Security Encyclopedia


Twofish is a well-regarded symmetric-key block cipher that is available in the public domain. 

Specifically, Twofish is a symmetric-key block cipher with a block size of 128 bits and key sizes up to 256 bits. Among its positive attributes are the use of substitution boxes (S-boxes) to obfuscate the relationship between the key and ciphertext, and a relatively complex key schedule.

Twofish is also notable for being a runner-up in the Advanced Encryption Standard (AES) process. As the Data Encryption Standard (DES) was being deprecated in the face of stronger brute-force attacks, the US Government’s National Institute of Standards and Technology (NIST) held an open contest for its replacement from 1997 to 2000. The Twofish algorithm lost to Rijndael, the original name for AES. After Twofish failed to be selected and ratified as the AES, the algorithm suffered, as CPUs tooled up for Rijndael left Twofish inefficient and slow. It has since remained unpatented and available for anyone to use, and has found its way into the Pretty Good Privacy (PGP) program.

Twofish is used less commonly than the earlier, similar algorithm Blowfish. Both were created in part by the renowned American cryptographer and security professional Bruce Schneier. AES, sanctioned by NIST, is the dominant algorithm used to protect data.


“When NIST held a contest to replace the reigning encryption standard DES, Twofish was a runner-up, losing out to Rijndael, which became the Advanced Encryption Standard, or AES.”