
Re: carrick, Blowfish & the NSA



On Sun, 14 Apr 1996, Perry E. Metzger wrote:

> At least partially broken, yes. I've forgotten the details. I believe
> they were discussed at Eurocrypt. It may be that with the full number
> of rounds that no one yet has a cryptanalysis but I don't recall and
> it doesn't particularly matter from my perspective.

It doesn't make much sense to condemn an iterated cipher based on attacks
on reduced-round versions.  Any such cipher becomes weak if you use
sufficiently few rounds.  Conversely, many broken ciphers become secure if
you use sufficiently many rounds (in which case they also become too slow
to be useful).  I don't think there are currently any public attacks that
seriously affect the security of Blowfish.

On the other hand, if you ask cryptographers what they would use if they
were not concerned with efficiency, I think most of them would say triple
DES.

Wei Dai
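
The reduced-round point above, shown on a toy cipher (an added example, not part of the original message and not Blowfish itself): a balanced Feistel network on two 32-bit halves leaks structure at 1 and 2 rounds that the same measurements no longer detect at 16 rounds. The HMAC-based round function, the key, and the names `leak_rate` and `diff_rate` are assumptions made for the demonstration.

```python
import hashlib
import hmac
import random

ROUNDS_FULL = 16  # assumption for the demo: a 16-round balanced Feistel network


def round_fn(key, rnd, half):
    """Stand-in keyed round function (constructed; not Blowfish's F)."""
    msg = bytes([rnd]) + half.to_bytes(4, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")


def encrypt(key, left, right, rounds):
    """Balanced Feistel network on two 32-bit halves, no final swap."""
    for r in range(rounds):
        left, right = right, left ^ round_fn(key, r, right)
    return left, right


def leak_rate(key, rounds, trials=200, seed=1):
    """Fraction of random blocks whose output left half equals the input right half."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        l, r = rng.getrandbits(32), rng.getrandbits(32)
        hits += encrypt(key, l, r, rounds)[0] == r
    return hits / trials


def diff_rate(key, rounds, trials=200, seed=2):
    """Fraction of pairs (same right half, left halves differing by delta)
    whose output left halves differ by exactly delta."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        l, r = rng.getrandbits(32), rng.getrandbits(32)
        delta = rng.getrandbits(32) | 1  # force a non-zero difference
        a = encrypt(key, l, r, rounds)[0]
        b = encrypt(key, l ^ delta, r, rounds)[0]
        hits += (a ^ b) == delta
    return hits / trials


if __name__ == "__main__":
    key = b"constructed demo key"
    for n in (1, 2, 4, ROUNDS_FULL):
        print(n, leak_rate(key, n), diff_rate(key, n))
```

These two checks only show that the trivial low-round structure disappears as rounds are added; passing them says nothing about resistance to stronger cryptanalysis.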