Paper 2005/115

Characteristics of Key-Dependent S-Boxes: the Case of Twofish

Marco Macchetti


In this paper we analyze and discuss the cryptographic robustness of key-dependent substitution boxes (KDSBs); these can be found in some symmetric-key algorithms such as Khufu, Blowfish, and the AES finalist Twofish. We analyze KDSBs in the framework of composite permutations, completing the theory developed by O'Connor. Under the basic assumption that KDSBs are built choosing permutations randomly from the symmetric group $S_{2^m}$ by means of the key, the expressions of their linear and differential characteristics are derived. These results are used as a statistical tool to show that Twofish KDSBs, although very efficient, can be easily distinguished from truly randomly built KDSBs. We also analyze the motivations that lead to this previously unknown property; it can be concluded that the efficiency of the construction and the small computational complexity of Twofish KDSBs, although very desirable, cannot be easily obtained together with the highest level of security.

Available format(s)
Secret-key cryptography
Publication info
Published elsewhere. not published elsewhere
Block cipherskey-dependent s-boxeslinear cryptanalysisTwofish.
Contact author(s)
macchett @ elet polimi it
2005-04-20: received
Short URL
Creative Commons Attribution


      author = {Marco Macchetti},
      title = {Characteristics of Key-Dependent S-Boxes: the Case of Twofish},
      howpublished = {Cryptology ePrint Archive, Paper 2005/115},
      year = {2005},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.