Articulo Blowfish

7/28/2019 Articulo Blowfish

1/14

D es c r i p t io n o f a N ew V ar i ab le -L en g th K e y , 6 4 -B it B l o ck C i p h e r (B l o w f is h )Bruce Sc tmeier

Co u n t e rp an e Sy s tems , 73 0 Fa i r O ak s A v e , O ak Pa rk , IL 6 0 3 0 2sc lmeier@chine t .com

Abstract :Blow f i sh , a new secre t -key b lock c ipher , i s p roposed . I ti s a Feis tel network, i terat ing a s imple encrypt ionfunc t ion 16 t imes . The b lock si ze is 64 b i t s , and the keycan be any l eng th up to 448 b i ts . Al tho ugh there i s acom plex in i ti a l iza t ion phase requ i red b efore anyencryp t ion can t ake p lace , the ac tua l encry p t ion o f da ta i svery e f f i c i en t on l a rge microprocessors .

T h e c ry p t o g rap h i c co mm u n i t y n eed s t o p rov i d e th e w o r l d w i t h a n ew en c ry p t i o ns tandard . DES [16], the workhorse encryp t ion a lgor i thm fo r the pas t f i f teen years , isnear ing the end o f i ts usefu l l i fe . I t s 56-b i t key s i ze i s vu lnerab le to a b ru te - fo rceat tack [22] , and rec ent adva nces in di fferent ial cryptan alys is [1] and l inea rcryptanalys is [10] indicate that DES is vulnerable to other at tacks as wel l .M an y o f t h e o t h e r u n b ro k en al g o ri th ms i n t h e l it e r a t u r e --K h u fu [1 1 ,1 2 ] , R E D O C I I[2 ,2 3 , 2 0 ] , an d ID E A [7 ,8 ,9 ] - -a r e p ro tec ted b y p a ten ts . RC 2 an d RC4 , ap p ro v ed fo rexpo r t wi th a sm al l key s i ze , a re p ropr ie ta ry [18]. GO ST [6] , a Sov ie t gove rnm enta lgor i thm , i s spec i f ied wi thou t the S-boxes. The U .S. gove rnm ent i s m oving towardssecre t a lgor i thms , such as the Sk ip jack a lgor ithm in the Cl ipper an d C aps tone ch ips[17].I f the w or ld i s to have a secure , unpaten ted , and f ree ly -ava i lab le encry p t ion a lgor ithmby the tu rn o f the cen tu ry , we need to deve lop severa l cand ida te encryp t iona lgor i thms now . These a lgor i thms can then be sub jec ted to years o f pub l ic sc ru t inyand cryp tana lys i s . Then , the hope i s tha t one o r more cand ida te a lgor i thm s wi l lsu rv ive th i s p rocess , and can even tua l ly becom e a new s tandard .Th i s paper d i scusses the requ irements fo r a s tandard encryp t ion a lgor i thm . W hi le i tm ay no t be p oss ib le to sa t i s fy a l l requ i rements wi th a s ing le a lgor i thm, i t m ay beposs ib le to sa t i s fy them wi th a fam i ly o f a lgor ithms based on the same cryp tograph icprinciples .A R E A S O F A P P L I C A T I O NA s tandard en cryp t ion a lgor i thm mus t be su i tab le fo r m any d i f fe ren t app l ica t ions :

Bu lk encryp t ion . The a lgor i thm shou ld be e f f i c i en t in encryp t ing da ta fi l es o ra con t inuous da ta s t ream.


2/14

192

R a n d o m b i t g en e ra t i o n . T h e a lg o r i th m s h o u ld b e e f f i c i en t i n p ro d u c in g s i n g leran d o m b i t s .

Pack e t en c ry p t i o n . T h e a lg o r i t h m s ho u ld b e e f f i c i en t i n en c ry p t i n g p ack e t -s i zed d a t a . (An A T M p ack e t h a s a 4 8 -b y t e d a t a f i e ld . ) I t s h o u ldim p lem en tab l e i n an ap p l ica t io n wh e re s u cces s iv e p ack e t s m ay b een c ry p t ed o r d ec ry p t ed wi th d i f f e ren t k ey s .

Has h in g . T h e a lg o r i t h m s h o uld b e e f f ic i en t i n b e in g co n v e r t ed t o a o n e -w ayhash func t ion .

P L A T F O R M SA s t an d a rd e n c ry p t i o n a lg o r it h m m u s t b e im p lem en tab l e o n a v a r i e t y o f d i f f e ren tp l a t fo rm s , e a ch wi th t h e i r o wn req u i r em en t s . T h es e i nc lu d e:

Sp ec i a l h a rd ware . T h e a lg o r i th m s h o u ld b e e f fi c i en t l y im p lem en tab l e inc u s to m V L S I h a r dw a r e .

L a rg e p ro ces s o r s . W h i le d ed ica t ed h a rd ware wi l l a lway s b e u s ed fo r t h efa s te s t ap p l ica t io n s , s o ftwa re im p lem en ta ti o n s a re m o re co m m o n . T h ea lg o r i th m s h o u ld b e e f f i c ien t o n 3 2 -b it m ic ro p ro ces s o r s w i th 4 k b y t ep ro g ram an d d a t a cach es .

