An observation on the Key Schedule of Twosh
Fauzan Mirza
Sean Murphy
Information Security Group, Royal Holloway,
University of London, Egham, Surrey TW20 0EX, U.K.
January 15, 1999
Abstract
The 16-byte block cipher Twosh was proposed as a candidate for the Advanced Encryption Standard (AES). This paper notes the following two properties of the Twosh key
schedule. Firstly, there is a non-uniform distribution of 16-byte whitening subkeys. Secondly, in a reduced (xed Feistel round function) Twosh with an 8-byte key, there is a
non-uniform distribution of any 8-byte round subkey. An example of two distinct 8-byte
keys giving the same round subkey is given.
1 Brief Description of Twosh
Twosh is a block cipher on 16-byte blocks under the action of a 16, 24 or 32-byte key. For
simplicity, we consider the version with a 16-byte key. Twosh has a Feistel-type design.
Suppose we have a 16-byte plaintext P = (P P ) and a 16-byte key K = (K K ). Let
F = GF (28 ) be the nite eld dened by the primitive polynomial x8 + x6 + x3 + x2 + 1.
Twosh uses an invertible round function
L
g
S0 S1
: F4
F4
R
L
! F4
R
F4 parameterised by two 4-byte quantities S0 = RS K and S1 = RS K , where RS is a 4 8
matrix given by
0
1
L
BB 01
RS = B
BB A4
@ 02
A4
56
A1
A4 55
55
82
FC
87
87
F3
C1
5A
5A
1E
47
58
R
58
C6
AE
DB
DB
68
3D
9E
9E
E5
19
03
CC
CC :
CA
The 4-byte round subkeys K (i = 0 39) are dened by a key scheduling function
i
h( ) : F 8
i
F8
! F4
F4
(i = 0 19)
so we have (K2 K2 +1 ) = h( ) (K K ) for i = 0 19.
i
i
i
L
R
This author is supported by an EPSRC award and completed part of the work whilst visiting the Department
of Informatics, University of Bergen, Norway.
1
The key scheduling function h( ) operates as follows. Let A = (q0 (2i) q1 (2i) q0 (2i) q1 (2i))
and B = (q0 (2i + 1) q1 (2i + 1) q0 (2i + 1) q1 (2i + 1)), where q0 and q1 are key-independent
bijective S-boxes acting on one byte inputs. Then
C = Q(A Y ) W
D = Q(B Z ) X
(K2 K2 +1 ) = H (C D )
where (W X ) = K , (Y Z ) = K , and Q and H are permutations of F 4 and F 8 respectively.
Note that h( ) has the property that
h( ) (x y) 6= h( ) (x y) for any x y 2 F 8 and i 6= j:
Suppose we dene + to denote a pair of modulo 232 additions, and = (e ) and 0 =
(;1 e), where e is the identity transformation on 32 bits and is a left rotation by one place
of 32 bits. A Twosh encryption of P = (P P ) under key K = (K K ) to give ciphertext
C = (C C ) is then given by
L0 = P (K0 K1 )
R0 = P (K2 K3 )
L +1 = (R (g 0 1 (L ) + (K2 +8 K2 +9 )))0 i = 0 15]
R +1 = L
i = 0 15]
C = R16 (K4 K5 )
C = R16 (K6 K7 ):
i
i
i
i
L
i
i
i
i
i
i
i
R
i
i
j
L
L
R
L
R
R
L
R
i
i
i
S S
i
i
i
i
L
R
2 Whitening Subkeys
The subkeys (K0 K1 K2 K3 ) and (K4 K5 K6 K7 ) XORed before the rst and after the last
round are known as whitening subkeys. They have been used in many block ciphers, for example
FEAL 3] and DES-X 2]. It turns out that for a 16-byte Twosh key there are less than 2128
possibilities for the pre-whitening subkeys (K0 K1 K2 K3 ). For example, (0 0 0 0) is not a
valid pre-whitening subkey, for if it were then h(0) (x y) = h(1) (x y) for some (x y). The number
of times a 16-byte pre-whitening key occurs would seem to follow a Poisson distribution with
mean 1, so only 1 ; e;1 = 0:632 of 4-byte values occur as pre-whitening subkeys. A similar
argument applies to post-whitening keys.
