Blowfish in the Merkle–Damgård construction?


Is there a library that uses Blowfish in the Merkle–Damgård construction, for the purpose of constructing a cryptographic hash? I'm not interested in password hashing, but a general purpose cryptographic hash. (In an application where we're already using Blowfish.)


There are 2 best solutions below


Rolling your own crypto is a VERY VERY BAD idea. Read it, repeat it loudly, do it again.

Especially for hash functions. Cryptographers around the world are currently in the process of designing a new hash function, through the SHA-3 competition. It began in 2007, it will supposedly end in 2012, and several dozens (more probably hundreds) of smart people who specialize in cryptographic design (read: PhD and more) work hard at it. Assuming that you can, by yourself in a few weeks, do better than all those people in five years, verges on the preposterous. It turns out that building a secure hash function is a difficult problem (from a theoretical point of view, we do not even know if a secure hash function can really exist). Building a secure block cipher is quite a bit easier.

The designer of Blowfish (Bruce Schneier) is one of the designers of Skein, one of the candidates for SHA-3. Note that he did not reuse Blowfish for that. Note that he also published in 1998 the Twofish block cipher, a candidate to the AES selection process, as a much more advanced successor to Blowfish; Twofish was much more scrutinized than Blowfish, so even for symmetric encryption you should not use Blowfish but Twofish (or, better yet, use the AES, aka "Rijndael", which was preferred over Twofish).


Blowfish is problematic to use as a hash compression function, for a couple of reasons:

Firstly, many of the unbroken schemes for turning block ciphers into hash functions produce a hash that is the same length as the block cipher's block length. For Blowfish, with only a 64 bit block size, this is insufficient - a 64 bit hash length provides only 32 bits of security, which is trivially defeated.

Secondly, all of the secure schemes change the block cipher key on every block of the input message. Blowfish has a notoriously slow key setup procedure, so a hash based on it will necessarily be slow too.

If you remain undeterred, look up double-block-length hash constructions such as Tandem Davies-Meyer and Abreast Davies-Meyer. However, I would strongly suggest that you use an implementation of a function from the SHA-2 family instead - these are also easy to find, are fast and are considered secure. You will not gain anything by re-using Blowfish as your hash function.
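To make the two objections above concrete, here is an added example (not code from the answer, from Blowfish, or from any library) of the plain Davies-Meyer compression function run inside a Merkle–Damgård iteration: the message block becomes the cipher key on every step, and the digest is only as wide as the 64-bit block. The block cipher is a constructed toy Feistel stand-in with Blowfish's 64-bit block interface, and all function names are assumptions.

```python
import struct

BLOCK = 8  # 64-bit block, the same block size as Blowfish


def toy_block_cipher(key: bytes, block: bytes) -> bytes:
    """Constructed 4-round Feistel stand-in for a 64-bit block cipher.
    It is NOT Blowfish and NOT secure; it only lets the construction run offline."""
    l, r = struct.unpack(">II", block)
    # "key setup": derive one 32-bit subkey per round from the key bytes
    subkeys = [int.from_bytes((key * 4)[i * 4:i * 4 + 4], "big")
               ^ ((0x9E3779B9 * (i + 1)) & 0xFFFFFFFF) for i in range(4)]
    for k in subkeys:
        f = (r + k) & 0xFFFFFFFF
        f = (((f << 7) | (f >> 25)) & 0xFFFFFFFF) ^ k   # round function
        l, r = r, l ^ f
    return struct.pack(">II", r, l)


def md_pad(msg: bytes) -> bytes:
    """Merkle–Damgård strengthening: 0x80, zero fill to a block boundary,
    then the 64-bit message bit length (ties the digest to the message length)."""
    padded = msg + b"\x80"
    padded += b"\x00" * (-len(padded) % BLOCK)
    return padded + struct.pack(">Q", len(msg) * 8)


def davies_meyer(h: bytes, m: bytes, encrypt) -> bytes:
    """Compression: h_i = E_{m_i}(h_{i-1}) XOR h_{i-1}.
    The message block is the cipher KEY, so every block pays a full key setup,
    which is exactly why a slow key schedule makes the hash slow."""
    return bytes(a ^ b for a, b in zip(encrypt(m, h), h))


def md_hash(msg: bytes, encrypt=toy_block_cipher, iv: bytes = bytes(BLOCK)) -> bytes:
    """Iterate the compression function over the padded message."""
    padded = md_pad(msg)
    h = iv
    for i in range(0, len(padded), BLOCK):
        h = davies_meyer(h, padded[i:i + BLOCK], encrypt)
    return h  # single-block-length output: 64 bits


def collision_work_bits(digest_bytes: int) -> int:
    """Birthday bound: a collision costs about 2^(n/2) work for an n-bit digest,
    so an 8-byte digest gives roughly 32 bits of collision resistance."""
    return digest_bytes * 8 // 2
```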