A Study of DES and Blowfish Encryption Algorithm
Tingyuan Nie
Communication and Electronic Engineering Institute
Qingdao Technological University
Qingdao, China
tynie@qtech.edu.cn
Abstract—With the rapid growing of internet and networks
applications, data security becomes more important than ever
before. Encryption algorithms play a crucial role in information
security systems. In this paper, we have a study of the two
popular encryption algorithms: DES and Blowfish. We
overviewed the base functions and analyzed the security for both
algorithms. We also evaluated performance in execution speed
based on different memory sizes and compared them. The
experimental results show the relationship between function run
speed and memory size.
Keywords-Encryption Algorithm; DES; Blowfish
I. INTRODUCTION
Encryption is the process of transforming plaintext data into
cipher text in order to conceal its meaning and so preventing
any unauthorized recipient from retrieving the original data.
Hence, the main task of encryption is to ensure secrecy.
Companies usually encrypt their data before transmission to
ensure that the data is secure during transit. The encrypted data
is sent over the public network and is decrypted by the intended
recipient.
There are many encryption algorithms are developed and
widely used for information security. They can be categorized
into symmetric (private) and asymmetric (public) keys
encryption.
Symmetric keys encryption only uses one key to encrypt
and decrypt data. The key should be distributed before
transmission between entities. Keys play a very important role
because if weak key is used in algorithm then everyone may
decrypt the data. Strength of Symmetric key encryption
depends on the size of used key. For the same algorithm,
encryption using longer key is harder to break than the one
done using smaller key. There are many examples of strong
and weak keys of cryptography algorithms like RC2, DES,
3DES, RC6, Blowfish, and AES. RC2 and DES use one 64-bit
key. Triple DES (3DES) uses three 64-bits keys while AES
uses various (128,192,256) bits keys. Blowfish uses various
(32-448) key. RC6 uses various (128,192,256) bit keys where
default is 128 bits [1-3].
Asymmetric key encryption is used to solve the problem of
key distribution. In Asymmetric keys, two keys are used:
private and public keys. Public key is used for encryption and
private key is used for decryption (E.g. RSA and Digital
A Project of Shandong Province Higher Educational Science and Technology Program (No. J09LG10)
978-1-4244-4547-9/09/$26.00 ©2009 IEEE
Teng Zhang
Communication and Electronic Engineering Institute
Qingdao Technological University
Qingdao, China
Signatures). Public key is known to the public while private
key is known only to the user. There is no need for distributing
them prior to transmission. However, public key encryption is
based on mathematical functions, computationally intensive
and is not very efficient for small mobile devices such as cell
phone, PDA, and so on.
In some occasion, legal, commercial, and other documents
need to be signed. Accordingly, various schemes have been
devised for digital signatures, using both private-key and
public-key algorithms.
There are a variety of different types of encryption
methods, basically the methods of producing cipher text are
stream cipher (such as RC4) and block cipher (such as DES,
blowfish and so on). The two methods are similar except for
the amount of data each encrypts on each pass. Most modern
encryption schemes use some form of a block cipher. Other
special encryption method is the one way encryption whose
encrypting process is irreversible (for instance password
encryption on UNIX systems), and hybrid systems by
combining public and private key cryptosystems (such as
Pretty Good Privacy (PGP)).
In this paper, we study the algorithms of common DES and
Blowfish. They are both symmetric key encryption algorithms
using block cipher. Referencing their encryption process
methods, we analyze their security. And do experiments to
evaluate performance of two encryption algorithms using
different memory sizes. From the experimental results, we find
the relationship between encryption speed and computer
memory utilization. We also show the advantages and
disadvantages of both encryption algorithms.
The remainder of this paper is organized as follows. We
review the related works in section 2. Introduce the two
encryption algorithms and analyze the security in section 3.
And show the evaluation in section 4, followed by conclusion
in section 5.
II. RELATED WORKS
As [5], every security system must provide a bundle of
security functions that assure the secrecy of the system. These
functions are usually referred to as the goals of the security
system. These goals can be listed as following:
Authentication: Before sending and receiving data using
the system, the receiver and sender identity should be verified.
TENCON 2009
1
 Secrecy or Confidentiality: Usually this function is how
most people identify a secure system. It means that only the
authenticated people are able to interpret the message content
and no one else.
Integrity: Integrity means that the content of the
communicated data is assured to be free from any type of
modification between the end points (sender and receiver). The
basic form of integrity is packet check sum in IPv4 packets.
Non-Repudiation: This function implies that neither the
sender nor the receiver can falsely deny that they have sent a
certain message.
Service Reliability and Availability: Since secure systems
usually get attacked by intruders, which may affect their
availability and type of service to their users. Such systems
should provide a way to grant their users the quality of service
they expect.
