

2033 | The theory of error-correcting Codes - MacWilliams, Sloane - 1977 |
Citation Context: ...ping from a field elements to b field elements, producing a composite vector of a + b elements, with the property that the minimum number of non-zero elements in any non-zero vector is at least b + 1 [MS77]. Put another way, the “distance” (i.e., the number of elements that differ) between any two distinct vectors produced by the MDS mapping is at least b + 1. It can easily be shown that no mapping can ...

1173 | A public key cryptosystem and a signature scheme based on discrete logarithms - ElGamal - 1985 |

492 | Keying hash functions for message authentication - Bellare, Canetti, et al. - 1996 |
Citation Context: ...onstruction must ensure that only a single key length is used. 11.3 Message Authentication Codes Any one-way hash function can be used to build a message authentication code using existing techniques [BCK96]. Again, we believe Twofish’s strong key schedule makes it very suitable for these constructions. 11.4 Pseudo-Random Number Generators Twofish can also be used as a primitive in a pseudo-random number...

463 | Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems - Kocher - 1996 |
Citation Context: ...n. However, we do have these comments to make on the design. Side-channel cryptanalysis [KSWH98b] uses information about the cipher in addition to the plaintext or ciphertext. Examples include timing [Koc96], power consumption (including differential power analysis [Koc98]), NMR scanning, and electronic emanations. With many algorithms it is possible to reconstruct the key from these side channels. Wh...

448 | Linear cryptanalysis method for DES cipher - Matsui - 1994 |
Citation Context: ...le research in designing ciphers to be resistant to known attacks [Nyb91, Nyb93, OCo94a, OCo94b, OCo94c, Knu94a, Knu94b, Nyb94, DGV94b, Nyb95, NK95, Mat96, Nyb96], such as differential [BS93], linear [Mat94], and related-key cryptanalysis [Bih94, KSW96, KSW97]. This research has culminated in strong cipher designs—CAST-128 [Ada97a] and MISTY [Mat97] are probably the most noteworthy—as well as some excell...

388 | The MD4 message digest algorithm - Rivest - 1991 |
Citation Context: ...r to combine the output of F with the target block. This is done primarily for simplicity; xor is the most efficient operation in both hardware and software. We chose not to use addition (used in MD4 [Riv91], MD5 [Riv92], RIPEMD160 [DBP96] and SHA [NIST93]), or a more complicated combining function like Latin squares (used in DESV [CDN95]). We did not implement dynamic swapping [KKT94] or any additional ...

350 | Differential Cryptanalysis of the Data Encryption Standard - Biham, Shamir - 1993 |
Citation Context: ...been considerable research in designing ciphers to be resistant to known attacks [Nyb91, Nyb93, OCo94a, OCo94b, OCo94c, Knu94a, Knu94b, Nyb94, DGV94b, Nyb95, NK95, Mat96, Nyb96], such as differential [BS93], linear [Mat94], and related-key cryptanalysis [Bih94, KSW96, KSW97]. This research has culminated in strong cipher designs—CAST-128 [Ada97a] and MISTY [Mat97] are probably the most noteworthy—as wel...

315 | On the Importance of Checking Cryptographic Protocols for Faults, proceedings of Eurocrypt - Boneh, DeMillo, et al. - 1997 |

282 | The RC5 encryption algorithm - Rivest - 1995 |
Citation Context: ...[NBS77]. It is the basis of most block ciphers published since then, including FEAL [SM88], GOST [GOST89], Khufu and Khafre [Mer91], LOKI [BPS90, BKPS93], CAST-128 [Ada97a], Blowfish [Sch94], and RC5 [Riv95]. The fundamental building block of a Feistel network is the F function: a key-dependent mapping of an input string onto an output string. An F function is always non-linear and possibly non-surjectiv...

270 | Applied Cryptography, Second Edition - Schneier - 1996 |
Citation Context: ...zation principles associated with high-performance CPUs. Thus, many algorithms are not as efficient as they could be. Minor modifications in the design of Blowfish [Sch94], SEAL [RC94, RC97], and RC4 [Sch96] could improve performance without affecting security [SW97] (or, alternatively, increase the algorithms’ complexity without affecting performance). In designing Twofish, we tried to evaluate all desi...

