On the Twofish Key Schedule
Total Page:16
File Type:pdf, Size:1020Kb
On the Two sh Key Schedule ? ?? ??? y Bruce Schneier , John Kelsey , Doug Whiting ,David Wagner , Chris z x Hall , and Niels Ferguson Abstract. Two sh is a new blo ck cipher with a 128 bit blo ck, and a key length of 128, 192, or 256 bits, which has b een submitted as an AES candidate. In this pap er, we brie y review the structure of Two sh, and then discuss the key schedule of Two sh, and its resistance to attack. We close with some op en questions on the securityofTwo sh's key schedule. 1 Intro duction NIST announced the Advanced Encryption Standard AES program in 1997 [NIST97a]. NIST solicited comments from the public on the prop osed standard, and eventually issued a call for algorithms to satisfy the standard [NIST97b]. The intention is for NIST to make all submissions public and eventually, through a pro cess of public review and comment, cho ose a new encryption standard to replace DES. Two sh is our submission to the AES selection pro cess. It meets all the required NIST criteria|128-bit blo ck; 128-, 192-, and 256-bit key; ecienton various platforms; etc.|and some strenuous design requirements, p erformance as well as cryptographic, of our own. Two sh was designed to meet NIST's design criteria for AES [NIST97b]. Sp eci cally, they are: { A 128-bit symmetric blo ck cipher. { Key lengths of 128 bits, 192 bits, and 256 bits. { No weak keys. { Eciency, b oth on the Intel Pentium Pro and other software and hardware platforms. { Flexible design: e.g., accept additional key lengths; be implementable on a wide varietyof platforms and applications; and be suitable for a stream cipher, hash function, and MAC. ? Counterpane Systems; 101 E Minnehaha Parkway, Minneap olis, MN 55419, USA; [email protected]. ?? Counterpane Systems; [email protected]. ??? Hi/fn, Inc., 5973 Avenida Encinas Suite 110, Carlsbad, CA 92008, USA; dwhiting@ hifn.com. y University of California Berkeley, So da Hall, Berkeley, CA 94720, USA; daw@ cs.berkeley.edu. z Counterpane Systems; [email protected]. x Counterpane Systems; [email protected]. { Simple design, b oth to facilitate ease of analysis and ease of implementation. A central feature of Two sh's security and exibility is its key schedule. In this pap er, we will brie y review the design of Two sh, and then discuss the security features of the key schedule. The remainder of the pap er is as follows: First, we discuss the sp eci c design of Two sh. Next, we analyze the Two sh key schedule in some detail. Finally, we p oint out some op en questions with resp ect to the key schedule. Note that for space reasons, this pap er do es not include a complete discussion of the Two sh design. Instead, we refer the reader to http://www.counterpane.com. 2 Two sh Two sh uses a 16-round Feistel-like structure with additional whitening of the input and output. The only non-Feistel elements are the 1-bit rotates. The ro- tations can b e moved into the F function to create a pure Feistel structure, but this requires an additional rotation of the words just b efore the output whitening step. The plaintext is split into four 32-bit words. In the input whitening step, these are xored with four key words. This is followed by sixteen rounds. In each round, the twowords on the left are used as input to the g functions. One of them is rotated by 8 bits rst. The g function consists of four byte-wide key-dep endent S-b oxes, followed by a linear mixing step based on an MDS matrix. The results of the two g functions are combined using a Pseudo-Hadamard Transform PHT, and twokeywords are added. These two results are then xored into the words on the right one of which is rotated left by 1 bit rst, the other is rotated right afterwards. The left and right halves are then swapp ed for the next round. After all the rounds, the swap of the last round is reversed, and the four words are xored with four more key words to pro duce the ciphertext. More formally, the 16 bytes of plaintext p ;:::;p are rst split into4words 0 15 P ;:::;P of 32 bits each using the little-endian convention. 