A Linear Analysis of Blowfish and Khufu

  • Jorge NakaharaJr.
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4464)


This paper describes a linear analysis of Blowfish (a block cipher designed by B. Schneier in 1993), and Khufu (a cipher designed by R.C. Merkle in 1989). The nonlinear cipher components of these ciphers are key dependent, and thus, unknown to unauthorized entities. Nonetheless, we estimate the fraction of user keys that generate weak nonlinear components (namely, with large enough bias). As far as we are aware of this paper reports the first known-plaintext (and ciphertext-only) attacks on these ciphers.


Blowfish Khufu linear cryptanalysis key-dependent S- boxes 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Biham, E.: On Matsui’s Linear Cryptanalysis. Technion, CS Dept. Technical Report CS0813 (1994)Google Scholar
  2. 2.
    Biham, E., Biryukov, A., Shamir, A.: Miss-in-the-Middle Attacks on IDEA, Khufu and Khafre. In: Knudsen, L.R. (ed.) FSE 1999. LNCS, vol. 1636, pp. 124–138. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  3. 3.
    Biham, E., Dunkelman, O., Keller, N.: Linear Cryptanalysis of Reduced Round Serpent. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 16–27. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  4. 4.
    Biryukov, A.: The Boomerang Attack on 5 and 6-round Reduced AES. In: Dobbertin, H., Rijmen, V., Sowa, A. (eds.) AES 2005. LNCS, vol. 3373, pp. 11–15. Springer, Heidelberg (2005)Google Scholar
  5. 5.
    Blöcher, U., Dichtl, M.: Problems with the Linear Cryptanalysis of DES using More than One Active S-box per Round. In: Anderson, R. (ed.) FSE 1993. LNCS, vol. 809, pp. 256–274. Springer, Heidelberg (1994)Google Scholar
  6. 6.
    Brown, L., Pieprzyk, J.: Introducing the New LOKI97 Block Cipher. In: 1st AES Conference, California, USA (Aug. 1998),
  7. 7.
    Cheon, J.H., et al.: Improved Impossible Differential Cryptanalysis of Rijndael and Crypton. In: Kim, K.-c. (ed.) ICISC 2001. LNCS, vol. 2288, pp. 39–49. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  8. 8.
    Daemen, J., Govaerts, R., Vandewalle, J.: Weak Keys for IDEA. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 224–231. Springer, Heidelberg (1994)Google Scholar
  9. 9.
    Daemen, J., Rijmen, V.: The Design of Rijndael – AES – The Advanced Encryption Standard. Springer, Heidelberg (2002)zbMATHGoogle Scholar
  10. 10.
    Gilbert, H., Chauvaud, P.: A Chosen Plaintext Attack of the 16-Round Khufu Cryptosystem. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 359–368. Springer, Heidelberg (1994)Google Scholar
  11. 11.
    Knudsen, L.R.: Weaknesses in LOKI97 (1999),
  12. 12.
    Knudsen, L.R., Mathiassen, J.E.: A Chosen-Plaintext Linear Attack on DES. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 262–272. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  13. 13.
    Knudsen, L.R., Rijmen, V.: Ciphertext-Only Attack on Akelarre. Cryptologia XXIV(2), 135–147 (2000)Google Scholar
  14. 14.
    Matsui, M.: Linear Cryptanalysis Method for DES Cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)Google Scholar
  15. 15.
    Matsui, M.: On Correlation Between the Order of S-boxes and the Strength of DES. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 366–375. Springer, Heidelberg (1995)CrossRefGoogle Scholar
  16. 16.
    Matsui, M., Yamagishi, A.: A New Method for Known-Plaintext Attack of FEAL Cipher. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 81–91. Springer, Heidelberg (1993)CrossRefGoogle Scholar
  17. 17.
    Merkle, R.C.: Fast Software Encryption Functions. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 476–501. Springer, Heidelberg (1991)Google Scholar
  18. 18.
    NBS, Data Encryption Standard (DES). FIPS PUB 46, Federal Information Processing Standards Publication 46, U.S. Department of Commerce (Jan. 1977)Google Scholar
  19. 19.
    Rijmen, V.: Cryptanalysis and Design of Iterated Block Ciphers. Dept. Elektrotechniek, Katholieke Universiteit Leuven, Belgium (Oct. 1997)Google Scholar
  20. 20.
    Rivest, R.L., et al.: The RC6 Block Cipher. In: 1st AES Conference, California, USA (Aug. 1998),
  21. 21.
    Schneier, B.: Blowfish–One Year Later. Dr. Dobbs Journal (Sep. 1995)Google Scholar
  22. 22.
    Schneier, B.: Description of a New Variable-Length Key, 64-Bit Block Cipher (Blowfish). In: Anderson, R. (ed.) FSE 1993. LNCS, vol. 809, pp. 191–204. Springer, Heidelberg (1994)Google Scholar
  23. 23.
    Selçuk, A.A.: On Bias Estimation in Linear Cryptanalysis. In: Roy, B., Okamoto, E. (eds.) INDOCRYPT 2000. LNCS, vol. 1977, pp. 52–66. Springer, Heidelberg (2000)Google Scholar
  24. 24.
    Shorin, V.V., Jelezniakov, V.V., Gabidulin, E.M.: Linear and Differential Cryptanalysis of Russian GOST. In: Augot, D. (ed.) Proc. of Workshop on Coding and Cryptography, Jan. 2001, pp. 467–476 (2001)Google Scholar
  25. 25.
    Vaudenay, S.: On the Weak Keys of Blowfish. Technical Report, Liens - 95- 27, Ecole Normale SuperieureGoogle Scholar
  26. 26.
    Wagner, D.: The Boomerang Attack. In: Knudsen, L.R. (ed.) FSE 1999. LNCS, vol. 1636, pp. 156–170. Springer, Heidelberg (1999)CrossRefGoogle Scholar

Copyright information

© Springer Berlin Heidelberg 2007

Authors and Affiliations

  • Jorge NakaharaJr.
    • 1
  1. 1.UNISANTOSBrazil

Personalised recommendations