261 | New directions in cryptography - Diffie, Hellman - 1976 |

243 | Differential fault analysis of secret key cryptosystems - Biham, Shamir |

184 | Timing Attacks on - Kocher - 1996 |
Citation Context: ...n. However, we do have these comments to make on the design. Side-channel cryptanalysis [KSWH98b] uses information about the cipher in addition to the plaintext or ciphertext. Examples include timing [Koc96], power consumption (including differential power analysis [Koc98]), NMR scanning, and electronic emanations. With many algorithms it is possible to reconstruct the key from these side channels. Wh...

169 | Description of a new variable-length key, 64-bit block cipher (Blowfish) - Schneier - 1994 |
Citation Context: ...pularized by DES [NBS77]. It is the basis of most block ciphers published since then, including FEAL [SM88], GOST [GOST89], Khufu and Khafre [Mer91], LOKI [BPS90, BKPS93], CAST-128 [Ada97a], Blowfish [Sch94], and RC5 [Riv95]. The fundamental building block of a Feistel network is the F function: a key-dependent mapping of an input string onto an output string. An F function is always non-linear and possi...

166 | New Types of Cryptanalytic Attacks Using Related Keys - Biham - 1994 |
Citation Context: ...sen-plaintext queries; however, as we shall see next, there is a generalization to related-key attacks as well. Related-key slide attacks were first discovered by Biham in his attack on a DES variant [Bih94]. To mount a related-key slide attack on Twofish, an attacker must find a pair of keys M, M* such that the key-dependent S-boxes in g are unchanged, but the subkey sequences slide down one round. Thi...

155 | A Proposal for a New Block Encryption Standard - Lai, Massey - 1991 |

143 | Cryptography and computer privacy - Feistel - 1973 |
Citation Context: ...istel Networks A Feistel network is a general method of transforming any function (usually called the F function) into a permutation. It was invented by Horst Feistel [FNS75] in his design of Lucifer [Fei73], and popularized by DES [NBS77]. It is the basis of most block ciphers published since then, including FEAL [SM88], GOST [GOST89], Khufu and Khafre [Mer91], LOKI [BPS90, BKPS93], CAST-128 [Ada97a], B...

141 | Differentially uniform mappings for cryptography - Nyberg - 1994 |

119 | The block cipher Square - Daemen, Knudsen, et al. - 1997 |
Citation Context: ...hat all possible square submatrices, obtained by discarding rows or columns, are non-singular. Serge Vaudenay first proposed MDS matrices as a cipher design element [Vau95]. Shark [RDP+96] and Square [DKR97] use MDS matrices (see also [YMT97]), although we first saw the construction used in the unpublished cipher Manta [Fer96]. Twofish uses a single 4-by-4 MDS matrix over GF(2^8). 3.4 Pseudo-Hadamard ...

118 | Analysis and design of cryptographic hash functions - Preneel - 1993 |
Citation Context: ...h from this. 11.2 One-Way Hash Functions The most common way of using a block cipher as a hash function is a Davies-Meyer construction [Win84]: H_i = H_{i-1} ⊕ E_{M_i}(H_{i-1}). There are fifteen other variants [Pre93]. We believe that Twofish can be used securely in any of these formats; note, however, that the key schedule has been analyzed mainly for related-key attacks, not for the class of chosen-key attack th...

117 | RIPEMD-160: a strengthened version of RIPEMD - Dobbertin, Bosselaers, et al. - 1996 |
Citation Context: ...h the target block. This is done primarily for simplicity; xor is the most efficient operation in both hardware and software. We chose not to use addition (used in MD4 [Riv91], MD5 [Riv92], RIPEMD160 [DBP96] and SHA [NIST93]), or a more complicated combining function like Latin squares (used in DESV [CDN95]). We did not implement dynamic swapping [KKT94] or any additional complexity. 7.7 Use of Different...

114 | Markov Ciphers and Differential Cryptanalysis - Lai, Massey, et al. - 1991 |

101 | Truncated and higher order differentials - Knudsen - 1994 |
Citation Context: ...gher-order differentials that can be exploited in the cryptanalysis of Twofish. 8.2.2 Truncated Differentials Attacks using truncated differentials apply a differential attack to only a partial block [Knu95b]. We have not found any truncated attacks against Twofish. The almost complete diffusion within a round function makes it very difficult to isolate a portion of the block and ignore the rest of the bl...