M ed iu m -s i ze p ro ces s o r s . T h e a lg o ri t h m sh o u ld ru n o n m ic ro co n t ro l l e r s an do th e r m ed iu m -s i ze p ro cess o r s , s u ch a s th e 6 8 H C 1 1 .

Sm a l l p ro ces s o r s . I t sh o u ld b e p o s sib le to im p lem en t t h e a lg o r i t h m o n s m ar tcards , even inef f ic ien t ly .

T h e r eq u i r em en t s fo r s m a ll p ro ces s o rs a re th e m o s t d if f icu l t . R A M an d R O Ml im i t a ti o n s a re s ev e re fo r t hi s p la t fo rm . Al s o , e f f i c i en cy i s m o re im p o r t an t o n t h e s esmal l ma ch ines . W orks ta t ions doub le the i r capac i ty a lmo s t annual ly . Sm al lembedded sys tems are the same year a f te r year , and there i s l i t t l e capac i ty to spare .I f th e re i s a ch o i ce , t h e ex t r a co m p u ta t io n b u rd en s h o u ld b e o n l a rg e p ro ces s o r s r a t h e rthan smal l p rocessors .A D D I T I O N A L R E Q U I R E M E N T SThese ad d i t iona l requ i rem ents shou ld , i f poss ib le , be lev ied on a s tandard enc ryp t iona lgor i thm.

T h e a lg o r i t h m s h o u ld b e s im p le to co d e . E x p e r i en ces wi th DE S [19 ] s h o wth a t p ro g ram m ers wi l l o f t en m ak e im p lem en ta t io n m i s t ak es i f th e a lg o r i t h m i scom pl ica ted . I f poss ib le , the a lgor i thm shou ld be robus t aga ins t thesemis takes .T h e a lg o r i th m s h o u ld h av e a f l a t k ey s p ace , a l lo win g an y r an d o m b i t s t r in g o f


3/14

193

t he requ i red l eng th to be a poss ib le key . There shou ld be no we ak keys .The a lgor i thm shou ld fac il it a te easy key -m anage m ent fo r so f twareimplem enta t ions . Sof tware implementa t ions o f DES genera l ly use poor keym anag em ent t echn iques . In par t icu la r, t he password tha t the user types inbecom es the key . Th i s means tha t a l though DE S h as a theore t ica l keyspace o f256, the ac tual keyspace is l im i ted to key s const ruc ted w i th the 95 characters ofp r in tab le ASC II . Addi t iona l ly , keys cor respond ing to words and near wordsa re m u ch mo re l ik e l y .Th .e a lgor i thm shou ld be eas ily modi f i ab le fo r d i f fe re n t l eve ls o f secur i ty , bo thm i n i mu m an d m ax i mu m req u ir emen ts .Al l opera t ions shou ld manipu la te da ta in by te-s i zed b locks . W here poss ib le ,operat ions should manipulate data in 32-bi t b locks .

D E S I G N D E C I S IO N SBased on the above parameters , w e have m ade these des ign deci s ions . The a lgor i thmshould :

Manipulate data in large blocks , preferably 32 bi ts in s ize (and not in s ingleb i t s , such as DES) .Have ei ther a 64-bi t or a 128-bi t b lock s ize.Have a scalable key, f rom 32 bi ts to at leas t 256 bi ts .Use s imple operat ions tha t a re e f f ic i en t on microprocessors : e .g . , exc lus ive-or , a ddi t ion, table lookup, mod ular-mu l t ip licat ion. I t should not use variable-l eng th sh i ft s o r b i t-wise permuta t ions , o r cond i t iona l jum ps .Be i mp l emen tab l e o n an 8 -bi t p ro ces s o r w i t h a m i n i mu m o f 2 4 b y t e s o f R A M(in add i t ion to the RA M requ ired to s to re the key) and 1 k iloby te o f RO M .Em ploy p recomputab le subkeys. On l a rge-mem ory sys tems , these subkeys canbe p recom puted fo r fas t e r opera tion . Not p recom put ing the subkeys wi l l resu l tin s low er opera t ion , bu t i t shou ld s t il l be poss ib le to encry p t da ta wi thou t anyprecomputa t ions .Con s i s t o f a var i ab le number o f i te ra tions. Fo r app l i ca tions wi th a smal l keys ize , the t rad e-of f be tween the com plex i ty o f a b ru te - fo rce a t t ack and ad i f fe ren t i a l a t t ack mak e a l arge number o f i t e ra tions super fluous . He nce , i tshou ld be poss ib le to reduce the num ber o f i t e ra t ions wi th no loss o f secur i ty(beyond tha t o f the reduced key s i ze).I f possib le , have no weak keys . I f no t poss ib le , the p ropor t ion o f weak keysshou ld be smal l enoug h to make it un l ike ly to choose one a t random . Also ,


4/14

194

an y w eak k ey s s h o u ld b e ex p li c it l y k n o w n s o t h ey can b e we ed ed o u t d u r in gthe key genera t ion p rocess .

Us e s u b k ey s th a t a r e a o n e -way h ash o f t h e k ey . T h i s wo u ld a l l o w th e u s e o fl o n g p as sp h ra se s fo r t h e k ey wi th o u t co m p ro m is in g s ecu r i t y .H av e n o l i n ea r st ruc tu re s ( e . g . , t h e co m p lem en ta t i o n p ro p e r t i e o f DE S) t h a tr ed u ce t h e co m p lex i t y o f ex h au s t iv e s ea rch [4] .Use a des ign tha t i s s imple to unders tand . Th is wi l l fac i l i t a te ana lys i s andincrease the conf idence in the a lgor i thm. In p rac t ice , th i s mean s tha t thea lgor i thm wi l l be a F e is te l it e ra ted b lock c ipher [21] .