To achieve the goals of security system, the encryption Figure 1. DES algorithm.
algorithms must provide enough strength with high security
implemented in an accepted speed limitation. Therefore, the The flow of DES algorithm is shown in Fig.1. DES is a 64-
bit block cipher under 56-bit key. The algorithm processes with
performance evaluation becomes very important to the existing
an initial permutation, sixteen rounds block cipher and a final
encryption algorithms. Many approaches are proposed:
permutation. DES application is very popular in commercial,
The research of [4] is conducted for different popular secret military, and other domains in the last decades. There are
key algorithms such as DES, 3DES, AES, and Blowfish. The variants like 3DES [7], AES [8] by enhancing DES function.
performance of the algorithms was compared by encrypting
input files of varying contents and sizes on two different B. Blowfish Algorithm
hardware platforms. The results showed that Blowfish had a
very good performance compared to other algorithms, and AES Bruce Schneier, one of the world's leading cryptologists,
designed the Blowfish algorithm [2] and made it available in
had a better performance than 3DES and DES. It also shows
the public domain. Blowfish is a variable length key, 64-bit
that 3DES has almost 1/3 throughput of DES, namely it needs
block cipher. The algorithm was first introduce in 1993, and
3 times of DES to process the same amount of data. has not been cracked yet. It can be optimized in hardware
Elminaam et al. selected several symmetric encryption applications due to its compactness.
algorithms such as AES, DES, 3DES, RC6, Blowfish and RC2
having a performance evaluation in [3]. They concluded: there
is no significant difference when the results are displayed either
in hexadecimal base encoding or in base 64 encoding; Blowfish
has better performance than other common encryption
algorithms used, followed by RC6; In the case of changing data
type such as image, RC2, RC6 and Blowfish has disadvantage
over other algorithms in terms of time consumption; Higher
key size leads to clear change in the battery and time
consumption.
Most of above related works focused on the analysis of
encryption/decryption speed of different input type, battery
power consumption and so on. In this paper, we analyze the
security of both encryption algorithms and emphasize speed- Figure 2. Blowfish algorithm
memory relation research.
The algorithm is shown in Fig.2. It consists of two parts: a
III. ENCRYPTION ALGORITHM ANALYSIS key-expansion part and a data- encryption part. Key expansion
In this section, we have an overview and cryptanalysis for converts a key of at most 448 bits into several sub-key arrays
both DES and Blowfish algorithms. totaling 4168 bytes. Data encryption occurs via a 16-round
(commonly) network. Each round consists of a key-dependent
permutation, and a key- and data-dependent substitution. All
A. DES Algorithm
operations are XORs and additions on 32-bit words. The only
DES (Data Encryption Standard) was the first encryption additional operations are four indexed array data lookups per
standard to be recommended by NIST (National Institute of round.
Standards and Technology). It was developed by an IBM team
around 1974 and adopted as a national standard in 1997 [6].

2
C. Security Analysis We can see, Blowfish run much faster than DES. Both
In this section, we analyze the algorithms’ strength against DES and Blowfish run slow in 92M memory size. However,
attacks from two aspects: differential cryptanalysis and linear DES runtime improved rapidly from 224M memory size and
cryptanalysis. became steady. Blowfish also improved from 224M memory
size, but became steady in 352M memory size. We think this is
Eli Biham and Adi Shamir introduced differential because Blowfish function needs much more memory to
cryptanalysis in 1990. They found a chosen-plaintext attack initialize sub-keys and S-boxes than DES function.
against DES which was more efficient than brute force. The
TABLE 1
best attack against full 16-round DES requires 247 chosen RUNTIME for DES and BLOWFISH
plaintexts. This can be converted to a known plaintext attack, Runtime（µs)
but requires 255 known plaintexts. And 237 DES operations Memory Size Difference
DES Blowfish
are required during analysis. The attack is heavily dependent on Avg:1.1528 Avg:0.1503
the structure of the S-boxes which happen to be optimized 96M (1.1520,1.1530) (0.1500,0.1500) 86.96%
against differential cryptanalysis in DES. In addition, the (1.1520,1.1540) (0.1500,0.1510)
resistance of DES can be improved by increasing the number Avg:0.8370 Avg:0.1373
224M (0.8450,0.8360) (0.1320,0.1370) 83.60%
of rounds [9]. (0.8330,0.8340) (0.1370,0.1430)
Linear cryptanalysis is another type of cryptanalytic attack Avg:0.8330 Avg:0.1234
352M (0.8330,0.8340) (0.1230,0.1230) 85.19%
invented by Mitsuru Matsui. The attack uses linear (0.8320,0.8330) (0.1230,0.1240)
approximations to describe the action of a block cipher [10]. Avg:0.8463 Avg:0.1234
Against full 16-round DES, this attack can recover the key with 480M (0.8330,0.8810) (0.1230,0.1240) 85.42%
an average of 243 known plaintexts. A software (0.8340,0.8370) (0.1230,0.1230)
implementation of this attack recovered a DES key in 50 days Avg:0.8350 Avg:0.1250
608M (0.8350,0.8340) (0.1240,0.1270) 85.03%
using 12 HP9000/735 workstations which is the most effective (0.8380,0.8330) (0.1250,0.1240)
attack so far [11]. Linear cryptanalysis is newer than Avg:0.8440 Avg:0.1245
differential cryptanalysis and it is efficient against reduced 736M (0.8330,0.8740) (0.1240,0.1270) 85.25%
round DES variants. (0.8330,0.8360) (0.1240,0.1230)
Avg:0.8445 Avg:0.1245
From above analysis, DES can provide a certain security 992M (0.8330,0.8590) (0.1240,0.1240) 85.26%
guarantee in some degree by optimizing the construction of S- (0.8520,0.8340) (0.1240,0.1260)
boxes.
