Cryptography Reference
In-Depth Information
R
i
32
P
i
32
subkey
8
8
8
8
S
1
S
2
S
3
S
4
32
32
32
32
addition
XOR
addition
f(R)
i
32
Figure 5.24:
Round function of the Blowfish algorithm. The S-boxes are com-
puted dependent on the key.
However, referring to Figure 4.6,
R
i
is also XORed with a subkey,
P
i
. Each
of the four key-dependent S-boxes contains 256 values of 32 bits each. This
reminds us a little of DES with key-dependent S-boxes (Section 5.2.2), but the
round function is clearly more complex, and since it uses XOR and addition,
its non-linearity is stronger.
The
cryptanalysis
of Blowfish showed no weaknesses in the algorithm. An
attack with 2080 chosen plaintexts and about 2
34
computations was found
against the 3-round method. However, Blowfish uses 16 rounds. According
to Schneier [SchnCr], there is a differential cryptanalysis by Vaudenay, which
finds the subkeys of the Blowfish algorithm with
r
rounds using 2
8
r
+
1
cho-
sen plaintexts. This does not mean that the attacker knows the S-boxes yet.
Weak keys required 'only' 2
4
r
+
1
chosen plaintexts, so they don't give reason
for concern.
Blowfish can be programmed very effectively on large microprocessors, such as
Pentium or Power Chip (Schneier states 26 CPU cycles per byte; this would cor-
respond to about 5 Mbytes/s on a Pentium-133!). It requires less than 5 Kbytes
of memory and, not least, it's free. Altogether an interesting algorithm indeed.
You can find an implementation in C on our Web site (see A.1).
