Blowfish (cipher)

Last updated
Blowfish
General
Designers Bruce Schneier [1]
First published1993 [1]
Successors Twofish
Cipher detail
Key sizes 32–448 bits
Block sizes 64 bits
Structure Feistel network
Rounds 16
Best public cryptanalysis
Four rounds of Blowfish are susceptible to a second-order differential attack (Rijmen, 1997); [2] for a class of weak keys, 14 rounds of Blowfish can be distinguished from a pseudorandom permutation (Vaudenay, 1996).

Blowfish is a symmetric-key block cipher, designed in 1993 by Bruce Schneier and included in many cipher suites and encryption products. Blowfish provides a good encryption rate in software, and no effective cryptanalysis of it has been found to date for smaller files. It is recommended Blowfish should not be used to encrypt files larger than 4GB in size, Twofish should be used instead. [3]

Contents

Blowfish has a 64-bit block size and therefore it could be vulnerable to Sweet32 birthday attacks. [4]

Schneier designed Blowfish as a general-purpose algorithm, intended as an alternative to the aging DES and free of the problems and constraints associated with other algorithms. At the time Blowfish was released, many other designs were proprietary, encumbered by patents, or were commercial or government secrets. Schneier has stated that "Blowfish is unpatented, and will remain so in all countries. The algorithm is hereby placed in the public domain, and can be freely used by anyone." [5]

Notable features of the design include key-dependent S-boxes and a highly complex key schedule.

The algorithm

Blowfish has a 64-bit block size and a variable key length from 32 bits up to 448 bits. [5] It is a 16-round Feistel cipher and uses large key-dependent S-boxes. In structure it resembles CAST-128, which uses fixed S-boxes.

The Feistel structure of Blowfish Blowfish diagram.svg
The Feistel structure of Blowfish

The adjacent diagram shows Blowfish's encryption routine. Each line represents 32 bits. There are five subkey-arrays: one 18-entry P-array (denoted as K in the diagram, to avoid confusion with the Plaintext) and four 256-entry S-boxes (S0, S1, S2 and S3).

Every round r consists of 4 actions:

Action 1XOR the left half (L) of the data with the r th P-array entry
Action 2Use the XORed data as input for Blowfish's F-function
Action 3XOR the F-function's output with the right half (R) of the data
Action 4Swap L and R

The F-function splits the 32-bit input into four 8-bit quarters and uses the quarters as input to the S-boxes. The S-boxes accept 8-bit input and produce 32-bit output. The outputs are added modulo 232 and XORed to produce the final 32-bit output (see image in the upper right corner). [6]

After the 16th round, undo the last swap, and XOR L with K18 and R with K17 (output whitening).

Decryption is exactly the same as encryption, except that P1, P2, ..., P18 are used in the reverse order. This is not so obvious because xor is commutative and associative. A common misconception is to use inverse order of encryption as decryption algorithm (i.e. first XORing P17 and P18 to the ciphertext block, then using the P-entries in reverse order).

Blowfish's key schedule starts by initializing the P-array and S-boxes with values derived from the hexadecimal digits of pi, which contain no obvious pattern (see nothing up my sleeve number). The secret key is then, byte by byte, cycling the key if necessary, XORed with all the P-entries in order. A 64-bit all-zero block is then encrypted with the algorithm as it stands. The resultant ciphertext replaces P1 and P2. The same ciphertext is then encrypted again with the new subkeys, and the new ciphertext replaces P3 and P4. This continues, replacing the entire P-array and all the S-box entries. In all, the Blowfish encryption algorithm will run 521 times to generate all the subkeys  about 4 KB of data is processed.

Because the P-array is 576 bits long, and the key bytes are XORed through all these 576 bits during the initialization, many implementations support key sizes up to 576 bits. The reason for that is a discrepancy between the original Blowfish description, which uses 448-bit keys, and its reference implementation, which uses 576-bit keys. The test vectors for verifying third-party implementations were also produced with 576-bit keys. When asked which Blowfish version is the correct one, Bruce Schneier answered: "The test vectors should be used to determine the one true Blowfish".

Another opinion is that the 448 bits limit is present to ensure that every bit of every subkey depends on every bit of the key, [5] as the last four values of the P-array don't affect every bit of the ciphertext. This point should be taken in consideration for implementations with a different number of rounds, as even though it increases security against an exhaustive attack, it weakens the security guaranteed by the algorithm. And given the slow initialization of the cipher with each change of key, it is granted a natural protection against brute-force attacks, which doesn't really justify key sizes longer than 448 bits.

