Improved impossible differentials on Twofish

Abstract

Twofish is one of the finalists for the Advanced Encryption Standard selection process (AES). The best up-to-date analysis of Twofish was presented by one of its designers, who showed that its complexity on 6-round Twofish with 128-bit keys is 4.6 2128 one-round computations. In this paper we present an improvement of the attack on 6-round Twofish, whose complexity is 1.84 · 2128 one-round computations. For other key sizes, our results have the complexity 13 · 2160 one-round computations for 192-bit keys and 24.2·2192 one-round computations for 256-bit keys. For 7-round Twofish, the designers mentioned an attack, and estimated its complexity to be about 2256 simple steps for 256-bit keys, and for other key sizes have complexities that exceed exhaustive search. We present an improvement of the attack on 7-round Twofish, whose complexity is 2226.48 one-round computations for 256-bit keys. We also show, for the first time, that this attack is faster than exhaustive search for 192-bit keys for which it breaks 7-round Twofish in 2 · 2192 one-round computations, while exhaustive search takes 7 · 2192.