96 | Minimal key lengths for symmetric ciphers to provide adequate commercial security - Blaze, Diffie, et al. - 1996 |

91 | How to protect DES against exhaustive key search - Kilian, Rogaway - 1996 |
Citation Context: ...mily. 3.5 Whitening Whitening, the technique of xoring key material before the first round and after the last round, was used by Merkle in Khufu/Khafre, and independently invented by Rivest for DES-X [KR96]. In [KR96], it was shown that whitening substantially increases the difficulty of keysearch attacks against the remainder of the cipher. In our attacks on reduced-round Twofish variants, we discovere...

88 | Side channel cryptanalysis of product ciphers - Kelsey, Schneier, et al. - 1998 |
Citation Context: ...alysis Resistance to these attacks was not part of the AES criteria, and hence not a major concern in this design. However, we do have these comments to make on the design. Side-channel cryptanalysis [KSWH98b] uses information about the cipher in addition to the plaintext or ciphertext. Examples include timing [Koc96], power consumption (including differential power analysis [Koc98]), NMR scanning, and ele...

74 | Perfect nonlinear S-boxes - Nyberg - 1991 |

73 | Exhaustive Cryptanalysis of the NBS Data Encryption Standard - Diffie, Hellman - 1977 |
Citation Context: ...troversy. Some cryptographers objected to the "closed-door" design process of the algorithm. The debate about whether DES' key is too short for acceptable commercial security has raged for many years [DH79], but recent advances in distributed key search techniques have left no doubt in anyone's mind that its key is simply too short for today's security applications [Wie94, BDR+96]. TripleDES has emerged...

71 | The Data Encryption Standard (DES) and Its Strength Against Attacks - Coppersmith - 1994 |
Citation Context: ...weak [BS93, Mat95], and CMEA was weakened extensively because of a poor S-box choice [WSK97]. Some cipher designers responded to this threat by carefully crafting S-boxes to resist known attacks— DES [Cop94], s^n DES [KPL93, Knu93c, KLPL95], CAST [MA96, Ada97a]—while others relied on random key-dependent S-boxes for security—Khufu, Blowfish, WAKE [Whe94]. The best existing attack on Khufu breaks 16 ro...

70 | Efficient DES key search - Wiener - 1994 |

69 | Two practical and provably secure block ciphers: BEAR and LION - Anderson, Biham - 1996 |

68 | Linear approximations of block ciphers - Nyberg - 1995 |

65 | New block encryption algorithm MISTY - Matsui - 1997 |
Citation Context: ...K95, Mat96, Nyb96], such as differential [BS93], linear [Mat94], and related-key cryptanalysis [Bih94, KSW96, KSW97]. This research has culminated in strong cipher designs—CAST-128 [Ada97a] and MISTY [Mat97] are probably the most noteworthy—as well as some excellent cryptanalytic theory. However, it is dangerous to rely solely on theory when designing ciphers. Ciphers provably secure against differential...

65 | A fast new DES implementation in software - Biham - 1997 |

64 | TEA, a tiny encryption algorithm - Wheeler, Needham, et al. - 1994 |
Citation Context: ...alyze and rely on more ad-hoc arguments for security (e.g., REDOCII [CW91]). However, with enough rounds, even bad round functions can be made to be secure. Even a simple round function like TEA’s [WN95] or RC5’s seems secure after 32 rounds [BK98]. In Twofish, we tried to create a simple round function and then iterate it more than enough times for security. 6.3.1 Reusing Primitives One of the ways ...

63 | The interpolation attack on block ciphers - Jakobsen, Knudsen - 1997 |
Citation Context: ...rely solely on theory when designing ciphers. Ciphers provably secure against differential cryptanalysis have been attacked with higher-order differentials [Lai94, Knu95b] or the interpolation attack [JK97]: KN-cipher [NK95] was attacked in [JK97, SMK98], Kiefer [Kie96] in [JK97], and a version of CAST in [MSK98a]. The CAST cipher cryptanalyzed in [MSK98a] is not CAST-128, but it does illustrate that wh...

