- Blowfish (cipher)
Infobox block cipher
name = Blowfish
caption = The round function (Feistel function) of Blowfish
publish date = 1993
derived from =
derived to =
key size = 32-448 bits in steps of 8 bits; default 128 bits
block size = 64 bits
rounds = 16
cryptanalysis = Four rounds of Blowfish are susceptible to a second-order
differential attack(Rijmen, 1997); for a class of weak keys, 14 rounds of Blowfish can be distinguished from a pseudorandom permutation(Vaudenay, 1996).In cryptography, Blowfish is a keyed, symmetric block cipher, designed in 1993 by Bruce Schneierand included in a large number of cipher suites and encryption products. Blowfish provides a good encryption rate in software and no effective cryptanalysisof it has been found to date. However, the Advanced Encryption Standardnow receives more attention.
Schneier designed Blowfish as a general-purpose algorithm, intended as a replacement for the aging DES and free of the problems and constraints associated with other algorithms. At the time Blowfish was released, many other designs were proprietary, encumbered by
patents or were commercial/government secrets. Schneier has stated that, "Blowfish is unpatented, and will remain so in all countries. The algorithm is hereby placed in the public domain, and can be freely used by anyone."
Notable features of the design include key-dependent
S-boxes and a highly complex key schedule.
Blowfish has a 64-bit block size and a variable
key lengthfrom 0 up to 448 bits [http://www.schneier.com/paper-blowfish-fse.html] . It is a 16-round Feistel cipherand uses large key-dependent S-boxes. It is similar in structure to CAST-128, which uses fixed S-boxes.
The diagram to the left shows the action of Blowfish. Each line represents 32 bits. The algorithm keeps two subkey arrays: the 18-entry P-array and four 256-entry S-boxes. The S-boxes accept 8-bit input and produce 32-bit output. One entry of the P-array is used every round, and after the final round, each half of the data block is XORed with one of the two remaining unused P-entries.
The diagram to the right shows Blowfish's F-function. The function splits the 32-bit input into four eight-bit quarters, and uses the quarters as input to the S-boxes. The outputs are added modulo 232 and XORed to produce the final 32-bit output.
Since Blowfish is a Feistel network, it can be inverted simply by XORing P17 and P18 to the ciphertext block, then using the P-entries in reverse order.
key schedulestarts by initializing the P-array and S-boxes with values derived from the hexadecimaldigits of pi, which contain no obvious pattern (see nothing up my sleeve number). The secret key is then XORed with the P-entries in order (cycling the key if necessary). A 64-bit all-zero block is then encrypted with the algorithm as it stands. The resultant ciphertext replaces P1 and P2. The ciphertext is then encrypted again with the new subkeys, and P3 and P4 are replaced by the new ciphertext. This continues, replacing the entire P-array and all the S-box entries. In all, the Blowfish encryption algorithm will run 521 times to generate all the subkeys - about 4KB of data is processed.
Cryptanalysis of Blowfish
There is no effective
cryptanalysison the full-round version of Blowfish known publicly as of 2008update after|2009|1|1. A sign extensionbug in one publication of C code has been identified. [http://www.schneier.com/blowfish-bug.txt]
Serge Vaudenayfound a known-plaintext attack requiring 28"r" + 1 known plaintexts to break, where "r" is the number of rounds. Moreover, he also found a class of weak keys that can be detected and broken by the same attack with only 24"r" + 1 known plaintexts. This attack cannot be used against the regular Blowfish; it assumes knowledge of the key-dependent S-boxes. Vincent Rijmen, in his Ph.D. thesis, introduced a second-order differential attack that can break four rounds and no more. There remains no known way to break the full 16 rounds, apart from a brute-force search. cite paper
author = Serge Vaudenay
title = On the Weak Keys of Blowfish
date = 1996
url = http://lasecwww.epfl.ch/php_code/publications/search.php?ref=Vau96a
accessdate = 2006-08-23]
Bruce Schneier notes that while Blowfish is still in use, he recommends using the more recent
Twofishalgorithm instead cite web
title= Bruce Almighty: Schneier preaches security to Linux faithful
author= Dahna McConnachie
quote= At this point, though, I'm amazed it's still being used. If people ask, I recommend Twofish instead.]
Blowfish in practice
Blowfish is one of the fastest
block ciphers in widespread use, except when changing keys. Each new key requires pre-processing equivalent to encrypting about 4 kilobytes of text, which is very slow compared to other block ciphers. This prevents its use in certain applications, but is not a problem in others. In one application, it is actually a benefit: the password-hashing method used in OpenBSDuses an algorithm derived from Blowfish that makes use of the slow key schedule; the idea is that the extra computational effort required gives protection against dictionary attacks. "See" key strengthening.
In some implementations, Blowfish has a memory footprint of just over 4 kilobytes of RAM. This constraint is not a problem even for older desktop and laptop computers, though it does prevent use in the smallest
embedded systemssuch as early smartcards.
Blowfish is not subject to any patents and is therefore freely available for anyone to use. This benefit has contributed to its popularity in cryptographic software.
Advanced Encryption Standard
Notes and references
* Vincent Rijmen, "Cryptanalysis and design of iterated block ciphers", doctoral dissertation, October 1997.
* Bruce Schneier, Description of a New Variable-Length Key, 64-bit Block Cipher (Blowfish). Fast Software Encryption 1993: 191-204 [http://www.schneier.com/paper-blowfish-fse.html] .
* Bruce Schneier, The Blowfish Encryption Algorithm -- One Year Later, "
Dr. Dobb's Journal", 20(9), p. 137, September 1995 [http://www.schneier.com/paper-blowfish-oneyear.html] .
* Serge Vaudenay, "On the weak keys of Blowfish," Fast Software Encryption (FSE'96), LNCS 1039, D. Gollmann, Ed., Springer-Verlag, 1996, pp. 27--32.
* [http://www.schneier.com/blowfish.html Official Blowfish website]
* [http://www.schneier.com/blowfish-products.html List of products using Blowfish]
* [http://www.users.zetnet.co.uk/hopwood/crypto/scan/cs.html#Blowfish SCAN's entry for Blowfish]
* [http://pear.php.net/package/Crypt_Blowfish/ Blowfish PHP implementation]
* [http://www.aurigalogic.com/auriga/avs/home/downloads/crypto.html Blowfish Java implementation (LGPL)]
Wikimedia Foundation. 2010.