Bruce Schneier show differential cryptanalysis on Blowfish
is possible either against a reduced number of rounds or with
the piece of information which describes the F function.
However, the boxes are well designed to resist to an attacks
while they are randomly generated in Blowfish [12]. As we
know, there is no successful cryptanalysis against Blowfish.

D. Speed Estimation
We realized the algorithms in C language program under
Windows XP OS. We estimated the performance of the
algorithms by using a PC with CPU Pentium (R) 4 3.00GHz in
the experiment.
We implemented the program to run 109 times encryption
for a plaintext of 256 characters. We calculate the average
value for one-time encryption speed. The experimental results
are shown in Table 1.
The first column shows memory sizes, from 96M to 992M.
The second large column displays the algorithm runtime which
includes two sub-columns: DES runtime and Blowfish runtime.
Corresponding to different memory size, there are three rows
for DES and Blowfish runtime column. We show four different
runtime test values in row 2 and row 3, and show the average
runtime in row 1. The fourth column displays difference ratio
between DES and Blowfish function runtime, which calculated
in formulation (1).
DES Runtime - Blowfish Runtime
× 100 %
DES Runtime (1)
Figure 3. Runtime comparison between DES and Blowfish
It illustrates runtime varied with memory size more clearly
in Fig.3. It also shows Blowfish used less time to encrypt the
same text.
From the curve in Fig.4, we can also see the runtime
difference ratio between DES and Blowfish decreased rapidly
in 224M memory and became steady from 352M memory. It
can also be considered that Blowfish function needs much
more memory to initialize sub-keys and S-boxes than DES.
DES became effective from 224M memory relatively. From the
results, we conclude Blowfish runs much faster than DES yet
consumes lager memory simultaneously. Although Blowfish is
optimized for applications, the large memory requirement
makes it infeasible for smart card applications.

3

Figure 4. Runtime difference ratio between DES and Blowfish
IV. CONCLUSION
In this paper, we studied two popular encryption
algorithms: DES and Blowfish. We overviewed the basic flow
of the two algorithms and analyzed the security. Both
algorithms have high security to resist differential cryptanalysis
and linear cryptanalysis attacks. We evaluated encryption
function speed based on different memory sizes. The
experimental results show Blowfish is much faster than DES
but the speed increasing for Blowfish is slower compared to
DES because it needs much more memory for sub-key and S-
boxes initialization.
REFERENCES
[1] Coppersmith, D. "The Data Encryption Standard (DES) and Its Strength
Against Attacks."IBM Journal of Research and Development, May
1994, pp. 243 -250.
[2] Bruce Schneier. The Blowfish Encryption Algorithm Retrieved October
25, 2008, http://www.schneier.com/blowfish.html
[3] Diaa Salama Abdul. Elminaam, Hatem Mohamed Abdul Kader and
Mohie Mohamed Hadhoud3, “Performance Evaluation of Symmetric
Encryption Algorithms,” in IJCSNS International Journal of Computer
Science and Network Security, vol.8 No.12, December 2008, pp. 280-
286.
[4] Nadeem, A. and Javed, M.Y., "A Performance Comparison of Data
Encryption Algorithms," IEEE Information and Communication
Technologies, 2005. ICICT 2005. First International Conference,
February, 2006, pp. 84- 89.
[5] Aaron E. Earle, Wireless Security Handbook. Auerbach Publications,
Boston, MA, 2005.
[6] “Data Encryption Standard,” Federal Information Processing Standards
Publication No. 46, National Bureau of Standards, January 15, 1977.
[7] William C. Barker, “Recommendation for the Triple Data Encryption
Algorithm (TDEA) Block Cipher,” NIST Special Publication 800-67
Version 1.1, May 2008.
[8] Daemen, J., and Rijmen, V. "Rijndael: The Advanced Encryption
Standard."D r. Dobb's Journal, March 2001, pp. 137-139.
[9] E. Biham and A. Shamir, "Differential Cryptanalysis of the Full 16-
Round DES," Advances in Cryptology-CRYPTO '92 Proceedings,
Springer-Verlag, 1993, pp. 487- 496.
[10] M. Matsui, "Linear Cryptanalysis Method for DES Cipher," Advances in
Cryptology-EUROCRYPT '93 Proceedings, Springer-Verlag, 1994, pp.
386-397.
[11] M. Matsui, "The First Experimental Cryptanalysis of the Data
Encryption Standard," Advances in Cryptology-CRYPTO '94
Proceedings, Springer-Verlag, 1994, pp. 1-11.
[12] S. Vaudenay, “On the Weak Keys in Blowfish,” Fast Software
Encryption, Third International Workshop Proceedings, Springer-
Verlag, 1996, pp. 27-32.