Cicero (cicero@redneck.efga.org)
2 Jul 1998 05:54:33 -0000
Bram wrote:
>On Thu, 2 Jul 1998, Hamdi Tounsi wrote:
>
>> in various papers describing blowfish, it was mentioned that the key can
>> be as long as 448 bits (14 long words).
>
>I gather from the stuff I've read that the only form of blowfish which has
>been extensively used/cryptanalyzed is the 64-bit one, so my
>implementation of it only supports that. Does anyone know if this is
>reasonable, or am I living in a state of sin?
>
>-Bram
I know.
It is reasonable.
I don't know you well enough to comment about your living arrangements.
To quote Schneier:
The 448 limit on the key size ensures that
every bit of every subkey depends on every bit of the key.
(Note that every bit of P15, P16, P17, and P18 does not affect every
bit of the ciphertext, and that any S-box entry only has a .06
probability of affecting any single ciphertext block.)
So, the last permutation boxes don't mix as well.
Incidentally, if you go through scheduling twice, as Rubin has commented
that he does in Nautilus, then this phenomenon goes away. Not that it
matters; your pass phrase isn't _that_ long.
I don't think any of the cryptanalyses (such as Vaudenay's) assumed a
64-bit key length. The expanded key schedule is generally attacked.
Cicero
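To make the 448-bit argument concrete, here is an added example (not code from Cicero, Bram or Schneier) of the first step of the Blowfish key schedule: the key is walked cyclically, four bytes per P entry. With a 56-byte (448-bit) key, P1..P14 absorb every key bit and P15..P18 only receive repeats; any key material beyond 448 bits would land initially in P15..P18 alone, the entries Schneier notes do not affect every ciphertext bit. The P-array constants are the real ones from the specification; the sample keys are constructed.

```python
import struct

# Blowfish's initial P-array (hex digits of pi), as given in the specification.
P_INIT = (
    0x243F6A88, 0x85A308D3, 0x13198A2E, 0x03707344, 0xA4093822, 0x299F31D0,
    0x082EFA98, 0xEC4E6C89, 0x452821E6, 0x38D01377, 0xBE5466CF, 0x34E90C6C,
    0xC0AC29B7, 0xC97C50DD, 0x3F84D5B5, 0xB5470917, 0x9216D5D9, 0x8979FB1B,
)


def key_byte_layout(key_len):
    """For a key of key_len bytes (1..72), list which key byte offsets are
    XORed into each of the 18 P entries. The schedule walks the key
    cyclically, so entries past the key's end wrap around and reuse
    material already absorbed by earlier entries."""
    if not 1 <= key_len <= 72:
        raise ValueError("Blowfish keys are 1..72 bytes (up to 576 bits)")
    return [[(4 * i + j) % key_len for j in range(4)] for i in range(18)]


def entries_with_fresh_material(key_len):
    """Count P entries whose four key bytes all appear for the first time."""
    seen, fresh = set(), 0
    for offsets in key_byte_layout(key_len):
        if all(o not in seen for o in offsets):
            fresh += 1
        seen.update(offsets)
    return fresh


def xor_key_into_p(key):
    """Step 1 of the Blowfish key schedule: XOR the cycled key words into
    the P-array constants. (The later steps, which encrypt zero blocks to
    replace P and the S-boxes, are omitted here.)"""
    layout = key_byte_layout(len(key))
    return [P_INIT[i] ^ struct.unpack(">I", bytes(key[o] for o in layout[i]))[0]
            for i in range(18)]


def entries_changed_by_extension(base_key, extra):
    """Indices of P entries whose step-1 value changes when `extra` bytes
    are appended to base_key. For a 56-byte base key the extra material
    can only reach P15..P18 (indices 14..17)."""
    a, b = xor_key_into_p(base_key), xor_key_into_p(base_key + extra)
    return [i for i in range(18) if a[i] != b[i]]


if __name__ == "__main__":
    key448 = bytes(range(56))                 # constructed 448-bit key
    print(entries_with_fresh_material(56))    # 14: P15..P18 only repeat key bytes 0..15
    print(entries_changed_by_extension(key448, bytes(range(100, 116))))  # [14, 15, 16, 17]
```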
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:20:04 ADT