An observation on the Key Schedule of Twosh

Fauzan Mirza Sean Murphy

Information Security Group Royal Holloway

University of London Egham Surrey TW EX UK

January

Abstract

The byte blo ck cipher Twosh was prop osed as a candidate for the Advanced En

cryption Standard AES This pap er notes the following two prop erties of the Twosh key

schedule Firstly there is a nonuniform distribution of byte whitening subkeys Sec

there is a ondly in a reduced xed Feistel round function Twosh with an byte key

nonuniform distribution of any byte round subkey An example of two distinct byte

keys giving the same round subkey is given

Brief Description of Twosh

Twosh is a blo ck cipher on byte blo cks under the action of a or byte key For

simplicity we consider the version with a byte key Twosh has a Feisteltyp e design

Supp ose we have a byte plaintext P P P and a byte key K K K Let

L R L R

  

F GF be the nite eld dened by the primitive p olynomial x x x x

Twosh uses an invertible round function

   

g F F F F

S S



parameterised bytwo byte quantities S RS K and S RS K whereRS is a

 L  R

matrix given by

A A DB E

C B

C B

A F E C E

C B

RS

C B

C B

A FC C AE D

A

A A DB E

The byte round subkeys K i are dened bya key scheduling function

i

i  

h F F F F i

i

K fori so wehaveK K h K

L R i i 

This author is supp orted byanEPSRCaward and completed part of the work whilst visiting the Department

of Informatics University of Bergen Norway

i

The key scheduling function h op erates as follows Let A q iq iq iq i

i    

and B q i q i q i q i where q and q are keyindep endent

i      

bijective Sb oxes acting on one byte inputs Then

C QA Y W

i i

D QB Z X

i i

K H C D K

i i  i i 



where WX K Y Z K and Q and H are p ermutations of F and F resp ectively

L R

i

Note that h has the prop ertythat

i j

h x y h x y for any x y F and i j

 

Supp ose we dene to denote a pair of mo dulo additions and e and



e where e is the identity transformation on bits and is a left rotation by one place

of bits ATwosh encryption of P P P under key K K K to give ciphertext

L R L R

C C C isthengiven by

L R

L P K K

 L  

R P K K

 R  



i L R g L K K

i  i S S i i i



R L i

i  i

C R K K

L  

C R K K

R  

Whitening Subkeys

The subkeys K K K K and K K K K XORed b efore the rst and after the last

     

round are known as whitening subkeys They have b een used in many blo ck ciphers for example



FEAL and DESX It turns out that for a byte Twosh key there are less than

p ossibilities for the prewhitening subkeys K K K K For example is not a

   

 

valid prewhitening subkey for if it were then h x y h x y for some x y The number

of times a byte prewhitening key o ccurs would seem to follow a Poisson distribution with



mean so only e of byte values occur as prewhitening subkeys A similar

argument applies to p ostwhitening keys

Reduced Twosh with S S  xed

Consider a reduced version of Twosh in which S and S are xed Then the twohalves of the

 

key K K K are constrained to lie in byte GF subspaces dened by the preimages

L R

 

of S and S resp ectivelysoK RS S and K RS S The kernel of RS N isthe

  L  R 

row space of the matrix T jI given by

A A

C B

C B

A A

C B

T jI

C B

C B

FC

A

F C A

Fixing S S forces K and K to b e in sp ecic cosets of N If K is in the kernel so K

  L R L L

Y Z N thenY Z T soifK is in a coset of the kernel say K Y Z N Y Z

L L

then Y Z T Y Z T Thus if S and S are xed then K and K are uniquely

  L R

dened by their values on four bytes Using these transformations we can dene an byte key

K X Z and key scheduling functions

i

   

F F F F i H

S S





given by for anyW X Y Z RS S S

 

i i

H X Z h X T W X T X Z T Y Z T Z

Reduced Twosh is a Feistel cipher with a known xed invertible round function

   

g F F F F

S S



on byte blo cks under an byte key

Without loss of generalitywenow consider the reduced Twosh in whichS S

 

Thus K WX and K Y Z are elements of the kernel of RS N and so W X T

L R

and Y Z T

   

Weshowhow to nd subkey collisions in reduced Twosh We wish to nd W X Y Z

suchthat

 

C Q A Y W

i i

 

D QB Z X

i i

Using the kernel condition W X T etc wehave

 

X T X T QA Z T QA Z T

i i

 

X X QB Z QB Z

i i

On applying T to the second equation we obtain

 

A Z T QA Z T X X T Q

i i

 

X X T QB Z T QB Z T

i i

Adding these two equations and rearranging gives

 

QA Z T QB Z T QA Z T QB Z T

i i i i



Thus searching for subkey collisions is equivalent to nding collisions of the function R F

i



F dened by

R Z QA Z T QB Z T

i i i



This function b ehaves like a random function on F so we would exp ect to nd a collision



after ab out evaluations of R For example the pair of byte reduced Twosh keys with

S S dened by

 

X Z F

 

FBC C X Z

cause K K CC FBDbytheTwosh key schedule

The number of times an byte round subkey K K o ccurs would seem to follow a

i i 



Poisson distribution with mean one so only e of byte values o ccur as round

subkeys K K This is inconsistent with the statement in Section of where it is

i i 

S to the round function provides no information about claimed that guessing the key input

the round subkeys K

i

The key scheduling of reduced Twosh thus means that an byte round subkey K K

i i 

derived from an byte key cannot take all p ossible values This could sp eed up certain typ es

of cryptanalysis

Conclusion

The key scheduling of Twosh has two prop erties that are contrary to claims implicit in and

could potentially be exploited Firstly both the pre and p ostwhitening subkeys of Twosh

occur with a nonuniform distribution which gives information ab out the key Secondly the

round subkeys of every reduced version of Twosh ie a version of Twosh with S S xed

 

occur with a nonuniform distribution which gives information ab out the key An attack on

any reduced version of Twosh would have cryptographic consequences for the full version of

Twosh for example the unbalanced key schedule describ ed in reduced Twosh may aid an

attacker in deriving collisions if Twosh is used in a DaviesMeyer hash

References

B Schneier J KelseyD Whiting D Wagner C Hall and N Ferguson Twosh A

Bit Blo ck Cipher AES Submission June httpwwwcounterpanecom two sh

paperhtml

J Kilian and P Rogaway How to Protect DES against ExhaustiveSearch CRYPTO

pp SpringerVerlag

A Shimuzu and S Miyaguchi Fast Data Encipherment Algorithm FEAL EUROCRYPT

pp SpringerVerlag