# Difference between revisions of "Blowfish (cipher)"

Sandy Harris (Talk | contribs) (new article, moving text from block cipher) |
Sandy Harris (Talk | contribs) m |
||

Line 13: | Line 13: | ||

The F function XORs the input with the 32-bit round key, splits the result into bytes and runs each byte through a different S-box to get four 32-bit results. Those are combined nonlinearly with x = ((a+b)^c)+d. As for [[Block_cipher#F_function_and_S-boxes|CAST]], the '''F function has ideal avalanche properties''' — every output bit depends nonlinearly on all input bits and all key bits. Complete avalanche — all 64 output bits depend on all 64 input bits — is achieved in three rounds. | The F function XORs the input with the 32-bit round key, splits the result into bytes and runs each byte through a different S-box to get four 32-bit results. Those are combined nonlinearly with x = ((a+b)^c)+d. As for [[Block_cipher#F_function_and_S-boxes|CAST]], the '''F function has ideal avalanche properties''' — every output bit depends nonlinearly on all input bits and all key bits. Complete avalanche — all 64 output bits depend on all 64 input bits — is achieved in three rounds. | ||

− | Blowfish [[Block cipher#S-boxes|S-boxes]] are key-dependent, randomly generated at cipher setup time. They are not as nonlinear as the carefully optimised [[ | + | Blowfish [[Block cipher#S-boxes|S-boxes]] are key-dependent, randomly generated at cipher setup time. They are not as nonlinear as the carefully optimised [[CAST cipher|CAST]] S-boxes, but they have the advantage of being unknown to an attacker and they are, with overwhelming probability, nonlinear enough. The key scheduling starts with a round key array of 18 32-bit entries (16 actual round keys plus 64 bits for [[#Whitening_and_tweaking|whitening]]) and four S-boxes, all initialised with apparently random bits derived from an expansion of pi. XOR the primary key into the round key array; the key can be any size up to the 576 bits of that array, Then run the cipher repeatedly and use the output to change both the round keys and the S-boxes; this takes 521 cipher iterations. |

For some applications, this key setup is inconveniently expensive; Blowfish may not be the best choice if keys need to be changed often. However, the actual encryption and decryption are fast. | For some applications, this key setup is inconveniently expensive; Blowfish may not be the best choice if keys need to be changed often. However, the actual encryption and decryption are fast. | ||

The cipher is freely available for any use. It has a home page; see [[Block_cipher/External_Links#Homepages_for_block_ciphers | external links]]. | The cipher is freely available for any use. It has a home page; see [[Block_cipher/External_Links#Homepages_for_block_ciphers | external links]]. |

## Revision as of 15:35, 23 July 2009

The **Blowfish** block cipher
^{[1]}
was designed by Bruce Schneier. It is a Feistel cipher with 64-bit blocks and 16 rounds. Supported key sizes are 32 to 576 bits; at least 128 is recommended.

The F function XORs the input with the 32-bit round key, splits the result into bytes and runs each byte through a different S-box to get four 32-bit results. Those are combined nonlinearly with x = ((a+b)^c)+d. As for CAST, the **F function has ideal avalanche properties** — every output bit depends nonlinearly on all input bits and all key bits. Complete avalanche — all 64 output bits depend on all 64 input bits — is achieved in three rounds.

Blowfish S-boxes are key-dependent, randomly generated at cipher setup time. They are not as nonlinear as the carefully optimised CAST S-boxes, but they have the advantage of being unknown to an attacker and they are, with overwhelming probability, nonlinear enough. The key scheduling starts with a round key array of 18 32-bit entries (16 actual round keys plus 64 bits for whitening) and four S-boxes, all initialised with apparently random bits derived from an expansion of pi. XOR the primary key into the round key array; the key can be any size up to the 576 bits of that array, Then run the cipher repeatedly and use the output to change both the round keys and the S-boxes; this takes 521 cipher iterations.

For some applications, this key setup is inconveniently expensive; Blowfish may not be the best choice if keys need to be changed often. However, the actual encryption and decryption are fast.

The cipher is freely available for any use. It has a home page; see external links.- ↑ "Description of a New Variable-Length Key, 64-Bit Block Cipher (Blowfish)",
*Fast Software Encryption, Cambridge Security Workshop Proceedings*: 191-204, December 1993