M o s t o f t h e s e d esig n dec is i on s a re n o t n ew. A lm o s t a l l b lo ck c ip h e r s s i n ce L u c i f e r[5 ,21] a re Fe is te l c iphers , and a l l have a f l a t keyspa ce (w i th the poss ib le ex cep t ion o fa f ew weak k ey s ) . FE A L [1 3 , 1 4 ,1 5 ] an d Kh u fu [1 1] u s e a v a r i ab le n u m b er o fi t e ra tions . Kh ufu [11] has a l a rge number o f subkeys tha t a re a one -w ay func t ion o fthe key . RC 2 [18] has a var iab le - leng th key . G O ST [6] uses a 32-b i t w ord leng thand a 64-b i t b lock s ize . MM B [2] uses a 32-b i t wo rd leng th and a 128-b i t b lo ck s ize .B U I L D I N G B L O C K ST h e re a re a n u m b er o f b u il d in g b lock s t ha t h av e b een d em o n s t r a t ed t o p ro d u ce s t ro n gc ip h e r s. M an y o f th e s e can b e e ff i c ien t l y im p lem en ted o n 3 2 -b i t m ic ro p ro ces s o r s .

La rge S-box es . Larg er S-boxes a re mo re res i s tan t to d i f fe ren t ia l c ryp tana lys i s .An a lg o r i th m wi th a 3 2 -b it wo rd l en g th can u s e 3 2 -b i t S -b o x es . Kh u fu an dR E DO C I I I b o th u se a 2 5 6 -en t ry , 3 2 -b it w id e S -b o x [1 1 , 2 0 ] .Ke y -d ep en d en t S -b o x es . W h i l e fi x ed S -b o x es m u s t b e d es ig n ed t o b e r e s i st an tt o d i f f e ren ti a l an d l i n ea r c ry p t ana ly si s , k ey -d ep en d en t S -b o x es a re m u ch m o reres i s tan t to these a t tacks . Th ey are used in the K huf u a lgor i thm [11] .Va r i ab l e S -b o x es , wh ich co u ld p o s sib ly b e k ey d ep en d en t , a r e u s ed i n G OS T[6].C o m b in in g o p e ra ti o n s f ro m d i f fe ren t a l g eb ra i c g ro u p s . T h e IDE A c ip h e rin t ro d u ced t h is co n cep t , co m b in in g XO R m o d 2 16 , ad d i t i o n m o d 2 1 6 , a n dm u l t i p l ica t i o n m o d 2 16 + 1 [7] . T h e M M B c ip h e r u se s a 3 2 -b i t wo rd , an dcom bines X O R m od 232 wi th m ul t ip lica t ion m od 232-1 [2 ] .K ey-d epe nden t permu ta t ions . The f ixed in i ti a l and f -rea l perm uta t ions o f DE Sh av e b een l o n g r eg a rd ed as c ry p to g rap h i ca ll y wo r th l e ss . Kh u fu XO R s t h e tex tb lo ck w i th k ey m a te r ia l a t th e b eg inn in g an d t h e en d o f t h e a lg o r i t h m [1 1] .

B L O W F I S HB lo w f i s h is a v a r i ab le - l en g th k ey b lo ck c ip h e r . I t d o es n o t m ee t a l l t h e r eq u i r em en t sfo r a new cryp tograph ic s tandard d i scussed above: i t i s on ly su i tab le fo r app l ica t ions


5/14

195

w h er e t h e k ey d o es n o t ch an g e o f t en , l i k e a co m m u n ica t i o n s l i n k o r an au to m a t i c f i l ee n c r y p t o r . I t i s si g ni fi c an t ly fa s t e r t h a n D E S w h e n i m p l e m e n t e d o n 3 2 - b i tm i c r o p r o c e s s o r s w i t h l a rg e d a t a ca c h e s , s u ch a s t he P e n t i u m a n d t h e P o w e r P C .D E S C R I P T IO N O F T H E A L G O R I T H MB lo w f i s h is a v a r i ab le - l en g th k ey , 6 4 - b i t b lo ck c ip h e r . Th e a lg o r i t h m co n s i s t s o f tw op art s." a k ey - ex p an s io n p a r t an d a d a t a -en c r y p t io n p a r t . K ey ex p a n s io n co n v e r t s a k eyo f a t m o s t 4 4 8 b i t s i n to s ev e r a l s u b k ey a r r ay s t o t a l i n g 4 1 6 8 b y t e s .D a ta en c r y p t io n o ccu r s v i a a 1 6 - ro u n d F e i s te l n e tw o r k . Eac h r o u n d co n s i s t s o f a k ey -d ep en d e n t p e r m u ta t i o n , an d a k ey - an d d a t a - d ep en d en t s u b s ti t ut i o n . A l l o p e r a t i o n sa r e X O R s an d ad d i ti o n s o n 3 2 - b it w o r d s . Th e o n ly ad d it i o n a l o p e r a t i o n s a r e f o u rin d ex ed a r r ay d a t a l o o k u p s p e r r o u n d .S u b k ey s :B l o w f i s h u s e s a la r g e n u m b e r o f su b k e y s. T h e s e k e y s m u s t b e p r e c o m p u t e d b e f o r ean y d a t a en c r y p t io n o r d ec r y p t io n .