Blowfish in pseudocode

P[18]            // P-array of 18 elements S[4][256]        // S-boxes: 4 arrays of 256 elementsfunction f(x):     // Calculates a function f on a 32-bit input x, using S-boxes and bit manipulation     high_byte := (x shifted right by 24 bits)     second_byte := (x shifted right by 16 bits) AND 0xff     third_byte := (x shifted right by 8 bits) AND 0xff     low_byte := x AND 0xff      h := S[0][high_byte] + S[1][second_byte]     return (h XOR S[2][third_byte]) + S[3][low_byte]  procedure blowfish_encrypt(L, R):     // Encrypts two 32-bit halves L and R using the P-array and function f over 16 roundsfor round := 0 to 15:         L := L XOR P[round]         R := f(L) XOR R         swap values of L and Rswap values of L and R     R := R XOR P[16]     L := L XOR P[17]  procedure blowfish_decrypt(L, R):     // Decrypts two 32-bit halves L and R using the P-array and function f over 16 rounds in reversefor round := 17 down to 2:         L := L XOR P[round]         R := f(L) XOR R         swap values of L and Rswap values of L and R     R := R XOR P[1]     L := L XOR P[0]   // Initializes the P-array and S-boxes using the provided key, followed by key expansion // Initialize P-array with the key values key_position := 0 for i := 0 to 17:     k := 0     for j := 0 to 3:         k := (k shifted left by 8 bits) OR key[key_position]         key_position := (key_position + 1) mod key_length     P[i] := P[i] XOR k  // Blowfish key expansion (521 iterations) L := 0, R := 0 for i := 0 to 17 by 2:     blowfish_encrypt(L, R)     P[i] := L     P[i + 1] := R  // Fill S-boxes by encrypting L and Rfor i := 0 to 3:     for j := 0 to 255 by 2:         blowfish_encrypt(L, R)         S[i][j] := L         S[i][j + 1] := R

Blowfish in practice

Blowfish is a fast block cipher, except when changing keys. Each new key requires the pre-processing equivalent of encrypting about 4 kilobytes of text, which is very slow compared to other block ciphers. This prevents its use in certain applications, but is not a problem in others.

Blowfish must be initialized with a key. It is good practice to have this key hashed with a hash function before use.

In one application Blowfish's slow key changing is actually a benefit: the password-hashing method (crypt $2, i.e. bcrypt) used in OpenBSD uses an algorithm derived from Blowfish that makes use of the slow key schedule; the idea is that the extra computational effort required gives protection against dictionary attacks. See key stretching.

Blowfish has a memory footprint of just over 4 kilobytes of RAM. This constraint is not a problem even for older desktop and laptop computers, though it does prevent use in the smallest embedded systems such as early smartcards.

Blowfish was one of the first secure block ciphers not subject to any patents and therefore freely available for anyone to use. This benefit has contributed to its popularity in cryptographic software.

bcrypt is a password hashing function which, combined with a variable number of iterations (work "cost"), exploits the expensive key setup phase of Blowfish to increase the workload and duration of hash calculations, further reducing threats from brute force attacks.

bcrypt is also the name of a cross-platform file encryption utility developed in 2002 that implements Blowfish. [7] [8] [9] [10]

Weakness and successors

Blowfish's use of a 64-bit block size (as opposed to e.g. AES's 128-bit block size) makes it vulnerable to birthday attacks, particularly in contexts like HTTPS. In 2016, the SWEET32 attack demonstrated how to leverage birthday attacks to perform plaintext recovery (i.e. decrypting ciphertext) against ciphers with a 64-bit block size. [11] The GnuPG project recommends that Blowfish not be used to encrypt files larger than 4 GB [3] due to its small block size. [4]

A reduced-round variant of Blowfish is known to be susceptible to known-plaintext attacks on reflectively weak keys. Blowfish implementations use 16 rounds of encryption, and are not susceptible to this attack. [12] [13]

Bruce Schneier has recommended migrating to his Blowfish successor, Twofish. [14]

Blowfish2 was released in 2005, developed by Alexander Pukall. It has exactly the same design but has twice as many S tables and uses 64-bit integers instead of 32-bit integers. It no longer works on 64-bit blocks but on 128-bit blocks like AES. Blowfish2 is used for example, in FreePascal. [15] [16]

See also

Related Research Articles

<span class="mw-page-title-main">Advanced Encryption Standard</span> Standard for the encryption of electronic data

The Advanced Encryption Standard (AES), also known by its original name Rijndael, is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001.

In cryptography, a block cipher is a deterministic algorithm that operates on fixed-length groups of bits, called blocks. Block ciphers are the elementary building blocks of many cryptographic protocols. They are ubiquitous in the storage and exchange of data, where such data is secured and authenticated via encryption.

