On the weak keys of Blowfish

Blowfish (Schneier, 1994) is a sixteen-rounds Feistel cipher (Feistel, 1973) in which the F function is a part of the private key. We show that the disclosure of F allows to perform a differential cryptanalysis which can recover all the rest of the key with 2<sup>48</sup> chosen plaintexts against a number of rounds reduced to eight. Moreover, for some weak F function, this attack only needs 2<sup>23</sup> chosen plaintexts against eight rounds, and 3×2<sup>51</sup> chosen plaintexts against sixteen-rounds. When the F function is safely kept private, one can detect whether it is weak or not with a differential attack using 2<sup>22</sup> plaintexts against eight rounds

Published in:
Third International Workshop on Fast Software Encryption, FSE '96, 1039, 27-32
Presented at:
Third International Workshop on Fast Software Encryption, FSE '96, Cambridge, UK, February 21-23, 1996

 Record created 2007-01-18, last modified 2018-03-17

Download fulltextPS
External link:
Download fulltextURL
Rate this document:

Rate this document:
(Not yet reviewed)