1 . Th e P - a r r ay co n s i st s o f 1 8 3 2 - b i t s u b k ey s :P1, P2 . . . . P~8.

. Th e r e a r e f o u r 3 2 - b i t S - b o x es w i th 2 5 6 en t r i e s e ach :Si,0, S t: ... .. $1,255;$2,o, $2,1 .... S~,2ss;$3.o, $3,1 . . . . $3.2~5;8 4 , 0 , 8 4 : , . . , , 8 4 ,2 5 5 -

Th e ex ac t m e th o d u s ed t o ca l cu l a t e t h e s e s u b k ey s w i l l b e d e s c r ib ed l a t e r .En c r y p t io n :B low f ish i s a Fe is te l ne tw ork cons is t ing o f 16 rounds ( see F igu re 1 ) . Th e inpu t i s a6 4 - b i t d a t a e l em en t , x .

Div ide x in to tw o 32-b i t ha lves : x L , x RF o r i = 1 t o 16:XL = XL X O R P ixR = F(XL) X O R xRSw ap XL and xR

Sw ap XL and x~ (Und o the las t sw ap . )x~ = xR X O R P I TXL = XL X O R PlaR e c o m b i n e xL a n d x RF u n c t io n F ( s ee F ig u r e 2 ) :

Div ide XL in to fou r e igh t -b i t quar te r s : a , b , c , a nd d


6/14

196

P1

P 2

P16

P18

32 b i ts

(32 b its

Plaintext ~)6 4 b i t s 32 b i ts

# + 3 2 b i t s

[._f

\

"-\ j32 b i ts

C

; i r - ~ _ r- \13 m ore itera t ions /

vk,"._ fP17 -k . .

32 b i ts64 b itsCipher text

F ig u re 1 " B lo ck D ia g ra m o f B lo w fish


7/14

197

F ( X L ) = ( ( S 1 , a + S2 , b m od 232) X O R S3,,) + S 4 , d m od 2 32De cryp t ion i s exac t ly the sam e as encryp t ion , excep t tha t PI , P2 . . . . P18 are u sed inthe reverse o rder .Imp lemen ta t ions o f B lowfi sh tha t requ ire the fas tes t speeds shou ld unro l l the loop andensure that a l l subkeys are s tored in cache.Genera t ing the Subkeys :The subkeys a re ca lcu la ted us ing the Blowfi sh a lgor i thm . The exa c t m ethod i s asfo l lows :

1 . In i ti a li ze f i r s t the P-ar ray and then the four S-boxes , in o rder , wi th a f ixedst r ing. This s t r ing consis ts of the hex ade cim al d igi ts of p i ( less the in i t ia l 3) .Fo r ex amp l e :

3 2 b i ts

8 bi ts t,, S - b o x 1

8 b i t s [ S - b o x 2

8 b i t s I S - b o x 3

32 bits

32 b i t s

8 b its [ , S - b o x 4 I 3 2 b its[ - - ] 3 2 b i t s

I I " -

F i g u r e 2 : F u n c t io n F


8/14

198

P1 = 0x243f6a88P 2 = 0 x 8 5 a 3 0 8 d 3P3 = 0x13198a2eP4 = 0x03707344

2 . XO R P1 wi th the f i r s t 32 b it s o f the key , XO R Pz wi th the second 32-b itso f the ke y , and so on fo r a l l b i ts o f the key (possib ly up to P14). Repea ted lycyc le th rough the ke y b i ts un t i l the en t i re P-ar ray has be en XO Red wi th keyb i t s. (For every shor t key , there is a t leas t one equ iva len t longer key ; fo rexam ple , i f A i s a 64-b it key , then AA, AA A, e tc . , a re eq u iva len t keys . )3 . Encry p t the a ll -zero s t r ing wi th the Blow fi sh a lgor i thm , us ing the subkeysdescribed in steps (1) and (2).4 . Rep lace P~ and P2 w i th the output of s tep (3) .5 . Encryp t the ou tpu t o f s tep (3 ) us ing the Blowfi sh a lgor i thm wi th themo d i f i ed s u b k ey s.6 . Rep lace P3 and P4 w i th the outpu t of s tep (5) .7 . Con t inue the p rocess, rep lac ing a ll en t r ies o f the P-ar ray , and then a l l fourS-boxes in o rder , wi th the ou tpu t o f the con t inuous ly -chang ing Blowfi sha lgor i thm.

