New Results on the Twofish Encryption Algorithm

Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson

In Proc. 2nd AES candidate conference, pp 140–152, NIST, 1999.

Abstract

Twofish is a 128-bit block cipher submitted as an AES candidate. We provide several new results, continuing the research in the original submission. 1) We provide new performance numbers, including: faster encryption and decryption on the Pentium Pro/II, faster key setup on the Pentium and Pentium Pro/II in assembly language, large-RAM implementations on 32-bit CPUs, Alpha performance, more implementation options on smart cards, and a low-gate-count hardware implementation. 2) In the initial Twofish paper we gave initial estimates of an upper bound on the probability of a 12-round differential. These results used an imperfect model of Twofish. We present an improved model, and show that any 12-round differential characteristic has a probability of at most $2^{-102.8}$. 3) We show that each distinct Twofish key generates a unique sequence of subkeys $K_i$, and each round function F is unique for a distinct value of the S bits used to generate the S-boxes. Thus, no two distinct keys result in an identical sequence of round functions.
