Twofish: A 128-Bit Block Cipher

Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson

AES submission, June 1998.

Abstract

Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits. The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit S-boxes, a fixed 4-by-4 maximum distance separable matrix over GF(2⁸), a pseudo-Hadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8-bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2^22.5 chosen plaintexts and 2⁵¹ effort.

More information

This AES submission was updated and extended, and published as a book.

More information on Twofish, including working code, can be found on the Twofish web site. See also the other Twofish-related publications in the list of publications.

Download

Available as PDF (583 kB) or as Zipped PostScript (303 kB).

Home

About

Publications

Practical Cryptography