In to tal , 521 i terat ions are required to generate al l required subkeys . Appl icat ions cans to re the subkeys ra ther than execu te th is der iva t ion p rocess m ul t ip le t imes .M I N I - B L O W F I S HThe fo l lowing m in i vers ions o f Blowfi sh a re def ined so le ly fo r c ryp tana lys i s . Theyare no t suggested for actual im plem entat ion. Blow fish-32 has a 32-bi t b lock s ize andsubke y arrays of 16-bit ent r ies (each S-box has 16 entr ies). Blow fish-16 has a 16-bitb lock s ize and subkey arrays of 8-bi t ent r ies (each S-box has 4 entr ies) .D E S I G N D E C I S IO N SThe under ly ing ph i losophy beh ind B lowfi sh i s tha t s impl ic ity o f des ign y ie lds ana lgor i thm tha t is bo th eas ie r to unders tand and eas ie r to implement . Through the useof a s t reaml ined Fe i st e l ne two rk- -a s imple S-box subs t itu tion and a s imple P-boxsubs t i tu t ion- - I hope tha t the des ign w i ll no t con ta in any f l aws .A 64-bi t b lock s ize yields a 32-bi t word s ize, and maintains block-s ize compat ibi l i tyw ith exis ting algori thms. Blo wfish is easy to scale up to a 128-bit b lock, and do w n tosmal le r b lock s i zes . Cryp tana lys i s o f the min i -Blow fi sh var ian ts m ay be s ign if i can tlyeas ie r than c ryp tana lys i s o f the fu l l vers ion .T h e fu n d am en t a l o p e ra ti o n s w ere ch o s en w i t h sp eed in mi n d . X O R, A D D , an d MO V


9/14

K

K

199

F i g u r e 3 : G e n e r a l F e i s t e l I t e r a t i o nf r o m a c a c h e a r e e f fi c i e n t o n b o t h I n t e l a n d M o t o r o l a a r c h i te c t u r e s . A l l s u b k e y s f it i nt h e c a c h e o f a 8 0 4 8 6 , 6 8 0 4 0 , P e n t i u m , a n d P o w e r P C .T h e F e i s te l n e t w o r k t h at m a k e s u p t h e b o d y o f B l o w f i s h is d e s ig n e d t o b e a s s i m p l ea s p o s s i b l e , wh i l e s ti ll r e ta i n i n g t h e d e s ir a b l e c r y p t o g r a p h i c p r o p e r t i e s o f th es t r u c tu r e . F i g u r e 3 is r o u n d i o f a g e n e r a l F e i s t e l n e t wo r k : P ~ , i a r e r e v e r s i b l ef u n c t i o n s o f t e x t a n d k e y , a n d N~ i s a n o n - r e v e r s i b l e fu n c t i o n o f te x t a n d k e y . F o rs p e e d a n d s i m p l i c i t y , I c h o s e X O R a s m y re v e r s i b l e f u n c t i o n . T h i s l e t m e c o l l a p s et h e f o u r XOR s i n t o a s i n g l e XOR , s i n c e :

R ' l , i + l = Rl. i+l XOR R 2 , i . 1 X O R R 3 , i X O R R 4.iT h i s i s t h e P - a r r a y s u b s t it u t io n i n B l o wf i s h . T h e XO R c a n a ls o b e c o n s i d e r e d t o b ep a r t o f t h e n o n - r e v e r s i b l e f u n c t i o n , N~ , o c c u r r i n g a t t h e e n d o f t h e f u n c t i o n .( A l t h o u g h e q u i v a l e n t , I c h o s e n o t t o i l l u s t r a t e t h e m i n t h i s wa y b e c a u s e i t s i m p l i f i e sd e s c r i p t io n o f t h e s u b k e y - g e n e ra t i o n p r o c e s s .) T h e r e a r e t w o X O R s t h a t re m a i n a f te rt h i s re d u c t i o n : R I i n th e f i rs t r o u n d a n d R 2 i n th e l a s t r o u n d . I c h o s e n o t t o e l im i n a t et h e s e i n o r d e r t o h i d e t h e i n p u t t o t h e f i r s t n o n - r e v e r s i b l e f u n c t i o n .


