Blowfish (cipher)

Blowfish provides a good encryption rate in software, and no effective cryptanalysis of it has been found to date for smaller files.

At the time Blowfish was released, many other designs were proprietary, encumbered by patents, or were commercial or government secrets.

"[5] Notable features of the design include key-dependent S-boxes and a highly complex key schedule.

Blowfish's key schedule starts by initializing the P-array and S-boxes with values derived from the hexadecimal digits of pi, which contain no obvious pattern (see nothing up my sleeve number).

In all, the Blowfish encryption algorithm will run 521 times to generate all the subkeys – about 4 KB of data is processed.

Each new key requires the pre-processing equivalent of encrypting about 4 kilobytes of text, which is very slow compared to other block ciphers.

In one application Blowfish's slow key changing is actually a benefit: the password-hashing method (crypt $2, i.e. bcrypt) used in OpenBSD uses an algorithm derived from Blowfish that makes use of the slow key schedule; the idea is that the extra computational effort required gives protection against dictionary attacks.

This constraint is not a problem even for older desktop and laptop computers, though it does prevent use in the smallest embedded systems such as early smartcards.

bcrypt is a password hashing function which, combined with a variable number of iterations (work "cost"), exploits the expensive key setup phase of Blowfish to increase the workload and duration of hash calculations, further reducing threats from brute force attacks.

bcrypt is also the name of a cross-platform file encryption utility developed in 2002 that implements Blowfish.

[11] The GnuPG project recommends that Blowfish not be used to encrypt files larger than 4 GB[3] due to its small block size.

[4] A reduced-round variant of Blowfish is known to be susceptible to known-plaintext attacks on reflectively weak keys.