Further Observations on the Key Schedule of Twofish

D. Whiting, J. Kelsey, B. Schneier, D. Wagner, N. Ferguson, and C. Hall

Twofish Technical Report #4, March 16, 1999.

ABSTRACT: Twofish is a 128-bit block cipher submitted as an AES candidate [SKW+98]. Mirza and Murphy [MM99] recently noted two interesting properties in the Twofish key schedule for 128-bit keys: there is a non-uniform distribution of 128-bit whitening keys, and the 64-bit round subkeys are non-uniformly distributed over each subset of keys that fixes the S-boxes. This paper extends these results and explains why they do not affect the security of Twofish. First, it is shown that pairs of 64-bit subkeys in Twofish, including the whitening keys, actually have less than 117 bits of entropy, considerably less than predicted by [MM99], but that this fact is not at odds with the goal of the whitening keys. Second, it is shown that other block ciphers, notably DES and Triple DES, achieve far less uniform subkey distributions than Twofish over similarly constructed subsets of keys, but this fact has never led to a known attack on these ciphers.

