The title of this thread pretty much sums up what I'm asking: what is the best encryption to use out of the three — Blowfish, Twofish, or Threefish?
Asked
Active
Viewed 2.3k times
5 Answers
23
TL;DR: Twofish and Threefish are fine.
It is not the best idea to have the cipher you want to use hardcoded because you can't upgrade easily when one of them is broken. to quote mikeazo in the comments:
What you should do is develop your application to not be bound to a specific cipher.
Twofish
In 1999, Niels Ferguson published an impossible differential attack that breaks six rounds out of 16 of the 256-bit key version using $2^{256}$ steps.
As of 2000, the best published cryptanalysis on the Twofish block cipher is a truncated differential cryptanalysis of the full 16-round version. The paper claims that the probability of truncated differentials is $2^{−57.3}$ per block and that it will take roughly $2^{51}$ chosen plaintexts (32 petabytes worth of data) to find a good pair of truncated differentials.
Bruce Schneier responds in a 2005 blog entry that this paper does not present a full cryptanalytic attack, but only some hypothesized differential characteristics: "But even from a theoretical perspective, Twofish isn't even remotely broken. There have been no extensions to these results since they were published in 2000."
https://www.schneier.com/academic/twofish/
https://www.schneier.com/blog/archives/2005/11/twofish_cryptan.html
Threefish
In October 2010, an attack that combines rotational cryptanalysis with the rebound attack was published. The attack mounts a known-key distinguisher against 53 of 72 rounds in Threefish-256, and 57 of 72 rounds in Threefish-512. It also affects the Skein hash function. This is a follow-up to the earlier attack published in February, which breaks 39 and 42 rounds respectively. In response to this attack, the Skein team tweaked the rotation constants used in Threefish and thereby the key schedule constants for round 3 of the NIST hash function competition.
In 2009, a related key boomerang attack against a reduced round Threefish version was published. For the 32-round version, the time complexity is $2^{226}$ and the memory complexity is $2^{12}$ for the 33-round version, the time complexity is $2^{352.17}$ with a negligible memory usage. The attacks also work against the tweaked version of Threefish: for the 32-round version, the time complexity is $2^{222}$ and the memory complexity is $2^{12}$ for the 33-round version, the time complexity is $2^{355.5}$ with a negligible memory usage.
http://www.skein-hash.info/ (the design of Threefish is based on it).
Blowfish
At this point, though, I'm amazed it's still being used. If people ask, I recommend Twofish instead. — Bruce Schneier, Blowfish's creator, 2007
Swordfish
GABRIEL
Here's the deal. I need a worm,
Stanley. A hydra, actually. A
multi-headed worm to break an
encryption and then sniff out
latent digital footprints
throughout an encrypted network.
STANLEY
What kind of cypher?
GABRIEL
Vernam encryption.
STANLEY
A Vernam's impossible. Its key
code is destroyed upon
implementation. Not to mention
being a true 128 bit encryption.
GABRIEL
Actually, we're talking 512 bit.
10
If you want to choose a fishy cipher by Bruce et al, I'd go for Twofish.
Reason:
- Blowfish is not recommended anymore because of the small block size of 64 bits, among others. Even Bruce is not recommending it anymore - it's an old but unbroken cipher;
- Twofish is a relatively modern 128 bit block cipher which is a drop in for AES - for the simple reason that it was designed to be AES;
- Threefish is mainly used as tweakable block cipher construction within the Skein hash function; it has a large block size and high number of (relatively simple) rounds;
- Dopefish is actually not a block cipher but a character in Commander Keen.
Threefish is too specialized and not explicitly defined for block cipher modes of operation. Furthermore, Threefish has a block size different from AES candidates (256 or even 512 bits instead of 128). This makes it less likely that you will find it in many cryptographic libraries and makes it harder to switch to / from other AES candidates or AES itself.
The fact that it is tweakable and has a large block size may make Threefish more applicable for state-of-the art schemes - but I don't think that's what you're are after.
Blowfish and Dopefish are right out, leaving Twofish.
Maarten Bodewes
- 96,351
- 14
- 169
- 323
1
I agree that you shouldn't use Blowfish.
Whether Twofish or Threefish, depends on the application. Of course, if there is hardware support for AES, then you should use AES.
A good application for Threefish would be an embedded controller using a micro with no AES hardware. It has no S-Boxes, so it's ROM needs are fairly small. If you forego the tweak feature and add in the subkey number "on the fly", you only need N+1 subkeys, all of which can be precomputed and stored in ROM, thus saving a lot of RAM.
If you want/need the tweak feature, consider using a different key instead, to save both RAM and key set up time.
Also, be sure to use CBC or other mode that uses Initialization Vectors.
PenguinOutOfWater
- 41
- 2
-3
I would say Two Fish although I still love Blow Fish and I love the variable block size in Three Fish but everybody wants speed and Three Fish is a little slower;it is sad when speed beats security.
-4
I prefer blowfish because the key length is 448 bits. But due to it`s small block size (64 bits), I recommend using CBC mode.
I prefer blowfish to AES because AES is the government standard and I don`t trust the government. For instance, the old government standard, DES, was 56 bits. At the time DES was created, it was strong enough to not be broken by a PC, but weak enough to be broken by the NSA. The government has a history of making powerful encryption illegal.
Russell Hankins
- 99
- 3