3 Reduced Twosh with (
0
S S
1)
xed
Consider a reduced version of Twosh in which S0 and S1 are xed. Then the two halves of the
key K = (K K ) are constrained to lie in 4-byte GF (28 )-subspaces dened by the pre-images
of S0 and S1 respectively, so K 2 RS ;1 (S0 ) and K 2 RS ;1 (S1 ). The kernel of RS , N , is the
row space of the matrix (T jI ), given by
L
R
L
R
0
BB 01
(T jI ) = B
BB A4
@ 55
A4
56
82
87 F3
02
A1
FC
C1
A4
55
87
5A
2
01
00
00
00
00
01
00
00
00
00
01
00
00
00
00
01
1
CC
CC :
CA
Fixing (S0 S1 ) forces K and K to be in specic cosets of N . If K is in the kernel, so K =
(Y Z ) 2 N , then Y = Z T , so if K is in a coset of the kernel, say K = (Y Z ) 2 N +(Y Z ),
then Y = Z T + Y + Z T . Thus if S0 and S1 are xed, then K and K are uniquely
dened by their values on four bytes. Using these transformations, we can dene an 8-byte key
K^ = (X Z ) and key scheduling functions
L
R
L
L
L
L
L
H(( )0
i
S S1
)
: F4
F4
! F4
F4
R
i = 0 19
given by, for any (W X Y Z ) 2 RS ;1 (S0 S1 ),
H ( ) (X Z ) = h( ) ((X T W X T X ) (Z T Y Z T Z )):
i
i
Reduced Twosh is a Feistel cipher with a known xed invertible round function
g
S0 S1
: F4
F4
! F4
F4 on 16-byte blocks under an 8-byte key.
Without loss of generality, we now consider the reduced Twosh in which (S0 S1 ) = (0 0).
Thus K = (W X ) and K = (Y Z ) are elements of the kernel of RS , N , and so W = X T
and Y = Z T .
We show how to nd subkey collisions in reduced Twosh. We wish to nd ((W 0 X 0 ) (Y 0 Z 0 ))
such that
C = Q(A Y 0 ) W 0
D = Q(B Z 0) X 0 :
Using the kernel condition W = X T etc, we have
L
R
i
i
i
i
X T X 0 T = Q(A Z T ) Q(A Z 0 T )
X X 0 = Q(B Z ) Q(B Z 0):
i
i
i
i
On applying T to the second equation we obtain
(X X 0 ) T = Q(A Z T ) Q(A Z 0 T )
(X X 0 ) T = Q(B Z ) T Q(B Z 0 ) T:
i
i
i
i
Adding these two equations and re-arranging gives
Q(A Z T ) Q(B Z ) T = Q(A Z 0 T ) Q(B Z 0) T:
i
i
i
i
Thus searching for subkey collisions is equivalent to nding collisions of the function R : F 4 !
F 4 dened by
R (Z ) = Q(A Z T ) Q(B Z ) T:
This function behaves like a \random" function on F 4 , so we would expect to nd a collision
after about 216 evaluations of R. For example, the pair of 8-byte reduced Twosh keys, with
(S0 S1 ) = (0 0), dened by
i
i
i
i
(X Z ) = (00000000 000006F5)
(X 0 Z 0 ) = (0015FB5C 000311C3)
3
cause (K8 K9 ) = (C82616C0 9FB7D001) by the Twosh key schedule.
The number of times an 8-byte round subkey (K2 K2 +1 ) occurs would seem to follow a
Poisson distribution with mean one, so only 1 ; e;1 = 0:632 of 8-byte values occur as round
subkeys (K2 K2 +1 ). This is inconsistent with the statement in Section 8.6 of 1] where it is
claimed that guessing the key input S to the round function \provides no information about
the round subkeys K ".
The key scheduling of reduced Twosh thus means that an 8-byte round subkey (K2 K2 +1 )
derived from an 8-byte key cannot take all possible values. This could speed up certain types
of cryptanalysis.
i
i
i
i
i
i
i
4 Conclusion
The key scheduling of Twosh has two properties that are contrary to claims implicit in 1], and
could potentially be exploited. Firstly, both the pre- and post-whitening subkeys of Twosh
occur with a non-uniform distribution, which gives information about the key. Secondly, the
round subkeys of every reduced version of Twosh (i.e., a version of Twosh with (S0 S1 ) xed)
occur with a non-uniform distribution, which gives information about the key. An attack on
any reduced version of Twosh would have cryptographic consequences for the full version of
Twosh (for example, the unbalanced key schedule described in reduced Twosh may aid an
attacker in deriving collisions if Twosh is used in a Davies-Meyer hash).
References
1] B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall, and N. Ferguson. Twosh: A 128Bit Block Cipher, AES Submission, 15 June 1998. http://www.counterpane.com/twoshpaper.html
2] J. Kilian and P. Rogaway. How to Protect DES against Exhaustive Search, CRYPTO '96,
pp267{278, Springer-Verlag, 1996.
3] A. Shimuzu and S. Miyaguchi. Fast Data Encipherment Algorithm FEAL, EUROCRYPT
'87, pp267{278, Springer-Verlag, 1988.
4