Is Twofish obsolete?
I have been reading a book called "Cryptography: A Primer", and it says that Twofish is obsolete and I should use a better one instead.
Is that really true? What would you recommend instead?
From the official site of the Twofish algorithm: The Twofish algorithm is the first member of the AES (Advanced Encryption Standard) family, and is based on Feistel networks with nonlinear permutations. This was the first practical block cipher with a security of 128 bits against all known attacks, and has been adopted by several standards including the U.S. Federal government's Advanced Encryption Standard.
So it seems as though it is still a standard and a well-known algorithm. There's no indication that it is obsolete. It is just not as widely used as the other algorithms in the AES family.
What is the difference between Blowfish and Twofish encryption?
Is the security of Blowfish/Twofish algorithms equivalent to that of Blowfish?
Is it a matter of the speed at which Twofish encrypts more data than Blowfish? If so, is there any way to make Blowfish secure as efficiently as Twofish? Why is Blowfish faster than Twofish?
It's basically a tradeoff. Blowfish encryption uses the same method as DES (Data Encryption Standard) used in the first public release of PGP, which also used a substitution cipher with large table lookup, as did Twofish.
Blowfish and DES were originally designed for compatibility reasons; Blowfish was faster and more secure than DES, but required longer encryption key lengths. There are some attacks on Blowfish that break it, and it's possible to weaken it by reducing key sizes.
As far as I know, DES (and Blowfish) encryption remains perfectly secure, whereas it has been shown that Twofish is vulnerable to brute force attacks. The differences between the two algorithms are described here. In summary, there are many differences, particularly in the speed of execution and the number of possible keys.
If you look at the paper by Schneier et al., you'll find a similar discussion of the relative merits of the algorithms. As a rough measure of performance, note that a 3DES block encrypts one 64-bit message using three 56-bit keys (56 bits being a common default for symmetric ciphers). That means that, compared to a 3DES-256 block (a 256-bit key), it's more than 15 times slower in terms of performance, and is therefore much less suitable for real-time applications.
Security-wise, the paper you link does a good job of outlining the problems with some of the attacks on Twofish, but does not attempt to compare Blowfish/Twofish against other algorithms.
What is better than Blowfish?
Not much.
Blowfish is the encryption library that, more than anything else, got me into cryptanalysis. When Blowfish was first released in 1999, it took all of about five minutes to get it working on a modern 32-bit x86 machine. If you don't know how it works, and if you're wondering what this means in the context of a blog post, it's good.
Since Blowfish is now over 10 years old, it seems an opportune time to assess its current status and see if it still holds up. Unfortunately, I've discovered that even when the crypto-world is moving forward at a rapid pace, the security of Blowfish has been essentially stagnant for the past few years. Since the introduction of the AES, Blowfish has become an academic curiosity rather than an actual tool of serious cryptographers.
If you want to be really picky, you can tell that Blowfish is not as strong as it was 10 years ago. It is, however, one of the stronger block ciphers available, thanks largely to its extremely slow key schedule. In addition to this, the cipher is based on the idea that we are all a bit of a sucker when it comes to using random numbers. This is a decent idea if you can find good random number generators, but most of the time, there's little point in being paranoid because no one's going to bother with a super-fast key schedule.
Blowfish is not exactly weak; it's just not as strong as it was in the '90s. The cipher isn't that bad, though. Blowfish is still a reasonably fast cipher, especially given how many rounds it has. In my testing, it has an effective speed of 10 cycles per byte. Most notable, though, is the ease of its key schedules. Blowfish can do its key schedule in around 0.2 seconds, which is quite easy for any hardware routine. It's also a very simple cipher; if you have the key, you can always figure out the initialization vector.
Unfortunately, Blowfish also doesn't offer much in the way of security guarantees. The cipher has several vulnerabilities, and those weaknesses are easily exploitable. Its biggest weakness, though, is that in some key schedules, the cipher will produce invalid outputs for some inputs. These are very minor problems, but it shows just how old Blowfish really is.
What are the disadvantages of Twofish?
The Twofish cipher has a drawback over DES/3DES/AES.
It has a small number of rounds. But that does not affect security of the cipher itself. It affects the encryption speed. There is a new version of the cipher called Twofish-2 which has an order of magnitude faster encryption speed than the original Twofish, but it has also some minor drawbacks over the original. There are no disadvantages with Threefish-2 if one can make all the rounds in an acceptable time. I'll try to discuss here what I know about the drawbacks and advantages of Twofish-2. The original paper introducing Twofish-2 can be found here.
Let's look at the advantages and drawbacks for both the standard and fast variant.
Advantages of Twofish-2:
It has much faster decryption speed. Decrypting data twice as fast. I know it sounds insignificant, but this is really the key to the cipher. A couple of extra microseconds per decryption means two times more data can be processed and decrypted in the same amount of time. That can make a real difference when your target is processing huge volumes of data. If you don't have any problems with time in your system it may be worth just waiting a bit less.
It can encrypt with higher key sizes. The key size range of Twofish-2 is from 64 to 256 bits. In fact, most systems use 128- or 192-bit keys and do an AES implementation internally, so this change will not have any impact.
It has better key and message schedule resistance. AES has been the most vulnerable to schedule attacks. The weaknesses in AES implementations are well known and documented. Even though Twofish-2 does not actually provide the same amount of key stream distribution over the length of a block, its schedule resistance is still superior to that of AES. The reason for this is as follows: If we can attack AES by finding the schedule resistance (we can achieve that by just trying out different keys and seeing how much our keystream gets changed) then we can do the same thing with Twofish, but in practice the schedule resistance is much lower than for AES. For instance, if we get 0% change on schedule resistance when using 192-bit keys, then we can assume that the keystream is identical.