At 05:57 PM 11/9/00 -0500, Meyer Wolfsheim wrote:

...

example, about Gnu Privacy Guard (GnuPG), an open source competitor to PGP. There's no doubt in Zimmermann's mind that GnuPG suffers for being managed by programmers. He offers the Blowfish encryption method as an example: "I would never, ever allow Blowfish to be implemented in PGP, because it's not as good a design as Twofish; Twofish is superior. PGP 7 implements Two fish. Yet we see GnuPG implemented Blowfish."

Okay, I just spent 15 minutes searching the web for information on vulnerabilities in Blowfish. Didn't find anything. Certainly I could have tried harder... but does anyone know of any risks of using Blowfish?

There are none. Blowfish has a very large key setup time, so unless you cache its internal state, its a poor choice for *certain* apps ---those where you need to switch contexts frequently. But it is very strong, because of that key schedule, and its structure. Twofish has a much faster key setup. I can't imagine what PKZ what talking about otherwise, and what you've quoted is intriguing for that reason.