10/14

200

I cons idered a more compl ica ted revers ib le func t ion , one wi th modular mul t ip l ica t ionsan d ro t at io n s . H o w ev e r , t h es e o p e ra ti o n s wo u ld g rea t l y i n c rea s e th e a lg o r i t h m ' sex ecu t i o n t im e . S in ce fu n c t io n F i s t h e p r im ary s o u rce o f th e a lg o r i t h m ' s s ecu r i t y , Id ec id ed t o s av e t im e -co n s u m in g co m p l i ca ti o n s fo r t h a t fu n c ti o n .Funct ion F , the non-revers ib le func t ion , g ives Blowfish the bes t poss ib le ava lanchee f fec t fo r a Fe i s t e l n e two rk : ev e ry t ex t b i t o n th e l e f t h a l f o f th e ro u n d a f f ec t s ev e ryt ex t b i t o n t h e r i g h t h a lf . Ad d i t i o n a ll y , s i nce ev e ry s u b k ey b i t is a f f ec t ed b y ev e ryk ey b i t , t h e fu n c t i o n a ls o h as a p e r fec t av a l an ch e e f f ec t b e tween t h e k e y an d t h e r i g h th a l f o f th e t ex t a f t e r ev e ry ro u n d . Hen ce , t h e a lg o r it h m ex h ib it s a p e r f ec t av a l an ch ee f fec t a f te r t h ree ro u n d s an d ag a in ev e ry two ro u n d s a f t e r t h at .I co n s id e red ad d in g a r ev e r s ib l e m ix in g fu n c t io n , m o re co m p l i ca t ed t h an XO R , b e fo rethe f i r s t and a f te r the las t round . Th is wo uld fu r ther confuse the en t ry va lues in to theFe i s t e l n e tw o rk an d en s u re a co m p le t e av a lan ch e e f f ec t a f t e r t h e f ir s t two ro u n d s . Iev en tu a l l y d is ca rd ed t h e ad d i t io n a s a t im e-co n s u m in g co m p l i ca t i o n wi th n o c l ea rc ry p to g rap h i c b en e f i ts .The non -revers ib le func t ion i s des igned fo r s treng th , speed , and s impl ic i ty . Idea l ly , Iwan ted a s ing le S-bo x w i th 232 32-b i t word s , bu t tha t was im prac t ica l . M y even tua lch o i ce o f 2 5 6 -en t ry S -b o x es was a co m p ro m is e b e tween m y th ree d es ig n g o a l s. T h es m a l l -n u m b er o f b it s t o l a rg e -n u m b er o f bi ts m ay h av e w eak n es se s w i th r e s p ec t t ol i n ea r c ry p t an a ly s is , b u t t h e s e weak n es s e s a re h id d en b o th b y co m b in in g th e o u tp u t o ffo u r S -b o x es an d m ak in g t h em d ep en d en t o n t h e k ey .I u s ed fo u r d i f f e ren t S -b o x es i n s tead o f o n e S -b o x p r im ar i l y t o av o id s y m m et r i e sw hen d i f fe ren t by tes o f the inpu t a re equa l , o r w hen the 32-b i t inpu t to func t ion F i s ab y t ewi s e p e rm u ta t i o n o f an o th e r 3 2 -b it i n pu t . I co u ld h av e u s ed o n e S -b o x an d m ad eeach o f the four d i f fe ren t ou tpu ts a non- t r iv ia l permuta t ion o f the s ing le ou tpu t , bu tthe four S-box des ign i s fas te r , eas ie r to p rogram, and seems more secure .Th e func t ion tha t com bines the four S-box ou tpu ts is as fas t as poss ib le . A s implerfu n c t i o n wo u ld b e t o X O R th e fo u r v a lu es , b u t m ix in g ad d i ti o n m o d 2 32 an d X ORcom bines two d i f fe ren t a lgebra ic g roups wi th no add i t iona l ins t ruc t ions . Th ea l t e rn a t i o n o f ad d i t io n an d X OR en d s wi th an ad d i t io n o p e ra ti o n b ecau s e an X ORcom bines the f ina l resu l t wi th x R .I f t he fo u r i n d ex es ch o s e v a lu es o u t o f t h e s am e S -b o x , a m o re co m p lex co m b in in gfu n c t i o n wo u ld b e r eq u i r ed t o e lim in a t e s y m m et r ie s . I co n s id e red u s in g a m o recomplex combin ing func t ion in Blowfish (us ing modular mul t ip l ica t ions , ro ta t ions ,e t c . ) , b u t ch o s e n o t t o b ecau s e t h e ad d ed co m p l i ca t i o n s eem ed u n n eces s a ry .T h e k ey -d ep e n d en t S -b o x es p ro t ec t ag ain st d i f f eren t ia l an d l i n ea r c ry p tan a ly s is . S in cethe s t ruc tu re o f the S-boxes i s comple te ly h idden f rom the c ryp tana lys t , these a t tackshave a mo re d i f f icu l t t ime exp lo i t ing tha t s truc tu re . W hi le it wo u ld be poss ib le torep l ace t h e s e v a r i ab l e S -b o x es w i th fo u r f i x ed S -bo x es t ha t w e re d es ig n ed t o b eres i s tan t to these a t tacks , key-dependen t S-boxes a re eas ie r to implement and lesssuscep t ib le to a rguments o f "h idden" p roper t ies . Add i t iona l ly , these S-boxes can be


11/14

201

c rea t ed o n d em an d , r ed u c in g t h e n eed fo r l a rg e d a ta s t ru c tu re s s t o red wi th t h ea lgor i thm.

