Twofish






From Wikipedia, the free encyclopedia
 


Figure: The Twofish algorithm

General
Designers: Bruce Schneier
First published: 1998
Derived from: Blowfish, SAFER, Square
Related to: Threefish
Certification: AES finalist

Cipher detail
Key sizes: 128, 192 or 256 bits
Block sizes: 128 bits
Structure: Feistel network
Rounds: 16

Best public cryptanalysis
Truncated differential cryptanalysis requiring roughly $2^{51}$ chosen plaintexts.[1] Impossible differential attack that breaks 6 rounds out of 16 of the 256-bit key version using $2^{256}$ steps.[2]

In cryptography, Twofish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits. It was one of the five finalists of the Advanced Encryption Standard contest, but it was not selected for standardization. Twofish is related to the earlier block cipher Blowfish.

Twofish's distinctive features are the use of pre-computed key-dependent S-boxes, and a relatively complex key schedule. One half of an n-bit key is used as the actual encryption key and the other half of the n-bit key is used to modify the encryption algorithm (key-dependent S-boxes). Twofish borrows some elements from other designs; for example, the pseudo-Hadamard transform[3] (PHT) from the SAFER family of ciphers. Twofish has a Feistel structure like DES. Twofish also employs a Maximum Distance Separable matrix.
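The two borrowed building blocks named above can be exercised directly. The following Python sketch is an added example, not code from the article or from the Twofish reference implementation: it implements the pseudo-Hadamard transform on 32-bit words with its inverse, and checks the defining property of a Maximum Distance Separable matrix (every square submatrix is invertible). The matrix constants and the reduction polynomial 0x169 are taken from the Twofish design paper rather than from this page; the function names are illustrative.

```python
from itertools import combinations

MASK32 = 0xFFFFFFFF
MDS_POLY = 0x169  # x^8 + x^6 + x^5 + x^3 + 1 (Twofish paper, not this page)
MDS = [[0x01, 0xEF, 0x5B, 0x5B],  # MDS matrix as given in the Twofish paper
       [0x5B, 0xEF, 0xEF, 0x01],
       [0xEF, 0x5B, 0x01, 0xEF],
       [0xEF, 0x01, 0xEF, 0x5B]]

def pht(a, b):
    """Pseudo-Hadamard transform: a' = a + b, b' = a + 2b (mod 2^32)."""
    return (a + b) & MASK32, (a + 2 * b) & MASK32

def pht_inverse(a2, b2):
    """Invert pht(): b = b' - a', then a = a' - b (mod 2^32)."""
    b = (b2 - a2) & MASK32
    return (a2 - b) & MASK32, b

def gf_mul(x, y, poly=MDS_POLY):
    """Multiply two bytes in GF(2^8), reducing modulo poly."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        x <<= 1
        if x & 0x100:
            x ^= poly
        y >>= 1
    return r

def mds_mul(col, m=MDS):
    """Multiply matrix m by a 4-byte column vector over GF(2^8)."""
    out = []
    for row in m:
        acc = 0
        for coeff, byte in zip(row, col):
            acc ^= gf_mul(coeff, byte)
        out.append(acc)
    return out

def det(m):
    """Determinant over GF(2^8); characteristic 2, so cofactors have no sign."""
    if len(m) == 1:
        return m[0][0]
    return_val = 0
    for j, coeff in enumerate(m[0]):
        minor = [row[:j] + row[j + 1:] for row in m[1:]]
        return_val ^= gf_mul(coeff, det(minor))
    return return_val

def is_mds(m):
    """A square matrix is MDS iff every square submatrix is nonsingular."""
    idx = range(len(m))
    return all(det([[m[r][c] for c in cols] for r in rows]) != 0
               for k in range(1, len(m) + 1)
               for rows in combinations(idx, k) for cols in combinations(idx, k))
```

Because every submatrix is invertible, an input column with k nonzero bytes always yields at least 5 − k nonzero output bytes, which is the diffusion guarantee the MDS step contributes to each round.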

When it was introduced in 1998, Twofish was slightly slower than Rijndael (the chosen algorithm for Advanced Encryption Standard) for 128-bit keys, but somewhat faster for 256-bit keys. Since 2008, virtually all AMD and Intel processors have included hardware acceleration of the Rijndael algorithm via the AES instruction set; Rijndael implementations that use the instruction set are now orders of magnitude faster than (software) Twofish implementations.[4]

Twofish was designed by Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson: the "extended Twofish team" met to perform further cryptanalysis of Twofish. Other AES contest entrants included Stefan Lucks, Tadayoshi Kohno, and Mike Stay.

The Twofish cipher has not been patented, and the reference implementation has been placed in the public domain. As a result, the Twofish algorithm is free for anyone to use without any restrictions whatsoever. It is one of a few ciphers included in the OpenPGP standard (RFC 4880). However, Twofish has seen less widespread usage than Blowfish, which has been available longer.

Performance


During the design of Twofish, performance was always an important factor. It was designed to allow for several layers of performance tradeoffs, depending on the importance of encryption speed, memory usage, hardware gate count, key setup and other parameters. This allows a highly flexible algorithm, which can be implemented in a variety of applications.

There are multiple space–time tradeoffs that can be made for Twofish, in software as well as in hardware. An example of such a tradeoff would be the precomputation of round subkeys or S-boxes, which can lead to speed increases of a factor of two or more. These come, however, at the cost of more RAM needed to store them.

The estimates in the table below are all based on existing 0.35 μm CMOS technology.

Hardware tradeoffs (128-bit key)[5]

| Gate counts | h blocks | Clocks per block | Pipeline levels | Clock speed | Throughput (Mbit/s) | Startup clocks | Comments |
|---|---|---|---|---|---|---|---|
| 14000 | 1 | 64 | 1 | 40 MHz | 80 | 4 | subkeys on the fly |
| 19000 | 1 | 32 | 1 | 40 MHz | 160 | 40 | |
| 23000 | 2 | 16 | 1 | 40 MHz | 320 | 20 | |
| 26000 | 2 | 32 | 2 | 80 MHz | 640 | 20 | |
| 28000 | 2 | 48 | 3 | 120 MHz | 960 | 20 | |
| 30000 | 2 | 64 | 4 | 150 MHz | 1200 | 20 | |
| 80000 | 2 | 16 | 1 | 80 MHz | 640 | 300 | S-box RAMs |

Cryptanalysis


In 1999, Niels Ferguson published an impossible differential attack that breaks 6 rounds out of 16 of the 256-bit key version using $2^{256}$ steps.[2]

As of 2000, the best published cryptanalysis of the Twofish block cipher is a truncated differential cryptanalysis of the full 16-round version. The paper claims that the probability of truncated differentials is $2^{-57.3}$ per block and that it will take roughly $2^{51}$ chosen plaintexts (32 petabytes worth of data) to find a good pair of truncated differentials.[6]

Bruce Schneier responded in a 2005 blog entry that this paper did not present a full cryptanalytic attack, but only some hypothesized differential characteristics: "But even from a theoretical perspective, Twofish isn't even remotely broken. There have been no extensions to these results since they were published in 2000."[7]


References

  1. Shiho Moriai; Yiqun Lisa Yin (2000). "Cryptanalysis of Twofish (II)" (PDF). Retrieved 2013-01-14.
  2. Niels Ferguson (1999-10-05). "Impossible differentials in Twofish" (PDF). Retrieved 2013-01-14.
  3. "Team Men In Black Presents: TwoFish" (PDF). Archived from the original (PDF) on 26 September 2017. Retrieved 26 September 2017.
  4. Bruce Schneier; Doug Whiting (2000-04-07). "A Performance Comparison of the Five AES Finalists" (PDF/PostScript). Retrieved 2013-01-14.
  5. Schneier, Bruce (15 June 1998). "Twofish: A 128-Bit Block Cipher" (PDF). Counterpane: 68.
  6. Shiho Moriai; Yiqun Lisa Yin (2000). "Cryptanalysis of Twofish (II)" (PDF). Retrieved 2013-01-14.
  7. Schneier, Bruce (2005-11-23). "Twofish Cryptanalysis Rumors". Schneier on Security blog. Retrieved 2013-01-14.
    Retrieved from "https://en.wikipedia.org/w/index.php?title=Twofish&oldid=1220684497"




    This page was last edited on 25 April 2024, at 08:30 (UTC).

    Text is available under the Creative Commons Attribution-ShareAlike License 4.0; additional terms may apply. By using this site, you agree to the Terms of Use and Privacy Policy. Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc., a non-profit organization.


