pythonpython-3.xcryptographytwofish

Twofish Key Expansion

I am trying to implement the Twofish cypher step by step as described in the 1998 paper of Bruce Schneider. Nevertheless, I already fail at the key expansion.

I tried to copy the details of the paper 1-to-1 into python, with the following result:

#! /usr/bin/python3.2

def expandKey256 (key):
    m = [0] * (32)
    for i in range (32):
        m [i] = (key >> (i * 8) ) & 0xff
        #m [31 - i] = (key >> (i * 8) ) & 0xff
    print ('m = {}\n'.format ( [hex (b) for b in m] ) )

    M = [0] * 8
    for i in range (8):
        for j in range (4):
            M [i] += m [4 * i + j] * 2 ** (8 * j)
    print ('M = {}\n'.format ( [hex (b) for b in M] ) )

    Me = [M [0], M [2], M [4], M [6] ]
    Mo = [M [1], M [3], M [5], M [7] ]
    print ('Me = {}\n'.format ( [hex (b) for b in Me] ) )
    print ('Mo = {}\n'.format ( [hex (b) for b in Mo] ) )

    RS = [ [0x01, 0xA4, 0x55, 0x87, 0x5A, 0x58, 0xDB, 0x9E],
        [0xA4, 0x56, 0x82, 0xF3, 0x1E, 0xC6, 0x68, 0xE5],
        [0x02, 0xA1, 0xFC, 0xC1, 0x47, 0xAE, 0x3D, 0x19],
        [0xA4, 0x55, 0x87, 0x5A, 0x58, 0xDB, 0x9E, 0x03] ]

    s = [ [0] * 4] * 4
    S = [0] * 4
    for i in range (4):
        for j in range (4):
            for k in range (8):
                s [i] [j] += m [8 * i + k] * RS [j] [k]
                s [i] [j] &= 0xff
            S [i] += s [i] [j] * 2 ** (8 * j)
    for i in range (4):
        print ('S{} = {}'.format (i, hex (S [i] ) ) )

expandKey256 (0x0123456789ABCDEFFEDCBA987654321000112233445566778899AABBCCDDEEFF)

However, my output isn't the same as specified in the test vectors. I already tried to read the bytes the other way round (the commented line), but no avail.

These are the results of the test vector:

B89FF6F2
B255BC4B
45661061
8E4447F7

And these are mine:

S0 = 0x612a646d
S1 = 0x527cc87a
S2 = 0x1482c008
S3 = 0xa4d128ce

Can anyone see my error?

Solution

  • At least this line

    s = [ [0] * 4] * 4

    probably is not doing what you think it is doing. It is not doing the same thing as

    s = [[0, 0, 0, 0], [0, 0, 0, 0], [0, 0, 0, 0], [0, 0, 0, 0]]

    I didn't go through all of the code however.

    EDIT

    Apparently the OP needs more proof. Here some output from IDLE showing the difference

    >>> s = [ [0] * 4] * 4
>>> s
[[0, 0, 0, 0], [0, 0, 0, 0], [0, 0, 0, 0], [0, 0, 0, 0]]
>>> s[0][0] += 1
>>> s
[[1, 0, 0, 0], [1, 0, 0, 0], [1, 0, 0, 0], [1, 0, 0, 0]]
>>> s = [[0, 0, 0, 0], [0, 0, 0, 0], [0, 0, 0, 0], [0, 0, 0, 0]]
>>> s
[[0, 0, 0, 0], [0, 0, 0, 0], [0, 0, 0, 0], [0, 0, 0, 0]]
>>> s[0][0] += 1
>>> s
[[1, 0, 0, 0], [0, 0, 0, 0], [0, 0, 0, 0], [0, 0, 0, 0]]
>>>

    The expression s = [ [0] * 4] * 4 creates a list containing another list of zeros, then makes 3 more copies of the reference to the list. It is equivalent to v = [0]*4; s=[v,v,v,v]