Eac h b i t o f XL i s on ly used as the inpu t to one S-box . In D ES m any b i t s a re used asinpu ts to two S-boxes , which s t reng thens the a lgor i thm cons iderab ly aga ins td i f fe ren t ia l a t tacks . I fee l tha t th i s added comp l ica t ion i s no t as necessa ry wi th key -d ep en d en t S -b o x es. Ad d i t i o n a ll y , l a rg e r S -b o x es wo u ld t ak e u p co n s id e rab ly m o rem e m o r y s p a c e .Fun ct ion F does no t depe nd on the it e ra t ion . I cons idered add ing th i s depe nden cy ,b u t d id n o t f ee l t h a t it h ad an y c ry p to g rap h i c m er i t . T h e P -a r r ay s u b s t it u ti o n can b econs idered to be par t o f th i s func t ion , and tha t i s a l ready i t e ra t ion-dependen t .T h e n u m b er o f ro u n d s i s s e t a t 1 6 p r im ar i l y o u t o f d e si r e t o b e co n s e rv a t iv e .Ho we v e r , t h i s n u m b er a f f ec t s t h e s i ze o f t h e P -a r r ay an d t h e re fo re t h e s u b k ey -genera t ion p rocess ; 16 it e ra t ions perm i t s key leng ths up to 448 b i ts . I expe c t to beab le to reduce th i s number , and g rea t ly speed up the a lgor i thm in the p rocess , as Iaccu m u la t e m o re c ry p t an a ly s i s d a ta .In a lgor i thm des ign , there a re two bas ic ways to ensure tha t the key i s long enough toensure a par t i cu la r secur i ty leve l . One i s to carefu l ly des ign the a lgor i thm so tha t theen t ir e en t ro p y o f t h e k ey i s p re s e rv ed , s o t h e re is n o b e t t e r way t o c ry p t an a ly ze t h ea lg o r i th m o th e r t h an b ru t e fo rce . T h e o th e r is t o d e s ig n t h e a lg o r i th m w i th so m a n ykey b i t s tha t a t tacks tha t red uce the e f fec t ive key leng th by severa l b i t s a re i r re levan t .S in ce B lo wf i s h i s d e s ig n ed fo r l a rg e m ic ro p ro ces so r s w i th l a rg e am o u n t s o f m em o ry ,I chose the lat ter .T h e s u b k ey g en e ra t i o n p ro ces s i s d e s ig n ed t o p re s e rv e t h e en t i re en t ro p y o f t h e k eyand to d i st r ibu te tha t en t ropy un i f o rm ly th rougho u t the subkeys . I t is a l so des igned tod i s tr i bu t e t h e s e t o f a l l o wed s u b k ey s r an d o m ly t h ro u g h o u t t h e d o m a in o f p o s s ib l esubkeys . I chose the d ig it s o f p i as the in it ia l subkey tab le fo r two reasons : beca use i ti s a random sequence no t re la ted to the a lgor i thm, and because i t cou ld e i ther bes to red a s p a r t o f t he a lg o r i t h m o r d e r i v ed wh en n eed ed . T h e re is n o th in g s ac redab o u t p i ; an y s t ri n g o f r an d o m b i t s - -d ig i ts o f e , R A ND t ab le s , o u tp u t o f a r an d o mn u m b er g en e ra to r - -w i l l s u f fi ce . Ho we v e r , i f t h e in i ti a l s tr in g i s n o n - ran d o m in an yway ( fo r ex am p le , A SC I I t ex t w i th t h e h ig h b it o f ev e ry b y t e a 0 ) , t hi s n o n -randomness wi l l p ropagate th roughou t the a lgor i thm.In the subkey genera t ion p rocess , the subkeys change s l igh t ly wi th every pa i r o fsubkeys genera ted . Th is i s p r im ar i ly to p ro tec t aga inst any a t tacked o f the subkeygenera t ion p rocess tha t exp lo i t the f ixed and know n subkeys . I t a l so reduces s to ragereq u i rem en t s . T h e 4 4 8 l im i t o n t h e k ey s ize en su re s th a t th e ev e ry b i t o f ev e rys u b k ey d ep end s o n ev e ry b i t o f th e k ey . (No te t h a t ev e ry b i t o f P15 , P 1 6 , P 1 7 , and P lsd o es n o t a f f ec t ev e ry b i t o f t h e c ip h e r t ex t, an d t h a t an y S -b o x en t ry o n ly h as a . 0 6probab i l i ty o f a f fec t ing any s ing le c ipher tex t b lock . )The k ey b i t s a re rep ea ted ly X OR ed w i th the d ig it s o f p i in the in i ti a l P-ar ra y toprev en t the fo l lowing po ten t ia l a t tack : Assum e tha t the key b i t s a re no t repea ted , bu t


12/14

202

i n st ead p ad d ed wi th ze ro s t o ex ten d i t t o th e l en g th o f t h e P -a r r ay . An a t t ack e r m ig h tf ind two keys tha t d i f fe r on ly in the 64-b i t va lue XORed wi th PI and P2 tha t , u s ingth e in i ti a l k n o w n s u b k ey s , p ro d u ce t h e s am e en c ry p t ed v a lu e . I f s o , h e can f i n d twokeys tha t p rod uce a l l the same subke ys . Th is i s a h igh ly tempt ing a t tack fo r am a l i c io u s k ey g en e ra to r .To p r eve n t th is sam e typ e o f a t t ack , I f ixe d the in i ti a l p la in tex t va lue in the subke y-genera t ion p rocess . Th ere i s no th ing spec ia l abou t the a l l-zeros s t r ing , bu t i t i simportant that th is value be f 'Lxed.T h e s u b k ey -g en e ra t i o n a lg o r i th m d o es n o t a ss u m e th a t t h e k ey b it s a r e r an d o m . E v e nh ig h ly co r re l a t ed k ey b i t s, s u ch a s an a lp h an u m er i c ASC II s t r in g w i th t h e b i t o f ev e ryb y t e se t t o 0, w i ll p ro d u ce r an d o m s u b k ey s. Ho we v e r , t o p ro d u c e s u b k ey s wi th th es am e e n t ro p y , a l o n g e r a l p h an u m er i c k ey is r eq u i red .T h e t im e-co n s u m in g s u b k ey -g en e ra t i o n p ro ces s ad d s co n s id e rab l e co m p lex i t y fo r ab ru te - fo rce a t tack . Th e subkeys a re too long to be s to red on a mass ive tape , so theywo u ld h av e to b e g en e ra t ed b y a b ru t e - fo rce c rack in g m ac h in e a s req u i r ed . A t o t a l o f522 i t e ra t ions o f the encryp t ion a lgor i thm are requ i red to t es t a s ing le key , e f fec t ive lyad d i ng 2 9 s t eps t o an y b ru t e - fo rce a t t a ck.P O S S I B L E S I M P L I F I C A T I O N SI am exp lo r ing severa l poss ib le s impl i f ica t ions , a imed a t decreas ing memoryreq u i r em en t s an d ex ecu t i o n t im e . T h es e a re o u t l in ed b e lo w:

