The Twofish Encryption Algorithm: A 128-Bit Block Cipher
by Bruce Schneier ; John Kelsey ; Doug Whiting ; David Wagner ; Chris Hall ; Niels Ferguson
Wiley Computer Publishing, John Wiley & Sons, Inc.
ISBN: 0471353817 Pub Date: 03/01/99
Chapter 2
Twofish Design Goals
Twofish was designed to meet NIST's design criteria for AES [NIST97b]. Specifically, they are:
- A 128-bit symmetric block cipher.
- Key lengths of 128 bits, 192 bits, and 256 bits.
- No weak keys.
- Efficiency, both on the Intel Pentium Pro and other software and hardware platforms.
- Flexible design: e.g., accept additional key lengths; be implementable on a wide variety of platforms and applications; and be suitable for a stream cipher, hash function, and MAC.
- Simple design, both to facilitate ease of analysis and ease of implementation.
Additionally, we imposed the following performance criteria on our design:
- Encrypt data in less than 500 clock cycles per block on an Intel Pentium, Pentium Pro, and Pentium II for a fully optimized version of the algorithm.
- Be capable of setting up a 128-bit key (for optimal encryption speed) in less than the time required to encrypt 32 blocks on a Pentium, Pentium Pro, and Pentium II.
- Encrypt data in less than 5000 clock cycles per block on a Pentium, Pentium Pro, and Pentium II, with no key setup time.
- Not contain any operations that make it inefficient on other 32-bit microprocessors.
- Not contain any operations that make it inefficient on 8-bit and 16-bit microprocessors.
- Not contain any operations that reduce its efficiency on existing and proposed 64-bit microprocessors; e.g., Merced.
- Not include any elements that make it inefficient in hardware.
- Have a variety of performance tradeoffs with respect to the key schedule.
- Encrypt data in less than 10 milliseconds on a commodity 8-bit microprocessor.
- Be implementable on an 8-bit microprocessor with only 64 bytes of RAM.
- Be implementable in hardware using less than 20000 gates.
Our cryptographic goals were as follows:
- 12-round Twofish (without whitening) should have no chosen-plaintext attack requiring fewer than $2^{80}$ chosen plaintexts and less than $2^{N}$ time, where $N$ is the key length.
- 12-round Twofish (without whitening) should have no related-key attack requiring fewer than $2^{64}$ chosen plaintexts, and less than $2^{N/2}$ time, where $N$ is the key length.
Finally, we imposed the following flexibility goals:
- Accept any key length up to 256 bits.
- Have variants with a variable number of rounds.
- Have a key schedule that can be precomputed for maximum speed, or computed on the fly for maximum agility and minimum memory requirements. Additionally, it should be suitable for dedicated hardware applications: e.g., no large tables.
- Be suitable as a stream cipher, one-way hash function, MAC, and pseudo-random number generator, using well-understood construction methods.
- Have a family-key variant to allow for different, non-interoperable versions of the cipher.
We feel we have met all of these goals in the design of Twofish.