A Twofish Retreat: Related-Key Attacks Against Reduced-Round Twofish
نویسندگان
چکیده
The Twofish AES submission document contains a partial chosen-key and a related-key attack against ten rounds of Twofish without whitening, using 256-bit keys. This attack does not work; it makes use of a postulated class of weak key pairs which has the S-box keys and eight successive round keys equal, but no such pairs exist. In this report we analyze the occurrence of this kind of weak key pair and describe how such pairs may be used both to mount attacks on reduced-round Twofish and to find properties of reduced-round Twofish that are not present in an ideal cipher. We find that related-key and chosen-key attacks are considerably less powerful against Twofish than was previously believed.
منابع مشابه
Trawling Twofish (revisited) NES/DOC/UIB/WP3/004/a
Twofish is a 128-bit block cipher submitted as a candidate for the Advanced Encryption Standard (AES). It has a structure related to the Feistel structure and runs in 16 rounds. In this paper we consider mainly differentials of Twofish and show that there are differentials for Twofish for up to 16 rounds, predicting at least 32 bits of nontrivial information in every round. In addition, it hold...
متن کاملKey Separation in Twofish
In [Mur00], Murphy raises questions about key separation in Twofish. We discuss this property of the Twofish key schedule, and compare it with other block ciphers. While every block cipher has this property in some abstract sense, the specific structure of Twofish makes it an interesting property to consider. We explain why we don’t believe this property leads to any interesting attacks on Twof...
متن کاملTwofish: A 128-Bit Block Cipher
Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits. The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit S-boxes, a fixed 4-by-4 maximum distance separable matrix over GF(2), a pseudo-Hadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish e...
متن کاملFurther Observations on the Key Schedule of Twofish
Twofish is a 128-bit block cipher submitted as an AES candidate [SKW+98]. Mirza and Murphy [MM99] recently noted two interesting properties in the Twofish key schedule for 128-bit keys: there is a non-uniform distribution of 128-bit whitening keys, and the 64-bit round subkeys are non-uniformly distributed over each subset of keys that fixes the S-boxes. This paper extends these results and exp...
متن کاملUpper bounds on differential characteristics in Twofish
In [SK+98] the Twofish block cipher was introduced, and initial estimates of an upper bounds on the probability of a 12-round differential were given. These results used an imperfect model of Twofish. We present an improved model, and show that any 12-round differential characteristic has a probability of at most 2−102.8.
متن کامل