0 3 3 X 8j P = p 2 i =0;:::;3 i 4i+j j =0 In the input whitening step, these words are xored with 4 words of the expanded key. R = P K i =0;:::;3 0;i i i In each of the 16 rounds, the rst twowords are used as input to the function F , which also takes the round numb er as input. The third word is xored with the rst output of F and then rotated rightby one bit. The fourth word is rotated left by one bit and then xored with the second output word of F . Finally, the two halves are exchanged. Thus, F ;F =F R ;R ;r r;0 r;1 r;0 r;1 2 R =RORR F ; 1 r +1;0 r;2 r;0 R =ROLR ; 1 F r +1;1 r;3 r;1 R = R r +1;2 r;0 R = R r +1;3 r;1 for r =0;:::;15 and where ROR and ROL are functions that rotate their rst argument a 32-bit word left or rightby the numb er of bits indicated by their second argument. The output whitening step undo es the `swap' of the last round, and xors the data words with 4 words of the expanded key. C = R K i =0;:::;3 i i+4 16;i+2 mo d 4 The four words of ciphertext are then written as 16 bytes c ;:::;c using the 0 15 same little-endian conversion used for the plaintext. C bi=4c 8 mo d 2 i =0;:::;15 c = i 8i mo d 4 2 2.1 The Function F The function F is a key-dep endent p ermutation on 64-bit values. It takes three arguments, two input words R and R , and the round number r used to select 0 1 the appropriate subkeys. R is passed through the g function, which yields T . 0 0 R is rotated left by 8 bits and then passed through the g function to yield 1 T . The results T and T are then combined in a PHT and twowords of the 1 0 1 expanded key are added. T = g R 0 0 T = g ROLR ; 8 1 1 32 F =T + T + K mod2 0 0 1 2r +8 32 F =T +2T + K mod2 1 0 1 2r +9 0 where F ;F is the result of F .We also de ne the function F for use in our 0 1 0 analysis. F is identical to the F function, except that it do es not add anykey blo cks to the output. The PHT is still p erformed. 2.2 The Function g The function g forms the heart of Two sh. The input word X is split into four bytes. Each byte is run through its own key-dep endent S-b ox. Each S-b ox is bijective, takes 8 bits of input, and pro duces 8 bits of output. The four results 8 are interpreted as a vector of length 4 over GF2 , and multiplied by the 4 4 3 8 MDS matrix using the eld GF 2 for the computations. The resulting vector is interpreted as a 32-bit word which is the result of g . 8i 8 x = X=2 mo d 2 i =0;:::;3 i y = s [x ] i =0;:::;3 i i i 0 1 0 1 0 1 z y 0 0 B C B C z y B C . 1 1 B C B C . = @ A . MDS @ A @ A z y 2 2 z y 3 3 3 X 8i Z = z 2 i i=0 where s are the key-dep endent S-b oxes and Z is the result of g .For this to b e i well-de ned, we need to sp ecify the corresp ondence b etween byte values and the 8 8 eld elements of GF2 . We representGF2 as GF2[x]=v x where v x= 8 6 5 3 x + x + x + x +1 is a primitive p olynomial of degree 8 over GF 2. The P 7 i eld element a = a x with a 2 GF2 is identi ed with the byte value i i i=0 P 7 i 8 a 2 . This is in some sense the \natural" mapping; addition in GF 2 i i=0 corresp onds to a xor of the bytes. 2.3 The Key Schedule The key schedule has to provide 40 words of expanded key K ;:::;K , and the 0 39 4key-dep endent S-b oxes used in the g function. Two sh is de ned for keys of length N = 128, N = 192, and N = 256. Keys of any length shorter than 256 bits can b e used by padding them with zero es until the next larger de ned key length. We de ne k = N=64. The key M consists of 8k bytes m ;:::;m . The 0 8k 1 bytes are rst converted into 2k words of 32 bits each 3 X 8j M = m 2 i =0;:::;2k 1 i 4i+j j =0 and then into twoword vectors of length k .