<span class="mw-page-title-main">Data Encryption Standard</span> Early unclassified symmetric-key block cipher

The Data Encryption Standard is a symmetric-key algorithm for the encryption of digital data. Although its short key length of 56 bits makes it too insecure for modern applications, it has been highly influential in the advancement of cryptography.

<span class="mw-page-title-main">Symmetric-key algorithm</span> Algorithm

Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both the encryption of plaintext and the decryption of ciphertext. The keys may be identical, or there may be a simple transformation to go between the two keys. The keys, in practice, represent a shared secret between two or more parties that can be used to maintain a private information link. The requirement that both parties have access to the secret key is one of the main drawbacks of symmetric-key encryption, in comparison to public-key encryption. However, symmetric-key encryption algorithms are usually better for bulk encryption. With exception of the one-time pad they have a smaller key size, which means less storage space and faster transmission. Due to this, asymmetric-key encryption is often used to exchange the secret key for symmetric-key encryption.

<span class="mw-page-title-main">RC5</span> Block cipher

In cryptography, RC5 is a symmetric-key block cipher notable for its simplicity. Designed by Ronald Rivest in 1994, RC stands for "Rivest Cipher", or alternatively, "Ron's Code". The Advanced Encryption Standard (AES) candidate RC6 was based on RC5.

In cryptography, an initialization vector (IV) or starting variable is an input to a cryptographic primitive being used to provide the initial state. The IV is typically required to be random or pseudorandom, but sometimes an IV only needs to be unpredictable or unique. Randomization is crucial for some encryption schemes to achieve semantic security, a property whereby repeated usage of the scheme under the same key does not allow an attacker to infer relationships between segments of the encrypted message. For block ciphers, the use of an IV is described by the modes of operation.

<span class="mw-page-title-main">Block cipher mode of operation</span> Cryptography algorithm

In cryptography, a block cipher mode of operation is an algorithm that uses a block cipher to provide information security such as confidentiality or authenticity. A block cipher by itself is only suitable for the secure cryptographic transformation of one fixed-length group of bits called a block. A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block.

<span class="mw-page-title-main">Feistel cipher</span> Cryptography construction

In cryptography, a Feistel cipher is a symmetric structure used in the construction of block ciphers, named after the German-born physicist and cryptographer Horst Feistel, who did pioneering research while working for IBM; it is also commonly known as a Feistel network. A large number of block ciphers use the scheme, including the US Data Encryption Standard, the Soviet/Russian GOST and the more recent Blowfish and Twofish ciphers. In a Feistel cipher, encryption and decryption are very similar operations, and both consist of iteratively running a function called a "round function" a fixed number of times.

<span class="mw-page-title-main">Serpent (cipher)</span> Block cipher

Serpent is a symmetric key block cipher that was a finalist in the Advanced Encryption Standard (AES) contest, in which it ranked second to Rijndael. Serpent was designed by Ross Anderson, Eli Biham, and Lars Knudsen.

<span class="mw-page-title-main">DES-X</span> Block cipher

In cryptography, DES-X is a variant on the DES symmetric-key block cipher intended to increase the complexity of a brute-force attack. The technique used to increase the complexity is called key whitening.

In cryptography, Khufu and Khafre are two block ciphers designed by Ralph Merkle in 1989 while working at Xerox's Palo Alto Research Center. Along with Snefru, a cryptographic hash function, the ciphers were named after the Egyptian Pharaohs Khufu, Khafre and Sneferu.

In cryptography, the Cellular Message Encryption Algorithm (CMEA) is a block cipher which was used for securing mobile phones in the United States. CMEA is one of four cryptographic primitives specified in a Telecommunications Industry Association (TIA) standard, and is designed to encrypt the control channel, rather than the voice data. In 1997, a group of cryptographers published attacks on the cipher showing it had several weaknesses which give it a trivial effective strength of a 24-bit to 32-bit cipher. Some accusations were made that the NSA had pressured the original designers into crippling CMEA, but the NSA has denied any role in the design or selection of the algorithm. The ECMEA and SCEMA ciphers are derived from CMEA.

In cryptography, Madryga is a block cipher published in 1984 by W. E. Madryga. It was designed to be easy and efficient for implementation in software. Serious weaknesses have since been found in the algorithm, but it was one of the first encryption algorithms to make use of data-dependent rotations, later used in other ciphers, such as RC5 and RC6.

In cryptography, a weak key is a key, which, used with a specific cipher, makes the cipher behave in some undesirable way. Weak keys usually represent a very small fraction of the overall keyspace, which usually means that, a cipher key made by random number generation is very unlikely to give rise to a security problem. Nevertheless, it is considered desirable for a cipher to have no weak keys. A cipher with no weak keys is said to have a flat, or linear, key space.

