• Blowfish reliability

    From Anonymous@nobody@yamn.paranoici.org to sci.crypt on Tue Jul 15 15:54:47 2025
    From Newsgroup: sci.crypt

    Is this blog post significant? <https://hatchjs.com/cryptographydeprecationwarning-blowfish-has-been-deprecated/>

    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Peter Fairbrother@peter@tsto.co.uk to sci.crypt on Tue Jul 15 22:25:50 2025
    From Newsgroup: sci.crypt

    On 15/07/2025 16:54, Anonymous wrote:
    > Is this blog post significant? <https://hatchjs.com/cryptographydeprecationwarning-blowfish-has-been-deprecated/>


    Somewhat, though nothing new.

    Blowfish uses 64-bit blocks which can lead to birthday and other
    collision attacks - nowadays even 128 bits isn't really enough for a new
    block cipher (some may disagree). 3DES has the same block size problem.

    Blowfish is also susceptible to meet-in-the-middle and differential
    attacks. The variable key size is also problematic.

    Implemented properly Blowfish is still secure - but it is getting harder
    to implement it properly, and some older implementations may no longer
    be secure. You have to worry about total traffic encrypted under one
    key, key size, some restrictions in modes - so overall it is considered
    better to use something more modern.

    Also again, as it is being deprecated, some platforms may no longer
    support it.



    Peter Fairbrother
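
An added illustration, not part of the original post, of the "total traffic encrypted under one key" concern raised above: the birthday approximation for equal cipher blocks under a b-bit block size, and a guard that demands a rekey once a chosen collision budget is reached. The function names, the `KeyUsageGuard` class and the 2^-32 budget are assumptions made for this example.

```python
import math

def collision_probability(n_blocks: int, block_bits: int) -> float:
    """Birthday approximation 1 - exp(-n(n-1)/2^(b+1)): chance that two of
    n_blocks cipher blocks produced under one key are equal."""
    exponent = -(n_blocks * (n_blocks - 1)) / 2.0 ** (block_bits + 1)
    return -math.expm1(exponent)  # 1 - e^x without losing tiny values

def max_blocks(block_bits: int, budget: float) -> int:
    """Block count that keeps the collision probability within budget."""
    # Solve n(n-1) = -ln(1 - budget) * 2^(b+1) for n, then round down.
    target = -math.log1p(-budget) * 2.0 ** (block_bits + 1)
    n = int((1 + math.sqrt(1 + 4 * target)) / 2)
    while n > 1 and collision_probability(n, block_bits) > budget:
        n -= 1  # absorb floating-point rounding at the boundary
    return n

class KeyUsageGuard:
    """Counts blocks encrypted under one key and demands a rekey at the limit."""
    def __init__(self, block_bits: int, budget: float = 2.0 ** -32):
        # budget default is an assumption of this example, not from the thread
        self.block_bytes = block_bits // 8
        self.limit = max_blocks(block_bits, budget)
        self.used = 0

    def reserve(self, nbytes: int) -> None:
        """Call before encrypting nbytes; raises once the key is used up."""
        blocks = -(-nbytes // self.block_bytes)  # ceiling division
        if self.used + blocks > self.limit:
            raise RuntimeError("block budget for this key exhausted: rekey")
        self.used += blocks

if __name__ == "__main__":
    for bits in (64, 128):  # Blowfish/3DES block size vs. a 128-bit block
        guard = KeyUsageGuard(bits)
        print(f"{bits}-bit blocks: rekey after {guard.limit} blocks "
              f"({guard.limit * guard.block_bytes} bytes) at p <= 2^-32")
    print("p(collision) after 2^32 64-bit blocks:",
          round(collision_probability(2 ** 32, 64), 4))
```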

  • From Rich@rich@example.invalid to sci.crypt on Tue Jul 15 22:07:48 2025
    From Newsgroup: sci.crypt

    Anonymous <nobody@yamn.paranoici.org> wrote:
    > Is this blog post significant? <https://hatchjs.com/cryptographydeprecationwarning-blowfish-has-been-deprecated/>

    The major significance is this sentence fragment from the first
    paragraph:

    "and should not be used for new applications."

    Don't start a new project and pick Blowfish as the cipher.

  • From The Running Man@running_man@writeable.com to sci.crypt on Tue Jul 15 23:00:00 2025
    From Newsgroup: sci.crypt

    On 16/07/2025 00:07 Rich <rich@example.invalid> wrote:
    > Anonymous <nobody@yamn.paranoici.org> wrote:
    >> Is this blog post significant?
    >> <https://hatchjs.com/cryptographydeprecationwarning-blowfish-has-been-deprecated/>

    > The major significance is this sentence fragment from the first
    > paragraph:

    > "and should not be used for new applications."

    > Don't start a new project and pick Blowfish as the cipher.


    I can't conjure up any application which uses Blowfish, except
    maybe older versions of TrueCrypt and E4M.

  • From Rich@rich@example.invalid to sci.crypt on Wed Jul 16 03:21:42 2025
    From Newsgroup: sci.crypt

    The Running Man <running_man@writeable.com> wrote:
    > On 16/07/2025 00:07 Rich <rich@example.invalid> wrote:
    >> Anonymous <nobody@yamn.paranoici.org> wrote:
    >>> Is this blog post significant?
    >>> <https://hatchjs.com/cryptographydeprecationwarning-blowfish-has-been-deprecated/>

    >> The major significance is this sentence fragment from the first
    >> paragraph:

    >> "and should not be used for new applications."

    >> Don't start a new project and pick Blowfish as the cipher.


    > I can't conjure up any application which uses Blowfish, except
    > maybe older versions of TrueCrypt and E4M.

    At this point, they would all likely be old legacy applications, few of
    which are likely still in use.
  • From Stefan Claas@stefan@mailchuck.com to sci.crypt on Wed Jul 16 12:56:26 2025
    From Newsgroup: sci.crypt

    Rich wrote:
    > The Running Man <running_man@writeable.com> wrote:
    >> On 16/07/2025 00:07 Rich <rich@example.invalid> wrote:
    >>> Anonymous <nobody@yamn.paranoici.org> wrote:
    >>>> Is this blog post significant? <https://hatchjs.com/cryptographydeprecationwarning-blowfish-has-been-deprecated/>

    >>> The major significance is this sentence fragment from the first paragraph:

    >>> "and should not be used for new applications."

    >>> Don't start a new project and pick Blowfish as the cipher.


    >> I can't conjure up any application which uses Blowfish, except
    >> maybe older versions of TrueCrypt and E4M.

    > At this point, they would all likely be old legacy applications, few of which are likely still in use.

    The problem is that the OP is one of many people from a.p.a-s who are
    still using old hard/software and are not upgrading nor following the
    latest best security practices.

    Regards
    Stefan
  • From Rich@rich@example.invalid to sci.crypt on Wed Jul 16 13:35:46 2025
    From Newsgroup: sci.crypt

    Stefan Claas <stefan@mailchuck.com> wrote:
    > Rich wrote:
    >> The Running Man <running_man@writeable.com> wrote:
    >>> On 16/07/2025 00:07 Rich <rich@example.invalid> wrote:
    >>>> Anonymous <nobody@yamn.paranoici.org> wrote:
    >>>>> Is this blog post significant?
    >>>>> <https://hatchjs.com/cryptographydeprecationwarning-blowfish-has-been-deprecated/>

    >>>> The major significance is this sentence fragment from the first
    >>>> paragraph:

    >>>> "and should not be used for new applications."

    >>>> Don't start a new project and pick Blowfish as the cipher.


    >>> I can't conjure up any application which uses Blowfish, except
    >>> maybe older versions of TrueCrypt and E4M.

    >> At this point, they would all likely be old legacy applications, few of
    >> which are likely still in use.

    > The problem is that the OP is one of many people from a.p.a-s who are
    > still using old hard/software and are not upgrading nor following the
    > latest best security practices.

    In which case that is their choice, and this NIST announcement changes
    nothing for them; they are equally at risk today as they were yesterday
    (this announcement did not reveal any new breaks).

    All this does is put them on notice that not upgrading is exposing them
    to potential risk.
  • From Chax Plore@nznmrqmrxr@qazk.bet to sci.crypt on Thu Jul 24 19:48:21 2025
    From Newsgroup: sci.crypt

    On 2025-07-15 23:25, Peter Fairbrother wrote:
    > On 15/07/2025 16:54, Anonymous wrote:
    >> Is this blog post significant?
    >> <https://hatchjs.com/cryptographydeprecationwarning-blowfish-has-been-deprecated/>

    > Somewhat, though nothing new.

    > Blowfish uses 64-bit blocks which can lead to birthday and other
    > collision attacks - nowadays even 128 bits isn't really enough for a new
    > block cipher (some may disagree). 3DES has the same block size problem.

    > Blowfish is also susceptible to meet-in-the-middle and differential
    > attacks. The variable key size is also problematic.

    > Implemented properly Blowfish is still secure - but it is getting harder
    > to implement it properly, and some older implementations may no longer
    > be secure. You have to worry about total traffic encrypted under one
    > key, key size, some restrictions in modes - so overall it is considered
    > better to use something more modern.

    > Also again, as it is being deprecated, some platforms may no longer
    > support it.

    > Peter Fairbrother


    Someone rescaled Blowfish to 128-bit blocks:

    https://alexpukall.github.io/blowfish2/blowfish2-gcc.txt

    But the memory print of this version is monstrous.


    Chax Plore
    --

    -----BEGIN PGP PUBLIC KEY FINGERPRINT-----
    5745 807C 2B82 14D8 AB06 422C 8876 5DFC 2A51 778C
    ------END PGP PUBLIC KEY FINGERPRINT------
  • From Rich@rich@example.invalid to sci.crypt on Thu Jul 24 20:03:50 2025
    From Newsgroup: sci.crypt

    Chax Plore <nznmrqmrxr@qazk.bet> wrote:

    > Someone rescaled Blowfish to 128-bit blocks:

    > https://alexpukall.github.io/blowfish2/blowfish2-gcc.txt

    > But the memory print of this version is monstrous.

    Can you quantify "monstrous"? Just how big is that?
  • From Chris M. Thomasson@chris.m.thomasson.1@gmail.com to sci.crypt on Thu Jul 24 13:11:40 2025
    From Newsgroup: sci.crypt

    On 7/24/2025 1:03 PM, Rich wrote:
    > Chax Plore <nznmrqmrxr@qazk.bet> wrote:

    >> Someone rescaled Blowfish to 128-bit blocks:

    >> https://alexpukall.github.io/blowfish2/blowfish2-gcc.txt

    >> But the memory print of this version is monstrous.

    > Can you quantify "monstrous"? Just how big is that?

    Big enough to make people say this is a scary part in a horror movie?
    Say dead space? Well, I am jesting here. Not sure how to quantify "monstrous"... Sigh. ;^o
  • From Chax Plore@nznmrqmrxr@qazk.bet to sci.crypt on Fri Jul 25 10:30:59 2025
    From Newsgroup: sci.crypt

    On 2025-07-24 22:03, Rich wrote:
    > Chax Plore <nznmrqmrxr@qazk.bet> wrote:

    >> Someone rescaled Blowfish to 128-bit blocks:

    >> https://alexpukall.github.io/blowfish2/blowfish2-gcc.txt

    >> But the memory print of this version is monstrous.

    > Can you quantify "monstrous"? Just how big is that?


    In this particular case: 16912 bytes total of P-box and S-boxes constants.
    --

    -----BEGIN PGP PUBLIC KEY FINGERPRINT-----
    5745 807C 2B82 14D8 AB06 422C 8876 5DFC 2A51 778C
    ------END PGP PUBLIC KEY FINGERPRINT------
  • From Rich@rich@example.invalid to sci.crypt on Fri Jul 25 18:15:16 2025
    From Newsgroup: sci.crypt

    Chax Plore <nznmrqmrxr@qazk.bet> wrote:
    > On 2025-07-24 22:03, Rich wrote:
    >> Chax Plore <nznmrqmrxr@qazk.bet> wrote:

    >>> Someone rescaled Blowfish to 128-bit blocks:

    >>> https://alexpukall.github.io/blowfish2/blowfish2-gcc.txt

    >>> But the memory print of this version is monstrous.

    >> Can you quantify "monstrous"? Just how big is that?

    > In this particular case: 16912 bytes total of P-box and S-boxes constants.

    While that may very well be significantly larger than other algorithms,
    unless you are working in a very RAM constrained embedded system, ~16k
    of state is not likely to be significant for most systems. And even if
    one were doing some kind of network server where each network link
    consumed that amount for 'state', 1GiB of RAM would still hold enough
    state blocks for 63,489 simultaneous network flows. And any server
    meant for that much networking is likely going to have by far more than
    1GiB of RAM installed.
