The Twofish block cipher is Counterpane Systems's candidate for the new Advanced Encryption Standard (AES). It is one of the five finalists chosen by NIST from a field of 15 candidates. Twofish is designed to be highly secure and highly flexible. Counterpane Systems has spent over one thousand hours cryptanalyzing Twofish, and has found no attacks that go anywhere near to breaking the cipher. The key size is 256 bits (32 characters).

The DES algorithm has become obsolete and is in need of replacement. To this end the National Institute of Standards and Technology (NIST) has been holding a competition to develop the Advanced Encryption Standard (AES) as a replacement for DES. Triple DES has been endorsed by NIST as a temporary standard to be used until the AES is finished sometime in 2001.

NIST has been working very closely with industry and the cryptographic community during the development of the Advanced Encryption Standard. The overall goal is to develop a Federal Information Processing Standard (FIPS) that specifies an encryption algorithm (or algorithms) capable of protecting sensitive government information well into the next century. The algorithm(s) is expected to be used by the U.S. Government and, on a voluntary basis, by the private sector.

On January 2, 1997, NIST announced the initiation of the AES development effort and made a formal call for algorithms on September 12 of that year. The call stipulated that the AES would specify an unclassified, publicly disclosed encryption algorithm(s), available royalty-free, worldwide. In addition, the algorithm(s) must implement symmetric key cryptography as a block cipher and (at a minimum) support block sizes of 128 bits and key sizes of 128, 192, and 256 bits.

On August 20, 1998, NIST announced a group of fifteen AES candidate algorithms at the First AES Candidate Conference (AES1). These algorithms had been submitted by members of the cryptographic community from around the world. At that conference and in a simultaneously published Federal Register notice, NIST solicited public comments on the candidates. A Second AES Candidate Conference (AES2) was held in March 1999 to discuss the results of the analysis conducted by the global cryptographic community on the candidate algorithms. The public comment period on the initial review of the algorithms closed on April 15, 1999. Using the analyses and comments received, NIST selected five algorithms from the original fifteen submissions.

The AES finalist candidate algorithms are MARS, RC6, Rijndael, Serpent, and Twofish. Four of the algorithms (MARS, Rijndael, Serpent, and Twofish) are supported by Private Encryptor. NIST has developed a Round 1 Report describing the selection of the finalists.

These finalist algorithms received further analysis during a second, more in-depth review period prior to the selection of the final algorithm(s) for the AES. The comment period on the remaining algorithms ended on May 15, 2000. Comments and analysis were actively sought by NIST on any aspect of the candidate algorithms, including, but not limited to, the following topics: cryptanalysis, intellectual property, comparative analyses of all of the AES finalists, and overall recommendations and implementation issues. An informal AES discussion forum was also provided by NIST for interested parties to discuss the AES finalists and relevant AES issues.

Near the end of Round 2, NIST sponsored the Third AES Candidate Conference (AES3), which was an open, public forum for discussion of the analyses of the AES finalists. AES3 was held April 13-14, 2000 in New York. Submitters of the AES finalists were invited to attend and engage in discussions regarding comments on their algorithms.

At the time this document is being written, the Round 2 public analysis period is just ending. Over the next few months NIST intends to study all available information from the Round 2 analysis and make a selection for the AES from among one or more of the finalists. Currently, NIST anticipates that it will announce the AES selection by late summer or early fall of 2000. No date has yet been set for this announcement. Following the announcement, NIST intends to publish a Round 2 Report that will summarize information from Round 2 and explain the algorithm selection.

Shortly thereafter, a draft Federal Information Processing Standard (FIPS) for the AES will be published for public review and comment. Following the comment period, the standard will be revised by NIST in response to those comments. A review and approval process will then follow. If all steps of the AES development process proceed as planned, it is anticipated that the standard will be completed by the summer of 2001.
About Twofish

The Twofish block cipher is Counterpane Labs' candidate for the new Advanced Encryption Standard. It is one of the five finalists chosen by NIST from a field of 15 candidates as explained above. Twofish is designed to be highly secure and highly flexible. It is well suited for large microprocessors, 8-bit smart card microprocessors, and dedicated hardware. Counterpane Labs has spent over one thousand hours cryptanalyzing Twofish, and has found no attacks that can break the full 16 round version of the algorithm. Attacks have been found against a weaker 5 round Twofish, but the algorithm is very secure when the full 16 rounds are used. It is also the fastest AES candidate, and one of the most compact. Its conservative design allows the ability to trade off key setup time for encryption speed, as well as sacrificing smaller memory requirements to obtain greater encryption speed. Algorithm implementers are given a lot of flexibility to play around with to produce a version of Twofish that is just right for the job at hand.

Twofish was designed by Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson. Bruce Schneier also designed the Blowfish algorithm, which remains unbroken after eight years of cryptanalysis and has been implemented in over 130 commercial applications.
In Depth

Twofish is a 128-bit block cipher, meaning that data is encrypted and decrypted in 128-bit chunks. The key length can vary, but for the purposes of the AES it is defined to be either 128, 192, or 256 bits. This block size and variable key length is standard among all AES candidates and was one of the major design requirements specified by NIST. The official Twofish algorithm uses 16 rounds, or iterations of the main algorithm, to ensure maximum security. Twofish can be implemented with fewer rounds but there is no compelling reason to do this, as Twofish is a very fast algorithm already and attacks have been discovered against the 5 round version. More than 16 rounds can also be used, but it has been found that the increases in security decrease rapidly after 16 rounds until the trade off in speed is no longer worth the slightly better security.

Private Encryptor's implementation of Twofish uses a 256 bit key and the full 16 rounds. We decided to use the largest possible key size to ensure that the user always enjoys the best possible security. Our design philosophy is that security always comes before speed. If a shorter key is provided by the user, Private Encryptor pads the key in a special, seemingly random, way to make it 256 bits long.

The detailed description of the actual algorithm is contained in the official Twofish paper submitted for the AES by Counterpane Labs. The paper is rather technical and a certain degree of mathematical proficiency is required of the reader in order to understand it.