Editing Blowfish (cipher) (section)

==The algorithm==
Blowfish has a 64-bit [[block size (cryptography)|block size]] and a variable [[key length]] from 32 bits up to 448 bits.<ref name="blowfish-paper">{{cite journal
 |url         = https://www.schneier.com/paper-blowfish-fse.html
 |title       = Description of a New Variable-Length Key, 64-Bit Block Cipher (Blowfish)
 |author      = Bruce Schneier
 |author-link = Bruce Schneier
 |journal     = Fast Software Encryption, Cambridge Security Workshop Proceedings
 |publisher   = [[Springer-Verlag]]
 |pages       = 191–204
 |year        = 1993
 |url-status  = live
 |archive-url  = https://web.archive.org/web/20140126182135/https://www.schneier.com/paper-blowfish-fse.html
 |archive-date = 2014-01-26
}}</ref> It is a 16-round [[Feistel cipher]] and uses large key-dependent [[S-box]]es. In structure it resembles [[CAST-128]], which uses fixed S-boxes.
[[File:Blowfish diagram.svg|right|thumb|316px|The Feistel structure of Blowfish]]
The adjacent diagram shows Blowfish's encryption routine. Each line represents 32&nbsp;bits. There are five subkey-arrays: one 18-entry P-array (denoted as K in the diagram, to avoid confusion with the Plaintext) and four 256-entry S-boxes (S0, S1, S2 and S3).

Every round ''r'' consists of 4 actions: 
{| class="wikitable"
|'''Action 1'''
|XOR the left half (L) of the data with the ''r'' th P-array entry
|-
|'''Action 2'''
|Use the XORed data as input for Blowfish's F-function
|-
|'''Action 3'''
|XOR the F-function's output with the right half (R) of the data
|-
|'''Action 4'''
|Swap L and R
|}

The F-function splits the 32-bit input into four 8-bit quarters and uses the quarters as input to the S-boxes. The S-boxes accept 8-bit input and produce 32-bit output. The outputs are added [[modular arithmetic|modulo]] 2<sup>32</sup> and XORed to produce the final 32-bit output (see image in the upper right corner).<ref>{{Cite web |title = Cryptography: Description of a New Variable-Length Key, 64-Bit Block Cipher (Blowfish) |url = https://www.schneier.com/cryptography/archives/1994/09/description_of_a_new.html |website = Schneier on Security |access-date = 2015-12-31 |url-status = live |archive-url = https://web.archive.org/web/20160304200440/https://www.schneier.com/cryptography/archives/1994/09/description_of_a_new.html |archive-date = 2016-03-04}}</ref>

After the 16th round, undo the last swap, and XOR L with K18 and R with K17 (output whitening).

Decryption is exactly the same as encryption, except that P1, P2, ..., P18 are used in the reverse order. This is not so obvious because xor is commutative and associative. A common misconception is to use inverse order of encryption as decryption algorithm (i.e. first XORing P17 and P18 to the ciphertext block, then using the P-entries in reverse order).

Blowfish's [[key schedule]] starts by initializing the P-array and S-boxes with values derived from the [[hexadecimal]] digits of [[pi]], which contain no obvious pattern (see [[nothing up my sleeve number]]). The secret key is then, byte by byte, cycling the key if necessary, XORed with all the P-entries in order. A 64-bit all-zero block is then encrypted with the algorithm as it stands. The resultant ciphertext replaces P<sub>1</sub> and P<sub>2</sub>. The same ciphertext is then encrypted again with the new subkeys, and the new ciphertext replaces P<sub>3</sub> and P<sub>4</sub>. This continues, replacing the entire P-array and all the S-box entries. In all, the Blowfish encryption algorithm will run 521 times to generate all the subkeys{{snd}} about 4&nbsp;KB of data is processed.

Because the P-array is 576&nbsp;bits long, and the key bytes are XORed through all these 576&nbsp;bits during the initialization, many implementations support key sizes up to 576&nbsp;bits. The reason for that is a discrepancy between the original Blowfish description, which uses 448-bit keys, and its reference implementation, which uses 576-bit keys. The test vectors for verifying third-party implementations were also produced with 576-bit keys. When asked which Blowfish version is the correct one, Bruce Schneier answered: "The test vectors should be used to determine the one true Blowfish".

Another opinion is that the 448&nbsp;bits limit is present to ensure that every bit of every subkey depends on every bit of the key,<ref name="blowfish-paper"/> as the last four values of the P-array don't affect every bit of the ciphertext. This point should be taken in consideration for implementations with a different number of rounds, as even though it increases security against an exhaustive attack, it weakens the security guaranteed by the algorithm. And given the slow initialization of the cipher with each change of key, it is granted a natural protection against brute-force attacks, which doesn't really justify key sizes longer than 448&nbsp;bits.