New Results on the Twofish Encryption Algorithm

B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall, and N. Ferguson

Second AES Candidate Conference, April 1999.

ABSTRACT: Twofish is a 128-bit block cipher submitted as an AES candidate. We provide several new results, continuing the research in [SKW+98a,SKW+99b]. 1) We provide new performance numbers, including: faster encryption and decryption on the Pentium Pro/II, faster key setup on the Pentium and Pentium Pro/II in assembly language, large-RAM implementations on 32-bit CPUs, Alpha performance, more implementation options on smart cards, and a low-gate-count hardware implementation. 2) In the initial Twofish paper [SKW+98a], we gave initial estimates of an upper bound on the probability of a 12-round differential. These results used an imperfect model of Twofish. We present an improved model, and show that any 12-round differential characteristic has a probability of at most $2^{-102.8}$. 3) We show that each distinct Twofish key generates a unique sequence of subkeys $K_i$, and each round function F is unique for a distinct value of the S bits used to generate the S-boxes. Thus, no two distinct keys result in an identical sequence of round functions.
