NOTICE: Citizendium is still being set up on its newer server, treat as a beta for now; please see here for more. Citizendium - a community developing a quality comprehensive compendium of knowledge, online and free. Click here to join and contribute—free CZ thanks our previous donors. Donate here. Treasurer's Financial Report -- Thanks to our content contributors. --

# Blowfish (cipher)

(Redirected from Blowfish)

Main Article
Talk
Related Articles  [?]
Bibliography  [?]
Citable Version  [?]

This editable Main Article is under development and not meant to be cited; by editing it you can help to improve it towards a future approved, citable version. These unapproved articles are subject to a disclaimer.

The Blowfish block cipher [1] was designed by Bruce Schneier. It is a Feistel cipher with 64-bit blocks and 16 rounds. Supported key sizes are 32 to 576 bits; at least 128 is recommended.

The F function XORs the input with the 32-bit round key, splits the result into bytes and runs each byte through a different S-box to get four 32-bit results. Those are combined nonlinearly with x = ((a+b)^c)+d. As for CAST, the F function has ideal avalanche properties — every output bit depends nonlinearly on all input bits and all key bits. Complete avalanche — all 64 output bits depend on all 64 input bits — is achieved in three rounds.

Blowfish S-boxes are key-dependent, randomly generated at cipher setup time. They are not as nonlinear as the carefully optimised CAST S-boxes, but they have the advantage of being unknown to an attacker and they are, with overwhelming probability, nonlinear enough. The key scheduling starts with a round key array of 18 32-bit entries (16 actual round keys plus 64 bits for whitening) and four S-boxes, all initialised with apparently random bits derived from an expansion of pi. XOR the primary key into the round key array; the key can be any size up to the 576 bits of that array, Then run the cipher repeatedly and use the output to change both the round keys and the S-boxes; this takes 521 cipher iterations.

For some applications, this key setup is inconveniently expensive; Blowfish may not be the best choice if keys need to be changed often. However, the actual encryption and decryption are fast.

The cipher is freely available for any use. It has a home page.

There are later block ciphers from Schneier and co-workers named Twofish (a candidate in the AES competition) and Threefish (used in the Skein hash, a candidate in the AHS competition). Except for the names, these bear little resemblance to Blowfish.

## References

1. "Description of a New Variable-Length Key, 64-Bit Block Cipher (Blowfish)", Fast Software Encryption, Cambridge Security Workshop Proceedings: 191-204, December 1993