The Twofish Encryption Algorithm: A 128-Bit Block Cipher The Twofish Encryption Algorithm: A 128-Bit Block Cipher
by Bruce Schneier ; John Kelsey ; Doug Whiting ; David Wagner ; Chris Hall ; Niels Ferguson
Wiley Computer Publishing, John Wiley & Sons, Inc.
ISBN: 0471353817   Pub Date: 03/01/99
  

Previous Table of Contents Next


4.3.1 Additional Key Lengths

Twofish can accept keys of any byte length up to 256 bits. For key sizes that are not defined above, the key is padded at the end with zero bytes to the next larger length that is defined. For example, an 80-bit key m0, ... , m9 would be extended by setting mi = 0 for i = 10, ..., 15 and treating it as a 128-bit key. Every key of non-standard length is thus equivalent to exactly one key of a standard length.


Fig. 4.2.  The Function h

We have not defined Twofish for keys whose length is not an integral number of bytes. Although this can be done trivially, we see no reason to do so. Keys that span only part of a byte create a lot of extra software complexity that can easily lead to implementation bugs. There is very little to be gained from the use of such odd-sized keys.

4.3.2 The Function h

Figure 4.2 shows an overview of the function h. This is a function that takes two inputs—a 32-bit word X and a list L = (L0, ..., Lk-1) of 32-bit words of length k—and produces one word of output. This function works in k stages. In each stage, the four bytes are each passed through a fixed S-box and then XORed with a byte derived from the list. Finally, the bytes are once again passed through a fixed S-box, and the four bytes are multiplied by the MDS matrix just as in g. More formally: we split the words into bytes.

li,j = [Li/28j] mod 28
xj = [X/28j] mod 28

for i = 0,..., k – 1 and j = 0, ..., 3. Then the sequence of substitutions and XORs is applied.

yk,j = xj j = 0,...,3

If k = 4 we have

y3,0 = q1[y4,0] ⊕ l3,0
y3,1 = q0[y4,1] ⊕ l3,1
y3,2 = q0[y4,2] ⊕ l3,2
y3,3 = q1[y4,3]