62 | Higher order derivatives and differential cryptanalysis - Lai |

60 | LOKI - a cryptographic primitive for authentication and secrecy applications - Brown, Pieprzyk, et al. - 1990 |
Citation Context: ...AL paper [SM88], for example, discussed the benefits of a stronger round function and fewer rounds. Other cipher designs of the period— REDOC II [CW91], LOKI [BPS90] and LOKI 93 [BKPS93], IDEA [LM91, LMM91]—only considered performance as an afterthought. Khufu/Khafre [Mer91] was the first published algorithm that explicitly used operations that were efficient on ...

55 | Linear cryptanalysis using multiple approximations - Kaliski, Robshaw - 1994 |
Citation Context: ...ryptanalysis Another generalization of linear cryptanalysis looks at non-linear relations [KR96a]: e.g., quadratic relations. While this attack, combined with the technique of multiple approximations [KR94], managed to improve the best linear attack against DES a minute amount [SK98], we do not believe it can be brought to bear against Twofish for the same reasons that it is immune to linear cryptanalys...

55 | A software-optimized encryption algorithm - Rogaway - 1994 |

55 | Unbalanced Feistel networks and block cipher design - Schneier, Kelsey - 1996 |
Citation Context: ...ke an F function, which may be a weak encryption algorithm when taken by itself, and repeatedly iterate it to create a strong encryption algorithm. Two rounds of a Feistel network is called a “cycle” [SK96]. In one cycle, every bit of the text block has been modified once. (Footnote 1: A non-surjective F function is one in which not all outputs in the output space can occur. Footnote 2: The notion of a cycle allows Feiste...)

53 | HAVAL - a one-way hashing algorithm with variable length output - Zheng, Pieprzyk, et al. - 1993 |

51 | SAFER K-64: a byte-oriented block-ciphering algorithm - Massey - 1994 |
Citation Context: ...A pseudo-Hadamard transform (PHT) is a simple mixing operation that runs quickly in software. Given two inputs, a and b, the 32-bit PHT is defined as: a' = a + b mod 2^32, b' = a + 2b mod 2^32. SAFER [Mas94] uses 8-bit PHTs extensively for diffusion. Twofish uses a 32-bit PHT to mix the outputs from its two parallel 32-bit g functions. This PHT can be executed in two opcodes on most modern microprocessor...

47 | Exhaustive Cryptanalysis of the NBS Data Encryption Standard - Diffie, Hellman - 1977 |
Citation Context: ...troversy. Some cryptographers objected to the “closed-door” design process of the algorithm. The debate about whether DES’ key is too short for acceptable commercial security has raged for many years [DH79], but recent advances in distributed key search techniques have left no doubt in anyone’s mind that its key is simply too short for today’s security applications [Wie94, BDR+96]. TripleDES has emerged...

46 | Related-key cryptanalysis of 3-WAY - Kelsey, Schneier, et al. - 1997 |

46 | Cryptanalytic Attacks on Pseudorandom Number Generators - Kelsey, Schneier, et al. - 1998 |

45 | Provable security against a differential cryptanalysis - Nyberg, Knudsen - 1993 |
Citation Context: ...ory when designing ciphers. Ciphers provably secure against differential cryptanalysis have been attacked with higher-order differentials [Lai94, Knu95b] or the interpolation attack [JK97]: KN-cipher [NK95] was attacked in [JK97, SMK98], Kiefer [Kie96] in [JK97], and a version of CAST in [MSK98a]. The CAST cipher cryptanalyzed in [MSK98a] is not CAST-128, but it does illustrate that while the CAST desig...

45 | Fast data encipherment algorithm FEAL - Shimizu, Miyaguchi - 1988 |
Citation Context: ...to a permutation. It was invented by Horst Feistel [FNS75] in his design of Lucifer [Fei73], and popularized by DES [NBS77]. It is the basis of most block ciphers published since then, including FEAL [SM88], GOST [GOST89], Khufu and Khafre [Mer91], LOKI [BPS90, BKPS93], CAST-128 [Ada97a], Blowfish [Sch94], and RC5 [Riv95]. The fundamental building block of a Feistel network is the F function: a key-depe...