On the weak keys of blowfish

  • Serge Vaudenay
Block Ciphers — Analysis

DOI: 10.1007/3-540-60865-6_39

Part of the Lecture Notes in Computer Science book series (LNCS, volume 1039)
Cite this paper as:
Vaudenay S. (1996) On the weak keys of blowfish. In: Gollmann D. (eds) Fast Software Encryption. FSE 1996. Lecture Notes in Computer Science, vol 1039. Springer, Berlin, Heidelberg


Blowfish is a sixteen-rounds Feistel cipher in which the F function is a part of the private key. In this paper, we show that the disclosure of F allows to perform a differential cryptanalysis which can recover all the rest of the key with 248 chosen plaintexts against a number of rounds reduced to eight. Moreover, for some weak F function, this attack only needs 223 chosen plaintexts against eight rounds, and 3×251 chosen plaintexts against sixteen-rounds. When the F function is safely kept private, one can detect whether it is weak or not with a differential attack using 222 plaintexts against eight rounds.

Copyright information

© Springer-Verlag 1996

Authors and Affiliations

  • Serge Vaudenay
    • 1
  1. 1.Ecole Normale SupérieureDMIParis Cedex 5France

Personalised recommendations