...the Blowfish algorithm. The exact method follows.

(1) Initialize first the P-array and then the four S-boxes, in order, with a fixed string. This string consists of the hexadecimal digits of π.
(2) XOR P1 with the first 32 bits of the key, XOR P2 with the second 32 bits of the key, and so on for all bits of the key (up to P18). Repeatedly cycle through the key bits until the entire P-array has been XORed with key bits.
(3) Encrypt the all-zero string with the Blowfish algorithm, using the subkeys described in steps (1) and (2).
(4) Replace P1 and P2 with the output of step (3).
(5) Encrypt the output of step (3) using the Blowfish algorithm with the modified subkeys.
(6) Replace P3 and P4 with the output of step (5).
(7) Continue the process, replacing all elements of the P-array, and then all four S-boxes in order, with the output of the continuously changing Blowfish algorithm.

In total, 521 iterations are required to generate all required subkeys. Applications can store the subkeys—there’s no need to execute this derivation process multiple times.

Security of Blowfish
Serge Vaudenay examined Blowfish with known S-boxes and r rounds; a differential attack can recover the P-array with $2^{8r+1}$ chosen plaintexts [1568]. For certain weak keys that generate bad S-boxes (the odds of getting them randomly are 1 in $2^{14}$), the same attack requires only $2^{4r+1}$ chosen plaintexts to recover the P-array. With unknown S-boxes this attack can detect whether a weak key is being used, but cannot determine what it is (neither the S-boxes nor the P-array). This attack only works against reduced-round variants; it is completely ineffective against 16-round Blowfish.

Of course, the discovery of weak keys is significant, even though they seem impossible to exploit. A weak key is one in which two entries for a given S-box are identical. There is no way to check for weak keys before doing the key expansion. If you are worried, you have to do the key expansion and check for identical S-box entries. I don’t think this is n...
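The subkey generation in steps (1) to (7) and the weak-key check described above, as an added Python example that is not code from the original text. The round function in `encrypt` follows the standard Blowfish definition, which this excerpt does not show; the names `pi_words`, `expand_key` and `has_weak_sboxes` are chosen here, and the initial tables are computed from π with Machin's formula rather than copied from a published listing.

```python
# Added example: Blowfish subkey generation (steps 1-7) plus the weak-key check.
M = 0xFFFFFFFF

def pi_words(n):
    """First n 32-bit words of the hexadecimal fraction of pi (Machin's formula)."""
    bits = 32 * n + 64                       # 64 guard bits absorb rounding error
    def atan_inv(x):                         # arctan(1/x) scaled by 2**bits
        total, term, k = 0, (1 << bits) // x, 0
        while term:
            total += term // (2 * k + 1) * (-1 if k % 2 else 1)
            term //= x * x
            k += 1
        return total
    frac = (16 * atan_inv(5) - 4 * atan_inv(239) - (3 << bits)) >> 64
    return [(frac >> 32 * (n - 1 - i)) & M for i in range(n)]

PI = pi_words(18 + 4 * 256)                  # step 1: the fixed initial string

def encrypt(L, R, P, S):
    """One 64-bit block through the 16-round Feistel network (standard Blowfish)."""
    for i in range(16):
        L ^= P[i]
        f = (S[0][L >> 24] + S[1][L >> 16 & 255]) & M
        f = ((f ^ S[2][L >> 8 & 255]) + S[3][L & 255]) & M
        L, R = R ^ f, L                      # apply F to the right half, then swap
    L, R = R, L                              # undo the final swap
    return L ^ P[17], R ^ P[16]

def expand_key(key):
    """Return (P, S) for a non-empty bytes key, following steps (1)-(7)."""
    P = PI[:18]
    S = [PI[18 + 256 * b: 274 + 256 * b] for b in range(4)]
    for i in range(18):                      # step 2: XOR cycled key bits into P
        chunk = bytes(key[(4 * i + j) % len(key)] for j in range(4))
        P[i] ^= int.from_bytes(chunk, "big")
    L = R = 0                                # step 3: start from the all-zero block
    for table in [P] + S:                    # steps 4-7: 9 + 4*128 = 521 encryptions
        for i in range(0, len(table), 2):
            L, R = encrypt(L, R, P, S)       # uses the tables as modified so far
            table[i], table[i + 1] = L, R
    return P, S

def has_weak_sboxes(S):
    """True if any S-box holds two identical entries (the weak-key condition)."""
    return any(len(set(box)) < len(box) for box in S)
```

Because the check runs on the expanded S-boxes, it can only be applied after `expand_key` has finished, which matches the text's point that weak keys cannot be detected before the key expansion.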
 Fall '10
 ALIULGER
 Cryptography