In cryptography, NewDES is a symmetric key block cipher. It was created in 1984–1985 by Robert Scott as a potential DES replacement.

In cryptography, ciphertext stealing (CTS) is a general method of using a block cipher mode of operation that allows for processing of messages that are not evenly divisible into blocks without resulting in any expansion of the ciphertext, at the cost of slightly increased complexity.

In cryptography, key whitening is a technique intended to increase the security of an iterated block cipher. It consists of steps that combine the data with portions of the key.

In cryptography, SXAL is a block cipher designed in 1993 by Yokohama-based Laurel Intelligent Systems. It is normally used in a special mode of operation called MBAL. SXAL/MBAL has been used for encryption in a number of Japanese PC cards and smart cards.

bcrypt is a password-hashing function designed by Niels Provos and David Mazières, based on the Blowfish cipher and presented at USENIX in 1999. Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over time, the iteration count can be increased to make it slower, so it remains resistant to brute-force search attacks even with increasing computation power.

<span class="mw-page-title-main">Twofish</span> Block cipher

In cryptography, Twofish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits. It was one of the five finalists of the Advanced Encryption Standard contest, but it was not selected for standardization. Twofish is related to the earlier block cipher Blowfish.

References

  1. 1 2 R. Shirey (August 2007). Internet Security Glossary, Version 2. Network Working Group. doi: 10.17487/RFC4949 . RFC 4949.Informational.
  2. Vincent Rijmen (1997). "Cryptanalysis and Design of Iterated Block Ciphers" (PostScript). Ph.D. Thesis. Archived from the original on 2013-05-08.
  3. 1 2 "GnuPG Frequently Asked Questions". Archived from the original on 2017-12-21. Retrieved 2018-01-26. Blowfish should not be used to encrypt files larger than 4Gb in size, but Twofish has no such restrictions.
  4. 1 2 "GnuPG Frequently Asked Questions". Archived from the original on 2017-12-21. Retrieved 2018-01-27. For a cipher with an eight-byte block size, you'll probably repeat a block after about 32 gigabytes of data. This means if you encrypt a single message larger than 32 gigabytes, it's pretty much a statistical guarantee you'll have a repeated block. That's bad. For this reason, we recommend you not use ciphers with eight-byte data blocks if you're going to be doing bulk encryption. It's very unlikely you'll have any problems if you keep your messages under 4 gigabytes in size.
  5. 1 2 3 Bruce Schneier (1993). "Description of a New Variable-Length Key, 64-Bit Block Cipher (Blowfish)". Fast Software Encryption, Cambridge Security Workshop Proceedings. Springer-Verlag: 191–204. Archived from the original on 2014-01-26.
  6. "Cryptography: Description of a New Variable-Length Key, 64-Bit Block Cipher (Blowfish)". Schneier on Security. Archived from the original on 2016-03-04. Retrieved 2015-12-31.
  7. "Bcrypt - Blowfish File Encryption" Archived 2015-08-29 at the Wayback Machine bcrypt file encryption program homepage (bcrypt.sourceforge.net)
  8. "bcrypt Free Download - whodunnit.tools.bcrypt". bcrypt463065.android.informer.com. Archived from the original on 4 March 2016. Retrieved 7 May 2018.
  9. "T2 package - trunk - bcrypt - A utility to encrypt files". www.t2-project.org. Archived from the original on 21 April 2017. Retrieved 7 May 2018.
  10. "Oracle GoldenGateのライセンス". docs.oracle.com. Archived from the original on 27 October 2017. Retrieved 7 May 2018.
  11. Karthikeyan Bhargavan; Gaëtan Leurent (August 2016). "On the Practical (In-)Security of 64-bit Block Ciphers — Collision Attacks on HTTP over TLS and OpenVPN". ACM CCS 2016. Archived from the original on 2016-10-09.
  12. Tom Gonzalez (January 2007). "A Reflection Attack on Blowfish" (PDF). Journal of LATEX Class Files. Archived from the original (PDF) on 2015-11-18. Retrieved 2015-11-17.
  13. Orhun Kara & Cevat Manap (March 2007). "A New Class of Weak Keys for Blowfish" (PDF). FSE 2007. Archived (PDF) from the original on 2016-10-05.
  14. Dahna, McConnachie (2007-12-27). "Bruce Almighty: Schneier preaches security to Linux faithful". Computerworld . p. 3. Archived from the original on 2016-12-02. Retrieved 2018-01-26. At this point, though, I'm amazed it's still being used. If people ask, I recommend Twofish instead.
  15. "Blowfish2 included in Feepascal". Gitlab.
  16. "Blowfish2 on Github". Github.