The Twofish Encryption Algorithm: A 128-Bit Block Cipher
by Bruce Schneier ; John Kelsey ; Doug Whiting ; David Wagner ; Chris Hall ; Niels Ferguson
Wiley Computer Publishing, John Wiley & Sons, Inc.
ISBN: 0471353817   Pub Date: 03/01/99
  



Chapter 2
Twofish Design Goals

Twofish was designed to meet NIST’s design criteria for AES [NIST97b]. Specifically, they are:

  A 128-bit symmetric block cipher.
  Key lengths of 128 bits, 192 bits, and 256 bits.
  No weak keys.
  Efficiency, both on the Intel Pentium Pro and other software and hardware platforms.
  Flexible design: e.g., accept additional key lengths; be implementable on a wide variety of platforms and applications; and be suitable for a stream cipher, hash function, and MAC.
  Simple design, both to facilitate ease of analysis and ease of implementation.

Additionally, we imposed the following performance criteria on our design:

  Encrypt data in less than 500 clock cycles per block on an Intel Pentium, Pentium Pro, and Pentium II for a fully optimized version of the algorithm.
  Be capable of setting up a 128-bit key (for optimal encryption speed) in less than the time required to encrypt 32 blocks on a Pentium, Pentium Pro, and Pentium II.
  Encrypt data in less than 5000 clock cycles per block on a Pentium, Pentium Pro, and Pentium II, with no key setup time.
  Not contain any operations that make it inefficient on other 32-bit microprocessors.
  Not contain any operations that make it inefficient on 8-bit and 16-bit microprocessors.
  Not contain any operations that reduce its efficiency on existing and proposed 64-bit microprocessors; e.g., Merced.
  Not include any elements that make it inefficient in hardware.
  Have a variety of performance tradeoffs with respect to the key schedule.
  Encrypt data in less than 10 milliseconds on a commodity 8-bit microprocessor.
  Be implementable on an 8-bit microprocessor with only 64 bytes of RAM.
  Be implementable in hardware using less than 20000 gates.

Our cryptographic goals were as follows:

  12-round Twofish (without whitening) should have no chosen-plaintext attack requiring fewer than 2^80 chosen plaintexts and less than 2^N time, where N is the key length.
  12-round Twofish (without whitening) should have no related-key attack requiring fewer than 2^64 chosen plaintexts, and less than 2^(N/2) time, where N is the key length.

Finally, we imposed the following flexibility goals:

  Accept any key length up to 256 bits.
  Have variants with a variable number of rounds.
  Have a key schedule that can be precomputed for maximum speed, or computed on the fly for maximum agility and minimum memory requirements. Additionally, it should be suitable for dedicated hardware applications: e.g., no large tables.
  Be suitable as a stream cipher, one-way hash function, MAC, and pseudo-random number generator, using well-understood construction methods.
  Have a family-key variant to allow for different, non-interoperable versions of the cipher.

We feel we have met all of these goals in the design of Twofish.

