The Twofish Encryption Algorithm

Twofish is an Advanced Encryption Standard (AES) blockcypher algorithm. Twofish is not vulnerable to a simple brute force attack and is not inherently insecure against side-channel attacks.

Let’s explore Twofish here.  

History of Twofish

In 1997, Twofish was entered into a NIST competition to replace the DES algorithm.  Among the most successful cryptographic algorithms, DES was widely criticized due to its closed-door design process.

So, the goal of the NIST competition was to develop a block cipher algorithm that can flexibly handle a variety of properties:

• Fast speed
• Large block size
• Long security key length

Specifically, the NIST design criteria called for algorithms with 128-bit symmetric block ciphers that can handle 128- to 256-bit key lengths, with no weak keys, a simple design for analysis and processing in low-power devices, and implementable on a variety of platforms and applications.

Developers of the Twofish algorithm aimed to achieve these goals with a block cipher algorithm that is not vulnerable to a chosen plaintext attack with an arbitrarily large key length. Specifically, the authors aimed to develop a 16-round Twofish algorithm with no attack for 2^80 chosen plaintexts and a 12-round Twofish with no key-attack for less than 2^64 chosen plaintexts.

(Related reading: how encryption works & data encryption methods to use.)

Capabilities & cryptographic structure of Twofish

The proposed Twofish algorithm achieved this goal by using the following capabilities and cryptographic structure:

Feistel Network

A transformation function that takes the input data, divides it in equal blocks, each processed through a series of encryption rounds depending on the encryption keys derived from either blocks.

Substitution Operation with S-Box

A non-linear substitution between block ciphers based on a predefined substitution table. The idea is to introduce small changes in the form of substitutions, which can result in significant changes on the output. This process obscures the relationship between the input and output data and can have an avalanche effect: changing a single data bit can cause a significant proportion of the corresponding block output to change.

MDS Matrix

The Maximum Distance Separable (MDS) refers to the linear distance between two field elements. This process applies a restriction on two distinct data vectors, such that the minimum distance between two elements is as large as possible.

Pseudo-Hadamard Transforms

A mathematical operation that retains the desired properties of the data transformation using fewer mathematical computations.

Whitening

The process of introducing randomness with each encryption round. The mathematical operation of XOR is applied to the data before the first round and at the end of the final encryption round. Two fish uses a 128-bit text block and applies the XOR operation to four key words.

Key Schedule

A process to ensure that subkeys used in every encryption round are different and not easily predictable.

Twofish structure: how it works

The structure of the Twofish algorithm is as follows:

• A 16-round Feistel network is used. The key-dependent substitution box is generated and two functions G1 and G2 are defined. A 32-bit data input is divided into corresponding 16-bit data input to each block.
• Four subkeys are generated for the pre-whitening phase. An additional two subkeys for each round and finally, four subkeys for the post-whitening phase are generated.
• A plaintext undergoes a pre-whitening phase, where the Feistel round function is applied and the transformed data blocks are swapped.
• The MDS matrix combines the transformed output bytes at each S-box output and the final output of the round function block is combined using the PHT transform.
• The final Feistel round is applied without swapping and the post-whitening function is performed.

This algorithm structure is illustrated in the image below:

(Image source)

Twofish was designed to perform well on small devices that contain low-power processing capabilities. The performance advantage emerges from the key schedule, where twofish makes key-dependent S-box and round-subkeys with several variations depending on the application:

• Long key setup for faster encryption of large plaintext data.
• Or, a short key schedule for slower encryption processed over a larger number of encryption boxes.

The encryption and decryption process can take either variation, depending on the performance capabilities of the underlying hardware and performance requirements for the applications.

Rijndael AES vs. Twofish

At the NIST competition, the Rijndael algorithm was chosen as the winner over the Twofish algorithm due to two important factors.

• Rijndael, also known as the AES algorithm, had a simpler design operating on fixed block size with three key length choices, as opposed to Twofish using variable block sizes for a fixed key length.
• In terms of performance, the AES algorithm is faster and more secure. AES relies on a substitution-permutation network and a simple key schedule, whereas the Twofish algorithm using key-dependent substitution boxes follows a complex and expensive key schedule.

Nevertheless, both the AES and Twofish algorithms have yet to be cracked. While some would argue that a longer key-length Twofish implementation may be more secure than a standard AES implementation, the choice comes down to ease of implementation, memory consumption and computational performance.

Other cryptographic algorithms

Check out our key management explainer and explore our three-part series on quantum computing: what it means for your encryptions.