The F function XORs the input with the 32-bit round key, splits the result into bytes and runs each byte through a different S-box to get four 32-bit results. Those are combined nonlinearly with x = ((a+b)^c)+d. As for CAST, the F function has ideal avalanche properties — every output bit depends nonlinearly on all input bits and all key bits. Complete avalanche — all 64 output bits depend on all 64 input bits — is achieved in three rounds.
Blowfish S-boxes are key-dependent, randomly generated at cipher setup time. They are not as nonlinear as the carefully optimised CAST S-boxes, but they have the advantage of being unknown to an attacker and they are, with overwhelming probability, nonlinear enough. The key scheduling starts with a round key array of 18 32-bit entries (16 actual round keys plus 64 bits for whitening) and four S-boxes, all initialised with apparently random bits derived from an expansion of pi. XOR the primary key into the round key array; the key can be any size up to the 576 bits of that array, Then run the cipher repeatedly and use the output to change both the round keys and the S-boxes; this takes 521 cipher iterations.
For some applications, this key setup is inconveniently expensive; Blowfish may not be the best choice if keys need to be changed often. However, the actual encryption and decryption are fast.
The cipher is freely available for any use. It has a home page.
There are later block ciphers from Schneier and co-workers named Twofish (a candidate in the AES competition) and Threefish (used in the Skein hash, a candidate in the AHS competition). Except for the names, these bear little resemblance to Blowfish.
- "Description of a New Variable-Length Key, 64-Bit Block Cipher (Blowfish)", Fast Software Encryption, Cambridge Security Workshop Proceedings: 191-204, December 1993