Twofish Encryption/Decryption

Twofish is a symmetric 128-bit block cipher designed by a six-person team — Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson — at Counterpane Internet Security. Submitted to the NIST AES competition in 1998, it reached the final round alongside Rijndael, Serpent, RC6, and MARS. Its fundamental design innovation is key-dependent S-boxes: during key setup, each of four 8-to-8-bit S-boxes is constructed from the key material using two fixed permutations (q0 and q1) and one multiplication through a 4×4 Maximum Distance Separable matrix over GF(2⁸), ensuring that the substitution layer differs for every distinct key.

Each 16-round Feistel step applies a g() function that maps two 32-bit words through the four key-dependent S-boxes and the MDS matrix, then combines both results via a Pseudo-Hadamard Transform (PHT) — a simple but effective diffusion step using 32-bit addition. Input whitening (XOR with four subkeys before round 1) and output whitening (XOR with four subkeys after round 16) prevent slide attacks. No attack on full 16-round Twofish has been published since the cipher's 1998 introduction; the best reduced-round attacks cover at most 6 rounds under non-standard assumptions.

Key Features

• Key-dependent S-boxes: all four 8-to-8-bit S-boxes are uniquely derived from the key during setup using q0/q1 fixed permutations and MDS matrix multiplication — a different S-box configuration for every key prevents precomputed differential analysis against the substitution layer
• MDS (Maximum Distance Separable) matrix: the 4×4 MDS matrix over GF(2⁸) used in each round's g() function guarantees that any non-zero input difference produces a maximum-weight output difference, giving optimal resistance to differential cryptanalysis in each linear layer
• PHT (Pseudo-Hadamard Transform): each 16-round Feistel step uses 32-bit addition to combine the two g() outputs, providing fast and hardware-efficient diffusion without requiring additional S-box evaluations
• Input and output whitening: the plaintext is XOR'd with four 32-bit subkeys before round 1, and the post-round-16 state is XOR'd with four more subkeys before output — this prevents known-plaintext slide attacks that target any cipher without full-block key mixing at both ends

Encryption Modes

• CBC: Cipher Block Chaining for Twofish — Twofish's 128-bit blocks XOR with the previous ciphertext before each 16-round Feistel pass. The 128-bit block size eliminates Sweet32 birthday attacks (collision threshold at 2⁶⁴ blocks, about 2³² zettabytes — practically unreachable). Re-keying is driven by policy requirements, not block birthday constraints.
• ECB: Electronic Codebook for Twofish — each 128-bit (16-byte) block independently processed through all 16 Feistel rounds using same-key-derived S-boxes. Identical plaintext blocks produce identical ciphertexts. Use only for single-block operations: key wrapping, token encryption, or format-preserving tests.
• CFB: Cipher Feedback for Twofish — the 16-round block function encrypts the running ciphertext state (IV-initialized) and the output XORs with plaintext bits. Twofish's 128-bit block eliminates Sweet32; suitable for streaming sessions where Twofish's key-dependent S-box construction is preferred over AES.
• OFB: Output Feedback for Twofish — the block function iterates on the feedback register (IV-initialized) independently of plaintext, generating a deterministic keystream. With a 128-bit internal state, the birthday cycle length is 2¹²⁸ blocks (essentially unlimited). Appropriate for applications needing Twofish's key-dependent diffusion in a stream-cipher mode.

Security Considerations

• No attack on full 16-round Twofish has been published since its 1998 AES submission. The best documented reduced-round results cover 6 rounds or fewer under related-key or chosen-plaintext conditions with complexity that does not threaten the full cipher. The MDS matrix and key-dependent S-boxes have shown no structural weakness across 25 years of public cryptanalysis.
• Twofish's key-dependent S-boxes provide an additional layer of attack resistance not present in AES: an attacker must compromise key material to determine even the substitution layer structure. This property was specifically designed to counter precomputed differential attacks against fixed S-box ciphers.
• Twofish is recommended as the spiritual successor to Blowfish for applications that need to replace BF-CBC (which is vulnerable to Sweet32 on 64-bit blocks) with a cipher offering similar design heritage but 128-bit block protection. Twofish-256-CBC or Twofish-256-CTR provides this upgrade path.
• For new applications, AES-256-GCM with hardware acceleration (AES-NI) is the standard recommendation for performance-sensitive deployments. Twofish-256 is an excellent choice for: offline encryption, VeraCrypt multi-cipher cascades (Twofish+AES+Serpent), environments where AES patent concerns historically applied, and maximum-margin symmetric encryption without requiring AES-NI.

Use Cases

• VeraCrypt multi-cipher cascade encryption: Twofish-256 is one of the three standard layers in VeraCrypt's AES-Twofish-Serpent cascade, where compromise of any single cipher's algorithm does not break the combined encryption — chosen specifically for its different design lineage from AES
• Blowfish BF-CBC migration: replacing legacy OpenVPN BF-CBC or PGP Blowfish configurations with Twofish offers the same Schneier design heritage but in a 128-bit block cipher that eliminates Sweet32 vulnerability entirely
• Environments without AES-NI hardware: Twofish's software-only implementation provides strong 128-bit block encryption on microcontrollers, older CPUs, and embedded targets where AES-NI is unavailable, supplementing the key-dependent S-box setup cost with per-block Feistel efficiency
• Long-term high-security cryptographic storage: Twofish-256 for encrypted volumes and key-derivation records where algorithm diversity from AES is desired — VeraCrypt documentation cites Twofish as providing independent security assurance from AES certification assumptions

References

• Official Twofish Page - schneier.com
• Wikipedia - Twofish