Few er an d s m a l l e r S -b o x es . I t m ay b e p os s ib l e t o r ed u ce t h e n u m b er o f S -b o x es f ro m fo u r t o o n e . Ad d i t i o n a ll y , it m ay b e p o s s ib l e t o o v e r l ap en t r ie s i na s ing le S-box : en t ry 0 wo uld cons i st o f by tes 0 th rough 3 , en t ry 1 w ou ldco n s is t o f b y te s 1 th ro u g h 4 , e t c . T h e fo rm er s im p l i f i c a ti o n wo u ld r ed u c e t h em e m o ry r eq u i rem en t s fo r t h e fo u r S -b o x es f ro m 4 0 9 6 b y t e s to 1 0 24 b y t e s , t h el a tt e r wo u ld r ed u ce t h e r eq u i r em en t s fo r a s in g le S -b o x f ro m 1 0 24 b y t e s t o 2 5 9by tes . Add i t iona l s teps may be requ i red to e l imina te the symm etr ies tha t theses impl i f ica t ions wo uld in t roduce . Add i t iona l ly , four d i f fe ren t 10- o r 12-b i tindexes in to a s ing le l a rge S-box cou ld be used ins tead o f the cu rren t se r ies o fS -boxes .Few er i t er a ti o n s. I t is p ro b ab ly sa fe t o r ed u ce th e n u m b er o f i te r a ti o n s f ro m1 6 to 8 wi th o u t co m p ro m is in g s ecu r i ty . T h e n u m b er o f i t e ra t io n s r eq u i red fo rs ecu r it y m a y b e d ep en d en t o n th e l en g th o f th e k ey . No te t h a t w i th t h e cu r ren ts u b k ey g en e ra t i o n p ro ced u re , an 8 - it e r at io n a lg o ri t h m can n o t accep t a k eylonger than 192 bi ts .On - th e - f ly su b k ey ca lcu l at io n . T h e cu r ren t m e th o d o f s u b k ey ca l cu l a t io nrequ i res a l l subkeys to be ca lcu la ted advance o f any da ta encry p t ion . In fac t ,i t is impo ss ib le to ca lcu la te the las t subkey o f the las t S-box w i thou tca l cul a ti n g ev e ry s u b k ey th a t co m es b e fo re . An a l te rn a te m e th o d o f s u b k eyca l cu la t i o n wo u ld b e p re fe rab l e : o n e wh e re e v e ry s u b k ey can b e ca l cu la t ed


13/14


14/14

.

.

.

10.

11.

12.

13.

14.

15.

16.

17.

18.

19.20.21.22.

23.

204

X. Lai, J. Massey, and S. Murphy, "Markov Ciphers and DifferentialCryptanalysis," Advances in Cryptology--EUROCRYPT "91 Proceedings,Springer-Verlag, 1991, pp. 17-38.

J.L. Massey and X. Lai, "Device for Converting a Digital Block and the UseThereof," International Patent PCT/CH91/00117, 16 May 1991.J.L. Massey and X. Lai, "Device for the Conversion of a Digital Block and Useof Same," U.S. Patent 5,214,703, 25 May 1993.M. Matsui, "Linear Cryptanalysis Method for DES Cipher," Advances inCryptology--CRYP TO "93 Proceedings, Springer-Verlag, 1994, in preparation.R.C. Merkle, "Fast Software Encryption Functions," Advances inCryptology--CRYP TO '90 Proceedings, Springer-Verlag, 1991, pp. 476-501.R.C. Merkle, "Method and Apparatus for Data Encryption," U.S. Patent5,003,597, 26 Mar 1991.S. Miyaguchi, "The FEAL-8 Cryptosystem and Call for Attack," Advances inCryptology--CRYP TO "89 Proceedings, Springer-Verlag, 1990, pp. 624-627.S. Miyaguchi, "Expansion of the FEAL Cipher," NTTReview, v. 2, n. 6, Nov1990.S. Miyaguchi, "The FEAL Cipher Family," Advances in Cryptology--CRYPTO"90 Proc eeding s, Springer-Verlag, 1991, pp. 627-638.National Bureau of Standards, Data Encryption Standard, U.S. Department ofCommerce, FIPS Publication 46, Jan 1977.National Institute of Standards and Technology, "Clipper Chip Technology, 'i 30Apr 1993.RSA Laboratories, Answers to Frequently Asked Questions Ab ou t Toda y'sCryptography, Revision 2.0, RSA Data Security Inc., 5 Oct 1993.B. Schneier, "Data Guardians," MacWorld, Feb 1993, 145-151.B. Schneier, Applied Cryptography, John Wiley & Sons, New York, 1994.J.L Smith, The Design o f Lucifer, A Cryptographic Device fo r D ataCommunication, RC 3326, White Plains: IBM Research.M.J. Weiner, "Efficient DES Key Search," Advances in Cryptology--CRYPTO'93 Proceedings, Springer-Verlag, in preparation.M.C. Wood, "Method of CryptographicaUy Transforming Electronic DigitalData from One Form to Another," U.S. Patent 5,003,596, 26 Mar 1991.

Documents

Articulo Blowfish