| Twofish |
| Home | About | Publications | Practical Cryptography |
Further Observations on the Key Schedule of Twofish
Twofish Technical Report #4, March 1999.
Twofish is a 128-bit block cipher submitted as an AES candidate. Mirza and Murphy recently noted two interesting properties in the Twofish key schedule for 128-bit keys: there is a non-uniform distribution of 128-bit whitening keys, and the 64-bit round subkeys are non-uniformly distributed over each subset of keys that fixes the S-boxes. This paper extends these results and explains why they do not affect the security of Twofish. First, it is shown that pairs of 64-bit subkeys in Twofish, including the whitening keys, actually have less than 117 bits of entropy, considerably less than predicted by Mirza and Murphy, but that this fact is not at odds with the goal of the whitening keys. Second, it is shown that other block ciphers, notably DES and Triple DES, achieve far less uniform subkey distributions than Twofish over similarly constructed subsets of keys, but this fact has never led to a known attack on these ciphers.
Zipped PostScript (60 kB)
PDF (159 kB)
| Home | About | Publications | Practical Cryptography |
Copyright © 1999-2003 by MacFergus BV, last update 2003-04-01.