The Twofish Team's Final Comments on AES Selection

B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall, N. Ferguson, T. Kohno, M. Stay

May 15, 2000

In 1996, the National Institute of Standards and Technology initiated a program to choose an Advanced Encryption Standard (AES) to replace DES. In 1997, after soliciting public comment on the process, NIST requested proposed encryption algorithms from the cryptographic community. Fif teen algorithms were submitted to NIST in 1998. NIST held two AES Candidate Conferences—the first in California in 1998, and the second in Rome in 1999—and then chose five finalist candidates: MARS, RC6, Rijndael, Serpent, and Twofish. NIST held the Third AES Candidate Conference in New York in April 2000, and is about to choose a single algorithm to become AES.

We, the authors of the Twofish algorithm and members of the extended Twofish team, would like to express our continued support for Twofish. Since first proposing the algorithm in 1998, we have continued to perform extensive analysis of the cipher, with respect to both security and per formance. We feel that Twofish offers the best security/ performance tradeoff of all the AES finalists, and urge NIST to choose Twofish as the single AES standard.

These comments are an expanded version of the comments we submitted to the Third AES Candidate Conference.

[full text - postscript] [full text - PDF (Acrobat)]

Categories: Miscellaneous Papers

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.