The Twofish Encryption Algorithm: A 128-Bit Block Cipher
by Bruce Schneier ; John Kelsey ; Doug Whiting ; David Wagner ; Chris Hall ; Niels Ferguson
Wiley Computer Publishing, John Wiley & Sons, Inc.
ISBN: 0471353817 Pub Date: 03/01/99
Chapter 12
Conclusions and Further Work
We have presented Twofish, the rationale behind its design, and the results of our initial cryptanalysis. Design and cryptanalysis go hand in hand; it is impossible to do one without the other, and it is only in the analysis that the strength of an algorithm can be demonstrated.
During the design process, we learned several lessons about cipher design:
- The encryption algorithm and key schedule must be designed in tandem; subtle changes in one affect the other. It is not enough to design a strong round function and then to graft a strong key schedule onto it (unless you are satisfied with an inefficient and inelegant construction like Blowfish has); both must work together.
- There is no such thing as a key-dependent S-box, only a complicated multistage non-linear function that is implemented as a key-dependent S-box for efficiency.
- Keys should be as short as possible. It is much harder to design an algorithm with a long key than an algorithm with a short key. Throughout our design process, we found it easier to design and analyze Twofish with a 128-bit key than Twofish with a 192- or 256-bit key.
- Build a cipher with strong local encryption and let the round function handle the global diffusion. Designing Twofish in this manner made it very hard to mount any statistical cryptanalytical attacks.
- Consider performance at every stage of the design. Having a code optimization guru on our team from the beginning drastically changed the way we looked at design tradeoffs, to the ultimate benefit of Twofish.
- Analysis can go on forever. Even after the 15 June 1998 AES submission deadline, we are still cryptanalyzing Twofish.
We believe Twofish to be an ideal algorithm choice for AES. It is efficient on large microprocessors, smart cards, and dedicated hardware. The multiple layers of performance tradeoffs in the key schedule make it suitable for a variety of implementations. And the attention to cryptographic detail in the design (both the encryption function and the key schedule) makes it suitable as a codebook, output-feedback and cipher-feedback stream cipher, one-way hash function (using standard techniques for converting block ciphers into hash functions), and pseudorandom number generator.
We welcome any new cryptanalysis from the cryptographic community. We plan on continuing to evaluate Twofish all through the AES selection process and beyond. Specifically:
- Whether the number of rounds can safely be reduced. At this point our best non-related-key attack, a differential attack, can only break five rounds. If no better attacks are found after a few years, it may be safe to reduce the number of rounds to 14 or even 12. 12-round Twofish can encrypt and decrypt data at about 220 clock cycles per block on a Pentium, Pentium Pro, and Pentium II.
- Whether there are alternative fixed tables that increase security. We have chosen both the MDS matrix and the fixed permutations, q0 and q1, to meet our mathematical requirements. In the event we find better constants that make Twofish even harder to cryptanalyze, we may want to revise the algorithm.
- Whether we can define a Twofish variant with fixed S-boxes. This variant would have a faster key setup time than the algorithm presented here (about 1200 clock cycles on a Pentium Pro) and the same encryption and decryption speeds. Although we cannot break Twofish with fixed S-boxes, further research is required on what the fixed S-boxes would look like, and how much data could be safely encrypted with this variant.
- Whether we can improve our lower bounds on the complexity of a differential attack and a linear attack.
Developing Twofish was a richly rewarding experience, and one of our most satisfying cryptographic projects to date. There is an enormous gap between simply creating a cryptographic primitive and completing a full design process, and we have learned much by completing the process.