s2k-cipher-mode default
Werner Koch
wk at gnupg.org
Tue Jun 2 18:31:24 CEST 2015
On Tue, 2 Jun 2015 17:33, dkg at fifthhorseman.net said:
> I think it should change to AES256, with explanation below.
I am fine to switch to AES-128 for 2.0 too.
> secret key, it should be the strongest symmetric cipher known to the
> running system. This is probably AES256, not CAST5 or AES128.
Whether AES-256 is stronger than AES-128 in the real world is a pretty
good bike shedding topic. Changing the default cipher to AES-256 should
be the least problem for those who need such a kind of protection.
Here is my reason why AES-128 is a better *default*:
AES-128 | nanosecs/byte mebibytes/sec cycles/byte
CFB enc | 1.77 ns/B 537.9 MiB/s 4.08 c/B
CFB dec | 0.374 ns/B 2548.9 MiB/s 0.861 c/B
OCB enc | 0.527 ns/B 1810.8 MiB/s 1.21 c/B
OCB dec | 0.546 ns/B 1746.0 MiB/s 1.26 c/B
AES-256 | nanosecs/byte mebibytes/sec cycles/byte
CFB enc | 2.42 ns/B 393.6 MiB/s 5.57 c/B
CFB dec | 0.543 ns/B 1755.1 MiB/s 1.25 c/B
OCB enc | 0.695 ns/B 1372.9 MiB/s 1.60 c/B
OCB dec | 0.728 ns/B 1310.2 MiB/s 1.67 c/B
OpenPGP uses CFB mode. I listed OCB in case rfc4880bis will switch to
that mode.
Encrypting with AES-128 is 35% faster than with AES-256.
Decrypting with AES-128 is 45% faster than with AES-256.
It makes a difference whether you need 32 or 45 minutes to encrypt 1TiB.
Yeah, I know this is theoretical because a backup is I/O bounded but
nevertheless AES-256 takes up more CPU resources than AES-128.
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
More information about the Gnupg-devel
mailing list