Twofish is a block cipher that was designed by Bruce Schneier, David Wagner, Niels Ferguson, John Kelsey, Doug Whiting, and Chris Hall. It was submitted to the AES process, and made it into the final round of 5 candidates, but lost to Rijndael (in the final vote, it was also beaten by Serpent).

Like the other AES ciphers, Twofish operates on 128-bit blocks, under control of a 128, 192, or 256-bit key. There is an additional convention for supporting keys not of these sizes, which involves padding the key with 0 bits until it is of a size acceptable to the key schedule. For performance reasons, Twofish has a different key schedule for different key lengths, meaning an implementation which supports all three lengths has to have different code (or hardware) for each. In fact, if the implementation wants to support keys that are 64 bits (or smaller), four different key schedules are required, for compatibility with the reference implementation. The key schedule is fairly complicated, and involves Reed-Solomon codes, MDS codes, pseudo-Hamadard transformations, and quite a few other things. It generates a set of 4 S-boxes, each of which is a maximum-distance separable code. A set of 40 32-bit round keys are also generated, the first 8 of which are used for whitening.

Encryption starts out by splitting the 128-bit input into 4 32-bit words, and XORing each word with a masking key (this technique is referred to as whitening). This is followed by 16 rounds of encryption, and the output of that is then XORed with another set of 4 masking keys.

The round function of Twofish is quite complicated, and is probably twice as complicated is it needs to be. The idea was that by including plenty of "extras", Twofish might end up being more resistant to attacks developed in the future. The round function takes four 32-bit data words (A, B, C, and D) as input, and modifies two of them (C and D). Denote the round number (going from 0 to 15) as R. The weird X_N notation means accessing the N'th byte of X, using the big endian convention.

round_function(A, B, C, D, R)
X = S0[A_3] ^ S1[A_2] ^ S2[A_1] ^ S3[A_0]
Y = S0[B_0] ^ S1[B_1] ^ S2[B_2] ^ S3[B_3]
X += Y
Y += X
X += ROUND_KEY[2*R+8]
Y + ROUND_KEY[2*R+9]
C = rotate_right(C ^ X, 1)
D = rotate_left(D, 1) ^ Y

Unfortunately, decryption requires mostly different code (or circuitry), unlike most other Feistel networks, where reversing the order of the round keys is sufficient to implement decryption.

Twofish's design is quite good, and it's entirely possible that it is the most secure of all the AES candidates. However, the complexity which gives the algorithm its strength also means it's quite complicated to implement, and this worked against it rather heavily during the AES competition. In addition, there were concerns that Twofish's structure was too complicated for a full analysis to be completed by the time the AES choice had to be finalized.